mirror of
https://github.com/SELinuxProject/refpolicy
synced 2025-03-21 10:37:48 +00:00
Further strict systemd fixes from Russell Coker.
This commit is contained in:
Chris PeBenito
parent
95b584b5e9
commit
8527b86621
@ -324,6 +324,7 @@ ifdef(`distro_debian',`
|
||||
/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/gdm3/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/udisks/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/bug/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
')
|
||||
|
||||
ifdef(`distro_gentoo', `
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
policy_module(corecommands, 1.23.7)
|
||||
policy_module(corecommands, 1.23.8)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
||||
@ -3238,6 +3238,24 @@ interface(`files_mounton_etc_runtime_dirs',`
|
||||
allow $1 etc_runtime_t:dir mounton;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel to etc_runtime_t dirs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_relabelto_etc_runtime_dirs',`
|
||||
gen_require(`
|
||||
type etc_runtime_t;
|
||||
')
|
||||
|
||||
allow $1 etc_runtime_t:dir relabelto;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to set the attributes of the etc_runtime files
|
||||
@ -3377,6 +3395,24 @@ interface(`files_manage_etc_runtime_files',`
|
||||
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel to etc_runtime_t files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_relabelto_etc_runtime_files',`
|
||||
gen_require(`
|
||||
type etc_runtime_t;
|
||||
')
|
||||
|
||||
allow $1 etc_runtime_t:file relabelto;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, etc runtime objects with an automatic
|
||||
@ -6469,6 +6505,24 @@ interface(`files_list_pids',`
|
||||
list_dirs_pattern($1, var_t, var_run_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create a /var/run directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_create_pid_dirs',`
|
||||
gen_require(`
|
||||
type var_run_t;
|
||||
')
|
||||
|
||||
allow $1 var_run_t:dir create_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read generic process ID files.
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
policy_module(files, 1.23.11)
|
||||
policy_module(files, 1.23.12)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
||||
@ -826,6 +826,26 @@ interface(`fs_read_cgroup_files',`
|
||||
dev_search_sysfs($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create cgroup lnk_files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_create_cgroup_links',`
|
||||
gen_require(`
|
||||
type cgroup_t;
|
||||
')
|
||||
|
||||
create_lnk_files_pattern($1, cgroup_t, cgroup_t)
|
||||
rw_lnk_files_pattern($1, cgroup_t, cgroup_t)
|
||||
dev_search_sysfs($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Write cgroup files.
|
||||
@ -858,7 +878,6 @@ interface(`fs_write_cgroup_files', `
|
||||
interface(`fs_rw_cgroup_files',`
|
||||
gen_require(`
|
||||
type cgroup_t;
|
||||
|
||||
')
|
||||
|
||||
rw_files_pattern($1, cgroup_t, cgroup_t)
|
||||
@ -3515,6 +3534,24 @@ interface(`fs_getattr_pstore_dirs',`
|
||||
dev_search_sysfs($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel to/from pstore_t directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_relabel_pstore_dirs',`
|
||||
gen_require(`
|
||||
type pstore_t;
|
||||
')
|
||||
|
||||
relabel_dirs_pattern($1, pstore_t, pstore_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the type to associate to ramfs filesystems.
|
||||
@ -4504,6 +4541,24 @@ interface(`fs_read_tmpfs_symlinks',`
|
||||
read_lnk_files_pattern($1, tmpfs_t, tmpfs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabelfrom tmpfs link files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_relabelfrom_tmpfs_symlinks',`
|
||||
gen_require(`
|
||||
type tmpfs_t;
|
||||
')
|
||||
|
||||
allow $1 tmpfs_t:lnk_file { getattr relabelfrom };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write character nodes on tmpfs filesystems.
