553 lines
18 KiB
Plaintext
553 lines
18 KiB
Plaintext
policy_module(kernel, 1.30.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Disable kernel module loading.
|
|
## </p>
|
|
## </desc>
|
|
gen_bool(secure_mode_insmod, false)
|
|
|
|
# assertion related attributes
|
|
attribute can_load_kernmodule;
|
|
attribute can_receive_kernel_messages;
|
|
attribute can_dump_kernel;
|
|
|
|
neverallow ~can_load_kernmodule self:capability sys_module;
|
|
|
|
# domains with unconfined access to kernel resources
|
|
attribute kern_unconfined;
|
|
|
|
# regular entries in proc
|
|
attribute proc_type;
|
|
|
|
# sysctls
|
|
attribute sysctl_type;
|
|
|
|
role system_r;
|
|
role sysadm_r;
|
|
role staff_r;
|
|
role user_r;
|
|
|
|
# here until order dependence is fixed:
|
|
role unconfined_r;
|
|
|
|
ifdef(`enable_mls',`
|
|
role secadm_r;
|
|
role auditadm_r;
|
|
')
|
|
|
|
#
|
|
# kernel_t is the domain of kernel threads.
|
|
# It is also the target type when checking permissions in the system class.
|
|
#
|
|
type kernel_t, can_load_kernmodule;
|
|
domain_base_type(kernel_t)
|
|
role system_r types kernel_t;
|
|
sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
|
|
|
|
#
|
|
# DebugFS
|
|
#
|
|
|
|
type debugfs_t;
|
|
files_mountpoint(debugfs_t)
|
|
fs_type(debugfs_t)
|
|
allow debugfs_t self:filesystem associate;
|
|
genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
|
|
|
|
#
|
|
# kvmFS
|
|
#
|
|
|
|
type kvmfs_t;
|
|
fs_type(kvmfs_t)
|
|
genfscon kvmfs / gen_context(system_u:object_r:kvmfs_t,s0)
|
|
|
|
#
|
|
# Procfs types
|
|
#
|
|
|
|
type proc_t, proc_type;
|
|
files_mountpoint(proc_t)
|
|
fs_type(proc_t)
|
|
genfscon proc / gen_context(system_u:object_r:proc_t,s0)
|
|
genfscon proc /sysvipc gen_context(system_u:object_r:proc_t,s0)
|
|
|
|
type proc_afs_t, proc_type;
|
|
genfscon proc /fs/openafs gen_context(system_u:object_r:proc_afs_t,s0)
|
|
|
|
# kernel message interface
|
|
type proc_kmsg_t, proc_type;
|
|
genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,mls_systemhigh)
|
|
neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file read;
|
|
|
|
optional_policy(`
|
|
init_mountpoint(proc_kmsg_t)
|
|
')
|
|
|
|
# /proc kcore: inaccessible
|
|
type proc_kcore_t, proc_type;
|
|
neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~{ getattr mounton };
|
|
genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
|
|
|
|
optional_policy(`
|
|
init_mountpoint(proc_kcore_t)
|
|
')
|
|
|
|
type proc_mdstat_t, proc_type;
|
|
genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)
|
|
|
|
type proc_net_t, proc_type;
|
|
genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0)
|
|
|
|
type proc_xen_t, proc_type;
|
|
files_mountpoint(proc_xen_t)
|
|
genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0)
|
|
|
|
#
|
|
# Sysctl types
|
|
#
|
|
|
|
# /proc/sys directory, base directory of sysctls
|
|
type sysctl_t, sysctl_type;
|
|
files_mountpoint(sysctl_t)
|
|
sid sysctl gen_context(system_u:object_r:sysctl_t,s0)
|
|
genfscon proc /sys gen_context(system_u:object_r:sysctl_t,s0)
|
|
|
|
# /proc/irq directory and files
|
|
type sysctl_irq_t, sysctl_type;
|
|
genfscon proc /irq gen_context(system_u:object_r:sysctl_irq_t,s0)
|
|
|
|
optional_policy(`
|
|
init_mountpoint(sysctl_irq_t)
|
|
')
|
|
|
|
# /proc/net/rpc directory and files
|
|
type sysctl_rpc_t, sysctl_type;
|
|
genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0)
|
|
|
|
# /proc/sys/crypto directory and files
|
|
type sysctl_crypto_t, sysctl_type;
|
|
genfscon proc /sys/crypto gen_context(system_u:object_r:sysctl_crypto_t,s0)
|
|
|
|
# /proc/sys/fs directory and files
|
|
type sysctl_fs_t, sysctl_type;
|
|
files_mountpoint(sysctl_fs_t)
|
|
genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
|
|
|
|
# /proc/sys/kernel directory and files
|
|
type sysctl_kernel_t, sysctl_type;
|
|
genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)
|
|
|
|
optional_policy(`
|
|
init_mountpoint(sysctl_kernel_t)
|
|
')
|
|
|
|
# /sys/kernel/ns_last_pid file
|
|
type sysctl_kernel_ns_last_pid_t, sysctl_type;
|
|
genfscon proc /sys/kernel/ns_last_pid gen_context(system_u:object_r:sysctl_kernel_ns_last_pid_t,s0)
|
|
|
|
# /proc/sys/kernel/modprobe file
|
|
type sysctl_modprobe_t, sysctl_type;
|
|
genfscon proc /sys/kernel/modprobe gen_context(system_u:object_r:sysctl_modprobe_t,s0)
|
|
|
|
# /proc/sys/kernel/hotplug file
|
|
type sysctl_hotplug_t, sysctl_type;
|
|
genfscon proc /sys/kernel/hotplug gen_context(system_u:object_r:sysctl_hotplug_t,s0)
|
|
|
|
# /proc/sys/net directory and files
|
|
type sysctl_net_t, sysctl_type;
|
|
genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0)
|
|
|
|
# /proc/sys/net/unix directory and files
|
|
type sysctl_net_unix_t, sysctl_type;
|
|
genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
|
|
|
|
# /proc/sys/vm directory and files
|
|
type sysctl_vm_t, sysctl_type;
|
|
genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0)
|
|
|
|
type sysctl_vm_overcommit_t, sysctl_type;
|
|
genfscon proc /sys/vm/overcommit_memory gen_context(system_u:object_r:sysctl_vm_overcommit_t,s0)
|
|
|
|
# /proc/sys/dev directory and files
|
|
type sysctl_dev_t, sysctl_type;
