more fixes
This commit is contained in:
Chris PeBenito
parent
da4fc9ce2b
commit
e6a2eaffdf
@ -2361,5 +2361,5 @@ interface(`fs_unconfined',`
|
||||
# Create/access other files. fs_type is to pick up various
|
||||
# pseudo filesystem types that are applied to both the filesystem
|
||||
# and its files.
|
||||
allow $1 filesystem_type:{ dir lnk_file sock_file fifo_file blk_file } *;
|
||||
allow $1 filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
|
||||
')
|
||||
|
||||
@ -130,11 +130,10 @@ interface(`storage_raw_write_fixed_disk',`
|
||||
gen_require(`
|
||||
attribute fixed_disk_raw_write;
|
||||
type fixed_disk_device_t;
|
||||
class blk_file { getattr write ioctl };
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 fixed_disk_device_t:blk_file { getattr write ioctl };
|
||||
allow $1 fixed_disk_device_t:blk_file { getattr write append ioctl };
|
||||
typeattribute $1 fixed_disk_raw_write;
|
||||
')
|
||||
|
||||
|
||||
@ -326,11 +326,10 @@ interface(`term_ioctl_generic_pty',`
|
||||
interface(`term_use_generic_pty',`
|
||||
gen_require(`
|
||||
type devpts_t;
|
||||
class chr_file { read write };
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 devpts_t:chr_file { read write };
|
||||
allow $1 devpts_t:chr_file { rw_term_perms lock append };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -500,7 +499,7 @@ interface(`term_use_all_user_ptys',`
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 devpts_t:dir r_dir_perms;
|
||||
allow $1 ptynode:chr_file { getattr read write ioctl };
|
||||
allow $1 ptynode:chr_file { rw_term_perms lock append };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -797,11 +796,10 @@ interface(`term_write_all_user_ttys',`
|
||||
interface(`term_use_all_user_ttys',`
|
||||
gen_require(`
|
||||
attribute ttynode;
|
||||
class chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 ttynode:chr_file { getattr read write ioctl };
|
||||
allow $1 ttynode:chr_file { rw_term_perms lock append };
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -148,13 +148,6 @@ userdom_dontaudit_use_unpriv_user_fd(apmd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(apmd_t)
|
||||
userdom_dontaudit_search_all_users_home(apmd_t) # Excessive?
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_tty(apmd_t)
|
||||
term_dontaudit_use_generic_pty(apmd_t)
|
||||
files_dontaudit_read_root_file(apmd_t)
|
||||
unconfined_domain_template(apmd_t)
|
||||
')
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
allow apmd_t apmd_lock_t:file create_file_perms;
|
||||
files_create_lock(apmd_t,apmd_lock_t)
|
||||
@ -162,7 +155,7 @@ ifdef(`distro_redhat',`
|
||||
can_exec(apmd_t, apmd_var_run_t)
|
||||
|
||||
# ifconfig_exec_t needs to be run in its own domain for Red Hat
|
||||
optional_policy(`ifconfig.te',`
|
||||
optional_policy(`sysnetwork.te',`
|
||||
sysnet_domtrans_ifconfig(apmd_t)
|
||||
')
|
||||
|
||||
@ -186,6 +179,13 @@ ifdef(`distro_suse',`
|
||||
files_create_var_lib(apmd_t,apmd_var_lib_t)
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_tty(apmd_t)
|
||||
term_dontaudit_use_generic_pty(apmd_t)
|
||||
files_dontaudit_read_root_file(apmd_t)
|
||||
unconfined_domain_template(apmd_t)
|
||||
')
|
||||
|
||||
optional_policy(`clock.te',`
|
||||
clock_domtrans(apmd_t)
|
||||
clock_rw_adjtime(apmd_t)
|
||||
|
||||
@ -75,6 +75,7 @@ corenet_tcp_sendrecv_all_nodes(dovecot_t)
|
||||
corenet_raw_sendrecv_all_nodes(dovecot_t)
|
||||
corenet_tcp_sendrecv_all_ports(dovecot_t)
|
||||
corenet_tcp_bind_all_nodes(dovecot_t)
|
||||
corenet_tcp_bind_pop_port(dovecot_t)
|
||||
corenet_tcp_connect_all_ports(dovecot_t)
|
||||
|
||||
dev_read_sysfs(dovecot_t)
|
||||
|
||||
@ -77,7 +77,7 @@ corecmd_exec_shell(fingerd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(fingerd_t)
|
||||
|
||||
files_getattr_home_dir(fingerd_t)
|
||||
files_search_home(fingerd_t)
|
