712 lines
17 KiB
Text
712 lines
17 KiB
Text
|
policy_module(domain, 1.11.0)
|
||
|
|
||
|
########################################
|
||
|
#
|
||
|
# Declarations
|
||
|
#
|
||
|
## <desc>
|
||
|
## <p>
|
||
|
## Allow all domains to use other domains file descriptors
|
||
|
## </p>
|
||
|
## </desc>
|
||
|
#
|
||
|
gen_tunable(domain_fd_use, true)
|
||
|
|
||
|
## <desc>
|
||
|
## <p>
|
||
|
## Allow all domains to execute in fips_mode
|
||
|
## </p>
|
||
|
## </desc>
|
||
|
#
|
||
|
gen_tunable(fips_mode, true)
|
||
|
|
||
|
## <desc>
|
||
|
## <p>
|
||
|
## Allow all domains to have the kernel load modules
|
||
|
## </p>
|
||
|
## </desc>
|
||
|
#
|
||
|
gen_tunable(domain_kernel_load_modules, false)
|
||
|
|
||
|
## <desc>
|
||
|
## <p>
|
||
|
## Control the ability to mmap a low area of the address space,
|
||
|
## as configured by /proc/sys/vm/mmap_min_addr.
|
||
|
## </p>
|
||
|
## </desc>
|
||
|
gen_tunable(mmap_low_allowed, false)
|
||
|
|
||
|
## <desc>
|
||
|
## <p>
|
||
|
## Allow all domains write to kmsg_device,
|
||
|
## while kernel is executed with systemd.log_target=kmsg parameter.
|
||
|
## </p>
|
||
|
## </desc>
|
||
|
gen_tunable(domain_can_write_kmsg, false)
|
||
|
|
||
|
## <desc>
|
||
|
## <p>
|
||
|
## Allow any process to mmap any file on system with attribute file_type.
|
||
|
## </p>
|
||
|
## </desc>
|
||
|
gen_tunable(domain_can_mmap_files, false)
|
||
|
|
||
|
# Mark process types as domains
|
||
|
attribute domain;
|
||
|
attribute named_filetrans_domain;
|
||
|
|
||
|
# Transitions only allowed from domains to other domains
|
||
|
neverallow domain ~domain:process { transition dyntransition };
|
||
|
|
||
|
# Domains that are unconfined
|
||
|
attribute unconfined_domain_type;
|
||
|
|
||
|
# Domains that can mmap low memory.
|
||
|
attribute mmap_low_domain_type;
|
||
|
neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
|
||
|
|
||
|
# Domains that can set their current context
|
||
|
# (perform dynamic transitions)
|
||
|
attribute set_curr_context;
|
||
|
|
||
|
# enabling setcurrent breaks process tranquility. If you do not
|
||
|
# know what this means or do not understand the implications of a
|
||
|
# dynamic transition, you should not be using it!!!
|
||
|
neverallow { domain -set_curr_context } self:process setcurrent;
|
||
|
|
||
|
# entrypoint executables
|
||
|
attribute entry_type;
|
||
|
|
||
|
# widely-inheritable file descriptors
|
||
|
attribute privfd;
|
||
|
|
||
|
#
|
||
|
# constraint related attributes
|
||
|
#
|
||
|
|
||
|
# [1] types that can change SELinux identity on transition
|
||
|
attribute can_change_process_identity;
|
||
|
|
||
|
# [2] types that can change SELinux role on transition
|
||
|
attribute can_change_process_role;
|
||
|
|
||
|
# [3] types that can change the SELinux identity on a filesystem
|
||
|
# object or a socket object on a create or relabel
|
||
|
attribute can_change_object_identity;
|
||
|
|
||
|
# [3] types that can change to system_u:system_r
|
||
|
attribute can_system_change;
