more packets
This commit is contained in:
parent
006e998287
commit
72fcec8c66
|
@ -161,13 +161,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
|
||||||
# kernel local policy
|
# kernel local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
# Use capabilities. need to investigate which capabilities are actually used
|
|
||||||
allow kernel_t self:capability *;
|
allow kernel_t self:capability *;
|
||||||
|
|
||||||
# Other possible mount points for the root fs are in files
|
|
||||||
allow kernel_t unlabeled_t:dir mounton;
|
|
||||||
|
|
||||||
# old general_domain_access()
|
|
||||||
allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||||
allow kernel_t self:shm create_shm_perms;
|
allow kernel_t self:shm create_shm_perms;
|
||||||
allow kernel_t self:sem create_sem_perms;
|
allow kernel_t self:sem create_sem_perms;
|
||||||
|
@ -181,20 +175,27 @@ allow kernel_t self:fifo_file rw_file_perms;
|
||||||
allow kernel_t self:sock_file r_file_perms;
|
allow kernel_t self:sock_file r_file_perms;
|
||||||
allow kernel_t self:fd use;
|
allow kernel_t self:fd use;
|
||||||
|
|
||||||
# old general_proc_read_access():
|
|
||||||
allow kernel_t proc_t:dir r_dir_perms;
|
allow kernel_t proc_t:dir r_dir_perms;
|
||||||
allow kernel_t proc_t:{ lnk_file file } r_file_perms;
|
allow kernel_t proc_t:{ lnk_file file } r_file_perms;
|
||||||
|
|
||||||
allow kernel_t proc_net_t:dir r_dir_perms;
|
allow kernel_t proc_net_t:dir r_dir_perms;
|
||||||
allow kernel_t proc_net_t:file r_file_perms;
|
allow kernel_t proc_net_t:file r_file_perms;
|
||||||
|
|
||||||
allow kernel_t proc_mdstat_t:file r_file_perms;
|
allow kernel_t proc_mdstat_t:file r_file_perms;
|
||||||
|
|
||||||
allow kernel_t proc_kcore_t:file getattr;
|
allow kernel_t proc_kcore_t:file getattr;
|
||||||
|
|
||||||
allow kernel_t proc_kmsg_t:file getattr;
|
allow kernel_t proc_kmsg_t:file getattr;
|
||||||
allow kernel_t sysctl_t:dir r_dir_perms;
|
|
||||||
allow kernel_t sysctl_kernel_t:dir r_dir_perms;
|
allow kernel_t sysctl_kernel_t:dir r_dir_perms;
|
||||||
allow kernel_t sysctl_kernel_t:file r_file_perms;
|
allow kernel_t sysctl_kernel_t:file r_file_perms;
|
||||||
|
allow kernel_t sysctl_t:dir r_dir_perms;
|
||||||
|
|
||||||
# cjp: this seems questionable
|
# Other possible mount points for the root fs are in files
|
||||||
allow kernel_t unlabeled_t:fifo_file rw_file_perms;
|
allow kernel_t unlabeled_t:dir mounton;
|
||||||
|
# Kernel-generated traffic e.g., TCP resets on
|
||||||
|
# connections with invalidated labels:
|
||||||
|
allow kernel_t unlabeled_t:packet send;
|
||||||
|
|
||||||
corenet_non_ipsec_sendrecv(kernel_t)
|
corenet_non_ipsec_sendrecv(kernel_t)
|
||||||
# Kernel-generated traffic e.g., ICMP replies:
|
# Kernel-generated traffic e.g., ICMP replies:
|
||||||
|
|
|
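Review bot: The first hunk drops the comment `# Use capabilities. need to investigate which capabilities are actually used` while keeping `allow kernel_t self:capability *;`, so the file loses its only record that this wildcard grant is provisional and unreviewed; keep a one-line note on the rule, e.g. `# TODO: narrow this wildcard to the capabilities kernel_t actually uses`. In the second hunk the moved comment `# Other possible mount points for the root fs are in files` is ambiguous; if "files" means the files module, say so (`# ... are granted in the files module`) so a reader knows where to look for the rest of the mounton rules. The new `allow kernel_t unlabeled_t:packet send;` is well explained by its comment, and the absence of a matching recv rule reads as intentional but is worth stating in that comment. The kernel_t local policy block begins before the first hunk and continues past the second.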
@ -376,18 +376,17 @@ kernel_read_network_state(nmbd_t)
|
||||||
kernel_read_software_raid_state(nmbd_t)
|
kernel_read_software_raid_state(nmbd_t)
|
||||||
kernel_read_system_state(nmbd_t)
|
kernel_read_system_state(nmbd_t)
|
||||||
|
|
||||||
|
corenet_non_ipsec_sendrecv(nmbd_t)
|
||||||
corenet_tcp_sendrecv_all_if(nmbd_t)
|
corenet_tcp_sendrecv_all_if(nmbd_t)
|
||||||
corenet_udp_sendrecv_all_if(nmbd_t)
|
corenet_udp_sendrecv_all_if(nmbd_t)
|
||||||
corenet_raw_sendrecv_all_if(nmbd_t)
|
|
||||||
corenet_tcp_sendrecv_all_nodes(nmbd_t)
|
corenet_tcp_sendrecv_all_nodes(nmbd_t)
|
||||||
corenet_udp_sendrecv_all_nodes(nmbd_t)
|
corenet_udp_sendrecv_all_nodes(nmbd_t)
|
||||||
corenet_raw_sendrecv_all_nodes(nmbd_t)
|
|
||||||
corenet_tcp_sendrecv_all_ports(nmbd_t)
|
corenet_tcp_sendrecv_all_ports(nmbd_t)
|
||||||
corenet_udp_sendrecv_all_ports(nmbd_t)
|
corenet_udp_sendrecv_all_ports(nmbd_t)
|
||||||
corenet_non_ipsec_sendrecv(nmbd_t)
|
|
||||||
corenet_tcp_bind_all_nodes(nmbd_t)
|
|
||||||
corenet_udp_bind_all_nodes(nmbd_t)
|
corenet_udp_bind_all_nodes(nmbd_t)
|
||||||
corenet_udp_bind_nmbd_port(nmbd_t)
|
corenet_udp_bind_nmbd_port(nmbd_t)
|
||||||
|
corenet_sendrecv_nmbd_server_packets(nmbd_t)
|
||||||
|
corenet_sendrecv_nmbd_client_packets(nmbd_t)
|
||||||
|
|
||||||
dev_read_sysfs(nmbd_t)
|
dev_read_sysfs(nmbd_t)
|
||||||
dev_getattr_mtrr_dev(nmbd_t)
|
dev_getattr_mtrr_dev(nmbd_t)
|
||||||
|
|
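Review bot: `corenet_tcp_bind_all_nodes(nmbd_t)` is removed but the three `corenet_tcp_sendrecv_all_*` calls stay, so the TCP socket grants now outlive the only rule that let nmbd listen on TCP; if nmbd is UDP-only, as the remaining `corenet_udp_bind_nmbd_port(nmbd_t)` suggests, those three lines are candidates for removal too, subject to a denial-log check. The added `corenet_sendrecv_nmbd_client_packets(nmbd_t)` sits next to the server interface with no comment on why a daemon that binds the nmbd port also needs the client-side packet label; a short comment naming the traffic that requires it would keep the grant auditable. Dropping the two `corenet_raw_sendrecv_all_*` calls is a welcome tightening. The nmbd_t policy block begins before this hunk.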