||||
files_read_etc_files(fingerd_t)
|
||||
files_read_etc_runtime_files(fingerd_t)
|
||||
|
||||
|
||||
@ -44,19 +44,23 @@ allow ftpd_t self:unix_stream_socket create_socket_perms;
|
||||
allow ftpd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow ftpd_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow ftpd_t ftpd_etc_t:file { getattr read };
|
||||
allow ftpd_t ftpd_etc_t:file r_file_perms;
|
||||
|
||||
allow ftpd_t ftpd_tmp_t:dir create_dir_perms;
|
||||
allow ftpd_t ftpd_tmp_t:file create_file_perms;
|
||||
files_create_tmp_files(ftpd_t, ftpd_tmp_t, { file dir })
|
||||
|
||||
allow ftpd_t ftpd_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow ftpd_t ftpd_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
|
||||
allow ftpd_t ftpd_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow ftpd_t ftpd_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
|
||||
allow ftpd_t ftpd_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow ftpd_t ftpd_tmpfs_t:fifo_file create_file_perms;
|
||||
allow ftpd_t ftpd_tmpfs_t:dir create_dir_perms;
|
||||
allow ftpd_t ftpd_tmpfs_t:file create_file_perms;
|
||||
allow ftpd_t ftpd_tmpfs_t:lnk_file create_lnk_perms;
|
||||
allow ftpd_t ftpd_tmpfs_t:sock_file create_file_perms;
|
||||
fs_create_tmpfs_data(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
allow ftpd_t ftpd_var_run_t:file create_file_perms;
|
||||
allow ftpd_t ftpd_var_run_t:dir rw_dir_perms;
|
||||
files_create_pid(ftpd_t,ftpd_var_run_t)
|
||||
|
||||
# Create and modify /var/log/xferlog.
|
||||
allow ftpd_t xferlog_t:file create_file_perms;
|
||||
logging_create_log(ftpd_t,xferlog_t)
|
||||
@ -86,6 +90,7 @@ corenet_tcp_connect_all_ports(ftpd_t)
|
||||
|
||||
term_dontaudit_use_console(ftpd_t)
|
||||
|
||||
auth_domtrans_chk_passwd(ftpd_t)
|
||||
# Append to /var/log/wtmp.
|
||||
auth_append_login_records(ftpd_t)
|
||||
#kerberized ftp requires the following
|
||||
@ -190,6 +195,10 @@ optional_policy(`mount.te',`
|
||||
mount_send_nfs_client_request(ftpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`nscd.te',`
|
||||
nscd_use_socket(ftpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_sigchld_newrole(ftpd_t)
|
||||
')
|
||||
|
||||
@ -23,6 +23,7 @@ files_pid_file(hald_var_run_t)
|
||||
|
||||
allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio };
|
||||
dontaudit hald_t self:capability sys_tty_config;
|
||||
allow hald_t self:process signal_perms;
|
||||
allow hald_t self:fifo_file rw_file_perms;
|
||||
allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow hald_t self:unix_dgram_socket create_socket_perms;
|
||||
@ -45,8 +46,10 @@ kernel_read_kernel_sysctl(hald_t)
|
||||
kernel_write_proc_file(hald_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(hald_t)
|
||||
corenet_udp_sendrecv_all_if(hald_t)
|
||||
corenet_raw_sendrecv_all_if(hald_t)
|
||||
corenet_tcp_sendrecv_all_nodes(hald_t)
|
||||
corenet_udp_sendrecv_all_nodes(hald_t)
|
||||
corenet_raw_sendrecv_all_nodes(hald_t)
|
||||
corenet_tcp_sendrecv_all_ports(hald_t)
|
||||
corenet_tcp_bind_all_nodes(hald_t)
|
||||
|
||||
@ -144,9 +144,7 @@ optional_policy(`unconfined.te', `
|
||||
unconfined_domtrans(inetd_t)
|
||||
')
|
||||
|
||||
# This should be tunable_policy, but leaving
|
||||
# ifdef until typeattribute works in conditionals
|
||||
ifdef(`unlimitedInetd', `
|
||||
ifdef(`targeted_policy',`
|
||||
unconfined_domain_template(inetd_t)
|
||||
')
|
||||
|
||||
@ -184,8 +182,10 @@ kernel_read_system_state(inetd_child_t)
|
||||
kernel_read_network_state(inetd_child_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(inetd_child_t)
|
||||
corenet_udp_sendrecv_all_if(inetd_child_t)
|
||||
corenet_raw_sendrecv_all_if(inetd_child_t)
|
||||
corenet_tcp_sendrecv_all_nodes(inetd_child_t)
|
||||
corenet_udp_sendrecv_all_nodes(inetd_child_t)
|
||||
corenet_raw_sendrecv_all_nodes(inetd_child_t)
