sediff fixes
parent
ab58ad00cd
commit
da4fc9ce2b
@ -183,7 +183,7 @@ interface(`term_dontaudit_use_console',`
|
|||||||
type console_device_t;
|
type console_device_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
dontaudit $1 console_device_t:chr_file { read write };
|
dontaudit $1 console_device_t:chr_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -364,11 +364,10 @@ interface(`term_dontaudit_use_generic_pty',`
|
|||||||
interface(`term_use_controlling_term',`
|
interface(`term_use_controlling_term',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type devtty_t;
|
type devtty_t;
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
dev_list_all_dev_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 devtty_t:chr_file { getattr read write ioctl };
|
allow $1 devtty_t:chr_file { rw_term_perms lock append };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -668,11 +667,10 @@ interface(`term_write_unallocated_ttys',`
|
|||||||
interface(`term_use_unallocated_tty',`
|
interface(`term_use_unallocated_tty',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type tty_device_t;
|
type tty_device_t;
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
dev_list_all_dev_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 tty_device_t:chr_file { getattr read write ioctl };
|
allow $1 tty_device_t:chr_file { rw_term_perms lock append };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
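Review bot: `term_use_controlling_term` and `term_use_unallocated_tty` now grant `lock` and `append` on top of `rw_term_perms`, and nothing in the visible lines says why a caller that only reads and writes its terminal needs them. The literal set `{ rw_term_perms lock append }` is repeated in both interfaces and again in `init_use_script_pty` later in this commit, so a single named permission set would keep the three in step. At minimum add a comment such as `# lock and append added to match the access reported by sediff`, if that is the reason. The `##` documentation headers of these interfaces lie outside the hunks, so whether they describe the wider access cannot be checked from here.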
|
@ -142,7 +142,7 @@ miscfiles_read_localization(apmd_t)
|
|||||||
modutils_domtrans_insmod(apmd_t)
|
modutils_domtrans_insmod(apmd_t)
|
||||||
modutils_read_module_conf(apmd_t)
|
modutils_read_module_conf(apmd_t)
|
||||||
|
|
||||||
seutil_dontaudit_search_config(apmd_t)
|
seutil_dontaudit_read_config(apmd_t)
|
||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fd(apmd_t)
|
userdom_dontaudit_use_unpriv_user_fd(apmd_t)
|
||||||
userdom_dontaudit_search_sysadm_home_dir(apmd_t)
|
userdom_dontaudit_search_sysadm_home_dir(apmd_t)
|
||||||
@ -191,6 +191,10 @@ optional_policy(`clock.te',`
|
|||||||
clock_rw_adjtime(apmd_t)
|
clock_rw_adjtime(apmd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`cron.te',`
|
||||||
|
cron_domtrans_anacron_system_job(apmd_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`logrotate.te',`
|
optional_policy(`logrotate.te',`
|
||||||
logrotate_use_fd(apmd_t)
|
logrotate_use_fd(apmd_t)
|
||||||
')
|
')
|
||||||
@ -221,7 +225,6 @@ ifdef(`TODO',`
|
|||||||
allow apmd_t proc_t:file write;
|
allow apmd_t proc_t:file write;
|
||||||
allow apmd_t user_tty_type:chr_file { ioctl read getattr lock write append };
|
allow apmd_t user_tty_type:chr_file { ioctl read getattr lock write append };
|
||||||
optional_policy(`cron.te',`
|
optional_policy(`cron.te',`
|
||||||
domain_auto_trans(apmd_t, anacron_exec_t, system_crond_t)
|
|
||||||
allow apmd_t crond_t:fifo_file { getattr read write ioctl };
|
allow apmd_t crond_t:fifo_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
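Review bot: Replacing `seutil_dontaudit_search_config(apmd_t)` with `seutil_dontaudit_read_config(apmd_t)` silences more denials than before, and the line carries no comment saying which apmd behaviour triggers them. dontaudit rules remove the AVC records an analyst would otherwise use to notice a confined daemon touching the SELinux configuration, so the justification belongs next to the call, e.g. `# dontaudit: <reason apmd reads selinux_config_t>`. The same applies to the `seutil_dontaudit_read_config(cardmgr_t)` line added later in this commit.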
|
@ -161,9 +161,10 @@ optional_policy(`rhgb.te',`
|
|||||||
#
|
#
|
||||||
|
|
||||||
allow bluetooth_helper_t self:capability sys_nice;
|
allow bluetooth_helper_t self:capability sys_nice;
|
||||||
|
allow bluetooth_helper_t self:process getsched;
|
||||||
allow bluetooth_helper_t self:fifo_file rw_file_perms;
|
allow bluetooth_helper_t self:fifo_file rw_file_perms;
|
||||||
allow bluetooth_helper_t self:shm create_shm_perms;
|
allow bluetooth_helper_t self:shm create_shm_perms;
|
||||||
allow bluetooth_helper_t self:unix_stream_socket create_stream_socket_perms;
|
allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||||
|
|
||||||
allow bluetooth_helper_t bluetooth_t:socket { read write };
|
allow bluetooth_helper_t bluetooth_t:socket { read write };
|
||||||
|
|
||||||
|
@ -33,7 +33,7 @@ allow canna_t self:unix_dgram_socket create_stream_socket_perms;
|
|||||||
allow canna_t self:tcp_socket create_stream_socket_perms;
|
allow canna_t self:tcp_socket create_stream_socket_perms;
|
||||||
|
|
||||||
allow canna_t canna_log_t:file create_file_perms;
|
allow canna_t canna_log_t:file create_file_perms;
|
||||||
allow canna_t canna_log_t:dir rw_dir_perms;
|
allow canna_t canna_log_t:dir { rw_dir_perms setattr };
|
||||||
logging_create_log(canna_t,canna_log_t,{ file dir })
|
logging_create_log(canna_t,canna_log_t,{ file dir })
|
||||||
|
|
||||||
allow canna_t canna_var_lib_t:dir create_dir_perms;
|
allow canna_t canna_var_lib_t:dir create_dir_perms;
|
||||||
@ -54,6 +54,7 @@ corenet_tcp_sendrecv_all_if(canna_t)
|
|||||||
corenet_raw_sendrecv_all_if(canna_t)
|
corenet_raw_sendrecv_all_if(canna_t)
|
||||||
corenet_tcp_sendrecv_all_nodes(canna_t)
|
corenet_tcp_sendrecv_all_nodes(canna_t)
|
||||||
corenet_raw_sendrecv_all_nodes(canna_t)
|
corenet_raw_sendrecv_all_nodes(canna_t)
|
||||||
|
corenet_tcp_sendrecv_all_ports(canna_t)
|
||||||
corenet_tcp_bind_all_nodes(canna_t)
|
corenet_tcp_bind_all_nodes(canna_t)
|
||||||
corenet_tcp_connect_all_ports(canna_t)
|
corenet_tcp_connect_all_ports(canna_t)
|
||||||
|
|
||||||
|
@ -324,7 +324,7 @@ interface(`cron_system_entry',`
|
|||||||
allow $1 system_crond_t:fifo_file rw_file_perms;
|
allow $1 system_crond_t:fifo_file rw_file_perms;
|
||||||
allow $1 system_crond_t:process sigchld;
|
allow $1 system_crond_t:process sigchld;
|
||||||
|
|
||||||
allow $1 crond_t:fifo_file { getattr read write ioctl };
|
allow $1 crond_t:fifo_file rw_file_perms;
|
||||||
allow $1 crond_t:fd use;
|
allow $1 crond_t:fd use;
|
||||||
allow $1 crond_t:process sigchld;
|
allow $1 crond_t:process sigchld;
|
||||||
')
|
')
|
||||||
@ -416,6 +416,27 @@ interface(`cron_search_spool',`
|
|||||||
allow $1 cron_spool_t:dir search;
|
allow $1 cron_spool_t:dir search;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute APM in the apm domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`cron_domtrans_anacron_system_job',`
|
||||||
|
gen_require(`
|
||||||
|
type system_crond_t, anacron_exec_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
domain_auto_trans($1,anacron_exec_t,system_crond_t)
|
||||||
|
|
||||||
|
allow $1 system_crond_t:fd use;
|
||||||
|
allow system_crond_t $1:fd use;
|
||||||
|
allow system_crond_t $1:fifo_file rw_file_perms;
|
||||||
|
allow system_crond_t $1:process sigchld;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Inherit and use a file descriptor
|
## Inherit and use a file descriptor
|
||||||
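Review bot: The `<summary>` added above `cron_domtrans_anacron_system_job` reads `Execute APM in the apm domain.`, which describes a different interface; the body transitions the caller to `system_crond_t` through `anacron_exec_t`. Change it to something like `## Execute anacron in the cron system job domain.` so the generated interface documentation does not misstate which domain the caller ends up in. The `<param>` text could likewise say `## Domain allowed to transition.` rather than the generic "allowed access", since the interface also lets `system_crond_t` use the caller's file descriptors and fifo files.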
|
@ -75,6 +75,7 @@ corenet_tcp_sendrecv_all_nodes(dovecot_t)
|
|||||||
corenet_raw_sendrecv_all_nodes(dovecot_t)
|
corenet_raw_sendrecv_all_nodes(dovecot_t)
|
||||||
corenet_tcp_sendrecv_all_ports(dovecot_t)
|
corenet_tcp_sendrecv_all_ports(dovecot_t)
|
||||||
corenet_tcp_bind_all_nodes(dovecot_t)
|
corenet_tcp_bind_all_nodes(dovecot_t)
|
||||||
|
corenet_tcp_connect_all_ports(dovecot_t)
|
||||||
|
|
||||||
dev_read_sysfs(dovecot_t)
|
dev_read_sysfs(dovecot_t)
|
||||||
dev_read_urand(dovecot_t)
|
dev_read_urand(dovecot_t)
|
||||||
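Review bot: The added `corenet_tcp_connect_all_ports(dovecot_t)` lets the mail daemon open outbound TCP connections to any port, and the hunk gives no reason for it. If the connection is only needed for one backend (an authentication or directory service, say), a port-specific connect interface would keep a compromised dovecot process from reaching arbitrary services. If the broad rule has to stay, record why beside it, e.g. `# needed for <service>; narrow to its port type when one exists`.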
|
@ -823,10 +823,9 @@ interface(`files_create_root',`
|
|||||||
interface(`files_dontaudit_read_root_file',`
|
interface(`files_dontaudit_read_root_file',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type root_t;
|
type root_t;
|
||||||
class file read;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
dontaudit $1 root_t:file read;
|
dontaudit $1 root_t:file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -2150,7 +2149,7 @@ interface(`files_search_var',`
|
|||||||
type var_t;
|
type var_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 var_t:dir search;
|
allow $1 var_t:dir search_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -2215,11 +2214,9 @@ interface(`files_manage_var_dirs',`
|
|||||||
interface(`files_read_var_files',`
|
interface(`files_read_var_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type var_t;
|
type var_t;
|
||||||
class dir search;
|
|
||||||
class file r_file_perms;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 var_t:dir search;
|
allow $1 var_t:dir search_dir_perms;
|
||||||
allow $1 var_t:file r_file_perms;
|
allow $1 var_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -2253,11 +2250,9 @@ interface(`files_manage_var_files',`
|
|||||||
interface(`files_read_var_symlink',`
|
interface(`files_read_var_symlink',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type var_t;
|
type var_t;
|
||||||
class dir search;
|
|
||||||
class lnk_file { getattr read };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 var_t:dir search;
|
allow $1 var_t:dir search_dir_perms;
|
||||||
allow $1 var_t:lnk_file { getattr read };
|
allow $1 var_t:lnk_file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -2273,8 +2268,6 @@ interface(`files_read_var_symlink',`
|
|||||||
interface(`files_manage_var_symlinks',`
|
interface(`files_manage_var_symlinks',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type var_t;
|
type var_t;
|
||||||
class dir rw_dir_perms;
|
|
||||||
class lnk_file create_lnk_perms;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 var_t:dir rw_dir_perms;
|
allow $1 var_t:dir rw_dir_perms;
|
||||||
@ -2321,10 +2314,9 @@ interface(`files_create_var',`
|
|||||||
interface(`files_getattr_var_lib_dir',`
|
interface(`files_getattr_var_lib_dir',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type var_t, var_lib_t;
|
type var_t, var_lib_t;
|
||||||
class dir getattr;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 var_t:dir search;
|
allow $1 var_t:dir search_dir_perms;
|
||||||
allow $1 var_lib_t:dir getattr;
|
allow $1 var_lib_t:dir getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -2339,10 +2331,9 @@ interface(`files_getattr_var_lib_dir',`
|
|||||||
interface(`files_search_var_lib',`
|
interface(`files_search_var_lib',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type var_t, var_lib_t;
|
type var_t, var_lib_t;
|
||||||
class dir search;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 { var_t var_lib_t }:dir search;
|
allow $1 { var_t var_lib_t }:dir search_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -2356,10 +2347,9 @@ interface(`files_search_var_lib',`
|
|||||||
interface(`files_list_var_lib',`
|
interface(`files_list_var_lib',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type var_t, var_lib_t;
|
type var_t, var_lib_t;
|
||||||
class dir r_dir_perms;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 var_t:dir search;
|
allow $1 var_t:dir search_dir_perms;
|
||||||
allow $1 var_lib_t:dir r_dir_perms;
|
allow $1 var_lib_t:dir r_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -2383,7 +2373,7 @@ interface(`files_create_var_lib',`
|
|||||||
class dir rw_dir_perms;
|
class dir rw_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 var_t:dir search;
|
allow $1 var_t:dir search_dir_perms;
|
||||||
allow $1 var_lib_t:dir rw_dir_perms;
|
allow $1 var_lib_t:dir rw_dir_perms;
|
||||||
|
|
||||||
ifelse(`$3',`',`
|
ifelse(`$3',`',`
|
||||||
@ -2406,7 +2396,7 @@ interface(`files_read_var_lib_files',`
|
|||||||
type var_t, var_lib_t;
|
type var_t, var_lib_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 { var_t var_lib_t }:dir search;
|
allow $1 { var_t var_lib_t }:dir search_dir_perms;
|
||||||
allow $1 var_lib_t:file r_file_perms;
|
allow $1 var_lib_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -2423,7 +2413,7 @@ interface(`files_read_var_lib_symlinks',`
|
|||||||
type var_t, var_lib_t;
|
type var_t, var_lib_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 { var_t var_lib_t }:dir search;
|
allow $1 { var_t var_lib_t }:dir search_dir_perms;
|
||||||
allow $1 var_lib_t:lnk_file { getattr read };
|
allow $1 var_lib_t:lnk_file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -2434,11 +2424,9 @@ interface(`files_read_var_lib_symlinks',`
|
|||||||
interface(`files_manage_urandom_seed',`
|
interface(`files_manage_urandom_seed',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type var_t, var_lib_t;
|
type var_t, var_lib_t;
|
||||||
class dir rw_file_perms;
|
|
||||||
class file { getattr create read write setattr unlink };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 var_t:dir search;
|
allow $1 var_t:dir search_dir_perms;
|
||||||
allow $1 var_lib_t:dir rw_dir_perms;
|
allow $1 var_lib_t:dir rw_dir_perms;
|
||||||
allow $1 var_lib_t:file { getattr create read write setattr unlink };
|
allow $1 var_lib_t:file { getattr create read write setattr unlink };
|
||||||
')
|
')
|
||||||
@ -2449,12 +2437,10 @@ interface(`files_manage_urandom_seed',`
|
|||||||
#
|
#
|
||||||
interface(`files_search_locks',`
|
interface(`files_search_locks',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type var_t;
|
type var_t, var_lock_t;
|
||||||
type var_lock_t;
|
|
||||||
class dir search;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 { var_t var_lock_t }:dir search;
|
allow $1 { var_t var_lock_t }:dir search_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -2488,7 +2474,7 @@ interface(`files_rw_locks_dir',`
|
|||||||
type var_t, var_lock_t;
|
type var_t, var_lock_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 var_t:dir search;
|
allow $1 var_t:dir search_dir_perms;
|
||||||
allow $1 var_lock_t:dir rw_dir_perms;
|
allow $1 var_lock_t:dir rw_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -2498,13 +2484,10 @@ interface(`files_rw_locks_dir',`
|
|||||||
#
|
#
|
||||||
interface(`files_getattr_generic_locks',`
|
interface(`files_getattr_generic_locks',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type var_t;
|
type var_t, var_lock_t;
|
||||||
type var_lock_t;
|
|
||||||
class dir r_dir_perms;
|
|
||||||
class file getattr;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 var_t:dir search;
|
allow $1 var_t:dir search_dir_perms;
|
||||||
allow $1 var_lock_t:dir r_dir_perms;
|
allow $1 var_lock_t:dir r_dir_perms;
|
||||||
allow $1 var_lock_t:file getattr;
|
allow $1 var_lock_t:file getattr;
|
||||||
')
|
')
|
||||||
@ -2516,8 +2499,6 @@ interface(`files_getattr_generic_locks',`
|
|||||||
interface(`files_manage_generic_locks',`
|
interface(`files_manage_generic_locks',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type var_lock_t;
|
type var_lock_t;
|
||||||
class dir { getattr search create read write setattr add_name remove_name rmdir };
|
|
||||||
class file { getattr create read write setattr unlink };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 var_lock_t:dir { getattr search create read write setattr add_name remove_name rmdir };
|
allow $1 var_lock_t:dir { getattr search create read write setattr add_name remove_name rmdir };
|
||||||
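Review bot: `files_dontaudit_read_root_file` now suppresses `getattr` as well as `read` on `root_t` files (`dontaudit $1 root_t:file { getattr read };`), so the interface does more than its name says. Its `##` summary is outside the hunk; if it still speaks only of reading, update it to something like `## Do not audit attempts to get the attributes of or read files in the root directory.` so callers know which denials they are hiding from the audit log.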
|
@ -610,11 +610,10 @@ interface(`init_unix_connect_script',`
|
|||||||
interface(`init_use_script_pty',`
|
interface(`init_use_script_pty',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type initrc_devpts_t;
|
type initrc_devpts_t;
|
||||||
class chr_file rw_term_perms;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
term_list_ptys($1)
|
term_list_ptys($1)
|
||||||
allow $1 initrc_devpts_t:chr_file rw_term_perms;
|
allow $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -35,8 +35,13 @@ files_type(shlib_t)
|
|||||||
# texrel_shlib_t is the type of shared objects in the system lib
|
# texrel_shlib_t is the type of shared objects in the system lib
|
||||||
# directories, which require text relocation.
|
# directories, which require text relocation.
|
||||||
#
|
#
|
||||||
type texrel_shlib_t;
|
|
||||||
files_type(texrel_shlib_t)
|
ifdef(`targeted_policy',`
|
||||||
|
typealias lib_t alias texrel_shlib_t;
|
||||||
|
',`
|
||||||
|
type texrel_shlib_t;
|
||||||
|
files_type(texrel_shlib_t)
|
||||||
|
')
|
||||||
|
|
||||||
kernel_use_ld_so_from(lib_t,ld_so_t,ld_so_cache_t)
|
kernel_use_ld_so_from(lib_t,ld_so_t,ld_so_cache_t)
|
||||||
kernel_use_shared_libs_from(lib_t,{ shlib_t texrel_shlib_t })
|
kernel_use_shared_libs_from(lib_t,{ shlib_t texrel_shlib_t })
|
||||||
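Review bot: Under `targeted_policy` the new `typealias lib_t alias texrel_shlib_t;` makes the two names one type, so any rule written elsewhere against `texrel_shlib_t` now applies to every `lib_t` file. If other modules grant text-relocation access on `texrel_shlib_t` (not visible in this hunk), that access would extend to all system libraries in the targeted build. A comment above the `ifdef` would make the trade-off explicit, e.g. `# targeted: texrel libraries are not labelled separately, so rules on texrel_shlib_t apply to all of lib_t`.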
|
@ -150,10 +150,6 @@ userdom_dontaudit_search_sysadm_home_dir(auditd_t)
|
|||||||
# cjp: this is questionable
|
# cjp: this is questionable
|
||||||
userdom_use_sysadm_tty(auditd_t)
|
userdom_use_sysadm_tty(auditd_t)
|
||||||
|
|
||||||
ifdef(`targeted_policy',`
|
|
||||||
unconfined_domain_template(auditd_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`selinuxutil.te',`
|
optional_policy(`selinuxutil.te',`
|
||||||
seutil_sigchld_newrole(auditd_t)
|
seutil_sigchld_newrole(auditd_t)
|
||||||
')
|
')
|
||||||
|
@ -32,9 +32,10 @@ domain_entry_file(cardmgr_t,cardctl_exec_t)
|
|||||||
# Use capabilities (net_admin for route), setuid for cardctl
|
# Use capabilities (net_admin for route), setuid for cardctl
|
||||||
allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };
|
allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };
|
||||||
dontaudit cardmgr_t self:capability sys_tty_config;
|
dontaudit cardmgr_t self:capability sys_tty_config;
|
||||||
|
allow cardmgr_t self:process signal_perms;
|
||||||
|
allow cardmgr_t self:fifo_file rw_file_perms;
|
||||||
allow cardmgr_t self:unix_dgram_socket create_socket_perms;
|
allow cardmgr_t self:unix_dgram_socket create_socket_perms;
|
||||||
allow cardmgr_t self:unix_stream_socket create_socket_perms;
|
allow cardmgr_t self:unix_stream_socket create_socket_perms;
|
||||||
allow cardmgr_t self:fifo_file rw_file_perms;
|
|
||||||
|
|
||||||
allow cardmgr_t cardmgr_lnk_t:lnk_file create_lnk_perms;
|
allow cardmgr_t cardmgr_lnk_t:lnk_file create_lnk_perms;
|
||||||
dev_create_dev_node(cardmgr_t,cardmgr_lnk_t,lnk_file)
|
dev_create_dev_node(cardmgr_t,cardmgr_lnk_t,lnk_file)
|
||||||
@ -124,6 +125,7 @@ ifdef(`targeted_policy', `
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinuxutils.te',`
|
optional_policy(`selinuxutils.te',`
|
||||||
|
seutil_dontaudit_read_config(cardmgr_t)
|
||||||
seutil_sigchld_newrole(cardmgr_t)
|
seutil_sigchld_newrole(cardmgr_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
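Review bot: The new `seutil_dontaudit_read_config(cardmgr_t)` is placed inside ``optional_policy(`selinuxutils.te',` ``, while the auditd section of this same commit keys its block on `selinuxutil.te`. If the module is named `selinuxutil`, the cardmgr block never matches and both the added line and the existing `seutil_sigchld_newrole(cardmgr_t)` are dead policy. The enclosing `optional_policy` line is context rather than part of this change, but it is worth correcting to ``optional_policy(`selinuxutil.te',` `` in the same commit so the new rule takes effect.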
|
@ -486,8 +486,6 @@ interface(`seutil_dontaudit_search_config',`
|
|||||||
interface(`seutil_dontaudit_read_config',`
|
interface(`seutil_dontaudit_read_config',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type selinux_config_t;
|
type selinux_config_t;
|
||||||
class dir search;
|
|
||||||
class file { getattr read };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
dontaudit $1 selinux_config_t:dir search;
|
dontaudit $1 selinux_config_t:dir search;
|
||||||
|
@ -65,6 +65,7 @@ ifdef(`targeted_policy',`
|
|||||||
|
|
||||||
# dont need to use the full role_change()
|
# dont need to use the full role_change()
|
||||||
allow sysadm_r system_r;
|
allow sysadm_r system_r;
|
||||||
|
allow sysadm_r user_r;
|
||||||
allow user_r system_r;
|
allow user_r system_r;
|
||||||
allow user_r sysadm_r;
|
allow user_r sysadm_r;
|
||||||
allow system_r sysadm_r;
|
allow system_r sysadm_r;
|
||||||
|
@ -194,7 +194,7 @@ define(`create_shm_perms', `{ associate getattr setattr create destroy read writ
|
|||||||
#
|
#
|
||||||
# Directory
|
# Directory
|
||||||
#
|
#
|
||||||
define(`search_dir_perms',`{ search }')
|
define(`search_dir_perms',`{ getattr search }')
|
||||||
define(`getattr_dir_perms',`{ getattr }')
|
define(`getattr_dir_perms',`{ getattr }')
|
||||||
define(`setattr_dir_perms',`{ setattr }')
|
define(`setattr_dir_perms',`{ setattr }')
|
||||||
define(`list_dir_perms',`{ getattr search read lock ioctl }')
|
define(`list_dir_perms',`{ getattr search read lock ioctl }')
|
||||||
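Review bot: Redefining `search_dir_perms` as `{ getattr search }` widens every rule that expands the macro, not only the interfaces converted in this commit, and the name no longer states what it grants. Add a comment on the define, e.g. `# getattr included: <reason>`, so the extra permission reads as deliberate. Existing callers outside this page should also be checked for places where plain `search` was intended, in particular any `dontaudit` rules, where the added permission would hide further denials.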
|