various: several dontaudits
Signed-off-by: Kenton Groombridge <me@concord.sh>
parent
95dc0f0de3
commit
69b2259c7d
|
@ -66,6 +66,7 @@ template(`sudo_role_template',`
|
|||
allow $1_sudo_t self:unix_dgram_socket sendto;
|
||||
allow $1_sudo_t self:unix_stream_socket connectto;
|
||||
allow $1_sudo_t self:key manage_key_perms;
|
||||
dontaudit $1_sudo_t self:capability { dac_read_search sys_ptrace };
|
||||
|
||||
allow $1_sudo_t $3:key search;
|
||||
|
||||
|
@ -85,6 +86,7 @@ template(`sudo_role_template',`
|
|||
kernel_read_kernel_sysctls($1_sudo_t)
|
||||
kernel_read_system_state($1_sudo_t)
|
||||
kernel_link_key($1_sudo_t)
|
||||
kernel_dontaudit_getattr_proc($1_sudo_t)
|
||||
|
||||
corecmd_exec_all_executables($1_sudo_t)
|
||||
|
||||
|
@ -142,6 +144,7 @@ template(`sudo_role_template',`
|
|||
userdom_manage_user_tmp_symlinks($1_sudo_t)
|
||||
userdom_setattr_user_ptys($1_sudo_t)
|
||||
userdom_use_user_terminals($1_sudo_t)
|
||||
userdom_dontaudit_rw_user_tmp_pipes($1_sudo_t)
|
||||
# for some PAM modules and for cwd
|
||||
userdom_dontaudit_search_user_home_content($1_sudo_t)
|
||||
userdom_dontaudit_search_user_home_dirs($1_sudo_t)
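Review bot: The new `dontaudit $1_sudo_t self:capability { dac_read_search sys_ptrace };` carries no comment naming the sudo operation that trips these checks, while the later `userdom_dontaudit_search_user_home_*` lines in the same template are explained by `# for some PAM modules and for cwd`. A silenced `sys_ptrace` capability check is exactly the denial someone triaging a later sudo problem would want to find in the audit log, so the reason belongs next to the rule, e.g. `# sudo performs <operation> at startup; the capability is not needed, only the denial is silenced` with the operation filled in by the author. The same applies to `userdom_dontaudit_rw_user_tmp_pipes($1_sudo_t)` in the third hunk, which is added above the existing PAM comment without one of its own. sudo_role_template starts and ends outside these hunks.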
|
||||
|
|
|
@ -334,6 +334,7 @@ allow ssh_keygen_t sshd_key_t:file manage_file_perms;
|
|||
files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
|
||||
|
||||
kernel_read_kernel_sysctls(ssh_keygen_t)
|
||||
kernel_dontaudit_getattr_proc(ssh_keygen_t)
|
||||
|
||||
fs_search_auto_mountpoints(ssh_keygen_t)
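Review bot: `kernel_dontaudit_getattr_proc(ssh_keygen_t)` is placed after `kernel_read_kernel_sysctls`, but the same call lands before it in the auditctl_t and systemd_logind_t hunks, after `kernel_request_load_module` in the systemd_modules_load_t hunk, and after the last kernel_* call in the hostnamed, networkd, resolved, sessions and user_runtime_dir hunks. The existing kernel_* groups in those hunks (`kernel_read_crypto_sysctls`, `kernel_read_kernel_sysctls`, `kernel_read_net_sysctls`; `kernel_read_kernel_sysctls`, `kernel_read_proc_symlinks`, `kernel_setsched`) look alphabetically sorted, which would put the new call first in each group, i.e. `kernel_dontaudit_getattr_proc(ssh_keygen_t)` directly above `kernel_read_kernel_sysctls(ssh_keygen_t)` here. Whichever convention the project follows, one position should be used in all nine hunks. The ssh_keygen_t block continues outside this hunk.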
|
||||
|
||||
|
|
|
@ -408,6 +408,7 @@ ifdef(`init_systemd',`
|
|||
# If /etc/localtime is missing, a watch on /etc is added.
|
||||
files_watch_etc_dirs(init_t)
|
||||
files_watch_etc_symlinks(init_t)
|
||||
files_dontaudit_write_var_dirs(init_t)
|
||||
|
||||
fs_relabel_cgroup_dirs(init_t)
|
||||
fs_list_auto_mountpoints(init_t)
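Review bot: `files_dontaudit_write_var_dirs(init_t)` is added with no comment, unlike the `# If /etc/localtime is missing, a watch on /etc is added.` note two lines above it that justifies the watch rules. Going by the interface name this silences init_t write attempts on directories under /var, a denial an administrator may want to keep seeing if it comes from a misconfigured unit, so the trigger should be named, e.g. `# <unit or code path> tries to create <path> under /var; not needed, only silence the denial`, filled in by the author. The enclosing `ifdef(`init_systemd',` block starts and ends outside this hunk.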
|
||||
|
|
|
@ -114,6 +114,7 @@ files_getattr_all_dirs(auditctl_t)
|
|||
files_getattr_all_files(auditctl_t)
|
||||
files_read_etc_files(auditctl_t)
|
||||
|
||||
kernel_dontaudit_getattr_proc(auditctl_t)
|
||||
kernel_read_kernel_sysctls(auditctl_t)
|
||||
kernel_read_proc_symlinks(auditctl_t)
|
||||
kernel_setsched(auditctl_t)
|
||||
|
|
|
@ -336,6 +336,8 @@ systemd_log_parse_environment(systemd_backlight_t)
|
|||
# Allow systemd-backlight to write to /sys/class/backlight/*/brightness
|
||||
dev_rw_sysfs(systemd_backlight_t)
|
||||
|
||||
kernel_dontaudit_search_kernel_sysctl(systemd_backlight_t)
|
||||
|
||||
# for udev.conf
|
||||
files_read_etc_files(systemd_backlight_t)
|
||||
|
||||
|
@ -501,6 +503,7 @@ optional_policy(`
|
|||
allow systemd_hostnamed_t self:capability sys_admin;
|
||||
|
||||
kernel_read_kernel_sysctls(systemd_hostnamed_t)
|
||||
kernel_dontaudit_getattr_proc(systemd_hostnamed_t)
|
||||
|
||||
dev_read_sysfs(systemd_hostnamed_t)
|
||||
|
||||
|
@ -617,6 +620,7 @@ allow systemd_logind_t systemd_sessions_runtime_t:dir manage_dir_perms;
|
|||
allow systemd_logind_t systemd_sessions_runtime_t:file manage_file_perms;
|
||||
allow systemd_logind_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_perms;
|
||||
|
||||
kernel_dontaudit_getattr_proc(systemd_logind_t)
|
||||
kernel_read_kernel_sysctls(systemd_logind_t)
|
||||
|
||||
dev_getattr_dri_dev(systemd_logind_t)
|
||||
|
@ -822,6 +826,7 @@ optional_policy(`
|
|||
kernel_load_module(systemd_modules_load_t)
|
||||
kernel_read_kernel_sysctls(systemd_modules_load_t)
|
||||
kernel_request_load_module(systemd_modules_load_t)
|
||||
kernel_dontaudit_getattr_proc(systemd_modules_load_t)
|
||||
|
||||
dev_read_sysfs(systemd_modules_load_t)
|
||||
|
||||
|
@ -858,6 +863,7 @@ kernel_read_kernel_sysctls(systemd_networkd_t)
|
|||
kernel_read_network_state(systemd_networkd_t)
|
||||
kernel_request_load_module(systemd_networkd_t)
|
||||
kernel_rw_net_sysctls(systemd_networkd_t)
|
||||
kernel_dontaudit_getattr_proc(systemd_networkd_t)
|
||||
|
||||
corecmd_bin_entry_type(systemd_networkd_t)
|
||||
corecmd_exec_bin(systemd_networkd_t)
|
||||
|
@ -1196,6 +1202,7 @@ dev_read_sysfs(systemd_resolved_t)
|
|||
kernel_read_crypto_sysctls(systemd_resolved_t)
|
||||
kernel_read_kernel_sysctls(systemd_resolved_t)
|
||||
kernel_read_net_sysctls(systemd_resolved_t)
|
||||
kernel_dontaudit_getattr_proc(systemd_resolved_t)
|
||||
|
||||
corenet_tcp_bind_generic_node(systemd_resolved_t)
|
||||
corenet_tcp_bind_dns_port(systemd_resolved_t)
|
||||
|
@ -1263,6 +1270,7 @@ allow systemd_sessions_t systemd_sessions_runtime_t:file manage_file_perms;
|
|||
files_runtime_filetrans(systemd_sessions_t, systemd_sessions_runtime_t, file)
|
||||
|
||||
kernel_read_kernel_sysctls(systemd_sessions_t)
|
||||
kernel_dontaudit_getattr_proc(systemd_sessions_t)
|
||||
|
||||
selinux_get_fs_mount(systemd_sessions_t)
|
||||
selinux_use_status_page(systemd_sessions_t)
|
||||
|
@ -1581,6 +1589,7 @@ fs_unmount_tmpfs(systemd_user_runtime_dir_t)
|
|||
fs_relabelfrom_tmpfs_dirs(systemd_user_runtime_dir_t)
|
||||
|
||||
kernel_read_kernel_sysctls(systemd_user_runtime_dir_t)
|
||||
kernel_dontaudit_getattr_proc(systemd_user_runtime_dir_t)
|
||||
|
||||
selinux_use_status_page(systemd_user_runtime_dir_t)
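Review bot: `kernel_dontaudit_getattr_proc` is added to seven systemd domains in this file (hostnamed, logind, modules_load, networkd, resolved, sessions, user_runtime_dir), and to ssh_keygen_t and auditctl_t elsewhere in the commit, without any comment on what stats /proc. Identical denials across that many unrelated daemons more likely come from one shared code path than from each program individually, so the cause should be recorded once, e.g. `# getattr on /proc from <shared code path>; harmless, silence it`, and if the systemd module has a common interface or attribute for its daemon domains the dontaudit may belong there rather than being repeated per domain. The backlight hunk's `kernel_dontaudit_search_kernel_sysctl(systemd_backlight_t)` likewise has no comment although its neighbours `# Allow systemd-backlight to write to /sys/class/backlight/*/brightness` and `# for udev.conf` do. Each of these domain blocks starts and ends outside its hunk.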
|
||||
|
||||
|
|
|
@ -131,6 +131,7 @@ files_exec_etc_files(udev_t)
|
|||
files_getattr_generic_locks(udev_t)
|
||||
files_search_mnt(udev_t)
|
||||
files_dontaudit_getattr_default_files(udev_t)
|
||||
files_dontaudit_getattr_home_dir(udev_t)
|
||||
files_dontaudit_getattr_lost_found_dirs(udev_t)
|
||||
files_dontaudit_getattr_tmp_dirs(udev_t)
|
||||
|
||||
|
@ -199,6 +200,7 @@ sysnet_signal_dhcpc(udev_t)
|
|||
sysnet_manage_config(udev_t)
|
||||
sysnet_etc_filetrans_config(udev_t)
|
||||
|
||||
userdom_dontaudit_getattr_user_home_dirs(udev_t)
|
||||
userdom_dontaudit_search_user_home_content(udev_t)
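Review bot: `files_dontaudit_getattr_home_dir(udev_t)` and `userdom_dontaudit_getattr_user_home_dirs(udev_t)` look like two halves of one event, udev stat'ing the home root and the user home directories under it, yet they sit in separate hunks with no comment tying them together or naming the udev rule or helper that performs the stat. A comment on each, e.g. `# <udev rule or RUN helper> stats home directories; see also userdom_dontaudit_getattr_user_home_dirs`, filled in by the author, lets both be retired together if that cause goes away. The udev_t block starts and ends outside these hunks.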
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
|
|
|
@ -3105,6 +3105,25 @@ interface(`userdom_manage_user_tmp_pipes',`
|
|||
userdom_search_user_runtime($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read and write
|
||||
## temporary pipes.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_dontaudit_rw_user_tmp_pipes',`
|
||||
gen_require(`
|
||||
type user_tmp_t;
|
||||
')
|
||||
|
||||
dontaudit $1 user_tmp_t:fifo_file rw_fifo_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete user
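Review bot: The `<summary>` of the new `userdom_dontaudit_rw_user_tmp_pipes` interface reads `Do not audit attempts to read and write temporary pipes.`, dropping the qualifier that distinguishes it from generic tmp: the interface name, the `type user_tmp_t;` it requires and the neighbouring `userdom_manage_user_tmp_pipes` all say *user*. Suggest `## Do not audit attempts to read and write` followed by `## user temporary pipes.` so the generated interface documentation matches the rule. The rule body `dontaudit $1 user_tmp_t:fifo_file rw_fifo_file_perms;` is consistent with the name.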
|
||||
|
|