restructure users, and add signalling
This commit is contained in:
parent
07da0af7bd
commit
c6fd1f85ba
@ -128,54 +128,6 @@ attribute can_load_kernmodule;
|
|||||||
class capability sys_module;
|
class capability sys_module;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
|
||||||
#
|
|
||||||
# kernel_kill_unlabeled_process(domain)
|
|
||||||
#
|
|
||||||
define(`kernel_kill_unlabeled_process',`
|
|
||||||
requires_block_template(`$0'_depend)
|
|
||||||
allow $1 unlabeled_t:process sigkill;
|
|
||||||
')
|
|
||||||
|
|
||||||
define(`kernel_kill_unlabeled_process_depend',`
|
|
||||||
type unlabeled_t;
|
|
||||||
class process sigkill;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
|
||||||
#
|
|
||||||
# kernel_ignore_get_unlabeled_block_device_attributes(domain)
|
|
||||||
#
|
|
||||||
define(`kernel_ignore_get_unlabeled_block_device_attributes',`
|
|
||||||
requires_block_template(`$0'_depend)
|
|
||||||
allow $1 unlabeled_t:blk_file getattr;
|
|
||||||
')
|
|
||||||
|
|
||||||
define(`kernel_ignore_get_unlabeled_block_device_attributes_depend',`
|
|
||||||
type unlabeled_t;
|
|
||||||
class process getattr;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
|
||||||
#
|
|
||||||
# kernel_relabel_unlabeled_object(domain)
|
|
||||||
#
|
|
||||||
define(`kernel_relabel_unlabeled_object',`
|
|
||||||
requires_block_template(`$0'_depend)
|
|
||||||
allow $1 unlabeled_t:{ dir file lnk_file fifo_file sock_file chr_file blk_file } { getattr relabelfrom };
|
|
||||||
')
|
|
||||||
|
|
||||||
define(`kernel_relabel_unlabeled_object_depend',`
|
|
||||||
type unlabeled_t;
|
|
||||||
class dir { getattr relabelfrom };
|
|
||||||
class file { getattr relabelfrom };
|
|
||||||
class lnk_file { getattr relabelfrom };
|
|
||||||
class fifo_file { getattr relabelfrom };
|
|
||||||
class sock_file { getattr relabelfrom };
|
|
||||||
class chr_file { getattr relabelfrom };
|
|
||||||
class blk_file { getattr relabelfrom };
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# kernel_get_selinux_enforcement_mode(domain)
|
# kernel_get_selinux_enforcement_mode(domain)
|
||||||
@ -1053,6 +1005,145 @@ class file { getattr read write };
|
|||||||
class lnk_file { getattr read };
|
class lnk_file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <interface name="kernel_kill_unlabeled_process">
|
||||||
|
## <description>
|
||||||
|
## Send a kill signal to unlabeled processes.
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## <infoflow type="write" weight="1"/>
|
||||||
|
## </interface>
|
||||||
|
#
|
||||||
|
define(`kernel_kill_unlabeled_process',`
|
||||||
|
requires_block_template(`$0'_depend)
|
||||||
|
allow $1 unlabeled_t:process sigkill;
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`kernel_kill_unlabeled_process_depend',`
|
||||||
|
type unlabeled_t;
|
||||||
|
class process sigkill;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <interface name="kernel_signal_unlabeled_process">
|
||||||
|
## <description>
|
||||||
|
## Send general signals to unlabeled processes.
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## <infoflow type="write" weight="1"/>
|
||||||
|
## </interface>
|
||||||
|
#
|
||||||
|
define(`kernel_signal_unlabeled_process',`
|
||||||
|
requires_block_template(`$0'_depend)
|
||||||
|
allow $1 unlabeled_t:process signal;
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`kernel_signal_unlabeled_process_depend',`
|
||||||
|
type unlabeled_t;
|
||||||
|
class process signal;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <interface name="kernel_signull_unlabeled_process">
|
||||||
|
## <description>
|
||||||
|
## Send a null signal to unlabeled processes.
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## <infoflow type="write" weight="1"/>
|
||||||
|
## </interface>
|
||||||
|
#
|
||||||
|
define(`kernel_signull_unlabeled_process',`
|
||||||
|
requires_block_template(`$0'_depend)
|
||||||
|
allow $1 unlabeled_t:process signull;
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`kernel_signull_unlabeled_process_depend',`
|
||||||
|
type unlabeled_t;
|
||||||
|
class process signull;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <interface name="kernel_sigstop_unlabeled_process">
