selinux-refpolicy/policy/modules/system
Nicolas Iooss 27f4846ff8 userdomain: no longer allow unprivileged users to read kernel symbols
Unprivileged users don't need to read kallsyms and /boot/System.map.

This allow rule was introduced in the initial revision of userdomain.if in
2005, with commit b16c6b8c32a631a2e66265f6f60b664222760972:

    # cjp: why?
    bootloader_read_kernel_symbol_table($1_t)
2014-04-04 15:52:17 -04:00
application.fc
application.if
application.te
authlogin.fc authlogin: Sudo file context specification did not catch paths (squash me) 2013-09-26 09:25:27 -04:00
authlogin.if authlogin.if: Add auth_create_pam_console_data_dirs and auth_pid_filetrans_pam_var_console interfaces 2012-12-07 00:27:38 -05:00
authlogin.te Bump module versions for release. 2014-03-11 08:16:57 -04:00
clock.fc
clock.if Rearrange interfaces in files, clock, and udev. 2012-10-30 14:16:30 -04:00
clock.te Bump module versions for release. 2014-03-11 08:16:57 -04:00
fstools.fc Label fatsort as fsadm_exec_t. 2014-02-15 14:39:32 -05:00
fstools.if
fstools.te Bump module versions for release. 2014-03-11 08:16:57 -04:00
getty.fc
getty.if
getty.te Bump module versions for release. 2013-04-24 16:14:52 -04:00
hostname.fc
hostname.if
hostname.te Bump module versions for release. 2014-03-11 08:16:57 -04:00
hotplug.fc
hotplug.if
hotplug.te Bump module versions for release. 2014-03-11 08:16:57 -04:00
init.fc Label /var/run/initctl as initctl_t 2013-01-23 07:08:38 -05:00
init.if Change behavior of init_run_daemon() 2014-01-16 14:42:00 -05:00
init.te Bump module versions for release. 2014-03-11 08:16:57 -04:00
ipsec.fc
ipsec.if
ipsec.te Bump module versions for release. 2013-04-24 16:14:52 -04:00
iptables.fc Add conntrack fc entry. 2013-04-05 09:45:04 -04:00
iptables.if
iptables.te Bump module versions for release. 2014-03-11 08:16:57 -04:00
libraries.fc Whitespace fix in libraries. 2013-12-06 08:48:04 -05:00
libraries.if
libraries.te Bump module versions for release. 2014-03-11 08:16:57 -04:00
locallogin.fc
locallogin.if
locallogin.te Bump module versions for release. 2014-03-11 08:16:57 -04:00
logging.fc Add fcontext for rsyslog pidfile 2014-01-31 21:54:40 -05:00
logging.if
logging.te Bump module versions for release. 2014-03-11 08:16:57 -04:00
lvm.fc udev-acl.ck lists /run/udev/tags/udev-acl udev blocks suspend, and compromises kernel 2013-09-27 16:35:28 -04:00
lvm.if
lvm.te Bump module versions for release. 2014-03-11 08:16:57 -04:00
metadata.xml
miscfiles.fc Whitespace fix in miscfiles.fc. 2012-11-26 11:07:16 -05:00
miscfiles.if Adjust man cache interface names. 2012-11-26 11:07:32 -05:00
miscfiles.te Bump module versions for release. 2013-04-24 16:14:52 -04:00
modutils.fc
modutils.if
modutils.te Bump module versions for release. 2014-03-11 08:16:57 -04:00
mount.fc Rearrange ZFS fc entries. 2014-01-21 08:55:28 -05:00
mount.if Fix read loopback file interface. 2014-02-08 11:35:57 -05:00
mount.te Bump module versions for release. 2014-03-11 08:16:57 -04:00
netlabel.fc
netlabel.if
netlabel.te
selinuxutil.fc Label /etc/selinux/([^/]*/)?modules(/.*)? as semanage_store_t 2014-01-16 16:12:44 -05:00
selinuxutil.if Label /etc/selinux/([^/]*/)?modules(/.*)? as semanage_store_t 2014-01-16 16:12:44 -05:00
selinuxutil.te Bump module versions for release. 2014-03-11 08:16:57 -04:00
setrans.fc
setrans.if
setrans.te Bump module versions for release. 2014-03-11 08:16:57 -04:00
sysnetwork.fc sysnetwork: Debian stores network interface configuration in /run/network (ifstate), That directory is created by the /etc/init.d/networking script. 2013-09-27 14:39:29 -04:00
sysnetwork.if hostname: do not audit attempts by hostname to read and write dhcpc udp sockets (looks like a leaked fd) 2013-09-27 15:13:19 -04:00
sysnetwork.te Bump module versions for release. 2014-03-11 08:16:57 -04:00
udev.fc udev: in debian udevadm is located in /bin/udevadm 2013-12-03 11:34:15 -05:00
udev.if udev.if: Call files_search_pid instead of files_search_var_lib in udev_manage_pid_files 2013-01-23 07:09:05 -05:00
udev.te Bump module versions for release. 2014-03-11 08:16:57 -04:00
unconfined.fc
unconfined.if Unconfined domains have unconfined access to all of dbus rather than only system bus 2013-09-26 10:14:30 -04:00
unconfined.te Bump module versions for release. 2014-03-11 08:16:57 -04:00
userdomain.fc
userdomain.if userdomain: no longer allow unprivileged users to read kernel symbols 2014-04-04 15:52:17 -04:00
userdomain.te Bump module versions for release. 2014-03-11 08:16:57 -04:00