ddbd71a506
Search parent directory to be able to interact with targets content. Search parent directory to be able to interact with targets content. Search parent directory to be able to interact with targets content. Search parent directory to be able to interact with targets content. Search parent directory to be able to interact with targets content. Search parent directory to be able to interact with targets content. Search parent directory to be able to interact with targets content.
200 lines
3.4 KiB
Plaintext
200 lines
3.4 KiB
Plaintext
## <summary> Red Hat Graphical Boot </summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
## RHGB stub interface. No access allowed.
|
|
## </summary>
|
|
## <param name="domain" unused="true">
|
|
## <summary>
|
|
## N/A
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`rhgb_stub',`
|
|
gen_require(`
|
|
type rhgb_t;
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Use a rhgb file descriptor.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`rhgb_use_fds',`
|
|
gen_require(`
|
|
type rhgb_t;
|
|
')
|
|
|
|
allow $1 rhgb_t:fd use;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Get the process group of rhgb.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`rhgb_getpgid',`
|
|
gen_require(`
|
|
type rhgb_t;
|
|
')
|
|
|
|
allow $1 rhgb_t:process getpgid;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send a signal to rhgb.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`rhgb_signal',`
|
|
gen_require(`
|
|
type rhgb_t;
|
|
')
|
|
|
|
allow $1 rhgb_t:process signal;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read and write to unix stream sockets.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`rhgb_rw_stream_sockets',`
|
|
gen_require(`
|
|
type rhgb_t;
|
|
')
|
|
|
|
allow $1 rhgb_t:unix_stream_socket { read write };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to read and write
|
|
## rhgb unix domain stream sockets.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`rhgb_dontaudit_rw_stream_sockets',`
|
|
gen_require(`
|
|
type rhgb_t;
|
|
')
|
|
|
|
dontaudit $1 rhgb_t:unix_stream_socket { read write };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Connected to rhgb unix stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`rhgb_stream_connect',`
|
|
gen_require(`
|
|
type rhgb_t;
|
|
')
|
|
|
|
allow $1 rhgb_t:unix_stream_socket connectto;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read and write to rhgb shared memory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`rhgb_rw_shm',`
|
|
gen_require(`
|
|
type rhgb_t;
|
|
')
|
|
|
|
allow $1 rhgb_t:shm rw_shm_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read from and write to the rhgb devpts.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`rhgb_use_ptys',`
|
|
gen_require(`
|
|
type rhgb_devpts_t;
|
|
')
|
|
|
|
allow $1 rhgb_devpts_t:chr_file rw_term_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## dontaudit Read from and write to the rhgb devpts.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`rhgb_dontaudit_use_ptys',`
|
|
gen_require(`
|
|
type rhgb_devpts_t;
|
|
')
|
|
|
|
dontaudit $1 rhgb_devpts_t:chr_file rw_term_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read and write to rhgb temporary file system.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`rhgb_rw_tmpfs_files',`
|
|
gen_require(`
|
|
type rhgb_tmpfs_t;
|
|
')
|
|
|
|
fs_search_tmpfs($1)
|
|
allow $1 rhgb_tmpfs_t:file rw_file_perms;
|
|
')
|