|
||||||
|
## <description>
|
||||||
|
## Send a stop signal to unlabeled processes.
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## <infoflow type="write" weight="1"/>
|
||||||
|
## </interface>
|
||||||
|
#
|
||||||
|
define(`kernel_sigstop_unlabeled_process',`
|
||||||
|
requires_block_template(`$0'_depend)
|
||||||
|
allow $1 unlabeled_t:process sigstop;
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`kernel_sigstop_unlabeled_process_depend',`
|
||||||
|
type unlabeled_t;
|
||||||
|
class process sigstop;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <interface name="kernel_sigchld_unlabeled_process">
|
||||||
|
## <description>
|
||||||
|
## Send a child terminated signal to unlabeled processes.
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## <infoflow type="write" weight="1"/>
|
||||||
|
## </interface>
|
||||||
|
#
|
||||||
|
define(`kernel_sigchld_unlabeled_process',`
|
||||||
|
requires_block_template(`$0'_depend)
|
||||||
|
allow $1 unlabeled_t:process sigchld;
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`kernel_sigchld_unlabeled_process_depend',`
|
||||||
|
type unlabeled_t;
|
||||||
|
class process sigchld;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# kernel_ignore_get_unlabeled_block_device_attributes(domain)
|
||||||
|
#
|
||||||
|
define(`kernel_ignore_get_unlabeled_block_device_attributes',`
|
||||||
|
requires_block_template(`$0'_depend)
|
||||||
|
allow $1 unlabeled_t:blk_file getattr;
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`kernel_ignore_get_unlabeled_block_device_attributes_depend',`
|
||||||
|
type unlabeled_t;
|
||||||
|
class process getattr;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# kernel_relabel_unlabeled_object(domain)
|
||||||
|
#
|
||||||
|
define(`kernel_relabel_unlabeled_object',`
|
||||||
|
requires_block_template(`$0'_depend)
|
||||||
|
allow $1 unlabeled_t:{ dir file lnk_file fifo_file sock_file chr_file blk_file } { getattr relabelfrom };
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`kernel_relabel_unlabeled_object_depend',`
|
||||||
|
type unlabeled_t;
|
||||||
|
class dir { getattr relabelfrom };
|
||||||
|
class file { getattr relabelfrom };
|
||||||
|
class lnk_file { getattr relabelfrom };
|
||||||
|
class fifo_file { getattr relabelfrom };
|
||||||
|
class sock_file { getattr relabelfrom };
|
||||||
|
class chr_file { getattr relabelfrom };
|
||||||
|
class blk_file { getattr relabelfrom };
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# kernel_list_usb_hardware(domain)
|
# kernel_list_usb_hardware(domain)
|
||||||
|
@ -126,8 +126,15 @@ class process setsched;
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
## <interface name="domain_signal_all_domains">
|
||||||
# domain_signal_all_domains(domain)
|
## <description>
|
||||||
|
## Send general signals to all domains.
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## <infoflow type="write" weight="1"/>
|
||||||
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`domain_signal_all_domains',`
|
define(`domain_signal_all_domains',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
@ -161,8 +168,57 @@ class process signull;
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
## <interface name="domain_sigstop_all_domains">
|
||||||
|
## <description>
|
||||||
|
## Send a stop signal to all domains.
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## <infoflow type="write" weight="1"/>
|
||||||
|
## </interface>
|
||||||
#
|
#
|
||||||
# domain_kill_all_domains(domain)
|
define(`domain_sigstop_all_domains',`
|
||||||
|
requires_block_template(`$0'_depend)
|
||||||
|
allow $1 domain:process sigstop;
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`domain_sigstop_all_domains_depend',`
|
||||||
|
attribute domain;
|
||||||
|
class process sigstop;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <interface name="domain_sigchld_all_domains">
|
||||||
|
## <description>
|
||||||
|
## Send a child terminated signal to all domains.
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## <infoflow type="write" weight="1"/>
|
||||||
|
## </interface>
|
||||||
|
#
|
||||||
|
define(`domain_sigchld_all_domains',`
|
||||||
|
requires_block_template(`$0'_depend)
|
||||||
|
allow $1 domain:process sigchld;
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`domain_sigchld_all_domains_depend',`
|
||||||
|
attribute domain;
|
||||||
|
class process sigchld;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <interface name="domain_kill_all_domains">