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
policy_module(filesystem, 1.22.8)
|
||||
policy_module(filesystem, 1.22.9)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
||||
@ -352,6 +352,7 @@ template(`ssh_role_template',`
|
||||
|
||||
allow $1_ssh_agent_t self:process { setrlimit signal };
|
||||
allow $1_ssh_agent_t self:capability setgid;
|
||||
allow $1_ssh_agent_t self:fifo_file rw_file_perms;
|
||||
|
||||
allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull;
|
||||
|
||||
@ -436,6 +437,7 @@ template(`ssh_role_template',`
|
||||
optional_policy(`
|
||||
xserver_use_xdm_fds($1_ssh_agent_t)
|
||||
xserver_rw_xdm_pipes($1_ssh_agent_t)
|
||||
xserver_sigchld_xdm($1_ssh_agent_t)
|
||||
')
|
||||
')
|
||||
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
policy_module(ssh, 2.9.3)
|
||||
policy_module(ssh, 2.9.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
||||
@ -155,6 +155,24 @@ interface(`fstools_manage_entry_files',`
|
||||
allow $1 fsadm_exec_t:file manage_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Write to fsadm_log_t
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`fstools_write_log',`
|
||||
gen_require(`
|
||||
type fsadm_log_t;
|
||||
')
|
||||
|
||||
allow $1 fsadm_log_t:file write_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete filesystem tools
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
policy_module(fstools, 1.20.4)
|
||||
policy_module(fstools, 1.20.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
||||
@ -2966,6 +2966,7 @@ interface(`init_admin',`
|
||||
init_reload($1)
|
||||
init_reload_all_units($1)
|
||||
init_shutdown_system($1)
|
||||
init_start_system($1)
|
||||
init_start_all_units($1)
|
||||
init_start_generic_units($1)
|
||||
init_stop_all_units($1)
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
policy_module(init, 2.2.18)
|
||||
policy_module(init, 2.2.19)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
@ -138,6 +138,11 @@ allow init_t initrc_t:unix_stream_socket connectto;
|
||||
allow init_t init_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(init_t, init_var_run_t, file)
|
||||
|
||||
# for /run/initctl
|
||||
allow init_t init_var_run_t:fifo_file manage_fifo_file_perms;
|
||||
|
||||
allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;
|
||||
|
||||
# for systemd to manage service file symlinks
|
||||
allow init_t init_var_run_t:file manage_lnk_file_perms;
|
||||
|
||||
@ -214,6 +219,11 @@ ifdef(`init_systemd',`
|
||||
# handle instances where an old labeled init script is encountered.
|
||||
typeattribute init_t init_run_all_scripts_domain;
|
||||
|
||||
# for /run/systemd/inaccessible/{chr,blk}
|
||||
allow init_t init_var_run_t:blk_file { create getattr };
|
||||
allow init_t init_var_run_t:chr_file { create getattr };
|
||||
|
||||
|
||||
allow init_t systemprocess:process { dyntransition siginh };
|
||||
allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
|
||||
allow init_t systemprocess:unix_dgram_socket create_socket_perms;
|
||||
@ -221,10 +231,10 @@ ifdef(`init_systemd',`
|
||||
allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setcap setrlimit };
|
||||
allow init_t self:capability2 { audit_read block_suspend };
|
||||
allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
allow init_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
allow init_t self:netlink_selinux_socket create_socket_perms;
|
||||
allow init_t self:unix_dgram_socket lock;
|
||||
|
||||
allow init_t init_var_run_t:sock_file manage_sock_file_perms;
|
||||
|
||||
allow init_t daemon:unix_stream_socket create_stream_socket_perms;
|
||||
allow init_t daemon:unix_dgram_socket create_socket_perms;
|
||||
allow init_t daemon:tcp_socket create_stream_socket_perms;
|
||||
@ -257,13 +267,11 @@ ifdef(`init_systemd',`
|
||||
kernel_getattr_proc(init_t)
|
||||
kernel_read_fs_sysctls(init_t)
|
||||
|
||||
dev_rw_autofs(init_t)
|
||||
dev_create_generic_dirs(init_t)
|
||||
dev_manage_input_dev(init_t)
|
||||
dev_relabel_all_dev_nodes(init_t)
