add a few missing bits
parent
42e77a59e9
commit
a4bbe382c1
|
@ -595,6 +595,13 @@ template(`unpriv_user_template', `
|
|||
kernel_dontaudit_read_ring_buffer($1_t)
|
||||
')
|
||||
|
||||
# Allow users to rw usb devices
|
||||
tunable_policy(`user_rw_usb',`
|
||||
dev_rw_usbfs($1_t)
|
||||
',`
|
||||
dev_read_usbfs($1_t)
|
||||
')
|
||||
|
||||
# Allow users to run TCP servers (bind to ports and accept connection from
|
||||
# the same domain and outside users) disabling this forces FTP passive mode
|
||||
# and may change other protocols
|
||||
|
@ -699,13 +706,6 @@ template(`unpriv_user_template', `
|
|||
allow $1_t var_lib_t:dir r_dir_perms;
|
||||
allow $1_t var_lib_t:file { getattr read };
|
||||
|
||||
# Allow users to rw usb devices
|
||||
tunable_policy(`user_rw_usb',`
|
||||
rw_dir_create_file($1_t,usbdevfs_t)
|
||||
',`
|
||||
r_dir_file($1_t,usbdevfs_t)
|
||||
')
|
||||
|
||||
# Do not audit write denials to /etc/ld.so.cache.
|
||||
dontaudit $1_t ld_so_cache_t:file write;
|
||||
|
||||
|
@ -720,7 +720,6 @@ template(`unpriv_user_template', `
|
|||
')
|
||||
|
||||
allow $1_t initrc_t:fifo_file write;
|
||||
|
||||
') dnl end TODO
|
||||
')
|
||||
|
||||
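Review bot: The comment `# Allow users to rw usb devices` above the relocated user_rw_usb tunable block describes only the enabled branch; the else-branch `dev_read_usbfs($1_t)` still gives every domain built from unpriv_user_template read access to usbfs when the tunable is off. I would say so in the comment, e.g. `# Allow users to rw usb devices; with user_rw_usb off they keep read access to usbfs`. The block also appears to move out of the section closed by `') dnl end TODO`, so it takes effect where it may previously have been compiled out. It swaps `rw_dir_create_file` and `r_dir_file` on usbdevfs_t for dev_* interfaces whose definitions are not on this page, so it is worth confirming that they grant no more than the old rules did. The template body starts and ends outside these hunks.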
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(userdomain,1.3.0)
|
||||
policy_module(userdomain,1.3.1)
|
||||
|
||||
gen_require(`
|
||||
role sysadm_r, staff_r, user_r;
|
||||
|
@ -128,7 +128,8 @@ ifdef(`targeted_policy',`
|
|||
|
||||
ifdef(`enable_mls',`
|
||||
admin_user_template(secadm)
|
||||
role_change(staff, secadm)
|
||||
role_change(staff,secadm)
|
||||
role_change(sysadm,secadm)
|
||||
')
|
||||
|
||||
# this should be tunable_policy, but
|
||||
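Review bot: The added `role_change(sysadm,secadm)` in the enable_mls block carries no comment explaining why sysadm may switch to secadm, although under MLS the secadm role is normally what keeps security administration separate from system administration. The role_change macro is defined outside this page; if it permits the role transition in both directions, as its name suggests, that separation then rests entirely on which SELinux users are authorized for both roles. I would add a comment such as `# sysadm <-> secadm role change; separation relies on per-user role authorization` and confirm that this is the intended design. The surrounding targeted_policy ifdef named in the hunk header starts outside the hunk, so which policy variants receive this rule cannot be checked from here.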
|
|