|
|
genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
|
|
|
|
#
|
|
# unlabeled_t is the type of unlabeled objects.
|
|
# Objects that have no known labeling information or that
|
|
# have labels that are no longer valid are treated as having this type.
|
|
#
|
|
# Mountpoint permissions are for the case when a file has been assigned
|
|
# an extended attribute for the first time (old file_t). Directories
|
|
# where filesystems are mounted may never get relabeled.
|
|
#
|
|
type unlabeled_t;
|
|
kernel_rootfs_mountpoint(unlabeled_t)
|
|
fs_associate(unlabeled_t)
|
|
sid file gen_context(system_u:object_r:unlabeled_t,s0)
|
|
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
|
neverallow * unlabeled_t:file entrypoint;
|
|
|
|
# These initial sids are no longer used, and can be removed:
|
|
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
|
sid file_labels gen_context(system_u:object_r:unlabeled_t,s0)
|
|
sid icmp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
|
sid igmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
|
sid init gen_context(system_u:object_r:unlabeled_t,s0)
|
|
sid kmod gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
|
sid policy gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
|
sid scmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
|
sid sysctl_modprobe gen_context(system_u:object_r:unlabeled_t,s0)
|
|
sid sysctl_fs gen_context(system_u:object_r:unlabeled_t,s0)
|
|
sid sysctl_kernel gen_context(system_u:object_r:unlabeled_t,s0)
|
|
sid sysctl_net gen_context(system_u:object_r:unlabeled_t,s0)
|
|
sid sysctl_net_unix gen_context(system_u:object_r:unlabeled_t,s0)
|
|
sid sysctl_vm gen_context(system_u:object_r:unlabeled_t,s0)
|
|
sid sysctl_dev gen_context(system_u:object_r:unlabeled_t,s0)
|
|
sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
|
|
|
########################################
|
|
#
|
|
# kernel local policy
|
|
#
|
|
|
|
allow kernel_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
|
|
allow kernel_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
|
|
allow kernel_t self:shm create_shm_perms;
|
|
allow kernel_t self:sem create_sem_perms;
|
|
allow kernel_t self:msg { send receive };
|
|
allow kernel_t self:msgq create_msgq_perms;
|
|
allow kernel_t self:unix_dgram_socket create_socket_perms;
|
|
allow kernel_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow kernel_t self:unix_dgram_socket sendto;
|
|
allow kernel_t self:unix_stream_socket connectto;
|
|
allow kernel_t self:fifo_file rw_fifo_file_perms;
|
|
allow kernel_t self:sock_file read_sock_file_perms;
|
|
allow kernel_t self:fd use;
|
|
|
|
allow kernel_t debugfs_t:dir search_dir_perms;
|
|
|
|
allow kernel_t proc_t:dir list_dir_perms;
|
|
allow kernel_t proc_t:file read_file_perms;
|
|
allow kernel_t proc_t:lnk_file read_lnk_file_perms;
|
|
|
|
allow kernel_t proc_net_t:dir list_dir_perms;
|
|
allow kernel_t proc_net_t:file read_file_perms;
|
|
|
|
allow kernel_t proc_mdstat_t:file read_file_perms;
|
|
|
|
allow kernel_t proc_kcore_t:file getattr;
|
|
|
|
allow kernel_t proc_kmsg_t:file getattr;
|
|
|
|
allow kernel_t sysctl_kernel_t:dir list_dir_perms;
|
|
allow kernel_t sysctl_kernel_t:file read_file_perms;
|
|
allow kernel_t sysctl_t:dir list_dir_perms;
|
|
|
|
allow kernel_t sysctl_kernel_ns_last_pid_t:file read_file_perms;
|
|
|
|
# Other possible mount points for the root fs are in files
|
