reorder
parent
d6b0f3712f
commit
a154cd45f3
|
@ -193,8 +193,25 @@ allow kernel_t security_t:file rw_file_perms;
|
|||
allow kernel_t security_t:security load_policy;
|
||||
auditallow kernel_t security_t:security load_policy;
|
||||
|
||||
# Kernel-generated traffic e.g., ICMP replies:
|
||||
corenet_raw_sendrecv_all_if(kernel_t)
|
||||
corenet_raw_sendrecv_all_nodes(kernel_t)
|
||||
# Kernel-generated traffic e.g., TCP resets:
|
||||
corenet_raw_sendrecv_all_ifaces(kernel_t)
|
||||
corenet_raw_sendrecv_all_nodes(kernel_t)
|
||||
|
||||
terminal_use_console(kernel_t)
|
||||
|
||||
# Mount root file system. Used when loading a policy
|
||||
# from initrd, then mounting the root filesystem
|
||||
fs_mount_all_fs(kernel_t)
|
||||
|
||||
corecommands_execute_shell(kernel_t)
|
||||
corecommands_read_system_programs_directory(kernel_t)
|
||||
# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
|
||||
corecommands_execute_general_programs(kernel_t)
|
||||
|
||||
domain_signal_all_domains(kernel_t)
|
||||
|
||||
files_read_root_dir(kernel_t)
|
||||
files_list_home_directories(kernel_t)
|
||||
|
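Review bot: The two network blocks added here spell the interface name differently — `corenet_raw_sendrecv_all_if(kernel_t)` under the ICMP comment and `corenet_raw_sendrecv_all_ifaces(kernel_t)` under the TCP-resets comment — so presumably only one of them is actually defined, and an undefined interface is left unexpanded by m4 and fails at policy build time; the two should match. The "TCP resets" block also calls the same raw interfaces as the ICMP block (`corenet_raw_sendrecv_all_ifaces` / `corenet_raw_sendrecv_all_nodes`), whereas the lines this commit appears to remove in the next hunk used distinct tcp interfaces (`corenetwork_sendrecv_tcp_on_all_interfaces`, `corenetwork_sendrecv_tcp_on_all_nodes`); if the tcp variants still exist in the new corenet module, the second block should use them rather than duplicating the raw rules. Which lines are old and which are new is inferred from the surrounding hunk, since the rendered page lost its markers. A short comment stating that kernel-generated resets are covered by the raw rules would be warranted if the duplication is intentional.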
@ -205,39 +222,15 @@ init_sigchld(kernel_t)
|
|||
libraries_use_dynamic_loader(kernel_t)
|
||||
libraries_use_shared_libraries(kernel_t)
|
||||
|
||||
selinux_read_config(kernel_t)
|
||||
selinux_read_binary_policy(kernel_t)
|
||||
|
||||
terminal_use_console(kernel_t)
|
||||
domain_signal_all_domains(kernel_t)
|
||||
|
||||
# Mount root file system. Used when loading a policy
|
||||
# from initrd, then mounting the root filesystem
|
||||
fs_mount_all_fs(kernel_t)
|
||||
|
||||
# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
|
||||
corecommands_execute_general_programs(kernel_t)
|
||||
|
||||
logging_send_system_log_message(kernel_t)
|
||||
|
||||
# Kernel-generated traffic, e.g. ICMP replies.
|
||||
corenetwork_sendrecv_raw_on_all_interfaces(kernel_t)
|
||||
corenetwork_sendrecv_raw_on_all_nodes(kernel_t)
|
||||
|
||||
# Kernel-generated traffic, e.g. TCP resets.
|
||||
corenetwork_sendrecv_tcp_on_all_interfaces(kernel_t)
|
||||
corenetwork_sendrecv_tcp_on_all_nodes(kernel_t)
|
||||
selinux_read_config(kernel_t)
|
||||
selinux_read_binary_policy(kernel_t)
|
||||
|
||||
neverallow ~can_load_policy security_t:security load_policy;
|
||||
neverallow ~can_setenforce security_t:security setenforce;
|
||||
neverallow ~can_setsecparam security_t:security setsecparam;
|
||||
|
||||
# enabling dyntransition breaks process tranquility. If you dont
|
||||
# know what this means or dont understand the implications of a
|
||||
# dynamic transition, you shouldnt be using it!!!
|
||||
neverallow * *:process { setcurrent dyntransition };
|
||||
|
||||
neverallow ~can_load_kernmodule *:capability sys_module;
|
||||
neverallow ~can_load_kernmodule self:capability sys_module;
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
@ -11,3 +11,8 @@ attribute entry_type;
|
|||
attribute privfd;
|
||||
|
||||
neverallow domain ~domain:process { transition dyntransition };
|
||||
|
||||
# enabling setcurrent breaks process tranquility. If you do not
|
||||
# know what this means or do not understand the implications of a
|
||||
# dynamic transition, you should not be using it!!!
|
||||
neverallow * *:process setcurrent;
|
||||
|
|
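Review bot: The new `neverallow domain ~domain:process { transition dyntransition };` only forbids dynamic transitions into non-domain types, so if the kernel.te hunk above is dropping `neverallow * *:process { setcurrent dyntransition };` (the side is inferred from the hunk counts), a dyntransition between any two domains stops being prohibited policy-wide — a loosening that a commit titled "reorder" does not signal and that deserves either a comment justifying it or the broader rule kept. The comment added above `neverallow * *:process setcurrent;` still talks about "the implications of a dynamic transition", which no longer matches the single permission beneath it; something like `# setcurrent lets a process change its own context without exec, breaking process tranquility; do not allow it unless you understand the implications.` reads correctly for the rule as written. The attribute declarations this hunk extends continue outside the hunk.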