|
||||
dev_relabel_all_sysfs(init_t)
|
||||
dev_relabel_generic_symlinks(init_t)
|
||||
dev_read_urand(init_t)
|
||||
dev_write_kmsg(init_t)
|
||||
|
||||
domain_read_all_domains_state(init_t)
|
||||
|
||||
@ -271,17 +279,16 @@ ifdef(`init_systemd',`
|
||||
files_list_usr(init_t)
|
||||
files_list_var(init_t)
|
||||
files_list_var_lib(init_t)
|
||||
files_relabel_all_lock_dirs(init_t)
|
||||
files_mounton_root(init_t)
|
||||
files_search_pids(init_t)
|
||||
files_relabel_all_pids(init_t)
|
||||
files_relabelto_etc_runtime_dirs(init_t)
|
||||
files_relabelto_etc_runtime_files(init_t)
|
||||
files_read_all_locks(init_t)
|
||||
files_search_kernel_modules(init_t)
|
||||
# for privatetmp functions
|
||||
files_manage_generic_tmp_dirs(init_t)
|
||||
files_mounton_tmp(init_t)
|
||||
|
||||
fs_manage_cgroup_dirs(init_t)
|
||||
fs_relabel_cgroup_dirs(init_t)
|
||||
fs_rw_cgroup_files(init_t)
|
||||
fs_list_auto_mountpoints(init_t)
|
||||
@ -290,6 +297,7 @@ ifdef(`init_systemd',`
|
||||
fs_getattr_tmpfs(init_t)
|
||||
fs_read_tmpfs_files(init_t)
|
||||
fs_read_cgroup_files(init_t)
|
||||
fs_relabel_pstore_dirs(init_t)
|
||||
fs_dontaudit_getattr_xattr_fs(init_t)
|
||||
# for privatetmp functions
|
||||
fs_relabel_tmpfs_dirs(init_t)
|
||||
@ -309,19 +317,19 @@ ifdef(`init_systemd',`
|
||||
selinux_compute_create_context(init_t)
|
||||
selinux_compute_access_vector(init_t)
|
||||
|
||||
term_relabel_pty_dirs(init_t)
|
||||
|
||||
logging_manage_pid_sockets(init_t)
|
||||
logging_send_audit_msgs(init_t)
|
||||
logging_relabelto_devlog_sock_files(init_t)
|
||||
|
||||
seutil_read_file_contexts(init_t)
|
||||
|
||||
systemd_manage_passwd_runtime_symlinks(init_t)
|
||||
systemd_use_passwd_agent(init_t)
|
||||
|
||||
# udevd is a "systemd kobject uevent socket activated daemon"
|
||||
udev_create_kobject_uevent_sockets(init_t)
|
||||
|
||||
# for systemd to read udev status
|
||||
udev_read_pid_files(init_t)
|
||||
|
||||
optional_policy(`
|
||||
clock_read_adjtime(init_t)
|
||||
')
|
||||
@ -331,7 +339,6 @@ ifdef(`init_systemd',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(init_t)
|
||||
dbus_connect_system_bus(init_t)
|
||||
')
|
||||
|
||||
@ -355,6 +362,13 @@ ifdef(`distro_debian',`
|
||||
|
||||
allow init_t initrc_var_run_t:file manage_file_perms;
|
||||
fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
|
||||
fs_manage_tmpfs_files(initrc_t)
|
||||
|
||||
sysnet_manage_config(initrc_t)
|
||||
|
||||
optional_policy(`
|
||||
postfix_read_config(initrc_t)
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`distro_gentoo',`
|
||||
@ -369,6 +383,12 @@ ifdef(`distro_redhat',`
|
||||
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
modutils_read_module_config(init_t)
|
||||
modutils_read_module_deps(init_t)
|
||||
modutils_read_module_objects(init_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
auth_rw_login_records(init_t)
|
||||
')
|
||||
@ -521,7 +541,6 @@ domain_kill_all_domains(initrc_t)
|
||||
domain_signal_all_domains(initrc_t)
|
||||
domain_signull_all_domains(initrc_t)
|
||||
domain_sigstop_all_domains(initrc_t)
|
||||
domain_sigstop_all_domains(initrc_t)
|
||||
domain_sigchld_all_domains(initrc_t)
|
||||
domain_read_all_domains_state(initrc_t)
|
||||
domain_getattr_all_domains(initrc_t)
|
||||
@ -639,7 +658,6 @@ ifdef(`distro_debian',`
|
||||
kernel_getattr_core_if(initrc_t)
|
||||
|
||||
dev_getattr_generic_blk_files(initrc_t)
|
||||
dev_setattr_generic_dirs(initrc_t)
|
||||
|
||||
fs_tmpfs_filetrans(initrc_t, initrc_var_run_t, dir)
|
||||
|
||||
@ -670,7 +688,6 @@ ifdef(`distro_gentoo',`
|
||||
allow initrc_t self:process setfscreate;
|
||||
dev_create_null_dev(initrc_t)
|
||||
dev_create_zero_dev(initrc_t)
|
||||
dev_create_generic_dirs(initrc_t)
|
||||
term_create_console_dev(initrc_t)
|
||||
|
||||
# unfortunately /sbin/rc does stupid tricks
|
||||
@ -693,8 +710,6 @@ ifdef(`distro_gentoo',`
|
||||
# init scripts touch this
|
||||
clock_dontaudit_write_adjtime(initrc_t)
|
||||
|
||||
logging_send_audit_msgs(initrc_t)