|
||
|
|
||
|
# [4] types that have attribute 1 can change the SELinux
|
||
|
# identity only if the target domain has this attribute.
|
||
|
# Types that have attribute 2 can change the SELinux role
|
||
|
# only if the target domain has this attribute.
|
||
|
attribute process_user_target;
|
||
|
|
||
|
# For cron jobs
|
||
|
# [5] types used for cron daemons
|
||
|
attribute cron_source_domain;
|
||
|
# [6] types used for cron jobs
|
||
|
attribute cron_job_domain;
|
||
|
|
||
|
# [7] types that are unconditionally exempt from
|
||
|
# SELinux identity and role change constraints
|
||
|
attribute process_uncond_exempt; # add userhelperdomain to this one
|
||
|
|
||
|
neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;
|
||
|
neverallow ~{ domain unlabeled_t } *:process *;
|
||
|
|
||
|
########################################
|
||
|
#
|
||
|
# Rules applied to all domains
|
||
|
#
|
||
|
|
||
|
allow domain domain:anon_inode common_anon_inode_perms;
|
||
|
# read /proc/(pid|self) entries
|
||
|
allow domain self:dir { list_dir_perms watch_dir_perms };
|
||
|
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
|
||
|
allow domain self:file rw_file_perms;
|
||
|
allow domain self:fifo_file rw_fifo_file_perms;
|
||
|
allow domain self:sem create_sem_perms;
|
||
|
allow domain self:shm create_shm_perms;
|
||
|
|
||
|
kernel_getattr_proc(domain)
|
||
|
kernel_read_proc_symlinks(domain)
|
||
|
kernel_read_crypto_sysctls(domain)
|
||
|
kernel_read_usermodehelper_state(domain)
|
||
|
kernel_read_vm_overcommit_sysctls(domain)
|
||
|
|
||
|
# Every domain gets the key ring, so we should default
|
||
|
# to no one allowed to look at it; afs kernel support creates
|
||
|
# a keyring
|
||
|
kernel_dontaudit_search_key(domain)
|
||
|
kernel_dontaudit_link_key(domain)
|
||
|
kernel_dontaudit_search_debugfs(domain)
|
||
|
|
||
|
# create child processes in the domain
|
||
|
allow domain self:process { getcap fork getsched signal_perms };
|
||
|
|
||
|
# Use trusted objects in /dev
|
||
|
dev_read_cpu_online(domain)
|
||
|
dev_rw_null(domain)
|
||
|
dev_rw_zero(domain)
|
||
|
term_use_controlling_term(domain)
|
||
|
|
||
|
# Allow all domains stat /sys. It is needed by services reading hardware
|
||
|
# state information, but there is no harm to allow it to all domains in general.
|
||
|
|
||
|
dev_getattr_sysfs_fs(domain)
|
||
|
|
||
|
# Allow all domains to read /dev/urandom. It is needed by all apps/services
|
||
|
# linked to libgcrypt. There is no harm to allow it by default.
|
||
|
dev_read_urand(domain)
|
||
|
|
||
|
# list the root directory
|
||
|
files_list_root(domain)
|
||
|
# allow all domains to search through base_file_type directory, since users
|
||
|
# sometimes place labels within these directories. (samba_share_t) for example.
|
||
|
files_search_base_file_types(domain)
|
||
|
|
||
|
files_read_inherited_tmp_files(domain)
|
||
|
files_append_inherited_tmp_files(domain)
|
||
|
files_mmap_usr_files(domain)
|
||
|
files_read_all_base_ro_files(domain)
|
||
|
files_dontaudit_getattr_kernel_symbol_table(domain)
|
||
|
files_dontaudit_map_all_dirs(domain)
|
||
|
|
||
|
fs_dontaudit_map_all_dirs(domain)
|
||
|
|
||
|
# All executables should be able to search the directory they are in
|
||
|
corecmd_search_bin(domain)
|
||
|
|
||
|
optional_policy(`
|
||
|
userdom_search_admin_dir(domain)
|
||
|
')
|
||
|
|
||
|
tunable_policy(`domain_can_write_kmsg',`
|
||
|
dev_write_kmsg(domain)
|
||
|
')
|
||
|
|
||
|
tunable_policy(`domain_kernel_load_modules',`
|
||
|
kernel_request_load_module(domain)
|
||
|
')
|
||
|
|
||
|
tunable_policy(`domain_can_mmap_files',`
|
||
|
allow domain file_type:file map;
|
||
|
allow domain file_type:chr_file map;
|
||
|
allow domain file_type:blk_file map;
|
||
|
allow domain file_type:lnk_file map;
|
||
|
')
|
||
|
|
||
|
ifdef(`hide_broken_symptoms',`
|
||
|
# This check is in the general socket
|
||
|
# listen code, before protocol-specific
|
||
|
# listen function is called, so bad calls
|
||
|
# to listen on UDP sockets should be silenced
|
||
|
dontaudit domain self:udp_socket listen;
|
||
|
')