|
||||
corenet_tcp_bind_all_nodes(inetd_child_t)
|
||||
corenet_tcp_sendrecv_all_ports(inetd_child_t)
|
||||
|
||||
@ -248,7 +248,7 @@ interface(`mailman_read_archive',`
|
||||
type mailman_archive_t;
|
||||
')
|
||||
|
||||
allow $1 mailman_archive_t:dir { getattr read search };
|
||||
allow $1 mailman_archive_t:file { read getattr };
|
||||
allow $1 mailman_archive_t:dir list_dir_perms;
|
||||
allow $1 mailman_archive_t:file r_file_perms;
|
||||
allow $1 mailman_archive_t:lnk_file { getattr read };
|
||||
')
|
||||
|
||||
@ -121,6 +121,7 @@ libs_exec_lib_files(squid_t)
|
||||
|
||||
logging_send_syslog_msg(squid_t)
|
||||
|
||||
miscfiles_read_certs(squid_t)
|
||||
miscfiles_read_localization(squid_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(squid_t)
|
||||
@ -172,7 +173,7 @@ optional_policy(`rhgb.te',`
|
||||
ifdef(`apache.te',`
|
||||
can_tcp_connect(squid_t, httpd_t)
|
||||
')
|
||||
r_dir_file(squid_t, cert_t)
|
||||
|
||||
ifdef(`winbind.te', `
|
||||
domain_auto_trans(squid_t, winbind_helper_exec_t, winbind_helper_t)
|
||||
allow winbind_helper_t squid_t:tcp_socket rw_socket_perms;
|
||||
|
||||
@ -1322,10 +1322,9 @@ interface(`files_create_etc_config',`
|
||||
interface(`files_dontaudit_search_isid_type_dir',`
|
||||
gen_require(`
|
||||
type file_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
dontaudit $1 file_t:dir search;
|
||||
dontaudit $1 file_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1566,10 +1565,9 @@ interface(`files_dontaudit_getattr_home_dir',`
|
||||
interface(`files_search_home',`
|
||||
gen_require(`
|
||||
type home_root_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
allow $1 home_root_t:dir search;
|
||||
allow $1 home_root_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1584,10 +1582,9 @@ interface(`files_search_home',`
|
||||
interface(`files_dontaudit_search_home',`
|
||||
gen_require(`
|
||||
type home_root_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
dontaudit $1 home_root_t:dir search;
|
||||
dontaudit $1 home_root_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -2565,10 +2562,9 @@ interface(`files_dontaudit_getattr_pid_dir',`
|
||||
interface(`files_search_pids',`
|
||||
gen_require(`
|
||||
type var_t, var_run_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
allow $1 var_t:dir search;
|
||||
allow $1 var_t:dir search_dir_perms;
|
||||
allow $1 var_run_t:dir search;
|
||||
')
|
||||
|
||||
@ -2599,7 +2595,7 @@ interface(`files_list_pids',`
|
||||
class dir r_dir_perms;
|
||||
')
|
||||
|
||||
allow $1 var_t:dir search;
|
||||
allow $1 var_t:dir search_dir_perms;
|
||||
allow $1 var_run_t:dir r_dir_perms;
|
||||
')
|
||||
|
||||
@ -2613,7 +2609,7 @@ interface(`files_create_pid',`
|
||||
class dir rw_dir_perms;
|
||||
')
|
||||
|
||||
allow $1 var_t:dir search;
|
||||
allow $1 var_t:dir search_dir_perms;
|
||||
allow $1 var_run_t:dir rw_dir_perms;
|
||||
|
||||
ifelse(`$3',`',`
|
||||
@ -2650,7 +2646,6 @@ interface(`files_rw_generic_pids',`
|
||||
interface(`files_dontaudit_write_all_pids',`
|
||||
gen_require(`
|
||||
attribute pidfile;
|
||||
class file write;
|
||||
')
|
||||
|
||||
dontaudit $1 pidfile:file write;
|
||||
@ -2667,7 +2662,6 @@ interface(`files_dontaudit_write_all_pids',`
|
||||
interface(`files_dontaudit_ioctl_all_pids',`
|
||||
gen_require(`
|
||||
attribute pidfile;
|
||||
class file ioctl;
|
||||
')
|
||||
|
||||
dontaudit $1 pidfile:file ioctl;
|
||||
@ -2681,11 +2675,9 @@ interface(`files_read_all_pids',`
|
||||
gen_require(`
|
||||
attribute pidfile;
|
||||
type var_t;
|
||||
class dir r_dir_perms;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 var_t:dir search;
|
||||
allow $1 var_t:dir search_dir_perms;
|
||||
allow $1 pidfile:dir r_dir_perms;
|
||||
allow $1 pidfile:file r_file_perms;
|
||||
')
|
||||
|
||||
@ -38,7 +38,7 @@ files_pid_file(getty_var_run_t)