|
allow kernel_t unlabeled_t:dir mounton;
|
|
# Kernel-generated traffic e.g., TCP resets on
|
|
# connections with invalidated labels:
|
|
allow kernel_t unlabeled_t:packet send;
|
|
|
|
kernel_mounton_proc_dirs(kernel_t)
|
|
kernel_request_load_module(kernel_t)
|
|
|
|
# Allow unlabeled network traffic
|
|
allow unlabeled_t self:packet { forward_in forward_out };
|
|
corenet_in_generic_if(unlabeled_t)
|
|
corenet_in_generic_node(unlabeled_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(kernel_t)
|
|
corenet_all_recvfrom_netlabel(kernel_t)
|
|
# Kernel-generated traffic e.g., ICMP replies:
|
|
corenet_raw_sendrecv_all_if(kernel_t)
|
|
corenet_raw_sendrecv_all_nodes(kernel_t)
|
|
corenet_raw_send_generic_if(kernel_t)
|
|
# Kernel-generated traffic e.g., TCP resets:
|
|
corenet_tcp_sendrecv_all_if(kernel_t)
|
|
corenet_tcp_sendrecv_all_nodes(kernel_t)
|
|
corenet_raw_send_generic_node(kernel_t)
|
|
corenet_send_all_packets(kernel_t)
|
|
|
|
corenet_ib_access_all_pkeys(kernel_t)
|
|
corenet_ib_access_unlabeled_pkeys(kernel_t)
|
|
corenet_ib_manage_subnet_all_endports(kernel_t)
|
|
corenet_ib_manage_subnet_unlabeled_endports(kernel_t)
|
|
|
|
dev_mounton_sysfs(kernel_t)
|
|
dev_read_sysfs(kernel_t)
|
|
dev_search_usbfs(kernel_t)
|
|
# devtmpfs handling:
|
|
dev_create_generic_dirs(kernel_t)
|
|
dev_delete_generic_dirs(kernel_t)
|
|
dev_create_generic_blk_files(kernel_t)
|
|
dev_delete_generic_blk_files(kernel_t)
|
|
dev_create_generic_chr_files(kernel_t)
|
|
dev_delete_generic_chr_files(kernel_t)
|
|
dev_mounton(kernel_t)
|
|
dev_delete_generic_symlinks(kernel_t)
|
|
dev_rw_generic_chr_files(kernel_t)
|
|
dev_setattr_generic_blk_files(kernel_t)
|
|
dev_setattr_generic_chr_files(kernel_t)
|
|
dev_getattr_fs(kernel_t)
|
|
dev_getattr_sysfs(kernel_t)
|
|
dev_write_kmsg(kernel_t)
|
|
|
|
# Mount root file system. Used when loading a policy
|
|
# from initrd, then mounting the root filesystem
|
|
fs_mount_all_fs(kernel_t)
|
|
fs_unmount_all_fs(kernel_t)
|
|
|
|
fs_getattr_tmpfs(kernel_t)
|
|
fs_getattr_tmpfs_dirs(kernel_t)
|
|
fs_manage_tmpfs_dirs(kernel_t)
|
|
fs_manage_tmpfs_files(kernel_t)
|
|
fs_manage_tmpfs_sockets(kernel_t)
|
|
fs_delete_tmpfs_symlinks(kernel_t)
|
|
fs_read_all_inherited_image_files(kernel_t)
|
|
|
|
mls_rangetrans_source(kernel_t)
|
|
mls_process_set_level(kernel_t)
|
|
|
|
selinux_getattr_fs(kernel_t)
|
|
selinux_load_policy(kernel_t)
|
|
|
|
term_getattr_pty_fs(kernel_t)
|
|
term_use_console(kernel_t)
|
|
term_use_generic_ptys(kernel_t)
|
|
|
|
# for kdevtmpfs
|
|
term_setattr_unlink_unallocated_ttys(kernel_t)
|
|
|
|
corecmd_exec_shell(kernel_t)
|
|
corecmd_list_bin(kernel_t)
|
|
# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
|
|
corecmd_exec_bin(kernel_t)
|
|
|
|
domain_signal_all_domains(kernel_t)
|
|
domain_search_all_domains_state(kernel_t)
|
|
|
|
files_getattr_rootfs(kernel_t)
|
|
files_manage_root_dir(kernel_t)
|
|
files_delete_root_files(kernel_t)
|
|
files_exec_root_files(kernel_t)
|
|
files_delete_root_symlinks(kernel_t)
|
|
files_delete_root_chr_files(kernel_t)
|
|
files_list_root(kernel_t)
|
|
files_list_etc(kernel_t)
|
|
files_getattr_etc_runtime_dirs(kernel_t)
|
|
files_mounton_etc_runtime_dirs(kernel_t)
|
|
files_list_home(kernel_t)
|
|
files_read_usr_files(kernel_t)
|
|
|
|
mcs_process_set_categories(kernel_t)
|
|
|
|
mls_process_read_all_levels(kernel_t)
|
|