|
||||
|
||||
# for integrated run_init to read run_init_type.
|
||||
# happens during boot (/sbin/rc execs init scripts)
|
||||
seutil_read_default_contexts(initrc_t)
|
||||
@ -830,21 +845,24 @@ ifdef(`init_systemd',`
|
||||
|
||||
allow init_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
allow init_t self:process { setsockcreate setfscreate setrlimit };
|
||||
allow init_t self:process { getcap setcap };
|
||||
allow init_t self:process { getcap setcap getsched setsched };
|
||||
allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
|
||||
allow init_t self:netlink_selinux_socket create_socket_perms;
|
||||
# Until systemd is fixed
|
||||
allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
|
||||
allow init_t self:udp_socket create_socket_perms;
|
||||
allow init_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
allow init_t initrc_t:unix_dgram_socket create_socket_perms;
|
||||
allow initrc_t init_t:system { status reboot halt reload };
|
||||
allow initrc_t init_t:system { start status reboot halt reload };
|
||||
allow init_t self:capability2 audit_read;
|
||||
manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
|
||||
files_lock_filetrans(initrc_t, initrc_lock_t, file)
|
||||
|
||||
manage_dirs_pattern(initrc_t, init_var_run_t, init_var_run_t)
|
||||
allow initrc_t init_var_run_t:file create_file_perms;
|
||||
allow initrc_t init_var_run_t:lnk_file create_lnk_file_perms;
|
||||
allow initrc_t init_var_run_t:service { start status };
|
||||
|
||||
manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
|
||||
manage_chr_files_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
|
||||
@ -861,14 +879,16 @@ ifdef(`init_systemd',`
|
||||
|
||||
kernel_dgram_send(initrc_t)
|
||||
kernel_list_unlabeled(init_t)
|
||||
kernel_read_network_state(init_t)
|
||||
kernel_load_module(init_t)
|
||||
kernel_rw_kernel_sysctl(init_t)
|
||||
kernel_rw_net_sysctls(init_t)
|
||||
kernel_read_all_sysctls(init_t)
|
||||
kernel_read_software_raid_state(init_t)
|
||||
kernel_unmount_debugfs(init_t)
|
||||
kernel_setsched(init_t)
|
||||
kernel_rw_unix_sysctls(init_t)
|
||||
|
||||
auth_manage_var_auth(init_t)
|
||||
auth_relabel_login_records(init_t)
|
||||
auth_relabel_pam_console_data_dirs(init_t)
|
||||
|
||||
@ -876,10 +896,10 @@ ifdef(`init_systemd',`
|
||||
# in the initrc_t domain, as would be
|
||||
# done in traditional sysvinit/upstart.
|
||||
corecmd_bin_entry_type(initrc_t)
|
||||
corecmd_shell_entry_type(initrc_t)
|
||||
corecmd_bin_domtrans(init_t, initrc_t)
|
||||
corecmd_shell_domtrans(init_t, initrc_t)
|
||||
|
||||
dev_create_generic_dirs(initrc_t)
|
||||
dev_write_kmsg(init_t)
|
||||
dev_write_urand(init_t)
|
||||
dev_rw_lvm_control(init_t)
|
||||
@ -894,6 +914,7 @@ ifdef(`init_systemd',`
|
||||
dev_relabel_all_dev_files(init_t)
|
||||
dev_manage_sysfs_dirs(init_t)
|
||||
dev_relabel_sysfs_dirs(init_t)
|
||||
dev_read_usbfs(initrc_t)
|
||||
# systemd writes to /dev/watchdog on shutdown
|
||||
dev_write_watchdog(init_t)
|
||||
|
||||
@ -903,13 +924,13 @@ ifdef(`init_systemd',`
|
||||
files_create_all_pid_sockets(init_t)
|
||||
files_create_all_spool_sockets(init_t)
|
||||
files_create_lock_dirs(init_t)
|
||||
files_create_pid_dirs(initrc_t)
|
||||
files_delete_all_pids(init_t)
|
||||
files_delete_all_spool_sockets(init_t)
|
||||
files_exec_generic_pid_files(init_t)
|
||||
files_get_etc_unit_status(initrc_t)
|
||||
files_list_locks(init_t)
|
||||
files_list_spool(init_t)
|
||||
files_list_var(init_t)
|
||||
files_manage_all_pid_dirs(init_t)
|
||||
files_manage_generic_tmp_dirs(init_t)
|
||||
files_manage_urandom_seed(init_t)
|
||||
@ -922,28 +943,28 @@ ifdef(`init_systemd',`
|
||||
files_setattr_pid_dirs(initrc_t)
|
||||
files_unmount_all_file_type_fs(init_t)
|
||||
|
||||
fs_create_cgroup_links(init_t)
|