|
||||
|
||||
# Use capabilities.
|
||||
allow getty_t self:capability { dac_override chown sys_resource sys_tty_config fowner fsetid };
|
||||
allow getty_t self:process { getpgid getsession };
|
||||
allow getty_t self:process { getpgid getsession signal_perms };
|
||||
|
||||
allow getty_t getty_etc_t:dir r_dir_perms;
|
||||
allow getty_t getty_etc_t:file r_file_perms;
|
||||
@ -47,14 +47,15 @@ files_create_etc_config(getty_t,getty_etc_t,{ file dir })
|
||||
allow getty_t getty_lock_t:file create_file_perms;
|
||||
files_create_lock(getty_t,getty_lock_t)
|
||||
|
||||
allow getty_t getty_log_t:file { getattr append setattr };
|
||||
allow getty_t getty_log_t:file create_file_perms;
|
||||
logging_create_log(getty_t,getty_log_t)
|
||||
|
||||
allow getty_t getty_tmp_t:file { getattr create read setattr write setattr unlink };
|
||||
allow getty_t getty_tmp_t:dir { getattr search create read setattr write setattr unlink rmdir };
|
||||
allow getty_t getty_tmp_t:file create_file_perms;
|
||||
allow getty_t getty_tmp_t:dir create_dir_perms;
|
||||
files_create_tmp_files(getty_t,getty_tmp_t,{ file dir })
|
||||
|
||||
allow getty_t getty_var_run_t:file create_file_perms;
|
||||
allow getty_t getty_var_run_t:dir create_dir_perms;
|
||||
allow getty_t getty_var_run_t:dir rw_dir_perms;
|
||||
files_create_pid(getty_t,getty_var_run_t)
|
||||
|
||||
dev_read_sysfs(getty_t)
|
||||
@ -90,11 +91,6 @@ logging_send_syslog_msg(getty_t)
|
||||
|
||||
miscfiles_read_localization(getty_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
#
|
||||
# getty needs to be able to run pppd
|
||||
#
|
||||
ifdef(`pppd.te', `
|
||||
domain_auto_trans(getty_t, pppd_exec_t, pppd_t)
|
||||
optional_policy(`ppp.te',`
|
||||
ppp_domtrans(getty_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
||||
@ -19,6 +19,7 @@ role system_r types hostname_t;
|
||||
# for setting the hostname
|
||||
allow hostname_t self:process { sigchld sigkill sigstop signull signal };
|
||||
allow hostname_t self:capability sys_admin;
|
||||
allow hostname_t self:unix_stream_socket create_stream_socket_perms;
|
||||
dontaudit hostname_t self:capability sys_tty_config;
|
||||
|
||||
kernel_dontaudit_use_fd(hostname_t)
|
||||
|
||||
@ -14,6 +14,7 @@ init_daemon_domain(hotplug_t,hotplug_exec_t)
|
||||
type hotplug_etc_t; #, usercanread;
|
||||
files_type(hotplug_etc_t)
|
||||
kernel_search_from(hotplug_etc_t)
|
||||
domain_entry_file(hotplug_t,hotplug_etc_t)
|
||||
|
||||
type hotplug_var_run_t;
|
||||
files_pid_file(hotplug_var_run_t)
|
||||
@ -27,7 +28,7 @@ allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
|
||||
dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config };
|
||||
# for access("/etc/bashrc", X_OK) on Red Hat
|
||||
dontaudit hotplug_t self:capability { dac_override dac_read_search };
|
||||
allow hotplug_t self:process { getsession getattr };
|
||||
allow hotplug_t self:process { getsession getattr signal_perms };
|
||||
allow hotplug_t self:fifo_file rw_file_perms;
|
||||
allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow hotplug_t self:udp_socket create_socket_perms;
|
||||
@ -36,11 +37,11 @@ allow hotplug_t self:tcp_socket connected_stream_socket_perms;
|
||||
allow hotplug_t hotplug_etc_t:file r_file_perms;
|
||||
allow hotplug_t hotplug_etc_t:dir r_dir_perms;
|
||||
allow hotplug_t hotplug_etc_t:lnk_file r_file_perms;
|
||||
can_exec(hotplug_t,hotplug_etc_t)
|
||||
|
||||
