
C-005 Cleanup (Reorder perms and classes) #783

2 changes: 1 addition & 1 deletion doc/example.te
Expand Up @@ -22,7 +22,7 @@ files_tmp_file(myapp_tmp_t)
# Myapp local policy
#

allow myapp_t myapp_log_t:file { read_file_perms append_file_perms };
allow myapp_t myapp_log_t:file { append_file_perms read_file_perms };

allow myapp_t myapp_tmp_t:file manage_file_perms;
files_tmp_filetrans(myapp_t,myapp_tmp_t,file)
2 changes: 1 addition & 1 deletion policy/modules/admin/amanda.if
Expand Up @@ -138,7 +138,7 @@ interface(`amanda_append_log_files',`
')

logging_search_logs($1)
allow $1 amanda_log_t:file { read_file_perms append_file_perms };
allow $1 amanda_log_t:file { append_file_perms read_file_perms };
')

#######################################
2 changes: 1 addition & 1 deletion policy/modules/admin/amanda.te
Expand Up @@ -140,7 +140,7 @@ logging_send_syslog_msg(amanda_t)
#

allow amanda_recover_t self:capability { chown dac_override fowner fsetid kill setgid setuid };
allow amanda_recover_t self:process { sigkill sigstop signal };
allow amanda_recover_t self:process { sigkill signal sigstop };
allow amanda_recover_t self:fifo_file rw_fifo_file_perms;
allow amanda_recover_t self:unix_stream_socket create_socket_perms;
allow amanda_recover_t self:tcp_socket { accept listen };
2 changes: 1 addition & 1 deletion policy/modules/admin/anaconda.te
Expand Up @@ -22,7 +22,7 @@ role system_r types anaconda_t;
#

allow anaconda_t self:process execmem;
allow anaconda_t self:passwd { rootok passwd chfn chsh };
allow anaconda_t self:passwd { chfn chsh passwd rootok };

kernel_domtrans_to(anaconda_t, anaconda_exec_t)

4 changes: 2 additions & 2 deletions policy/modules/admin/apt.te
Expand Up @@ -40,7 +40,7 @@ logging_log_file(apt_var_log_t)
#

allow apt_t self:capability { chown dac_override fowner fsetid kill setgid setuid };
allow apt_t self:process { signal setpgid fork };
allow apt_t self:process { fork setpgid signal };
allow apt_t self:fd use;
allow apt_t self:fifo_file rw_fifo_file_perms;
allow apt_t self:unix_dgram_socket sendto;
Expand All @@ -50,7 +50,7 @@ allow apt_t self:tcp_socket create_stream_socket_perms;
allow apt_t self:shm create_shm_perms;
allow apt_t self:sem create_sem_perms;
allow apt_t self:msgq create_msgq_perms;
allow apt_t self:msg { send receive };
allow apt_t self:msg { receive send };
allow apt_t self:netlink_route_socket r_netlink_socket_perms;

allow apt_t apt_lock_t:dir manage_dir_perms;
2 changes: 1 addition & 1 deletion policy/modules/admin/blueman.te
Expand Up @@ -21,7 +21,7 @@ files_type(blueman_var_lib_t)
#

allow blueman_t self:capability { net_admin sys_nice };
allow blueman_t self:process { signal_perms setsched };
allow blueman_t self:process { setsched signal_perms };
allow blueman_t self:fifo_file rw_fifo_file_perms;

manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
4 changes: 2 additions & 2 deletions policy/modules/admin/bootloader.te
Expand Up @@ -43,7 +43,7 @@ dev_node(bootloader_tmp_t)

allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod setgid sys_admin sys_rawio };
dontaudit bootloader_t self:capability { net_admin sys_resource };
allow bootloader_t self:process { signal_perms execmem };
allow bootloader_t self:process { execmem signal_perms };
allow bootloader_t self:fifo_file rw_fifo_file_perms;

allow bootloader_t bootloader_etc_t:file read_file_perms;
Expand Down Expand Up @@ -203,7 +203,7 @@ ifdef(`distro_redhat',`
# for memlock
allow bootloader_t self:capability ipc_lock;

allow bootloader_t boot_runtime_t:file { read_file_perms delete_file_perms };
allow bootloader_t boot_runtime_t:file { delete_file_perms read_file_perms };

# new file system defaults to unlabeled, granting unlabeled access is still bad.
kernel_manage_unlabeled_dirs(bootloader_t)
2 changes: 1 addition & 1 deletion policy/modules/admin/certwatch.te
Expand Up @@ -19,7 +19,7 @@ role certwatch_roles types certwatch_t;
#

allow certwatch_t self:capability sys_nice;
allow certwatch_t self:process { setsched getsched };
allow certwatch_t self:process { getsched setsched };

dev_read_urand(certwatch_t)

2 changes: 1 addition & 1 deletion policy/modules/admin/cloudinit.te
Expand Up @@ -51,7 +51,7 @@ allow cloud_init_t self:fifo_file rw_fifo_file_perms;
allow cloud_init_t self:unix_dgram_socket create_socket_perms;
allow cloud_init_t self:passwd passwd;

allow cloud_init_t cloud_init_log_t:file { create_file_perms append_file_perms read setattr };
allow cloud_init_t cloud_init_log_t:file { append_file_perms create_file_perms read setattr };
logging_log_filetrans(cloud_init_t, cloud_init_log_t, file)

manage_files_pattern(cloud_init_t, cloud_init_runtime_t, cloud_init_runtime_t)
4 changes: 2 additions & 2 deletions policy/modules/admin/consoletype.te
Expand Up @@ -16,7 +16,7 @@ init_system_domain(consoletype_t, consoletype_exec_t)
#

allow consoletype_t self:capability { sys_admin sys_tty_config };
allow consoletype_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow consoletype_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setkeycreate setpgid setsched setsockcreate share siginh signal_perms transition };
allow consoletype_t self:fd use;
allow consoletype_t self:fifo_file rw_fifo_file_perms;
allow consoletype_t self:sock_file read_sock_file_perms;
Expand All @@ -27,7 +27,7 @@ allow consoletype_t self:unix_stream_socket connectto;
allow consoletype_t self:shm create_shm_perms;
allow consoletype_t self:sem create_sem_perms;
allow consoletype_t self:msgq create_msgq_perms;
allow consoletype_t self:msg { send receive };
allow consoletype_t self:msg { receive send };

kernel_use_fds(consoletype_t)
kernel_dontaudit_read_system_state(consoletype_t)
2 changes: 1 addition & 1 deletion policy/modules/admin/dphysswapfile.te
Expand Up @@ -29,7 +29,7 @@ init_unit_file(dphysswapfile_unit_t)
# sys_admin : swapon
allow dphysswapfile_t self:capability sys_admin;
allow dphysswapfile_t self:fifo_file rw_fifo_file_perms;
allow dphysswapfile_t self:unix_stream_socket { create connect };
allow dphysswapfile_t self:unix_stream_socket { connect create };

allow dphysswapfile_t dphysswapfile_conf_t:file read_file_perms;

8 changes: 4 additions & 4 deletions policy/modules/admin/dpkg.te
Expand Up @@ -54,7 +54,7 @@ files_tmpfs_file(dpkg_script_tmpfs_t)
#

allow dpkg_t self:capability { chown dac_override fowner fsetid kill linux_immutable mknod setgid setuid sys_nice sys_resource sys_tty_config };
allow dpkg_t self:process { setpgid fork getsched setfscreate };
allow dpkg_t self:process { fork getsched setfscreate setpgid };
allow dpkg_t self:fd use;
allow dpkg_t self:fifo_file rw_fifo_file_perms;
allow dpkg_t self:unix_dgram_socket create_socket_perms;
Expand All @@ -66,7 +66,7 @@ allow dpkg_t self:tcp_socket create_stream_socket_perms;
allow dpkg_t self:shm create_shm_perms;
allow dpkg_t self:sem create_sem_perms;
allow dpkg_t self:msgq create_msgq_perms;
allow dpkg_t self:msg { send receive };
allow dpkg_t self:msg { receive send };

allow dpkg_t dpkg_lock_t:file manage_file_perms;

Expand Down Expand Up @@ -201,7 +201,7 @@ optional_policy(`
#

allow dpkg_script_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin setfcap setgid setuid sys_chroot sys_nice sys_ptrace };
allow dpkg_script_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow dpkg_script_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setfscreate setkeycreate setpgid setsched setsockcreate share siginh signal_perms transition };
allow dpkg_script_t self:fd use;
allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
Expand All @@ -211,7 +211,7 @@ allow dpkg_script_t self:unix_stream_socket connectto;
allow dpkg_script_t self:shm create_shm_perms;
allow dpkg_script_t self:sem create_sem_perms;
allow dpkg_script_t self:msgq create_msgq_perms;
allow dpkg_script_t self:msg { send receive };
allow dpkg_script_t self:msg { receive send };
allow dpkg_script_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow dpkg_script_t self:udp_socket create_socket_perms;

4 changes: 2 additions & 2 deletions policy/modules/admin/firstboot.te
@@ -1,7 +1,7 @@
policy_module(firstboot)

gen_require(`
class passwd { passwd chfn chsh rootok };
class passwd { chfn chsh passwd rootok };
')

########################################
Expand Down Expand Up @@ -33,7 +33,7 @@ allow firstboot_t self:capability { dac_override setgid };
allow firstboot_t self:process setfscreate;
allow firstboot_t self:fifo_file rw_fifo_file_perms;
allow firstboot_t self:tcp_socket { accept listen };
allow firstboot_t self:passwd { rootok passwd chfn chsh };
allow firstboot_t self:passwd { chfn chsh passwd rootok };

allow firstboot_t firstboot_etc_t:file read_file_perms;

6 changes: 3 additions & 3 deletions policy/modules/admin/logrotate.te
Expand Up @@ -36,11 +36,11 @@ init_unit_file(logrotate_unit_t)
#

# sys_ptrace is for systemctl
allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_ptrace sys_nice sys_resource };
allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_ptrace sys_resource };
dontaudit logrotate_t self:cap_userns sys_ptrace;
# systemctl asks for net_admin
dontaudit logrotate_t self:capability net_admin;
allow logrotate_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow logrotate_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setfscreate setkeycreate setpgid setrlimit setsched setsockcreate share siginh signal_perms transition };
allow logrotate_t self:fd use;
allow logrotate_t self:key manage_key_perms;
allow logrotate_t self:fifo_file rw_fifo_file_perms;
Expand All @@ -49,7 +49,7 @@ allow logrotate_t self:unix_stream_socket { accept connectto listen };
allow logrotate_t self:shm create_shm_perms;
allow logrotate_t self:sem create_sem_perms;
allow logrotate_t self:msgq create_msgq_perms;
allow logrotate_t self:msg { send receive };
allow logrotate_t self:msg { receive send };

allow logrotate_t logrotate_lock_t:file manage_file_perms;
files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
2 changes: 1 addition & 1 deletion policy/modules/admin/logwatch.te
Expand Up @@ -38,7 +38,7 @@ role system_r types logwatch_mail_t;
#

allow logwatch_t self:capability { dac_override dac_read_search setgid };
allow logwatch_t self:process { signal getsched };
allow logwatch_t self:process { getsched signal };
allow logwatch_t self:fifo_file rw_fifo_file_perms;
allow logwatch_t self:unix_stream_socket { accept listen };

2 changes: 1 addition & 1 deletion policy/modules/admin/mcelog.te
Expand Up @@ -112,7 +112,7 @@ tunable_policy(`mcelog_foreground',`
')

tunable_policy(`mcelog_server',`
allow mcelog_t self:unix_stream_socket { listen accept };
allow mcelog_t self:unix_stream_socket { accept listen };
')

tunable_policy(`mcelog_syslog',`
6 changes: 3 additions & 3 deletions policy/modules/admin/netutils.te
Expand Up @@ -112,8 +112,8 @@ allow ping_t self:capability { net_raw setuid };
allow ping_t self:process { getcap setcap };
dontaudit ping_t self:capability sys_tty_config;
allow ping_t self:tcp_socket create_socket_perms;
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr };
allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
allow ping_t self:rawip_socket { bind create getattr getopt ioctl read setopt write };
allow ping_t self:packet_socket { bind create getopt ioctl read setopt write };
allow ping_t self:netlink_route_socket create_netlink_socket_perms;
allow ping_t self:icmp_socket create_socket_perms;

Expand Down Expand Up @@ -163,7 +163,7 @@ allow traceroute_t self:fifo_file rw_inherited_fifo_file_perms;
allow traceroute_t self:process signal;
allow traceroute_t self:netlink_generic_socket create_socket_perms;
allow traceroute_t self:rawip_socket create_socket_perms;
allow traceroute_t self:packet_socket { map create_socket_perms };
allow traceroute_t self:packet_socket { create_socket_perms map };
allow traceroute_t self:udp_socket create_socket_perms;

can_exec(traceroute_t, traceroute_exec_t)
6 changes: 3 additions & 3 deletions policy/modules/admin/portage.if
Expand Up @@ -71,13 +71,13 @@ interface(`portage_compile_domain',`

allow $1 self:capability { chown dac_override fowner fsetid mknod net_raw setgid setuid };
dontaudit $1 self:capability sys_chroot;
allow $1 self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit };
allow $1 self:process { dyntransition execmem getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setfscreate setkeycreate setpgid setrlimit setsched setsockcreate share siginh signal_perms transition };
allow $1 self:fd use;
allow $1 self:fifo_file rw_fifo_file_perms;
allow $1 self:shm create_shm_perms;
allow $1 self:sem create_sem_perms;
allow $1 self:msgq create_msgq_perms;
allow $1 self:msg { send receive };
allow $1 self:msg { receive send };
allow $1 self:unix_dgram_socket create_socket_perms;
allow $1 self:unix_stream_socket create_stream_socket_perms;
allow $1 self:unix_dgram_socket sendto;
Expand All @@ -96,7 +96,7 @@ interface(`portage_compile_domain',`

# write compile logs
allow $1 portage_log_t:dir setattr_dir_perms;
allow $1 portage_log_t:file { write_file_perms setattr_file_perms };
allow $1 portage_log_t:file { setattr_file_perms write_file_perms };

# Support live ebuilds (-9999)
manage_dirs_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
2 changes: 1 addition & 1 deletion policy/modules/admin/portage.te
Expand Up @@ -353,7 +353,7 @@ dontaudit portage_sandbox_t self:netlink_route_socket create_netlink_socket_perm
dontaudit portage_sandbox_t portage_cache_t:dir { setattr_dir_perms };
dontaudit portage_sandbox_t portage_cache_t:file { setattr_file_perms write };

allow portage_sandbox_t portage_log_t:file { create_file_perms delete_file_perms setattr_file_perms append_file_perms };
allow portage_sandbox_t portage_log_t:file { append_file_perms create_file_perms delete_file_perms setattr_file_perms };
logging_log_filetrans(portage_sandbox_t, portage_log_t, file)

allow portage_sandbox_t portage_tmp_t:dir watch;
6 changes: 3 additions & 3 deletions policy/modules/admin/prelink.te
Expand Up @@ -53,10 +53,10 @@ append_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
logging_log_filetrans(prelink_t, prelink_log_t, file)

allow prelink_t prelink_tmp_t:file { manage_file_perms mmap_exec_file_perms relabel_file_perms execmod };
allow prelink_t prelink_tmp_t:file { execmod manage_file_perms mmap_exec_file_perms relabel_file_perms };
files_tmp_filetrans(prelink_t, prelink_tmp_t, file)

allow prelink_t prelink_tmpfs_t:file { manage_file_perms mmap_exec_file_perms relabel_file_perms execmod };
allow prelink_t prelink_tmpfs_t:file { execmod manage_file_perms mmap_exec_file_perms relabel_file_perms };
fs_tmpfs_filetrans(prelink_t, prelink_tmpfs_t, file)

manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
Expand Down Expand Up @@ -156,7 +156,7 @@ optional_policy(`

optional_policy(`
allow prelink_cron_system_t self:capability setuid;
allow prelink_cron_system_t self:process { setsched setfscreate signal };
allow prelink_cron_system_t self:process { setfscreate setsched signal };
allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms;
allow prelink_cron_system_t self:unix_dgram_socket create_socket_perms;

6 changes: 3 additions & 3 deletions policy/modules/admin/puppet.te
Expand Up @@ -63,7 +63,7 @@ files_tmp_file(puppetmaster_tmp_t)
#

allow puppet_t self:capability { chown dac_override fowner fsetid setgid setuid sys_admin sys_nice sys_tty_config };
allow puppet_t self:process { signal signull getsched setsched };
allow puppet_t self:process { getsched setsched signal signull };
allow puppet_t self:fifo_file rw_fifo_file_perms;
allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
allow puppet_t self:tcp_socket { accept listen };
Expand Down Expand Up @@ -257,7 +257,7 @@ optional_policy(`
#

allow puppetmaster_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_tty_config };
allow puppetmaster_t self:process { signal_perms getsched setsched };
allow puppetmaster_t self:process { getsched setsched signal_perms };
allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
allow puppetmaster_t self:netlink_route_socket nlmsg_write;
allow puppetmaster_t self:socket create;
Expand All @@ -277,7 +277,7 @@ logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
allow puppetmaster_t puppet_var_lib_t:dir { manage_dir_perms relabel_dir_perms };
allow puppetmaster_t puppet_var_lib_t:file { manage_file_perms relabel_file_perms };

allow puppetmaster_t puppet_runtime_t:dir { create_dir_perms setattr_dir_perms relabel_dir_perms };
allow puppetmaster_t puppet_runtime_t:dir { create_dir_perms relabel_dir_perms setattr_dir_perms };
allow puppetmaster_t puppet_runtime_t:file manage_file_perms;
files_runtime_filetrans(puppetmaster_t, puppet_runtime_t, { file dir })

2 changes: 1 addition & 1 deletion policy/modules/admin/quota.te
Expand Up @@ -33,7 +33,7 @@ files_runtime_file(quota_nld_runtime_t)
# Local policy
#

allow quota_t self:capability { dac_override sys_admin linux_immutable };
allow quota_t self:capability { dac_override linux_immutable sys_admin};
dontaudit quota_t self:capability sys_tty_config;
allow quota_t self:process signal_perms;

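Review bot: The rewritten quota_t capability rule drops the space before the closing brace, `{ dac_override linux_immutable sys_admin};`, which is inconsistent with every other braced permission set touched in this PR. It should read `allow quota_t self:capability { dac_override linux_immutable sys_admin };`. The policy compiler presumably still accepts it, since the brace is tokenized separately, but a cleanup commit whose whole purpose is uniform ordering should not introduce a formatting irregularity, and any future automated sort/format check over permission sets is likely to trip on it.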
10 changes: 5 additions & 5 deletions policy/modules/admin/rpm.te
Expand Up @@ -82,8 +82,8 @@ files_tmpfs_file(rpm_script_tmpfs_t)
# rpm Local policy
#

allow rpm_t self:capability { chown dac_read_search dac_override fowner fsetid ipc_lock mknod setfcap setgid setuid sys_chroot sys_nice sys_tty_config };
allow rpm_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit };
allow rpm_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock mknod setfcap setgid setuid sys_chroot sys_nice sys_tty_config };
allow rpm_t self:process { dyntransition execmem getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setexec setfscreate setkeycreate setpgid setrlimit setsched setsockcreate share siginh signal_perms transition };
allow rpm_t self:fd use;
allow rpm_t self:fifo_file rw_fifo_file_perms;
allow rpm_t self:unix_dgram_socket sendto;
Expand All @@ -93,7 +93,7 @@ allow rpm_t self:tcp_socket { accept listen };
allow rpm_t self:shm create_shm_perms;
allow rpm_t self:sem create_sem_perms;
allow rpm_t self:msgq create_msgq_perms;
allow rpm_t self:msg { send receive };
allow rpm_t self:msg { receive send };
allow rpm_t self:file rw_file_perms;
allow rpm_t self:netlink_kobject_uevent_socket create_socket_perms;

Expand Down Expand Up @@ -258,15 +258,15 @@ optional_policy(`
#

allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin setgid setuid sys_admin sys_chroot sys_nice sys_rawio };
allow rpm_script_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition execmem execstack setkeycreate setsockcreate getrlimit };
allow rpm_script_t self:process { dyntransition execmem execstack getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setkeycreate setpgid setsched setsockcreate share siginh signal_perms transition };
allow rpm_script_t self:fd use;
allow rpm_script_t self:fifo_file rw_fifo_file_perms;
allow rpm_script_t self:unix_dgram_socket sendto;
allow rpm_script_t self:unix_stream_socket { accept connectto listen };
allow rpm_script_t self:shm create_shm_perms;
allow rpm_script_t self:sem create_sem_perms;
allow rpm_script_t self:msgq create_msgq_perms;
allow rpm_script_t self:msg { send receive };
allow rpm_script_t self:msg { receive send };
allow rpm_script_t self:netlink_kobject_uevent_socket create_socket_perms;

allow rpm_script_t rpm_t:netlink_route_socket { read write };
2 changes: 1 addition & 1 deletion policy/modules/admin/samhain.te
Expand Up @@ -46,7 +46,7 @@ ifdef(`enable_mls',`

allow samhain_domain self:capability { dac_override dac_read_search fowner ipc_lock };
dontaudit samhain_domain self:capability { sys_ptrace sys_resource };
allow samhain_domain self:process { setsched setrlimit signull };
allow samhain_domain self:process { setrlimit setsched signull };
allow samhain_domain self:fd use;
allow samhain_domain self:fifo_file rw_fifo_file_perms;

2 changes: 1 addition & 1 deletion policy/modules/admin/sosreport.te
Expand Up @@ -33,7 +33,7 @@ optional_policy(`

allow sosreport_t self:capability { dac_override kill net_admin net_raw setuid sys_admin sys_nice };
dontaudit sosreport_t self:capability sys_ptrace;
allow sosreport_t self:process { setsched setpgid signal_perms };
allow sosreport_t self:process { setpgid setsched signal_perms };
allow sosreport_t self:fifo_file rw_fifo_file_perms;
allow sosreport_t self:tcp_socket { accept listen };
allow sosreport_t self:unix_stream_socket { accept listen };