; Attribute collecting the confined login domains; the two optional blocks
; that follow are what let xdm_t and init_t transition into its members.
(typeattribute login_confinedom)
; Graphical login path: xdm_t executes xsession_exec_t and may transition
; into any login_confinedom member.  The child keeps xdm_t's descriptors
; and pipes and signals completion back with sigchld.  The whole block is
; "optional" so it is dropped, not fatal, when xdm_t is absent from the
; base policy.
(optional confined_transition_userdomain_optional
(typeattributeset cil_gen_require init_t)
(typeattributeset cil_gen_require xdm_t)
(typeattributeset cil_gen_require login_confinedom)
(typeattributeset cil_gen_require xsession_exec_t)
(allow xdm_t xsession_exec_t (file (ioctl read getattr map execute open)))
(allow xdm_t login_confinedom (process (transition)))
(allow login_confinedom xdm_t (fd (use)))
(allow login_confinedom xdm_t (fifo_file (ioctl read write getattr lock append open)))
(allow login_confinedom xdm_t (process (sigchld)))
)
; Lets init_t transition directly into a login_confinedom member.  Only the
; transition permission is granted here; no back-channel (fd use, sigchld)
; is added, unlike the xdm_t block above.  xdm_t is required but not used
; by any rule in this block.
(optional confined_xsession_spec_domtrans_conf_users_optional
(typeattributeset cil_gen_require init_t)
(typeattributeset cil_gen_require xdm_t)
(typeattributeset cil_gen_require login_confinedom)
(allow init_t login_confinedom (process (transition)))
)
; Administrative grants for a confined user domain.
;
; Parameters:
;   utype     - the user's confined domain
;   urole     - the user's role
;   sudo_type - presumably the domain reached through sudo; it receives the
;               broad file-system and policy-store grants in this macro
;
; Each group of rules sits in an "optional" block, so a group whose types
; are missing from the base policy is silently disabled rather than
; breaking the load.  Rules inside a block are unordered and duplicates
; are merged by the compiler, so the repeated allow lines below are
; harmless but carry no extra meaning.
(macro confinedom_admin_commands_macro ((type utype) (role urole) (type sudo_type))
(optional confinedom_admin_commands_optional_2
(roleattributeset cil_gen_require urole)
(roleattributeset cil_gen_require iptables_roles)
(typeattributeset cil_gen_require utype)
(typeattributeset cil_gen_require sudo_type)
(typeattributeset cil_gen_require domain)
(typeattributeset cil_gen_require usbmon_device_t)
(typeattributeset cil_gen_require device_t)
(typeattributeset cil_gen_require non_auth_file_type)
(typeattributeset cil_gen_require selinux_config_t)
(typeattributeset cil_gen_require policy_config_t)
(typeattributeset cil_gen_require etc_t)
(typeattributeset cil_gen_require modules_object_t)
(typeattributeset cil_gen_require file_type)
(typeattributeset cil_gen_require files_unconfined_type)
(typeattributeset cil_gen_require init_var_run_t)
(typeattributeset cil_gen_require init_var_lib_t)
(typeattributeset cil_gen_require var_t)
(typeattributeset cil_gen_require var_lib_t)
(typeattributeset cil_gen_require init_t)
(typeattributeset cil_gen_require iptables_t)
(typeattributeset cil_gen_require iptables_exec_t)
(typeattributeset cil_gen_require bin_t)
(typeattributeset cil_gen_require proc_t)
(typeattributeset cil_gen_require proc_net_t)
(typeattributeset cil_gen_require auditd_t)
(typeattributeset cil_gen_require auditd_etc_t)
(typeattributeset cil_gen_require auditd_log_t)
(typeattributeset cil_gen_require auditd_var_run_t)
(typeattributeset cil_gen_require auditd_initrc_exec_t)
(typeattributeset cil_gen_require auditd_unit_file_t)
(typeattributeset cil_gen_require auditctl_t)
(typeattributeset cil_gen_require auditctl_exec_t)
(typeattributeset cil_gen_require initrc_t)
(typeattributeset cil_gen_require initrc_transition_domain)
(typeattributeset cil_gen_require filesystem_type)
(typeattributeset cil_gen_require can_system_change)
