domain: move kernel_read_crypto_sysctls to a common location
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
parent
d2fc884d26
commit
6ff1259688
@ -44,8 +44,6 @@ logging_log_filetrans(aide_t, aide_log_t, file)
|
||||
files_read_all_files(aide_t)
|
||||
files_read_all_symlinks(aide_t)
|
||||
|
||||
kernel_read_crypto_sysctls(aide_t)
|
||||
|
||||
logging_send_audit_msgs(aide_t)
|
||||
logging_send_syslog_msg(aide_t)
|
||||
|
||||
|
@ -74,7 +74,6 @@ init_read_state(cloud_init_t)
|
||||
init_stream_connect(cloud_init_t)
|
||||
|
||||
kernel_read_system_state(cloud_init_t)
|
||||
kernel_read_crypto_sysctls(cloud_init_t)
|
||||
kernel_read_kernel_sysctls(cloud_init_t)
|
||||
|
||||
libs_dontaudit_manage_lib_dirs(cloud_init_t)
|
||||
|
@ -97,7 +97,6 @@ files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
|
||||
|
||||
kernel_dontaudit_search_sysctl(puppet_t)
|
||||
kernel_dontaudit_search_kernel_sysctl(puppet_t)
|
||||
kernel_read_crypto_sysctls(puppet_t)
|
||||
kernel_read_kernel_sysctls(puppet_t)
|
||||
kernel_read_net_sysctls(puppet_t)
|
||||
kernel_read_network_state(puppet_t)
|
||||
@ -289,7 +288,6 @@ files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
|
||||
kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
|
||||
kernel_read_network_state(puppetmaster_t)
|
||||
kernel_read_system_state(puppetmaster_t)
|
||||
kernel_read_crypto_sysctls(puppetmaster_t)
|
||||
kernel_read_kernel_sysctls(puppetmaster_t)
|
||||
|
||||
corecmd_exec_bin(puppetmaster_t)
|
||||
|
@ -119,7 +119,6 @@ files_runtime_filetrans(rpm_t, rpm_runtime_t, { dir file })
|
||||
|
||||
can_exec(rpm_t, { rpm_tmp_t rpm_tmpfs_t })
|
||||
|
||||
kernel_read_crypto_sysctls(rpm_t)
|
||||
kernel_read_network_state(rpm_t)
|
||||
kernel_read_system_state(rpm_t)
|
||||
kernel_read_kernel_sysctls(rpm_t)
|
||||
@ -271,7 +270,6 @@ fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_fi
|
||||
|
||||
can_exec(rpm_script_t, { rpm_script_tmp_t rpm_script_tmpfs_t })
|
||||
|
||||
kernel_read_crypto_sysctls(rpm_script_t)
|
||||
kernel_read_kernel_sysctls(rpm_script_t)
|
||||
kernel_read_system_state(rpm_script_t)
|
||||
kernel_read_network_state(rpm_script_t)
|
||||
|
@ -65,7 +65,6 @@ setattr_files_pattern(usbguard_t, usbguard_log_t, usbguard_log_t)
|
||||
|
||||
dev_rw_sysfs(usbguard_t)
|
||||
|
||||
kernel_read_crypto_sysctls(usbguard_t)
|
||||
kernel_read_kernel_sysctls(usbguard_t)
|
||||
kernel_dontaudit_getattr_proc(usbguard_t)
|
||||
|
||||
|
@ -308,7 +308,6 @@ allow passwd_t self:msg { send receive };
|
||||
allow passwd_t crack_db_t:dir list_dir_perms;
|
||||
read_files_pattern(passwd_t, crack_db_t, crack_db_t)
|
||||
|
||||
kernel_read_crypto_sysctls(passwd_t)
|
||||
kernel_read_kernel_sysctls(passwd_t)
|
||||
kernel_dontaudit_getattr_proc(passwd_t)
|
||||
|
||||
|
@ -151,7 +151,6 @@ kernel_associate_proc(chromium_t)
|
||||
|
||||
kernel_get_sysvipc_info(chromium_t)
|
||||
kernel_list_proc(chromium_t)
|
||||
kernel_read_crypto_sysctls(chromium_t)
|
||||
kernel_read_fs_sysctls(chromium_t)
|
||||
kernel_read_kernel_sysctls(chromium_t)
|
||||
kernel_read_net_sysctls(chromium_t)
|
||||
@ -233,7 +232,6 @@ tunable_policy(`chromium_rw_usb_dev',`
|
||||
tunable_policy(`chromium_read_system_info',`
|
||||
kernel_read_kernel_sysctls(chromium_t)
|
||||
# Memory optimizations & optimizations based on OS/version
|
||||
kernel_read_crypto_sysctls(chromium_t)
|
||||
kernel_read_system_state(chromium_t)
|
||||
|
||||
# Debugging (sys/kernel/debug) and device information (sys/bus and sys/devices).
|
||||
|
@ -41,8 +41,6 @@ files_read_etc_files(cryfs_t)
|
||||
fs_getattr_xattr_fs(cryfs_t)
|
||||
fs_mount_fusefs(cryfs_t)
|
||||
|
||||
# For /proc/sys/crypto/fips_enabled
|
||||
kernel_read_crypto_sysctls(cryfs_t)
|
||||
# gocryptfs reads /proc/sys/fs/pipe-max-size
|
||||
kernel_read_fs_sysctls(cryfs_t)
|
||||
# gocryptfs reads /proc/sys/net/core/somaxconn
|
||||
|
@ -170,7 +170,6 @@ manage_dirs_pattern(gkeyringd_domain, gnome_xdg_data_t, gnome_xdg_data_t)
|
||||
manage_files_pattern(gkeyringd_domain, gnome_xdg_data_t, gnome_xdg_data_t)
|
||||
xdg_data_filetrans(gkeyringd_domain, gnome_xdg_data_t, dir)
|
||||
|
||||
kernel_read_crypto_sysctls(gkeyringd_domain)
|
||||
kernel_read_kernel_sysctls(gkeyringd_domain)
|
||||
kernel_read_system_state(gkeyringd_domain)
|
||||
|
||||
|
@ -103,7 +103,6 @@ gpg_stream_connect_agent(gpg_t)
|
||||
domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
|
||||
domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
|
||||
|
||||
kernel_read_crypto_sysctls(gpg_t)
|
||||
kernel_read_sysctl(gpg_t)
|
||||
# read /proc/cpuinfo
|
||||
kernel_read_system_state(gpg_t)
|
||||
@ -244,7 +243,6 @@ filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file)
|
||||
domtrans_pattern(gpg_agent_t, gpg_pinentry_exec_t, gpg_pinentry_t)
|
||||
|
||||
kernel_dontaudit_search_sysctl(gpg_agent_t)
|
||||
kernel_read_crypto_sysctls(gpg_agent_t)
|
||||
kernel_read_system_state(gpg_agent_t)
|
||||
|
||||
auth_use_nsswitch(gpg_agent_t)
|
||||
|
@ -68,8 +68,6 @@ manage_fifo_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
|
||||
manage_sock_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
|
||||
files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
|
||||
|
||||
# For /proc/sys/crypto/fips_enabled
|
||||
kernel_read_crypto_sysctls(irc_t)
|
||||
kernel_read_system_state(irc_t)
|
||||
|
||||
corenet_all_recvfrom_netlabel(irc_t)
|
||||
|
@ -151,7 +151,6 @@ fs_tmpfs_filetrans(mplayer_t, mplayer_tmpfs_t,{ dir file lnk_file sock_file fifo
|
||||
kernel_dontaudit_list_unlabeled(mplayer_t)
|
||||
kernel_dontaudit_getattr_unlabeled_files(mplayer_t)
|
||||
kernel_dontaudit_read_unlabeled_files(mplayer_t)
|
||||
kernel_read_crypto_sysctls(mplayer_t)
|
||||
kernel_read_system_state(mplayer_t)
|
||||
kernel_read_kernel_sysctls(mplayer_t)
|
||||
|
||||
|
@ -33,8 +33,6 @@ init_unit_file(qemu_unit_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
kernel_read_crypto_sysctls(qemu_t)
|
||||
|
||||
dev_read_sysfs(qemu_t)
|
||||
|
||||
allow qemu_t qemu_runtime_t:sock_file create_sock_file_perms;
|
||||
|
@ -93,6 +93,8 @@ neverallow ~{ domain unlabeled_t } *:process *;
|
||||
allow domain self:dir list_dir_perms;
|
||||
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
|
||||
allow domain self:file rw_file_perms;
|
||||
|
||||
kernel_read_crypto_sysctls(domain)
|
||||
kernel_read_proc_symlinks(domain)
|
||||
# Every domain gets the key ring, so we should default
|
||||
# to no one allowed to look at it; afs kernel support creates
|
||||
|
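Review bot: The new `kernel_read_crypto_sysctls(domain)` rule, placed after `allow domain self:file rw_file_perms;`, carries no rationale, while several of the per-domain rules it replaces were annotated (`# For /proc/sys/crypto/fips_enabled` in the cryfs and irc hunks, `# to read fips_enabled` in the mon hunk, `# for systemd-cryptsetup` in the lvm hunk), so that reasoning disappears from the tree with this commit. Suggest carrying it over next to the new rule, e.g. `# crypto libraries check /proc/sys/crypto/fips_enabled at startup, so every domain needs read access`, so a later reviewer can judge whether a grant to all of `domain` is still warranted. Note that the move also widens one case: the chromium instance was previously inside the `chromium_read_system_info` tunable and is now unconditional for that domain, which is presumably intended but is worth stating in the commit message. The enclosing `domain` block continues outside the hunk.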
@ -30,7 +30,6 @@ manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
|
||||
manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
|
||||
files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, dir)
|
||||
|
||||
kernel_read_crypto_sysctls(accountsd_t)
|
||||
kernel_read_kernel_sysctls(accountsd_t)
|
||||
kernel_read_system_state(accountsd_t)
|
||||
|
||||
|
@ -461,7 +461,6 @@ domtrans_pattern(httpd_t, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
|
||||
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
|
||||
|
||||
kernel_read_kernel_sysctls(httpd_t)
|
||||
kernel_read_crypto_sysctls(httpd_t)
|
||||
kernel_read_vm_sysctls(httpd_t)
|
||||
kernel_read_vm_overcommit_sysctl(httpd_t)
|
||||
kernel_read_network_state(httpd_t)
|
||||
|
@ -42,8 +42,6 @@ allow bird_t bird_runtime_t:sock_file manage_sock_file_perms;
|
||||
allow bird_t bird_runtime_t:dir manage_dir_perms;
|
||||
files_runtime_filetrans(bird_t, bird_runtime_t, { sock_file dir })
|
||||
|
||||
kernel_read_crypto_sysctls(bird_t)
|
||||
|
||||
corenet_all_recvfrom_netlabel(bird_t)
|
||||
corenet_tcp_sendrecv_generic_if(bird_t)
|
||||
corenet_tcp_bind_generic_node(bird_t)
|
||||
|
@ -61,7 +61,6 @@ files_runtime_filetrans(bitlbee_t, bitlbee_runtime_t, { dir file sock_file })
|
||||
|
||||
kernel_read_kernel_sysctls(bitlbee_t)
|
||||
kernel_read_system_state(bitlbee_t)
|
||||
kernel_read_crypto_sysctls(bitlbee_t)
|
||||
|
||||
corenet_all_recvfrom_netlabel(bitlbee_t)
|
||||
corenet_tcp_sendrecv_generic_if(bitlbee_t)
|
||||
|
@ -87,7 +87,6 @@ domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
|
||||
|
||||
kernel_read_system_state(boinc_t)
|
||||
kernel_search_vm_sysctl(boinc_t)
|
||||
kernel_read_crypto_sysctls(boinc_t)
|
||||
kernel_read_kernel_sysctls(boinc_t)
|
||||
|
||||
corenet_all_recvfrom_netlabel(boinc_t)
|
||||
|
@ -81,7 +81,6 @@ manage_files_pattern(chronyd_t, chronyd_runtime_t, chronyd_runtime_t)
|
||||
manage_sock_files_pattern(chronyd_t, chronyd_runtime_t, chronyd_runtime_t)
|
||||
files_runtime_filetrans(chronyd_t, chronyd_runtime_t, { dir file sock_file })
|
||||
|
||||
kernel_read_crypto_sysctls(chronyd_t)
|
||||
kernel_read_system_state(chronyd_t)
|
||||
kernel_read_network_state(chronyd_t)
|
||||
|
||||
|
@ -108,7 +108,6 @@ read_lnk_files_pattern(clamd_t, clam_scannable_type, clam_scannable_type)
|
||||
list_dirs_pattern(clamd_t, clam_scannable_type, clam_scannable_type)
|
||||
|
||||
kernel_dontaudit_list_proc(clamd_t)
|
||||
kernel_read_crypto_sysctls(clamd_t)
|
||||
kernel_read_sysctl(clamd_t)
|
||||
kernel_read_kernel_sysctls(clamd_t)
|
||||
kernel_read_system_state(clamd_t)
|
||||
@ -200,7 +199,6 @@ stream_connect_pattern(freshclam_t, clamd_runtime_t, clamd_runtime_t, clamd_t)
|
||||
read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)
|
||||
|
||||
kernel_dontaudit_list_proc(freshclam_t)
|
||||
kernel_read_crypto_sysctls(freshclam_t)
|
||||
kernel_read_kernel_sysctls(freshclam_t)
|
||||
kernel_read_network_state(freshclam_t)
|
||||
kernel_read_system_state(freshclam_t)
|
||||
|
@ -46,7 +46,6 @@ manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
|
||||
files_var_lib_filetrans(colord_t, colord_var_lib_t, dir)
|
||||
allow colord_t colord_var_lib_t:dir watch;
|
||||
|
||||
kernel_read_crypto_sysctls(colord_t)
|
||||
kernel_read_device_sysctls(colord_t)
|
||||
kernel_read_network_state(colord_t)
|
||||
kernel_read_system_state(colord_t)
|
||||
|
@ -483,7 +483,6 @@ allow system_cronjob_t crond_tmp_t:file rw_inherited_file_perms;
|
||||
kernel_getattr_core_if(system_cronjob_t)
|
||||
kernel_getattr_message_if(system_cronjob_t)
|
||||
|
||||
kernel_read_crypto_sysctls(system_cronjob_t)
|
||||
kernel_read_irq_sysctls(system_cronjob_t)
|
||||
kernel_read_kernel_sysctls(system_cronjob_t)
|
||||
kernel_read_network_state(system_cronjob_t)
|
||||
|
@ -117,7 +117,6 @@ files_runtime_filetrans(system_dbusd_t, system_dbusd_runtime_t, { dir file })
|
||||
|
||||
can_exec(system_dbusd_t, dbusd_exec_t)
|
||||
|
||||
kernel_read_crypto_sysctls(system_dbusd_t)
|
||||
kernel_read_system_state(system_dbusd_t)
|
||||
kernel_read_kernel_sysctls(system_dbusd_t)
|
||||
|
||||
@ -302,7 +301,6 @@ manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_ru
|
||||
manage_sock_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
|
||||
userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file })
|
||||
|
||||
kernel_read_crypto_sysctls(session_bus_type)
|
||||
kernel_read_system_state(session_bus_type)
|
||||
kernel_read_kernel_sysctls(session_bus_type)
|
||||
|
||||
|
@ -87,7 +87,6 @@ files_runtime_filetrans(devicekit_disk_t, devicekit_runtime_t, { dir file })
|
||||
kernel_getattr_message_if(devicekit_disk_t)
|
||||
kernel_list_unlabeled(devicekit_disk_t)
|
||||
kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
|
||||
kernel_read_crypto_sysctls(devicekit_disk_t)
|
||||
kernel_read_fs_sysctls(devicekit_disk_t)
|
||||
kernel_read_network_state(devicekit_disk_t)
|
||||
kernel_read_software_raid_state(devicekit_disk_t)
|
||||
|
@ -64,8 +64,6 @@ manage_files_pattern(dirmngr_t, dirmngr_runtime_t, dirmngr_runtime_t)
|
||||
manage_sock_files_pattern(dirmngr_t, dirmngr_runtime_t, dirmngr_runtime_t)
|
||||
files_runtime_filetrans(dirmngr_t, dirmngr_runtime_t, { dir file })
|
||||
|
||||
kernel_read_crypto_sysctls(dirmngr_t)
|
||||
|
||||
dev_read_rand(dirmngr_t)
|
||||
dev_read_urand(dirmngr_t)
|
||||
|
||||
|
@ -42,7 +42,6 @@ files_runtime_filetrans(entropyd_t, entropyd_runtime_t, file)
|
||||
|
||||
kernel_read_system_state(entropyd_t)
|
||||
kernel_rw_kernel_sysctl(entropyd_t)
|
||||
kernel_read_crypto_sysctls(entropyd_t)
|
||||
|
||||
dev_read_sysfs(entropyd_t)
|
||||
dev_read_urand(entropyd_t)
|
||||
|
@ -102,7 +102,6 @@ files_tmp_filetrans(exim_t, exim_tmp_t, { dir file })
|
||||
|
||||
manage_files_pattern(exim_t, exim_var_lib_t, exim_var_lib_t)
|
||||
|
||||
kernel_read_crypto_sysctls(exim_t)
|
||||
kernel_read_kernel_sysctls(exim_t)
|
||||
kernel_read_network_state(exim_t)
|
||||
kernel_dontaudit_read_system_state(exim_t)
|
||||
|
@ -62,7 +62,6 @@ manage_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
|
||||
mmap_read_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
|
||||
fs_tmpfs_filetrans(firewalld_t, firewalld_tmpfs_t, { dir file })
|
||||
|
||||
kernel_read_crypto_sysctls(firewalld_t)
|
||||
kernel_read_network_state(firewalld_t)
|
||||
kernel_read_system_state(firewalld_t)
|
||||
kernel_request_load_module(firewalld_t)
|
||||
|
@ -38,8 +38,6 @@ manage_sock_files_pattern(isnsd_t, isnsd_runtime_t, isnsd_runtime_t)
|
||||
manage_files_pattern(isnsd_t, isnsd_runtime_t, isnsd_runtime_t)
|
||||
files_runtime_filetrans(isnsd_t, isnsd_runtime_t, { file sock_file })
|
||||
|
||||
kernel_read_crypto_sysctls(isnsd_t)
|
||||
|
||||
corenet_all_recvfrom_netlabel(isnsd_t)
|
||||
corenet_tcp_sendrecv_generic_if(isnsd_t)
|
||||
corenet_tcp_sendrecv_generic_node(isnsd_t)
|
||||
|
@ -207,7 +207,6 @@ allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_p
|
||||
|
||||
can_exec(lpr_t, lpr_exec_t)
|
||||
|
||||
kernel_read_crypto_sysctls(lpr_t)
|
||||
kernel_read_kernel_sysctls(lpr_t)
|
||||
|
||||
corenet_all_recvfrom_netlabel(lpr_t)
|
||||
|
@ -125,7 +125,6 @@ allow mailman_cgi_t mailman_runtime_t:sock_file manage_sock_file_perms;
|
||||
fs_tmpfs_filetrans(mailman_cgi_t, mailman_cgi_tmpfs_t, file)
|
||||
allow mailman_cgi_t mailman_cgi_tmpfs_t:file { map manage_file_perms };
|
||||
|
||||
kernel_read_crypto_sysctls(mailman_cgi_t)
|
||||
kernel_read_net_sysctls(mailman_cgi_t)
|
||||
kernel_read_system_state(mailman_cgi_t)
|
||||
kernel_read_vm_overcommit_sysctl(mailman_cgi_t)
|
||||
|
@ -58,9 +58,6 @@ manage_files_pattern(mon_t, mon_var_log_t, mon_var_log_t)
|
||||
manage_files_pattern(mon_t, mon_runtime_t, mon_runtime_t)
|
||||
files_runtime_filetrans(mon_t, mon_runtime_t, file)
|
||||
|
||||
# to read fips_enabled
|
||||
kernel_read_crypto_sysctls(mon_t)
|
||||
|
||||
kernel_read_kernel_sysctls(mon_t)
|
||||
kernel_read_network_state(mon_t)
|
||||
kernel_read_system_state(mon_t)
|
||||
|
@ -74,7 +74,6 @@ allow user_mail_domain sendmail_exec_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
can_exec(user_mail_domain, { mta_exec_type sendmail_exec_t })
|
||||
|
||||
kernel_read_crypto_sysctls(user_mail_domain)
|
||||
kernel_read_system_state(user_mail_domain)
|
||||
kernel_read_kernel_sysctls(user_mail_domain)
|
||||
kernel_read_network_state(user_mail_domain)
|
||||
|
@ -93,7 +93,6 @@ files_runtime_filetrans(NetworkManager_t, NetworkManager_runtime_t, { dir file s
|
||||
|
||||
can_exec(NetworkManager_t, { NetworkManager_exec_t NetworkManager_initrc_exec_t wpa_cli_exec_t NetworkManager_tmp_t })
|
||||
|
||||
kernel_read_crypto_sysctls(NetworkManager_t)
|
||||
kernel_read_system_state(NetworkManager_t)
|
||||
kernel_read_network_state(NetworkManager_t)
|
||||
kernel_read_kernel_sysctls(NetworkManager_t)
|
||||
|
@ -95,7 +95,6 @@ can_exec(ntpd_t, ntpd_exec_t)
|
||||
kernel_read_kernel_sysctls(ntpd_t)
|
||||
kernel_read_system_state(ntpd_t)
|
||||
kernel_read_network_state(ntpd_t)
|
||||
kernel_read_crypto_sysctls(ntpd_t)
|
||||
kernel_request_load_module(ntpd_t)
|
||||
|
||||
corenet_all_recvfrom_netlabel(ntpd_t)
|
||||
|
@ -172,7 +172,6 @@ fs_read_cgroup_files(pcs_snmp_agent_t)
|
||||
|
||||
kernel_read_kernel_sysctls(pcs_snmp_agent_t)
|
||||
kernel_read_system_state(pcs_snmp_agent_t)
|
||||
kernel_read_crypto_sysctls(pcs_snmp_agent_t)
|
||||
|
||||
init_search_runtime(pcs_snmp_agent_t)
|
||||
init_read_state(pcs_snmp_agent_t)
|
||||
|
@ -87,7 +87,6 @@ can_exec(policykit_t, policykit_exec_t)
|
||||
domtrans_pattern(policykit_t, policykit_auth_exec_t, policykit_auth_t)
|
||||
domtrans_pattern(policykit_t, policykit_resolve_exec_t, policykit_resolve_t)
|
||||
|
||||
kernel_read_crypto_sysctls(policykit_t)
|
||||
kernel_read_kernel_sysctls(policykit_t)
|
||||
kernel_read_system_state(policykit_t)
|
||||
|
||||
|
@ -517,7 +517,6 @@ manage_dirs_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
|
||||
manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
|
||||
manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
|
||||
|
||||
kernel_read_crypto_sysctls(spamd_update_t)
|
||||
kernel_search_fs_sysctls(spamd_update_t)
|
||||
kernel_read_system_state(spamd_update_t)
|
||||
|
||||
|
@ -222,7 +222,6 @@ template(`ssh_server_template', `
|
||||
|
||||
kernel_read_kernel_sysctls($1_t)
|
||||
kernel_read_network_state($1_t)
|
||||
kernel_read_crypto_sysctls($1_t)
|
||||
|
||||
corenet_all_recvfrom_netlabel($1_t)
|
||||
corenet_tcp_sendrecv_generic_if($1_t)
|
||||
|
@ -248,7 +248,6 @@ files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
|
||||
corecmd_exec_bin(sshd_t)
|
||||
|
||||
kernel_link_key(sshd_t)
|
||||
kernel_read_crypto_sysctls(sshd_t)
|
||||
kernel_search_key(sshd_t)
|
||||
|
||||
term_use_all_ptys(sshd_t)
|
||||
@ -341,7 +340,6 @@ allow ssh_keygen_t sshd_key_t:file manage_file_perms;
|
||||
files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
|
||||
|
||||
kernel_read_kernel_sysctls(ssh_keygen_t)
|
||||
kernel_read_crypto_sysctls(ssh_keygen_t)
|
||||
kernel_dontaudit_getattr_proc(ssh_keygen_t)
|
||||
kernel_dontaudit_read_system_state(ssh_keygen_t)
|
||||
|
||||
|
@ -27,7 +27,6 @@ allow tpm2_abrmd_t self:fifo_file rw_inherited_fifo_file_perms;
|
||||
|
||||
dev_rw_tpm(tpm2_abrmd_t)
|
||||
|
||||
kernel_read_crypto_sysctls(tpm2_abrmd_t)
|
||||
kernel_read_system_state(tpm2_abrmd_t)
|
||||
|
||||
logging_send_syslog_msg(tpm2_abrmd_t)
|
||||
@ -48,7 +47,6 @@ dev_rw_tpm(tpm2_t)
|
||||
|
||||
files_read_etc_files(tpm2_t)
|
||||
|
||||
kernel_read_crypto_sysctls(tpm2_t)
|
||||
kernel_read_system_state(tpm2_t)
|
||||
|
||||
miscfiles_read_generic_certs(tpm2_t)
|
||||
|
@ -575,7 +575,6 @@ stream_connect_pattern(virtd_t, virt_runtime_t, virtlogd_run_t, virtlogd_t)
|
||||
|
||||
can_exec(virtd_t, virt_tmp_t)
|
||||
|
||||
kernel_read_crypto_sysctls(virtd_t)
|
||||
kernel_read_system_state(virtd_t)
|
||||
kernel_read_network_state(virtd_t)
|
||||
kernel_rw_net_sysctls(virtd_t)
|
||||
@ -843,7 +842,6 @@ virt_manage_images(virsh_t)
|
||||
virt_manage_config(virsh_t)
|
||||
virt_stream_connect(virsh_t)
|
||||
|
||||
kernel_read_crypto_sysctls(virsh_t)
|
||||
kernel_read_system_state(virsh_t)
|
||||
kernel_read_network_state(virsh_t)
|
||||
kernel_read_kernel_sysctls(virsh_t)
|
||||
|
@ -377,7 +377,6 @@ manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
|
||||
manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
|
||||
logging_log_filetrans(xdm_t, xserver_log_t, file)
|
||||
|
||||
kernel_read_crypto_sysctls(xdm_t)
|
||||
kernel_read_system_state(xdm_t)
|
||||
kernel_read_kernel_sysctls(xdm_t)
|
||||
kernel_read_net_sysctls(xdm_t)
|
||||
@ -684,7 +683,6 @@ allow xserver_t xauth_home_t:file read_file_perms;
|
||||
manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
|
||||
logging_log_filetrans(xserver_t, xserver_log_t, file)
|
||||
|
||||
kernel_read_crypto_sysctls(xserver_t)
|
||||
kernel_read_system_state(xserver_t)
|
||||
kernel_read_device_sysctls(xserver_t)
|
||||
kernel_read_modprobe_sysctls(xserver_t)
|
||||
|
@ -114,7 +114,6 @@ dontaudit chkpwd_t self:process getcap;
|
||||
allow chkpwd_t shadow_t:file read_file_perms;
|
||||
files_list_etc(chkpwd_t)
|
||||
|
||||
kernel_read_crypto_sysctls(chkpwd_t)
|
||||
kernel_dontaudit_search_kernel_sysctl(chkpwd_t)
|
||||
kernel_dontaudit_read_kernel_sysctl(chkpwd_t)
|
||||
kernel_dontaudit_getattr_proc(chkpwd_t)
|
||||
|
@ -66,7 +66,6 @@ files_runtime_filetrans(iscsid_t, iscsi_runtime_t, file)
|
||||
|
||||
can_exec(iscsid_t, iscsid_exec_t)
|
||||
|
||||
kernel_read_crypto_sysctls(iscsid_t)
|
||||
kernel_read_network_state(iscsid_t)
|
||||
kernel_read_system_state(iscsid_t)
|
||||
kernel_request_load_module(iscsid_t)
|
||||
|
@ -244,7 +244,6 @@ allow sulogin_t self:msgq create_msgq_perms;
|
||||
allow sulogin_t self:msg { send receive };
|
||||
|
||||
kernel_read_system_state(sulogin_t)
|
||||
kernel_read_crypto_sysctls(sulogin_t)
|
||||
kernel_stream_connect(sulogin_t)
|
||||
kernel_use_fds(sulogin_t)
|
||||
# because file systems are not mounted:
|
||||
|
@ -442,7 +442,6 @@ allow syslogd_t syslogd_runtime_t:file map;
|
||||
manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t)
|
||||
files_runtime_filetrans(syslogd_t, syslogd_runtime_t, file)
|
||||
|
||||
kernel_read_crypto_sysctls(syslogd_t)
|
||||
kernel_read_system_state(syslogd_t)
|
||||
kernel_read_network_state(syslogd_t)
|
||||
kernel_read_kernel_sysctls(syslogd_t)
|
||||
|
@ -121,8 +121,6 @@ kernel_dontaudit_search_unlabeled(lvm_t)
|
||||
# it has no reason to need this
|
||||
kernel_dontaudit_getattr_core_if(lvm_t)
|
||||
kernel_use_fds(lvm_t)
|
||||
# for systemd-cryptsetup
|
||||
kernel_read_crypto_sysctls(lvm_t)
|
||||
kernel_search_debugfs(lvm_t)
|
||||
# multipath
|
||||
kernel_read_vm_overcommit_sysctl(lvm_t)
|
||||
|
@ -54,7 +54,6 @@ can_exec(kmod_t, kmod_exec_t)
|
||||
|
||||
kernel_load_module(kmod_t)
|
||||
kernel_request_load_module(kmod_t)
|
||||
kernel_read_crypto_sysctls(kmod_t)
|
||||
kernel_read_system_state(kmod_t)
|
||||
kernel_read_network_state(kmod_t)
|
||||
kernel_write_proc_files(kmod_t)
|
||||
|
@ -434,7 +434,6 @@ kernel_read_kernel_sysctls(systemd_coredump_t)
|
||||
kernel_read_system_state(systemd_coredump_t)
|
||||
kernel_rw_pipes(systemd_coredump_t)
|
||||
kernel_use_fds(systemd_coredump_t)
|
||||
kernel_read_crypto_sysctls(systemd_coredump_t)
|
||||
|
||||
corecmd_exec_bin(systemd_coredump_t)
|
||||
corecmd_read_all_executables(systemd_coredump_t)
|
||||
@ -594,7 +593,6 @@ fs_get_xattr_fs_quotas(systemd_homed_t)
|
||||
fs_getattr_all_fs(systemd_homed_t)
|
||||
|
||||
kernel_read_kernel_sysctls(systemd_homed_t)
|
||||
kernel_read_crypto_sysctls(systemd_homed_t)
|
||||
kernel_read_system_state(systemd_homed_t)
|
||||
|
||||
systemd_log_parse_environment(systemd_homed_t)
|
||||
@ -666,7 +664,6 @@ kernel_get_sysvipc_info(systemd_homework_t)
|
||||
kernel_request_load_module(systemd_homework_t)
|
||||
|
||||
kernel_read_kernel_sysctls(systemd_homework_t)
|
||||
kernel_read_crypto_sysctls(systemd_homework_t)
|
||||
kernel_read_system_state(systemd_homework_t)
|
||||
|
||||
# loopback:
|
||||
@ -740,8 +737,6 @@ selinux_use_status_page(systemd_hw_t)
|
||||
init_read_state(systemd_hw_t)
|
||||
init_search_runtime(systemd_hw_t)
|
||||
|
||||
kernel_read_crypto_sysctls(systemd_hw_t)
|
||||
|
||||
seutil_read_config(systemd_hw_t)
|
||||
seutil_read_file_contexts(systemd_hw_t)
|
||||
|
||||
@ -774,7 +769,6 @@ optional_policy(`
|
||||
dontaudit systemd_log_parse_env_type self:capability net_admin;
|
||||
|
||||
kernel_read_system_state(systemd_log_parse_env_type)
|
||||
kernel_read_crypto_sysctls(systemd_log_parse_env_type)
|
||||
|
||||
dev_write_kmsg(systemd_log_parse_env_type)
|
||||
|
||||
@ -1430,7 +1424,6 @@ init_runtime_filetrans(systemd_resolved_t, systemd_resolved_runtime_t, dir)
|
||||
|
||||
dev_read_sysfs(systemd_resolved_t)
|
||||
|
||||
kernel_read_crypto_sysctls(systemd_resolved_t)
|
||||
kernel_read_kernel_sysctls(systemd_resolved_t)
|
||||
kernel_read_net_sysctls(systemd_resolved_t)
|
||||
kernel_dontaudit_getattr_proc(systemd_resolved_t)
|
||||
|
@ -102,7 +102,6 @@ kernel_search_key(udev_t)
|
||||
kernel_get_sysvipc_info(udev_t)
|
||||
#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
|
||||
kernel_rw_net_sysctls(udev_t)
|
||||
kernel_read_crypto_sysctls(udev_t)
|
||||
kernel_read_network_state(udev_t)
|
||||
kernel_read_software_raid_state(udev_t)
|
||||
kernel_dontaudit_search_unlabeled(udev_t)
|
||||
|