|
||
|
|
||
|
tunable_policy(`global_ssp',`
|
||
|
# enable reading of urandom for all domains:
|
||
|
# this should be enabled when all programs
|
||
|
# are compiled with ProPolice/SSP
|
||
|
# stack smashing protection.
|
||
|
dev_read_urand(domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
afs_rw_cache(domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
libs_use_ld_so(domain)
|
||
|
libs_use_shared_libs(domain)
|
||
|
libs_read_lib_files(domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
miscfiles_read_localization(domain)
|
||
|
miscfiles_read_man_pages(domain)
|
||
|
miscfiles_read_fonts(domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
setrans_translate_context(domain)
|
||
|
')
|
||
|
|
||
|
# xdm passes an open file descriptor to xsession-errors.log which is then audited by all confined domains.
|
||
|
optional_policy(`
|
||
|
xserver_dontaudit_use_xdm_fds(domain)
|
||
|
xserver_dontaudit_rw_xdm_pipes(domain)
|
||
|
xserver_dontaudit_append_xdm_home_files(domain)
|
||
|
xserver_dontaudit_write_log(domain)
|
||
|
xserver_dontaudit_xdm_rw_stream_sockets(domain)
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
#
|
||
|
# Unconfined access to this module
|
||
|
#
|
||
|
|
||
|
# unconfined access also allows constraints, but this
|
||
|
# is handled in the interface as typeattribute cannot
|
||
|
# be used on an attribute.
|
||
|
|
||
|
# allow special io_uring features
|
||
|
allow unconfined_domain_type domain:io_uring override_creds;
|
||
|
allow unconfined_domain_type self:io_uring sqpoll;
|
||
|
files_io_uring_cmd_on_all_files(unconfined_domain_type)
|
||
|
|
||
|
# allow using the user_namespace class
|
||
|
allow unconfined_domain_type self:user_namespace create;
|
||
|
|
||
|
# Use bpf tools
|
||
|
allow unconfined_domain_type domain:bpf { map_create map_read map_write prog_load prog_run };
|
||
|
|
||
|
allow unconfined_domain_type self:lnk_file setattr;
|
||
|
|
||
|
# Use/sendto/connectto sockets created by any domain.
|
||
|
allow unconfined_domain_type self:cap_userns all_cap_userns_perms;
|
||
|
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
|
||
|
|
||
|
allow unconfined_domain_type domain:system all_system_perms;
|
||
|
# Use descriptors and pipes created by any domain.
|
||
|
allow unconfined_domain_type domain:fd use;
|
||
|
allow unconfined_domain_type domain:fifo_file rw_file_perms;
|
||
|
|
||
|
allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
|
||
|
|
||
|
# Act upon any other process.
|
||
|
allow unconfined_domain_type domain:process ~{ ptrace transition dyntransition execmem execstack execheap };
|
||
|
tunable_policy(`deny_ptrace',`',`
|
||
|
allow unconfined_domain_type domain:process ptrace;
|
||
|
')