|
||||||
|
## <description>
|
||||||
|
## Send a kill signal to all domains.
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## <infoflow type="write" weight="1"/>
|
||||||
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`domain_kill_all_domains',`
|
define(`domain_kill_all_domains',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
@ -100,8 +100,12 @@ corecommands_chroot(init_t)
|
|||||||
corecommands_execute_general_programs(init_t)
|
corecommands_execute_general_programs(init_t)
|
||||||
corecommands_execute_system_programs(init_t)
|
corecommands_execute_system_programs(init_t)
|
||||||
|
|
||||||
domain_signal_all_domains(init_t)
|
|
||||||
domain_kill_all_domains(init_t)
|
domain_kill_all_domains(init_t)
|
||||||
|
domain_signal_all_domains(init_t)
|
||||||
|
domain_signull_all_domains(init_t)
|
||||||
|
domain_sigstop_all_domains(init_t)
|
||||||
|
domain_sigstop_all_domains(init_t)
|
||||||
|
domain_sigchld_all_domains(init_t)
|
||||||
|
|
||||||
files_modify_system_runtime_data(init_t)
|
files_modify_system_runtime_data(init_t)
|
||||||
# file descriptors inherited from the rootfs:
|
# file descriptors inherited from the rootfs:
|
||||||
|
@ -13,10 +13,37 @@ define(`base_user_domain',`
|
|||||||
attribute $1_file_type;
|
attribute $1_file_type;
|
||||||
|
|
||||||
type $1_t, userdomain;
|
type $1_t, userdomain;
|
||||||
|
domain_make_domain($1_t)
|
||||||
corecommands_make_shell_entrypoint($1_t)
|
corecommands_make_shell_entrypoint($1_t)
|
||||||
role $1_r types $1_t;
|
role $1_r types $1_t;
|
||||||
allow system_r $1_r;
|
allow system_r $1_r;
|
||||||
|
|
||||||
|
# user pseudoterminal
|
||||||
|
type $1_devpts_t;
|
||||||
|
terminal_make_user_pseudoterminal($1_t,$1_devpts_t)
|
||||||
|
|
||||||
|
# type for contents of home directory
|
||||||
|
type $1_home_t, $1_file_type, home_type;
|
||||||
|
files_make_file($1_home_t)
|
||||||
|
|
||||||
|
# type of home directory
|
||||||
|
type $1_home_dir_t, home_dir_type, home_type;
|
||||||
|
files_make_file($1_home_t)
|
||||||
|
|
||||||
|
type $1_tmp_t, $1_file_type;
|
||||||
|
files_make_temporary_file($1_tmp_t)
|
||||||
|
|
||||||
|
type $1_tmpfs_t;
|
||||||
|
files_make_tmpfs_file($1_tmpfs_t)
|
||||||
|
|
||||||
|
type $1_tty_device_t;
|
||||||
|
terminal_make_physical_terminal($1_t,$1_tty_device_t)
|
||||||
|
|
||||||
|
##############################
|
||||||
|
#
|
||||||
|
# Local policy
|
||||||
|
#
|
||||||
|
|
||||||
allow $1_t self:capability { setgid chown fowner };
|
allow $1_t self:capability { setgid chown fowner };
|
||||||
dontaudit $1_t self:capability { sys_nice fsetid };
|
dontaudit $1_t self:capability { sys_nice fsetid };
|
||||||
allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
|
allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
|
||||||
@ -57,6 +84,13 @@ allow $1_t $1_tmp_t:file { getattr read execute execute_no_trans };
|
|||||||
# cjp: this is combination is not checked and should be removed
|
# cjp: this is combination is not checked and should be removed
|
||||||
allow $1_t $1_tmp_t:unix_stream_socket name_bind;
|
allow $1_t $1_tmp_t:unix_stream_socket name_bind;
|
||||||
|
|
||||||
|
allow $1_t $1_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
|
||||||
|
allow $1_t $1_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
|
allow $1_t $1_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
|
||||||
|
allow $1_t $1_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
|
allow $1_t $1_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
|
filesystem_create_private_tmpfs_data($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||||
|
|
||||||
allow $1_t $1_tty_device_t:chr_file { setattr getattr read write append ioctl lock };
|
allow $1_t $1_tty_device_t:chr_file { setattr getattr read write append ioctl lock };
|
||||||
|
|
||||||
allow $1_t unpriv_userdomain:fd use;
|
allow $1_t unpriv_userdomain:fd use;
|
||||||
@ -70,10 +104,12 @@ per_userdomain_templates($1)
|
|||||||
|
|
||||||
kernel_read_kernel_sysctl($1_t)
|
kernel_read_kernel_sysctl($1_t)
|
||||||
kernel_get_selinuxfs_mount_point($1_t)
|
kernel_get_selinuxfs_mount_point($1_t)
