targeted policy fixes
This commit is contained in:
		
							parent
							
								
									af4752bcb9
								
							
						
					
					
						commit
						de764944d8
					
				| @ -4,3 +4,4 @@ system_r:local_login_t:s0 system_r:unconfined_t:s0 | |||||||
| system_r:remote_login_t:s0	system_r:unconfined_t:s0 | system_r:remote_login_t:s0	system_r:unconfined_t:s0 | ||||||
| system_r:rshd_t:s0		system_r:unconfined_t:s0 | system_r:rshd_t:s0		system_r:unconfined_t:s0 | ||||||
| system_r:crond_t:s0		system_r:unconfined_t:s0 | system_r:crond_t:s0		system_r:unconfined_t:s0 | ||||||
|  | system_r:sshd_t:s0		system_r:unconfined_t:s0 | ||||||
|  | |||||||
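Review bot: The new row `system_r:sshd_t:s0	system_r:unconfined_t:s0` is keyed on the daemon domain that performs the login, so it only takes effect for sessions spawned from sshd_t, and the same row is added to what look like three separate copies of this table (two `:s0` variants and one without a level) with nothing on the page tying them together. A login-handling domain missing from one copy gets no default context in that policy variant, so the three files need to be kept in lockstep; if the build has a single source these are generated from, the addition belongs there rather than in each copy. The rows visible here all map to unconfined_t, which is consistent for a targeted policy, but the page does not show whether other login domains in this policy still lack an entry.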
| @ -4,3 +4,4 @@ system_r:local_login_t:s0 system_r:unconfined_t:s0 | |||||||
| system_r:remote_login_t:s0	system_r:unconfined_t:s0 | system_r:remote_login_t:s0	system_r:unconfined_t:s0 | ||||||
| system_r:rshd_t:s0		system_r:unconfined_t:s0 | system_r:rshd_t:s0		system_r:unconfined_t:s0 | ||||||
| system_r:crond_t:s0		system_r:unconfined_t:s0 | system_r:crond_t:s0		system_r:unconfined_t:s0 | ||||||
|  | system_r:sshd_t:s0		system_r:unconfined_t:s0 | ||||||
|  | |||||||
| @ -4,3 +4,4 @@ system_r:local_login_t system_r:unconfined_t | |||||||
| system_r:remote_login_t		system_r:unconfined_t | system_r:remote_login_t		system_r:unconfined_t | ||||||
| system_r:rshd_t			system_r:unconfined_t | system_r:rshd_t			system_r:unconfined_t | ||||||
| system_r:crond_t		system_r:unconfined_t | system_r:crond_t		system_r:unconfined_t | ||||||
|  | system_r:sshd_t			system_r:unconfined_t | ||||||
|  | |||||||
| @ -11,7 +11,6 @@ init_daemon_domain(apmd_t,apmd_exec_t) | |||||||
| 
 | 
 | ||||||
| type apm_t; | type apm_t; | ||||||
| domain_type(apm_t) | domain_type(apm_t) | ||||||
| role sysadm_r types apm_t; |  | ||||||
| role system_r types apm_t; | role system_r types apm_t; | ||||||
| 
 | 
 | ||||||
| type apm_exec_t; | type apm_exec_t; | ||||||
|  | |||||||
| @ -163,6 +163,8 @@ template(`ssh_per_userdomain_template',` | |||||||
| 	sysnet_dns_name_resolve($1_ssh_t) | 	sysnet_dns_name_resolve($1_ssh_t) | ||||||
| 
 | 
 | ||||||
| 	userdom_use_unpriv_users_fd($1_ssh_t) | 	userdom_use_unpriv_users_fd($1_ssh_t) | ||||||
|  | 	# Write to the user domain tty. | ||||||
|  | 	userdom_use_user_terminals($1,$1_ssh_t) | ||||||
| 
 | 
 | ||||||
| 	tunable_policy(`read_default_t',` | 	tunable_policy(`read_default_t',` | ||||||
| 		files_list_default($1_ssh_t) | 		files_list_default($1_ssh_t) | ||||||
| @ -220,11 +222,6 @@ template(`ssh_per_userdomain_template',` | |||||||
| 	# Inherit and use descriptors from gnome-pty-helper. | 	# Inherit and use descriptors from gnome-pty-helper. | ||||||
| 	ifdef(`gnome-pty-helper.te', `allow $1_ssh_t $1_gph_t:fd use;') | 	ifdef(`gnome-pty-helper.te', `allow $1_ssh_t $1_gph_t:fd use;') | ||||||
| 
 | 
 | ||||||
| 	# Write to the user domain tty. |  | ||||||
| 	allow $1_ssh_t $1_tty_device_t:chr_file { read write getattr ioctl }; |  | ||||||
| 	allow $1_ssh_t devpts_t:dir { read search getattr }; |  | ||||||
| 	allow $1_ssh_t $1_devpts_t:chr_file { read write getattr ioctl }; |  | ||||||
| 
 |  | ||||||
| 	# allow ps to show ssh | 	# allow ps to show ssh | ||||||
| 	can_ps($1_t, $1_ssh_t) | 	can_ps($1_t, $1_ssh_t) | ||||||
| 
 | 
 | ||||||
|  | |||||||
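Review bot: The removed block granted three things — `$1_tty_device_t:chr_file`, `$1_devpts_t:chr_file` and `devpts_t:dir { read search getattr }` — and the replacement `userdom_use_user_terminals($1,$1_ssh_t)` is defined outside this page, so it is not visible whether it also covers the /dev/pts directory traversal; if it grants only the two chr_file rules, $1_ssh_t can no longer search devpts_t to reach its pty. Check the interface body in the userdomain module before merging, and if the directory access is missing keep `allow $1_ssh_t devpts_t:dir { read search getattr };` (or the terminal-module interface that grants it) next to the new call. The comment moved with the call, `# Write to the user domain tty.`, now undersells what the interface name suggests it grants; `# Read/write the user's tty and pty devices (covers the former tty/devpts allow rules).` would match the new code. The ssh_per_userdomain_template continues on both sides of this hunk.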
| @ -423,6 +423,23 @@ interface(`auth_read_lastlog',` | |||||||
| 	allow $1 lastlog_t:file { getattr read }; | 	allow $1 lastlog_t:file { getattr read }; | ||||||
| ') | ') | ||||||
| 
 | 
 | ||||||
|  | ####################################### | ||||||
|  | ## <summary> | ||||||
|  | ##	Append only to the last logins log. | ||||||
|  | ## </summary> | ||||||
|  | ## <param name="domain"> | ||||||
|  | ##	Domain allowed access. | ||||||
|  | ## </param> | ||||||
|  | # | ||||||
|  | interface(`auth_append_lastlog',` | ||||||
|  | 	gen_require(` | ||||||
|  | 		type lastlog_t; | ||||||
|  | 	') | ||||||
|  | 
 | ||||||
|  | 	logging_search_logs($1) | ||||||
|  | 	allow $1 lastlog_t:file { getattr lock append }; | ||||||
|  | ') | ||||||
|  | 
 | ||||||
| ####################################### | ####################################### | ||||||
| ## <summary> | ## <summary> | ||||||
| ##	Read and write to the last logins log. | ##	Read and write to the last logins log. | ||||||
|  | |||||||
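Review bot: `allow $1 lastlog_t:file { getattr lock append }` only permits opening lastlog with O_APPEND, whereas lastlog is a fixed-size-record file indexed by UID that updaters write at a computed offset, which requires `write` (presumably what the `auth_rw_lastlog` interface below grants; only its summary is visible here). A login domain given just this new interface would therefore be denied on the record write, so the summary should state the intended access pattern, e.g. `##	Append to the last logins log (O_APPEND opens only; use auth_rw_lastlog to update per-UID records).`, so callers do not pick it as a least-privilege substitute for the rw interface. The `logging_search_logs($1)` call is the right addition for a caller that opens the file by path; check that `auth_read_lastlog`, whose body starts outside this hunk, grants the same directory search for consistency.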