|
||
|
|
||
|
# Create/access any System V IPC objects.
|
||
|
allow unconfined_domain_type domain:{ sem msgq shm } *;
|
||
|
allow unconfined_domain_type domain:msg { send receive };
|
||
|
|
||
|
# For /proc/pid
|
||
|
allow unconfined_domain_type domain:dir { list_dir_perms watch_dir_perms };
|
||
|
allow unconfined_domain_type domain:file manage_file_perms;
|
||
|
allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
|
||
|
|
||
|
# act on all domains keys
|
||
|
allow unconfined_domain_type domain:key *;
|
||
|
|
||
|
allow unconfined_domain_type domain:perf_event rw_inherited_perf_event_perms;
|
||
|
|
||
|
kernel_manage_perf_event(unconfined_domain_type)
|
||
|
|
||
|
corenet_filetrans_all_named_dev(named_filetrans_domain)
|
||
|
|
||
|
dev_filetrans_all_named_dev(named_filetrans_domain)
|
||
|
|
||
|
# receive from all domains over labeled networking
|
||
|
domain_all_recvfrom_all_domains(unconfined_domain_type)
|
||
|
|
||
|
files_filetrans_named_content(named_filetrans_domain)
|
||
|
files_filetrans_system_conf_named_files(named_filetrans_domain)
|
||
|
files_config_all_files(unconfined_domain_type)
|
||
|
dev_config_null_dev_service(unconfined_domain_type)
|
||
|
|
||
|
optional_policy(`
|
||
|
miscfiles_filetrans_named_content_letsencrypt(unconfined_domain_type)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
kdump_filetrans_named_content(unconfined_domain_type)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
fstools_filetrans_named_content_fsadm(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
ipa_filetrans_named_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
locallogin_filetrans_home_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
mandb_filetrans_named_home_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
ppp_filetrans_named_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
snapper_filetrans_named_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
seutil_filetrans_named_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
wine_filetrans_named_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
storage_filetrans_all_named_dev(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
term_filetrans_all_named_dev(named_filetrans_domain)
|
||
|
|
||
|
optional_policy(`
|
||
|
init_disable_services(unconfined_domain_type)
|
||
|
init_enable_services(unconfined_domain_type)
|
||
|
init_reload_services(unconfined_domain_type)
|
||
|
init_status(unconfined_domain_type)
|
||
|
init_reboot(unconfined_domain_type)
|
||
|
init_halt(unconfined_domain_type)
|
||
|
init_undefined(unconfined_domain_type)
|
||
|
init_filetrans_named_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
# Allow manage transient unit files
|
||
|
optional_policy(`
|
||
|
init_start_transient_unit(unconfined_domain_type)
|
||
|
init_stop_transient_unit(unconfined_domain_type)
|
||
|
init_status_transient_unit(unconfined_domain_type)
|
||
|
init_reload_transient_unit(unconfined_domain_type)
|
||
|
init_enable_transient_unit(unconfined_domain_type)
|
||
|
init_disable_transient_unit(unconfined_domain_type)
|
||
|
')
|
||
|
|
||
|
|
||
|
optional_policy(`
|
||
|
libs_filetrans_named_content(unconfined_domain_type)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
auth_filetrans_named_content(named_filetrans_domain)
|
||
|
auth_filetrans_admin_home_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
libs_filetrans_named_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
logging_filetrans_named_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
miscfiles_filetrans_named_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
abrt_filetrans_named_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
alsa_filetrans_named_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
apache_filetrans_named_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
apcupsd_filetrans_named_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
bootloader_filetrans_config(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
clock_filetrans_named_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
cups_filetrans_named_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
cvs_filetrans_home_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
dbus_filetrans_named_content_system(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
devicekit_filetrans_named_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
dnsmasq_filetrans_named_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
gnome_filetrans_admin_home_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
iscsi_filetrans_named_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
iptables_filetrans_named_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
kerberos_filetrans_named_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
mta_filetrans_named_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
mplayer_filetrans_home_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
modules_filetrans_named_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
mysql_filetrans_named_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
networkmanager_filetrans_named_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
ntp_filetrans_named_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
nx_filetrans_named_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
plymouthd_filetrans_named_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
postgresql_filetrans_named_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
postfix_filetrans_named_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
prelink_filetrans_named_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