||||
fs_getattr_all_fs(init_t)
|
||||
fs_list_auto_mountpoints(init_t)
|
||||
fs_manage_cgroup_dirs(init_t)
|
||||
fs_manage_cgroup_files(init_t)
|
||||
fs_manage_hugetlbfs_dirs(init_t)
|
||||
fs_manage_tmpfs_dirs(init_t)
|
||||
fs_mount_all_fs(init_t)
|
||||
fs_remount_all_fs(init_t)
|
||||
fs_relabelfrom_tmpfs_symlinks(init_t)
|
||||
fs_unmount_all_fs(init_t)
|
||||
fs_search_cgroup_dirs(daemon)
|
||||
|
||||
# for logsave in strict configuration
|
||||
fstools_write_log(initrc_t)
|
||||
|
||||
init_get_all_units_status(initrc_t)
|
||||
init_manage_var_lib_files(initrc_t)
|
||||
init_read_script_state(init_t)
|
||||
init_rw_stream_sockets(initrc_t)
|
||||
init_stop_all_units(initrc_t)
|
||||
init_stream_connect(initrc_t)
|
||||
|
||||
# Create /etc/audit.rules.prev after firstboot remediation
|
||||
logging_manage_audit_config(initrc_t)
|
||||
|
||||
selinux_compute_create_context(init_t)
|
||||
selinux_set_enforce_mode(initrc_t)
|
||||
selinux_unmount_fs(init_t)
|
||||
selinux_validate_context(init_t)
|
||||
@ -992,7 +1013,6 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
dev_read_usbfs(initrc_t)
|
||||
bluetooth_read_config(initrc_t)
|
||||
')
|
||||
|
||||
@ -1076,8 +1096,6 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
dev_read_usbfs(initrc_t)
|
||||
|
||||
# init scripts run /etc/hotplug/usb.rc
|
||||
hotplug_read_config(initrc_t)
|
||||
|
||||
@ -1266,17 +1284,8 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
domain_role_change_exemption(initrc_t)
|
||||
|
||||
mcs_file_read_all(initrc_t)
|
||||
mcs_file_write_all(initrc_t)
|
||||
mcs_killall(initrc_t)
|
||||
|
||||
unconfined_domain(initrc_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
# system-config-services causes avc messages that should be dontaudited
|
||||
unconfined_dontaudit_rw_pipes(daemon)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
mono_domtrans(initrc_t)
|
||||
')
|
||||
|
||||
@ -37,6 +37,25 @@ interface(`modutils_read_module_deps',`
|
||||
allow $1 modules_dep_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read the kernel modules.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`modutils_read_module_objects',`
|
||||
gen_require(`
|
||||
type modules_object_t;
|
||||
')
|
||||
|
||||
files_list_kernel_modules($1)
|
||||
allow $1 modules_object_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read the configuration options used when
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
policy_module(modutils, 1.17.4)
|
||||
policy_module(modutils, 1.17.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
||||
@ -78,6 +78,12 @@ template(`userdom_base_user_template',`
|
||||
dev_dontaudit_getattr_all_blk_files($1_t)
|
||||
dev_dontaudit_getattr_all_chr_files($1_t)
|
||||
|
||||
# for X session unlock
|
||||
allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
|
||||
|
||||
# for KDE
|
||||
allow $1_t self:netlink_kobject_uevent_socket connected_socket_perms;
|
||||
|
||||
# When the user domain runs ps, there will be a number of access
|
||||
# denials when ps tries to search /proc. Do not audit these denials.
|
||||
domain_dontaudit_read_all_domains_state($1_t)
|
||||
@ -108,6 +114,14 @@ template(`userdom_base_user_template',`
|
||||
|
||||
sysnet_read_config($1_t)
|
||||
|
||||
# kdeinit wants systemd status
|
||||
init_get_system_status($1_t)
|
||||
|
||||
optional_policy(`
|
||||
apt_read_cache($1_t)
|
||||
apt_read_db($1_t)
|
||||
')
|
||||
|
||||
tunable_policy(`allow_execmem',`
|
||||
# Allow loading DSOs that require executable stack.
|
||||
allow $1_t self:process execmem;
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
policy_module(userdomain, 4.13.8)
|
||||
policy_module(userdomain, 4.13.9)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
||||
Loading…
Reference in New Issue
Block a user