Merge pull request #271 from bauen1/misc-fixes-2
commit
9169113d42
|
@ -9,6 +9,7 @@
|
|||
/var/lib/debtags(/.*)? gen_context(system_u:object_r:dpkg_var_lib_t,s0)
|
||||
/var/lib/dpkg(/.*)? gen_context(system_u:object_r:dpkg_var_lib_t,s0)
|
||||
/var/lib/dpkg/(meth)?lock -- gen_context(system_u:object_r:dpkg_lock_t,s0)
|
||||
/var/lib/dpkg/lock-frontend -- gen_context(system_u:object_r:dpkg_lock_t,s0)
|
||||
|
||||
/usr/sbin/dpkg-preconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0)
|
||||
/usr/sbin/dpkg-reconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0)
|
||||
|
|
|
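Review bot: The new `lock-frontend` entry could be folded into the existing `(meth)?lock` regex instead of standing as a separate line, e.g. `/var/lib/dpkg/(meth)?lock(-frontend)? -- gen_context(system_u:object_r:dpkg_lock_t,s0)`. The rendered view drops the `+` markers, so this assumes `lock-frontend` is the one line the header's +1 refers to. Either form labels the frontend lock `dpkg_lock_t`, consistent with the other dpkg lock files.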
@ -30,7 +30,7 @@ type dpkg_var_lib_t;
|
|||
files_type(dpkg_var_lib_t)
|
||||
|
||||
type dpkg_script_t;
|
||||
domain_type(dpkg_script_t)
|
||||
application_type(dpkg_script_t)
|
||||
domain_entry_file(dpkg_t, dpkg_var_lib_t)
|
||||
domain_entry_file(dpkg_script_t, dpkg_var_lib_t)
|
||||
corecmd_shell_entry_type(dpkg_script_t)
|
||||
|
|
|
@ -244,7 +244,6 @@ filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file)
|
|||
domtrans_pattern(gpg_agent_t, gpg_pinentry_exec_t, gpg_pinentry_t)
|
||||
|
||||
kernel_dontaudit_search_sysctl(gpg_agent_t)
|
||||
kernel_read_core_if(gpg_agent_t)
|
||||
kernel_read_crypto_sysctls(gpg_agent_t)
|
||||
kernel_read_system_state(gpg_agent_t)
|
||||
|
||||
|
|
|
@ -15,6 +15,9 @@ role thunderbird_roles types thunderbird_t;
|
|||
type thunderbird_home_t;
|
||||
userdom_user_home_content(thunderbird_home_t)
|
||||
|
||||
type thunderbird_tmp_t;
|
||||
userdom_user_tmp_file(thunderbird_tmp_t)
|
||||
|
||||
type thunderbird_tmpfs_t;
|
||||
userdom_user_tmpfs_file(thunderbird_tmpfs_t)
|
||||
|
||||
|
@ -42,6 +45,11 @@ manage_files_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t)
|
|||
manage_lnk_files_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t)
|
||||
userdom_user_home_dir_filetrans(thunderbird_t, thunderbird_home_t, dir, ".thunderbird")
|
||||
|
||||
manage_dirs_pattern(thunderbird_t, thunderbird_tmp_t, thunderbird_tmp_t)
|
||||
manage_files_pattern(thunderbird_t, thunderbird_tmp_t, thunderbird_tmp_t)
|
||||
manage_lnk_files_pattern(thunderbird_t, thunderbird_tmp_t, thunderbird_tmp_t)
|
||||
files_tmp_filetrans(thunderbird_t, thunderbird_tmp_t, { dir file lnk_file })
|
||||
|
||||
manage_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
|
||||
manage_lnk_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
|
||||
manage_fifo_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
|
||||
|
|
|
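Review bot: The new `thunderbird_tmpfs_t` manage rules have no matching `fs_tmpfs_filetrans(thunderbird_t, thunderbird_tmpfs_t, { file lnk_file fifo_file })` in this hunk, whereas the tmp rules just above them are paired with `files_tmp_filetrans`. Without a transition, objects thunderbird_t creates on tmpfs presumably keep the generic tmpfs label and the three manage patterns never apply; if the transition lives elsewhere in the file this is moot. The enclosing policy section continues beyond the hunk on both sides.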
@ -367,6 +367,7 @@ ifdef(`distro_debian',`
|
|||
|
||||
ifdef(`distro_debian',`
|
||||
/usr/lib/gdm3/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/openssh/agent-launch -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/udisks/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/bug/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
')
|
||||
|
|
|
@ -310,6 +310,7 @@ seutil_dontaudit_search_config(postfix_master_t)
|
|||
mta_manage_aliases(postfix_master_t)
|
||||
mta_etc_filetrans_aliases(postfix_master_t, file, "aliases")
|
||||
mta_etc_filetrans_aliases(postfix_master_t, file, "aliases.db")
|
||||
mta_etc_filetrans_aliases(postfix_master_t, file, "__db.aliases.db")
|
||||
mta_etc_filetrans_aliases(postfix_master_t, file, "aliasesdb-stamp")
|
||||
mta_spec_filetrans_aliases(postfix_master_t, postfix_etc_t, file)
|
||||
mta_read_sendmail_bin(postfix_master_t)
|
||||
|
|
|
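Review bot: The same four-name block of `mta_etc_filetrans_aliases(..., file, "aliases")`, `"aliases.db"`, `"__db.aliases.db"`, `"aliasesdb-stamp"` now appears for postfix_master_t here and for sendmail_t and unconfined_sendmail_t in the two hunks that follow. A single mta.if interface wrapping the four calls (taking only the domain) would keep the name list in sync the next time a file such as `aliasesdb-stamp` has to be added. This is a style point; the individual transitions look consistent across the three domains.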
@ -118,6 +118,7 @@ userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
|
|||
|
||||
mta_etc_filetrans_aliases(sendmail_t, file, "aliases")
|
||||
mta_etc_filetrans_aliases(sendmail_t, file, "aliases.db")
|
||||
mta_etc_filetrans_aliases(sendmail_t, file, "__db.aliases.db")
|
||||
mta_etc_filetrans_aliases(sendmail_t, file, "aliasesdb-stamp")
|
||||
mta_manage_aliases(sendmail_t)
|
||||
mta_manage_queue(sendmail_t)
|
||||
|
@ -208,6 +209,7 @@ optional_policy(`
|
|||
optional_policy(`
|
||||
mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliases")
|
||||
mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliases.db")
|
||||
mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "__db.aliases.db")
|
||||
mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliasesdb-stamp")
|
||||
unconfined_domain(unconfined_sendmail_t)
|
||||
')
|
||||
|
|
|
@ -104,8 +104,6 @@ allow chkpwd_t shadow_t:file read_file_perms;
|
|||
files_list_etc(chkpwd_t)
|
||||
|
||||
kernel_read_crypto_sysctls(chkpwd_t)
|
||||
# is_selinux_enabled
|
||||
kernel_read_system_state(chkpwd_t)
|
||||
|
||||
domain_dontaudit_use_interactive_fds(chkpwd_t)
|
||||
|
||||
|
@ -120,7 +118,6 @@ files_dontaudit_search_var(chkpwd_t)
|
|||
fs_dontaudit_getattr_xattr_fs(chkpwd_t)
|
||||
|
||||
selinux_get_enforce_mode(chkpwd_t)
|
||||
selinux_getattr_fs(chkpwd_t)
|
||||
|
||||
term_dontaudit_use_console(chkpwd_t)
|
||||
term_dontaudit_use_unallocated_ttys(chkpwd_t)
|
||||
|
@ -134,7 +131,7 @@ logging_send_syslog_msg(chkpwd_t)
|
|||
|
||||
miscfiles_read_localization(chkpwd_t)
|
||||
|
||||
seutil_read_config(chkpwd_t)
|
||||
seutil_libselinux_linked(chkpwd_t)
|
||||
seutil_dontaudit_use_newrole_fds(chkpwd_t)
|
||||
|
||||
userdom_use_user_terminals(chkpwd_t)
|
||||
|
|
|
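Review bot: If `seutil_libselinux_linked(chkpwd_t)` is what replaces `seutil_read_config(chkpwd_t)` here, it is worth confirming that the interface covers every permission the two preceding chkpwd hunks drop (`kernel_read_crypto_sysctls`, `kernel_read_system_state`, `selinux_get_enforce_mode`); the rendered view loses the `-` markers, so which lines went is inferred from the hunk counts. If `kernel_read_system_state` went but its `# is_selinux_enabled` comment stayed, that comment is now orphaned and should go too.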
@ -284,6 +284,8 @@ ifdef(`init_systemd',`
|
|||
manage_lnk_files_pattern(init_t, init_runtime_t, init_runtime_t)
|
||||
manage_sock_files_pattern(init_t, init_runtime_t, init_runtime_t)
|
||||
manage_dirs_pattern(init_t, init_runtime_t, init_runtime_t)
|
||||
# /memfd:systemd-state
|
||||
fs_tmpfs_filetrans(init_t, init_runtime_t, file)
|
||||
|
||||
manage_files_pattern(init_t, systemd_unit_t, systemdunit)
|
||||
|
||||
|
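Review bot: The comment `# /memfd:systemd-state` on the new `fs_tmpfs_filetrans(init_t, init_runtime_t, file)` names the memfd but not why a tmpfs transition is involved; `# memfd files (/memfd:systemd-state) are tmpfs-backed, label them init_runtime_t` would let the next reader see the connection without a denial log. The matching `manage_files_pattern` on init_runtime_t is not visible in this hunk, so its presence is assumed.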
@ -317,7 +319,6 @@ ifdef(`init_systemd',`
|
|||
dev_manage_input_dev(init_t)
|
||||
dev_relabel_all_sysfs(init_t)
|
||||
dev_relabel_generic_symlinks(init_t)
|
||||
dev_read_urand(init_t)
|
||||
dev_write_kmsg(init_t)
|
||||
dev_write_urand(init_t)
|
||||
dev_rw_lvm_control(init_t)
|
||||
|
@ -441,9 +442,9 @@ ifdef(`init_systemd',`
|
|||
auth_manage_var_auth(init_t)
|
||||
auth_relabel_login_records(init_t)
|
||||
auth_relabel_pam_console_data_dirs(init_t)
|
||||
auth_domtrans_chk_passwd(init_t)
|
||||
|
||||
logging_manage_pid_sockets(init_t)
|
||||
logging_send_audit_msgs(init_t)
|
||||
logging_relabelto_devlog_sock_files(init_t)
|
||||
logging_relabel_generic_log_dirs(init_t)
|
||||
logging_audit_socket_activation(init_t)
|
||||
|
|
|
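Review bot: If `auth_domtrans_chk_passwd(init_t)` is the line this hunk changes, it deserves a one-line comment naming the PID 1 code path that runs the password-check helper, since a domain transition out of init_t is not obvious among the surrounding auth_* relabel rules; something of the shape `# for <call site — confirm>` in the style of the other comments in this file. The rendered view drops the markers, so which of the nine lines is new cannot be read off directly.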
@ -60,7 +60,12 @@ template(`systemd_role_template',`
|
|||
# Allow using file descriptors for user environment generators
|
||||
allow $3 $1_systemd_t:fd use;
|
||||
|
||||
# systemctl --user
|
||||
stream_connect_pattern($3, systemd_user_runtime_t, systemd_user_runtime_t, $1_systemd_t)
|
||||
|
||||
can_exec($3, { systemd_run_exec_t systemd_analyze_exec_t })
|
||||
|
||||
dbus_system_bus_client($1_systemd_t)
|
||||
')
|
||||
|
||||
######################################
|
||||
|
|
|
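Review bot: The new `can_exec($3, { systemd_run_exec_t systemd_analyze_exec_t })` runs systemd-run and systemd-analyze in the caller's own domain with no transition and, unlike the `stream_connect_pattern` line above it, carries no comment; `# systemd-run --user / systemd-analyze, run in the user domain` would make the intent explicit. Executing without a transition is the conservative choice here since the user domain gains no new privilege, but the reason for including systemd-analyze specifically is worth a word. The template continues outside the hunk.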
@ -1083,6 +1083,8 @@ optional_policy(`
|
|||
# Rfkill local policy
|
||||
#
|
||||
|
||||
allow systemd_rfkill_t self:netlink_kobject_uevent_socket { bind create getattr read setopt };
|
||||
|
||||
manage_dirs_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
|
||||
manage_files_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
|
||||
init_var_lib_filetrans(systemd_rfkill_t, systemd_rfkill_var_lib_t, dir)
|
||||
|
@ -1250,6 +1252,7 @@ files_manage_etc_symlinks(systemd_tmpfiles_t)
|
|||
fs_getattr_tmpfs(systemd_tmpfiles_t)
|
||||
fs_getattr_xattr_fs(systemd_tmpfiles_t)
|
||||
fs_list_tmpfs(systemd_tmpfiles_t)
|
||||
fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t)
|
||||
|
||||
selinux_get_fs_mount(systemd_tmpfiles_t)
|
||||
selinux_search_fs(systemd_tmpfiles_t)
|
||||
|
@ -1346,14 +1349,17 @@ systemd_log_parse_environment(systemd_update_done_t)
|
|||
# User session (systemd --user) local policy
|
||||
#
|
||||
|
||||
allow systemd_user_session_type self:bpf { prog_load prog_run };
|
||||
allow systemd_user_session_type self:capability { dac_read_search sys_resource };
|
||||
dontaudit systemd_user_session_type self:capability dac_override;
|
||||
allow systemd_user_session_type self:process { setfscreate setsockcreate };
|
||||
allow systemd_user_session_type self:fifo_file rw_fifo_file_perms;
|
||||
allow systemd_user_session_type self:process { setfscreate setsockcreate setcap getcap };
|
||||
allow systemd_user_session_type self:udp_socket create_socket_perms;
|
||||
allow systemd_user_session_type self:unix_stream_socket create_stream_socket_perms;
|
||||
allow systemd_user_session_type self:netlink_kobject_uevent_socket { bind create getattr read setopt };
|
||||
|
||||
allow systemd_user_session_type systemd_user_runtime_t:dir manage_dir_perms;
|
||||
allow systemd_user_session_type systemd_user_runtime_t:lnk_file manage_lnk_file_perms;
|
||||
allow systemd_user_session_type systemd_user_runtime_t:sock_file { create write };
|
||||
userdom_user_runtime_filetrans(systemd_user_session_type, systemd_user_runtime_t, dir)
|
||||
|
||||
|
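Review bot: If `allow systemd_user_session_type self:bpf { prog_load prog_run };` is among the lines this hunk adds, it is the most security-sensitive grant in the section and has no comment; a `# for <unit property needing BPF — confirm>` note in the style of the file's `# for /run/systemd/notify` comments would justify it, since BPF program loading by an unprivileged user manager is a sizeable kernel surface and is normally gated by `kernel.unprivileged_bpf_disabled` and capabilities anyway. The same applies to the `dac_read_search` capability and the widened `{ setfscreate setsockcreate setcap getcap }` process line, whose older `{ setfscreate setsockcreate }` form is still visible alongside it. The markers are lost in the rendering, so which lines are new is inferred from the +3 count.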
@ -1369,32 +1375,44 @@ can_exec(systemd_user_session_type, systemd_generator_exec_t)
|
|||
dev_write_sysfs_dirs(systemd_user_session_type)
|
||||
dev_read_sysfs(systemd_user_session_type)
|
||||
|
||||
domain_getattr_all_entry_files(systemd_user_session_type)
|
||||
|
||||
files_read_etc_files(systemd_user_session_type)
|
||||
files_list_usr(systemd_user_session_type)
|
||||
# /etc/localtime
|
||||
files_watch_etc_symlinks(systemd_user_session_type)
|
||||
|
||||
fs_getattr_cgroup(systemd_user_session_type)
|
||||
fs_getattr_tmpfs(systemd_user_session_type)
|
||||
fs_rw_cgroup_files(systemd_user_session_type)
|
||||
fs_manage_cgroup_dirs(systemd_user_session_type)
|
||||
|
||||
# for /run/systemd/notify
|
||||
init_dgram_send(systemd_user_session_type)
|
||||
init_signal(systemd_user_session_type)
|
||||
|
||||
# for /proc/sys/fs/nr_open
|
||||
kernel_read_fs_sysctls(systemd_user_session_type)
|
||||
kernel_read_kernel_sysctls(systemd_user_session_type)
|
||||
|
||||
mount_list_runtime(systemd_user_session_type)
|
||||
|
||||
selinux_compute_access_vector(systemd_user_session_type)
|
||||
selinux_compute_create_context(systemd_user_session_type)
|
||||
|
||||
storage_getattr_fixed_disk_dev(systemd_user_session_type)
|
||||
|
||||
# for /run/systemd/notify
|
||||
init_dgram_send(systemd_user_session_type)
|
||||
init_signal(systemd_user_session_type)
|
||||
|
||||
logging_send_audit_msgs(systemd_user_session_type)
|
||||
|
||||
miscfiles_read_localization(systemd_user_session_type)
|
||||
|
||||
mount_list_runtime(systemd_user_session_type)
|
||||
mount_watch_runtime_dirs(systemd_user_session_type)
|
||||
|
||||
# for systemd to read udev status
|
||||
udev_read_pid_files(systemd_user_session_type)
|
||||
udev_list_pids(systemd_user_session_type)
|
||||
|
||||
seutil_libselinux_linked(systemd_user_session_type)
|
||||
|
||||
#########################################
|
||||
#
|
||||
# systemd-user-runtime-dir local policy
|
||||
|
|
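Review bot: Several grants in this hunk have no comment saying which user-manager operation needs them, most notably `storage_getattr_fixed_disk_dev(systemd_user_session_type)`, `domain_getattr_all_entry_files(systemd_user_session_type)` and the two `selinux_compute_*` calls, while neighbouring lines follow the `# for /proc/sys/fs/nr_open` convention. The `# for /run/systemd/notify` block and `mount_list_runtime` each appear twice in the rendered view, presumably once as the removed copy and once at the new alphabetical position; worth a glance that only one survives on the new side. The enclosing section continues beyond the hunk.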