Make hide_broken_symptoms unconditional.
These blocks are always enabled. Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
parent
e580e00bb6
commit
651dc11f36
2
Makefile
2
Makefile
@ -234,7 +234,7 @@ else
|
||||
VERBOSE_FLAG = --verbose
|
||||
endif
|
||||
|
||||
M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS) -D hide_broken_symptoms=true
|
||||
M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS)
|
||||
|
||||
# we need exuberant ctags; unfortunately it is named
|
||||
# differently on different distros
|
||||
|
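Review bot: With `-D hide_broken_symptoms=true` dropped from M4PARAM at line 26, and `-D hide_broken_symptoms` from the second Makefile hunk ending at line 1794, any `ifdef(`hide_broken_symptoms'` block that survives in a policy file outside this diff, or in third-party modules built against the shipped headers, no longer fails the build but silently expands to nothing; for dontaudit blocks that means audit noise comes back, for allow blocks that access quietly disappears. A `grep -r hide_broken_symptoms` over the policy tree before merge, plus a sentence in the description saying the m4 symbol is no longer defined at all, would close that gap. The two Makefile hunks themselves look right.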
@ -20,9 +20,7 @@ interface(`consoletype_domtrans',`
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, consoletype_exec_t, consoletype_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
dontaudit consoletype_t $1:socket_class_set { read write };
|
||||
')
|
||||
dontaudit consoletype_t $1:socket_class_set { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
|
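Review bot: The removed `ifdef(`hide_broken_symptoms'` wrapper was the only thing marking `dontaudit consoletype_t $1:socket_class_set { read write };` at line 58 as a cover for what is presumably descriptors leaked across the domain transition, and the new side puts no comment in its place, so the rule now reads as ordinary interface policy. A one-line comment above it, `# leaked file descriptors`, keeps the rationale and matches what the portage and setfiles hunks do at lines 217 and 1640. The same applies to the now-unconditional dontaudit lines in the prelink (285–288), sudo (407), usermanage (472, 503, 534, 565), seunshare (643–649), dbus (964, 1015) and iptables (1265) hunks. consoletype_domtrans begins outside the hunk.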
@ -129,23 +129,21 @@ kernel_read_system_state(ping_t)
|
||||
|
||||
auth_use_nsswitch(ping_t)
|
||||
|
||||
init_dontaudit_use_fds(ping_t)
|
||||
|
||||
logging_send_syslog_msg(ping_t)
|
||||
|
||||
miscfiles_read_localization(ping_t)
|
||||
|
||||
userdom_use_inherited_user_terminals(ping_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
init_dontaudit_use_fds(ping_t)
|
||||
|
||||
optional_policy(`
|
||||
nagios_dontaudit_rw_log(ping_t)
|
||||
nagios_dontaudit_rw_pipes(ping_t)
|
||||
')
|
||||
optional_policy(`
|
||||
munin_append_log(ping_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
munin_append_log(ping_t)
|
||||
nagios_dontaudit_rw_log(ping_t)
|
||||
nagios_dontaudit_rw_pipes(ping_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -246,6 +246,8 @@ allow portage_fetch_t self:fifo_file rw_fifo_file_perms;
|
||||
allow portage_fetch_t self:tcp_socket { accept listen };
|
||||
allow portage_fetch_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
|
||||
dontaudit portage_fetch_t portage_cache_t:file read;
|
||||
|
||||
allow portage_fetch_t portage_conf_t:dir list_dir_perms;
|
||||
|
||||
allow portage_fetch_t portage_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
|
||||
@ -314,10 +316,6 @@ userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
|
||||
|
||||
rsync_exec(portage_fetch_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
dontaudit portage_fetch_t portage_cache_t:file read;
|
||||
')
|
||||
|
||||
tunable_policy(`portage_use_nfs',`
|
||||
fs_getattr_nfs(portage_fetch_t)
|
||||
fs_manage_nfs_dirs(portage_fetch_t)
|
||||
@ -344,15 +342,13 @@ optional_policy(`
|
||||
allow portage_sandbox_t self:process ptrace;
|
||||
dontaudit portage_sandbox_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
|
||||
# leaked descriptors
|
||||
dontaudit portage_sandbox_t portage_cache_t:dir { setattr_dir_perms };
|
||||
dontaudit portage_sandbox_t portage_cache_t:file { setattr_file_perms write };
|
||||
|
||||
allow portage_sandbox_t portage_log_t:file { create_file_perms delete_file_perms setattr_file_perms append_file_perms };
|
||||
logging_log_filetrans(portage_sandbox_t, portage_log_t, file)
|
||||
|
||||
portage_compile_domain(portage_sandbox_t)
|
||||
|
||||
auth_use_nsswitch(portage_sandbox_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
# leaked descriptors
|
||||
dontaudit portage_sandbox_t portage_cache_t:dir { setattr_dir_perms };
|
||||
dontaudit portage_sandbox_t portage_cache_t:file { setattr_file_perms write };
|
||||
')
|
||||
|
@ -18,10 +18,8 @@ interface(`prelink_domtrans',`
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, prelink_exec_t, prelink_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
dontaudit prelink_t $1:socket_class_set { read write };
|
||||
dontaudit prelink_t $1:fifo_file setattr_fifo_file_perms;
|
||||
')
|
||||
dontaudit prelink_t $1:socket_class_set { read write };
|
||||
dontaudit prelink_t $1:fifo_file setattr_fifo_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -102,6 +102,7 @@ libs_relabel_shared_libs(prelink_t)
|
||||
libs_delete_lib_symlinks(prelink_t)
|
||||
|
||||
miscfiles_read_localization(prelink_t)
|
||||
miscfiles_read_man_pages(prelink_t)
|
||||
|
||||
userdom_use_user_terminals(prelink_t)
|
||||
userdom_manage_user_home_content_files(prelink_t)
|
||||
@ -110,14 +111,6 @@ userdom_manage_user_home_content_files(prelink_t)
|
||||
# userdom_execmod_user_home_content_files(prelink_t)
|
||||
userdom_exec_user_home_content_files(prelink_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
miscfiles_read_man_pages(prelink_t)
|
||||
|
||||
optional_policy(`
|
||||
dbus_read_config(prelink_t)
|
||||
')
|
||||
')
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_exec_nfs_files(prelink_t)
|
||||
fs_manage_nfs_files(prelink_t)
|
||||
@ -136,6 +129,10 @@ optional_policy(`
|
||||
cron_system_entry(prelink_t, prelink_exec_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
dbus_read_config(prelink_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gnome_dontaudit_read_inherited_gconf_config_files(prelink_t)
|
||||
')
|
||||
|
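Review bot: `miscfiles_read_man_pages(prelink_t)` at line 311 and `dbus_read_config(prelink_t)` at line 378 are allow rules, not dontaudits, and the removed `ifdef(`hide_broken_symptoms'` wrapper was the only signal that they are workarounds rather than access prelink is meant to have; moved out unconditionally with no comment, they now read as deliberate grants. A comment such as `# formerly under hide_broken_symptoms; workaround rather than required access` above each would preserve that, or the description could state why the access is legitimate. The same applies to `libs_exec_lib_files(httpd_t)` at line 911 in the apache hunk.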
@ -73,6 +73,8 @@ template(`sudo_role_template',`
|
||||
allow $1_sudo_t self:key manage_key_perms;
|
||||
dontaudit $1_sudo_t self:capability { dac_read_search sys_ptrace };
|
||||
|
||||
dontaudit $1_sudo_t $3:socket_class_set { read write };
|
||||
|
||||
# By default, revert to the calling domain when a shell is executed.
|
||||
corecmd_shell_domtrans($1_sudo_t, $2)
|
||||
corecmd_bin_domtrans($1_sudo_t, $2)
|
||||
@ -143,10 +145,6 @@ template(`sudo_role_template',`
|
||||
userdom_dontaudit_search_user_home_content($1_sudo_t)
|
||||
userdom_dontaudit_search_user_home_dirs($1_sudo_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
dontaudit $1_sudo_t $3:socket_class_set { read write };
|
||||
')
|
||||
|
||||
tunable_policy(`sudo_allow_user_exec_domains',`
|
||||
allow $1_sudo_t $3:key search;
|
||||
|
||||
|
@ -18,9 +18,7 @@ interface(`usermanage_domtrans_chfn',`
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, chfn_exec_t, chfn_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
dontaudit chfn_t $1:socket_class_set { read write };
|
||||
')
|
||||
dontaudit chfn_t $1:socket_class_set { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -66,9 +64,7 @@ interface(`usermanage_domtrans_groupadd',`
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, groupadd_exec_t, groupadd_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
dontaudit groupadd_t $1:socket_class_set { read write };
|
||||
')
|
||||
dontaudit groupadd_t $1:socket_class_set { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -115,9 +111,7 @@ interface(`usermanage_domtrans_passwd',`
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, passwd_exec_t, passwd_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
dontaudit passwd_t $1:socket_class_set { read write };
|
||||
')
|
||||
dontaudit passwd_t $1:socket_class_set { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -264,9 +258,7 @@ interface(`usermanage_domtrans_useradd',`
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, useradd_exec_t, useradd_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
dontaudit useradd_t $1:socket_class_set { read write };
|
||||
')
|
||||
dontaudit useradd_t $1:socket_class_set { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -264,12 +264,9 @@ miscfiles_read_localization(gpg_agent_t)
|
||||
userdom_use_user_terminals(gpg_agent_t)
|
||||
userdom_search_user_home_dirs(gpg_agent_t)
|
||||
userdom_search_user_runtime(gpg_agent_t)
|
||||
userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
|
||||
userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file })
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
|
||||
')
|
||||
|
||||
tunable_policy(`gpg_agent_env_file',`
|
||||
userdom_manage_user_home_content_dirs(gpg_agent_t)
|
||||
userdom_manage_user_home_content_files(gpg_agent_t)
|
||||
|
@ -44,11 +44,9 @@ interface(`seunshare_run',`
|
||||
|
||||
allow $1 seunshare_t:process signal_perms;
|
||||
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
dontaudit seunshare_t $1:tcp_socket rw_socket_perms;
|
||||
dontaudit seunshare_t $1:udp_socket rw_socket_perms;
|
||||
dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms;
|
||||
')
|
||||
dontaudit seunshare_t $1:tcp_socket rw_socket_perms;
|
||||
dontaudit seunshare_t $1:udp_socket rw_socket_perms;
|
||||
dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -27,6 +27,8 @@ corecmd_exec_bin(seunshare_t)
|
||||
files_read_etc_files(seunshare_t)
|
||||
files_mounton_all_poly_members(seunshare_t)
|
||||
|
||||
fs_dontaudit_rw_anon_inodefs_files(seunshare_t)
|
||||
|
||||
auth_use_nsswitch(seunshare_t)
|
||||
|
||||
logging_send_syslog_msg(seunshare_t)
|
||||
@ -35,10 +37,6 @@ miscfiles_read_localization(seunshare_t)
|
||||
|
||||
userdom_use_user_terminals(seunshare_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
fs_dontaudit_rw_anon_inodefs_files(seunshare_t)
|
||||
|
||||
optional_policy(`
|
||||
mozilla_dontaudit_manage_user_home_files(seunshare_t)
|
||||
')
|
||||
optional_policy(`
|
||||
mozilla_dontaudit_manage_user_home_files(seunshare_t)
|
||||
')
|
||||
|
@ -103,6 +103,12 @@ kernel_dontaudit_link_key(domain)
|
||||
# create child processes in the domain
|
||||
allow domain self:process { fork sigchld };
|
||||
|
||||
# This check is in the general socket
|
||||
# listen code, before protocol-specific
|
||||
# listen function is called, so bad calls
|
||||
# to listen on UDP sockets should be silenced
|
||||
dontaudit domain self:udp_socket listen;
|
||||
|
||||
# lockdown checks were removed in 5.16. The class will be removed
|
||||
# from the policy in the future. For reference:
|
||||
# https://lore.kernel.org/selinux/163243191040.178880.4295195865966623164.stgit@olly
|
||||
@ -119,14 +125,6 @@ term_use_controlling_term(domain)
|
||||
# list the root directory
|
||||
files_list_root(domain)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
# This check is in the general socket
|
||||
# listen code, before protocol-specific
|
||||
# listen function is called, so bad calls
|
||||
# to listen on UDP sockets should be silenced
|
||||
dontaudit domain self:udp_socket listen;
|
||||
')
|
||||
|
||||
ifdef(`init_systemd',`
|
||||
optional_policy(`
|
||||
shutdown_sigchld(domain)
|
||||
|
@ -281,25 +281,24 @@ read_lnk_files_pattern(abrt_helper_t, abrt_runtime_t, abrt_runtime_t)
|
||||
|
||||
corecmd_read_all_executables(abrt_helper_t)
|
||||
|
||||
dev_dontaudit_read_all_blk_files(abrt_helper_t)
|
||||
dev_dontaudit_read_all_chr_files(abrt_helper_t)
|
||||
dev_dontaudit_write_all_chr_files(abrt_helper_t)
|
||||
dev_dontaudit_write_all_blk_files(abrt_helper_t)
|
||||
|
||||
domain_read_all_domains_state(abrt_helper_t)
|
||||
|
||||
fs_list_inotifyfs(abrt_helper_t)
|
||||
fs_getattr_all_fs(abrt_helper_t)
|
||||
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
|
||||
|
||||
auth_use_nsswitch(abrt_helper_t)
|
||||
|
||||
term_dontaudit_use_all_ttys(abrt_helper_t)
|
||||
term_dontaudit_use_all_ptys(abrt_helper_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
|
||||
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
|
||||
dev_dontaudit_read_all_blk_files(abrt_helper_t)
|
||||
dev_dontaudit_read_all_chr_files(abrt_helper_t)
|
||||
dev_dontaudit_write_all_chr_files(abrt_helper_t)
|
||||
dev_dontaudit_write_all_blk_files(abrt_helper_t)
|
||||
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
|
||||
')
|
||||
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
|
||||
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
|
||||
|
||||
#######################################
|
||||
#
|
||||
|
@ -515,7 +515,7 @@ auth_use_nsswitch(httpd_t)
|
||||
|
||||
init_rw_inherited_script_tmp_files(httpd_t)
|
||||
|
||||
libs_read_lib_files(httpd_t)
|
||||
libs_exec_lib_files(httpd_t)
|
||||
|
||||
logging_send_syslog_msg(httpd_t)
|
||||
|
||||
@ -536,10 +536,6 @@ ifdef(`TODO',`
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
libs_exec_lib_files(httpd_t)
|
||||
')
|
||||
|
||||
ifdef(`init_systemd', `
|
||||
systemd_use_passwd_agent(httpd_t)
|
||||
')
|
||||
|
@ -91,6 +91,7 @@ template(`dbus_role_template',`
|
||||
dontaudit $1_dbusd_t self:cap_userns sys_ptrace;
|
||||
|
||||
allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
|
||||
dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
|
||||
|
||||
allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
|
||||
allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:file { manage_file_perms relabel_file_perms };
|
||||
@ -109,10 +110,6 @@ template(`dbus_role_template',`
|
||||
|
||||
auth_use_nsswitch($1_dbusd_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
systemd_read_logind_runtime_files($1_dbusd_t)
|
||||
systemd_user_daemon_domain($1, dbusd_exec_t, $1_dbusd_t)
|
||||
@ -567,6 +564,8 @@ interface(`dbus_system_domain',`
|
||||
|
||||
role system_r types $1;
|
||||
|
||||
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
|
||||
|
||||
domtrans_pattern(system_dbusd_t, $2, $1)
|
||||
|
||||
dbus_system_bus_client($1)
|
||||
@ -579,10 +578,6 @@ interface(`dbus_system_domain',`
|
||||
ifdef(`init_systemd',`
|
||||
init_daemon_domain($1, $2)
|
||||
')
|
||||
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -216,10 +216,7 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
arpwatch_manage_tmp_files(system_mail_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
|
||||
')
|
||||
arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -316,10 +313,7 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
arpwatch_manage_tmp_files(mta_user_agent)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
|
||||
')
|
||||
arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
|
||||
|
||||
optional_policy(`
|
||||
cron_read_system_job_tmp_files(mta_user_agent)
|
||||
|
@ -363,6 +363,8 @@ files_search_spool(smbd_t)
|
||||
files_dontaudit_getattr_all_dirs(smbd_t)
|
||||
files_dontaudit_list_all_mountpoints(smbd_t)
|
||||
files_list_mnt(smbd_t)
|
||||
files_dontaudit_getattr_default_dirs(smbd_t)
|
||||
files_dontaudit_getattr_boot_dirs(smbd_t)
|
||||
|
||||
fs_getattr_all_fs(smbd_t)
|
||||
fs_getattr_all_dirs(smbd_t)
|
||||
@ -396,12 +398,6 @@ userdom_signal_all_users(smbd_t)
|
||||
userdom_home_filetrans_user_home_dir(smbd_t)
|
||||
userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file })
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
files_dontaudit_getattr_default_dirs(smbd_t)
|
||||
files_dontaudit_getattr_boot_dirs(smbd_t)
|
||||
fs_dontaudit_getattr_tmpfs_dirs(smbd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`allow_smbd_anon_write',`
|
||||
miscfiles_manage_public_files(smbd_t)
|
||||
')
|
||||
|
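Review bot: `fs_dontaudit_getattr_tmpfs_dirs(smbd_t)` at line 1173 is removed with the `ifdef(`hide_broken_symptoms'` block but, unlike its two siblings that reappear at lines 1139 and 1142, is not re-added anywhere in this diff. It is probably redundant because `fs_getattr_all_dirs(smbd_t)` at line 1150 already allows the access the dontaudit would silence, but dropping a rule goes beyond the description's "these blocks are always enabled", so either re-add it next to line 1142 or say in the description that it was dropped as redundant.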
@ -450,6 +450,7 @@ tunable_policy(`virt_use_evdev',`
|
||||
#
|
||||
|
||||
allow virtd_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_chroot sys_nice sys_ptrace };
|
||||
dontaudit virtd_t self:capability { sys_module sys_ptrace };
|
||||
allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched };
|
||||
allow virtd_t self:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
|
||||
allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
|
||||
@ -691,10 +692,6 @@ sysnet_domtrans_ifconfig(virtd_t)
|
||||
|
||||
userdom_read_all_users_state(virtd_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
dontaudit virtd_t self:capability { sys_module sys_ptrace };
|
||||
')
|
||||
|
||||
tunable_policy(`virt_use_fusefs',`
|
||||
fs_manage_fusefs_dirs(virtd_t)
|
||||
fs_manage_fusefs_files(virtd_t)
|
||||
|
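Review bot: `dontaudit virtd_t self:capability { sys_module sys_ptrace };` at line 1202 now sits directly under the allow at line 1199, which already grants `sys_ptrace`, so the `sys_ptrace` half of the dontaudit can never take effect. Since the line is being moved anyway, trimming it to `dontaudit virtd_t self:capability sys_module;` spares the next reader from wondering whether the two lines disagree. The allow rule itself is unchanged by this commit.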
@ -18,9 +18,7 @@ interface(`iptables_domtrans',`
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, iptables_exec_t, iptables_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
dontaudit iptables_t $1:socket_class_set { read write };
|
||||
')
|
||||
dontaudit iptables_t $1:socket_class_set { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -70,6 +70,7 @@ corenet_relabelto_all_packets(iptables_t)
|
||||
corenet_dontaudit_rw_tun_tap_dev(iptables_t)
|
||||
|
||||
dev_read_sysfs(iptables_t)
|
||||
dev_dontaudit_write_mtrr(iptables_t)
|
||||
|
||||
fs_getattr_xattr_fs(iptables_t)
|
||||
fs_search_auto_mountpoints(iptables_t)
|
||||
@ -100,9 +101,7 @@ sysnet_dns_name_resolve(iptables_t)
|
||||
|
||||
userdom_use_inherited_user_terminals(iptables_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
dev_dontaudit_write_mtrr(iptables_t)
|
||||
')
|
||||
|
||||
|
||||
optional_policy(`
|
||||
# iptables may try to rw /ptmx in a container
|
||||
|
@ -98,26 +98,14 @@ logging_send_syslog_msg(ldconfig_t)
|
||||
userdom_use_user_terminals(ldconfig_t)
|
||||
userdom_use_all_users_fds(ldconfig_t)
|
||||
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(ldconfig_t)
|
||||
')
|
||||
')
|
||||
ifdef(`distro_gentoo',`
|
||||
# leaked fds from portage
|
||||
files_dontaudit_rw_var_files(ldconfig_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
ifdef(`distro_gentoo',`
|
||||
# leaked fds from portage
|
||||
files_dontaudit_rw_var_files(ldconfig_t)
|
||||
|
||||
optional_policy(`
|
||||
portage_dontaudit_search_tmp(ldconfig_t)
|
||||
portage_dontaudit_rw_tmp_files(ldconfig_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
|
||||
')
|
||||
optional_policy(`
|
||||
portage_dontaudit_search_tmp(ldconfig_t)
|
||||
portage_dontaudit_rw_tmp_files(ldconfig_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
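Review bot: The hunk counts (26 old lines, 14 new) leave no room on the new side for the `ifdef(`distro_ubuntu'` block carrying `unconfined_domain(ldconfig_t)` (lines 1340–1352) or for `unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)` (line 1400), neither of which appears a second time in this hunk the way the distro_gentoo lines do. If those rules were intentionally dropped rather than moved outside the hunk, that is a policy change, removing an unconfined grant on Ubuntu and a dontaudit, which the description's "these blocks are always enabled" does not cover, and a sentence stating it would help; if it was not intended, they should be restored outside the ifdef the way the gentoo block is at lines 1355–1418.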
@ -126,6 +126,8 @@ storage_rw_fuse(mount_t)
|
||||
|
||||
term_use_all_terms(mount_t)
|
||||
term_dontaudit_manage_pty_dirs(mount_t)
|
||||
# for a bug in the X server
|
||||
term_dontaudit_use_ptmx(mount_t)
|
||||
|
||||
auth_use_nsswitch(mount_t)
|
||||
|
||||
@ -194,13 +196,6 @@ optional_policy(`
|
||||
acpi_use_fds(mount_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
# for a bug in the X server
|
||||
term_dontaudit_use_ptmx(mount_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
container_getattr_fs(mount_t)
|
||||
')
|
||||
|
@ -171,6 +171,9 @@ allow load_policy_t self:capability dac_override;
|
||||
read_files_pattern(load_policy_t, { policy_src_t policy_config_t }, policy_config_t)
|
||||
allow load_policy_t policy_config_t:file map;
|
||||
|
||||
# leaked file descriptors.
|
||||
dontaudit load_policy_t selinux_config_t:file write;
|
||||
|
||||
dev_read_urand(load_policy_t)
|
||||
|
||||
domain_use_interactive_fds(load_policy_t)
|
||||
@ -205,17 +208,13 @@ ifdef(`distro_ubuntu',`
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
# cjp: cover up stray file descriptors.
|
||||
dontaudit load_policy_t selinux_config_t:file write;
|
||||
|
||||
optional_policy(`
|
||||
unconfined_dontaudit_read_pipes(load_policy_t)
|
||||
')
|
||||
optional_policy(`
|
||||
portage_dontaudit_use_fds(load_policy_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
portage_dontaudit_use_fds(load_policy_t)
|
||||
# leaked file descriptors
|
||||
unconfined_dontaudit_read_pipes(load_policy_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -682,18 +681,17 @@ ifdef(`distro_ubuntu',`
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
optional_policy(`
|
||||
udev_dontaudit_rw_dgram_sockets(setfiles_t)
|
||||
')
|
||||
|
||||
# cjp: cover up stray file descriptors.
|
||||
optional_policy(`
|
||||
unconfined_dontaudit_read_pipes(setfiles_t)
|
||||
unconfined_dontaudit_rw_tcp_sockets(setfiles_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
apt_use_fds(setfiles_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
# leaked file descriptors
|
||||
udev_dontaudit_rw_dgram_sockets(setfiles_t)
|
||||
')
|
||||
|
||||
# cjp: cover up stray file descriptors.
|
||||
optional_policy(`
|
||||
unconfined_dontaudit_read_pipes(setfiles_t)
|
||||
unconfined_dontaudit_rw_tcp_sockets(setfiles_t)
|
||||
')
|
||||
|
@ -325,6 +325,7 @@ kernel_rw_net_sysctls(ifconfig_t)
|
||||
corenet_rw_tun_tap_dev(ifconfig_t)
|
||||
|
||||
dev_read_sysfs(ifconfig_t)
|
||||
dev_dontaudit_rw_cardmgr(ifconfig_t)
|
||||
# for IPSEC setup:
|
||||
dev_read_urand(ifconfig_t)
|
||||
|
||||
@ -374,16 +375,6 @@ ifdef(`distro_ubuntu',`
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
optional_policy(`
|
||||
dev_dontaudit_rw_cardmgr(ifconfig_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
udev_dontaudit_rw_dgram_sockets(ifconfig_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
devicekit_read_runtime_files(ifconfig_t)
|
||||
devicekit_append_inherited_log_files(ifconfig_t)
|
||||
@ -406,6 +397,10 @@ optional_policy(`
|
||||
ppp_use_fds(ifconfig_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
udev_dontaudit_rw_dgram_sockets(ifconfig_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
unconfined_dontaudit_rw_pipes(ifconfig_t)
|
||||
')
|
||||
|
@ -83,7 +83,7 @@ ifeq ($(QUIET),y)
|
||||
verbose := @
|
||||
endif
|
||||
|
||||
M4PARAM += -D hide_broken_symptoms -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS)
|
||||
M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS)
|
||||
|
||||
# policy headers
|
||||
m4support = $(wildcard $(HEADERDIR)/support/*.spt)
|
||||
|