allow hotplug_t hotplug_exec_t:file { getattr read ioctl execute execute_no_trans };
|
||||
allow hotplug_t hotplug_etc_t:file { getattr read execute execute_no_trans };
|
||||
can_exec(hotplug_t,hotplug_exec_t)
|
||||
|
||||
allow hotplug_t hotplug_var_run_t:file { getattr create read write append setattr unlink };
|
||||
allow hotplug_t hotplug_var_run_t:file manage_file_perms;
|
||||
files_create_pid(hotplug_t,hotplug_var_run_t)
|
||||
|
||||
kernel_sigchld(hotplug_t)
|
||||
|
||||
@ -616,6 +616,23 @@ interface(`init_use_script_pty',`
|
||||
allow $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read and
|
||||
## write the init script pty.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`init_dontaudit_use_script_pty',`
|
||||
gen_require(`
|
||||
type initrc_devpts_t;
|
||||
')
|
||||
|
||||
dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read init scripts.
|
||||
@ -634,19 +651,6 @@ interface(`init_read_script_file',`
|
||||
allow $1 initrc_exec_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# init_dontaudit_use_script_pty(domain)
|
||||
#
|
||||
interface(`init_dontaudit_use_script_pty',`
|
||||
gen_require(`
|
||||
type initrc_devpts_t;
|
||||
class chr_file { read write ioctl };
|
||||
')
|
||||
|
||||
dontaudit $1 initrc_devpts_t:chr_file { read write ioctl };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write init script temporary data.
|
||||
|
||||
@ -49,8 +49,6 @@ files_create_pid(cardmgr_t,cardmgr_var_run_t)
|
||||
|
||||
kernel_read_system_state(cardmgr_t)
|
||||
kernel_read_kernel_sysctl(cardmgr_t)
|
||||
kernel_list_proc(cardmgr_t)
|
||||
kernel_read_proc_symlinks(cardmgr_t)
|
||||
kernel_dontaudit_getattr_message_if(cardmgr_t)
|
||||
|
||||
bootloader_search_kernel_modules(cardmgr_t)
|
||||
@ -118,13 +116,13 @@ sysnet_manage_config(cardmgr_t)
|
||||
userdom_dontaudit_use_unpriv_user_fd(cardmgr_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(cardmgr_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_tty(cardmgr_t)
|
||||
term_dontaudit_use_generic_pty(cardmgr_t)
|
||||
files_dontaudit_read_root_file(cardmgr_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinuxutils.te',`
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_dontaudit_read_config(cardmgr_t)
|
||||
seutil_sigchld_newrole(cardmgr_t)
|
||||
')
|
||||
|
||||
@ -141,7 +141,7 @@ interface(`sysnet_rw_dhcp_config',`
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 dhcp_etc_t:file { getattr read };
|
||||
allow $1 dhcp_etc_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -244,7 +244,7 @@ rhgb_domain(dhcpc_t)
|
||||
#
|
||||
|
||||
allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
|
||||
allow ifconfig_t self:capability { net_admin sys_tty_config };
|
||||
allow ifconfig_t self:capability { net_raw net_admin sys_tty_config };
|
||||
dontaudit ifconfig_t self:capability sys_module;
|
||||
|
||||
allow ifconfig_t self:fd use;
|
||||
|
||||
@ -1781,7 +1781,7 @@ interface(`userdom_dontaudit_search_sysadm_home_dir',`
|
||||
type sysadm_home_dir_t;
|
||||
')
|
||||
|
||||
dontaudit $1 sysadm_home_dir_t:dir search;
|
||||
dontaudit $1 sysadm_home_dir_t:dir { getattr search };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1849,7 +1849,7 @@ interface(`userdom_dontaudit_search_all_users_home',`
|
||||
attribute home_dir_type, home_type;
|
||||
')
|
||||
|
||||
dontaudit $1 { home_dir_type home_type }:dir search;
|
||||
dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
Loading…
Reference in New Issue
Block a user