(typeattributeset cil_gen_require systemd_systemctl_exec_t)
(typeattributeset cil_gen_require cgroup_t)
(typeattributeset cil_gen_require tmpfs_t)
(typeattributeset cil_gen_require sysfs_t)
(typeattributeset cil_gen_require efivarfs_t)
(typeattributeset cil_gen_require systemd_unit_file_type)
(typeattributeset cil_gen_require var_run_t)
(typeattributeset cil_gen_require systemd_logind_var_run_t)
(typeattributeset cil_gen_require systemd_passwd_agent_t)
(typeattributeset cil_gen_require systemd_passwd_agent_exec_t)
(typeattributeset cil_gen_require systemd_passwd_var_run_t)
(typeattributeset cil_gen_require syslogd_t)
(typeattributeset cil_gen_require klogd_t)
(typeattributeset cil_gen_require syslog_conf_t)
(typeattributeset cil_gen_require syslogd_tmp_t)
(typeattributeset cil_gen_require syslogd_var_lib_t)
(typeattributeset cil_gen_require syslogd_var_run_t)
(typeattributeset cil_gen_require klogd_var_run_t)
(typeattributeset cil_gen_require klogd_tmp_t)
(typeattributeset cil_gen_require var_log_t)
(typeattributeset cil_gen_require syslogd_initrc_exec_t)
(typeattributeset cil_gen_require logfile)
(typeattributeset cil_gen_require user_home_dir_t)
(typeattributeset cil_gen_require user_home_t)
(typeattributeset cil_gen_require user_home_type)
(typeattributeset cil_gen_require home_root_t)
(typeattributeset cil_gen_require passwd_t)
(typeattributeset cil_gen_require passwd_exec_t)
; Role and attribute membership.  urole joins iptables_roles and may take
; the auditctl_t type; utype is added to three base-policy attributes.
; NOTE(review): files_unconfined_type and can_system_change are very broad
; attributes in the base policy; membership here is a large part of what
; makes utype an administrator, so any domain passed as utype inherits
; that reach.
(roleattributeset cil_gen_require iptables_roles)
(roleattributeset iptables_roles (urole ))
(roleattributeset cil_gen_require urole)
(roletype urole auditctl_t)
(typeattributeset cil_gen_require initrc_transition_domain)
(typeattributeset initrc_transition_domain (utype ))
(typeattributeset cil_gen_require files_unconfined_type)
(typeattributeset files_unconfined_type (utype ))
(typeattributeset cil_gen_require can_system_change)
(typeattributeset can_system_change (utype ))
; Raw/packet sockets, net_raw and several netlink families for both utype
; and sudo_type; presumably backing the iptables and wireshark tooling
; granted later in this macro.  sudo_type additionally gets bluetooth
; sockets and may connect to utype's unix stream sockets.
(allow utype self (capability (net_raw)))
(allow utype self (netlink_generic_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown)))
(allow utype self (netlink_netfilter_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown)))
(allow utype self (netlink_rdma_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown)))
(allow utype self (packet_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown)))
(allow utype self (packet_socket (map)))
(allow sudo_type utype (unix_stream_socket (connectto)))
(allow sudo_type self (bluetooth_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown)))
(allow sudo_type self (capability (net_raw)))
(allow sudo_type self (netlink_generic_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown)))
(allow sudo_type self (netlink_netfilter_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown)))
(allow sudo_type self (netlink_rdma_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown)))
(allow sudo_type self (packet_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown)))
(allow sudo_type self (packet_socket (map)))
; Process inspection of every domain, plus read/map access to the usbmon
; character device.
(allow utype domain (process (getattr)))
(allow utype usbmon_device_t (chr_file (map)))
(allow utype device_t (dir (getattr open search)))
(allow utype usbmon_device_t (chr_file (ioctl read getattr lock open)))
; Sweeping grant: sudo_type may create, modify, rename and remove any
; non_auth_file_type object of every file class listed here.
