a3c99dc617
- Add option to generate custom policy for a confined user
From 21aa1fb602540d26e3ccad46ab59922da1810dd8 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 29 Nov 2023 10:38:48 +0100
Subject: [PATCH] Add option to generate custom policy for a confined user
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Udica can now generate cil policy for a confined user using a list of
macros.
The macros are based on policy templates created by Patrik Končitý:
https://github.com/Koncpa/confined-users-policy
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
setup.py | 1 +
udica/__main__.py | 332 +-
udica/confined_user.py | 134 +
udica/macros/confined_user_macros.cil | 4367 +++++++++++++++++++++++++
4 files changed, 4719 insertions(+), 115 deletions(-)
create mode 100644 udica/confined_user.py
create mode 100644 udica/macros/confined_user_macros.cil
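--- a/setup.py
+++ b/setup.py
@@ -37,6 +37,7 @@ setuptools.setup(
     data_files=[
         ("/usr/share/licenses/udica", ["LICENSE"]),
         ("/usr/share/udica/ansible", ["udica/ansible/deploy-module.yml"]),
+        ("/usr/share/udica/macros", ["udica/macros/confined_user_macros.cil"]),
     ],
     # scripts=["bin/udica"],
     entry_points={"console_scripts": ["udica=udica.__main__:main"]},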
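--- a/udica/__main__.py
+++ b/udica/__main__.py
@@ -13,8 +13,9 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <https://www.gnu.org/licenses/>.
 
-import subprocess
 import argparse
+import subprocess
+import sys
 
 # import udica
 from udica.parse import parse_avc_file
@@ -25,116 +26,214 @@ from udica.policy import create_policy, load_policy, generate_playbook
 
 
 def get_args():
-    parser = argparse.ArgumentParser(
-        description="Script generates SELinux policy for running container."
-    )
-    parser.add_argument("-V", "--version", action="version", version=version)
-    parser.add_argument(
-        type=str, help="Name for SELinux policy module", dest="ContainerName"
-    )
-    parser.add_argument(
-        "-i",
-        "--container-id",
-        type=str,
-        help="Running container ID",
-        dest="ContainerID",
-        default=None,
-    )
-    parser.add_argument(
-        "-j",
-        "--json",
-        help='Load json from this file, use "-j -" for stdin',
-        required=False,
-        dest="JsonFile",
-        default=None,
-    )
-    parser.add_argument(
-        "--full-network-access",
-        help="Allow container full Network access ",
-        required=False,
-        dest="FullNetworkAccess",
-        action="store_true",
-    )
-    parser.add_argument(
-        "--tty-access",
-        help="Allow container to read and write the controlling terminal ",
-        required=False,
-        dest="TtyAccess",
-        action="store_true",
-    )
-    parser.add_argument(
-        "--X-access",
-        help="Allow container to communicate with Xserver ",
-        required=False,
-        dest="XAccess",
-        action="store_true",
-    )
-    parser.add_argument(
-        "--virt-access",
-        help="Allow container to communicate with libvirt ",
-        required=False,
-        dest="VirtAccess",
-        action="store_true",
-    )
-    parser.add_argument(
-        "-s",
-        "--stream-connect",
-        help="Allow container to stream connect with given SELinux domain ",
-        required=False,
-        dest="StreamConnect",
-    )
-    parser.add_argument(
-        "-l",
-        "--load-modules",
-        help="Load templates and module created by this tool ",
-        required=False,
-        dest="LoadModules",
-        action="store_true",
-    )
-    parser.add_argument(
-        "-c",
-        "--caps",
-        help='List of capabilities, e.g "-c AUDIT_WRITE,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,MKNOD,NET_BIND_SERVICE,NET_RAW,SETFCAP,SETGID,SETPCAP,SETUID,SYS_CHROOT"',
-        required=False,
-        dest="Caps",
-        default=None,
-    )
-    parser.add_argument(
-        "--devices",
-        type=str,
-        help='List of devices the container should have access to, e.g "--devices /dev/dri/card0,/dev/dri/renderD128"',
-        dest="Devices",
-        required=False,
-        default=None,
-    )
-    parser.add_argument(
-        "-d",
-        "--ansible",
-        help="Generate ansible playbook to deploy SELinux policy for containers ",
-        required=False,
-        dest="Ansible",
-        action="store_true",
-    )
-    parser.add_argument(
-        "-a",
-        "--append-rules",
-        type=str,
-        help="Append more SELinux allow rules from file",
-        dest="FileAVCS",
-        required=False,
-        default=None,
-    )
-    parser.add_argument(
-        "-e",
-        "--container-engine",
-        type=str,
-        help="Specify which container engine is used for the inspected container (supports: {})".format(
-            ", ".join(ENGINE_ALL)
-        ),
-        dest="ContainerEngine",
-        required=False,
-        default="-",
-    )
+    if "confined_user" in sys.argv:
+        # set up confined_user parser (do not show normal "udica" options)
+        parser = argparse.ArgumentParser(
+            description="SELinux confined user policy generator"
+        )
+        parser.add_argument("confined_user")
+        parser.add_argument(
+            "-a",
+            "--admin_commands",
+            action="store_true",
+            default=False,
+            dest="admin_commands",
+            help="Use administrative commands (vipw, passwd, ...)",
+        )
+        parser.add_argument(
+            "-g",
+            "--graphical_login",
+            action="store_true",
+            default=False,
+            dest="graphical_login",
+            help="Use graphical login environment",
+        )
+        parser.add_argument(
+            "-m",
+            "--mozilla_usage",
+            action="store_true",
+            default=False,
+            dest="mozilla_usage",
+            help="Use mozilla firefox",
+        )
+        parser.add_argument(
+            "-n",
+            "--networking",
+            action="store_true",
+            default=False,
+            dest="networking",
+            help="Manage basic networking (ip, ifconfig, traceroute, tcpdump, ...)",
+        )
+        parser.add_argument(
+            "-d",
+            "--security_advanced",
+            action="store_true",
+            default=False,
+            dest="security_advanced",
+            help="Manage SELinux settings (semanage, semodule, sepolicy, ...)",
+        )
+        parser.add_argument(
+            "-i",
+            "--security_basic",
+            action="store_true",
+            default=False,
+            dest="security_basic",
+            help="Use read-only security-related tools (seinfo, getsebool, sesearch, ...)",
+        )
+        parser.add_argument(
+            "-s",
+            "--sudo",
+            action="store_true",
+            default=False,
+            dest="sudo",
+            help="Run commands as root using sudo",
+        )
+        parser.add_argument(
+            "-l",
+            "--user_login",
+            action="store_true",
+            default=False,
+            dest="user_login",
+            help="Basic rules common to all users (tty, pty, ...)",
+        )
+        parser.add_argument(
+            "-c",
+            "--ssh_connect",
+            action="store_true",
+            default=False,
+            dest="ssh_connect",
+            help="Connect over SSH",
+        )
+        parser.add_argument(
+            "-b",
+            "--basic_commands",
+            action="store_true",
+            default=False,
+            dest="basic_commands",
+            help="Use basic commands (date, ls, ps, man, systemctl -user, journalctl -user, passwd, ...)",
+        )
+        parser.add_argument("--level", nargs="?", default="s0", dest="level")
+        parser.add_argument(
+            "--range", nargs="?", default="s0-s0:c0.c1023", dest="range"
+        )
+        parser.add_argument("uname")
+    else:
+        # set up normal udica parser
+        parser = argparse.ArgumentParser(
+            description="Script generates SELinux policy for running container.",
+            prog="udica [confined_user]",
+            formatter_class=argparse.RawDescriptionHelpFormatter,
+            epilog="""Additional options:
+confined_user Generate policy for a new confined user instead of a container policy""",
+        )
+        parser.add_argument("-V", "--version", action="version", version=version)
+        parser.add_argument(
+            type=str, help="Name for SELinux policy module", dest="ContainerName"
+        )
+        parser.add_argument(
+            "-i",
+            "--container-id",
+            type=str,
+            help="Running container ID",
+            dest="ContainerID",
+            default=None,
+        )
+        parser.add_argument(
+            "-j",
+            "--json",
+            help='Load json from this file, use "-j -" for stdin',
+            required=False,
+            dest="JsonFile",
+            default=None,
+        )
+        parser.add_argument(
+            "--full-network-access",
+            help="Allow container full Network access ",
+            required=False,
+            dest="FullNetworkAccess",
+            action="store_true",
+        )
+        parser.add_argument(
+            "--tty-access",
+            help="Allow container to read and write the controlling terminal ",
+            required=False,
+            dest="TtyAccess",
+            action="store_true",
+        )
+        parser.add_argument(
+            "--X-access",
+            help="Allow container to communicate with Xserver ",
+            required=False,
+            dest="XAccess",
+            action="store_true",
+        )
+        parser.add_argument(
+            "--virt-access",
+            help="Allow container to communicate with libvirt ",
+            required=False,
+            dest="VirtAccess",
+            action="store_true",
+        )
+        parser.add_argument(
+            "-s",
+            "--stream-connect",
+            help="Allow container to stream connect with given SELinux domain ",
+            required=False,
+            dest="StreamConnect",
+        )
+        parser.add_argument(
+            "-l",
+            "--load-modules",
+            help="Load templates and module created by this tool ",
+            required=False,
+            dest="LoadModules",
+            action="store_true",
+        )
+        parser.add_argument(
+            "-c",
+            "--caps",
+            help='List of capabilities, e.g "-c AUDIT_WRITE,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,MKNOD,NET_BIND_SERVICE,NET_RAW,SETFCAP,SETGID,SETPCAP,SETUID,SYS_CHROOT"',
+            required=False,
+            dest="Caps",
+            default=None,
+        )
+        parser.add_argument(
+            "--devices",
+            type=str,
+            help='List of devices the container should have access to, e.g "--devices /dev/dri/card0,/dev/dri/renderD128"',
+            dest="Devices",
+            required=False,
+            default=None,
+        )
+        parser.add_argument(
+            "-d",
+            "--ansible",
+            help="Generate ansible playbook to deploy SELinux policy for containers ",
+            required=False,
+            dest="Ansible",
+            action="store_true",
+        )
+        parser.add_argument(
+            "-a",
+            "--append-rules",
+            type=str,
+            help="Append more SELinux allow rules from file",
+            dest="FileAVCS",
+            required=False,
+            default=None,
+        )
+        parser.add_argument(
+            "-e",
+            "--container-engine",
+            type=str,
+            help="Specify which container engine is used for the inspected container (supports: {})".format(
+                ", ".join(ENGINE_ALL)
+            ),
+            dest="ContainerEngine",
+            required=False,
+            default="-",
+        )
+
     args = parser.parse_args()
     return vars(args)
 
@@ -142,6 +241,13 @@ def get_args():
 def main():
     opts = get_args()
 
+    # generate confined user policy
+    if "confined_user" in opts.keys():
+        from udica.confined_user import create_confined_user_policy
+
+        create_confined_user_policy(opts)
+        return
+
     if opts["ContainerID"]:
         container_inspect_raw = None
         for backend in [ENGINE_PODMAN, ENGINE_DOCKER]:
@@ -167,8 +273,6 @@ def main():
 
     if opts["JsonFile"]:
         if opts["JsonFile"] == "-":
-            import sys
-
             container_inspect_raw = sys.stdin.read()
         else:
             import os.path
@@ -182,8 +286,6 @@ def main():
 
     if (not opts["JsonFile"]) and (not opts["ContainerID"]):
         try:
-            import sys
-
             container_inspect_raw = sys.stdin.read()
         except Exception as e:
             print("Couldn't parse inspect data from stdin:", e)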
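--- /dev/null
+++ b/udica/confined_user.py
@@ -0,0 +1,134 @@
+# Copyright (C) 2023 Vit Mojzis, <vmojzis@redhat.com>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+MACRO_CALLS = {
+    "admin_commands": (
+        "(call confinedom_admin_commands_macro ({}))",
+        ("_t", "_r", "_sudo_t"),
+    ),
+    "graphical_login": (
+        "(call confinedom_graphical_login_macro ({}))",
+        ("_t", "_r", "_dbus_t"),
+    ),
+    "mozilla_usage": ("(call confinedom_mozilla_usage_macro ({}))", ("_t", "_r")),
+    "networking": ("(call confinedom_networking_macro ({}))", ("_t", "_r")),
+    "security_advanced": (
+        "(call confinedom_security_advanced_macro ({}))",
+        ("_t", "_r", "_sudo_t", "_userhelper_t"),
+    ),
+    "security_basic": ("(call confinedom_security_basic_macro ({}))", ("_t", "_r")),
+    "sudo": (
+        "(call confinedom_sudo_macro ({}))",
+        ("_t", "_r", "_sudo_t", "_sudo_tmp_t"),
+    ),
+    "user_login": (
+        "(call confinedom_user_login_macro ({}))",
+        ("_t", "_r", "_gkeyringd_t", "_dbus_t", "_exec_content"),
+    ),
+    "ssh_connect": (
+        "(call confined_ssh_connect_macro ({}))",
+        ("_t", "_r", "_ssh_agent_t"),
+    ),
+    "basic_commands": ("(call confined_use_basic_commands_macro ({}))", ("_t", "_r")),
+}
+
+TYPE_DEFS = {
+    "_t": "(type {}_t)",
+    "_r": "(role {}_r)",
+    "_dbus_t": "(type {}_dbus_t)",
+    "_gkeyringd_t": "(type {}_gkeyringd_t)",
+    "_ssh_agent_t": "(type {}_ssh_agent_t)",
+    "_sudo_t": "(type {}_sudo_t)",
+    "_sudo_tmp_t": "(type {}_sudo_tmp_t)",
+    "_userhelper_t": "(type {}_userhelper_t)",
+    "_exec_content": "(boolean {}_exec_content true)",
+}
+
+
+def create_confined_user_policy(opts):
+    # MCS/MLS range handling - needs to be separated into up-to 4 parts
+    # s0-s15:c0.c1023 -> (userrange {uname}_u ((s0 ) (s15 (range c0 c1023))))
+    # s0:c0 -> (userrange {uname}_u ((s0 ) (s0 (c0))))
+    mls_range = opts["range"]
+    mcs_range = ""
+    # separate MCS portion
+    if ":" in opts["range"]:
+        # s0:c0.c1023
+        (mls_range, mcs_range) = opts["range"].split(":")
+    if "-" in mls_range:
+        # s0-s15
+        (range_l, range_h) = mls_range.split("-")
+    else:
+        # s0
+        range_l = mls_range
+        range_h = range_l
+    if mcs_range != "":
+        if "." in mcs_range:
+            # s0:c0.c1023 -> (userrange {uname}_u ((s0 ) (s0 (range c0 c1023))))
+            (mcs_range_l, mcs_range_h) = mcs_range.split(".")
+            mcs_range = "(range {} {})".format(mcs_range_l, mcs_range_h)
+        else:
+            # s0:c0 -> (userrange {uname}_u ((s0 ) (s0 (c0))))
+            mcs_range = "({})".format(mcs_range)
+
+    range = "({} ) ({} {})".format(range_l, range_h, mcs_range)
+
+    defs = set()
+
+    policy = """
+(user {uname}_u)
+(userrole {uname}_u {uname}_r)
+(userlevel {uname}_u ({level}))
+(userrange {uname}_u ({range}))
+""".format(
+        uname=opts["uname"], level=opts["level"], range=range
+    )
+
+    # process arguments determining which macros are to be used
+    for arg, value in opts.items():
+        if not value or arg not in MACRO_CALLS.keys():
+            continue
+        for param in MACRO_CALLS[arg][1]:
+            defs.add(TYPE_DEFS[param].format(opts["uname"]))
+        policy += "\n" + (
+            MACRO_CALLS[arg][0].format(
+                " ".join([opts["uname"] + s for s in MACRO_CALLS[arg][1]])
+            )
+        )
+        # print("{}: {}".format(arg, value))
+
+    policy = "\n".join(sorted(defs)) + policy
+
+    with open("{}.cil".format(opts["uname"]), "w") as f:
+        f.write(policy)
+
+    print("Created {}.cil".format(opts["uname"]))
+    print("Run the following commands to apply the new policy:")
+    print("Install the new policy module")
+    print(
+        "# semodule -i {}.cil /usr/share/udica/macros/confined_user_macros.cil".format(
+            opts["uname"]
+        )
+    )
+    print("Create a default context file for the new user")
+    print(
+        "# sed -e ’s|user|{}|g’ /etc/selinux/targeted/contexts/users/user_u > /etc/selinux/targeted/contexts/users/{}_u".format(
+            opts["uname"], opts["uname"]
+        )
+    )
+    print("Map the new selinux user to an existing user account")
+    print("# semanage login -a -s {}_u {}".format(opts["uname"], opts["uname"]))
+    print("Fix labels in the user's home direcotry")
+    print("# restorecon -RvF /home/{}".format(opts["uname"]))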
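Review bot: create_confined_user_policy() splices `opts["uname"]`, `opts["level"]` and `opts["range"]` straight into the CIL statements and into the output path `"{}.cil".format(opts["uname"])` without validating them, so a name containing a slash, whitespace or parentheses writes the file to an unexpected location or yields a module that semodule rejects, and a malformed range such as `s0-s1-s2` ends in a bare ValueError from the tuple unpacking after `mls_range.split("-")`. A minimal guard at the top of the function would be `if not opts["uname"].isidentifier():` / `    raise ValueError("uname must be a plain identifier: {}".format(opts["uname"]))`, with a similar check that level and range match the `sN[-sM][:cX[.cY]]` shapes the header comments describe. The printed `# sed -e` command uses typographic quotes (U+2019) instead of ASCII `'`, so it fails when pasted into a shell, and "direcotry" in the restorecon message is a typo. The `"_exec_content": "(boolean {}_exec_content true)"` entry in TYPE_DEFS, emitted for `user_login`, presumably mirrors the stock user_exec_content boolean and would benefit from a comment saying what it enables for the new user.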
diff --git a/udica/macros/confined_user_macros.cil b/udica/macros/confined_user_macros.cil
|
||
new file mode 100644
|
||
index 0000000..ddb5689
|
||
--- /dev/null
|
||
+++ b/udica/macros/confined_user_macros.cil
|
||
@@ -0,0 +1,4367 @@
|
||
+(typeattribute login_confinedom)
|
||
+
|
||
+(optional confined_transition_userdomain_optional
|
||
+ (typeattributeset cil_gen_require init_t)
|
||
+ (typeattributeset cil_gen_require xdm_t)
|
||
+ (typeattributeset cil_gen_require login_confinedom)
|
||
+ (typeattributeset cil_gen_require xsession_exec_t)
|
||
+ (allow xdm_t xsession_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow xdm_t login_confinedom (process (transition)))
|
||
+ (allow login_confinedom xdm_t (fd (use)))
|
||
+ (allow login_confinedom xdm_t (fifo_file (ioctl read write getattr lock append open)))
|
||
+ (allow login_confinedom xdm_t (process (sigchld)))
|
||
+)
|
||
+
|
||
+(optional confined_xsession_spec_domtrans_conf_users_optional
|
||
+ (typeattributeset cil_gen_require init_t)
|
||
+ (typeattributeset cil_gen_require xdm_t)
|
||
+ (typeattributeset cil_gen_require login_confinedom)
|
||
+ (allow init_t login_confinedom (process (transition)))
|
||
+)
|
||
+
|
||
+(macro confinedom_admin_commands_macro ((type utype) (role urole) (type sudo_type))
|
||
+ (optional confinedom_admin_commands_optional_2
|
||
+ (roleattributeset cil_gen_require urole)
|
||
+ (roleattributeset cil_gen_require iptables_roles)
|
||
+ (typeattributeset cil_gen_require utype)
|
||
+ (typeattributeset cil_gen_require sudo_type)
|
||
+ (typeattributeset cil_gen_require domain)
|
||
+ (typeattributeset cil_gen_require usbmon_device_t)
|
||
+ (typeattributeset cil_gen_require device_t)
|
||
+ (typeattributeset cil_gen_require non_auth_file_type)
|
||
+ (typeattributeset cil_gen_require selinux_config_t)
|
||
+ (typeattributeset cil_gen_require policy_config_t)
|
||
+ (typeattributeset cil_gen_require etc_t)
|
||
+ (typeattributeset cil_gen_require modules_object_t)
|
||
+ (typeattributeset cil_gen_require file_type)
|
||
+ (typeattributeset cil_gen_require files_unconfined_type)
|
||
+ (typeattributeset cil_gen_require init_var_run_t)
|
||
+ (typeattributeset cil_gen_require init_var_lib_t)
|
||
+ (typeattributeset cil_gen_require var_t)
|
||
+ (typeattributeset cil_gen_require var_lib_t)
|
||
+ (typeattributeset cil_gen_require init_t)
|
||
+ (typeattributeset cil_gen_require iptables_t)
|
||
+ (typeattributeset cil_gen_require iptables_exec_t)
|
||
+ (typeattributeset cil_gen_require bin_t)
|
||
+ (typeattributeset cil_gen_require proc_t)
|
||
+ (typeattributeset cil_gen_require proc_net_t)
|
||
+ (typeattributeset cil_gen_require auditd_t)
|
||
+ (typeattributeset cil_gen_require auditd_etc_t)
|
||
+ (typeattributeset cil_gen_require auditd_log_t)
|
||
+ (typeattributeset cil_gen_require auditd_var_run_t)
|
||
+ (typeattributeset cil_gen_require auditd_initrc_exec_t)
|
||
+ (typeattributeset cil_gen_require auditd_unit_file_t)
|
||
+ (typeattributeset cil_gen_require auditctl_t)
|
||
+ (typeattributeset cil_gen_require auditctl_exec_t)
|
||
+ (typeattributeset cil_gen_require initrc_t)
|
||
+ (typeattributeset cil_gen_require initrc_transition_domain)
|
||
+ (typeattributeset cil_gen_require filesystem_type)
|
||
+ (typeattributeset cil_gen_require can_system_change)
|
||
+ (typeattributeset cil_gen_require systemd_systemctl_exec_t)
|
||
+ (typeattributeset cil_gen_require cgroup_t)
|
||
+ (typeattributeset cil_gen_require tmpfs_t)
|
||
+ (typeattributeset cil_gen_require sysfs_t)
|
||
+ (typeattributeset cil_gen_require efivarfs_t)
|
||
+ (typeattributeset cil_gen_require systemd_unit_file_type)
|
||
+ (typeattributeset cil_gen_require var_run_t)
|
||
+ (typeattributeset cil_gen_require systemd_logind_var_run_t)
|
||
+ (typeattributeset cil_gen_require systemd_passwd_agent_t)
|
||
+ (typeattributeset cil_gen_require systemd_passwd_agent_exec_t)
|
||
+ (typeattributeset cil_gen_require systemd_passwd_var_run_t)
|
||
+ (typeattributeset cil_gen_require syslogd_t)
|
||
+ (typeattributeset cil_gen_require klogd_t)
|
||
+ (typeattributeset cil_gen_require syslog_conf_t)
|
||
+ (typeattributeset cil_gen_require syslogd_tmp_t)
|
||
+ (typeattributeset cil_gen_require syslogd_var_lib_t)
|
||
+ (typeattributeset cil_gen_require syslogd_var_run_t)
|
||
+ (typeattributeset cil_gen_require klogd_var_run_t)
|
||
+ (typeattributeset cil_gen_require klogd_tmp_t)
|
||
+ (typeattributeset cil_gen_require var_log_t)
|
||
+ (typeattributeset cil_gen_require syslogd_initrc_exec_t)
|
||
+ (typeattributeset cil_gen_require logfile)
|
||
+ (typeattributeset cil_gen_require user_home_dir_t)
|
||
+ (typeattributeset cil_gen_require user_home_t)
|
||
+ (typeattributeset cil_gen_require user_home_type)
|
||
+ (typeattributeset cil_gen_require home_root_t)
|
||
+ (typeattributeset cil_gen_require passwd_t)
|
||
+ (typeattributeset cil_gen_require passwd_exec_t)
|
||
+ (roleattributeset cil_gen_require iptables_roles)
|
||
+ (roleattributeset iptables_roles (urole ))
|
||
+ (roleattributeset cil_gen_require urole)
|
||
+ (roletype urole auditctl_t)
|
||
+ (typeattributeset cil_gen_require initrc_transition_domain)
|
||
+ (typeattributeset initrc_transition_domain (utype ))
|
||
+ (typeattributeset cil_gen_require files_unconfined_type)
|
||
+ (typeattributeset files_unconfined_type (utype ))
|
||
+ (typeattributeset cil_gen_require can_system_change)
|
||
+ (typeattributeset can_system_change (utype ))
|
||
+ (allow utype self (capability (net_raw)))
|
||
+ (allow utype self (netlink_generic_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown)))
|
||
+ (allow utype self (netlink_netfilter_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown)))
|
||
+ (allow utype self (netlink_rdma_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown)))
|
||
+ (allow utype self (packet_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown)))
|
||
+ (allow utype self (packet_socket (map)))
|
||
+ (allow sudo_type utype (unix_stream_socket (connectto)))
|
||
+ (allow sudo_type self (bluetooth_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown)))
|
||
+ (allow sudo_type self (capability (net_raw)))
|
||
+ (allow sudo_type self (netlink_generic_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown)))
|
||
+ (allow sudo_type self (netlink_netfilter_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown)))
|
||
+ (allow sudo_type self (netlink_rdma_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown)))
|
||
+ (allow sudo_type self (packet_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown)))
|
||
+ (allow sudo_type self (packet_socket (map)))
|
||
+ (allow utype domain (process (getattr)))
|
||
+ (allow utype usbmon_device_t (chr_file (map)))
|
||
+ (allow utype device_t (dir (getattr open search)))
|
||
+ (allow utype usbmon_device_t (chr_file (ioctl read getattr lock open)))
|
||
+ (allow sudo_type non_auth_file_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow sudo_type non_auth_file_type (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow sudo_type non_auth_file_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow sudo_type non_auth_file_type (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow sudo_type non_auth_file_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow sudo_type non_auth_file_type (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads)))
|
||
+ (allow sudo_type non_auth_file_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow sudo_type non_auth_file_type (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
||
+ (allow sudo_type non_auth_file_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow sudo_type non_auth_file_type (sock_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
||
+ (allow sudo_type etc_t (dir (getattr open search)))
|
||
+ (allow sudo_type selinux_config_t (dir (getattr open search)))
|
||
+ (allow sudo_type policy_config_t (dir (ioctl write getattr lock open add_name search)))
|
||
+ (allow sudo_type policy_config_t (file (create getattr open)))
|
||
+ (allow sudo_type policy_config_t (dir (getattr open search)))
|
||
+ (allow sudo_type policy_config_t (file (ioctl write getattr lock append open)))
|
||
+ (allow sudo_type modules_object_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow sudo_type modules_object_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow sudo_type file_type (dir (ioctl read getattr lock open search)))
|
||
+ (allow sudo_type file_type (dir (getattr open search)))
|
||
+ (allow sudo_type file_type (lnk_file (read getattr)))
|
||
+ (allow sudo_type init_var_run_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow sudo_type init_var_run_t (dir (ioctl write getattr lock open add_name search)))
|
||
+ (allow sudo_type init_var_run_t (dir (create getattr)))
|
||
+ (allow sudo_type var_t (dir (getattr open search)))
|
||
+ (allow sudo_type var_lib_t (dir (getattr open search)))
|
||
+ (allow sudo_type init_var_lib_t (dir (getattr open search)))
|
||
+ (allow sudo_type init_var_lib_t (file (ioctl read getattr map open)))
|
||
+ (allow sudo_type init_t (dir (getattr open search)))
|
||
+ (allow sudo_type init_t (file (ioctl read getattr lock open)))
|
||
+ (allow sudo_type init_t (lnk_file (read getattr)))
|
||
+ (allow sudo_type init_var_run_t (sock_file (write)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype bin_t (lnk_file (read getattr)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype iptables_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow utype iptables_t (process (transition)))
|
||
+ (typetransition utype iptables_exec_t process iptables_t)
|
||
+ (allow iptables_t utype (fd (use)))
|
||
+ (allow iptables_t utype (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow iptables_t utype (process (sigchld)))
|
||
+ (allow utype iptables_exec_t (file (map)))
|
||
+ (allow sudo_type proc_t (dir (getattr open search)))
|
||
+ (allow sudo_type proc_net_t (dir (getattr open search)))
|
||
+ (allow sudo_type proc_net_t (file (ioctl read getattr lock open)))
|
||
+ (allow sudo_type proc_t (dir (getattr open search)))
|
||
+ (allow sudo_type proc_net_t (dir (getattr open search)))
|
||
+ (allow sudo_type proc_net_t (lnk_file (read getattr)))
|
||
+ (allow sudo_type proc_t (dir (getattr open search)))
|
||
+ (allow sudo_type proc_net_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype auditd_t (process (sigchld sigkill sigstop signull signal)))
|
||
+ (allow utype auditd_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype auditd_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype auditd_t (lnk_file (read getattr)))
|
||
+ (allow utype auditd_t (process (getattr)))
|
||
+ (allow utype auditd_etc_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype auditd_etc_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow utype auditd_etc_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype auditd_etc_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow utype auditd_log_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype auditd_log_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow utype auditd_log_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype auditd_log_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow utype auditd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype auditd_var_run_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow utype auditd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype auditd_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow utype auditctl_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow utype auditctl_t (process (transition)))
|
||
+ (typetransition utype auditctl_exec_t process auditctl_t)
|
||
+ (allow auditctl_t utype (fd (use)))
|
||
+ (allow auditctl_t utype (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow auditctl_t utype (process (sigchld)))
|
||
+ (allow utype filesystem_type (dir (getattr open search)))
|
||
+ (allow utype auditd_initrc_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow utype initrc_t (process (transition)))
|
||
+ (typetransition utype auditd_initrc_exec_t process initrc_t)
|
||
+ (allow initrc_t utype (fd (use)))
|
||
+ (allow initrc_t utype (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow initrc_t utype (process (sigchld)))
|
||
+ (allow utype auditd_initrc_exec_t (file (ioctl)))
|
||
+ (allow utype etc_t (dir (getattr open search)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype bin_t (lnk_file (read getattr)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype systemd_systemctl_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
||
+ (allow utype cgroup_t (dir (getattr open search)))
|
||
+ (allow utype cgroup_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype tmpfs_t (dir (getattr open search)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype cgroup_t (dir (getattr open search)))
|
||
+ (allow utype cgroup_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype cgroup_t (dir (getattr open search)))
|
||
+ (allow utype cgroup_t (lnk_file (read getattr)))
|
||
+ (allow utype tmpfs_t (dir (getattr open search)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype efivarfs_t (dir (getattr open search)))
|
||
+ (allow utype efivarfs_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_lib_t (dir (getattr open search)))
|
||
+ (allow utype systemd_unit_file_type (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype init_var_run_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype init_t (dir (getattr open search)))
|
||
+ (allow utype init_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype init_t (lnk_file (read getattr)))
|
||
+ (allow utype init_t (unix_stream_socket (sendto)))
|
||
+ (allow utype var_t (lnk_file (read getattr)))
|
||
+ (allow utype var_run_t (lnk_file (read getattr)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_run_t (dir (getattr open search)))
|
||
+ (allow utype init_var_run_t (dir (getattr open search)))
|
||
+ (allow utype init_var_run_t (sock_file (write getattr append open)))
|
||
+ (allow utype init_t (unix_stream_socket (connectto)))
|
||
+ (allow utype init_t (unix_stream_socket (getattr)))
|
||
+ (dontaudit utype self (process (setrlimit)))
|
||
+ (dontaudit utype self (capability (sys_resource)))
|
||
+ (allow utype var_t (lnk_file (read getattr)))
|
||
+ (allow utype var_run_t (lnk_file (read getattr)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_run_t (dir (getattr open search)))
|
||
+ (allow utype systemd_logind_var_run_t (dir (getattr open search)))
|
||
+ (allow utype systemd_logind_var_run_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype var_t (lnk_file (read getattr)))
|
||
+ (allow utype var_run_t (lnk_file (read getattr)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_run_t (dir (getattr open search)))
|
||
+ (allow utype systemd_logind_var_run_t (dir (getattr open search)))
|
||
+ (allow utype systemd_logind_var_run_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype systemd_passwd_agent_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
||
+ (allow utype init_var_run_t (dir (getattr open search)))
|
||
+ (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype systemd_passwd_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype systemd_passwd_var_run_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
||
+ (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype systemd_passwd_var_run_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
||
+ (allow systemd_passwd_agent_t utype (process (signull)))
|
||
+ (allow systemd_passwd_agent_t utype (unix_dgram_socket (sendto)))
|
||
+ (dontaudit utype self (capability (net_admin sys_ptrace)))
|
||
+ (allow utype auditd_unit_file_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype auditd_unit_file_t (service (start stop status reload enable disable)))
|
||
+ (allow utype auditd_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype auditd_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype auditd_t (lnk_file (read getattr)))
|
||
+ (allow utype auditd_t (process (getattr)))
|
||
+ (allow utype auditd_unit_file_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype auditd_unit_file_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow utype auditd_unit_file_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype auditd_unit_file_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow utype auditd_unit_file_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype auditd_unit_file_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads)))
|
||
+ (allow utype auditd_unit_file_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype auditd_unit_file_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
||
+ (allow utype auditd_unit_file_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype auditd_unit_file_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
||
+ (allow utype auditd_unit_file_t (dir (getattr open search)))
|
||
+ (allow utype auditd_unit_file_t (dir (getattr relabelfrom relabelto)))
|
||
+ (allow utype auditd_unit_file_t (dir (getattr open search)))
|
||
+ (allow utype auditd_unit_file_t (file (getattr relabelfrom relabelto)))
|
||
+ (allow utype auditd_unit_file_t (dir (getattr open search)))
|
||
+ (allow utype auditd_unit_file_t (lnk_file (getattr relabelfrom relabelto)))
|
||
+ (allow utype auditd_unit_file_t (dir (getattr open search)))
|
||
+ (allow utype auditd_unit_file_t (fifo_file (getattr relabelfrom relabelto)))
|
||
+ (allow utype auditd_unit_file_t (dir (getattr open search)))
|
||
+ (allow utype auditd_unit_file_t (sock_file (getattr relabelfrom relabelto)))
|
||
+ (allow utype auditd_unit_file_t (service (start stop status reload enable disable)))
|
||
+ (allow utype self (capability2 (syslog)))
|
||
+ (allow utype syslogd_t (process (sigchld sigkill sigstop signull signal)))
|
||
+ (allow utype klogd_t (process (sigchld sigkill sigstop signull signal)))
|
||
+ (allow utype syslogd_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype syslogd_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype syslogd_t (lnk_file (read getattr)))
|
||
+ (allow utype syslogd_t (process (getattr)))
|
||
+ (allow utype klogd_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype klogd_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype klogd_t (lnk_file (read getattr)))
|
||
+ (allow utype klogd_t (process (getattr)))
|
||
+ (allow utype klogd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype klogd_var_run_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow utype klogd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype klogd_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow utype klogd_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype klogd_tmp_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow utype klogd_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype klogd_tmp_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow utype syslogd_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype syslogd_tmp_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow utype syslogd_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype syslogd_tmp_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow utype syslog_conf_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype syslog_conf_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow utype syslog_conf_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype syslog_conf_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow utype etc_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (typetransition utype etc_t file syslog_conf_t)
|
||
+ (allow utype syslogd_var_lib_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype syslogd_var_lib_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow utype syslogd_var_lib_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype syslogd_var_lib_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow utype syslogd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype syslogd_var_run_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow utype syslogd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype syslogd_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype logfile (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype logfile (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow utype logfile (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype logfile (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow utype logfile (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype logfile (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads)))
|
||
+ (allow utype logfile (file (map)))
|
||
+ (allow utype logfile (dir (getattr relabelfrom relabelto)))
|
||
+ (allow utype logfile (file (getattr relabelfrom relabelto)))
|
||
+ (allow utype filesystem_type (dir (getattr open search)))
|
||
+ (allow utype syslogd_initrc_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow utype initrc_t (process (transition)))
|
||
+ (typetransition utype syslogd_initrc_exec_t process initrc_t)
|
||
+ (allow initrc_t utype (fd (use)))
|
||
+ (allow initrc_t utype (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow initrc_t utype (process (sigchld)))
|
||
+ (allow utype syslogd_initrc_exec_t (file (ioctl)))
|
||
+ (allow utype etc_t (dir (getattr open search)))
|
||
+ (allow sudo_type home_root_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow sudo_type home_root_t (lnk_file (read getattr)))
|
||
+ (allow sudo_type user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow sudo_type user_home_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow sudo_type user_home_type (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow sudo_type user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow sudo_type user_home_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow sudo_type user_home_type (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow sudo_type user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow sudo_type user_home_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow sudo_type user_home_type (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads)))
|
||
+ (allow sudo_type user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow sudo_type user_home_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow sudo_type user_home_type (sock_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
||
+ (allow sudo_type user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow sudo_type user_home_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow sudo_type user_home_type (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
||
+ (allow sudo_type user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (typetransition sudo_type user_home_dir_t fifo_file user_home_t)
|
||
+ (typetransition sudo_type user_home_dir_t sock_file user_home_t)
|
||
+ (typetransition sudo_type user_home_dir_t lnk_file user_home_t)
|
||
+ (typetransition sudo_type user_home_dir_t dir user_home_t)
|
||
+ (typetransition sudo_type user_home_dir_t file user_home_t)
|
||
+ (allow sudo_type bin_t (dir (getattr open search)))
|
||
+ (allow sudo_type bin_t (lnk_file (read getattr)))
|
||
+ (allow sudo_type bin_t (dir (getattr open search)))
|
||
+ (allow sudo_type bin_t (dir (getattr open search)))
|
||
+ (allow sudo_type passwd_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow sudo_type passwd_t (process (transition)))
|
||
+ (typetransition sudo_type passwd_exec_t process passwd_t)
|
||
+ (allow passwd_t sudo_type (fd (use)))
|
||
+ (allow passwd_t sudo_type (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow passwd_t sudo_type (process (sigchld)))
|
||
+ (roletransition urole syslogd_initrc_exec_t process system_r)
|
||
+ (roletransition urole auditd_initrc_exec_t process system_r)
|
||
+ (roleallow urole system_r)
|
||
+ (roleallow urole system_r)
|
||
+ (booleanif (deny_ptrace)
|
||
+ (false
|
||
+ (allow utype auditd_t (process (ptrace)))
|
||
+ (allow utype klogd_t (process (ptrace)))
|
||
+ (allow utype syslogd_t (process (ptrace)))
|
||
+ )
|
||
+ )
|
||
+ (optional confinedom_admin_commands_optional_3
|
||
+ (typeattributeset cil_gen_require tuned_t)
|
||
+ (allow utype tuned_t (dbus (send_msg)))
|
||
+ (allow tuned_t utype (dbus (send_msg)))
|
||
+ )
|
||
+ (optional confinedom_admin_commands_optional_4
|
||
+ (roleattributeset cil_gen_require wireshark_roles)
|
||
+ (typeattributeset cil_gen_require user_home_dir_t)
|
||
+ (typeattributeset cil_gen_require home_root_t)
|
||
+ (typeattributeset cil_gen_require wireshark_t)
|
||
+ (typeattributeset cil_gen_require wireshark_exec_t)
|
||
+ (typeattributeset cil_gen_require wireshark_home_t)
|
||
+ (typeattributeset cil_gen_require wireshark_tmp_t)
|
||
+ (typeattributeset cil_gen_require wireshark_tmpfs_t)
|
||
+ (roleattributeset cil_gen_require wireshark_roles)
|
||
+ (roleattributeset wireshark_roles (urole ))
|
||
+ (allow utype wireshark_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow utype wireshark_t (process (transition)))
|
||
+ (typetransition utype wireshark_exec_t process wireshark_t)
|
||
+ (allow wireshark_t utype (fd (use)))
|
||
+ (allow wireshark_t utype (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow wireshark_t utype (process (sigchld)))
|
||
+ (allow utype wireshark_t (process (sigchld sigkill sigstop signull signal ptrace)))
|
||
+ (allow utype wireshark_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype wireshark_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype wireshark_t (lnk_file (read getattr)))
|
||
+ (allow utype wireshark_t (process (getattr)))
|
||
+ (allow utype wireshark_home_t (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow utype wireshark_tmp_t (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow utype wireshark_tmpfs_t (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow utype wireshark_home_t (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads)))
|
||
+ (allow utype wireshark_tmp_t (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads)))
|
||
+ (allow utype wireshark_tmpfs_t (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads)))
|
||
+ (allow utype wireshark_home_t (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename watch watch_reads)))
|
||
+ (allow utype wireshark_tmpfs_t (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename watch watch_reads)))
|
||
+ (allow utype wireshark_tmpfs_t (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open)))
|
||
+ (allow utype wireshark_tmpfs_t (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype home_root_t (dir (getattr open search)))
|
||
+ (allow utype home_root_t (lnk_file (read getattr)))
|
||
+ (allow utype wireshark_t (shm (getattr read write associate unix_read unix_write lock)))
|
||
+ (typetransition utype user_home_dir_t dir ".wireshark" wireshark_home_t)
|
||
+ )
|
||
+ )
|
||
+)
|
||
+
|
||
+(macro confinedom_graphical_login_macro ((type utype) (role urole) (type dbusd_type))
|
||
+
|
||
+ (optional confinedom_graphical_login_optional_2
|
||
+ (roleattributeset cil_gen_require urole)
|
||
+ (typeattributeset cil_gen_require utype)
|
||
+ (typeattributeset cil_gen_require user_tmpfs_t)
|
||
+ (typeattributeset cil_gen_require bin_t)
|
||
+ (typeattributeset cil_gen_require usr_t)
|
||
+ (typeattributeset cil_gen_require entry_type)
|
||
+ (typeattributeset cil_gen_require exec_type)
|
||
+ (typeattributeset cil_gen_require file_type)
|
||
+ (typeattributeset cil_gen_require non_security_file_type)
|
||
+ (typeattributeset cil_gen_require non_auth_file_type)
|
||
+ (typeattributeset cil_gen_require port_type)
|
||
+ (typeattributeset cil_gen_require device_t)
|
||
+ (typeattributeset cil_gen_require sound_device_t)
|
||
+ (typeattributeset cil_gen_require event_device_t)
|
||
+ (typeattributeset cil_gen_require v4l_device_t)
|
||
+ (typeattributeset cil_gen_require wireless_device_t)
|
||
+ (typeattributeset cil_gen_require configfile)
|
||
+ (typeattributeset cil_gen_require etc_t)
|
||
+ (typeattributeset cil_gen_require home_root_t)
|
||
+ (typeattributeset cil_gen_require lib_t)
|
||
+ (typeattributeset cil_gen_require var_lib_t)
|
||
+ (typeattributeset cil_gen_require var_run_t)
|
||
+ (typeattributeset cil_gen_require tmp_t)
|
||
+ (typeattributeset cil_gen_require init_t)
|
||
+ (typeattributeset cil_gen_require usbfs_t)
|
||
+ (typeattributeset cil_gen_require usb_device_t)
|
||
+ (typeattributeset cil_gen_require noxattrfs)
|
||
+ (typeattributeset cil_gen_require dosfs_t)
|
||
+ (typeattributeset cil_gen_require removable_device_t)
|
||
+ (typeattributeset cil_gen_require proc_t)
|
||
+ (typeattributeset cil_gen_require sysctl_t)
|
||
+ (typeattributeset cil_gen_require sysctl_dev_t)
|
||
+ (typeattributeset cil_gen_require fonts_t)
|
||
+ (typeattributeset cil_gen_require locale_t)
|
||
+ (typeattributeset cil_gen_require mount_t)
|
||
+ (typeattributeset cil_gen_require selinux_config_t)
|
||
+ (typeattributeset cil_gen_require default_context_t)
|
||
+ (typeattributeset cil_gen_require fuse_device_t)
|
||
+ (typeattributeset cil_gen_require user_tmp_t)
|
||
+ (typeattributeset cil_gen_require user_home_t)
|
||
+ (typeattributeset cil_gen_require user_home_dir_t)
|
||
+ (typeattributeset cil_gen_require user_home_type)
|
||
+ (typeattributeset cil_gen_require userdom_filetrans_type)
|
||
+ (typeattributeset cil_gen_require nfs_t)
|
||
+ (typeattributeset cil_gen_require autofs_t)
|
||
+ (typeattributeset cil_gen_require cifs_t)
|
||
+ (typeattributeset cil_gen_require xauth_t)
|
||
+ (typeattributeset cil_gen_require iceauth_t)
|
||
+ (typeattributeset cil_gen_require dridomain)
|
||
+ (typeattributeset cil_gen_require x_userdomain)
|
||
+ (typeattributeset cil_gen_require root_xdrawable_t)
|
||
+ (typeattributeset cil_gen_require xdm_t)
|
||
+ (typeattributeset cil_gen_require xserver_t)
|
||
+ (typeattributeset cil_gen_require xproperty_t)
|
||
+ (typeattributeset cil_gen_require user_xproperty_t)
|
||
+ (typeattributeset cil_gen_require xevent_t)
|
||
+ (typeattributeset cil_gen_require client_xevent_t)
|
||
+ (typeattributeset cil_gen_require input_xevent_t)
|
||
+ (typeattributeset cil_gen_require user_input_xevent_t)
|
||
+ (typeattributeset cil_gen_require x_domain)
|
||
+ (typeattributeset cil_gen_require input_xevent_type)
|
||
+ (typeattributeset cil_gen_require xdrawable_type)
|
||
+ (typeattributeset cil_gen_require xcolormap_type)
|
||
+ (typeattributeset cil_gen_require xdm_var_run_t)
|
||
+ (typeattributeset cil_gen_require tmpfs_t)
|
||
+ (typeattributeset cil_gen_require var_t)
|
||
+ (typeattributeset cil_gen_require userdomain)
|
||
+ (typeattributeset cil_gen_require xdm_log_t)
|
||
+ (typeattributeset cil_gen_require xdmhomewriter)
|
||
+ (roleattributeset cil_gen_require urole)
|
||
+ (roletype urole user_home_dir_t)
|
||
+ (roletype urole user_home_type)
|
||
+ (roletype urole xauth_t)
|
||
+ (roletype urole iceauth_t)
|
||
+ (typeattributeset cil_gen_require xcolormap_type)
|
||
+ (typeattributeset xcolormap_type (utype ))
|
||
+ (typeattributeset cil_gen_require file_type)
|
||
+ (typeattributeset file_type (bin_t usr_t ))
|
||
+ (typeattributeset cil_gen_require non_security_file_type)
|
||
+ (typeattributeset non_security_file_type (bin_t usr_t ))
|
||
+ (typeattributeset cil_gen_require exec_type)
|
||
+ (typeattributeset exec_type (bin_t usr_t ))
|
||
+ (typeattributeset cil_gen_require xdmhomewriter)
|
||
+ (typeattributeset xdmhomewriter (utype ))
|
||
+ (typeattributeset cil_gen_require xdrawable_type)
|
||
+ (typeattributeset xdrawable_type (utype ))
|
||
+ (typeattributeset cil_gen_require userdom_filetrans_type)
|
||
+ (typeattributeset userdom_filetrans_type (utype ))
|
||
+ (typeattributeset cil_gen_require x_domain)
|
||
+ (typeattributeset x_domain (utype ))
|
||
+ (typeattributeset cil_gen_require x_userdomain)
|
||
+ (typeattributeset x_userdomain (utype ))
|
||
+ (typeattributeset cil_gen_require entry_type)
|
||
+ (typeattributeset entry_type (bin_t usr_t ))
|
||
+ (typeattributeset cil_gen_require non_auth_file_type)
|
||
+ (typeattributeset non_auth_file_type (bin_t usr_t ))
|
||
+ (typeattributeset cil_gen_require dridomain)
|
||
+ (typeattributeset dridomain (utype ))
|
||
+ (allow utype bin_t (file (entrypoint)))
|
||
+ (allow utype bin_t (file (ioctl read getattr lock map execute open)))
|
||
+ (allow utype usr_t (file (entrypoint)))
|
||
+ (allow utype usr_t (file (ioctl read getattr lock map execute open)))
|
||
+ (allow utype port_type (tcp_socket (name_connect)))
|
||
+ (allow utype utype (process (getattr setrlimit execmem)))
|
||
+ (allow utype utype (system (ipc_info syslog_read syslog_mod syslog_console module_request module_load halt reboot status start stop enable disable reload undefined)))
|
||
+ (allow utype utype (netlink_kobject_uevent_socket (read)))
|
||
+ (allow utype device_t (dir (getattr open search)))
|
||
+ (allow utype sound_device_t (chr_file (ioctl write getattr lock append open)))
|
||
+ (allow utype device_t (dir (getattr open search)))
|
||
+ (allow utype sound_device_t (chr_file (ioctl read getattr lock open)))
|
||
+ (allow utype sound_device_t (chr_file (map)))
|
||
+ (allow utype device_t (dir (getattr open search)))
|
||
+ (allow utype event_device_t (chr_file (ioctl read write getattr lock append)))
|
||
+ (allow utype device_t (dir (getattr open search)))
|
||
+ (allow utype v4l_device_t (chr_file (ioctl read getattr lock open)))
|
||
+ (allow utype device_t (dir (getattr open search)))
|
||
+ (allow utype v4l_device_t (chr_file (ioctl write getattr lock append open)))
|
||
+ (allow utype device_t (dir (getattr open search)))
|
||
+ (allow utype wireless_device_t (chr_file (ioctl read write getattr lock append open)))
|
||
+ (allow utype device_t (dir (getattr open search)))
|
||
+ (allow utype device_t (dir (getattr watch)))
|
||
+ (allow utype configfile (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype configfile (dir (getattr open search)))
|
||
+ (allow utype configfile (file (ioctl read getattr lock open)))
|
||
+ (allow utype configfile (dir (getattr open search)))
|
||
+ (allow utype configfile (lnk_file (read getattr)))
|
||
+ (allow utype etc_t (dir (getattr watch)))
|
||
+ (allow utype home_root_t (dir (getattr watch)))
|
||
+ (allow utype lib_t (dir (getattr watch)))
|
||
+ (allow utype usr_t (dir (getattr watch)))
|
||
+ (allow utype usr_t (file (getattr watch)))
|
||
+ (allow utype var_lib_t (dir (getattr open search)))
|
||
+ (allow utype var_lib_t (dir (getattr watch)))
|
||
+ (allow utype var_run_t (dir (getattr watch)))
|
||
+ (allow utype tmp_t (dir (getattr watch)))
|
||
+ (allow utype init_t (unix_stream_socket (ioctl read write getattr setattr lock append bind connect listen accept getopt setopt shutdown)))
|
||
+ (allow utype proc_t (dir (getattr open search)))
|
||
+ (allow utype sysctl_t (dir (getattr open search)))
|
||
+ (allow utype sysctl_dev_t (dir (getattr open search)))
|
||
+ (allow utype sysctl_dev_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype proc_t (dir (getattr open search)))
|
||
+ (allow utype sysctl_t (dir (getattr open search)))
|
||
+ (allow utype sysctl_dev_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype fonts_t (dir (getattr watch)))
|
||
+ (allow utype locale_t (dir (getattr open search)))
|
||
+ (allow utype locale_t (lnk_file (getattr watch)))
|
||
+ (allow utype mount_t (process (signal)))
|
||
+ (allow utype etc_t (dir (getattr open search)))
|
||
+ (allow utype selinux_config_t (dir (getattr open search)))
|
||
+ (allow utype default_context_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype default_context_t (dir (getattr open search)))
|
||
+ (allow utype default_context_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype fuse_device_t (chr_file (ioctl read write getattr lock append open)))
|
||
+ (allow utype user_tmp_t (file (execute)))
|
||
+ (typemember utype user_home_dir_t dir user_home_dir_t)
|
||
+ (allow utype user_home_t (dir (mounton)))
|
||
+ (allow utype user_home_t (file (entrypoint)))
|
||
+ (allow utype user_home_type (file (relabelfrom relabelto)))
|
||
+ (allow utype user_home_type (dir (relabelfrom relabelto)))
|
||
+ (allow utype user_home_type (lnk_file (relabelfrom relabelto)))
|
||
+ (allow utype user_home_type (chr_file (relabelfrom relabelto)))
|
||
+ (allow utype user_home_type (blk_file (relabelfrom relabelto)))
|
||
+ (allow utype user_home_type (sock_file (relabelfrom relabelto)))
|
||
+ (allow utype user_home_type (fifo_file (relabelfrom relabelto)))
|
||
+ (allow utype user_home_dir_t (lnk_file (read getattr)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype user_home_type (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype user_home_type (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype user_home_type (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype user_home_type (sock_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype user_home_type (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
||
+ (allow utype user_home_dir_t (dir (getattr open search)))
|
||
+ (allow utype user_home_type (dir (getattr open search)))
|
||
+ (allow utype user_home_type (dir (getattr relabelfrom relabelto)))
|
||
+ (allow utype user_home_dir_t (dir (getattr open search)))
|
||
+ (allow utype user_home_type (dir (getattr open search)))
|
||
+ (allow utype user_home_type (file (getattr relabelfrom relabelto)))
|
||
+ (allow utype user_home_dir_t (dir (getattr open search)))
|
||
+ (allow utype user_home_type (dir (getattr open search)))
|
||
+ (allow utype user_home_type (lnk_file (getattr relabelfrom relabelto)))
|
||
+ (allow utype user_home_dir_t (dir (getattr open search)))
|
||
+ (allow utype user_home_type (dir (getattr open search)))
|
||
+ (allow utype user_home_type (sock_file (getattr relabelfrom relabelto)))
|
||
+ (allow utype user_home_dir_t (dir (getattr open search)))
|
||
+ (allow utype user_home_type (dir (getattr open search)))
|
||
+ (allow utype user_home_type (fifo_file (getattr relabelfrom relabelto)))
|
||
+ (allow utype home_root_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype home_root_t (lnk_file (read getattr)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (typetransition utype root_xdrawable_t x_drawable utype)
|
||
+ (typetransition utype input_xevent_t x_event user_input_xevent_t)
|
||
+ (allow utype user_input_xevent_t (x_event (send)))
|
||
+ (allow utype user_input_xevent_t (x_synthetic_event (send)))
|
||
+ (allow utype user_input_xevent_t (x_event (receive)))
|
||
+ (allow utype user_input_xevent_t (x_synthetic_event (receive)))
|
||
+ (allow utype client_xevent_t (x_event (receive)))
|
||
+ (allow utype client_xevent_t (x_synthetic_event (receive)))
|
||
+ (allow utype xevent_t (x_event (send receive)))
|
||
+ (allow utype xevent_t (x_synthetic_event (send receive)))
|
||
+ (dontaudit utype input_xevent_type (x_event (send)))
|
||
+ (allow utype xdm_t (x_drawable (read add_child manage hide)))
|
||
+ (allow utype xdm_t (x_client (destroy)))
|
||
+ (allow utype root_xdrawable_t (x_drawable (write)))
|
||
+ (allow utype xserver_t (x_server (manage)))
|
||
+ (allow utype xserver_t (x_screen (saver_setattr saver_hide saver_show show_cursor hide_cursor)))
|
||
+ (allow utype xserver_t (x_pointer (get_property set_property manage)))
|
||
+ (allow utype xserver_t (x_keyboard (read manage freeze)))
|
||
+ (allow utype tmpfs_t (dir (getattr open search)))
|
||
+ (allow utype tmp_t (dir (getattr open search)))
|
||
+ (allow utype tmp_t (lnk_file (read getattr)))
|
||
+ (allow utype tmp_t (dir (getattr open search)))
|
||
+ (allow utype var_t (lnk_file (read getattr)))
|
||
+ (allow utype var_run_t (lnk_file (read getattr)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_run_t (dir (getattr open search)))
|
||
+ (allow utype xdm_var_run_t (dir (getattr open search)))
|
||
+ (allow utype xdm_var_run_t (sock_file (write getattr append open)))
|
||
+ (allow utype xdm_t (unix_stream_socket (connectto)))
|
||
+ (allow utype user_tmp_t (dir (getattr open search)))
|
||
+ (allow utype user_tmp_t (sock_file (write getattr append open)))
|
||
+ (allow utype userdomain (unix_stream_socket (connectto)))
|
||
+ (allow utype xdm_log_t (file (getattr append)))
|
||
+ (booleanif (use_samba_home_dirs)
|
||
+ (true
|
||
+ (allow utype cifs_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
||
+ (allow utype cifs_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype cifs_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
||
+ (allow utype cifs_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype cifs_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads)))
|
||
+ (allow utype cifs_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype cifs_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow utype cifs_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype cifs_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow utype cifs_t (dir (mounton)))
|
||
+ (allow utype cifs_t (filesystem (mount)))
|
||
+ )
|
||
+ )
|
||
+ (booleanif (use_nfs_home_dirs)
|
||
+ (true
|
||
+ (allow utype nfs_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
||
+ (allow utype nfs_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype nfs_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
||
+ (allow utype nfs_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype nfs_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads)))
|
||
+ (allow utype nfs_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype autofs_t (dir (getattr open search)))
|
||
+ (allow utype nfs_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow utype nfs_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype autofs_t (dir (getattr open search)))
|
||
+ (allow utype nfs_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow utype autofs_t (dir (getattr open search)))
|
||
+ (allow utype nfs_t (dir (mounton)))
|
||
+ (allow utype nfs_t (filesystem (mount)))
|
||
+ )
|
||
+ )
|
||
+ (booleanif (selinuxuser_rw_noexattrfile)
|
||
+ (true
|
||
+ (allow utype removable_device_t (blk_file (ioctl write getattr lock append open)))
|
||
+ (allow utype device_t (lnk_file (read getattr)))
|
||
+ (allow utype device_t (dir (getattr open search)))
|
||
+ (allow utype device_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype device_t (dir (getattr open search)))
|
||
+ (allow utype removable_device_t (blk_file (ioctl read getattr lock open)))
|
||
+ (allow utype device_t (lnk_file (read getattr)))
|
||
+ (allow utype device_t (dir (getattr open search)))
|
||
+ (allow utype device_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype device_t (dir (getattr open search)))
|
||
+ (allow utype dosfs_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow utype dosfs_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype dosfs_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow utype dosfs_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype noxattrfs (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow utype noxattrfs (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow utype noxattrfs (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype usb_device_t (chr_file (ioctl read write getattr lock append open)))
|
||
+ (allow utype device_t (dir (getattr open search)))
|
||
+ (allow utype usbfs_t (lnk_file (read getattr)))
|
||
+ (allow utype usbfs_t (dir (getattr open search)))
|
||
+ (allow utype usbfs_t (file (ioctl read write getattr lock append open)))
|
||
+ (allow utype usbfs_t (dir (getattr open search)))
|
||
+ (allow utype usbfs_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype usbfs_t (dir (getattr open search)))
|
||
+ )
|
||
+ )
|
||
+ (optional confinedom_graphical_login_optional_3
|
||
+ (typeattributeset cil_gen_require var_lib_t)
|
||
+ (typeattributeset cil_gen_require var_t)
|
||
+ (typeattributeset cil_gen_require alsa_var_lib_t)
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_lib_t (dir (getattr open search)))
|
||
+ (allow utype alsa_var_lib_t (dir (getattr open search)))
|
||
+ (allow utype alsa_var_lib_t (file (ioctl read getattr lock open)))
|
||
+ )
|
||
+ (optional confinedom_graphical_login_optional_4
|
||
+ (typeattributeset cil_gen_require var_t)
|
||
+ (typeattributeset cil_gen_require fwupd_cache_t)
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype fwupd_cache_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype fwupd_cache_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ )
|
||
+ (optional confinedom_graphical_login_optional_5
|
||
+ ;(type dbusd_type)
|
||
+ (roletype object_r dbusd_type)
|
||
+ (typeattributeset cil_gen_require utype)
|
||
+ (typeattributeset cil_gen_require bin_t)
|
||
+ (typeattributeset cil_gen_require usr_t)
|
||
+ (typeattributeset cil_gen_require entry_type)
|
||
+ (typeattributeset cil_gen_require exec_type)
|
||
+ (typeattributeset cil_gen_require file_type)
|
||
+ (typeattributeset cil_gen_require non_security_file_type)
|
||
+ (typeattributeset cil_gen_require non_auth_file_type)
|
||
+ (typeattributeset cil_gen_require device_t)
|
||
+ (typeattributeset cil_gen_require var_lib_t)
|
||
+ (typeattributeset cil_gen_require var_run_t)
|
||
+ (typeattributeset cil_gen_require var_t)
|
||
+ (typeattributeset cil_gen_require system_dbusd_t)
|
||
+ (typeattributeset cil_gen_require session_dbusd_tmp_t)
|
||
+ (typeattributeset cil_gen_require dbusd_unconfined)
|
||
+ (typeattributeset cil_gen_require session_bus_type)
|
||
+ (typeattributeset cil_gen_require dbusd_exec_t)
|
||
+ (typeattributeset cil_gen_require dbusd_etc_t)
|
||
+ (typeattributeset cil_gen_require application_domain_type)
|
||
+ (typeattributeset cil_gen_require domain)
|
||
+ (typeattributeset cil_gen_require corenet_unlabeled_type)
|
||
+ (typeattributeset cil_gen_require application_exec_type)
|
||
+ (typeattributeset cil_gen_require ubac_constrained_type)
|
||
+ (typeattributeset cil_gen_require kernel_system_state_reader)
|
||
+ (typeattributeset cil_gen_require security_t)
|
||
+ (typeattributeset cil_gen_require sysfs_t)
|
||
+ (typeattributeset cil_gen_require userdom_home_manager_type)
|
||
+ (typeattributeset cil_gen_require shell_exec_t)
|
||
+ (typeattributeset cil_gen_require nsswitch_domain)
|
||
+ (typeattributeset cil_gen_require netlabel_peer_type)
|
||
+ (typeattributeset cil_gen_require syslog_client_type)
|
||
+ (typeattributeset cil_gen_require system_dbusd_var_run_t)
|
||
+ (typeattributeset cil_gen_require system_dbusd_var_lib_t)
|
||
+ (typeattributeset cil_gen_require urandom_device_t)
|
||
+ (roleattributeset cil_gen_require urole)
|
||
+ (roletype urole dbusd_type)
|
||
+ (typeattributeset cil_gen_require netlabel_peer_type)
|
||
+ (typeattributeset netlabel_peer_type (dbusd_type ))
|
||
+ (typeattributeset cil_gen_require corenet_unlabeled_type)
|
||
+ (typeattributeset corenet_unlabeled_type (dbusd_type ))
|
||
+ (typeattributeset cil_gen_require syslog_client_type)
|
||
+ (typeattributeset syslog_client_type (dbusd_type ))
|
||
+ (typeattributeset cil_gen_require file_type)
|
||
+ (typeattributeset file_type (dbusd_exec_t ))
|
||
+ (typeattributeset cil_gen_require non_security_file_type)
|
||
+ (typeattributeset non_security_file_type (dbusd_exec_t ))
|
||
+ (typeattributeset cil_gen_require exec_type)
|
||
+ (typeattributeset exec_type (dbusd_exec_t ))
|
||
+ (typeattributeset cil_gen_require application_domain_type)
|
||
+ (typeattributeset application_domain_type (dbusd_type ))
|
||
+ (typeattributeset cil_gen_require userdom_home_manager_type)
|
||
+ (typeattributeset userdom_home_manager_type (dbusd_type ))
|
||
+ (typeattributeset cil_gen_require ubac_constrained_type)
|
||
+ (typeattributeset ubac_constrained_type (dbusd_type ))
|
||
+ (typeattributeset cil_gen_require kernel_system_state_reader)
|
||
+ (typeattributeset kernel_system_state_reader (dbusd_type ))
|
||
+ (typeattributeset cil_gen_require application_exec_type)
|
||
+ (typeattributeset application_exec_type (dbusd_exec_t ))
|
||
+ (typeattributeset cil_gen_require nsswitch_domain)
|
||
+ (typeattributeset nsswitch_domain (dbusd_type ))
|
||
+ (typeattributeset cil_gen_require session_bus_type)
|
||
+ (typeattributeset session_bus_type (dbusd_type ))
|
||
+ (typeattributeset cil_gen_require entry_type)
|
||
+ (typeattributeset entry_type (dbusd_exec_t ))
|
||
+ (typeattributeset cil_gen_require non_auth_file_type)
|
||
+ (typeattributeset non_auth_file_type (dbusd_exec_t ))
|
||
+ (typeattributeset cil_gen_require domain)
|
||
+ (typeattributeset domain (dbusd_type ))
|
||
+ (allow utype system_dbusd_t (dbus (acquire_svc)))
|
||
+ (allow utype session_dbusd_tmp_t (dir (ioctl write getattr lock open add_name search)))
|
||
+ (allow utype session_dbusd_tmp_t (sock_file (create getattr setattr open)))
|
||
+ (allow dbusd_type dbusd_exec_t (file (entrypoint)))
|
||
+ (allow dbusd_type dbusd_exec_t (file (ioctl read getattr lock map execute open)))
|
||
+ (allow dbusd_type security_t (lnk_file (read getattr)))
|
||
+ (allow dbusd_type sysfs_t (filesystem (getattr)))
|
||
+ (allow dbusd_type sysfs_t (dir (getattr open search)))
|
||
+ (allow dbusd_type sysfs_t (dir (getattr open search)))
|
||
+ (allow dbusd_type security_t (filesystem (getattr)))
|
||
+ (allow utype dbusd_type (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown connectto)))
|
||
+ (allow dbusd_type utype (unix_stream_socket (read write getattr accept getopt)))
|
||
+ (allow dbusd_type utype (unix_dgram_socket (sendto)))
|
||
+ (allow utype dbusd_type (dbus (acquire_svc send_msg)))
|
||
+ (allow dbusd_unconfined dbusd_type (dbus (acquire_svc send_msg)))
|
||
+ (allow utype system_dbusd_t (dbus (acquire_svc send_msg)))
|
||
+ (allow utype dbusd_type (process (noatsecure siginh rlimitinh)))
|
||
+ (allow dbusd_type utype (dbus (send_msg)))
|
||
+ (allow utype dbusd_type (dbus (send_msg)))
|
||
+ (allow dbusd_type utype (system (start reload)))
|
||
+ (allow dbusd_type session_dbusd_tmp_t (service (start stop)))
|
||
+ (allow utype session_dbusd_tmp_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow utype session_dbusd_tmp_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow dbusd_type dbusd_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
||
+ (allow utype dbusd_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow utype dbusd_type (process (transition)))
|
||
+ ;(typetransition utype dbusd_exec_t process dbusd_type)
|
||
+ (allow dbusd_type utype (fd (use)))
|
||
+ (allow dbusd_type utype (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow dbusd_type utype (process (sigchld)))
|
||
+ (allow utype dbusd_type (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype dbusd_type (file (ioctl read getattr lock open)))
|
||
+ (allow utype dbusd_type (lnk_file (read getattr)))
|
||
+ (allow utype dbusd_type (process (getattr)))
|
||
+ (allow utype dbusd_type (process (sigchld sigkill sigstop signull signal)))
|
||
+ (allow dbusd_type bin_t (dir (getattr open search)))
|
||
+ (allow dbusd_type bin_t (lnk_file (read getattr)))
|
||
+ (allow dbusd_type bin_t (file (ioctl read getattr map execute open)))
|
||
+ (allow dbusd_type utype (process (transition)))
|
||
+ (allow dbusd_type usr_t (dir (getattr open search)))
|
||
+ (allow dbusd_type usr_t (lnk_file (read getattr)))
|
||
+ (allow dbusd_type usr_t (file (ioctl read getattr map execute open)))
|
||
+ (allow dbusd_type utype (process (transition)))
|
||
+ (typetransition dbusd_type bin_t process utype)
|
||
+ (typetransition dbusd_type usr_t process utype)
|
||
+ (allow dbusd_type bin_t (dir (getattr open search)))
|
||
+ (allow dbusd_type bin_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow dbusd_type bin_t (dir (getattr open search)))
|
||
+ (allow dbusd_type bin_t (lnk_file (read getattr)))
|
||
+ (allow dbusd_type shell_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow dbusd_type utype (process (transition)))
|
||
+ (typetransition dbusd_type shell_exec_t process utype)
|
||
+ (allow dbusd_type utype (process (sigkill)))
|
||
+ (allow utype dbusd_type (fd (use)))
|
||
+ (allow utype dbusd_type (fifo_file (ioctl read write getattr lock append open)))
|
||
+ (allow dbusd_type file_type (service (start stop status reload enable disable)))
|
||
+ (dontaudit dbusd_type self (capability (net_admin)))
|
||
+ (allow utype system_dbusd_t (dbus (send_msg)))
|
||
+ (allow utype self (dbus (send_msg)))
|
||
+ (allow system_dbusd_t utype (dbus (send_msg)))
|
||
+ (allow dbusd_unconfined utype (dbus (send_msg)))
|
||
+ (allow utype system_dbusd_var_lib_t (dir (getattr open search)))
|
||
+ (allow utype system_dbusd_var_lib_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype system_dbusd_var_lib_t (dir (getattr open search)))
|
||
+ (allow utype system_dbusd_var_lib_t (lnk_file (read getattr)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_lib_t (dir (getattr open search)))
|
||
+ (allow utype device_t (dir (getattr open search)))
|
||
+ (allow utype urandom_device_t (chr_file (ioctl read getattr lock open)))
|
||
+ (allow utype var_t (lnk_file (read getattr)))
|
||
+ (allow utype var_run_t (lnk_file (read getattr)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_run_t (dir (getattr open search)))
|
||
+ (allow utype system_dbusd_var_run_t (dir (getattr open search)))
|
||
+ (allow utype system_dbusd_var_run_t (sock_file (write getattr append open)))
|
||
+ (allow utype system_dbusd_t (unix_stream_socket (connectto)))
|
||
+ (allow utype dbusd_etc_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype dbusd_etc_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype session_dbusd_tmp_t (dir (getattr open search)))
|
||
+ (allow utype session_dbusd_tmp_t (sock_file (write getattr append open)))
|
||
+ (allow utype utype (dbus (send_msg)))
|
||
+ (booleanif (deny_ptrace)
|
||
+ (false
|
||
+ (allow utype dbusd_type (process (ptrace)))
|
||
+ )
|
||
+ )
|
||
+ (optional confinedom_graphical_login_optional_6
|
||
+ (typeattributeset cil_gen_require entry_type)
|
||
+ (typeattributeset cil_gen_require exec_type)
|
||
+ (typeattributeset cil_gen_require file_type)
|
||
+ (typeattributeset cil_gen_require non_security_file_type)
|
||
+ (typeattributeset cil_gen_require non_auth_file_type)
|
||
+ (typeattributeset cil_gen_require mozilla_exec_t)
|
||
+ (typeattributeset cil_gen_require file_type)
|
||
+ (typeattributeset file_type (mozilla_exec_t ))
|
||
+ (typeattributeset cil_gen_require non_security_file_type)
|
||
+ (typeattributeset non_security_file_type (mozilla_exec_t ))
|
||
+ (typeattributeset cil_gen_require exec_type)
|
||
+ (typeattributeset exec_type (mozilla_exec_t ))
|
||
+ (typeattributeset cil_gen_require entry_type)
|
||
+ (typeattributeset entry_type (mozilla_exec_t ))
|
||
+ (typeattributeset cil_gen_require non_auth_file_type)
|
||
+ (typeattributeset non_auth_file_type (mozilla_exec_t ))
|
||
+ (allow utype mozilla_exec_t (file (entrypoint)))
|
||
+ (allow utype mozilla_exec_t (file (ioctl read getattr lock map execute open)))
|
||
+ (allow dbusd_type mozilla_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow dbusd_type utype (process (transition)))
|
||
+ (typetransition dbusd_type mozilla_exec_t process utype)
|
||
+ (allow utype dbusd_type (fd (use)))
|
||
+ (allow utype dbusd_type (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow utype dbusd_type (process (sigchld)))
|
||
+ )
|
||
+ (optional confinedom_graphical_login_optional_7
|
||
+ (typeattributeset cil_gen_require systemd_unit_file_t)
|
||
+ (allow dbusd_type systemd_unit_file_t (service (start)))
|
||
+ )
|
||
+ (optional confinedom_graphical_login_optional_8
|
||
+ (typeattributeset cil_gen_require unconfined_service_t)
|
||
+ (allow utype unconfined_service_t (dbus (send_msg)))
|
||
+ (allow unconfined_service_t utype (dbus (send_msg)))
|
||
+ )
|
||
+ (optional confinedom_graphical_login_optional_9
|
||
+ (typeattributeset cil_gen_require accountsd_t)
|
||
+ (allow utype accountsd_t (dbus (send_msg)))
|
||
+ (allow accountsd_t utype (dbus (send_msg)))
|
||
+ )
|
||
+ (optional confinedom_graphical_login_optional_10
|
||
+ (typeattributeset cil_gen_require avahi_t)
|
||
+ (allow utype avahi_t (dbus (send_msg)))
|
||
+ (allow avahi_t utype (dbus (send_msg)))
|
||
+ )
|
||
+ (optional confinedom_graphical_login_optional_11
|
||
+ (typeattributeset cil_gen_require bluetooth_t)
|
||
+ (allow utype bluetooth_t (dbus (send_msg)))
|
||
+ (allow bluetooth_t utype (dbus (send_msg)))
|
||
+ )
|
||
+ (optional confinedom_graphical_login_optional_12
|
||
+ (typeattributeset cil_gen_require colord_t)
|
||
+ (allow utype colord_t (dbus (send_msg)))
|
||
+ (allow colord_t utype (dbus (send_msg)))
|
||
+ (allow colord_t utype (dir (ioctl read getattr lock open search)))
|
||
+ (allow colord_t utype (file (ioctl read getattr lock open)))
|
||
+ (allow colord_t utype (lnk_file (read getattr)))
|
||
+ (allow colord_t utype (process (getattr)))
|
||
+ )
|
||
+ (optional confinedom_graphical_login_optional_13
|
||
+ (typeattributeset cil_gen_require var_t)
|
||
+ (typeattributeset cil_gen_require consolekit_t)
|
||
+ (typeattributeset cil_gen_require consolekit_log_t)
|
||
+ (typeattributeset cil_gen_require var_log_t)
|
||
+ (allow utype consolekit_t (dbus (send_msg)))
|
||
+ (allow consolekit_t utype (dbus (send_msg)))
|
||
+ (allow utype consolekit_log_t (dir (getattr open search)))
|
||
+ (allow utype consolekit_log_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_log_t (dir (getattr open search)))
|
||
+ )
|
||
+ (optional confinedom_graphical_login_optional_14
|
||
+ (typeattributeset cil_gen_require devicekit_t)
|
||
+ (typeattributeset cil_gen_require devicekit_power_t)
|
||
+ (typeattributeset cil_gen_require devicekit_disk_t)
|
||
+ (allow utype devicekit_t (dbus (send_msg)))
|
||
+ (allow devicekit_t utype (dbus (send_msg)))
|
||
+ (allow utype devicekit_power_t (dbus (send_msg)))
|
||
+ (allow devicekit_power_t utype (dbus (send_msg)))
|
||
+ (allow utype devicekit_disk_t (dbus (send_msg)))
|
||
+ (allow devicekit_disk_t utype (dbus (send_msg)))
|
||
+ )
|
||
+ (optional confinedom_graphical_login_optional_15
|
||
+ (typeattributeset cil_gen_require evolution_t)
|
||
+ (typeattributeset cil_gen_require evolution_alarm_t)
|
||
+ (allow utype evolution_t (dbus (send_msg)))
|
||
+ (allow evolution_t utype (dbus (send_msg)))
|
||
+ (allow utype evolution_alarm_t (dbus (send_msg)))
|
||
+ (allow evolution_alarm_t utype (dbus (send_msg)))
|
||
+ )
|
||
+ (optional confinedom_graphical_login_optional_16
|
||
+ (typeattributeset cil_gen_require firewalld_t)
|
||
+ (allow utype firewalld_t (dbus (send_msg)))
|
||
+ (allow firewalld_t utype (dbus (send_msg)))
|
||
+ )
|
||
+ (optional confinedom_graphical_login_optional_17
|
||
+ (typeattributeset cil_gen_require geoclue_t)
|
||
+ (allow utype geoclue_t (dbus (send_msg)))
|
||
+ (allow geoclue_t utype (dbus (send_msg)))
|
||
+ (allow geoclue_t utype (dir (ioctl read getattr lock open search)))
|
||
+ (allow geoclue_t utype (file (ioctl read getattr lock open)))
|
||
+ (allow geoclue_t utype (lnk_file (read getattr)))
|
||
+ (allow geoclue_t utype (process (getattr)))
|
||
+ )
|
||
+ (optional confinedom_graphical_login_optional_18
|
||
+ (typeattributeset cil_gen_require gconfdefaultsm_t)
|
||
+ (allow utype gconfdefaultsm_t (dbus (send_msg)))
|
||
+ (allow gconfdefaultsm_t utype (dbus (send_msg)))
|
||
+ )
|
||
+ (optional confinedom_graphical_login_optional_19
|
||
+ (typeattributeset cil_gen_require fprintd_t)
|
||
+ (allow utype fprintd_t (dbus (send_msg)))
|
||
+ (allow fprintd_t utype (dbus (send_msg)))
|
||
+ )
|
||
+ (optional confinedom_graphical_login_optional_20
|
||
+ (typeattributeset cil_gen_require fwupd_t)
|
||
+ (allow utype fwupd_t (dbus (send_msg)))
|
||
+ (allow fwupd_t utype (dbus (send_msg)))
|
||
+ )
|
||
+ (optional confinedom_graphical_login_optional_21
|
||
+ (typeattributeset cil_gen_require var_run_t)
|
||
+ (typeattributeset cil_gen_require var_t)
|
||
+ (typeattributeset cil_gen_require hwloc_dhwd_exec_t)
|
||
+ (typeattributeset cil_gen_require hwloc_var_run_t)
|
||
+ (allow utype hwloc_dhwd_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
||
+ (allow utype var_t (lnk_file (read getattr)))
|
||
+ (allow utype var_run_t (lnk_file (read getattr)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_run_t (dir (getattr open search)))
|
||
+ (allow utype hwloc_var_run_t (dir (getattr open search)))
|
||
+ (allow utype hwloc_var_run_t (file (ioctl read getattr lock open)))
|
||
+ )
|
||
+ (optional confinedom_graphical_login_optional_22
|
||
+ (typeattributeset cil_gen_require var_run_t)
|
||
+ (typeattributeset cil_gen_require var_t)
|
||
+ (typeattributeset cil_gen_require memcached_t)
|
||
+ (typeattributeset cil_gen_require memcached_var_run_t)
|
||
+ (allow utype var_t (lnk_file (read getattr)))
|
||
+ (allow utype var_run_t (lnk_file (read getattr)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_run_t (dir (getattr open search)))
|
||
+ (allow utype memcached_var_run_t (dir (getattr open search)))
|
||
+ (allow utype memcached_var_run_t (sock_file (write getattr append open)))
|
||
+ (allow utype memcached_t (unix_stream_socket (connectto)))
|
||
+ )
|
||
+ (optional confinedom_graphical_login_optional_23
|
||
+ (typeattributeset cil_gen_require modemmanager_t)
|
||
+ (allow utype modemmanager_t (dbus (send_msg)))
|
||
+ (allow modemmanager_t utype (dbus (send_msg)))
|
||
+ )
|
||
+ (optional confinedom_graphical_login_optional_24
|
||
+ (typeattributeset cil_gen_require var_lib_t)
|
||
+ (typeattributeset cil_gen_require var_t)
|
||
+ (typeattributeset cil_gen_require NetworkManager_t)
|
||
+ (typeattributeset cil_gen_require NetworkManager_var_lib_t)
|
||
+ (allow utype NetworkManager_t (dbus (send_msg)))
|
||
+ (allow NetworkManager_t utype (dbus (send_msg)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_lib_t (dir (getattr open search)))
|
||
+ (allow utype NetworkManager_var_lib_t (dir (getattr open search)))
|
||
+ (allow utype NetworkManager_var_lib_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype NetworkManager_var_lib_t (dir (getattr open search)))
|
||
+ (allow utype NetworkManager_var_lib_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype NetworkManager_var_lib_t (file (map)))
|
||
+ )
|
||
+ (optional confinedom_graphical_login_optional_25
|
||
+ (typeattributeset cil_gen_require policykit_t)
|
||
+ (allow policykit_t utype (dir (ioctl read getattr lock open search)))
|
||
+ (allow policykit_t utype (file (ioctl read getattr lock open)))
|
||
+ (allow policykit_t utype (lnk_file (read getattr)))
|
||
+ (allow policykit_t utype (process (getattr)))
|
||
+ (allow utype policykit_t (dbus (send_msg)))
|
||
+ (allow policykit_t utype (dbus (send_msg)))
|
||
+ )
|
||
+ (optional confinedom_graphical_login_optional_26
|
||
+ (typeattributeset cil_gen_require rpm_t)
|
||
+ (allow utype rpm_t (dbus (send_msg)))
|
||
+ (allow rpm_t utype (dbus (send_msg)))
|
||
+ )
|
||
+ (optional confinedom_graphical_login_optional_27
|
||
+ (typeattributeset cil_gen_require vpnc_t)
|
||
+ (allow utype vpnc_t (dbus (send_msg)))
|
||
+ (allow vpnc_t utype (dbus (send_msg)))
|
||
+ )
|
||
+ )
|
||
+ (optional confinedom_graphical_login_optional_28
|
||
+ (typeattributeset cil_gen_require var_lib_t)
|
||
+ (typeattributeset cil_gen_require var_t)
|
||
+ (typeattributeset cil_gen_require rpm_var_lib_t)
|
||
+ (typeattributeset cil_gen_require rpm_var_cache_t)
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_lib_t (dir (getattr open search)))
|
||
+ (allow utype rpm_var_lib_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype rpm_var_lib_t (dir (getattr open search)))
|
||
+ (allow utype rpm_var_lib_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype rpm_var_lib_t (dir (getattr open search)))
|
||
+ (allow utype rpm_var_lib_t (lnk_file (read getattr)))
|
||
+ (allow utype rpm_var_lib_t (file (map)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype rpm_var_cache_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype rpm_var_cache_t (dir (getattr open search)))
|
||
+ (allow utype rpm_var_cache_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype rpm_var_cache_t (dir (getattr open search)))
|
||
+ (allow utype rpm_var_cache_t (lnk_file (read getattr)))
|
||
+ )
|
||
+ (optional confinedom_graphical_login_optional_29
|
||
+ (typeattributeset cil_gen_require var_run_t)
|
||
+ (typeattributeset cil_gen_require var_t)
|
||
+ (typeattributeset cil_gen_require systemd_logind_t)
|
||
+ (typeattributeset cil_gen_require systemd_timedated_t)
|
||
+ (typeattributeset cil_gen_require systemd_hostnamed_t)
|
||
+ (typeattributeset cil_gen_require systemd_localed_t)
|
||
+ (typeattributeset cil_gen_require systemd_unit_file_type)
|
||
+ (typeattributeset cil_gen_require init_script_file_type)
|
||
+ (typeattributeset cil_gen_require systemd_logind_var_run_t)
|
||
+ (typeattributeset cil_gen_require systemd_logind_sessions_t)
|
||
+ (typeattributeset cil_gen_require init_var_run_t)
|
||
+ (typeattributeset cil_gen_require systemd_machined_var_run_t)
|
||
+ (typeattributeset cil_gen_require systemd_logind_inhibit_var_run_t)
|
||
+ (allow utype systemd_logind_t (dbus (send_msg)))
|
||
+ (allow systemd_logind_t utype (dbus (send_msg)))
|
||
+ (allow systemd_logind_t utype (dir (ioctl read getattr lock open search)))
|
||
+ (allow systemd_logind_t utype (file (ioctl read getattr lock open)))
|
||
+ (allow systemd_logind_t utype (lnk_file (read getattr)))
|
||
+ (allow systemd_logind_t utype (process (getattr)))
|
||
+ (allow systemd_logind_t utype (process (signal)))
|
||
+ (allow utype systemd_logind_t (fd (use)))
|
||
+ (allow utype systemd_timedated_t (dbus (send_msg)))
|
||
+ (allow systemd_timedated_t utype (dbus (send_msg)))
|
||
+ (allow systemd_timedated_t utype (dir (ioctl read getattr lock open search)))
|
||
+ (allow systemd_timedated_t utype (file (ioctl read getattr lock open)))
|
||
+ (allow systemd_timedated_t utype (lnk_file (read getattr)))
|
||
+ (allow systemd_timedated_t utype (process (getattr)))
|
||
+ (allow utype systemd_hostnamed_t (dbus (send_msg)))
|
||
+ (allow systemd_hostnamed_t utype (dbus (send_msg)))
|
||
+ (allow systemd_hostnamed_t utype (dir (ioctl read getattr lock open search)))
|
||
+ (allow systemd_hostnamed_t utype (file (ioctl read getattr lock open)))
|
||
+ (allow systemd_hostnamed_t utype (lnk_file (read getattr)))
|
||
+ (allow systemd_hostnamed_t utype (process (getattr)))
|
||
+ (allow utype systemd_localed_t (dbus (send_msg)))
|
||
+ (allow systemd_localed_t utype (dbus (send_msg)))
|
||
+ (allow systemd_localed_t utype (dir (ioctl read getattr lock open search)))
|
||
+ (allow systemd_localed_t utype (file (ioctl read getattr lock open)))
|
||
+ (allow systemd_localed_t utype (lnk_file (read getattr)))
|
||
+ (allow systemd_localed_t utype (process (getattr)))
|
||
+ (allow utype systemd_unit_file_type (service (start stop status reload enable disable)))
|
||
+ (allow utype init_script_file_type (service (start stop status reload enable disable)))
|
||
+ (allow utype var_t (lnk_file (read getattr)))
|
||
+ (allow utype var_run_t (lnk_file (read getattr)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_run_t (dir (getattr open search)))
|
||
+ (allow utype systemd_logind_var_run_t (dir (getattr watch)))
|
||
+ (allow utype init_var_run_t (dir (getattr open search)))
|
||
+ (allow utype systemd_logind_sessions_t (dir (getattr watch)))
|
||
+ (allow utype var_t (lnk_file (read getattr)))
|
||
+ (allow utype var_run_t (lnk_file (read getattr)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_run_t (dir (getattr open search)))
|
||
+ (allow utype systemd_machined_var_run_t (dir (getattr watch)))
|
||
+ (allow utype init_var_run_t (dir (getattr open search)))
|
||
+ (allow utype systemd_logind_sessions_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype systemd_logind_sessions_t (dir (getattr open search)))
|
||
+ (allow utype systemd_logind_sessions_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype systemd_logind_inhibit_var_run_t (fifo_file (write)))
|
||
+ )
|
||
+ (optional confinedom_graphical_login_optional_30
|
||
+ (typeattributeset cil_gen_require var_run_t)
|
||
+ (typeattributeset cil_gen_require var_t)
|
||
+ (typeattributeset cil_gen_require cupsd_t)
|
||
+ (typeattributeset cil_gen_require cupsd_var_run_t)
|
||
+ (allow utype var_t (lnk_file (read getattr)))
|
||
+ (allow utype var_run_t (lnk_file (read getattr)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_run_t (dir (getattr open search)))
|
||
+ (allow utype cupsd_var_run_t (dir (getattr open search)))
|
||
+ (allow utype cupsd_var_run_t (sock_file (write getattr append open)))
|
||
+ (allow utype cupsd_t (unix_stream_socket (connectto)))
|
||
+ (allow utype cupsd_var_run_t (sock_file (read getattr open)))
|
||
+ )
|
||
+ (optional confinedom_graphical_login_optional_31
|
||
+ (typeattributeset cil_gen_require bin_t)
|
||
+ (typeattributeset cil_gen_require var_run_t)
|
||
+ (typeattributeset cil_gen_require mount_t)
|
||
+ (typeattributeset cil_gen_require var_t)
|
||
+ (typeattributeset cil_gen_require fusermount_exec_t)
|
||
+ (typeattributeset cil_gen_require fsadm_t)
|
||
+ (typeattributeset cil_gen_require fsadm_exec_t)
|
||
+ (typeattributeset cil_gen_require mount_var_run_t)
|
||
+ (roleattributeset cil_gen_require urole)
|
||
+ (roletype urole mount_t)
|
||
+ (roletype urole fsadm_t)
|
||
+ (allow utype fusermount_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow utype mount_t (process (transition)))
|
||
+ (typetransition utype fusermount_exec_t process mount_t)
|
||
+ (allow mount_t utype (fd (use)))
|
||
+ (allow mount_t utype (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow mount_t utype (process (sigchld)))
|
||
+ (allow mount_t utype (dir (ioctl read getattr lock open search)))
|
||
+ (allow mount_t utype (file (ioctl read getattr lock open)))
|
||
+ (allow mount_t utype (lnk_file (read getattr)))
|
||
+ (allow mount_t utype (process (getattr)))
|
||
+ (allow mount_t utype (unix_stream_socket (read write)))
|
||
+ (allow utype mount_t (fd (use)))
|
||
+ (allow mount_t bin_t (dir (getattr open search)))
|
||
+ (allow mount_t bin_t (lnk_file (read getattr)))
|
||
+ (allow mount_t bin_t (dir (getattr open search)))
|
||
+ (allow mount_t bin_t (dir (getattr open search)))
|
||
+ (allow mount_t fsadm_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow mount_t fsadm_t (process (transition)))
|
||
+ (typetransition mount_t fsadm_exec_t process fsadm_t)
|
||
+ (allow fsadm_t mount_t (fd (use)))
|
||
+ (allow fsadm_t mount_t (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow fsadm_t mount_t (process (sigchld)))
|
||
+ (allow utype mount_var_run_t (dir (getattr open search)))
|
||
+ (allow utype mount_var_run_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype mount_var_run_t (dir (getattr open search)))
|
||
+ (allow utype mount_var_run_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype var_t (lnk_file (read getattr)))
|
||
+ (allow utype var_run_t (lnk_file (read getattr)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_run_t (dir (getattr open search)))
|
||
+ )
|
||
+ (optional confinedom_graphical_login_optional_32
|
||
+ (typeattributeset cil_gen_require home_root_t)
|
||
+ (typeattributeset cil_gen_require tmp_t)
|
||
+ (typeattributeset cil_gen_require user_tmp_t)
|
||
+ (typeattributeset cil_gen_require user_home_dir_t)
|
||
+ (typeattributeset cil_gen_require tmpfs_t)
|
||
+ (typeattributeset cil_gen_require pulseaudio_tmpfsfile)
|
||
+ (typeattributeset cil_gen_require pulseaudio_t)
|
||
+ (typeattributeset cil_gen_require pulseaudio_exec_t)
|
||
+ (typeattributeset cil_gen_require pulseaudio_tmpfs_t)
|
||
+ (typeattributeset cil_gen_require user_tmp_type)
|
||
+ (typeattributeset cil_gen_require pulseaudio_home_t)
|
||
+ (roleattributeset cil_gen_require urole)
|
||
+ (roletype urole user_tmp_t)
|
||
+ (roletype urole pulseaudio_t)
|
||
+ (allow utype pulseaudio_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow utype pulseaudio_t (process (transition)))
|
||
+ (typetransition utype pulseaudio_exec_t process pulseaudio_t)
|
||
+ (allow pulseaudio_t utype (fd (use)))
|
||
+ (allow pulseaudio_t utype (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow pulseaudio_t utype (process (sigchld)))
|
||
+ (allow utype pulseaudio_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype pulseaudio_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype pulseaudio_t (lnk_file (read getattr)))
|
||
+ (allow utype pulseaudio_t (process (getattr)))
|
||
+ (allow pulseaudio_t utype (process (signull signal)))
|
||
+ (allow utype pulseaudio_t (process (sigkill signull signal)))
|
||
+ (allow utype pulseaudio_t (process2 (nnp_transition)))
|
||
+ (allow pulseaudio_t utype (dir (ioctl read getattr lock open search)))
|
||
+ (allow pulseaudio_t utype (file (ioctl read getattr lock open)))
|
||
+ (allow pulseaudio_t utype (lnk_file (read getattr)))
|
||
+ (allow pulseaudio_t utype (process (getattr)))
|
||
+ (allow pulseaudio_t utype (unix_stream_socket (connectto)))
|
||
+ (allow utype pulseaudio_t (unix_stream_socket (connectto)))
|
||
+ (allow utype pulseaudio_tmpfsfile (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow utype pulseaudio_tmpfs_t (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow utype pulseaudio_tmpfsfile (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads)))
|
||
+ (allow utype pulseaudio_tmpfs_t (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads)))
|
||
+ (typemember pulseaudio_t tmp_t dir user_tmp_t)
|
||
+ (allow pulseaudio_t user_tmp_type (dir (mounton)))
|
||
+ (allow pulseaudio_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow pulseaudio_t user_tmp_type (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow pulseaudio_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow pulseaudio_t user_tmp_type (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow pulseaudio_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow pulseaudio_t user_tmp_type (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads)))
|
||
+ (allow pulseaudio_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow pulseaudio_t user_tmp_type (sock_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
||
+ (allow pulseaudio_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow pulseaudio_t user_tmp_type (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
||
+ (allow pulseaudio_t tmp_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (typetransition pulseaudio_t tmp_t fifo_file user_tmp_t)
|
||
+ (typetransition pulseaudio_t tmp_t sock_file user_tmp_t)
|
||
+ (typetransition pulseaudio_t tmp_t lnk_file user_tmp_t)
|
||
+ (typetransition pulseaudio_t tmp_t dir user_tmp_t)
|
||
+ (typetransition pulseaudio_t tmp_t file user_tmp_t)
|
||
+ (allow user_tmp_t tmpfs_t (filesystem (associate)))
|
||
+ (allow pulseaudio_t tmpfs_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (typetransition pulseaudio_t tmpfs_t fifo_file user_tmp_t)
|
||
+ (typetransition pulseaudio_t tmpfs_t sock_file user_tmp_t)
|
||
+ (typetransition pulseaudio_t tmpfs_t lnk_file user_tmp_t)
|
||
+ (typetransition pulseaudio_t tmpfs_t dir user_tmp_t)
|
||
+ (typetransition pulseaudio_t tmpfs_t file user_tmp_t)
|
||
+ (allow pulseaudio_t user_tmp_type (dir (getattr open search)))
|
||
+ (allow pulseaudio_t user_tmp_type (dir (getattr relabelfrom relabelto)))
|
||
+ (allow pulseaudio_t user_tmp_type (dir (getattr open search)))
|
||
+ (allow pulseaudio_t user_tmp_type (file (getattr relabelfrom relabelto)))
|
||
+ (allow pulseaudio_t user_tmp_type (dir (getattr open search)))
|
||
+ (allow pulseaudio_t user_tmp_type (lnk_file (getattr relabelfrom relabelto)))
|
||
+ (allow pulseaudio_t user_tmp_type (dir (getattr open search)))
|
||
+ (allow pulseaudio_t user_tmp_type (sock_file (getattr relabelfrom relabelto)))
|
||
+ (allow pulseaudio_t user_tmp_type (dir (getattr open search)))
|
||
+ (allow pulseaudio_t user_tmp_type (fifo_file (getattr relabelfrom relabelto)))
|
||
+ (allow pulseaudio_t user_tmp_type (file (map)))
|
||
+ (allow utype pulseaudio_t (dbus (send_msg)))
|
||
+ (allow pulseaudio_t utype (dbus (acquire_svc send_msg)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype home_root_t (dir (getattr open search)))
|
||
+ (allow utype home_root_t (lnk_file (read getattr)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype home_root_t (dir (getattr open search)))
|
||
+ (allow utype home_root_t (lnk_file (read getattr)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype home_root_t (dir (getattr open search)))
|
||
+ (allow utype home_root_t (lnk_file (read getattr)))
|
||
+ (typetransition utype user_home_dir_t file ".esd_auth" pulseaudio_home_t)
|
||
+ (typetransition utype user_home_dir_t file ".pulse-cookie" pulseaudio_home_t)
|
||
+ (typetransition utype user_home_dir_t dir ".pulse" pulseaudio_home_t)
|
||
+ (optional confinedom_graphical_login_optional_33
|
||
+ (typeattributeset cil_gen_require home_root_t)
|
||
+ (typeattributeset cil_gen_require user_home_dir_t)
|
||
+ (typeattributeset cil_gen_require config_home_t)
|
||
+ (allow utype config_home_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype user_home_dir_t (dir (getattr open search)))
|
||
+ (allow utype user_home_dir_t (lnk_file (read getattr)))
|
||
+ (allow utype home_root_t (dir (getattr open search)))
|
||
+ (allow utype home_root_t (lnk_file (read getattr)))
|
||
+ (typetransition utype config_home_t dir "pulse" pulseaudio_home_t)
|
||
+ )
|
||
+ )
|
||
+ (optional confinedom_graphical_login_optional_34
|
||
+ (typeattributeset cil_gen_require var_run_t)
|
||
+ (typeattributeset cil_gen_require var_t)
|
||
+ (typeattributeset cil_gen_require var_log_t)
|
||
+ (typeattributeset cil_gen_require vdagent_log_t)
|
||
+ (typeattributeset cil_gen_require vdagent_var_run_t)
|
||
+ (typeattributeset cil_gen_require vdagent_t)
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_log_t (dir (getattr open search)))
|
||
+ (allow utype vdagent_log_t (file (getattr)))
|
||
+ (allow utype var_t (lnk_file (read getattr)))
|
||
+ (allow utype var_run_t (lnk_file (read getattr)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_run_t (dir (getattr open search)))
|
||
+ (allow utype vdagent_var_run_t (dir (getattr open search)))
|
||
+ (allow utype vdagent_var_run_t (sock_file (write getattr append open)))
|
||
+ (allow utype vdagent_t (unix_stream_socket (connectto)))
|
||
+ )
|
||
+ (optional confinedom_graphical_login_optional_35
|
||
+ (typeattributeset cil_gen_require proc_t)
|
||
+ (typeattributeset cil_gen_require rtkit_daemon_t)
|
||
+ (allow rtkit_daemon_t utype (process (getsched setsched)))
|
||
+ (allow utype proc_t (dir (getattr open search)))
|
||
+ (allow utype proc_t (dir (getattr open search)))
|
||
+ (allow rtkit_daemon_t utype (dir (ioctl read getattr lock open search)))
|
||
+ (allow rtkit_daemon_t utype (file (ioctl read getattr lock open)))
|
||
+ (allow rtkit_daemon_t utype (lnk_file (read getattr)))
|
||
+ (allow rtkit_daemon_t utype (process (getattr)))
|
||
+ (optional confinedom_graphical_login_optional_36
|
||
+ (typeattributeset cil_gen_require rtkit_daemon_t)
|
||
+ (allow utype rtkit_daemon_t (dbus (send_msg)))
|
||
+ (allow rtkit_daemon_t utype (dbus (send_msg)))
|
||
+ )
|
||
+ )
|
||
+ )
|
||
+)
|
||
+
|
||
+(macro confinedom_mozilla_usage_macro ((type utype) (role urole))
|
||
+ (optional confinedom_mozilla_usage_optional
|
||
+ (roleattributeset cil_gen_require mozilla_roles)
|
||
+ (roleattributeset cil_gen_require urole)
|
||
+ (typeattributeset cil_gen_require mozilla_t)
|
||
+ (typeattributeset cil_gen_require mozilla_exec_t)
|
||
+ (typeattributeset cil_gen_require mozilla_home_t)
|
||
+ (typeattributeset cil_gen_require mozilla_tmpfs_t)
|
||
+ (typeattributeset cil_gen_require utype)
|
||
+ (optional confinedom_mozilla_usage_optional_3
|
||
+ (roleattributeset cil_gen_require mozilla_plugin_roles)
|
||
+ (roleattributeset cil_gen_require mozilla_plugin_config_roles)
|
||
+ (typeattributeset cil_gen_require mozilla_t)
|
||
+ (typeattributeset cil_gen_require mozilla_home_t)
|
||
+ (typeattributeset cil_gen_require mozilla_plugin_t)
|
||
+ (typeattributeset cil_gen_require mozilla_plugin_exec_t)
|
||
+ (typeattributeset cil_gen_require mozilla_plugin_config_t)
|
||
+ (typeattributeset cil_gen_require mozilla_plugin_config_exec_t)
|
||
+ (typeattributeset cil_gen_require mozilla_plugin_rw_t)
|
||
+ (typeattributeset cil_gen_require lib_t)
|
||
+ (typeattributeset cil_gen_require user_home_dir_t)
|
||
+ (typeattributeset cil_gen_require home_root_t)
|
||
+ (roleattributeset cil_gen_require mozilla_plugin_config_roles)
|
||
+ (roleattributeset mozilla_plugin_config_roles (urole ))
|
||
+ (roleattributeset cil_gen_require mozilla_plugin_roles)
|
||
+ (roleattributeset mozilla_plugin_roles (urole ))
|
||
+ (allow utype mozilla_t (process (noatsecure siginh rlimitinh)))
|
||
+ (allow utype mozilla_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype mozilla_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype mozilla_t (lnk_file (read getattr)))
|
||
+ (allow utype mozilla_t (process (getattr)))
|
||
+ (allow utype mozilla_t (process (sigchld sigkill sigstop signull signal)))
|
||
+ (allow utype mozilla_t (fd (use)))
|
||
+ (allow utype mozilla_t (shm (getattr associate)))
|
||
+ (allow utype mozilla_t (shm (unix_read unix_write)))
|
||
+ (allow utype mozilla_t (unix_stream_socket (connectto)))
|
||
+ (allow utype mozilla_plugin_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow utype mozilla_plugin_t (process (transition)))
|
||
+ (typetransition utype mozilla_plugin_exec_t process mozilla_plugin_t)
|
||
+ (allow mozilla_plugin_t utype (fd (use)))
|
||
+ (allow mozilla_plugin_t utype (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow mozilla_plugin_t utype (process (sigchld)))
|
||
+ (allow utype mozilla_plugin_config_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow utype mozilla_plugin_config_t (process (transition)))
|
||
+ (typetransition utype mozilla_plugin_config_exec_t process mozilla_plugin_config_t)
|
||
+ (allow mozilla_plugin_config_t utype (fd (use)))
|
||
+ (allow mozilla_plugin_config_t utype (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow mozilla_plugin_config_t utype (process (sigchld)))
|
||
+ (allow mozilla_plugin_t utype (process (signull)))
|
||
+ (dontaudit mozilla_plugin_config_t utype (file (ioctl read getattr lock)))
|
||
+ (dontaudit mozilla_plugin_t utype (process (signal)))
|
||
+ (allow utype mozilla_plugin_t (unix_stream_socket (ioctl read write getattr setattr lock append bind connect getopt setopt shutdown connectto)))
|
||
+ (allow utype mozilla_plugin_t (fd (use)))
|
||
+ (allow mozilla_plugin_t utype (unix_stream_socket (ioctl read write getattr setattr lock append bind connect getopt setopt shutdown)))
|
||
+ (allow mozilla_plugin_t utype (unix_dgram_socket (ioctl read write getattr setattr lock append bind connect getopt setopt shutdown sendto)))
|
||
+ (allow mozilla_plugin_t utype (shm (destroy getattr read write associate unix_read unix_write lock)))
|
||
+ (allow mozilla_plugin_t utype (sem (create destroy getattr setattr read write associate unix_read unix_write)))
|
||
+ (allow utype mozilla_plugin_t (sem (getattr read write associate unix_read unix_write)))
|
||
+ (allow utype mozilla_plugin_t (shm (getattr read write associate unix_read unix_write lock)))
|
||
+ (allow utype mozilla_plugin_t (fifo_file (ioctl read write getattr lock append open)))
|
||
+ (allow utype mozilla_plugin_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype mozilla_plugin_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype mozilla_plugin_t (lnk_file (read getattr)))
|
||
+ (allow utype mozilla_plugin_t (process (getattr)))
|
||
+ (allow mozilla_plugin_t utype (dir (ioctl read getattr lock open search)))
|
||
+ (allow mozilla_plugin_t utype (file (ioctl read getattr lock open)))
|
||
+ (allow mozilla_plugin_t utype (lnk_file (read getattr)))
|
||
+ (allow mozilla_plugin_t utype (process (getattr)))
|
||
+ (allow utype mozilla_plugin_t (process (sigchld sigkill sigstop signull signal noatsecure)))
|
||
+ (allow utype mozilla_plugin_rw_t (dir (getattr open search)))
|
||
+ (allow utype mozilla_plugin_rw_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype mozilla_plugin_rw_t (dir (getattr open search)))
|
||
+ (allow utype mozilla_plugin_rw_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype mozilla_plugin_rw_t (dir (getattr open search)))
|
||
+ (allow utype mozilla_plugin_rw_t (lnk_file (read getattr)))
|
||
+ (allow utype mozilla_plugin_rw_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
||
+ (allow utype mozilla_plugin_t (dbus (send_msg)))
|
||
+ (allow mozilla_plugin_t utype (dbus (send_msg)))
|
||
+ (allow mozilla_plugin_t utype (process (signull)))
|
||
+ (allow utype mozilla_t (dbus (send_msg)))
|
||
+ (allow mozilla_t utype (dbus (send_msg)))
|
||
+ (allow utype mozilla_plugin_rw_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype home_root_t (dir (getattr open search)))
|
||
+ (allow utype home_root_t (lnk_file (read getattr)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype home_root_t (dir (getattr open search)))
|
||
+ (allow utype home_root_t (lnk_file (read getattr)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype home_root_t (dir (getattr open search)))
|
||
+ (allow utype home_root_t (lnk_file (read getattr)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype home_root_t (dir (getattr open search)))
|
||
+ (allow utype home_root_t (lnk_file (read getattr)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype home_root_t (dir (getattr open search)))
|
||
+ (allow utype home_root_t (lnk_file (read getattr)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype home_root_t (dir (getattr open search)))
|
||
+ (allow utype home_root_t (lnk_file (read getattr)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype home_root_t (dir (getattr open search)))
|
||
+ (allow utype home_root_t (lnk_file (read getattr)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype home_root_t (dir (getattr open search)))
|
||
+ (allow utype home_root_t (lnk_file (read getattr)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype home_root_t (dir (getattr open search)))
|
||
+ (allow utype home_root_t (lnk_file (read getattr)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype home_root_t (dir (getattr open search)))
|
||
+ (allow utype home_root_t (lnk_file (read getattr)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype home_root_t (dir (getattr open search)))
|
||
+ (allow utype home_root_t (lnk_file (read getattr)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype home_root_t (dir (getattr open search)))
|
||
+ (allow utype home_root_t (lnk_file (read getattr)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype home_root_t (dir (getattr open search)))
|
||
+ (allow utype home_root_t (lnk_file (read getattr)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype home_root_t (dir (getattr open search)))
|
||
+ (allow utype home_root_t (lnk_file (read getattr)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype home_root_t (dir (getattr open search)))
|
||
+ (allow utype home_root_t (lnk_file (read getattr)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype home_root_t (dir (getattr open search)))
|
||
+ (allow utype home_root_t (lnk_file (read getattr)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype home_root_t (dir (getattr open search)))
|
||
+ (allow utype home_root_t (lnk_file (read getattr)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype home_root_t (dir (getattr open search)))
|
||
+ (allow utype home_root_t (lnk_file (read getattr)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype home_root_t (dir (getattr open search)))
|
||
+ (allow utype home_root_t (lnk_file (read getattr)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype home_root_t (dir (getattr open search)))
|
||
+ (allow utype home_root_t (lnk_file (read getattr)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype home_root_t (dir (getattr open search)))
|
||
+ (allow utype home_root_t (lnk_file (read getattr)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype home_root_t (dir (getattr open search)))
|
||
+ (allow utype home_root_t (lnk_file (read getattr)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype home_root_t (dir (getattr open search)))
|
||
+ (allow utype home_root_t (lnk_file (read getattr)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype home_root_t (dir (getattr open search)))
|
||
+ (allow utype home_root_t (lnk_file (read getattr)))
|
||
+ (typetransition utype user_home_dir_t dir ".webex" mozilla_home_t)
|
||
+ (typetransition utype user_home_dir_t file "mozilla.pdf" mozilla_home_t)
|
||
+ (typetransition utype user_home_dir_t file ".gnashpluginrc" mozilla_home_t)
|
||
+ (typetransition utype user_home_dir_t dir ".IBMERS" mozilla_home_t)
|
||
+ (typetransition utype user_home_dir_t dir ".lyx" mozilla_home_t)
|
||
+ (typetransition utype user_home_dir_t dir ".juniper_networks" mozilla_home_t)
|
||
+ (typetransition utype user_home_dir_t dir "zimbrauserdata" mozilla_home_t)
|
||
+ (typetransition utype user_home_dir_t dir ".ICAClient" mozilla_home_t)
|
||
+ (typetransition utype user_home_dir_t dir ".spicec" mozilla_home_t)
|
||
+ (typetransition utype user_home_dir_t dir ".quakelive" mozilla_home_t)
|
||
+ (typetransition utype user_home_dir_t file "abc" mozilla_home_t)
|
||
+ (typetransition utype user_home_dir_t dir ".icedtea" mozilla_home_t)
|
||
+ (typetransition utype user_home_dir_t dir ".icedteaplugin" mozilla_home_t)
|
||
+ (typetransition utype user_home_dir_t dir ".gcjwebplugin" mozilla_home_t)
|
||
+ (typetransition utype user_home_dir_t dir ".grl-podcasts" mozilla_home_t)
|
||
+ (typetransition utype user_home_dir_t dir ".gnash" mozilla_home_t)
|
||
+ (typetransition utype user_home_dir_t dir ".macromedia" mozilla_home_t)
|
||
+ (typetransition utype user_home_dir_t dir ".adobe" mozilla_home_t)
|
||
+ (typetransition utype user_home_dir_t dir ".phoenix" mozilla_home_t)
|
||
+ (typetransition utype user_home_dir_t dir ".netscape" mozilla_home_t)
|
||
+ (typetransition utype user_home_dir_t dir ".thunderbird" mozilla_home_t)
|
||
+ (typetransition utype user_home_dir_t dir ".mozilla" mozilla_home_t)
|
||
+ (typetransition utype user_home_dir_t dir ".java" mozilla_home_t)
|
||
+ (typetransition utype user_home_dir_t dir ".galeon" mozilla_home_t)
|
||
+ (typetransition utype mozilla_plugin_rw_t file "nswrapper_32_64.nppdf.so" lib_t)
|
||
+ (booleanif (deny_ptrace)
|
||
+ (false
|
||
+ (allow utype mozilla_plugin_t (process (ptrace)))
|
||
+ )
|
||
+ )
|
||
+ (optional confinedom_mozilla_usage_optional_4
|
||
+ (roleattributeset cil_gen_require lpr_roles)
|
||
+ (typeattributeset cil_gen_require lpr_t)
|
||
+ (typeattributeset cil_gen_require lpr_exec_t)
|
||
+ (roleattributeset cil_gen_require lpr_roles)
|
||
+ (roleattributeset lpr_roles (urole ))
|
||
+ (allow mozilla_plugin_t lpr_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow mozilla_plugin_t lpr_t (process (transition)))
|
||
+ (typetransition mozilla_plugin_t lpr_exec_t process lpr_t)
|
||
+ (allow lpr_t mozilla_plugin_t (fd (use)))
|
||
+ (allow lpr_t mozilla_plugin_t (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow lpr_t mozilla_plugin_t (process (sigchld)))
|
||
+ )
|
||
+ (optional confinedom_mozilla_usage_optional_5
|
||
+ (typeattributeset cil_gen_require user_home_dir_t)
|
||
+ (typeattributeset cil_gen_require home_root_t)
|
||
+ (typeattributeset cil_gen_require cache_home_t)
|
||
+ (allow utype cache_home_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype user_home_dir_t (dir (getattr open search)))
|
||
+ (allow utype user_home_dir_t (lnk_file (read getattr)))
|
||
+ (allow utype home_root_t (dir (getattr open search)))
|
||
+ (allow utype home_root_t (lnk_file (read getattr)))
|
||
+ (allow utype cache_home_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype user_home_dir_t (dir (getattr open search)))
|
||
+ (allow utype user_home_dir_t (lnk_file (read getattr)))
|
||
+ (allow utype home_root_t (dir (getattr open search)))
|
||
+ (allow utype home_root_t (lnk_file (read getattr)))
|
||
+ (typetransition utype cache_home_t dir "icedtea-web" mozilla_home_t)
|
||
+ (typetransition utype cache_home_t dir "mozilla" mozilla_home_t)
|
||
+ )
|
||
+ )
|
||
+ )
|
||
+)
|
||
+
|
||
+(macro confinedom_networking_macro ((type utype) (role urole))
|
||
+ (optional confinedom_networking_optional_2
|
||
+ (roleattributeset cil_gen_require urole)
|
||
+ (typeattributeset cil_gen_require utype)
|
||
+ (typeattributeset cil_gen_require ping_t)
|
||
+ (typeattributeset cil_gen_require ping_exec_t)
|
||
+ (typeattributeset cil_gen_require bin_t)
|
||
+ (typeattributeset cil_gen_require traceroute_t)
|
||
+ (typeattributeset cil_gen_require traceroute_exec_t)
|
||
+ (roleattributeset cil_gen_require urole)
|
||
+ (roletype urole ping_t)
|
||
+ (roletype urole traceroute_t)
|
||
+ (booleanif (selinuxuser_ping)
|
||
+ (true
|
||
+ (allow utype ping_t (process (sigkill signal)))
|
||
+ (allow ping_t utype (process (sigchld)))
|
||
+ (allow ping_t utype (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow ping_t utype (fd (use)))
|
||
+ (typetransition utype ping_exec_t process ping_t)
|
||
+ (allow utype ping_t (process (transition)))
|
||
+ (allow utype ping_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype bin_t (lnk_file (read getattr)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype traceroute_t (process (sigkill signal)))
|
||
+ (allow traceroute_t utype (process (sigchld)))
|
||
+ (allow traceroute_t utype (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow traceroute_t utype (fd (use)))
|
||
+ (typetransition utype traceroute_exec_t process traceroute_t)
|
||
+ (allow utype traceroute_t (process (transition)))
|
||
+ (allow utype traceroute_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype bin_t (lnk_file (read getattr)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ )
|
||
+ )
|
||
+ )
|
||
+)
|
||
+
|
||
+(macro confinedom_security_advanced_macro ((type utype) (role urole) (type sudo_type) (type userhelper_type))
|
||
+ (optional confinedom_security_advanced_optional_2
|
||
+ (roleattributeset cil_gen_require urole)
|
||
+ (typeattributeset cil_gen_require utype)
|
||
+ (typeattributeset cil_gen_require sudo_type)
|
||
+ (typeattributeset cil_gen_require auditd_log_t)
|
||
+ (typeattributeset cil_gen_require var_t)
|
||
+ (typeattributeset cil_gen_require auditd_etc_t)
|
||
+ (typeattributeset cil_gen_require etc_t)
|
||
+ (typeattributeset cil_gen_require security_t)
|
||
+ (typeattributeset cil_gen_require can_setenforce)
|
||
+ (typeattributeset cil_gen_require sysfs_t)
|
||
+ (typeattributeset cil_gen_require secure_mode_policyload_t)
|
||
+ (typeattributeset cil_gen_require boolean_type)
|
||
+ (typeattributeset cil_gen_require can_setbool)
|
||
+ (typeattributeset cil_gen_require semanage_t)
|
||
+ (typeattributeset cil_gen_require selinux_config_t)
|
||
+ (typeattributeset cil_gen_require semanage_store_t)
|
||
+ (typeattributeset cil_gen_require selinux_login_config_t)
|
||
+ (typeattributeset cil_gen_require semanage_exec_t)
|
||
+ (typeattributeset cil_gen_require usr_t)
|
||
+ (typeattributeset cil_gen_require bin_t)
|
||
+ (typeattributeset cil_gen_require setfiles_t)
|
||
+ (typeattributeset cil_gen_require setfiles_exec_t)
|
||
+ (typeattributeset cil_gen_require load_policy_t)
|
||
+ (typeattributeset cil_gen_require load_policy_exec_t)
|
||
+ (typeattributeset cil_gen_require newrole_t)
|
||
+ (typeattributeset cil_gen_require newrole_exec_t)
|
||
+ (typeattributeset cil_gen_require updpwd_t)
|
||
+ (typeattributeset cil_gen_require updpwd_exec_t)
|
||
+ (typeattributeset cil_gen_require shadow_t)
|
||
+ (roleattributeset cil_gen_require urole)
|
||
+ (roletype urole semanage_t)
|
||
+ (roletype urole setfiles_t)
|
||
+ (roletype urole load_policy_t)
|
||
+ (roletype urole newrole_t)
|
||
+ (roletype urole updpwd_t)
|
||
+ (typeattributeset cil_gen_require can_setbool)
|
||
+ (typeattributeset can_setbool (utype ))
|
||
+ (typeattributeset cil_gen_require can_setenforce)
|
||
+ (typeattributeset can_setenforce (utype ))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype auditd_log_t (dir (getattr open search)))
|
||
+ (allow utype auditd_log_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype auditd_log_t (dir (getattr open search)))
|
||
+ (allow utype auditd_log_t (lnk_file (read getattr)))
|
||
+ (allow utype auditd_log_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype etc_t (dir (getattr open search)))
|
||
+ (allow utype auditd_etc_t (dir (getattr open search)))
|
||
+ (allow utype auditd_etc_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype auditd_etc_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype security_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype security_t (file (ioctl read write getattr lock append open)))
|
||
+ (allow utype sysfs_t (filesystem (getattr)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype security_t (lnk_file (read getattr)))
|
||
+ (allow utype security_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype boolean_type (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype boolean_type (file (ioctl read write getattr lock append open)))
|
||
+ (allow semanage_t utype (dir (ioctl read getattr lock open search)))
|
||
+ (allow semanage_t utype (file (ioctl read getattr lock open)))
|
||
+ (allow semanage_t utype (lnk_file (read getattr)))
|
||
+ (allow semanage_t utype (process (getattr)))
|
||
+ (allow utype semanage_t (dbus (send_msg)))
|
||
+ (allow semanage_t utype (dbus (send_msg)))
|
||
+ (allow utype etc_t (dir (getattr open search)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype selinux_config_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype semanage_store_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow utype semanage_store_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype semanage_store_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow utype semanage_store_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype semanage_store_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow utype semanage_store_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype semanage_store_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads)))
|
||
+ (allow utype selinux_config_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype selinux_config_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype selinux_config_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype selinux_config_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype etc_t (dir (getattr open search)))
|
||
+ (allow utype selinux_config_t (dir (getattr open search)))
|
||
+ (allow utype selinux_login_config_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype selinux_login_config_t (dir (getattr open search)))
|
||
+ (allow utype selinux_login_config_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype selinux_login_config_t (dir (getattr open search)))
|
||
+ (allow utype selinux_login_config_t (lnk_file (read getattr)))
|
||
+ (allow sudo_type usr_t (dir (getattr open search)))
|
||
+ (allow sudo_type bin_t (dir (getattr open search)))
|
||
+ (allow sudo_type bin_t (lnk_file (read getattr)))
|
||
+ (allow sudo_type bin_t (dir (getattr open search)))
|
||
+ (allow sudo_type bin_t (dir (getattr open search)))
|
||
+ (allow sudo_type semanage_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow sudo_type semanage_t (process (transition)))
|
||
+ (typetransition sudo_type semanage_exec_t process semanage_t)
|
||
+ (allow semanage_t sudo_type (fd (use)))
|
||
+ (allow semanage_t sudo_type (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow semanage_t sudo_type (process (sigchld)))
|
||
+ (allow semanage_t usr_t (dir (getattr open search)))
|
||
+ (allow semanage_t bin_t (dir (getattr open search)))
|
||
+ (allow semanage_t bin_t (lnk_file (read getattr)))
|
||
+ (allow semanage_t bin_t (dir (getattr open search)))
|
||
+ (allow semanage_t bin_t (dir (getattr open search)))
|
||
+ (allow semanage_t setfiles_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow semanage_t setfiles_t (process (transition)))
|
||
+ (typetransition semanage_t setfiles_exec_t process setfiles_t)
|
||
+ (allow setfiles_t semanage_t (fd (use)))
|
||
+ (allow setfiles_t semanage_t (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow setfiles_t semanage_t (process (sigchld)))
|
||
+ (allow semanage_t bin_t (dir (getattr open search)))
|
||
+ (allow semanage_t bin_t (lnk_file (read getattr)))
|
||
+ (allow semanage_t bin_t (dir (getattr open search)))
|
||
+ (allow semanage_t bin_t (dir (getattr open search)))
|
||
+ (allow semanage_t load_policy_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow semanage_t load_policy_t (process (transition)))
|
||
+ (typetransition semanage_t load_policy_exec_t process load_policy_t)
|
||
+ (allow load_policy_t semanage_t (fd (use)))
|
||
+ (allow load_policy_t semanage_t (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow load_policy_t semanage_t (process (sigchld)))
|
||
+ (allow utype usr_t (dir (getattr open search)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype bin_t (lnk_file (read getattr)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype newrole_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow utype newrole_t (process (transition)))
|
||
+ (typetransition utype newrole_exec_t process newrole_t)
|
||
+ (allow newrole_t utype (fd (use)))
|
||
+ (allow newrole_t utype (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow newrole_t utype (process (sigchld)))
|
||
+ (allow newrole_t updpwd_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow newrole_t updpwd_t (process (transition)))
|
||
+ (typetransition newrole_t updpwd_exec_t process updpwd_t)
|
||
+ (allow updpwd_t newrole_t (fd (use)))
|
||
+ (allow updpwd_t newrole_t (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow updpwd_t newrole_t (process (sigchld)))
|
||
+ (dontaudit newrole_t shadow_t (file (ioctl read getattr lock open)))
|
||
+ (allow sudo_type usr_t (dir (getattr open search)))
|
||
+ (allow sudo_type bin_t (dir (getattr open search)))
|
||
+ (allow sudo_type bin_t (lnk_file (read getattr)))
|
||
+ (allow sudo_type bin_t (dir (getattr open search)))
|
||
+ (allow sudo_type bin_t (dir (getattr open search)))
|
||
+ (allow sudo_type setfiles_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow sudo_type setfiles_t (process (transition)))
|
||
+ (typetransition sudo_type setfiles_exec_t process setfiles_t)
|
||
+ (allow setfiles_t sudo_type (fd (use)))
|
||
+ (allow setfiles_t sudo_type (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow setfiles_t sudo_type (process (sigchld)))
|
||
+ (typetransition utype selinux_config_t dir "tmp" semanage_store_t)
|
||
+ (typetransition utype selinux_config_t dir "previous" semanage_store_t)
|
||
+ (typetransition utype selinux_config_t dir "active" semanage_store_t)
|
||
+ (typetransition utype selinux_config_t dir "modules" semanage_store_t)
|
||
+ (optional confinedom_security_advanced_optional_3
|
||
+ (typeattributeset cil_gen_require usr_t)
|
||
+ (typeattributeset cil_gen_require bin_t)
|
||
+ (typeattributeset cil_gen_require setfiles_t)
|
||
+ (typeattributeset cil_gen_require setfiles_exec_t)
|
||
+ (typeattributeset cil_gen_require namespace_init_t)
|
||
+ (typeattributeset cil_gen_require namespace_init_exec_t)
|
||
+ (roleattributeset cil_gen_require urole)
|
||
+ (roletype urole setfiles_t)
|
||
+ (roletype urole namespace_init_t)
|
||
+ (allow newrole_t namespace_init_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow newrole_t namespace_init_t (process (transition)))
|
||
+ (typetransition newrole_t namespace_init_exec_t process namespace_init_t)
|
||
+ (allow namespace_init_t newrole_t (fd (use)))
|
||
+ (allow namespace_init_t newrole_t (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow namespace_init_t newrole_t (process (sigchld)))
|
||
+ (allow namespace_init_t usr_t (dir (getattr open search)))
|
||
+ (allow namespace_init_t bin_t (dir (getattr open search)))
|
||
+ (allow namespace_init_t bin_t (lnk_file (read getattr)))
|
||
+ (allow namespace_init_t bin_t (dir (getattr open search)))
|
||
+ (allow namespace_init_t bin_t (dir (getattr open search)))
|
||
+ (allow namespace_init_t setfiles_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow namespace_init_t setfiles_t (process (transition)))
|
||
+ (typetransition namespace_init_t setfiles_exec_t process setfiles_t)
|
||
+ (allow setfiles_t namespace_init_t (fd (use)))
|
||
+ (allow setfiles_t namespace_init_t (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow setfiles_t namespace_init_t (process (sigchld)))
|
||
+ )
|
||
+ (optional confinedom_security_advanced_optional_4
|
||
+ (roletype object_r userhelper_type)
|
||
+ (typeattributeset cil_gen_require var_t)
|
||
+ (typeattributeset cil_gen_require etc_t)
|
||
+ (typeattributeset cil_gen_require security_t)
|
||
+ (typeattributeset cil_gen_require sysfs_t)
|
||
+ (typeattributeset cil_gen_require selinux_config_t)
|
||
+ (typeattributeset cil_gen_require usr_t)
|
||
+ (typeattributeset cil_gen_require bin_t)
|
||
+ (typeattributeset cil_gen_require updpwd_t)
|
||
+ (typeattributeset cil_gen_require updpwd_exec_t)
|
||
+ (typeattributeset cil_gen_require shadow_t)
|
||
+ (typeattributeset cil_gen_require userhelper_type)
|
||
+ (typeattributeset cil_gen_require userhelper_exec_t)
|
||
+ (typeattributeset cil_gen_require userhelper_conf_t)
|
||
+ (typeattributeset cil_gen_require application_domain_type)
|
||
+ (typeattributeset cil_gen_require domain)
|
||
+ (typeattributeset cil_gen_require corenet_unlabeled_type)
|
||
+ (typeattributeset cil_gen_require application_exec_type)
|
||
+ (typeattributeset cil_gen_require exec_type)
|
||
+ (typeattributeset cil_gen_require file_type)
|
||
+ (typeattributeset cil_gen_require non_security_file_type)
|
||
+ (typeattributeset cil_gen_require non_auth_file_type)
|
||
+ (typeattributeset cil_gen_require entry_type)
|
||
+ (typeattributeset cil_gen_require ubac_constrained_type)
|
||
+ (typeattributeset cil_gen_require can_change_process_role)
|
||
+ (typeattributeset cil_gen_require can_change_object_identity)
|
||
+ (typeattributeset cil_gen_require privfd)
|
||
+ (typeattributeset cil_gen_require can_change_process_identity)
|
||
+ (typeattributeset cil_gen_require sysctl_type)
|
||
+ (typeattributeset cil_gen_require proc_t)
|
||
+ (typeattributeset cil_gen_require proc_net_t)
|
||
+ (typeattributeset cil_gen_require debugfs_t)
|
||
+ (typeattributeset cil_gen_require kernel_system_state_reader)
|
||
+ (typeattributeset cil_gen_require shell_exec_t)
|
||
+ (typeattributeset cil_gen_require device_t)
|
||
+ (typeattributeset cil_gen_require urandom_device_t)
|
||
+ (typeattributeset cil_gen_require var_lib_t)
|
||
+ (typeattributeset cil_gen_require etc_runtime_t)
|
||
+ (typeattributeset cil_gen_require home_root_t)
|
||
+ (typeattributeset cil_gen_require autofs_t)
|
||
+ (typeattributeset cil_gen_require nfs_t)
|
||
+ (typeattributeset cil_gen_require devpts_t)
|
||
+ (typeattributeset cil_gen_require ttynode)
|
||
+ (typeattributeset cil_gen_require ptynode)
|
||
+ (typeattributeset cil_gen_require chkpwd_t)
|
||
+ (typeattributeset cil_gen_require chkpwd_exec_t)
|
||
+ (typeattributeset cil_gen_require auth_cache_t)
|
||
+ (typeattributeset cil_gen_require random_device_t)
|
||
+ (typeattributeset cil_gen_require nsswitch_domain)
|
||
+ (typeattributeset cil_gen_require netlabel_peer_type)
|
||
+ (typeattributeset cil_gen_require faillog_t)
|
||
+ (typeattributeset cil_gen_require var_log_t)
|
||
+ (typeattributeset cil_gen_require cert_t)
|
||
+ (typeattributeset cil_gen_require var_run_t)
|
||
+ (typeattributeset cil_gen_require pam_var_run_t)
|
||
+ (typeattributeset cil_gen_require var_auth_t)
|
||
+ (typeattributeset cil_gen_require pam_var_console_t)
|
||
+ (typeattributeset cil_gen_require syslog_client_type)
|
||
+ (typeattributeset cil_gen_require init_t)
|
||
+ (typeattributeset cil_gen_require initrc_var_run_t)
|
||
+ (typeattributeset cil_gen_require default_context_t)
|
||
+ (typeattributeset cil_gen_require unpriv_userdomain)
|
||
+ (roleattributeset cil_gen_require urole)
|
||
+ (roletype urole userhelper_type)
|
||
+ (typeattributeset cil_gen_require netlabel_peer_type)
|
||
+ (typeattributeset netlabel_peer_type (userhelper_type ))
|
||
+ (typeattributeset cil_gen_require can_change_process_identity)
|
||
+ (typeattributeset can_change_process_identity (userhelper_type ))
|
||
+ (typeattributeset cil_gen_require corenet_unlabeled_type)
|
||
+ (typeattributeset corenet_unlabeled_type (userhelper_type ))
|
||
+ (typeattributeset cil_gen_require privfd)
|
||
+ (typeattributeset privfd (userhelper_type ))
|
||
+ (typeattributeset cil_gen_require syslog_client_type)
|
||
+ (typeattributeset syslog_client_type (userhelper_type ))
|
||
+ (typeattributeset cil_gen_require file_type)
|
||
+ (typeattributeset file_type (userhelper_exec_t ))
|
||
+ (typeattributeset cil_gen_require non_security_file_type)
|
||
+ (typeattributeset non_security_file_type (userhelper_exec_t ))
|
||
+ (typeattributeset cil_gen_require can_change_object_identity)
|
||
+ (typeattributeset can_change_object_identity (userhelper_type ))
|
||
+ (typeattributeset cil_gen_require exec_type)
|
||
+ (typeattributeset exec_type (userhelper_exec_t ))
|
||
+ (typeattributeset cil_gen_require application_domain_type)
|
||
+ (typeattributeset application_domain_type (userhelper_type ))
|
||
+ (typeattributeset cil_gen_require ubac_constrained_type)
|
||
+ (typeattributeset ubac_constrained_type (userhelper_type ))
|
||
+ (typeattributeset cil_gen_require kernel_system_state_reader)
|
||
+ (typeattributeset kernel_system_state_reader (userhelper_type ))
|
||
+ (typeattributeset cil_gen_require can_change_process_role)
|
||
+ (typeattributeset can_change_process_role (userhelper_type ))
|
||
+ (typeattributeset cil_gen_require application_exec_type)
|
||
+ (typeattributeset application_exec_type (userhelper_exec_t ))
|
||
+ (typeattributeset cil_gen_require nsswitch_domain)
|
||
+ (typeattributeset nsswitch_domain (userhelper_type ))
|
||
+ (typeattributeset cil_gen_require entry_type)
|
||
+ (typeattributeset entry_type (userhelper_exec_t ))
|
||
+ (typeattributeset cil_gen_require non_auth_file_type)
|
||
+ (typeattributeset non_auth_file_type (userhelper_exec_t ))
|
||
+ (typeattributeset cil_gen_require domain)
|
||
+ (typeattributeset domain (userhelper_type ))
|
||
+ (typeattributeset cil_gen_require userhelper_type)
|
||
+ (allow userhelper_type userhelper_exec_t (file (entrypoint)))
|
||
+ (allow userhelper_type userhelper_exec_t (file (ioctl read getattr lock map execute open)))
|
||
+ (allow userhelper_type self (capability (chown dac_read_search setgid setuid net_bind_service sys_tty_config)))
|
||
+ (allow userhelper_type self (process (fork transition sigchld sigkill sigstop signull signal getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit)))
|
||
+ (allow userhelper_type self (process (setexec)))
|
||
+ (allow userhelper_type self (fd (use)))
|
||
+ (allow userhelper_type self (fifo_file (ioctl read write getattr lock append open)))
|
||
+ (allow userhelper_type self (shm (create destroy getattr setattr read write associate unix_read unix_write lock)))
|
||
+ (allow userhelper_type self (sem (create destroy getattr setattr read write associate unix_read unix_write)))
|
||
+ (allow userhelper_type self (msgq (create destroy getattr setattr read write associate unix_read unix_write enqueue)))
|
||
+ (allow userhelper_type self (msg (send receive)))
|
||
+ (allow userhelper_type self (unix_dgram_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown)))
|
||
+ (allow userhelper_type self (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown)))
|
||
+ (allow userhelper_type self (unix_dgram_socket (sendto)))
|
||
+ (allow userhelper_type self (unix_stream_socket (connectto)))
|
||
+ (allow userhelper_type self (sock_file (read getattr open)))
|
||
+ (allow utype userhelper_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow utype userhelper_type (process (transition)))
|
||
+ (typetransition utype userhelper_exec_t process userhelper_type)
|
||
+ (allow userhelper_type utype (fd (use)))
|
||
+ (allow userhelper_type utype (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow userhelper_type utype (process (sigchld)))
|
||
+ (allow userhelper_type userhelper_conf_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow userhelper_type userhelper_conf_t (dir (getattr open search)))
|
||
+ (allow userhelper_type userhelper_conf_t (file (ioctl read write getattr lock append open)))
|
||
+ (allow userhelper_type userhelper_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
||
+ (dontaudit utype userhelper_type (process (signal)))
|
||
+ (allow userhelper_type sysctl_type (dir (getattr open search)))
|
||
+ (allow userhelper_type proc_t (dir (getattr open search)))
|
||
+ (allow userhelper_type proc_net_t (dir (getattr open search)))
|
||
+ (allow userhelper_type sysctl_type (file (ioctl read getattr lock open)))
|
||
+ (allow userhelper_type proc_t (dir (getattr open search)))
|
||
+ (allow userhelper_type proc_net_t (dir (getattr open search)))
|
||
+ (allow userhelper_type sysctl_type (dir (ioctl read getattr lock open search)))
|
||
+ (allow userhelper_type debugfs_t (filesystem (getattr)))
|
||
+ (allow userhelper_type bin_t (dir (getattr open search)))
|
||
+ (allow userhelper_type bin_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow userhelper_type bin_t (dir (getattr open search)))
|
||
+ (allow userhelper_type bin_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type shell_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
||
+ (allow userhelper_type shell_exec_t (file (map)))
|
||
+ (allow userhelper_type bin_t (dir (getattr open search)))
|
||
+ (allow userhelper_type bin_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type bin_t (file (ioctl read getattr map execute open)))
|
||
+ (allow userhelper_type utype (process (transition)))
|
||
+ (allow userhelper_type usr_t (dir (getattr open search)))
|
||
+ (allow userhelper_type usr_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type usr_t (file (ioctl read getattr map execute open)))
|
||
+ (allow userhelper_type utype (process (transition)))
|
||
+ (typetransition userhelper_type bin_t process utype)
|
||
+ (typetransition userhelper_type usr_t process utype)
|
||
+ (allow userhelper_type privfd (fd (use)))
|
||
+ (allow userhelper_type privfd (process (sigchld)))
|
||
+ (allow userhelper_type device_t (dir (getattr open search)))
|
||
+ (allow userhelper_type urandom_device_t (chr_file (ioctl read getattr lock open)))
|
||
+ (allow userhelper_type device_t (dir (getattr open search)))
|
||
+ (allow userhelper_type device_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow userhelper_type device_t (dir (getattr open search)))
|
||
+ (allow userhelper_type device_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type var_t (dir (getattr open search)))
|
||
+ (allow userhelper_type var_lib_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow userhelper_type etc_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow userhelper_type etc_t (dir (getattr open search)))
|
||
+ (allow userhelper_type etc_t (file (ioctl read getattr lock open)))
|
||
+ (allow userhelper_type etc_t (dir (getattr open search)))
|
||
+ (allow userhelper_type etc_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type etc_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow userhelper_type etc_t (dir (getattr open search)))
|
||
+ (allow userhelper_type etc_runtime_t (file (ioctl read getattr lock open)))
|
||
+ (allow userhelper_type etc_t (dir (getattr open search)))
|
||
+ (allow userhelper_type etc_runtime_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type var_t (dir (getattr open search)))
|
||
+ (allow userhelper_type var_t (file (ioctl read getattr lock open)))
|
||
+ (allow userhelper_type var_t (dir (getattr open search)))
|
||
+ (allow userhelper_type var_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type home_root_t (dir (getattr open search)))
|
||
+ (allow userhelper_type home_root_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type autofs_t (dir (getattr open search)))
|
||
+ (allow userhelper_type autofs_t (dir (getattr open search)))
|
||
+ (allow userhelper_type nfs_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow userhelper_type nfs_t (dir (getattr open search)))
|
||
+ (allow userhelper_type nfs_t (file (ioctl read getattr lock open)))
|
||
+ (allow userhelper_type nfs_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow userhelper_type nfs_t (dir (getattr open search)))
|
||
+ (allow userhelper_type nfs_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type security_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type sysfs_t (filesystem (getattr)))
|
||
+ (allow userhelper_type sysfs_t (dir (getattr open search)))
|
||
+ (allow userhelper_type sysfs_t (dir (getattr open search)))
|
||
+ (allow userhelper_type security_t (filesystem (getattr)))
|
||
+ (allow userhelper_type sysfs_t (filesystem (getattr)))
|
||
+ (allow userhelper_type sysfs_t (dir (getattr open search)))
|
||
+ (allow userhelper_type sysfs_t (dir (getattr open search)))
|
||
+ (allow userhelper_type security_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type security_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow userhelper_type security_t (file (ioctl read write getattr lock append map open)))
|
||
+ (allow userhelper_type security_t (security (check_context)))
|
||
+ (allow userhelper_type sysfs_t (filesystem (getattr)))
|
||
+ (allow userhelper_type sysfs_t (dir (getattr open search)))
|
||
+ (allow userhelper_type sysfs_t (dir (getattr open search)))
|
||
+ (allow userhelper_type security_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type security_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow userhelper_type security_t (file (ioctl read write getattr lock append open)))
|
||
+ (allow userhelper_type security_t (security (compute_av)))
|
||
+ (allow userhelper_type sysfs_t (filesystem (getattr)))
|
||
+ (allow userhelper_type sysfs_t (dir (getattr open search)))
|
||
+ (allow userhelper_type sysfs_t (dir (getattr open search)))
|
||
+ (allow userhelper_type security_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type security_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow userhelper_type security_t (file (ioctl read write getattr lock append open)))
|
||
+ (allow userhelper_type security_t (security (compute_create)))
|
||
+ (allow userhelper_type sysfs_t (filesystem (getattr)))
|
||
+ (allow userhelper_type sysfs_t (dir (getattr open search)))
|
||
+ (allow userhelper_type sysfs_t (dir (getattr open search)))
|
||
+ (allow userhelper_type security_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type security_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow userhelper_type security_t (file (ioctl read write getattr lock append open)))
|
||
+ (allow userhelper_type security_t (security (compute_relabel)))
|
||
+ (allow userhelper_type sysfs_t (filesystem (getattr)))
|
||
+ (allow userhelper_type sysfs_t (dir (getattr open search)))
|
||
+ (allow userhelper_type sysfs_t (dir (getattr open search)))
|
||
+ (allow userhelper_type security_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type security_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow userhelper_type security_t (file (ioctl read write getattr lock append open)))
|
||
+ (allow userhelper_type security_t (security (compute_user)))
|
||
+ (allow userhelper_type device_t (dir (getattr open search)))
|
||
+ (allow userhelper_type device_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow userhelper_type device_t (dir (getattr open search)))
|
||
+ (allow userhelper_type device_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type devpts_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow userhelper_type device_t (dir (getattr open search)))
|
||
+ (allow userhelper_type device_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow userhelper_type device_t (dir (getattr open search)))
|
||
+ (allow userhelper_type device_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type ttynode (chr_file (getattr relabelfrom relabelto)))
|
||
+ (allow userhelper_type device_t (dir (getattr open search)))
|
||
+ (allow userhelper_type device_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow userhelper_type device_t (dir (getattr open search)))
|
||
+ (allow userhelper_type device_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type devpts_t (dir (getattr open search)))
|
||
+ (allow userhelper_type devpts_t (chr_file (getattr relabelfrom relabelto)))
|
||
+ (allow userhelper_type ptynode (chr_file (getattr relabelfrom relabelto)))
|
||
+ (allow userhelper_type device_t (dir (getattr open search)))
|
||
+ (allow userhelper_type device_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow userhelper_type device_t (dir (getattr open search)))
|
||
+ (allow userhelper_type device_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type ttynode (chr_file (ioctl read write getattr lock append open)))
|
||
+ (allow userhelper_type device_t (dir (getattr open search)))
|
||
+ (allow userhelper_type device_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow userhelper_type device_t (dir (getattr open search)))
|
||
+ (allow userhelper_type device_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type devpts_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow userhelper_type ptynode (chr_file (ioctl read write getattr lock append open)))
|
||
+ (allow userhelper_type auth_cache_t (dir (getattr open search)))
|
||
+ (allow userhelper_type bin_t (dir (getattr open search)))
|
||
+ (allow userhelper_type bin_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type bin_t (dir (getattr open search)))
|
||
+ (allow userhelper_type bin_t (dir (getattr open search)))
|
||
+ (allow userhelper_type chkpwd_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow userhelper_type chkpwd_t (process (transition)))
|
||
+ (typetransition userhelper_type chkpwd_exec_t process chkpwd_t)
|
||
+ (allow chkpwd_t userhelper_type (fd (use)))
|
||
+ (allow chkpwd_t userhelper_type (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow chkpwd_t userhelper_type (process (sigchld)))
|
||
+ (allow userhelper_type chkpwd_exec_t (file (map)))
|
||
+ (dontaudit userhelper_type shadow_t (file (ioctl read getattr lock open)))
|
||
+ (allow userhelper_type device_t (dir (getattr open search)))
|
||
+ (allow userhelper_type random_device_t (chr_file (ioctl read getattr lock open)))
|
||
+ (allow userhelper_type device_t (dir (getattr open search)))
|
||
+ (allow userhelper_type urandom_device_t (chr_file (ioctl read getattr lock open)))
|
||
+ (allow userhelper_type var_t (dir (getattr open search)))
|
||
+ (allow userhelper_type var_log_t (dir (getattr open search)))
|
||
+ (allow userhelper_type faillog_t (dir (getattr open search)))
|
||
+ (allow userhelper_type faillog_t (file (ioctl read write getattr lock append open)))
|
||
+ (allow userhelper_type self (capability (audit_write)))
|
||
+ (allow userhelper_type self (netlink_audit_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read nlmsg_relay nlmsg_tty_audit)))
|
||
+ (allow userhelper_type cert_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow userhelper_type cert_t (dir (getattr open search)))
|
||
+ (allow userhelper_type cert_t (file (ioctl read getattr lock open)))
|
||
+ (allow userhelper_type cert_t (dir (getattr open search)))
|
||
+ (allow userhelper_type cert_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type updpwd_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow userhelper_type updpwd_t (process (transition)))
|
||
+ (typetransition userhelper_type updpwd_exec_t process updpwd_t)
|
||
+ (allow updpwd_t userhelper_type (fd (use)))
|
||
+ (allow updpwd_t userhelper_type (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow updpwd_t userhelper_type (process (sigchld)))
|
||
+ (dontaudit userhelper_type shadow_t (file (ioctl read getattr lock open)))
|
||
+ (allow userhelper_type var_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type var_run_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type var_t (dir (getattr open search)))
|
||
+ (allow userhelper_type var_run_t (dir (getattr open search)))
|
||
+ (allow userhelper_type pam_var_run_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow userhelper_type pam_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow userhelper_type var_t (dir (getattr open search)))
|
||
+ (allow userhelper_type var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow userhelper_type var_t (dir (getattr open search)))
|
||
+ (allow userhelper_type var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow userhelper_type var_t (dir (getattr open search)))
|
||
+ (allow userhelper_type var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow userhelper_type var_t (dir (getattr open search)))
|
||
+ (allow userhelper_type var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow userhelper_type var_t (dir (getattr open search)))
|
||
+ (allow userhelper_type var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow userhelper_type var_t (dir (getattr open search)))
|
||
+ (allow userhelper_type var_auth_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow userhelper_type var_auth_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow userhelper_type var_auth_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow userhelper_type var_auth_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow userhelper_type var_auth_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow userhelper_type var_auth_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads)))
|
||
+ (allow userhelper_type var_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type var_run_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type var_t (dir (getattr open search)))
|
||
+ (allow userhelper_type var_run_t (dir (getattr open search)))
|
||
+ (allow userhelper_type pam_var_console_t (dir (getattr open search)))
|
||
+ (allow userhelper_type init_t (fd (use)))
|
||
+ (allow userhelper_type var_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type var_run_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type var_t (dir (getattr open search)))
|
||
+ (allow userhelper_type var_run_t (dir (getattr open search)))
|
||
+ (allow userhelper_type initrc_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow userhelper_type var_t (dir (getattr open search)))
|
||
+ (allow userhelper_type var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow userhelper_type etc_t (dir (getattr open search)))
|
||
+ (allow userhelper_type selinux_config_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow userhelper_type selinux_config_t (dir (getattr open search)))
|
||
+ (allow userhelper_type selinux_config_t (file (ioctl read getattr lock open)))
|
||
+ (allow userhelper_type selinux_config_t (dir (getattr open search)))
|
||
+ (allow userhelper_type selinux_config_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type etc_t (dir (getattr open search)))
|
||
+ (allow userhelper_type selinux_config_t (dir (getattr open search)))
|
||
+ (allow userhelper_type default_context_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow userhelper_type default_context_t (dir (getattr open search)))
|
||
+ (allow userhelper_type default_context_t (file (ioctl read getattr lock open)))
|
||
+ (allow userhelper_type bin_t (dir (getattr open search)))
|
||
+ (allow userhelper_type bin_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type bin_t (file (ioctl read getattr map execute open)))
|
||
+ (allow userhelper_type unpriv_userdomain (process (transition)))
|
||
+ (allow userhelper_type usr_t (dir (getattr open search)))
|
||
+ (allow userhelper_type usr_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type usr_t (file (ioctl read getattr map execute open)))
|
||
+ (allow userhelper_type unpriv_userdomain (process (transition)))
|
||
+ (allow unpriv_userdomain userhelper_type (fd (use)))
|
||
+ (allow unpriv_userdomain userhelper_type (fifo_file (ioctl read write getattr lock append open)))
|
||
+ (allow unpriv_userdomain userhelper_type (process (sigchld)))
|
||
+ (allow userhelper_type entry_type (file (ioctl read getattr map execute open)))
|
||
+ (allow userhelper_type unpriv_userdomain (process (transition)))
|
||
+ (allow unpriv_userdomain userhelper_type (fd (use)))
|
||
+ (allow unpriv_userdomain userhelper_type (fifo_file (ioctl read write getattr lock append open)))
|
||
+ (allow unpriv_userdomain userhelper_type (process (sigchld)))
|
||
+ (typetransition userhelper_type var_run_t file "utmp" initrc_var_run_t)
|
||
+ (typetransition userhelper_type var_run_t dir "sudo" pam_var_run_t)
|
||
+ (typetransition userhelper_type var_run_t dir "sepermit" pam_var_run_t)
|
||
+ (typetransition userhelper_type var_run_t dir "pam_timestamp" pam_var_run_t)
|
||
+ (typetransition userhelper_type var_run_t dir "pam_ssh" pam_var_run_t)
|
||
+ (typetransition userhelper_type var_run_t dir "pam_mount" pam_var_run_t)
|
||
+ (optional confinedom_security_advanced_optional_5
|
||
+ (typeattributeset cil_gen_require etc_t)
|
||
+ (typeattributeset cil_gen_require krb5_keytab_t)
|
||
+ (allow userhelper_type etc_t (dir (getattr open search)))
|
||
+ (allow userhelper_type krb5_keytab_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow userhelper_type krb5_keytab_t (file (ioctl read getattr lock open)))
|
||
+ )
|
||
+ (optional confinedom_security_advanced_optional_6
|
||
+ (typeattributeset cil_gen_require var_t)
|
||
+ (typeattributeset cil_gen_require pcscd_var_run_t)
|
||
+ (typeattributeset cil_gen_require var_run_t)
|
||
+ (typeattributeset cil_gen_require pcscd_t)
|
||
+ (allow userhelper_type var_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type var_run_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type var_t (dir (getattr open search)))
|
||
+ (allow userhelper_type var_run_t (dir (getattr open search)))
|
||
+ (allow userhelper_type pcscd_var_run_t (dir (getattr open search)))
|
||
+ (allow userhelper_type pcscd_var_run_t (file (ioctl read getattr lock open)))
|
||
+ (allow userhelper_type var_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type var_run_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type var_t (dir (getattr open search)))
|
||
+ (allow userhelper_type var_run_t (dir (getattr open search)))
|
||
+ (allow userhelper_type pcscd_var_run_t (dir (getattr open search)))
|
||
+ (allow userhelper_type pcscd_var_run_t (sock_file (write getattr append open)))
|
||
+ (allow userhelper_type pcscd_t (unix_stream_socket (connectto)))
|
||
+ )
|
||
+ (optional confinedom_security_advanced_optional_7
|
||
+ (typeattributeset cil_gen_require var_t)
|
||
+ (typeattributeset cil_gen_require etc_t)
|
||
+ (typeattributeset cil_gen_require var_run_t)
|
||
+ (typeattributeset cil_gen_require samba_var_t)
|
||
+ (typeattributeset cil_gen_require winbind_t)
|
||
+ (typeattributeset cil_gen_require winbind_var_run_t)
|
||
+ (typeattributeset cil_gen_require smbd_var_run_t)
|
||
+ (typeattributeset cil_gen_require samba_etc_t)
|
||
+ (allow userhelper_type var_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type var_run_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type var_t (dir (getattr open search)))
|
||
+ (allow userhelper_type var_run_t (dir (getattr open search)))
|
||
+ (allow userhelper_type smbd_var_run_t (dir (getattr open search)))
|
||
+ (allow userhelper_type samba_var_t (dir (getattr open search)))
|
||
+ (allow userhelper_type winbind_var_run_t (dir (getattr open search)))
|
||
+ (allow userhelper_type winbind_var_run_t (sock_file (write getattr append open)))
|
||
+ (allow userhelper_type winbind_t (unix_stream_socket (connectto)))
|
||
+ (allow userhelper_type etc_t (dir (getattr open search)))
|
||
+ (allow userhelper_type samba_etc_t (dir (getattr open search)))
|
||
+ (allow userhelper_type samba_etc_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow userhelper_type samba_etc_t (dir (getattr open search)))
|
||
+ (allow userhelper_type samba_etc_t (file (ioctl read getattr lock open)))
|
||
+ )
|
||
+ (optional confinedom_security_advanced_optional_8
|
||
+ (typeattributeset cil_gen_require bin_t)
|
||
+ (typeattributeset cil_gen_require rpm_t)
|
||
+ (typeattributeset cil_gen_require rpm_exec_t)
|
||
+ (typeattributeset cil_gen_require rpm_transition_domain)
|
||
+ (typeattributeset cil_gen_require debuginfo_exec_t)
|
||
+ (typeattributeset cil_gen_require rpm_transition_domain)
|
||
+ (typeattributeset rpm_transition_domain (userhelper_type ))
|
||
+ (allow userhelper_type bin_t (dir (getattr open search)))
|
||
+ (allow userhelper_type bin_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type bin_t (dir (getattr open search)))
|
||
+ (allow userhelper_type bin_t (dir (getattr open search)))
|
||
+ (allow userhelper_type rpm_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow userhelper_type rpm_t (process (transition)))
|
||
+ (typetransition userhelper_type rpm_exec_t process rpm_t)
|
||
+ (allow rpm_t userhelper_type (fd (use)))
|
||
+ (allow rpm_t userhelper_type (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow rpm_t userhelper_type (process (sigchld)))
|
||
+ (allow userhelper_type bin_t (dir (getattr open search)))
|
||
+ (allow userhelper_type bin_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type bin_t (dir (getattr open search)))
|
||
+ (allow userhelper_type bin_t (dir (getattr open search)))
|
||
+ (allow userhelper_type debuginfo_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow userhelper_type rpm_t (process (transition)))
|
||
+ (typetransition userhelper_type debuginfo_exec_t process rpm_t)
|
||
+ (allow rpm_t userhelper_type (fd (use)))
|
||
+ (allow rpm_t userhelper_type (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow rpm_t userhelper_type (process (sigchld)))
|
||
+ (allow userhelper_type debuginfo_exec_t (dir (getattr open search)))
|
||
+ (allow userhelper_type debuginfo_exec_t (lnk_file (read getattr)))
|
||
+ )
|
||
+ (optional confinedom_security_advanced_optional_9
|
||
+ (typeattributeset cil_gen_require usr_t)
|
||
+ (typeattributeset cil_gen_require bin_t)
|
||
+ (typeattributeset cil_gen_require entry_type)
|
||
+ (typeattributeset cil_gen_require sysadm_t)
|
||
+ (booleanif (secure_mode)
|
||
+ (false
|
||
+ (allow sysadm_t userhelper_type (process (sigchld)))
|
||
+ (allow sysadm_t userhelper_type (fifo_file (ioctl read write getattr lock append open)))
|
||
+ (allow sysadm_t userhelper_type (fd (use)))
|
||
+ (allow userhelper_type sysadm_t (process (transition)))
|
||
+ (allow userhelper_type entry_type (file (ioctl read getattr map execute open)))
|
||
+ (allow sysadm_t userhelper_type (process (sigchld)))
|
||
+ (allow sysadm_t userhelper_type (fifo_file (ioctl read write getattr lock append open)))
|
||
+ (allow sysadm_t userhelper_type (fd (use)))
|
||
+ (allow userhelper_type sysadm_t (process (transition)))
|
||
+ (allow userhelper_type usr_t (file (ioctl read getattr map execute open)))
|
||
+ (allow userhelper_type usr_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type usr_t (dir (getattr open search)))
|
||
+ (allow userhelper_type sysadm_t (process (transition)))
|
||
+ (allow userhelper_type bin_t (file (ioctl read getattr map execute open)))
|
||
+ (allow userhelper_type bin_t (lnk_file (read getattr)))
|
||
+ (allow userhelper_type bin_t (dir (getattr open search)))
|
||
+ )
|
||
+ )
|
||
+ )
|
||
+ )
|
||
+ )
|
||
+)
|
||
+
|
||
+(macro confinedom_security_basic_macro ((type utype) (role urole))
|
||
+ (optional confinedom_security_basic_optional_2
|
||
+ (typeattributeset cil_gen_require utype)
|
||
+ (typeattributeset cil_gen_require security_t)
|
||
+ (typeattributeset cil_gen_require can_load_policy)
|
||
+ (typeattributeset cil_gen_require sysfs_t)
|
||
+ (typeattributeset cil_gen_require can_load_policy)
|
||
+ (typeattributeset can_load_policy (utype ))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype security_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype security_t (file (ioctl read write getattr lock append open)))
|
||
+ (allow utype security_t (lnk_file (read getattr)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype security_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype security_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype security_t (lnk_file (read getattr)))
|
||
+ (allow utype security_t (security (read_policy)))
|
||
+ )
|
||
+)
|
||
+
|
||
+(macro confinedom_sudo_macro ((type utype) (role urole) (type sudo_type) (type sudo_tmp_type))
|
||
+ (optional confinedom_sudo_optional
|
||
+ ;(type sudo_type)
|
||
+ (roletype object_r sudo_type)
|
||
+ ;(type sudo_tmp_type)
|
||
+ (roletype object_r sudo_tmp_type)
|
||
+ (roleattributeset cil_gen_require urole)
|
||
+ (typeattributeset cil_gen_require utype)
|
||
+ (typeattributeset cil_gen_require sudo_type)
|
||
+ (typeattributeset cil_gen_require kernel_t)
|
||
+ (typeattributeset cil_gen_require sudo_exec_t)
|
||
+ (typeattributeset cil_gen_require sudo_db_t)
|
||
+ (typeattributeset cil_gen_require sudodomain)
|
||
+ (typeattributeset cil_gen_require application_domain_type)
|
||
+ (typeattributeset cil_gen_require domain)
|
||
+ (typeattributeset cil_gen_require corenet_unlabeled_type)
|
||
+ (typeattributeset cil_gen_require application_exec_type)
|
||
+ (typeattributeset cil_gen_require exec_type)
|
||
+ (typeattributeset cil_gen_require file_type)
|
||
+ (typeattributeset cil_gen_require non_security_file_type)
|
||
+ (typeattributeset cil_gen_require non_auth_file_type)
|
||
+ (typeattributeset cil_gen_require entry_type)
|
||
+ (typeattributeset cil_gen_require ubac_constrained_type)
|
||
+ (typeattributeset cil_gen_require privfd)
|
||
+ (typeattributeset cil_gen_require can_change_process_role)
|
||
+ (typeattributeset cil_gen_require userdom_home_manager_type)
|
||
+ (typeattributeset cil_gen_require tmpfile)
|
||
+ (typeattributeset cil_gen_require tmp_t)
|
||
+ (typeattributeset cil_gen_require polymember)
|
||
+ (typeattributeset cil_gen_require shell_exec_t)
|
||
+ (typeattributeset cil_gen_require bin_t)
|
||
+ (typeattributeset cil_gen_require usr_t)
|
||
+ (typeattributeset cil_gen_require user_home_t)
|
||
+ (typeattributeset cil_gen_require user_tmp_t)
|
||
+ (typeattributeset cil_gen_require tmpfs_t)
|
||
+ (typeattributeset cil_gen_require kernel_system_state_reader)
|
||
+ (typeattributeset cil_gen_require security_t)
|
||
+ (typeattributeset cil_gen_require sysfs_t)
|
||
+ (typeattributeset cil_gen_require selinux_config_t)
|
||
+ (typeattributeset cil_gen_require etc_t)
|
||
+ (typeattributeset cil_gen_require chkpwd_t)
|
||
+ (typeattributeset cil_gen_require chkpwd_exec_t)
|
||
+ (typeattributeset cil_gen_require shadow_t)
|
||
+ (typeattributeset cil_gen_require auth_cache_t)
|
||
+ (typeattributeset cil_gen_require device_t)
|
||
+ (typeattributeset cil_gen_require random_device_t)
|
||
+ (typeattributeset cil_gen_require urandom_device_t)
|
||
+ (typeattributeset cil_gen_require nsswitch_domain)
|
||
+ (typeattributeset cil_gen_require netlabel_peer_type)
|
||
+ (typeattributeset cil_gen_require faillog_t)
|
||
+ (typeattributeset cil_gen_require var_log_t)
|
||
+ (typeattributeset cil_gen_require var_t)
|
||
+ (typeattributeset cil_gen_require cert_t)
|
||
+ (typeattributeset cil_gen_require updpwd_t)
|
||
+ (typeattributeset cil_gen_require updpwd_exec_t)
|
||
+ (typeattributeset cil_gen_require syslog_client_type)
|
||
+ (typeattributeset cil_gen_require syslogd_var_run_t)
|
||
+ (typeattributeset cil_gen_require devpts_t)
|
||
+ (typeattributeset cil_gen_require sshd_devpts_t)
|
||
+ (typeattributeset cil_gen_require systemd_unit_file_type)
|
||
+ (typeattributeset cil_gen_require init_script_file_type)
|
||
+ (roleattributeset cil_gen_require urole)
|
||
+ (roletype urole sudo_type)
|
||
+ (roletype urole chkpwd_t)
|
||
+ (roletype urole updpwd_t)
|
||
+ (typeattributeset cil_gen_require netlabel_peer_type)
|
||
+ (typeattributeset netlabel_peer_type (sudo_type ))
|
||
+ (typeattributeset cil_gen_require corenet_unlabeled_type)
|
||
+ (typeattributeset corenet_unlabeled_type (sudo_type ))
|
||
+ (typeattributeset cil_gen_require privfd)
|
||
+ (typeattributeset privfd (sudo_type ))
|
||
+ (typeattributeset cil_gen_require syslog_client_type)
|
||
+ (typeattributeset syslog_client_type (sudo_type ))
|
||
+ (typeattributeset cil_gen_require file_type)
|
||
+ (typeattributeset file_type (sudo_exec_t sudo_tmp_type ))
|
||
+ (typeattributeset cil_gen_require tmpfile)
|
||
+ (typeattributeset tmpfile (sudo_tmp_type ))
|
||
+ (typeattributeset cil_gen_require non_security_file_type)
|
||
+ (typeattributeset non_security_file_type (sudo_exec_t sudo_tmp_type ))
|
||
+ (typeattributeset cil_gen_require exec_type)
|
||
+ (typeattributeset exec_type (sudo_exec_t ))
|
||
+ (typeattributeset cil_gen_require application_domain_type)
|
||
+ (typeattributeset application_domain_type (sudo_type ))
|
||
+ (typeattributeset cil_gen_require polymember)
|
||
+ (typeattributeset polymember (sudo_tmp_type ))
|
||
+ (typeattributeset cil_gen_require userdom_home_manager_type)
|
||
+ (typeattributeset userdom_home_manager_type (sudo_type ))
|
||
+ (typeattributeset cil_gen_require ubac_constrained_type)
|
||
+ (typeattributeset ubac_constrained_type (sudo_type ))
|
||
+ (typeattributeset cil_gen_require kernel_system_state_reader)
|
||
+ (typeattributeset kernel_system_state_reader (sudo_type ))
|
||
+ (typeattributeset cil_gen_require can_change_process_role)
|
||
+ (typeattributeset can_change_process_role (sudo_type ))
|
||
+ (typeattributeset cil_gen_require application_exec_type)
|
||
+ (typeattributeset application_exec_type (sudo_exec_t ))
|
||
+ (typeattributeset cil_gen_require nsswitch_domain)
|
||
+ (typeattributeset nsswitch_domain (sudo_type ))
|
||
+ (typeattributeset cil_gen_require entry_type)
|
||
+ (typeattributeset entry_type (sudo_exec_t ))
|
||
+ (typeattributeset cil_gen_require non_auth_file_type)
|
||
+ (typeattributeset non_auth_file_type (sudo_exec_t sudo_tmp_type ))
|
||
+ (typeattributeset cil_gen_require sudodomain)
|
||
+ (typeattributeset sudodomain (sudo_type ))
|
||
+ (typeattributeset cil_gen_require domain)
|
||
+ (typeattributeset domain (sudo_type ))
|
||
+ (allow sudo_type kernel_t (system (module_request)))
|
||
+ (allow sudo_type sudo_exec_t (file (entrypoint)))
|
||
+ (allow sudo_type sudo_exec_t (file (ioctl read getattr lock map execute open)))
|
||
+ (allow sudo_type sudo_tmp_type (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow sudo_type tmp_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (typetransition sudo_type tmp_t file sudo_tmp_type)
|
||
+ (allow sudo_type utype (dir (getattr open search)))
|
||
+ (allow sudo_type utype (file (ioctl read getattr lock open)))
|
||
+ (allow sudo_type utype (key (search)))
|
||
+ (allow sudo_type utype (unix_stream_socket (read write connectto)))
|
||
+ (allow utype sudo_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow utype sudo_type (process (transition)))
|
||
+ (typetransition utype sudo_exec_t process sudo_type)
|
||
+ (allow sudo_type utype (fd (use)))
|
||
+ (allow sudo_type utype (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow sudo_type utype (process (sigchld)))
|
||
+ (allow sudo_type bin_t (dir (getattr open search)))
|
||
+ (allow sudo_type bin_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow sudo_type bin_t (dir (getattr open search)))
|
||
+ (allow sudo_type bin_t (lnk_file (read getattr)))
|
||
+ (allow sudo_type shell_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow sudo_type utype (process (transition)))
|
||
+ (typetransition sudo_type shell_exec_t process utype)
|
||
+ (allow sudo_type bin_t (dir (getattr open search)))
|
||
+ (allow sudo_type bin_t (lnk_file (read getattr)))
|
||
+ (allow sudo_type bin_t (file (ioctl read getattr map execute open)))
|
||
+ (allow sudo_type utype (process (transition)))
|
||
+ (allow sudo_type usr_t (dir (getattr open search)))
|
||
+ (allow sudo_type usr_t (lnk_file (read getattr)))
|
||
+ (allow sudo_type usr_t (file (ioctl read getattr map execute open)))
|
||
+ (allow sudo_type utype (process (transition)))
|
||
+ (typetransition sudo_type bin_t process utype)
|
||
+ (typetransition sudo_type usr_t process utype)
|
||
+ (allow sudo_type user_home_t (dir (getattr open search)))
|
||
+ (allow sudo_type user_home_t (lnk_file (read getattr)))
|
||
+ (allow sudo_type user_home_t (file (ioctl read getattr map execute open)))
|
||
+ (allow sudo_type utype (process (transition)))
|
||
+ (typetransition sudo_type user_home_t process utype)
|
||
+ (allow sudo_type tmpfs_t (dir (getattr open search)))
|
||
+ (allow sudo_type tmp_t (dir (getattr open search)))
|
||
+ (allow sudo_type tmp_t (lnk_file (read getattr)))
|
||
+ (allow sudo_type tmp_t (dir (getattr open search)))
|
||
+ (allow sudo_type user_tmp_t (dir (getattr open search)))
|
||
+ (allow sudo_type user_tmp_t (lnk_file (read getattr)))
|
||
+ (allow sudo_type user_tmp_t (file (ioctl read getattr map execute open)))
|
||
+ (allow sudo_type utype (process (transition)))
|
||
+ (typetransition sudo_type user_tmp_t process utype)
|
||
+ (allow utype sudo_exec_t (file (entrypoint)))
|
||
+ (allow utype sudo_exec_t (file (ioctl read getattr lock map execute open)))
|
||
+ (allow sudo_type sudo_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow sudo_type utype (process (transition)))
|
||
+ (typetransition sudo_type sudo_exec_t process utype)
|
||
+ (allow utype sudo_type (fd (use)))
|
||
+ (allow utype sudo_type (fifo_file (ioctl read write getattr lock append open)))
|
||
+ (allow utype sudo_type (process (sigchld sigkill sigstop signull signal)))
|
||
+ (allow sudo_type security_t (lnk_file (read getattr)))
|
||
+ (allow sudo_type sysfs_t (filesystem (getattr)))
|
||
+ (allow sudo_type sysfs_t (dir (getattr open search)))
|
||
+ (allow sudo_type sysfs_t (dir (getattr open search)))
|
||
+ (allow sudo_type security_t (filesystem (getattr)))
|
||
+ (allow sudo_type etc_t (dir (getattr open search)))
|
||
+ (allow sudo_type selinux_config_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow sudo_type selinux_config_t (dir (getattr open search)))
|
||
+ (allow sudo_type selinux_config_t (file (ioctl read getattr lock open)))
|
||
+ (allow sudo_type selinux_config_t (dir (getattr open search)))
|
||
+ (allow sudo_type selinux_config_t (lnk_file (read getattr)))
|
||
+ (allow sudo_type auth_cache_t (dir (getattr open search)))
|
||
+ (allow sudo_type bin_t (dir (getattr open search)))
|
||
+ (allow sudo_type bin_t (lnk_file (read getattr)))
|
||
+ (allow sudo_type bin_t (dir (getattr open search)))
|
||
+ (allow sudo_type bin_t (dir (getattr open search)))
|
||
+ (allow sudo_type chkpwd_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow sudo_type chkpwd_t (process (transition)))
|
||
+ (typetransition sudo_type chkpwd_exec_t process chkpwd_t)
|
||
+ (allow chkpwd_t sudo_type (fd (use)))
|
||
+ (allow chkpwd_t sudo_type (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow chkpwd_t sudo_type (process (sigchld)))
|
||
+ (allow sudo_type chkpwd_exec_t (file (map)))
|
||
+ (dontaudit sudo_type shadow_t (file (ioctl read getattr lock open)))
|
||
+ (allow sudo_type device_t (dir (getattr open search)))
|
||
+ (allow sudo_type random_device_t (chr_file (ioctl read getattr lock open)))
|
||
+ (allow sudo_type device_t (dir (getattr open search)))
|
||
+ (allow sudo_type urandom_device_t (chr_file (ioctl read getattr lock open)))
|
||
+ (allow sudo_type var_t (dir (getattr open search)))
|
||
+ (allow sudo_type var_log_t (dir (getattr open search)))
|
||
+ (allow sudo_type faillog_t (dir (getattr open search)))
|
||
+ (allow sudo_type faillog_t (file (ioctl read write getattr lock append open)))
|
||
+ (allow sudo_type self (capability (audit_write)))
|
||
+ (allow sudo_type self (netlink_audit_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read nlmsg_relay nlmsg_tty_audit)))
|
||
+ (allow sudo_type cert_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow sudo_type cert_t (dir (getattr open search)))
|
||
+ (allow sudo_type cert_t (file (ioctl read getattr lock open)))
|
||
+ (allow sudo_type cert_t (dir (getattr open search)))
|
||
+ (allow sudo_type cert_t (lnk_file (read getattr)))
|
||
+ (allow sudo_type updpwd_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow sudo_type updpwd_t (process (transition)))
|
||
+ (typetransition sudo_type updpwd_exec_t process updpwd_t)
|
||
+ (allow updpwd_t sudo_type (fd (use)))
|
||
+ (allow updpwd_t sudo_type (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow updpwd_t sudo_type (process (sigchld)))
|
||
+ (dontaudit sudo_type shadow_t (file (ioctl read getattr lock open)))
|
||
+ (allow sudo_type updpwd_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow sudo_type updpwd_t (process (transition)))
|
||
+ (typetransition sudo_type updpwd_exec_t process updpwd_t)
|
||
+ (allow updpwd_t sudo_type (fd (use)))
|
||
+ (allow updpwd_t sudo_type (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow updpwd_t sudo_type (process (sigchld)))
|
||
+ (dontaudit sudo_type shadow_t (file (ioctl read getattr lock open)))
|
||
+ (allow sudo_type syslogd_var_run_t (dir (getattr open search)))
|
||
+ (allow sudo_type syslogd_var_run_t (file (ioctl read getattr lock open map)))
|
||
+ (allow sudo_type syslogd_var_run_t (dir (getattr open search)))
|
||
+ (allow sudo_type syslogd_var_run_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow sudo_type device_t (dir (getattr open search)))
|
||
+ (allow sudo_type device_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow sudo_type device_t (dir (getattr open search)))
|
||
+ (allow sudo_type device_t (lnk_file (read getattr)))
|
||
+ (allow sudo_type devpts_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow sudo_type devpts_t (chr_file (ioctl read write getattr lock append open)))
|
||
+ (allow sudo_type devpts_t (chr_file (setattr)))
|
||
+ (allow sudo_type sshd_devpts_t (chr_file (ioctl read write getattr lock append)))
|
||
+ (allow sudo_type systemd_unit_file_type (service (start stop status reload enable disable)))
|
||
+ (allow sudo_type init_script_file_type (service (start stop status reload enable disable)))
|
||
+ (optional confinedom_sudo_optional_3
|
||
+ (typeattributeset cil_gen_require etc_t)
|
||
+ (typeattributeset cil_gen_require krb5_keytab_t)
|
||
+ (allow sudo_type etc_t (dir (getattr open search)))
|
||
+ (allow sudo_type krb5_keytab_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow sudo_type krb5_keytab_t (file (ioctl read getattr lock open)))
|
||
+ )
|
||
+ (optional confinedom_sudo_optional_4
|
||
+ (typeattributeset cil_gen_require var_t)
|
||
+ (typeattributeset cil_gen_require pcscd_var_run_t)
|
||
+ (typeattributeset cil_gen_require var_run_t)
|
||
+ (typeattributeset cil_gen_require pcscd_t)
|
||
+ (allow sudo_type var_t (lnk_file (read getattr)))
|
||
+ (allow sudo_type var_run_t (lnk_file (read getattr)))
|
||
+ (allow sudo_type var_t (dir (getattr open search)))
|
||
+ (allow sudo_type var_run_t (dir (getattr open search)))
|
||
+ (allow sudo_type pcscd_var_run_t (dir (getattr open search)))
|
||
+ (allow sudo_type pcscd_var_run_t (file (ioctl read getattr lock open)))
|
||
+ (allow sudo_type var_t (lnk_file (read getattr)))
|
||
+ (allow sudo_type var_run_t (lnk_file (read getattr)))
|
||
+ (allow sudo_type var_t (dir (getattr open search)))
|
||
+ (allow sudo_type var_run_t (dir (getattr open search)))
|
||
+ (allow sudo_type pcscd_var_run_t (dir (getattr open search)))
|
||
+ (allow sudo_type pcscd_var_run_t (sock_file (write getattr append open)))
|
||
+ (allow sudo_type pcscd_t (unix_stream_socket (connectto)))
|
||
+ )
|
||
+ (optional confinedom_sudo_optional_5
|
||
+ (typeattributeset cil_gen_require etc_t)
|
||
+ (typeattributeset cil_gen_require var_t)
|
||
+ (typeattributeset cil_gen_require var_run_t)
|
||
+ (typeattributeset cil_gen_require samba_var_t)
|
||
+ (typeattributeset cil_gen_require winbind_t)
|
||
+ (typeattributeset cil_gen_require winbind_var_run_t)
|
||
+ (typeattributeset cil_gen_require smbd_var_run_t)
|
||
+ (typeattributeset cil_gen_require samba_etc_t)
|
||
+ (allow sudo_type var_t (lnk_file (read getattr)))
|
||
+ (allow sudo_type var_run_t (lnk_file (read getattr)))
|
||
+ (allow sudo_type var_t (dir (getattr open search)))
|
||
+ (allow sudo_type var_run_t (dir (getattr open search)))
|
||
+ (allow sudo_type smbd_var_run_t (dir (getattr open search)))
|
||
+ (allow sudo_type samba_var_t (dir (getattr open search)))
|
||
+ (allow sudo_type winbind_var_run_t (dir (getattr open search)))
|
||
+ (allow sudo_type winbind_var_run_t (sock_file (write getattr append open)))
|
||
+ (allow sudo_type winbind_t (unix_stream_socket (connectto)))
|
||
+ (allow sudo_type etc_t (dir (getattr open search)))
|
||
+ (allow sudo_type samba_etc_t (dir (getattr open search)))
|
||
+ (allow sudo_type samba_etc_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow sudo_type samba_etc_t (dir (getattr open search)))
|
||
+ (allow sudo_type samba_etc_t (file (ioctl read getattr lock open)))
|
||
+ )
|
||
+ (optional confinedom_sudo_optional_6
|
||
+ (typeattributeset cil_gen_require mta_user_agent)
|
||
+ (typeattributeset cil_gen_require user_mail_t)
|
||
+ (typeattributeset cil_gen_require sendmail_exec_t)
|
||
+ (roleattributeset cil_gen_require urole)
|
||
+ (roletype urole mta_user_agent)
|
||
+ (roletype urole user_mail_t)
|
||
+ (allow sudo_type sendmail_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow sudo_type user_mail_t (process (transition)))
|
||
+ (typetransition sudo_type sendmail_exec_t process user_mail_t)
|
||
+ (allow user_mail_t sudo_type (fd (use)))
|
||
+ (allow user_mail_t sudo_type (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow user_mail_t sudo_type (process (sigchld)))
|
||
+ (allow sudo_type sendmail_exec_t (lnk_file (read getattr)))
|
||
+ (allow mta_user_agent sudo_type (fd (use)))
|
||
+ (allow mta_user_agent sudo_type (process (sigchld)))
|
||
+ (allow mta_user_agent sudo_type (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow sudo_type user_mail_t (process (signal)))
|
||
+ (optional confinedom_sudo_optional_7
|
||
+ (typeattributeset cil_gen_require bin_t)
|
||
+ (typeattributeset cil_gen_require exim_t)
|
||
+ (typeattributeset cil_gen_require exim_exec_t)
|
||
+ (roleattributeset cil_gen_require urole)
|
||
+ (roletype urole exim_t)
|
||
+ (allow sudo_type bin_t (dir (getattr open search)))
|
||
+ (allow sudo_type bin_t (lnk_file (read getattr)))
|
||
+ (allow sudo_type bin_t (dir (getattr open search)))
|
||
+ (allow sudo_type bin_t (dir (getattr open search)))
|
||
+ (allow sudo_type exim_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow sudo_type exim_t (process (transition)))
|
||
+ (typetransition sudo_type exim_exec_t process exim_t)
|
||
+ (allow exim_t sudo_type (fd (use)))
|
||
+ (allow exim_t sudo_type (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow exim_t sudo_type (process (sigchld)))
|
||
+ )
|
||
+ (optional confinedom_sudo_optional_8
|
||
+ (typeattributeset cil_gen_require mailman_mail_t)
|
||
+ (typeattributeset cil_gen_require mailman_mail_exec_t)
|
||
+ (roleattributeset cil_gen_require urole)
|
||
+ (roletype urole mailman_mail_t)
|
||
+ (allow mta_user_agent mailman_mail_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow mta_user_agent mailman_mail_t (process (transition)))
|
||
+ (typetransition mta_user_agent mailman_mail_exec_t process mailman_mail_t)
|
||
+ (allow mailman_mail_t mta_user_agent (fd (use)))
|
||
+ (allow mailman_mail_t mta_user_agent (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow mailman_mail_t mta_user_agent (process (sigchld)))
|
||
+ )
|
||
+ )
|
||
+ (optional confinedom_sudo_optional_9
|
||
+ (roleattributeset cil_gen_require rpm_script_roles)
|
||
+ (typeattributeset cil_gen_require bin_t)
|
||
+ (typeattributeset cil_gen_require rpm_t)
|
||
+ (typeattributeset cil_gen_require rpm_script_t)
|
||
+ (typeattributeset cil_gen_require rpm_exec_t)
|
||
+ (typeattributeset cil_gen_require rpm_transition_domain)
|
||
+ (typeattributeset cil_gen_require debuginfo_exec_t)
|
||
+ (typeattributeset cil_gen_require can_system_change)
|
||
+ (roleattributeset cil_gen_require rpm_script_roles)
|
||
+ (roleattributeset rpm_script_roles (urole ))
|
||
+ (typeattributeset cil_gen_require rpm_transition_domain)
|
||
+ (typeattributeset rpm_transition_domain (sudo_type ))
|
||
+ (typeattributeset cil_gen_require can_system_change)
|
||
+ (typeattributeset can_system_change (sudo_type ))
|
||
+ (allow sudo_type bin_t (dir (getattr open search)))
|
||
+ (allow sudo_type bin_t (lnk_file (read getattr)))
|
||
+ (allow sudo_type bin_t (dir (getattr open search)))
|
||
+ (allow sudo_type bin_t (dir (getattr open search)))
|
||
+ (allow sudo_type rpm_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow sudo_type rpm_t (process (transition)))
|
||
+ (typetransition sudo_type rpm_exec_t process rpm_t)
|
||
+ (allow rpm_t sudo_type (fd (use)))
|
||
+ (allow rpm_t sudo_type (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow rpm_t sudo_type (process (sigchld)))
|
||
+ (allow sudo_type bin_t (dir (getattr open search)))
|
||
+ (allow sudo_type bin_t (lnk_file (read getattr)))
|
||
+ (allow sudo_type bin_t (dir (getattr open search)))
|
||
+ (allow sudo_type bin_t (dir (getattr open search)))
|
||
+ (allow sudo_type debuginfo_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow sudo_type rpm_t (process (transition)))
|
||
+ (typetransition sudo_type debuginfo_exec_t process rpm_t)
|
||
+ (allow rpm_t sudo_type (fd (use)))
|
||
+ (allow rpm_t sudo_type (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow rpm_t sudo_type (process (sigchld)))
|
||
+ (allow sudo_type debuginfo_exec_t (dir (getattr open search)))
|
||
+ (allow sudo_type debuginfo_exec_t (lnk_file (read getattr)))
|
||
+ (allow sudo_type rpm_script_t (process (transition)))
|
||
+ (allow sudo_type rpm_script_t (fd (use)))
|
||
+ (allow rpm_script_t sudo_type (fd (use)))
|
||
+ (allow rpm_script_t sudo_type (fifo_file (ioctl read write getattr lock append open)))
|
||
+ (allow rpm_script_t sudo_type (process (sigchld)))
|
||
+ )
|
||
+ (optional confinedom_sudo_optional_10
|
||
+ (typeattributeset cil_gen_require tmp_t)
|
||
+ (typeattributeset cil_gen_require tmpfs_t)
|
||
+ (typeattributeset cil_gen_require security_t)
|
||
+ (typeattributeset cil_gen_require sysfs_t)
|
||
+ (typeattributeset cil_gen_require selinux_config_t)
|
||
+ (typeattributeset cil_gen_require etc_t)
|
||
+ (typeattributeset cil_gen_require krb5_host_rcache_t)
|
||
+ (typeattributeset cil_gen_require can_change_object_identity)
|
||
+ (typeattributeset cil_gen_require default_context_t)
|
||
+ (typeattributeset cil_gen_require file_context_t)
|
||
+ (typeattributeset cil_gen_require krb5_conf_t)
|
||
+ (typeattributeset cil_gen_require krb5_home_t)
|
||
+ (typeattributeset cil_gen_require can_change_object_identity)
|
||
+ (typeattributeset can_change_object_identity (sudo_type ))
|
||
+ (allow sudo_type etc_t (dir (getattr open search)))
|
||
+ (allow sudo_type krb5_conf_t (file (ioctl read getattr lock open)))
|
||
+ (allow sudo_type krb5_home_t (file (ioctl read getattr lock open)))
|
||
+ (booleanif (kerberos_enabled)
|
||
+ (true
|
||
+ (allow sudo_type tmp_t (dir (getattr open search)))
|
||
+ (allow sudo_type tmp_t (lnk_file (read getattr)))
|
||
+ (allow sudo_type tmp_t (dir (getattr open search)))
|
||
+ (allow sudo_type tmpfs_t (dir (getattr open search)))
|
||
+ (allow sudo_type krb5_host_rcache_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow sudo_type krb5_host_rcache_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow sudo_type tmp_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow sudo_type tmp_t (dir (getattr open search)))
|
||
+ (allow sudo_type tmp_t (lnk_file (read getattr)))
|
||
+ (allow sudo_type tmp_t (dir (getattr open search)))
|
||
+ (allow sudo_type tmpfs_t (dir (getattr open search)))
|
||
+ (allow sudo_type file_context_t (file (map)))
|
||
+ (allow sudo_type file_context_t (lnk_file (read getattr)))
|
||
+ (allow sudo_type file_context_t (dir (getattr open search)))
|
||
+ (allow sudo_type file_context_t (file (ioctl read getattr lock open)))
|
||
+ (allow sudo_type file_context_t (dir (getattr open search)))
|
||
+ (allow sudo_type file_context_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow sudo_type file_context_t (dir (getattr open search)))
|
||
+ (allow sudo_type selinux_config_t (dir (getattr open search)))
|
||
+ (allow sudo_type default_context_t (dir (getattr open search)))
|
||
+ (allow sudo_type etc_t (dir (getattr open search)))
|
||
+ (allow sudo_type security_t (security (check_context)))
|
||
+ (allow sudo_type security_t (file (ioctl read write getattr lock append map open)))
|
||
+ (allow sudo_type security_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow sudo_type security_t (lnk_file (read getattr)))
|
||
+ (allow sudo_type sysfs_t (dir (getattr open search)))
|
||
+ (allow sudo_type sysfs_t (dir (getattr open search)))
|
||
+ (allow sudo_type sysfs_t (filesystem (getattr)))
|
||
+ (allow sudo_type self (process (setfscreate)))
|
||
+ )
|
||
+ )
|
||
+ )
|
||
+ (optional confinedom_sudo_optional_11
|
||
+ (typeattributeset cil_gen_require systemd_systemctl_exec_t)
|
||
+ (allow sudo_type systemd_systemctl_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow sudo_type utype (process (transition)))
|
||
+ (typetransition sudo_type systemd_systemctl_exec_t process utype)
|
||
+ (allow utype systemd_systemctl_exec_t (file (entrypoint)))
|
||
+ )
|
||
+ (optional confinedom_sudo_optional_12
|
||
+ (typeattributeset cil_gen_require tmp_t)
|
||
+ (typeattributeset cil_gen_require user_tmp_t)
|
||
+ (typeattributeset cil_gen_require tmpfs_t)
|
||
+ (allow sudo_type user_tmp_t (sock_file (write getattr append open)))
|
||
+ (allow sudo_type tmpfs_t (dir (getattr open search)))
|
||
+ (allow sudo_type tmp_t (dir (getattr open search)))
|
||
+ (allow sudo_type tmp_t (lnk_file (read getattr)))
|
||
+ (allow sudo_type tmp_t (dir (getattr open search)))
|
||
+ (optional confinedom_sudo_optional_13
|
||
+ (typeattributeset cil_gen_require bin_t)
|
||
+ (typeattributeset cil_gen_require passwd_t)
|
||
+ (typeattributeset cil_gen_require passwd_exec_t)
|
||
+ (allow sudo_type bin_t (dir (getattr open search)))
|
||
+ (allow sudo_type bin_t (lnk_file (read getattr)))
|
||
+ (allow sudo_type bin_t (dir (getattr open search)))
|
||
+ (allow sudo_type bin_t (dir (getattr open search)))
|
||
+ (allow sudo_type passwd_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow sudo_type passwd_t (process (transition)))
|
||
+ (typetransition sudo_type passwd_exec_t process passwd_t)
|
||
+ (allow passwd_t sudo_type (fd (use)))
|
||
+ (allow passwd_t sudo_type (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow passwd_t sudo_type (process (sigchld)))
|
||
+ )
|
||
+ )
|
||
+ )
|
||
+)
|
||
+
|
||
+(macro confinedom_user_login_macro ((type utype) (role urole) (type gkeyringd_type) (type dbusd_type) (boolean exec_content_bool))
|
||
+ (optional confinedom_user_login_optional_2
|
||
+ (roletype object_r utype)
|
||
+ (typeattributeset cil_gen_require userdomain)
|
||
+ (typeattributeset cil_gen_require login_confinedom)
|
||
+ (typeattributeset cil_gen_require user_devpts_t)
|
||
+ (typeattributeset cil_gen_require user_tty_device_t)
|
||
+ (typeattributeset cil_gen_require shell_exec_t)
|
||
+ (typeattributeset cil_gen_require entry_type)
|
||
+ (typeattributeset cil_gen_require exec_type)
|
||
+ (typeattributeset cil_gen_require file_type)
|
||
+ (typeattributeset cil_gen_require non_security_file_type)
|
||
+ (typeattributeset cil_gen_require non_auth_file_type)
|
||
+ (typeattributeset cil_gen_require domain)
|
||
+ (typeattributeset cil_gen_require corenet_unlabeled_type)
|
||
+ (typeattributeset cil_gen_require process_user_target)
|
||
+ (typeattributeset cil_gen_require ubac_constrained_type)
|
||
+ (typeattributeset cil_gen_require userdom_filetrans_type)
|
||
+ (typeattributeset cil_gen_require user_tmp_t)
|
||
+ (typeattributeset cil_gen_require user_tmp_type)
|
||
+ (typeattributeset cil_gen_require tmp_t)
|
||
+ (typeattributeset cil_gen_require tmpfs_t)
|
||
+ (typeattributeset cil_gen_require user_home_dir_t)
|
||
+ (typeattributeset cil_gen_require user_home_t)
|
||
+ (typeattributeset cil_gen_require user_home_type)
|
||
+ (typeattributeset cil_gen_require home_root_t)
|
||
+ (typeattributeset cil_gen_require user_home_content_type)
|
||
+ (typeattributeset cil_gen_require polymember)
|
||
+ (typeattributeset cil_gen_require nfs_t)
|
||
+ (typeattributeset cil_gen_require cifs_t)
|
||
+ (typeattributeset cil_gen_require bsdpty_device_t)
|
||
+ (typeattributeset cil_gen_require devpts_t)
|
||
+ (typeattributeset cil_gen_require ptmx_t)
|
||
+ (typeattributeset cil_gen_require device_t)
|
||
+ (typeattributeset cil_gen_require ttynode)
|
||
+ (typeattributeset cil_gen_require ptynode)
|
||
+ (typeattributeset cil_gen_require console_device_t)
|
||
+ (typeattributeset cil_gen_require tty_device_t)
|
||
+ (typeattributeset cil_gen_require server_ptynode)
|
||
+ (typeattributeset cil_gen_require device_node)
|
||
+ (typeattributeset cil_gen_require virtio_device_t)
|
||
+ (typeattributeset cil_gen_require bin_t)
|
||
+ (typeattributeset cil_gen_require base_ro_file_type)
|
||
+ (typeattributeset cil_gen_require application_exec_type)
|
||
+ (typeattributeset cil_gen_require chkpwd_t)
|
||
+ (typeattributeset cil_gen_require chkpwd_exec_t)
|
||
+ (typeattributeset cil_gen_require shadow_t)
|
||
+ (typeattributeset cil_gen_require updpwd_t)
|
||
+ (typeattributeset cil_gen_require updpwd_exec_t)
|
||
+ (typeattributeset cil_gen_require passwd_file_t)
|
||
+ (typeattributeset cil_gen_require var_t)
|
||
+ (typeattributeset cil_gen_require var_lib_t)
|
||
+ (typeattributeset cil_gen_require var_run_t)
|
||
+ (typeattributeset cil_gen_require init_t)
|
||
+ (typeattributeset cil_gen_require nsswitch_domain)
|
||
+ (typeattributeset cil_gen_require netlabel_peer_type)
|
||
+ (typeattributeset cil_gen_require boot_t)
|
||
+ (typeattributeset cil_gen_require cgroup_t)
|
||
+ (typeattributeset cil_gen_require filesystem_type)
|
||
+ (typeattributeset cil_gen_require fs_t)
|
||
+ (typeattributeset cil_gen_require sysfs_t)
|
||
+ (typeattributeset cil_gen_require init_exec_t)
|
||
+ (typeattributeset cil_gen_require systemd_systemctl_exec_t)
|
||
+ (typeattributeset cil_gen_require efivarfs_t)
|
||
+ (typeattributeset cil_gen_require systemd_unit_file_type)
|
||
+ (typeattributeset cil_gen_require init_var_run_t)
|
||
+ (typeattributeset cil_gen_require systemd_logind_var_run_t)
|
||
+ (typeattributeset cil_gen_require systemd_passwd_agent_t)
|
||
+ (typeattributeset cil_gen_require systemd_passwd_agent_exec_t)
|
||
+ (typeattributeset cil_gen_require systemd_passwd_var_run_t)
|
||
+ (typeattributeset cil_gen_require kernel_t)
|
||
+ (typeattributeset cil_gen_require sysctl_type)
|
||
+ (typeattributeset cil_gen_require proc_t)
|
||
+ (typeattributeset cil_gen_require proc_net_t)
|
||
+ (typeattributeset cil_gen_require syslog_client_type)
|
||
+ (typeattributeset cil_gen_require locale_t)
|
||
+ (typeattributeset cil_gen_require mount_var_run_t)
|
||
+ (typeattributeset cil_gen_require sound_device_t)
|
||
+ (typeattributeset cil_gen_require security_t)
|
||
+ (typeattributeset cil_gen_require kernel_system_state_reader)
|
||
+ (typeattributeset cil_gen_require selinux_config_t)
|
||
+ (typeattributeset cil_gen_require etc_t)
|
||
+ (typeattributeset cil_gen_require default_context_t)
|
||
+ (typeattributeset cil_gen_require file_context_t)
|
||
+ (typeattributeset cil_gen_require fixed_disk_device_t)
|
||
+ (typeattributeset cil_gen_require systemd_hostnamed_t)
|
||
+ (typeattributeset cil_gen_require systemd_tmpfiles_exec_t)
|
||
+ (typeattributeset cil_gen_require udev_var_run_t)
|
||
+ (roleattributeset cil_gen_require urole)
|
||
+ (roletype urole utype)
|
||
+ (roletype urole user_tmp_t)
|
||
+ (typeattributeset cil_gen_require netlabel_peer_type)
|
||
+ (typeattributeset netlabel_peer_type (utype ))
|
||
+ (typeattributeset cil_gen_require login_confinedom)
|
||
+ (typeattributeset login_confinedom (utype ))
|
||
+ (typeattributeset cil_gen_require corenet_unlabeled_type)
|
||
+ (typeattributeset corenet_unlabeled_type (utype ))
|
||
+ (typeattributeset cil_gen_require syslog_client_type)
|
||
+ (typeattributeset syslog_client_type (utype ))
|
||
+ (typeattributeset cil_gen_require device_node)
|
||
+ (typeattributeset device_node (user_devpts_t ))
|
||
+ (typeattributeset cil_gen_require file_type)
|
||
+ (typeattributeset file_type (utype shell_exec_t ))
|
||
+ (typeattributeset cil_gen_require ptynode)
|
||
+ (typeattributeset ptynode (user_devpts_t ))
|
||
+ (typeattributeset cil_gen_require non_security_file_type)
|
||
+ (typeattributeset non_security_file_type (utype shell_exec_t ))
|
||
+ (typeattributeset cil_gen_require exec_type)
|
||
+ (typeattributeset exec_type (shell_exec_t ))
|
||
+ (typeattributeset cil_gen_require user_home_content_type)
|
||
+ (typeattributeset user_home_content_type (utype ))
|
||
+ (typeattributeset cil_gen_require polymember)
|
||
+ (typeattributeset polymember (utype ))
|
||
+ (typeattributeset cil_gen_require ubac_constrained_type)
|
||
+ (typeattributeset ubac_constrained_type (utype ))
|
||
+ (typeattributeset cil_gen_require kernel_system_state_reader)
|
||
+ (typeattributeset kernel_system_state_reader (utype ))
|
||
+ (typeattributeset cil_gen_require userdom_filetrans_type)
|
||
+ (typeattributeset userdom_filetrans_type (utype ))
|
||
+ (typeattributeset cil_gen_require nsswitch_domain)
|
||
+ (typeattributeset nsswitch_domain (utype ))
|
||
+ (typeattributeset cil_gen_require user_home_type)
|
||
+ (typeattributeset user_home_type (utype ))
|
||
+ (typeattributeset cil_gen_require userdomain)
|
||
+ (typeattributeset userdomain (utype ))
|
||
+ (typeattributeset cil_gen_require entry_type)
|
||
+ (typeattributeset entry_type (shell_exec_t ))
|
||
+ (typeattributeset cil_gen_require non_auth_file_type)
|
||
+ (typeattributeset non_auth_file_type (utype shell_exec_t ))
|
||
+ (typeattributeset cil_gen_require domain)
|
||
+ (typeattributeset domain (utype ))
|
||
+ (typeattributeset cil_gen_require process_user_target)
|
||
+ (typeattributeset process_user_target (utype ))
|
||
+ (allow utype shell_exec_t (file (entrypoint)))
|
||
+ (allow utype shell_exec_t (file (ioctl read getattr lock map execute open)))
|
||
+ (allow utype user_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype user_tmp_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow utype user_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype user_tmp_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
||
+ (typemember utype tmp_t dir user_tmp_t)
|
||
+ (allow utype user_tmp_type (dir (mounton)))
|
||
+ (allow utype user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype user_tmp_type (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow utype user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype user_tmp_type (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow utype user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype user_tmp_type (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads)))
|
||
+ (allow utype user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype user_tmp_type (sock_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
||
+ (allow utype user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype user_tmp_type (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
||
+ (allow utype tmp_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (typetransition utype tmp_t fifo_file user_tmp_t)
|
||
+ (typetransition utype tmp_t sock_file user_tmp_t)
|
||
+ (typetransition utype tmp_t lnk_file user_tmp_t)
|
||
+ (typetransition utype tmp_t dir user_tmp_t)
|
||
+ (typetransition utype tmp_t file user_tmp_t)
|
||
+ (allow user_tmp_t tmpfs_t (filesystem (associate)))
|
||
+ (allow utype tmpfs_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (typetransition utype tmpfs_t fifo_file user_tmp_t)
|
||
+ (typetransition utype tmpfs_t sock_file user_tmp_t)
|
||
+ (typetransition utype tmpfs_t lnk_file user_tmp_t)
|
||
+ (typetransition utype tmpfs_t dir user_tmp_t)
|
||
+ (typetransition utype tmpfs_t file user_tmp_t)
|
||
+ (allow utype user_tmp_type (dir (getattr open search)))
|
||
+ (allow utype user_tmp_type (dir (getattr relabelfrom relabelto)))
|
||
+ (allow utype user_tmp_type (dir (getattr open search)))
|
||
+ (allow utype user_tmp_type (file (getattr relabelfrom relabelto)))
|
||
+ (allow utype user_tmp_type (dir (getattr open search)))
|
||
+ (allow utype user_tmp_type (lnk_file (getattr relabelfrom relabelto)))
|
||
+ (allow utype user_tmp_type (dir (getattr open search)))
|
||
+ (allow utype user_tmp_type (sock_file (getattr relabelfrom relabelto)))
|
||
+ (allow utype user_tmp_type (dir (getattr open search)))
|
||
+ (allow utype user_tmp_type (fifo_file (getattr relabelfrom relabelto)))
|
||
+ (allow utype user_tmp_type (file (map)))
|
||
+ (allow utype home_root_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype home_root_t (lnk_file (read getattr)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype user_home_type (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype user_home_type (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype user_home_type (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype user_home_type (sock_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype user_home_type (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
||
+ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (typetransition utype user_home_dir_t fifo_file user_home_t)
|
||
+ (typetransition utype user_home_dir_t sock_file user_home_t)
|
||
+ (typetransition utype user_home_dir_t lnk_file user_home_t)
|
||
+ (typetransition utype user_home_dir_t dir user_home_t)
|
||
+ (typetransition utype user_home_dir_t file user_home_t)
|
||
+ (allow login_confinedom self (capability (mknod)))
|
||
+ (allow login_confinedom user_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow login_confinedom user_tmp_t (chr_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
||
+ (allow login_confinedom tmpfs_t (dir (getattr open search)))
|
||
+ (allow login_confinedom tmp_t (dir (getattr open search)))
|
||
+ (allow login_confinedom tmp_t (lnk_file (read getattr)))
|
||
+ (allow login_confinedom tmp_t (dir (getattr open search)))
|
||
+ (allow utype user_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype user_tmp_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
||
+ (allow utype tmpfs_t (dir (getattr open search)))
|
||
+ (allow utype tmp_t (dir (getattr open search)))
|
||
+ (allow utype tmp_t (lnk_file (read getattr)))
|
||
+ (allow utype tmp_t (dir (getattr open search)))
|
||
+ (allow utype user_home_t (filesystem (associate)))
|
||
+ (allow utype device_t (dir (getattr open search)))
|
||
+ (allow utype device_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype device_t (dir (getattr open search)))
|
||
+ (allow utype device_t (lnk_file (read getattr)))
|
||
+ (allow utype ptmx_t (chr_file (ioctl read write getattr lock append open)))
|
||
+ (allow utype devpts_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype devpts_t (filesystem (getattr)))
|
||
+ (dontaudit utype bsdpty_device_t (chr_file (read write getattr)))
|
||
+ (typetransition utype devpts_t chr_file user_devpts_t)
|
||
+ (allow utype device_t (dir (getattr open search)))
|
||
+ (allow utype device_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype device_t (dir (getattr open search)))
|
||
+ (allow utype device_t (lnk_file (read getattr)))
|
||
+ (allow utype devpts_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype devpts_t (chr_file (ioctl read write getattr lock append open)))
|
||
+ (allow utype ttynode (chr_file (ioctl read write getattr lock append open)))
|
||
+ (allow utype ptynode (chr_file (ioctl read write getattr lock append open)))
|
||
+ (allow utype console_device_t (chr_file (ioctl read write getattr lock append open)))
|
||
+ (allow utype tty_device_t (chr_file (ioctl read write getattr lock append open)))
|
||
+ (allow user_devpts_t devpts_t (filesystem (associate)))
|
||
+ (allow utype user_devpts_t (chr_file (setattr)))
|
||
+ (typechange utype server_ptynode chr_file user_devpts_t)
|
||
+ (allow utype device_t (dir (getattr open search)))
|
||
+ (allow utype device_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype device_t (dir (getattr open search)))
|
||
+ (allow utype device_t (lnk_file (read getattr)))
|
||
+ (allow utype virtio_device_t (chr_file (ioctl read write getattr lock append open)))
|
||
+ (allow utype utype (capability (chown dac_read_search setgid setuid audit_write)))
|
||
+ (allow utype utype (dbus (acquire_svc)))
|
||
+ (allow utype utype (process (setsched setcap setfscreate setsockcreate)))
|
||
+ (allow utype utype (netlink_audit_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read nlmsg_write nlmsg_relay)))
|
||
+ (allow utype utype (netlink_kobject_uevent_socket (create getattr bind getopt setopt)))
|
||
+ (allow utype utype (unix_dgram_socket (ioctl create bind connect getopt setopt sendto)))
|
||
+ (allow utype utype (unix_stream_socket (connectto)))
|
||
+ (allow utype utype (context (contains)))
|
||
+ (dontaudit utype exec_type (file (execute execute_no_trans)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype bin_t (lnk_file (read getattr)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype bin_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype bin_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
||
+ (allow utype base_ro_file_type (file (ioctl read getattr lock map execute open execute_no_trans)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype bin_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype bin_t (lnk_file (read getattr)))
|
||
+ (allow utype shell_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
||
+ (allow utype shell_exec_t (file (map)))
|
||
+ (allow utype application_exec_type (file (ioctl read getattr lock map execute open execute_no_trans)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype bin_t (lnk_file (read getattr)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype chkpwd_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow utype chkpwd_t (process (transition)))
|
||
+ (typetransition utype chkpwd_exec_t process chkpwd_t)
|
||
+ (allow chkpwd_t utype (fd (use)))
|
||
+ (allow chkpwd_t utype (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow chkpwd_t utype (process (sigchld)))
|
||
+ (dontaudit utype shadow_t (file (read getattr)))
|
||
+ (allow utype updpwd_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow utype updpwd_t (process (transition)))
|
||
+ (typetransition utype updpwd_exec_t process updpwd_t)
|
||
+ (allow updpwd_t utype (fd (use)))
|
||
+ (allow updpwd_t utype (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow updpwd_t utype (process (sigchld)))
|
||
+ (dontaudit utype shadow_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype passwd_file_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype init_t (dbus (send_msg)))
|
||
+ (allow init_t utype (dbus (send_msg)))
|
||
+ (dontaudit utype boot_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (dontaudit utype boot_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow utype cgroup_t (filesystem (getattr)))
|
||
+ (allow utype filesystem_type (dir (getattr)))
|
||
+ (allow utype tmpfs_t (filesystem (getattr)))
|
||
+ (allow utype fs_t (filesystem (getattr)))
|
||
+ (allow utype cgroup_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype cgroup_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow utype tmpfs_t (dir (getattr open search)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype cgroup_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype cgroup_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow utype cgroup_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype cgroup_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads)))
|
||
+ (allow utype tmpfs_t (dir (getattr open search)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype tmpfs_t (dir (getattr open search)))
|
||
+ (allow utype tmpfs_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype filesystem_type (dir (getattr open search)))
|
||
+ (allow utype init_exec_t (file (entrypoint)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype bin_t (lnk_file (read getattr)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype init_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
||
+ (allow utype init_t (system (status)))
|
||
+ (allow utype init_t (service (status)))
|
||
+ (allow utype kernel_t (unix_dgram_socket (sendto)))
|
||
+ (allow utype sysctl_type (dir (getattr open search)))
|
||
+ (allow utype proc_t (dir (getattr open search)))
|
||
+ (allow utype proc_net_t (dir (getattr open search)))
|
||
+ (allow utype sysctl_type (file (ioctl read getattr lock open)))
|
||
+ (allow utype proc_t (dir (getattr open search)))
|
||
+ (allow utype proc_net_t (dir (getattr open search)))
|
||
+ (allow utype sysctl_type (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype proc_t (dir (getattr open search)))
|
||
+ (allow utype proc_net_t (dir (getattr open search)))
|
||
+ (allow utype proc_net_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype proc_t (dir (getattr open search)))
|
||
+ (allow utype proc_net_t (dir (getattr open search)))
|
||
+ (allow utype proc_net_t (lnk_file (read getattr)))
|
||
+ (allow utype proc_t (dir (getattr open search)))
|
||
+ (allow utype proc_net_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype kernel_t (system (module_request)))
|
||
+ (allow utype kernel_t (unix_stream_socket (getattr connectto)))
|
||
+ (allow utype locale_t (dir (getattr open search)))
|
||
+ (allow utype locale_t (lnk_file (getattr watch)))
|
||
+ (allow utype mount_var_run_t (dir (getattr open search)))
|
||
+ (allow utype mount_var_run_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype mount_var_run_t (dir (getattr open search)))
|
||
+ (allow utype mount_var_run_t (dir (ioctl read getattr lock open search watch watch_reads)))
|
||
+ (allow utype var_t (lnk_file (read getattr)))
|
||
+ (allow utype var_run_t (lnk_file (read getattr)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_run_t (dir (getattr open search)))
|
||
+ (allow utype var_t (lnk_file (read getattr)))
|
||
+ (allow utype var_run_t (lnk_file (read getattr)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_run_t (dir (getattr open search)))
|
||
+ (allow utype mount_var_run_t (dir (getattr open search)))
|
||
+ (allow utype mount_var_run_t (dir (getattr watch)))
|
||
+ (allow utype device_t (dir (getattr open search)))
|
||
+ (allow utype sound_device_t (chr_file (getattr)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype sysfs_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype sysfs_t (lnk_file (read getattr)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype sysfs_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype proc_t (dir (getattr open search)))
|
||
+ (allow utype proc_t (dir (getattr open search)))
|
||
+ (allow utype domain (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype domain (dir (getattr open search)))
|
||
+ (allow utype domain (file (ioctl read getattr lock open)))
|
||
+ (allow utype domain (dir (getattr open search)))
|
||
+ (allow utype domain (lnk_file (read getattr)))
|
||
+ (allow utype sysfs_t (filesystem (getattr)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype security_t (lnk_file (read getattr)))
|
||
+ (allow utype security_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype security_t (file (ioctl read write getattr lock append open)))
|
||
+ (allow utype security_t (security (compute_av)))
|
||
+ (allow utype sysfs_t (filesystem (getattr)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype security_t (lnk_file (read getattr)))
|
||
+ (allow utype security_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype security_t (file (ioctl read write getattr lock append open)))
|
||
+ (allow utype security_t (security (compute_create)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype security_t (lnk_file (read getattr)))
|
||
+ (allow utype sysfs_t (filesystem (getattr)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype security_t (filesystem (getattr)))
|
||
+ (allow utype security_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype security_t (file (ioctl read getattr map open)))
|
||
+ (allow utype security_t (lnk_file (read getattr)))
|
||
+ (allow utype etc_t (dir (getattr open search)))
|
||
+ (allow utype selinux_config_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype selinux_config_t (dir (getattr open search)))
|
||
+ (allow utype selinux_config_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype selinux_config_t (dir (getattr open search)))
|
||
+ (allow utype selinux_config_t (lnk_file (read getattr)))
|
||
+ (allow utype etc_t (dir (getattr open search)))
|
||
+ (allow utype selinux_config_t (dir (getattr open search)))
|
||
+ (allow utype default_context_t (dir (getattr open search)))
|
||
+ (allow utype file_context_t (dir (getattr open search)))
|
||
+ (allow utype file_context_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype file_context_t (dir (getattr open search)))
|
||
+ (allow utype file_context_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype file_context_t (dir (getattr open search)))
|
||
+ (allow utype file_context_t (lnk_file (read getattr)))
|
||
+ (allow utype file_context_t (file (map)))
|
||
+ (allow utype device_t (dir (getattr open search)))
|
||
+ (allow utype device_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype device_t (dir (getattr open search)))
|
||
+ (allow utype device_t (lnk_file (read getattr)))
|
||
+ (allow utype fixed_disk_device_t (blk_file (getattr)))
|
||
+ (allow utype systemd_hostnamed_t (dbus (send_msg)))
|
||
+ (allow systemd_hostnamed_t utype (dbus (send_msg)))
|
||
+ (allow systemd_hostnamed_t utype (dir (ioctl read getattr lock open search)))
|
||
+ (allow systemd_hostnamed_t utype (file (ioctl read getattr lock open)))
|
||
+ (allow systemd_hostnamed_t utype (lnk_file (read getattr)))
|
||
+ (allow systemd_hostnamed_t utype (process (getattr)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype bin_t (lnk_file (read getattr)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype systemd_systemctl_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
||
+ (allow utype cgroup_t (dir (getattr open search)))
|
||
+ (allow utype cgroup_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype tmpfs_t (dir (getattr open search)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype cgroup_t (dir (getattr open search)))
|
||
+ (allow utype cgroup_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype cgroup_t (dir (getattr open search)))
|
||
+ (allow utype cgroup_t (lnk_file (read getattr)))
|
||
+ (allow utype tmpfs_t (dir (getattr open search)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype efivarfs_t (dir (getattr open search)))
|
||
+ (allow utype efivarfs_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_lib_t (dir (getattr open search)))
|
||
+ (allow utype systemd_unit_file_type (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype init_var_run_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype init_t (dir (getattr open search)))
|
||
+ (allow utype init_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype init_t (lnk_file (read getattr)))
|
||
+ (allow utype init_t (unix_stream_socket (sendto)))
|
||
+ (allow utype var_t (lnk_file (read getattr)))
|
||
+ (allow utype var_run_t (lnk_file (read getattr)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_run_t (dir (getattr open search)))
|
||
+ (allow utype init_var_run_t (dir (getattr open search)))
|
||
+ (allow utype init_var_run_t (sock_file (write getattr append open)))
|
||
+ (allow utype init_t (unix_stream_socket (connectto)))
|
||
+ (allow utype init_t (unix_stream_socket (getattr)))
|
||
+ (dontaudit utype self (process (setrlimit)))
|
||
+ (dontaudit utype self (capability (sys_resource)))
|
||
+ (allow utype var_t (lnk_file (read getattr)))
|
||
+ (allow utype var_run_t (lnk_file (read getattr)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_run_t (dir (getattr open search)))
|
||
+ (allow utype systemd_logind_var_run_t (dir (getattr open search)))
|
||
+ (allow utype systemd_logind_var_run_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype var_t (lnk_file (read getattr)))
|
||
+ (allow utype var_run_t (lnk_file (read getattr)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_run_t (dir (getattr open search)))
|
||
+ (allow utype systemd_logind_var_run_t (dir (getattr open search)))
|
||
+ (allow utype systemd_logind_var_run_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype systemd_passwd_agent_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
||
+ (allow utype init_var_run_t (dir (getattr open search)))
|
||
+ (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype systemd_passwd_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype systemd_passwd_var_run_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
||
+ (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype systemd_passwd_var_run_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
||
+ (allow systemd_passwd_agent_t utype (process (signull)))
|
||
+ (allow systemd_passwd_agent_t utype (unix_dgram_socket (sendto)))
|
||
+ (dontaudit utype self (capability (net_admin sys_ptrace)))
|
||
+ (allow utype systemd_tmpfiles_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
||
+ (allow utype systemd_passwd_var_run_t (dir (getattr watch)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_lib_t (dir (getattr open search)))
|
||
+ (allow utype systemd_unit_file_type (file (ioctl read getattr lock open)))
|
||
+ (allow utype systemd_unit_file_type (lnk_file (read getattr)))
|
||
+ (allow utype systemd_unit_file_type (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype device_t (dir (getattr open search)))
|
||
+ (allow utype device_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype device_t (dir (getattr open search)))
|
||
+ (allow utype device_t (lnk_file (read getattr)))
|
||
+ (allow utype var_t (lnk_file (read getattr)))
|
||
+ (allow utype var_run_t (lnk_file (read getattr)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_run_t (dir (getattr open search)))
|
||
+ (allow utype udev_var_run_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype udev_var_run_t (dir (getattr open search)))
|
||
+ (allow utype udev_var_run_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype udev_var_run_t (dir (getattr open search)))
|
||
+ (allow utype udev_var_run_t (lnk_file (read getattr)))
|
||
+ (roleallow system_r urole)
|
||
+ (booleanif (deny_bluetooth)
|
||
+ (false
|
||
+ (allow utype self (bluetooth_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown)))
|
||
+ )
|
||
+ )
|
||
+ (booleanif (and (exec_content_bool) (use_samba_home_dirs))
|
||
+ (true
|
||
+ (allow utype cifs_t (file (ioctl read getattr map execute open execute_no_trans)))
|
||
+ (allow utype cifs_t (dir (getattr open search)))
|
||
+ (allow utype cifs_t (dir (ioctl read getattr lock open search)))
|
||
+ )
|
||
+ )
|
||
+ (booleanif (and (exec_content_bool) (use_nfs_home_dirs))
|
||
+ (true
|
||
+ (allow utype nfs_t (file (ioctl read getattr map execute open execute_no_trans)))
|
||
+ (allow utype nfs_t (dir (getattr open search)))
|
||
+ (allow utype nfs_t (dir (ioctl read getattr lock open search)))
|
||
+ )
|
||
+ )
|
||
+ (booleanif (exec_content_bool)
|
||
+ (true
|
||
+ (allow utype user_home_type (file (ioctl read getattr map execute open execute_no_trans)))
|
||
+ (allow utype user_home_dir_t (dir (getattr open search)))
|
||
+ (allow utype user_home_type (dir (getattr open search)))
|
||
+ (allow utype home_root_t (lnk_file (read getattr)))
|
||
+ (allow utype home_root_t (dir (getattr open search)))
|
||
+ (allow utype tmp_t (dir (getattr open search)))
|
||
+ (allow utype tmp_t (lnk_file (read getattr)))
|
||
+ (allow utype tmp_t (dir (getattr open search)))
|
||
+ (allow utype tmpfs_t (dir (getattr open search)))
|
||
+ (allow utype user_tmp_t (file (ioctl read getattr map execute open execute_no_trans)))
|
||
+ (allow utype user_tmp_t (dir (getattr open search)))
|
||
+ (allow utype user_tmp_t (file (entrypoint)))
|
||
+ )
|
||
+ )
|
||
+ (optional confinedom_user_login_optional_3
|
||
+ (typeattributeset cil_gen_require sssd_public_t)
|
||
+ (typeattributeset cil_gen_require sssd_var_lib_t)
|
||
+ (typeattributeset cil_gen_require var_t)
|
||
+ (typeattributeset cil_gen_require var_lib_t)
|
||
+ (typeattributeset cil_gen_require sssd_t)
|
||
+ (typeattributeset cil_gen_require var_run_t)
|
||
+ (allow utype sssd_var_lib_t (dir (getattr open search)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_lib_t (dir (getattr open search)))
|
||
+ (allow utype sssd_public_t (dir (getattr open search)))
|
||
+ (allow utype sssd_public_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype sssd_public_t (dir (getattr open search)))
|
||
+ (allow utype sssd_public_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype sssd_public_t (file (map)))
|
||
+ (allow utype var_t (lnk_file (read getattr)))
|
||
+ (allow utype var_run_t (lnk_file (read getattr)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_run_t (dir (getattr open search)))
|
||
+ (allow utype sssd_var_lib_t (dir (getattr open search)))
|
||
+ (allow utype sssd_var_lib_t (sock_file (write getattr append open)))
|
||
+ (allow utype sssd_t (unix_stream_socket (connectto)))
|
||
+ )
|
||
+ (optional confinedom_user_login_optional_4
|
||
+ (typeattributeset cil_gen_require tmpfs_t)
|
||
+ (typeattributeset cil_gen_require bin_t)
|
||
+ (typeattributeset cil_gen_require var_t)
|
||
+ (typeattributeset cil_gen_require var_lib_t)
|
||
+ (typeattributeset cil_gen_require var_run_t)
|
||
+ (typeattributeset cil_gen_require init_t)
|
||
+ (typeattributeset cil_gen_require cgroup_t)
|
||
+ (typeattributeset cil_gen_require sysfs_t)
|
||
+ (typeattributeset cil_gen_require systemd_systemctl_exec_t)
|
||
+ (typeattributeset cil_gen_require efivarfs_t)
|
||
+ (typeattributeset cil_gen_require systemd_unit_file_type)
|
||
+ (typeattributeset cil_gen_require init_var_run_t)
|
||
+ (typeattributeset cil_gen_require systemd_logind_var_run_t)
|
||
+ (typeattributeset cil_gen_require systemd_passwd_agent_t)
|
||
+ (typeattributeset cil_gen_require systemd_passwd_agent_exec_t)
|
||
+ (typeattributeset cil_gen_require systemd_passwd_var_run_t)
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype bin_t (lnk_file (read getattr)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype systemd_systemctl_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
||
+ (allow utype cgroup_t (dir (getattr open search)))
|
||
+ (allow utype cgroup_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype tmpfs_t (dir (getattr open search)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype cgroup_t (dir (getattr open search)))
|
||
+ (allow utype cgroup_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype cgroup_t (dir (getattr open search)))
|
||
+ (allow utype cgroup_t (lnk_file (read getattr)))
|
||
+ (allow utype tmpfs_t (dir (getattr open search)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype efivarfs_t (dir (getattr open search)))
|
||
+ (allow utype efivarfs_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_lib_t (dir (getattr open search)))
|
||
+ (allow utype systemd_unit_file_type (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype init_var_run_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype init_t (dir (getattr open search)))
|
||
+ (allow utype init_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype init_t (lnk_file (read getattr)))
|
||
+ (allow utype init_t (unix_stream_socket (sendto)))
|
||
+ (allow utype var_t (lnk_file (read getattr)))
|
||
+ (allow utype var_run_t (lnk_file (read getattr)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_run_t (dir (getattr open search)))
|
||
+ (allow utype init_var_run_t (dir (getattr open search)))
|
||
+ (allow utype init_var_run_t (sock_file (write getattr append open)))
|
||
+ (allow utype init_t (unix_stream_socket (connectto)))
|
||
+ (allow utype init_t (unix_stream_socket (getattr)))
|
||
+ (dontaudit utype self (process (setrlimit)))
|
||
+ (dontaudit utype self (capability (sys_resource)))
|
||
+ (allow utype var_t (lnk_file (read getattr)))
|
||
+ (allow utype var_run_t (lnk_file (read getattr)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_run_t (dir (getattr open search)))
|
||
+ (allow utype systemd_logind_var_run_t (dir (getattr open search)))
|
||
+ (allow utype systemd_logind_var_run_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype var_t (lnk_file (read getattr)))
|
||
+ (allow utype var_run_t (lnk_file (read getattr)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_run_t (dir (getattr open search)))
|
||
+ (allow utype systemd_logind_var_run_t (dir (getattr open search)))
|
||
+ (allow utype systemd_logind_var_run_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype systemd_passwd_agent_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
||
+ (allow utype init_var_run_t (dir (getattr open search)))
|
||
+ (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype systemd_passwd_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype systemd_passwd_var_run_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
||
+ (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype systemd_passwd_var_run_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
||
+ (allow systemd_passwd_agent_t utype (process (signull)))
|
||
+ (allow systemd_passwd_agent_t utype (unix_dgram_socket (sendto)))
|
||
+ (dontaudit utype self (capability (net_admin sys_ptrace)))
|
||
+ (optional confinedom_user_login_optional_5
|
||
+ (typeattributeset cil_gen_require bluetooth_t)
|
||
+ (allow utype bluetooth_t (dbus (send_msg)))
|
||
+ (allow bluetooth_t utype (dbus (send_msg)))
|
||
+ )
|
||
+ (optional confinedom_user_login_optional_6
|
||
+ (typeattributeset cil_gen_require shell_exec_t)
|
||
+ (typeattributeset cil_gen_require entry_type)
|
||
+ (typeattributeset cil_gen_require exec_type)
|
||
+ (typeattributeset cil_gen_require file_type)
|
||
+ (typeattributeset cil_gen_require non_security_file_type)
|
||
+ (typeattributeset cil_gen_require non_auth_file_type)
|
||
+ (typeattributeset cil_gen_require domain)
|
||
+ (typeattributeset cil_gen_require corenet_unlabeled_type)
|
||
+ (typeattributeset cil_gen_require ubac_constrained_type)
|
||
+ (typeattributeset cil_gen_require device_t)
|
||
+ (typeattributeset cil_gen_require bin_t)
|
||
+ (typeattributeset cil_gen_require base_ro_file_type)
|
||
+ (typeattributeset cil_gen_require application_exec_type)
|
||
+ (typeattributeset cil_gen_require chkpwd_t)
|
||
+ (typeattributeset cil_gen_require chkpwd_exec_t)
|
||
+ (typeattributeset cil_gen_require shadow_t)
|
||
+ (typeattributeset cil_gen_require updpwd_t)
|
||
+ (typeattributeset cil_gen_require updpwd_exec_t)
|
||
+ (typeattributeset cil_gen_require var_t)
|
||
+ (typeattributeset cil_gen_require nsswitch_domain)
|
||
+ (typeattributeset cil_gen_require netlabel_peer_type)
|
||
+ (typeattributeset cil_gen_require syslog_client_type)
|
||
+ (typeattributeset cil_gen_require kernel_system_state_reader)
|
||
+ (typeattributeset cil_gen_require cronjob_t)
|
||
+ (typeattributeset cil_gen_require crontab_t)
|
||
+ (typeattributeset cil_gen_require crontab_exec_t)
|
||
+ (typeattributeset cil_gen_require user_cron_spool_t)
|
||
+ (typeattributeset cil_gen_require crond_t)
|
||
+ (typeattributeset cil_gen_require application_domain_type)
|
||
+ (typeattributeset cil_gen_require auth_cache_t)
|
||
+ (typeattributeset cil_gen_require random_device_t)
|
||
+ (typeattributeset cil_gen_require urandom_device_t)
|
||
+ (typeattributeset cil_gen_require faillog_t)
|
||
+ (typeattributeset cil_gen_require var_log_t)
|
||
+ (typeattributeset cil_gen_require cert_t)
|
||
+ (typeattributeset cil_gen_require userdom_home_reader_type)
|
||
+ (roleattributeset cil_gen_require urole)
|
||
+ (roletype urole cronjob_t)
|
||
+ (roletype urole crontab_t)
|
||
+ (typeattributeset cil_gen_require netlabel_peer_type)
|
||
+ (typeattributeset netlabel_peer_type (utype ))
|
||
+ (typeattributeset cil_gen_require corenet_unlabeled_type)
|
||
+ (typeattributeset corenet_unlabeled_type (utype ))
|
||
+ (typeattributeset cil_gen_require syslog_client_type)
|
||
+ (typeattributeset syslog_client_type (utype ))
|
||
+ (typeattributeset cil_gen_require file_type)
|
||
+ (typeattributeset file_type (crontab_exec_t ))
|
||
+ (typeattributeset cil_gen_require non_security_file_type)
|
||
+ (typeattributeset non_security_file_type (crontab_exec_t ))
|
||
+ (typeattributeset cil_gen_require exec_type)
|
||
+ (typeattributeset exec_type (crontab_exec_t ))
|
||
+ (typeattributeset cil_gen_require application_domain_type)
|
||
+ (typeattributeset application_domain_type (utype ))
|
||
+ (typeattributeset cil_gen_require ubac_constrained_type)
|
||
+ (typeattributeset ubac_constrained_type (utype ))
|
||
+ (typeattributeset cil_gen_require kernel_system_state_reader)
|
||
+ (typeattributeset kernel_system_state_reader (utype ))
|
||
+ (typeattributeset cil_gen_require application_exec_type)
|
||
+ (typeattributeset application_exec_type (crontab_exec_t ))
|
||
+ (typeattributeset cil_gen_require nsswitch_domain)
|
||
+ (typeattributeset nsswitch_domain (utype ))
|
||
+ (typeattributeset cil_gen_require entry_type)
|
||
+ (typeattributeset entry_type (crontab_exec_t ))
|
||
+ (typeattributeset cil_gen_require non_auth_file_type)
|
||
+ (typeattributeset non_auth_file_type (crontab_exec_t ))
|
||
+ (typeattributeset cil_gen_require userdom_home_reader_type)
|
||
+ (typeattributeset userdom_home_reader_type (utype ))
|
||
+ (typeattributeset cil_gen_require domain)
|
||
+ (typeattributeset domain (utype ))
|
||
+ (allow utype crontab_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow utype crontab_t (process (transition)))
|
||
+ (typetransition utype crontab_exec_t process crontab_t)
|
||
+ (allow crontab_t utype (fd (use)))
|
||
+ (allow crontab_t utype (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow crontab_t utype (process (sigchld)))
|
||
+ (dontaudit crond_t utype (process (noatsecure siginh rlimitinh)))
|
||
+ (allow utype crond_t (process (sigchld)))
|
||
+ (allow utype user_cron_spool_t (file (ioctl read write getattr)))
|
||
+ (allow utype crontab_t (process (sigchld sigkill sigstop signull signal)))
|
||
+ (allow utype crontab_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype crontab_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype crontab_t (lnk_file (read getattr)))
|
||
+ (allow utype crontab_t (process (getattr)))
|
||
+ (allow utype crontab_exec_t (file (entrypoint)))
|
||
+ (allow utype crontab_exec_t (file (ioctl read getattr lock map execute open)))
|
||
+ (allow utype auth_cache_t (dir (getattr open search)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype bin_t (lnk_file (read getattr)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype chkpwd_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow utype chkpwd_t (process (transition)))
|
||
+ (typetransition utype chkpwd_exec_t process chkpwd_t)
|
||
+ (allow chkpwd_t utype (fd (use)))
|
||
+ (allow chkpwd_t utype (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow chkpwd_t utype (process (sigchld)))
|
||
+ (allow utype chkpwd_exec_t (file (map)))
|
||
+ (dontaudit utype shadow_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype device_t (dir (getattr open search)))
|
||
+ (allow utype random_device_t (chr_file (ioctl read getattr lock open)))
|
||
+ (allow utype device_t (dir (getattr open search)))
|
||
+ (allow utype urandom_device_t (chr_file (ioctl read getattr lock open)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_log_t (dir (getattr open search)))
|
||
+ (allow utype faillog_t (dir (getattr open search)))
|
||
+ (allow utype faillog_t (file (ioctl read write getattr lock append open)))
|
||
+ (allow utype self (capability (audit_write)))
|
||
+ (allow utype self (netlink_audit_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read nlmsg_relay nlmsg_tty_audit)))
|
||
+ (allow utype cert_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype cert_t (dir (getattr open search)))
|
||
+ (allow utype cert_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype cert_t (dir (getattr open search)))
|
||
+ (allow utype cert_t (lnk_file (read getattr)))
|
||
+ (allow utype updpwd_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow utype updpwd_t (process (transition)))
|
||
+ (typetransition utype updpwd_exec_t process updpwd_t)
|
||
+ (allow updpwd_t utype (fd (use)))
|
||
+ (allow updpwd_t utype (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow updpwd_t utype (process (sigchld)))
|
||
+ (dontaudit utype shadow_t (file (ioctl read getattr lock open)))
|
||
+ (allow crontab_t bin_t (dir (getattr open search)))
|
||
+ (allow crontab_t bin_t (lnk_file (read getattr)))
|
||
+ (allow crontab_t bin_t (dir (getattr open search)))
|
||
+ (allow crontab_t bin_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow crontab_t bin_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
||
+ (allow crontab_t base_ro_file_type (file (ioctl read getattr lock map execute open execute_no_trans)))
|
||
+ (allow crontab_t bin_t (dir (getattr open search)))
|
||
+ (allow crontab_t bin_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow crontab_t bin_t (dir (getattr open search)))
|
||
+ (allow crontab_t bin_t (lnk_file (read getattr)))
|
||
+ (allow crontab_t shell_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
||
+ (allow crontab_t shell_exec_t (file (map)))
|
||
+ (booleanif (cron_userdomain_transition)
|
||
+ (true
|
||
+ (allow utype cronjob_t (process (getattr)))
|
||
+ (allow utype cronjob_t (lnk_file (read getattr)))
|
||
+ (allow utype cronjob_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype cronjob_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype cronjob_t (process (sigchld sigkill sigstop signull signal)))
|
||
+ (allow utype crond_t (fifo_file (ioctl read write getattr lock append open)))
|
||
+ (allow utype user_cron_spool_t (file (entrypoint)))
|
||
+ (allow crond_t utype (key (view read write search link setattr create)))
|
||
+ (allow crond_t utype (fd (use)))
|
||
+ (allow crond_t utype (process (transition)))
|
||
+ )
|
||
+ (false
|
||
+ (dontaudit utype cronjob_t (process (sigchld sigkill sigstop signull signal)))
|
||
+ (dontaudit utype crond_t (fifo_file (ioctl read write getattr lock append open)))
|
||
+ (dontaudit utype user_cron_spool_t (file (entrypoint)))
|
||
+ (dontaudit crond_t utype (key (view read write search link setattr create)))
|
||
+ (dontaudit crond_t utype (fd (use)))
|
||
+ (dontaudit crond_t utype (process (transition)))
|
||
+ )
|
||
+ )
|
||
+ (booleanif (deny_ptrace)
|
||
+ (false
|
||
+ (allow utype crontab_t (process (ptrace)))
|
||
+ )
|
||
+ )
|
||
+ (optional confinedom_user_login_optional_7
|
||
+ (typeattributeset cil_gen_require etc_t)
|
||
+ (typeattributeset cil_gen_require krb5_keytab_t)
|
||
+ (allow utype etc_t (dir (getattr open search)))
|
||
+ (allow utype krb5_keytab_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype krb5_keytab_t (file (ioctl read getattr lock open)))
|
||
+ )
|
||
+ (optional confinedom_user_login_optional_8
|
||
+ (typeattributeset cil_gen_require var_t)
|
||
+ (typeattributeset cil_gen_require var_run_t)
|
||
+ (typeattributeset cil_gen_require pcscd_var_run_t)
|
||
+ (typeattributeset cil_gen_require pcscd_t)
|
||
+ (allow utype var_t (lnk_file (read getattr)))
|
||
+ (allow utype var_run_t (lnk_file (read getattr)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_run_t (dir (getattr open search)))
|
||
+ (allow utype pcscd_var_run_t (dir (getattr open search)))
|
||
+ (allow utype pcscd_var_run_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype var_t (lnk_file (read getattr)))
|
||
+ (allow utype var_run_t (lnk_file (read getattr)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_run_t (dir (getattr open search)))
|
||
+ (allow utype pcscd_var_run_t (dir (getattr open search)))
|
||
+ (allow utype pcscd_var_run_t (sock_file (write getattr append open)))
|
||
+ (allow utype pcscd_t (unix_stream_socket (connectto)))
|
||
+ )
|
||
+ (optional confinedom_user_login_optional_9
|
||
+ (typeattributeset cil_gen_require var_t)
|
||
+ (typeattributeset cil_gen_require var_run_t)
|
||
+ (typeattributeset cil_gen_require etc_t)
|
||
+ (typeattributeset cil_gen_require samba_var_t)
|
||
+ (typeattributeset cil_gen_require winbind_t)
|
||
+ (typeattributeset cil_gen_require winbind_var_run_t)
|
||
+ (typeattributeset cil_gen_require smbd_var_run_t)
|
||
+ (typeattributeset cil_gen_require samba_etc_t)
|
||
+ (allow utype var_t (lnk_file (read getattr)))
|
||
+ (allow utype var_run_t (lnk_file (read getattr)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_run_t (dir (getattr open search)))
|
||
+ (allow utype smbd_var_run_t (dir (getattr open search)))
|
||
+ (allow utype samba_var_t (dir (getattr open search)))
|
||
+ (allow utype winbind_var_run_t (dir (getattr open search)))
|
||
+ (allow utype winbind_var_run_t (sock_file (write getattr append open)))
|
||
+ (allow utype winbind_t (unix_stream_socket (connectto)))
|
||
+ (allow utype etc_t (dir (getattr open search)))
|
||
+ (allow utype samba_etc_t (dir (getattr open search)))
|
||
+ (allow utype samba_etc_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype samba_etc_t (dir (getattr open search)))
|
||
+ (allow utype samba_etc_t (file (ioctl read getattr lock open)))
|
||
+ )
|
||
+ (optional confinedom_user_login_optional_10
|
||
+ (typeattributeset cil_gen_require system_dbusd_t)
|
||
+ (allow cronjob_t utype (dbus (send_msg)))
|
||
+ )
|
||
+ )
|
||
+ (optional confinedom_user_login_optional_11
|
||
+ ;(type dbusd_type)
|
||
+ (roletype object_r dbusd_type)
|
||
+ (typeattributeset cil_gen_require utype)
|
||
+ (typeattributeset cil_gen_require shell_exec_t)
|
||
+ (typeattributeset cil_gen_require entry_type)
|
||
+ (typeattributeset cil_gen_require exec_type)
|
||
+ (typeattributeset cil_gen_require file_type)
|
||
+ (typeattributeset cil_gen_require non_security_file_type)
|
||
+ (typeattributeset cil_gen_require non_auth_file_type)
|
||
+ (typeattributeset cil_gen_require domain)
|
||
+ (typeattributeset cil_gen_require corenet_unlabeled_type)
|
||
+ (typeattributeset cil_gen_require ubac_constrained_type)
|
||
+ (typeattributeset cil_gen_require bin_t)
|
||
+ (typeattributeset cil_gen_require application_exec_type)
|
||
+ (typeattributeset cil_gen_require nsswitch_domain)
|
||
+ (typeattributeset cil_gen_require netlabel_peer_type)
|
||
+ (typeattributeset cil_gen_require sysfs_t)
|
||
+ (typeattributeset cil_gen_require syslog_client_type)
|
||
+ (typeattributeset cil_gen_require security_t)
|
||
+ (typeattributeset cil_gen_require kernel_system_state_reader)
|
||
+ (typeattributeset cil_gen_require application_domain_type)
|
||
+ (typeattributeset cil_gen_require system_dbusd_t)
|
||
+ (typeattributeset cil_gen_require session_dbusd_tmp_t)
|
||
+ (typeattributeset cil_gen_require dbusd_unconfined)
|
||
+ (typeattributeset cil_gen_require session_bus_type)
|
||
+ (typeattributeset cil_gen_require dbusd_exec_t)
|
||
+ (typeattributeset cil_gen_require dbusd_etc_t)
|
||
+ (typeattributeset cil_gen_require userdom_home_manager_type)
|
||
+ (typeattributeset cil_gen_require usr_t)
|
||
+ (roleattributeset cil_gen_require urole)
|
||
+ (roletype urole dbusd_type)
|
||
+ (typeattributeset cil_gen_require netlabel_peer_type)
|
||
+ (typeattributeset netlabel_peer_type (dbusd_type ))
|
||
+ (typeattributeset cil_gen_require corenet_unlabeled_type)
|
||
+ (typeattributeset corenet_unlabeled_type (dbusd_type ))
|
||
+ (typeattributeset cil_gen_require syslog_client_type)
|
||
+ (typeattributeset syslog_client_type (dbusd_type ))
|
||
+ (typeattributeset cil_gen_require file_type)
|
||
+ (typeattributeset file_type (dbusd_exec_t ))
|
||
+ (typeattributeset cil_gen_require non_security_file_type)
|
||
+ (typeattributeset non_security_file_type (dbusd_exec_t ))
|
||
+ (typeattributeset cil_gen_require exec_type)
|
||
+ (typeattributeset exec_type (dbusd_exec_t ))
|
||
+ (typeattributeset cil_gen_require application_domain_type)
|
||
+ (typeattributeset application_domain_type (dbusd_type ))
|
||
+ (typeattributeset cil_gen_require userdom_home_manager_type)
|
||
+ (typeattributeset userdom_home_manager_type (dbusd_type ))
|
||
+ (typeattributeset cil_gen_require ubac_constrained_type)
|
||
+ (typeattributeset ubac_constrained_type (dbusd_type ))
|
||
+ (typeattributeset cil_gen_require kernel_system_state_reader)
|
||
+ (typeattributeset kernel_system_state_reader (dbusd_type ))
|
||
+ (typeattributeset cil_gen_require application_exec_type)
|
||
+ (typeattributeset application_exec_type (dbusd_exec_t ))
|
||
+ (typeattributeset cil_gen_require nsswitch_domain)
|
||
+ (typeattributeset nsswitch_domain (dbusd_type ))
|
||
+ (typeattributeset cil_gen_require session_bus_type)
|
||
+ (typeattributeset session_bus_type (dbusd_type ))
|
||
+ (typeattributeset cil_gen_require entry_type)
|
||
+ (typeattributeset entry_type (dbusd_exec_t ))
|
||
+ (typeattributeset cil_gen_require non_auth_file_type)
|
||
+ (typeattributeset non_auth_file_type (dbusd_exec_t ))
|
||
+ (typeattributeset cil_gen_require domain)
|
||
+ (typeattributeset domain (dbusd_type ))
|
||
+ (allow utype session_dbusd_tmp_t (dir (ioctl write getattr lock open add_name search)))
|
||
+ (allow utype session_dbusd_tmp_t (sock_file (create getattr setattr open)))
|
||
+ (allow utype system_dbusd_t (dbus (send_msg)))
|
||
+ (allow dbusd_type dbusd_exec_t (file (entrypoint)))
|
||
+ (allow dbusd_type dbusd_exec_t (file (ioctl read getattr lock map execute open)))
|
||
+ (allow dbusd_type security_t (lnk_file (read getattr)))
|
||
+ (allow dbusd_type sysfs_t (filesystem (getattr)))
|
||
+ (allow dbusd_type sysfs_t (dir (getattr open search)))
|
||
+ (allow dbusd_type sysfs_t (dir (getattr open search)))
|
||
+ (allow dbusd_type security_t (filesystem (getattr)))
|
||
+ (allow utype dbusd_type (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown connectto)))
|
||
+ (allow dbusd_type utype (unix_stream_socket (read write getattr accept getopt)))
|
||
+ (allow dbusd_type utype (unix_dgram_socket (sendto)))
|
||
+ (allow utype dbusd_type (dbus (acquire_svc send_msg)))
|
||
+ (allow dbusd_unconfined dbusd_type (dbus (acquire_svc send_msg)))
|
||
+ (allow utype system_dbusd_t (dbus (acquire_svc send_msg)))
|
||
+ (allow utype dbusd_type (process (noatsecure siginh rlimitinh)))
|
||
+ (allow dbusd_type utype (dbus (send_msg)))
|
||
+ (allow utype dbusd_type (dbus (send_msg)))
|
||
+ (allow dbusd_type utype (system (start reload)))
|
||
+ (allow dbusd_type session_dbusd_tmp_t (service (start stop)))
|
||
+ (allow utype session_dbusd_tmp_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow utype session_dbusd_tmp_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow dbusd_type dbusd_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
||
+ (allow utype dbusd_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow utype dbusd_type (process (transition)))
|
||
+ (typetransition utype dbusd_exec_t process dbusd_type)
|
||
+ (allow dbusd_type utype (fd (use)))
|
||
+ (allow dbusd_type utype (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow dbusd_type utype (process (sigchld)))
|
||
+ (allow utype dbusd_type (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype dbusd_type (file (ioctl read getattr lock open)))
|
||
+ (allow utype dbusd_type (lnk_file (read getattr)))
|
||
+ (allow utype dbusd_type (process (getattr)))
|
||
+ (allow utype dbusd_type (process (sigchld sigkill sigstop signull signal)))
|
||
+ (allow dbusd_type bin_t (dir (getattr open search)))
|
||
+ (allow dbusd_type bin_t (lnk_file (read getattr)))
|
||
+ (allow dbusd_type bin_t (file (ioctl read getattr map execute open)))
|
||
+ (allow dbusd_type utype (process (transition)))
|
||
+ (allow dbusd_type usr_t (dir (getattr open search)))
|
||
+ (allow dbusd_type usr_t (lnk_file (read getattr)))
|
||
+ (allow dbusd_type usr_t (file (ioctl read getattr map execute open)))
|
||
+ (allow dbusd_type utype (process (transition)))
|
||
+ (typetransition dbusd_type bin_t process utype)
|
||
+ (typetransition dbusd_type usr_t process utype)
|
||
+ (allow dbusd_type bin_t (dir (getattr open search)))
|
||
+ (allow dbusd_type bin_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow dbusd_type bin_t (dir (getattr open search)))
|
||
+ (allow dbusd_type bin_t (lnk_file (read getattr)))
|
||
+ (allow dbusd_type shell_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow dbusd_type utype (process (transition)))
|
||
+ (typetransition dbusd_type shell_exec_t process utype)
|
||
+ (allow dbusd_type utype (process (sigkill)))
|
||
+ (allow utype dbusd_type (fd (use)))
|
||
+ (allow utype dbusd_type (fifo_file (ioctl read write getattr lock append open)))
|
||
+ (allow dbusd_type file_type (service (start stop status reload enable disable)))
|
||
+ (dontaudit dbusd_type self (capability (net_admin)))
|
||
+ (allow utype session_dbusd_tmp_t (dir (getattr open search)))
|
||
+ (allow utype session_dbusd_tmp_t (sock_file (write getattr append open)))
|
||
+ (booleanif (deny_ptrace)
|
||
+ (false
|
||
+ (allow utype dbusd_type (process (ptrace)))
|
||
+ )
|
||
+ )
|
||
+ (optional confinedom_user_login_optional_12
|
||
+ (typeattributeset cil_gen_require entry_type)
|
||
+ (typeattributeset cil_gen_require exec_type)
|
||
+ (typeattributeset cil_gen_require file_type)
|
||
+ (typeattributeset cil_gen_require non_security_file_type)
|
||
+ (typeattributeset cil_gen_require non_auth_file_type)
|
||
+ (typeattributeset cil_gen_require mozilla_exec_t)
|
||
+ (typeattributeset cil_gen_require file_type)
|
||
+ (typeattributeset file_type (mozilla_exec_t ))
|
||
+ (typeattributeset cil_gen_require non_security_file_type)
|
||
+ (typeattributeset non_security_file_type (mozilla_exec_t ))
|
||
+ (typeattributeset cil_gen_require exec_type)
|
||
+ (typeattributeset exec_type (mozilla_exec_t ))
|
||
+ (typeattributeset cil_gen_require entry_type)
|
||
+ (typeattributeset entry_type (mozilla_exec_t ))
|
||
+ (typeattributeset cil_gen_require non_auth_file_type)
|
||
+ (typeattributeset non_auth_file_type (mozilla_exec_t ))
|
||
+ (allow utype mozilla_exec_t (file (entrypoint)))
|
||
+ (allow utype mozilla_exec_t (file (ioctl read getattr lock map execute open)))
|
||
+ (allow dbusd_type mozilla_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow dbusd_type utype (process (transition)))
|
||
+ (typetransition dbusd_type mozilla_exec_t process utype)
|
||
+ (allow utype dbusd_type (fd (use)))
|
||
+ (allow utype dbusd_type (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow utype dbusd_type (process (sigchld)))
|
||
+ )
|
||
+ (optional confinedom_user_login_optional_13
|
||
+ (typeattributeset cil_gen_require systemd_unit_file_t)
|
||
+ (allow dbusd_type systemd_unit_file_t (service (start)))
|
||
+ )
|
||
+ )
|
||
+ (optional confinedom_user_login_optional_14
|
||
+ ;(type gkeyringd_type)
|
||
+ (roletype object_r gkeyringd_type)
|
||
+ (roleattributeset cil_gen_require gconfd_roles)
|
||
+ (typeattributeset cil_gen_require shell_exec_t)
|
||
+ (typeattributeset cil_gen_require entry_type)
|
||
+ (typeattributeset cil_gen_require exec_type)
|
||
+ (typeattributeset cil_gen_require file_type)
|
||
+ (typeattributeset cil_gen_require non_security_file_type)
|
||
+ (typeattributeset cil_gen_require non_auth_file_type)
|
||
+ (typeattributeset cil_gen_require domain)
|
||
+ (typeattributeset cil_gen_require corenet_unlabeled_type)
|
||
+ (typeattributeset cil_gen_require process_user_target)
|
||
+ (typeattributeset cil_gen_require ubac_constrained_type)
|
||
+ (typeattributeset cil_gen_require user_tmp_t)
|
||
+ (typeattributeset cil_gen_require tmp_t)
|
||
+ (typeattributeset cil_gen_require tmpfs_t)
|
||
+ (typeattributeset cil_gen_require bin_t)
|
||
+ (typeattributeset cil_gen_require application_exec_type)
|
||
+ (typeattributeset cil_gen_require nsswitch_domain)
|
||
+ (typeattributeset cil_gen_require netlabel_peer_type)
|
||
+ (typeattributeset cil_gen_require syslog_client_type)
|
||
+ (typeattributeset cil_gen_require kernel_system_state_reader)
|
||
+ (typeattributeset cil_gen_require application_domain_type)
|
||
+ (typeattributeset cil_gen_require userdom_home_manager_type)
|
||
+ (typeattributeset cil_gen_require usr_t)
|
||
+ (typeattributeset cil_gen_require gnomedomain)
|
||
+ (typeattributeset cil_gen_require gkeyringd_domain)
|
||
+ (typeattributeset cil_gen_require gnome_home_type)
|
||
+ (typeattributeset cil_gen_require gkeyringd_exec_t)
|
||
+ (typeattributeset cil_gen_require gkeyringd_tmp_t)
|
||
+ (typeattributeset cil_gen_require gconfd_t)
|
||
+ (typeattributeset cil_gen_require gconfd_exec_t)
|
||
+ (typeattributeset cil_gen_require gconf_tmp_t)
|
||
+ (typeattributeset cil_gen_require cache_home_t)
|
||
+ (roleattributeset cil_gen_require urole)
|
||
+ (roletype urole gkeyringd_type)
|
||
+ (roleattributeset cil_gen_require gconfd_roles)
|
||
+ (roleattributeset gconfd_roles (urole ))
|
||
+ (typeattributeset cil_gen_require netlabel_peer_type)
|
||
+ (typeattributeset netlabel_peer_type (gkeyringd_type ))
|
||
+ (typeattributeset cil_gen_require corenet_unlabeled_type)
|
||
+ (typeattributeset corenet_unlabeled_type (gkeyringd_type ))
|
||
+ (typeattributeset cil_gen_require syslog_client_type)
|
||
+ (typeattributeset syslog_client_type (gkeyringd_type ))
|
||
+ (typeattributeset cil_gen_require file_type)
|
||
+ (typeattributeset file_type (gkeyringd_exec_t ))
|
||
+ (typeattributeset cil_gen_require non_security_file_type)
|
||
+ (typeattributeset non_security_file_type (gkeyringd_exec_t ))
|
||
+ (typeattributeset cil_gen_require exec_type)
|
||
+ (typeattributeset exec_type (gkeyringd_exec_t ))
|
||
+ (typeattributeset cil_gen_require application_domain_type)
|
||
+ (typeattributeset application_domain_type (gkeyringd_type ))
|
||
+ (typeattributeset cil_gen_require userdom_home_manager_type)
|
||
+ (typeattributeset userdom_home_manager_type (gkeyringd_type ))
|
||
+ (typeattributeset cil_gen_require ubac_constrained_type)
|
||
+ (typeattributeset ubac_constrained_type (gkeyringd_type ))
|
||
+ (typeattributeset cil_gen_require kernel_system_state_reader)
|
||
+ (typeattributeset kernel_system_state_reader (gkeyringd_type ))
|
||
+ (typeattributeset cil_gen_require gnomedomain)
|
||
+ (typeattributeset gnomedomain (gkeyringd_type ))
|
||
+ (typeattributeset cil_gen_require application_exec_type)
|
||
+ (typeattributeset application_exec_type (gkeyringd_exec_t ))
|
||
+ (typeattributeset cil_gen_require gkeyringd_domain)
|
||
+ (typeattributeset gkeyringd_domain (gkeyringd_type ))
|
||
+ (typeattributeset cil_gen_require nsswitch_domain)
|
||
+ (typeattributeset nsswitch_domain (gkeyringd_type ))
|
||
+ (typeattributeset cil_gen_require entry_type)
|
||
+ (typeattributeset entry_type (gkeyringd_exec_t ))
|
||
+ (typeattributeset cil_gen_require non_auth_file_type)
|
||
+ (typeattributeset non_auth_file_type (gkeyringd_exec_t ))
|
||
+ (typeattributeset cil_gen_require domain)
|
||
+ (typeattributeset domain (gkeyringd_type ))
|
||
+ (typeattributeset cil_gen_require process_user_target)
|
||
+ (typeattributeset process_user_target (gkeyringd_type ))
|
||
+ (allow gkeyringd_type gkeyringd_exec_t (file (entrypoint)))
|
||
+ (allow gkeyringd_type gkeyringd_exec_t (file (ioctl read getattr lock map execute open)))
|
||
+ (allow utype gconfd_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow utype gconfd_t (process (transition)))
|
||
+ (typetransition utype gconfd_exec_t process gconfd_t)
|
||
+ (allow gconfd_t utype (fd (use)))
|
||
+ (allow gconfd_t utype (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow gconfd_t utype (process (sigchld)))
|
||
+ (allow utype gconfd_t (process (sigchld sigkill sigstop signull signal)))
|
||
+ (allow utype gconfd_t (unix_stream_socket (connectto)))
|
||
+ (allow utype gconfd_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype gconfd_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype gconfd_t (lnk_file (read getattr)))
|
||
+ (allow utype gconfd_t (process (getattr)))
|
||
+ (allow gkeyringd_type utype (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown connectto)))
|
||
+ (allow gkeyringd_type self (process (setsched)))
|
||
+ (allow utype gkeyringd_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow utype gkeyringd_type (process (transition)))
|
||
+ (typetransition utype gkeyringd_exec_t process gkeyringd_type)
|
||
+ (allow gkeyringd_type utype (fd (use)))
|
||
+ (allow gkeyringd_type utype (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow gkeyringd_type utype (process (sigchld)))
|
||
+ (allow utype gnome_home_type (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow utype gkeyringd_tmp_t (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow utype gconf_tmp_t (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow utype gnome_home_type (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads)))
|
||
+ (allow utype gkeyringd_tmp_t (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads)))
|
||
+ (allow utype gconf_tmp_t (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads)))
|
||
+ (allow utype gkeyringd_tmp_t (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open)))
|
||
+ (allow utype gkeyringd_type (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype gkeyringd_type (file (ioctl read getattr lock open)))
|
||
+ (allow utype gkeyringd_type (lnk_file (read getattr)))
|
||
+ (allow utype gkeyringd_type (process (getattr)))
|
||
+ (allow utype gkeyringd_type (process (sigchld sigkill sigstop signull signal)))
|
||
+ (dontaudit utype gkeyringd_exec_t (file (entrypoint)))
|
||
+ (allow gkeyringd_type utype (process (sigkill)))
|
||
+ (allow utype gkeyringd_type (fd (use)))
|
||
+ (allow utype gkeyringd_type (fifo_file (ioctl read write getattr lock append open)))
|
||
+ (allow utype gkeyringd_type (dbus (acquire_svc)))
|
||
+ (allow utype gkeyringd_tmp_t (dir (getattr open search)))
|
||
+ (allow utype gkeyringd_tmp_t (sock_file (write getattr append open)))
|
||
+ (allow utype gkeyringd_type (unix_stream_socket (connectto)))
|
||
+ (allow gkeyringd_type bin_t (dir (getattr open search)))
|
||
+ (allow gkeyringd_type bin_t (lnk_file (read getattr)))
|
||
+ (allow gkeyringd_type bin_t (file (ioctl read getattr map execute open)))
|
||
+ (allow gkeyringd_type utype (process (transition)))
|
||
+ (allow gkeyringd_type usr_t (dir (getattr open search)))
|
||
+ (allow gkeyringd_type usr_t (lnk_file (read getattr)))
|
||
+ (allow gkeyringd_type usr_t (file (ioctl read getattr map execute open)))
|
||
+ (allow gkeyringd_type utype (process (transition)))
|
||
+ (typetransition gkeyringd_type bin_t process utype)
|
||
+ (typetransition gkeyringd_type usr_t process utype)
|
||
+ (allow gkeyringd_type bin_t (dir (getattr open search)))
|
||
+ (allow gkeyringd_type bin_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow gkeyringd_type bin_t (dir (getattr open search)))
|
||
+ (allow gkeyringd_type bin_t (lnk_file (read getattr)))
|
||
+ (allow gkeyringd_type shell_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow gkeyringd_type utype (process (transition)))
|
||
+ (typetransition gkeyringd_type shell_exec_t process utype)
|
||
+ (allow utype gconf_tmp_t (dir (getattr open search)))
|
||
+ (allow utype tmpfs_t (dir (getattr open search)))
|
||
+ (allow utype tmp_t (dir (getattr open search)))
|
||
+ (allow utype tmp_t (lnk_file (read getattr)))
|
||
+ (allow utype tmp_t (dir (getattr open search)))
|
||
+ (allow utype user_tmp_t (dir (getattr open search)))
|
||
+ (allow utype gkeyringd_tmp_t (dir (getattr open search)))
|
||
+ (allow utype gkeyringd_tmp_t (sock_file (write getattr append open)))
|
||
+ (allow utype gkeyringd_domain (unix_stream_socket (connectto)))
|
||
+ (allow utype cache_home_t (dir (getattr open search)))
|
||
+ (allow utype cache_home_t (sock_file (write getattr append open)))
|
||
+ (allow utype gkeyringd_domain (unix_stream_socket (connectto)))
|
||
+ (allow gkeyringd_type utype (dir (ioctl read getattr lock open search)))
|
||
+ (allow gkeyringd_type utype (file (ioctl read getattr lock open)))
|
||
+ (allow gkeyringd_type utype (lnk_file (read getattr)))
|
||
+ (allow gkeyringd_type utype (process (getattr)))
|
||
+ (allow gkeyringd_type user_tmp_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow gkeyringd_type user_tmp_t (sock_file (read write getattr append)))
|
||
+ (allow gkeyringd_type tmpfs_t (dir (getattr open search)))
|
||
+ (allow gkeyringd_type tmp_t (dir (getattr open search)))
|
||
+ (allow gkeyringd_type tmp_t (lnk_file (read getattr)))
|
||
+ (allow gkeyringd_type tmp_t (dir (getattr open search)))
|
||
+ (allow gkeyringd_type utype (dbus (acquire_svc send_msg)))
|
||
+ (allow utype gkeyringd_type (dbus (send_msg)))
|
||
+ (optional confinedom_user_login_optional_15
|
||
+ (typeattributeset cil_gen_require user_home_dir_t)
|
||
+ (typeattributeset cil_gen_require home_root_t)
|
||
+ (typeattributeset cil_gen_require system_dbusd_t)
|
||
+ (typeattributeset cil_gen_require session_bus_type)
|
||
+ (typeattributeset cil_gen_require dbusd_type)
|
||
+ (typeattributeset cil_gen_require gnome_home_t)
|
||
+ (typeattributeset cil_gen_require data_home_t)
|
||
+ (typeattributeset cil_gen_require gconf_home_t)
|
||
+ (allow dbusd_type gkeyringd_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow dbusd_type gkeyringd_type (process (transition)))
|
||
+ (typetransition dbusd_type gkeyringd_exec_t process gkeyringd_type)
|
||
+ (allow gkeyringd_type dbusd_type (fd (use)))
|
||
+ (allow gkeyringd_type dbusd_type (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow gkeyringd_type dbusd_type (process (sigchld)))
|
||
+ (allow gkeyringd_type session_bus_type (dbus (send_msg)))
|
||
+ (allow gkeyringd_type self (dbus (send_msg)))
|
||
+ (allow gkeyringd_type session_bus_type (unix_stream_socket (connectto)))
|
||
+ (allow session_bus_type gkeyringd_type (process (sigkill)))
|
||
+ (allow gkeyringd_type session_bus_type (dbus (acquire_svc)))
|
||
+ (allow gkeyringd_type system_dbusd_t (unix_stream_socket (connectto)))
|
||
+ (allow gkeyringd_type system_dbusd_t (dbus (send_msg)))
|
||
+ (allow gkeyringd_type user_home_dir_t (dir (getattr open search)))
|
||
+ (allow gkeyringd_type user_home_dir_t (lnk_file (read getattr)))
|
||
+ (allow gkeyringd_type home_root_t (dir (getattr open search)))
|
||
+ (allow gkeyringd_type home_root_t (lnk_file (read getattr)))
|
||
+ (allow gkeyringd_type gnome_home_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow gkeyringd_type data_home_t (dir (getattr open search)))
|
||
+ (allow gkeyringd_type gconf_home_t (dir (getattr open search)))
|
||
+ (allow gkeyringd_type data_home_t (file (ioctl read getattr lock open)))
|
||
+ (allow gkeyringd_type data_home_t (dir (getattr open search)))
|
||
+ (allow gkeyringd_type gconf_home_t (dir (getattr open search)))
|
||
+ (allow gkeyringd_type data_home_t (lnk_file (read getattr)))
|
||
+ (allow gkeyringd_type data_home_t (dir (getattr open search)))
|
||
+ (allow gkeyringd_type gconf_home_t (dir (getattr open search)))
|
||
+ (allow gkeyringd_type data_home_t (dir (ioctl read getattr lock open search)))
|
||
+ (optional confinedom_user_login_optional_16
|
||
+ (typeattributeset cil_gen_require proc_t)
|
||
+ (typeattributeset cil_gen_require telepathy_mission_control_t)
|
||
+ (typeattributeset cil_gen_require telepathy_gabble_t)
|
||
+ (allow gkeyringd_type proc_t (dir (getattr open search)))
|
||
+ (allow gkeyringd_type proc_t (dir (getattr open search)))
|
||
+ (allow gkeyringd_type telepathy_mission_control_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow gkeyringd_type telepathy_mission_control_t (file (ioctl read getattr lock open)))
|
||
+ (allow gkeyringd_type telepathy_mission_control_t (lnk_file (read getattr)))
|
||
+ (allow gkeyringd_type telepathy_mission_control_t (process (getattr)))
|
||
+ (allow telepathy_gabble_t gkeyringd_tmp_t (dir (getattr open search)))
|
||
+ (allow telepathy_gabble_t gkeyringd_tmp_t (sock_file (write getattr append open)))
|
||
+ (allow telepathy_gabble_t gkeyringd_type (unix_stream_socket (connectto)))
|
||
+ )
|
||
+ (optional confinedom_user_login_optional_17
|
||
+ (typeattributeset cil_gen_require systemd_logind_t)
|
||
+ (allow gkeyringd_type systemd_logind_t (dbus (send_msg)))
|
||
+ (allow systemd_logind_t gkeyringd_type (dbus (send_msg)))
|
||
+ (allow systemd_logind_t gkeyringd_type (dir (ioctl read getattr lock open search)))
|
||
+ (allow systemd_logind_t gkeyringd_type (file (ioctl read getattr lock open)))
|
||
+ (allow systemd_logind_t gkeyringd_type (lnk_file (read getattr)))
|
||
+ (allow systemd_logind_t gkeyringd_type (process (getattr)))
|
||
+ (allow systemd_logind_t gkeyringd_type (process (signal)))
|
||
+ (allow gkeyringd_type systemd_logind_t (fd (use)))
|
||
+ )
|
||
+ )
|
||
+ (optional confinedom_user_login_optional_18
|
||
+ (typeattributeset cil_gen_require bin_t)
|
||
+ (typeattributeset cil_gen_require ssh_agent_exec_t)
|
||
+ (allow gkeyringd_type bin_t (dir (getattr open search)))
|
||
+ (allow gkeyringd_type bin_t (lnk_file (read getattr)))
|
||
+ (allow gkeyringd_type bin_t (dir (getattr open search)))
|
||
+ (allow gkeyringd_type bin_t (dir (getattr open search)))
|
||
+ (allow gkeyringd_type ssh_agent_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
||
+ )
|
||
+ )
|
||
+ (optional confinedom_user_login_optional_19
|
||
+ (typeattributeset cil_gen_require var_t)
|
||
+ (typeattributeset cil_gen_require var_lib_t)
|
||
+ (typeattributeset cil_gen_require locate_var_lib_t)
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_lib_t (dir (getattr open search)))
|
||
+ (allow utype locate_var_lib_t (dir (getattr open search)))
|
||
+ (allow utype locate_var_lib_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype locate_var_lib_t (dir (ioctl read getattr lock open search)))
|
||
+ )
|
||
+ (optional confinedom_user_login_optional_20
|
||
+ (typeattributeset cil_gen_require var_t)
|
||
+ (typeattributeset cil_gen_require mail_spool_t)
|
||
+ (typeattributeset cil_gen_require var_spool_t)
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_spool_t (dir (getattr open search)))
|
||
+ (allow utype mail_spool_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype mail_spool_t (dir (getattr open search)))
|
||
+ (allow utype mail_spool_t (file (getattr)))
|
||
+ (allow utype mail_spool_t (dir (getattr open search)))
|
||
+ (allow utype mail_spool_t (lnk_file (read getattr)))
|
||
+ )
|
||
+ )
|
||
+ )
|
||
+)
|
||
+
|
||
+(macro confined_ssh_connect_macro ((type utype) (role urole) (type ssh_agent_type))
|
||
+ (optional confined_ssh_connect_macro_optional
|
||
+ (typeattributeset cil_gen_require sshd_t)
|
||
+ (typeattributeset cil_gen_require ptmx_t)
|
||
+ (typeattributeset cil_gen_require device_t)
|
||
+ (typeattributeset cil_gen_require sshd_devpts_t)
|
||
+ (typeattributeset cil_gen_require ssh_server)
|
||
+ (typeattributeset cil_gen_require ssh_t)
|
||
+ (typeattributeset cil_gen_require ssh_exec_t)
|
||
+ (typeattributeset cil_gen_require ssh_tmpfs_t)
|
||
+ (typeattributeset cil_gen_require ssh_home_t)
|
||
+ (typeattributeset cil_gen_require ssh_agent_exec_t)
|
||
+ (typeattributeset cil_gen_require ssh_keysign_t)
|
||
+ (typeattributeset cil_gen_require ssh_agent_tmp_t)
|
||
+ (typeattributeset cil_gen_require cache_home_t)
|
||
+ (typeattributeset cil_gen_require application_domain_type)
|
||
+ (typeattributeset cil_gen_require domain)
|
||
+ (typeattributeset cil_gen_require corenet_unlabeled_type)
|
||
+ (typeattributeset cil_gen_require application_exec_type)
|
||
+ (typeattributeset cil_gen_require exec_type)
|
||
+ (typeattributeset cil_gen_require file_type)
|
||
+ (typeattributeset cil_gen_require non_security_file_type)
|
||
+ (typeattributeset cil_gen_require non_auth_file_type)
|
||
+ (typeattributeset cil_gen_require entry_type)
|
||
+ (typeattributeset cil_gen_require ubac_constrained_type)
|
||
+ (typeattributeset cil_gen_require privfd)
|
||
+ (typeattributeset cil_gen_require user_home_dir_t)
|
||
+ (typeattributeset cil_gen_require home_root_t)
|
||
+ (typeattributeset cil_gen_require user_tmp_type)
|
||
+ (typeattributeset cil_gen_require user_tmp_t)
|
||
+ (typeattributeset cil_gen_require tmp_t)
|
||
+ (typeattributeset cil_gen_require tmpfs_t)
|
||
+ (typeattributeset cil_gen_require kernel_system_state_reader)
|
||
+ (typeattributeset cil_gen_require shell_exec_t)
|
||
+ (typeattributeset cil_gen_require bin_t)
|
||
+ (typeattributeset cil_gen_require usr_t)
|
||
+ (typeattributeset cil_gen_require nsswitch_domain)
|
||
+ (typeattributeset cil_gen_require netlabel_peer_type)
|
||
+ (typeattributeset cil_gen_require syslog_client_type)
|
||
+ (typeattributeset cil_gen_require tty_device_t)
|
||
+ (typeattributeset cil_gen_require user_home_t)
|
||
+ (typeattributeset cil_gen_require userdom_home_manager_type)
|
||
+ (typeattributeset cil_gen_require ssh_keygen_exec_t)
|
||
+ (roleattributeset cil_gen_require urole)
|
||
+ (roletype object_r ssh_agent_type)
|
||
+ (roletype urole ssh_t)
|
||
+ (roletype urole ssh_agent_type)
|
||
+ (roletype urole user_tmp_t)
|
||
+ (typeattributeset cil_gen_require netlabel_peer_type)
|
||
+ (typeattributeset netlabel_peer_type (ssh_agent_type ))
|
||
+ (typeattributeset cil_gen_require corenet_unlabeled_type)
|
||
+ (typeattributeset corenet_unlabeled_type (ssh_agent_type ))
|
||
+ (typeattributeset cil_gen_require privfd)
|
||
+ (typeattributeset privfd (ssh_agent_type ))
|
||
+ (typeattributeset cil_gen_require syslog_client_type)
|
||
+ (typeattributeset syslog_client_type (ssh_agent_type ))
|
||
+ (typeattributeset cil_gen_require file_type)
|
||
+ (typeattributeset file_type (ssh_agent_exec_t ))
|
||
+ (typeattributeset cil_gen_require non_security_file_type)
|
||
+ (typeattributeset non_security_file_type (ssh_agent_exec_t ))
|
||
+ (typeattributeset cil_gen_require exec_type)
|
||
+ (typeattributeset exec_type (ssh_agent_exec_t ))
|
||
+ (typeattributeset cil_gen_require application_domain_type)
|
||
+ (typeattributeset application_domain_type (ssh_agent_type ))
|
||
+ (typeattributeset cil_gen_require userdom_home_manager_type)
|
||
+ (typeattributeset userdom_home_manager_type (ssh_agent_type ))
|
||
+ (typeattributeset cil_gen_require ubac_constrained_type)
|
||
+ (typeattributeset ubac_constrained_type (ssh_agent_type ))
|
||
+ (typeattributeset cil_gen_require ssh_agent_type)
|
||
+ (typeattributeset cil_gen_require kernel_system_state_reader)
|
||
+ (typeattributeset kernel_system_state_reader (ssh_agent_type ))
|
||
+ (typeattributeset cil_gen_require application_exec_type)
|
||
+ (typeattributeset application_exec_type (ssh_agent_exec_t ))
|
||
+ (typeattributeset cil_gen_require nsswitch_domain)
|
||
+ (typeattributeset nsswitch_domain (ssh_agent_type ))
|
||
+ (typeattributeset cil_gen_require entry_type)
|
||
+ (typeattributeset entry_type (ssh_agent_exec_t ))
|
||
+ (typeattributeset cil_gen_require non_auth_file_type)
|
||
+ (typeattributeset non_auth_file_type (ssh_agent_exec_t ))
|
||
+ (typeattributeset cil_gen_require domain)
|
||
+ (typeattributeset domain (ssh_agent_type ))
|
||
+ (allow sshd_t utype (process (dyntransition)))
|
||
+ (allow utype sshd_t (process (sigchld)))
|
||
+ (allow sshd_t utype (process (sigkill sigstop signull signal getattr)))
|
||
+ (allow utype device_t (dir (getattr open search)))
|
||
+ (allow utype device_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype device_t (dir (getattr open search)))
|
||
+ (allow utype device_t (lnk_file (read getattr)))
|
||
+ (allow utype ptmx_t (chr_file (ioctl read write getattr lock append open)))
|
||
+ (allow utype sshd_devpts_t (chr_file (ioctl read write getattr lock append)))
|
||
+ (allow ssh_agent_type ssh_agent_exec_t (file (entrypoint)))
|
||
+ (allow ssh_agent_type ssh_agent_exec_t (file (ioctl read getattr lock map execute open)))
|
||
+ (allow utype ssh_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow utype ssh_t (process (transition)))
|
||
+ (typetransition utype ssh_exec_t process ssh_t)
|
||
+ (allow ssh_t utype (fd (use)))
|
||
+ (allow ssh_t utype (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow ssh_t utype (process (sigchld)))
|
||
+ (allow utype ssh_server (unix_stream_socket (ioctl read write getattr setattr lock append bind connect listen accept getopt setopt shutdown)))
|
||
+ (allow utype ssh_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype ssh_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype ssh_t (lnk_file (read getattr)))
|
||
+ (allow utype ssh_t (process (getattr)))
|
||
+ (allow utype ssh_t (process (sigchld sigkill sigstop signull signal)))
|
||
+ (allow ssh_t utype (unix_stream_socket (ioctl read write getattr setattr lock append bind connect getopt setopt shutdown)))
|
||
+ (allow ssh_t utype (unix_stream_socket (connectto)))
|
||
+ (allow ssh_t utype (key (view read write search link setattr create)))
|
||
+ (allow utype ssh_t (key (view read write search)))
|
||
+ (allow utype ssh_home_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype ssh_home_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow utype ssh_home_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype ssh_home_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads)))
|
||
+ (allow utype ssh_home_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype ssh_home_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
||
+ (allow utype user_home_dir_t (dir (getattr open search)))
|
||
+ (allow utype user_home_dir_t (lnk_file (read getattr)))
|
||
+ (allow utype home_root_t (dir (getattr open search)))
|
||
+ (allow utype home_root_t (lnk_file (read getattr)))
|
||
+ (typemember ssh_t tmp_t dir user_tmp_t)
|
||
+ (allow ssh_t user_tmp_type (dir (mounton)))
|
||
+ (allow ssh_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow ssh_t user_tmp_type (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
||
+ (allow ssh_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow ssh_t user_tmp_type (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow ssh_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow ssh_t user_tmp_type (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads)))
|
||
+ (allow ssh_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow ssh_t user_tmp_type (sock_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
||
+ (allow ssh_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow ssh_t user_tmp_type (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
||
+ (allow ssh_t tmp_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (typetransition ssh_t tmp_t fifo_file user_tmp_t)
|
||
+ (typetransition ssh_t tmp_t sock_file user_tmp_t)
|
||
+ (typetransition ssh_t tmp_t lnk_file user_tmp_t)
|
||
+ (typetransition ssh_t tmp_t dir user_tmp_t)
|
||
+ (typetransition ssh_t tmp_t file user_tmp_t)
|
||
+ (allow user_tmp_t tmpfs_t (filesystem (associate)))
|
||
+ (allow ssh_t tmpfs_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (typetransition ssh_t tmpfs_t fifo_file user_tmp_t)
|
||
+ (typetransition ssh_t tmpfs_t sock_file user_tmp_t)
|
||
+ (typetransition ssh_t tmpfs_t lnk_file user_tmp_t)
|
||
+ (typetransition ssh_t tmpfs_t dir user_tmp_t)
|
||
+ (typetransition ssh_t tmpfs_t file user_tmp_t)
|
||
+ (allow ssh_t user_tmp_type (dir (getattr open search)))
|
||
+ (allow ssh_t user_tmp_type (dir (getattr relabelfrom relabelto)))
|
||
+ (allow ssh_t user_tmp_type (dir (getattr open search)))
|
||
+ (allow ssh_t user_tmp_type (file (getattr relabelfrom relabelto)))
|
||
+ (allow ssh_t user_tmp_type (dir (getattr open search)))
|
||
+ (allow ssh_t user_tmp_type (lnk_file (getattr relabelfrom relabelto)))
|
||
+ (allow ssh_t user_tmp_type (dir (getattr open search)))
|
||
+ (allow ssh_t user_tmp_type (sock_file (getattr relabelfrom relabelto)))
|
||
+ (allow ssh_t user_tmp_type (dir (getattr open search)))
|
||
+ (allow ssh_t user_tmp_type (fifo_file (getattr relabelfrom relabelto)))
|
||
+ (allow ssh_t user_tmp_type (file (map)))
|
||
+ (allow ssh_agent_type utype (process (signull)))
|
||
+ (allow ssh_agent_type ssh_agent_type (process (signull)))
|
||
+ (allow ssh_agent_type self (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown connectto)))
|
||
+ (allow utype ssh_agent_tmp_t (dir (getattr open search)))
|
||
+ (allow utype ssh_agent_tmp_t (sock_file (write getattr append open)))
|
||
+ (allow utype ssh_agent_type (unix_stream_socket (connectto)))
|
||
+ (allow utype cache_home_t (dir (getattr open search)))
|
||
+ (allow utype cache_home_t (sock_file (write getattr append open)))
|
||
+ (allow utype ssh_agent_type (unix_stream_socket (connectto)))
|
||
+ (allow utype ssh_agent_type (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown)))
|
||
+ (allow utype ssh_agent_type (process (sigchld sigkill sigstop signull signal)))
|
||
+ (allow utype ssh_agent_type (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype ssh_agent_type (file (ioctl read getattr lock open)))
|
||
+ (allow utype ssh_agent_type (lnk_file (read getattr)))
|
||
+ (allow utype ssh_agent_type (process (getattr)))
|
||
+ (allow ssh_agent_type ssh_agent_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
||
+ (allow utype ssh_agent_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow utype ssh_agent_type (process (transition)))
|
||
+ (typetransition utype ssh_agent_exec_t process ssh_agent_type)
|
||
+ (allow ssh_agent_type utype (fd (use)))
|
||
+ (allow ssh_agent_type utype (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow ssh_agent_type utype (process (sigchld)))
|
||
+ (allow ssh_agent_type bin_t (dir (getattr open search)))
|
||
+ (allow ssh_agent_type bin_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow ssh_agent_type bin_t (dir (getattr open search)))
|
||
+ (allow ssh_agent_type bin_t (lnk_file (read getattr)))
|
||
+ (allow ssh_agent_type shell_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow ssh_agent_type utype (process (transition)))
|
||
+ (typetransition ssh_agent_type shell_exec_t process utype)
|
||
+ (allow ssh_agent_type bin_t (dir (getattr open search)))
|
||
+ (allow ssh_agent_type bin_t (lnk_file (read getattr)))
|
||
+ (allow ssh_agent_type bin_t (file (ioctl read getattr map execute open)))
|
||
+ (allow ssh_agent_type utype (process (transition)))
|
||
+ (allow ssh_agent_type usr_t (dir (getattr open search)))
|
||
+ (allow ssh_agent_type usr_t (lnk_file (read getattr)))
|
||
+ (allow ssh_agent_type usr_t (file (ioctl read getattr map execute open)))
|
||
+ (allow ssh_agent_type utype (process (transition)))
|
||
+ (typetransition ssh_agent_type bin_t process utype)
|
||
+ (typetransition ssh_agent_type usr_t process utype)
|
||
+ (allow ssh_agent_type device_t (dir (getattr open search)))
|
||
+ (allow ssh_agent_type device_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow ssh_agent_type device_t (dir (getattr open search)))
|
||
+ (allow ssh_agent_type device_t (lnk_file (read getattr)))
|
||
+ (allow ssh_agent_type tty_device_t (chr_file (ioctl read write getattr lock append open)))
|
||
+ (allow ssh_agent_type user_home_t (file (ioctl read getattr map execute open)))
|
||
+ (allow ssh_agent_type utype (process (transition)))
|
||
+ (typetransition ssh_agent_type user_home_t process utype)
|
||
+ (allow ssh_agent_type user_home_dir_t (dir (getattr open search)))
|
||
+ (allow ssh_agent_type home_root_t (dir (getattr open search)))
|
||
+ (allow ssh_agent_type home_root_t (lnk_file (read getattr)))
|
||
+ (allow utype ssh_keygen_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
||
+ )
|
||
+)
|
||
+
|
||
+(macro confined_use_basic_commands_macro ((type utype) (role urole))
|
||
+ (optional confined_use_basic_commands_optional_2
|
||
+ (roleattributeset cil_gen_require urole)
|
||
+ (typeattributeset cil_gen_require init_var_lib_t)
|
||
+ (typeattributeset cil_gen_require utype)
|
||
+ (typeattributeset cil_gen_require login_confinedom)
|
||
+ (typeattributeset cil_gen_require var_t)
|
||
+ (typeattributeset cil_gen_require var_lib_t)
|
||
+ (typeattributeset cil_gen_require init_t)
|
||
+ (typeattributeset cil_gen_require var_log_t)
|
||
+ (typeattributeset cil_gen_require syslogd_var_run_t)
|
||
+ (typeattributeset cil_gen_require systemd_unit_file_type)
|
||
+ (typeattributeset cil_gen_require systemd_systemctl_exec_t)
|
||
+ (typeattributeset cil_gen_require bin_t)
|
||
+ (typeattributeset cil_gen_require cgroup_t)
|
||
+ (typeattributeset cil_gen_require tmpfs_t)
|
||
+ (typeattributeset cil_gen_require sysfs_t)
|
||
+ (typeattributeset cil_gen_require efivarfs_t)
|
||
+ (typeattributeset cil_gen_require init_var_run_t)
|
||
+ (typeattributeset cil_gen_require var_run_t)
|
||
+ (typeattributeset cil_gen_require systemd_logind_var_run_t)
|
||
+ (typeattributeset cil_gen_require systemd_passwd_agent_t)
|
||
+ (typeattributeset cil_gen_require systemd_passwd_agent_exec_t)
|
||
+ (typeattributeset cil_gen_require systemd_passwd_var_run_t)
|
||
+ (allow utype utype (process (setpgid)))
|
||
+ (allow utype utype (system (status)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_lib_t (dir (getattr open search)))
|
||
+ (allow utype init_var_lib_t (dir (getattr open search)))
|
||
+ (allow utype init_var_lib_t (file (ioctl read getattr map open)))
|
||
+ (allow utype init_t (process (signal)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_log_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype var_log_t (file (map)))
|
||
+ (allow utype var_log_t (dir (getattr open search)))
|
||
+ (allow utype var_log_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype var_log_t (dir (getattr open search)))
|
||
+ (allow utype var_log_t (lnk_file (read getattr)))
|
||
+ (allow utype syslogd_var_run_t (dir (getattr open search)))
|
||
+ (allow utype syslogd_var_run_t (file (ioctl read getattr lock open map)))
|
||
+ (allow utype syslogd_var_run_t (dir (getattr open search)))
|
||
+ (allow utype syslogd_var_run_t (dir (ioctl read getattr lock open search)))
|
||
+ ;corecmd_bin_entry_type(utype)
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype bin_t (lnk_file (read getattr)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype bin_t (file (entrypoint)))
|
||
+ (allow utype bin_t (file (ioctl read getattr lock map execute open)))
|
||
+ (allow utype usr_t (file (entrypoint)))
|
||
+ (allow utype usr_t (file (ioctl read getattr lock map execute open)))
|
||
+ (allow utype systemd_systemctl_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
||
+ (allow utype cgroup_t (dir (getattr open search)))
|
||
+ (allow utype cgroup_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype tmpfs_t (dir (getattr open search)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype cgroup_t (dir (getattr open search)))
|
||
+ (allow utype cgroup_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype cgroup_t (dir (getattr open search)))
|
||
+ (allow utype cgroup_t (lnk_file (read getattr)))
|
||
+ (allow utype tmpfs_t (dir (getattr open search)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype sysfs_t (dir (getattr open search)))
|
||
+ (allow utype efivarfs_t (dir (getattr open search)))
|
||
+ (allow utype efivarfs_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_lib_t (dir (getattr open search)))
|
||
+ (allow utype systemd_unit_file_type (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype init_var_run_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype init_t (dir (getattr open search)))
|
||
+ (allow utype init_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype init_t (lnk_file (read getattr)))
|
||
+ (allow utype init_t (unix_stream_socket (sendto)))
|
||
+ (allow utype var_t (lnk_file (read getattr)))
|
||
+ (allow utype var_run_t (lnk_file (read getattr)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_run_t (dir (getattr open search)))
|
||
+ (allow utype init_var_run_t (dir (getattr open search)))
|
||
+ (allow utype init_var_run_t (sock_file (write getattr append open)))
|
||
+ (allow utype init_t (unix_stream_socket (connectto)))
|
||
+ (allow utype init_t (unix_stream_socket (getattr)))
|
||
+ (dontaudit utype self (process (setrlimit)))
|
||
+ (dontaudit utype self (capability (sys_resource)))
|
||
+ (allow utype var_t (lnk_file (read getattr)))
|
||
+ (allow utype var_run_t (lnk_file (read getattr)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_run_t (dir (getattr open search)))
|
||
+ (allow utype systemd_logind_var_run_t (dir (getattr open search)))
|
||
+ (allow utype systemd_logind_var_run_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype var_t (lnk_file (read getattr)))
|
||
+ (allow utype var_run_t (lnk_file (read getattr)))
|
||
+ (allow utype var_t (dir (getattr open search)))
|
||
+ (allow utype var_run_t (dir (getattr open search)))
|
||
+ (allow utype systemd_logind_var_run_t (dir (getattr open search)))
|
||
+ (allow utype systemd_logind_var_run_t (file (ioctl read getattr lock open)))
|
||
+ (allow utype systemd_passwd_agent_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
||
+ (allow utype init_var_run_t (dir (getattr open search)))
|
||
+ (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype systemd_passwd_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
||
+ (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype systemd_passwd_var_run_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
||
+ (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
||
+ (allow utype systemd_passwd_var_run_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
||
+ (allow systemd_passwd_agent_t utype (process (signull)))
|
||
+ (allow systemd_passwd_agent_t utype (unix_dgram_socket (sendto)))
|
||
+ (dontaudit utype self (capability (net_admin sys_ptrace)))
|
||
+ (allow utype systemd_unit_file_type (service (status)))
|
||
+ (optional confined_use_basic_commands_optional_3
|
||
+ (typeattributeset cil_gen_require adjtime_t)
|
||
+ (typeattributeset cil_gen_require etc_t)
|
||
+ (allow utype etc_t (dir (ioctl read getattr lock open search)))
|
||
+ (allow utype adjtime_t (file (ioctl read getattr lock open)))
|
||
+ )
|
||
+ (optional confined_use_basic_commands_optional_4
|
||
+ (typeattributeset cil_gen_require mandb_cache_t)
|
||
+ (allow utype mandb_cache_t (file (map)))
|
||
+ )
|
||
+ (optional confined_use_basic_commands_optional_5
|
||
+ (roleattributeset cil_gen_require passwd_roles)
|
||
+ (typeattributeset cil_gen_require bin_t)
|
||
+ (typeattributeset cil_gen_require passwd_t)
|
||
+ (typeattributeset cil_gen_require passwd_exec_t)
|
||
+ (roleattributeset cil_gen_require passwd_roles)
|
||
+ (roleattributeset passwd_roles (urole ))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype bin_t (lnk_file (read getattr)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype bin_t (dir (getattr open search)))
|
||
+ (allow utype passwd_exec_t (file (ioctl read getattr map execute open)))
|
||
+ (allow utype passwd_t (process (transition)))
|
||
+ (typetransition utype passwd_exec_t process passwd_t)
|
||
+ (allow passwd_t utype (fd (use)))
|
||
+ (allow passwd_t utype (fifo_file (ioctl read write getattr lock append)))
|
||
+ (allow passwd_t utype (process (sigchld)))
|
||
+ )
|
||
+ )
|
||
+)
|
||
+
|
||
+;(call confinedom_admin_commands_macro (u_t u_r u_sudo_t))
|
||
+;(call confinedom_graphical_login_macro (u_t u_r u_dbus_t))
|
||
+;(call confinedom_mozilla_usage_macro (u_t u_r))
|
||
+;(call confinedom_networking_macro (u_t u_r))
|
||
+;(call confinedom_security_advanced_macro (u_t u_r u_sudo_t u_userhelper_t))
|
||
+;(call confinedom_security_basic_macro (u_t u_r))
|
||
+;(call confinedom_sudo_macro (u_t u_r u_sudo_t u_sudo_tmp_t))
|
||
+;(call confinedom_user_login_macro (u_t u_r u_gkeyringd_t u_dbus_t u_exec_content))
|
||
+;(call confined_ssh_connect_macro (u_t u_r u_ssh_agent_t))
|
||
+;(call confined_use_basic_commands_macro (u_t u_r))
|
||
--
|
||
2.41.0
|
||
|