mls_process_write_all_levels(kernel_t)
|
|
mls_file_write_all_levels(kernel_t)
|
|
mls_file_read_all_levels(kernel_t)
|
|
|
|
ifdef(`distro_redhat',`
|
|
# Bugzilla 222337
|
|
fs_rw_tmpfs_chr_files(kernel_t)
|
|
')
|
|
|
|
ifdef(`init_systemd',`
|
|
optional_policy(`
|
|
dev_manage_input_dev(kernel_t)
|
|
dev_filetrans_input_dev(kernel_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
selinux_compute_create_context(kernel_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
storage_dev_filetrans_fixed_disk(kernel_t)
|
|
storage_setattr_fixed_disk_dev(kernel_t)
|
|
storage_create_fixed_disk_dev(kernel_t)
|
|
storage_delete_fixed_disk_dev(kernel_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
# loop devices
|
|
fstools_use_fds(kernel_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
init_sigchld(kernel_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
libs_use_ld_so(kernel_t)
|
|
libs_use_shared_libs(kernel_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
logging_manage_generic_logs(kernel_t)
|
|
logging_send_syslog_msg(kernel_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mount_use_fds(kernel_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nis_use_ypbind(kernel_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dev_ioctl_dri_dev(kernel_t)
|
|
|
|
plymouthd_delete_runtime_files(kernel_t)
|
|
plymouthd_read_runtime_files(kernel_t)
|
|
plymouthd_read_spool_files(kernel_t)
|
|
plymouthd_rw_lib_files(kernel_t)
|
|
|
|
term_use_ptmx(kernel_t)
|
|
term_use_unallocated_ttys(kernel_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
# nfs kernel server needs kernel UDP access. It is less risky and painful
|
|
# to just give it everything.
|
|
allow kernel_t self:tcp_socket create_stream_socket_perms;
|
|
allow kernel_t self:udp_socket create_socket_perms;
|
|
|
|
# nfs kernel server needs kernel UDP access. It is less risky and painful
|
|
# to just give it everything.
|
|
corenet_udp_sendrecv_generic_if(kernel_t)
|
|
corenet_udp_sendrecv_generic_node(kernel_t)
|
|
corenet_udp_bind_generic_node(kernel_t)
|
|
corenet_sendrecv_portmap_client_packets(kernel_t)
|
|
corenet_sendrecv_generic_server_packets(kernel_t)
|
|
|
|
fs_getattr_xattr_fs(kernel_t)
|
|
|
|
auth_dontaudit_getattr_shadow(kernel_t)
|
|
|
|
sysnet_read_config(kernel_t)
|
|
|
|
rpc_manage_nfs_ro_content(kernel_t)
|
|
rpc_manage_nfs_rw_content(kernel_t)
|
|
rpc_tcp_rw_nfs_sockets(kernel_t)
|
|
rpc_udp_rw_nfs_sockets(kernel_t)
|
|
|
|
optional_policy(`
|
|
gssproxy_stream_connect(kernel_t)
|
|
')
|
|
|
|
tunable_policy(`nfs_export_all_ro',`
|
|
fs_getattr_noxattr_fs(kernel_t)
|
|
fs_list_noxattr_fs(kernel_t)
|
|
fs_read_noxattr_fs_files(kernel_t)
|
|
fs_read_noxattr_fs_symlinks(kernel_t)
|
|
|
|
files_list_non_auth_dirs(kernel_t)
|
|
files_read_non_auth_files(kernel_t)
|
|
files_read_non_auth_symlinks(kernel_t)
|
|
')
|
|
|
|
tunable_policy(`nfs_export_all_rw',`
|
|
fs_getattr_noxattr_fs(kernel_t)
|
|
fs_list_noxattr_fs(kernel_t)
|
|
fs_read_noxattr_fs_files(kernel_t)
|
|
fs_read_noxattr_fs_symlinks(kernel_t)
|
|
|
|
files_manage_non_auth_files(kernel_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_read_config(kernel_t)
|
|
seutil_read_bin_policy(kernel_t)
|
|
seutil_domtrans_setfiles(kernel_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
unconfined_domain_noaudit(kernel_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Unlabeled process local policy