pulseaudio_filetrans_admin_home_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
quota_filetrans_named_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
rpcbind_filetrans_named_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
rsync_filetrans_named_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
sysnet_filetrans_named_content(named_filetrans_domain)
|
||
|
sysnet_filetrans_named_content_ifconfig(named_filetrans_domain)
|
||
|
sysnet_filetrans_named_content(unconfined_domain_type)
|
||
|
sysnet_filetrans_named_content_ifconfig(unconfined_domain_type)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
systemd_chat_resolved(domain)
|
||
|
systemd_login_status(unconfined_domain_type)
|
||
|
systemd_login_reboot(unconfined_domain_type)
|
||
|
systemd_login_halt(unconfined_domain_type)
|
||
|
systemd_login_undefined(unconfined_domain_type)
|
||
|
systemd_resolved_write_pid_sock_files(domain)
|
||
|
systemd_filetrans_named_content(named_filetrans_domain)
|
||
|
systemd_filetrans_named_hostname(named_filetrans_domain)
|
||
|
systemd_filetrans_home_content(named_filetrans_domain)
|
||
|
systemd_dontaudit_write_inherited_logind_sessions_pipes(domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
sssd_filetrans_named_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
tftp_filetrans_named_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
userdom_user_home_dir_filetrans_user_home_content(named_filetrans_domain, { dir file lnk_file fifo_file sock_file })
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
ssh_filetrans_admin_home_content(named_filetrans_domain)
|
||
|
ssh_filetrans_keys(unconfined_domain_type)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
userdom_filetrans_named_user_tmp_files(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
virt_filetrans_named_content(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
selinux_getattr_fs(domain)
|
||
|
selinux_search_fs(domain)
|
||
|
selinux_dontaudit_read_fs(domain)
|
||
|
|
||
|
optional_policy(`
|
||
|
seutil_dontaudit_read_config(domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
init_sigchld(domain)
|
||
|
init_signull(domain)
|
||
|
init_read_machineid(domain)
|
||
|
')
|
||
|
|
||
|
ifdef(`distro_redhat',`
|
||
|
files_search_mnt(domain)
|
||
|
')
|
||
|
|
||
|
# these seem questionable:
|
||
|
|
||
|
optional_policy(`
|
||
|
abrt_domtrans_helper(domain)
|
||
|
abrt_read_pid_files(domain)
|
||
|
abrt_read_state(domain)
|
||
|
abrt_signull(domain)
|
||
|
abrt_append_cache(domain)
|
||
|
abrt_rw_fifo_file(domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
# A workaround to handle additional permissions check
|
||
|
# introduced as an involuntary result of a kernel change
|
||
|
automount_write_pipes(domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
sosreport_append_tmp_files(domain)
|
||
|
')
|
||
|
|
||
|
tunable_policy(`domain_fd_use',`
|
||
|
# Allow all domains to use fds past to them
|
||
|
allow domain domain:fd use;
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
cron_dontaudit_write_system_job_tmp_files(domain)
|
||
|
cron_rw_pipes(domain)
|
||
|
cron_rw_system_job_pipes(domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
devicekit_dbus_chat_power(domain)
|
||
|
')
|
||
|
|
||
|
ifdef(`hide_broken_symptoms',`
|
||
|
dontaudit domain self:capability { net_admin };
|
||
|
dontaudit domain self:udp_socket listen;
|
||
|
allow domain domain:key { link search };
|
||
|
dontaudit domain domain:socket_class_set { read write };
|
||
|
dontaudit domain self:capability sys_module;
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
ica_filetrans_named_content(domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
ipsec_match_default_spd(domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
miscfiles_read_pkcs11_modules(domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
ifdef(`hide_broken_symptoms',`
|
||
|
afs_rw_udp_sockets(domain)
|
||
|
')
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
rolekit_dbus_chat(domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
vmtools_unconfined_dbus_chat(domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
ssh_rw_pipes(domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
unconfined_dontaudit_rw_pipes(domain)
|
||
|
unconfined_server_dontaudit_rw_pipes(domain)
|
||
|
unconfined_sigchld(domain)
|
||
|
')
|
||
|
|
||
|
# broken kernel
|
||
|
dontaudit can_change_object_identity can_change_object_identity:key link;
|
||
|
dontaudit domain self:file create;
|
||
|
|
||
|
ifdef(`distro_redhat',`
|
||
|
optional_policy(`
|
||
|
unconfined_use_fds(domain)
|
||
|
')
|
||
|
')
|
||
|
|
||
|
# these seem questionable:
|
||
|
|
||
|
optional_policy(`
|
||
|
puppet_rw_tmp(domain)
|
||
|
')
|
||
|
|
||
|
dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
|
||
|
|
||
|
optional_policy(`
|
||
|
rkhunter_append_lib_files(domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
rpm_rw_script_inherited_pipes(domain)
|
||
|
rpm_use_fds(domain)
|
||
|
rpm_read_pipes(domain)
|
||
|
rpm_search_log(domain)
|
||
|
rpm_append_tmp_files(domain)
|
||
|
rpm_dontaudit_leaks(domain)
|
||
|
rpm_read_script_tmp_files(domain)
|
||
|
rpm_named_filetrans(named_filetrans_domain)
|
||
|
')
|
||
|
|
||
|
tunable_policy(`fips_mode',`
|
||
|
allow domain self:fifo_file manage_fifo_file_perms;
|
||
|
kernel_read_kernel_sysctls(domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
tunable_policy(`fips_mode',`
|
||
|
prelink_exec(domain)
|
||
|
')
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
container_spc_stream_connect(domain)
|
||
|
')
|