|
||||||
# Very permissive allowing every domain to see every type.
|
# Very permissive allowing every domain to see every type:
|
||||||
kernel_get_sysvipc_info($1_t)
|
kernel_get_sysvipc_info($1_t)
|
||||||
# Find CDROM devices
|
# Find CDROM devices:
|
||||||
kernel_read_device_sysctl($1_t)
|
kernel_read_device_sysctl($1_t)
|
||||||
|
# GNOME checks for usb and other devices:
|
||||||
|
kernel_modify_usb_hardware_config_option($1_t)
|
||||||
|
|
||||||
corenetwork_network_tcp_on_all_interfaces($1_t)
|
corenetwork_network_tcp_on_all_interfaces($1_t)
|
||||||
corenetwork_network_raw_on_all_interfaces($1_t)
|
corenetwork_network_raw_on_all_interfaces($1_t)
|
||||||
@ -247,19 +283,12 @@ allow $1_t removable_device_t:blk_file r_file_perms;
|
|||||||
}
|
}
|
||||||
allow $1_t usbtty_device_t:chr_file read;
|
allow $1_t usbtty_device_t:chr_file read;
|
||||||
|
|
||||||
# GNOME checks for usb and other devices
|
|
||||||
rw_dir_file($1_t,usbfs_t)
|
|
||||||
|
|
||||||
can_exec($1_t, noexattrfile)
|
can_exec($1_t, noexattrfile)
|
||||||
|
|
||||||
# for running TeX programs
|
# for running TeX programs
|
||||||
r_dir_file($1_t, tetex_data_t)
|
r_dir_file($1_t, tetex_data_t)
|
||||||
can_exec($1_t, tetex_data_t)
|
can_exec($1_t, tetex_data_t)
|
||||||
|
|
||||||
type $1_tmpfs_t, file_type, sysadmfile, tmpfsfile;
|
|
||||||
file_type_auto_trans($1_t, tmpfs_t, $1_tmpfs_t)
|
|
||||||
allow $1_tmpfs_t tmpfs_t:filesystem associate;
|
|
||||||
|
|
||||||
# Run programs developed by other users in the same domain.
|
# Run programs developed by other users in the same domain.
|
||||||
|
|
||||||
can_resmgrd_connect($1_t)
|
can_resmgrd_connect($1_t)
|
||||||
@ -378,25 +407,15 @@ define(`user_domain_template', `
|
|||||||
base_user_domain($1)
|
base_user_domain($1)
|
||||||
|
|
||||||
typeattribute $1_t unpriv_userdomain; #, web_client_domain, nscd_client_domain;
|
typeattribute $1_t unpriv_userdomain; #, web_client_domain, nscd_client_domain;
|
||||||
domain_make_domain($1_t)
|
|
||||||
domain_make_file_descriptors_widely_inheritable($1_t)
|
domain_make_file_descriptors_widely_inheritable($1_t)
|
||||||
|
|
||||||
type $1_devpts_t; # userpty_type, user_tty_type;
|
#typeattribute $1_devpts_t userpty_type, user_tty_type;
|
||||||
terminal_make_user_pseudoterminal($1_t,$1_devpts_t)
|
#typeattribute $1_home_dir_t user_home_dir_type;
|
||||||
|
#typeattribute $1_home_t user_home_type;
|
||||||
|
|
||||||
# Type for home directory.
|
#typeattribute $1_tmp_t, user_tmpfile;
|
||||||
type $1_home_dir_t, home_dir_type, home_type; #, user_home_dir_type;
|
|
||||||
files_make_file($1_home_dir_t)
|
|
||||||
|
|
||||||
# Type for files and directories in the home directory
|
#typeattribute $1_tty_device_t user_tty_type;
|
||||||
type $1_home_t, $1_file_type, home_type; #, user_home_type;
|
|
||||||
files_make_file($1_home_t)
|
|
||||||
|
|
||||||
type $1_tmp_t, $1_file_type; #, user_tmpfile
|
|
||||||
files_make_temporary_file($1_tmp_t)
|
|
||||||
|
|
||||||
type $1_tty_device_t; #, sysadmfile, ttyfile, user_tty_type, dev_fs;
|
|
||||||
terminal_make_physical_terminal($1_t,$1_tty_device_t)
|
|
||||||
|
|
||||||
##############################
|
##############################
|
||||||
#
|
#
|
||||||
@ -591,27 +610,14 @@ base_user_domain($1)
|
|||||||
|
|
||||||
typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain;
|
typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain;
|
||||||
kernel_make_object_identity_change_constraint_exception($1_t)
|
kernel_make_object_identity_change_constraint_exception($1_t)
|
||||||
domain_make_domain($1_t)
|
|
||||||
role system_r types $1_t;
|
role system_r types $1_t;
|
||||||
|
|
||||||
#ifdef(`direct_sysadm_daemon', `, priv_system_role')
|
#ifdef(`direct_sysadm_daemon', `, priv_system_role')