(allow sudo_type non_auth_file_type (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow sudo_type non_auth_file_type (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
(allow sudo_type non_auth_file_type (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow sudo_type non_auth_file_type (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
(allow sudo_type non_auth_file_type (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow sudo_type non_auth_file_type (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads)))
(allow sudo_type non_auth_file_type (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow sudo_type non_auth_file_type (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open)))
(allow sudo_type non_auth_file_type (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow sudo_type non_auth_file_type (sock_file (ioctl read write create getattr setattr lock append unlink link rename open)))
; Write access to the SELinux policy store (policy_config_t) and to
; modules_object_t; presumably what semodule-style policy management
; from sudo_type needs.  Note that changing the loaded policy from this
; domain is therefore in scope for sudo_type.
(allow sudo_type etc_t (dir (getattr open search)))
(allow sudo_type selinux_config_t (dir (getattr open search)))
(allow sudo_type policy_config_t (dir (ioctl write getattr lock open add_name search)))
(allow sudo_type policy_config_t (file (create getattr open)))
(allow sudo_type policy_config_t (dir (getattr open search)))
(allow sudo_type policy_config_t (file (ioctl write getattr lock append open)))
(allow sudo_type modules_object_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow sudo_type modules_object_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
; Directory traversal over every file_type and read access to init's
; state under init_var_run_t / init_var_lib_t / init_t.
(allow sudo_type file_type (dir (ioctl read getattr lock open search)))
(allow sudo_type file_type (dir (getattr open search)))
(allow sudo_type file_type (lnk_file (read getattr)))
(allow sudo_type init_var_run_t (dir (ioctl read getattr lock open search)))
(allow sudo_type init_var_run_t (dir (ioctl write getattr lock open add_name search)))
(allow sudo_type init_var_run_t (dir (create getattr)))
(allow sudo_type var_t (dir (getattr open search)))
(allow sudo_type var_lib_t (dir (getattr open search)))
(allow sudo_type init_var_lib_t (dir (getattr open search)))
(allow sudo_type init_var_lib_t (file (ioctl read getattr map open)))
(allow sudo_type init_t (dir (getattr open search)))
(allow sudo_type init_t (file (ioctl read getattr lock open)))
(allow sudo_type init_t (lnk_file (read getattr)))
(allow sudo_type init_var_run_t (sock_file (write)))
; Domain transition utype -> iptables_t on exec of iptables_exec_t, with
; the usual fd/fifo/sigchld back-channel from the child.
(allow utype bin_t (dir (getattr open search)))
(allow utype bin_t (lnk_file (read getattr)))
(allow utype bin_t (dir (getattr open search)))
(allow utype bin_t (dir (getattr open search)))
(allow utype iptables_exec_t (file (ioctl read getattr map execute open)))
(allow utype iptables_t (process (transition)))
(typetransition utype iptables_exec_t process iptables_t)
(allow iptables_t utype (fd (use)))
(allow iptables_t utype (fifo_file (ioctl read write getattr lock append)))
(allow iptables_t utype (process (sigchld)))
(allow utype iptables_exec_t (file (map)))
; Read access to /proc networking state for sudo_type.
(allow sudo_type proc_t (dir (getattr open search)))
(allow sudo_type proc_net_t (dir (getattr open search)))
(allow sudo_type proc_net_t (file (ioctl read getattr lock open)))
(allow sudo_type proc_t (dir (getattr open search)))
(allow sudo_type proc_net_t (dir (getattr open search)))
(allow sudo_type proc_net_t (lnk_file (read getattr)))
(allow sudo_type proc_t (dir (getattr open search)))
(allow sudo_type proc_net_t (dir (ioctl read getattr lock open search)))
; auditd administration: signal and inspect auditd_t, manage its config,
; log and run directories, and transition to auditctl_t / initrc_t.