|
|
#
|
|
|
|
optional_policy(`
|
|
# If you load a new policy that removes active domains, processes can
|
|
# get stuck if you do not allow unlabeled processes to signal init.
|
|
# If you load an incompatible policy, you should probably reboot,
|
|
# since you may have compromised system security.
|
|
init_sigchld(unlabeled_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Kernel module loading policy
|
|
#
|
|
|
|
if(secure_mode_insmod) {
|
|
dontaudit can_load_kernmodule self:capability sys_module;
|
|
dontaudit can_load_kernmodule self:system module_load;
|
|
|
|
files_dontaudit_load_kernel_modules(can_load_kernmodule)
|
|
|
|
# load_module() calls stop_machine() which
|
|
# calls sched_setscheduler()
|
|
# gt: there seems to be no trace of the above, at
|
|
# least in kernel versions greater than 2.6.37...
|
|
dontaudit can_load_kernmodule self:capability sys_nice;
|
|
dontaudit can_load_kernmodule kernel_t:process setsched;
|
|
dontaudit can_load_kernmodule kernel_t:key search;
|
|
} else {
|
|
allow can_load_kernmodule self:capability sys_module;
|
|
allow can_load_kernmodule self:system module_load;
|
|
|
|
files_load_kernel_modules(can_load_kernmodule)
|
|
|
|
# load_module() calls stop_machine() which
|
|
# calls sched_setscheduler()
|
|
# gt: there seems to be no trace of the above, at
|
|
# least in kernel versions greater than 2.6.37...
|
|
allow can_load_kernmodule self:capability sys_nice;
|
|
kernel_search_key(can_load_kernmodule)
|
|
kernel_setsched(can_load_kernmodule)
|
|
}
|
|
|
|
########################################
|
|
#
|
|
# Rules for unconfined access to this module
|
|
#
|
|
|
|
allow kern_unconfined proc_type:dir { manage_dir_perms relabel_dir_perms append map execute quotaon mounton audit_access execmod watch };
|
|
allow kern_unconfined proc_type:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms append map execute quotaon mounton open audit_access execmod watch };
|
|
allow kern_unconfined proc_type:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton audit_access watch };
|
|
|
|
allow kern_unconfined sysctl_type:dir { manage_dir_perms relabel_dir_perms append map execute quotaon mounton audit_access execmod watch };
|
|
allow kern_unconfined sysctl_type:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton audit_access watch };
|
|
|
|
allow kern_unconfined kernel_t:system { ipc_info syslog_read syslog_mod syslog_console module_request module_load halt reboot status start stop enable disable reload };
|
|
|
|
allow kern_unconfined unlabeled_t:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton audit_access watch };
|
|
allow kern_unconfined unlabeled_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms append map execute quotaon mounton open audit_access execmod watch };
|
|
allow kern_unconfined unlabeled_t:sock_file { manage_sock_file_perms relabel_sock_file_perms map execute quotaon mounton audit_access execmod watch };
|
|
allow kern_unconfined unlabeled_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms map execute quotaon mounton audit_access execmod watch };
|
|
allow kern_unconfined unlabeled_t:blk_file { manage_blk_file_perms relabel_blk_file_perms map execute quotaon mounton audit_access execmod watch };
|
|
allow kern_unconfined unlabeled_t:chr_file { manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton audit_access watch };
|
|
allow kern_unconfined unlabeled_t:dir { manage_dir_perms relabelfrom relabelto append map execute quotaon mounton add_name remove_name reparent search rmdir audit_access execmod watch };
|
|
allow kern_unconfined unlabeled_t:filesystem { mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch };
|
|
allow kern_unconfined unlabeled_t:association { sendto recvfrom setcontext polmatch };
|
|
allow kern_unconfined unlabeled_t:packet { send recv relabelto forward_in forward_out };
|
|
allow kern_unconfined unlabeled_t:process { fork signal_perms ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh setcurrent setkeycreate setsockcreate getrlimit };
|