|
||||||
#; dnl end of sysadm_t type declaration
|
#; dnl end of sysadm_t type declaration
|
||||||
|
|
||||||
# Type and access for pty devices.
|
typeattribute $1_devpts_t admin_terminal;
|
||||||
type $1_devpts_t, admin_terminal;
|
|
||||||
terminal_make_pseudoterminal($1_devpts_t)
|
|
||||||
|
|
||||||
type $1_home_t, $1_file_type; #, home_type;
|
typeattribute $1_tty_device_t admin_terminal;
|
||||||
files_make_file($1_home_t)
|
|
||||||
|
|
||||||
type $1_home_dir_t; #, home_dir_type, home_type;
|
|
||||||
files_make_file($1_home_t)
|
|
||||||
|
|
||||||
type $1_tmp_t, $1_file_type;
|
|
||||||
files_make_temporary_file($1_tmp_t)
|
|
||||||
|
|
||||||
type $1_tty_device_t, admin_terminal;
|
|
||||||
terminal_make_physical_terminal($1_t,$1_tty_device_t)
|
|
||||||
|
|
||||||
##############################
|
##############################
|
||||||
#
|
#
|
||||||
@ -663,6 +669,12 @@ kernel_compute_selinux_access_vector($1_t)
|
|||||||
kernel_compute_selinux_create_context($1_t)
|
kernel_compute_selinux_create_context($1_t)
|
||||||
kernel_compute_selinux_relabel_context($1_t)
|
kernel_compute_selinux_relabel_context($1_t)
|
||||||
kernel_compute_selinux_reachable_user_contexts($1_t)
|
kernel_compute_selinux_reachable_user_contexts($1_t)
|
||||||
|
# signal unlabeled processes:
|
||||||
|
kernel_kill_unlabeled_process($1_t)
|
||||||
|
kernel_signal_unlabeled_process($1_t)
|
||||||
|
kernel_sigstop_unlabeled_process($1_t)
|
||||||
|
kernel_signull_unlabeled_process($1_t)
|
||||||
|
kernel_sigchld_unlabeled_process($1_t)
|
||||||
|
|
||||||
corenetwork_bind_tcp_on_general_port($1_t)
|
corenetwork_bind_tcp_on_general_port($1_t)
|
||||||
|
|
||||||
@ -689,6 +701,13 @@ authlogin_relabel_all_files_except_shadow($1_t)
|
|||||||
|
|
||||||
domain_set_all_domains_priorities($1_t)
|
domain_set_all_domains_priorities($1_t)
|
||||||
domain_read_all_domains_process_state($1_t)
|
domain_read_all_domains_process_state($1_t)
|
||||||
|
# signal all domains:
|
||||||
|
domain_kill_all_domains($1_t)
|
||||||
|
domain_signal_all_domains($1_t)
|
||||||
|
domain_signull_all_domains($1_t)
|
||||||
|
domain_sigstop_all_domains($1_t)
|
||||||
|
domain_sigstop_all_domains($1_t)
|
||||||
|
domain_sigchld_all_domains($1_t)
|
||||||
|
|
||||||
files_execute_system_source_code_scripts($1_t)
|
files_execute_system_source_code_scripts($1_t)
|
||||||
|
|
||||||
@ -719,9 +738,6 @@ allow $1_t shadow_t:file getattr;
|
|||||||
# for lsof
|
# for lsof
|
||||||
allow $1_t mtrr_device_t:file getattr;
|
allow $1_t mtrr_device_t:file getattr;
|
||||||
|
|
||||||
# Send signals to all processes.
|
|
||||||
allow $1_t { domain unlabeled_t }:process signal_perms;
|
|
||||||
|
|
||||||
allow $1_t serial_device:chr_file setattr;
|
allow $1_t serial_device:chr_file setattr;
|
||||||
|
|
||||||
# allow setting up tunnels
|
# allow setting up tunnels
|
||||||
|
Loading…
Reference in New Issue
Block a user