(allow utype auditd_t (process (sigchld sigkill sigstop signull signal)))
(allow utype auditd_t (dir (ioctl read getattr lock open search)))
(allow utype auditd_t (file (ioctl read getattr lock open)))
(allow utype auditd_t (lnk_file (read getattr)))
(allow utype auditd_t (process (getattr)))
(allow utype auditd_etc_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow utype auditd_etc_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
(allow utype auditd_etc_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow utype auditd_etc_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
(allow utype auditd_log_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow utype auditd_log_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
(allow utype auditd_log_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow utype auditd_log_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
(allow utype auditd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow utype auditd_var_run_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
(allow utype auditd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow utype auditd_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
(allow utype auditctl_exec_t (file (ioctl read getattr map execute open)))
(allow utype auditctl_t (process (transition)))
(typetransition utype auditctl_exec_t process auditctl_t)
(allow auditctl_t utype (fd (use)))
(allow auditctl_t utype (fifo_file (ioctl read write getattr lock append)))
(allow auditctl_t utype (process (sigchld)))
(allow utype filesystem_type (dir (getattr open search)))
(allow utype auditd_initrc_exec_t (file (ioctl read getattr map execute open)))
(allow utype initrc_t (process (transition)))
(typetransition utype auditd_initrc_exec_t process initrc_t)
(allow initrc_t utype (fd (use)))
(allow initrc_t utype (fifo_file (ioctl read write getattr lock append)))
(allow initrc_t utype (process (sigchld)))
(allow utype auditd_initrc_exec_t (file (ioctl)))
; systemctl runs in utype's own domain (execute_no_trans), so unit
; management below is performed as utype, not via a transition.
(allow utype etc_t (dir (getattr open search)))
(allow utype bin_t (dir (getattr open search)))
(allow utype bin_t (lnk_file (read getattr)))
(allow utype bin_t (dir (getattr open search)))
(allow utype bin_t (dir (getattr open search)))
(allow utype systemd_systemctl_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
(allow utype cgroup_t (dir (getattr open search)))
(allow utype cgroup_t (dir (ioctl read getattr lock open search)))
(allow utype tmpfs_t (dir (getattr open search)))
(allow utype sysfs_t (dir (getattr open search)))
(allow utype sysfs_t (dir (getattr open search)))
(allow utype cgroup_t (dir (getattr open search)))
(allow utype cgroup_t (file (ioctl read getattr lock open)))
(allow utype cgroup_t (dir (getattr open search)))
(allow utype cgroup_t (lnk_file (read getattr)))
(allow utype tmpfs_t (dir (getattr open search)))
(allow utype sysfs_t (dir (getattr open search)))
(allow utype sysfs_t (dir (getattr open search)))
(allow utype efivarfs_t (dir (getattr open search)))
(allow utype efivarfs_t (file (ioctl read getattr lock open)))
(allow utype var_t (dir (getattr open search)))
(allow utype var_lib_t (dir (getattr open search)))
(allow utype systemd_unit_file_type (dir (ioctl read getattr lock open search)))
(allow utype init_var_run_t (dir (ioctl read getattr lock open search)))
(allow utype init_t (dir (getattr open search)))
(allow utype init_t (file (ioctl read getattr lock open)))
(allow utype init_t (lnk_file (read getattr)))
(allow utype init_t (unix_stream_socket (sendto)))
(allow utype var_t (lnk_file (read getattr)))
(allow utype var_run_t (lnk_file (read getattr)))
(allow utype var_t (dir (getattr open search)))
(allow utype var_run_t (dir (getattr open search)))
(allow utype init_var_run_t (dir (getattr open search)))
(allow utype init_var_run_t (sock_file (write getattr append open)))
(allow utype init_t (unix_stream_socket (connectto)))
(allow utype init_t (unix_stream_socket (getattr)))
; dontaudit only silences the AVC record; the access stays denied.  Keep
; this in mind when looking for setrlimit / sys_resource attempts from
; utype in the audit log, as they will not appear.
(dontaudit utype self (process (setrlimit)))
(dontaudit utype self (capability (sys_resource)))
(allow utype var_t (lnk_file (read getattr)))
(allow utype var_run_t (lnk_file (read getattr)))
(allow utype var_t (dir (getattr open search)))
(allow utype var_run_t (dir (getattr open search)))
(allow utype systemd_logind_var_run_t (dir (getattr open search)))
(allow utype systemd_logind_var_run_t (dir (ioctl read getattr lock open search)))
(allow utype var_t (lnk_file (read getattr)))
(allow utype var_run_t (lnk_file (read getattr)))
(allow utype var_t (dir (getattr open search)))
(allow utype var_run_t (dir (getattr open search)))
(allow utype systemd_logind_var_run_t (dir (getattr open search)))
(allow utype systemd_logind_var_run_t (file (ioctl read getattr lock open)))
; systemd password agent: executed without transition, with read/write
; on its run directory; the agent may signull utype and send datagrams.
(allow utype systemd_passwd_agent_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
(allow utype init_var_run_t (dir (getattr open search)))
(allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow utype systemd_passwd_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
(allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow utype systemd_passwd_var_run_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open)))
(allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow utype systemd_passwd_var_run_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open)))
(allow systemd_passwd_agent_t utype (process (signull)))
(allow systemd_passwd_agent_t utype (unix_dgram_socket (sendto)))
; net_admin and sys_ptrace are NOT granted to utype; this only hides the
; denial records for them.
(dontaudit utype self (capability (net_admin sys_ptrace)))
; auditd unit file: read, full write/relabel of the unit directory tree,
; and start/stop/enable/disable of the service.
(allow utype auditd_unit_file_t (file (ioctl read getattr lock open)))
(allow utype auditd_unit_file_t (service (start stop status reload enable disable)))
(allow utype auditd_t (dir (ioctl read getattr lock open search)))
(allow utype auditd_t (file (ioctl read getattr lock open)))
(allow utype auditd_t (lnk_file (read getattr)))
(allow utype auditd_t (process (getattr)))
(allow utype auditd_unit_file_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow utype auditd_unit_file_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
(allow utype auditd_unit_file_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow utype auditd_unit_file_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
(allow utype auditd_unit_file_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow utype auditd_unit_file_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads)))
(allow utype auditd_unit_file_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow utype auditd_unit_file_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open)))
(allow utype auditd_unit_file_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow utype auditd_unit_file_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open)))
(allow utype auditd_unit_file_t (dir (getattr open search)))
(allow utype auditd_unit_file_t (dir (getattr relabelfrom relabelto)))
(allow utype auditd_unit_file_t (dir (getattr open search)))
(allow utype auditd_unit_file_t (file (getattr relabelfrom relabelto)))
(allow utype auditd_unit_file_t (dir (getattr open search)))
(allow utype auditd_unit_file_t (lnk_file (getattr relabelfrom relabelto)))
(allow utype auditd_unit_file_t (dir (getattr open search)))
(allow utype auditd_unit_file_t (fifo_file (getattr relabelfrom relabelto)))
(allow utype auditd_unit_file_t (dir (getattr open search)))
(allow utype auditd_unit_file_t (sock_file (getattr relabelfrom relabelto)))
(allow utype auditd_unit_file_t (service (start stop status reload enable disable)))
; syslog/klog administration: capability2 syslog, signalling and
; inspection of syslogd_t/klogd_t, and write access to their config,
; tmp, lib, run and log directories.  New files created by utype in
; etc_t are labelled syslog_conf_t (typetransition below).
(allow utype self (capability2 (syslog)))
(allow utype syslogd_t (process (sigchld sigkill sigstop signull signal)))
(allow utype klogd_t (process (sigchld sigkill sigstop signull signal)))
(allow utype syslogd_t (dir (ioctl read getattr lock open search)))
(allow utype syslogd_t (file (ioctl read getattr lock open)))
(allow utype syslogd_t (lnk_file (read getattr)))
(allow utype syslogd_t (process (getattr)))
(allow utype klogd_t (dir (ioctl read getattr lock open search)))
(allow utype klogd_t (file (ioctl read getattr lock open)))
(allow utype klogd_t (lnk_file (read getattr)))
(allow utype klogd_t (process (getattr)))
(allow utype klogd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow utype klogd_var_run_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
(allow utype klogd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow utype klogd_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
(allow utype klogd_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow utype klogd_tmp_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
(allow utype klogd_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow utype klogd_tmp_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
(allow utype syslogd_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow utype syslogd_tmp_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
(allow utype syslogd_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow utype syslogd_tmp_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
(allow utype syslog_conf_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow utype syslog_conf_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
(allow utype syslog_conf_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow utype syslog_conf_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
(allow utype etc_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(typetransition utype etc_t file syslog_conf_t)
(allow utype syslogd_var_lib_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow utype syslogd_var_lib_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
(allow utype syslogd_var_lib_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow utype syslogd_var_lib_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
(allow utype syslogd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow utype syslogd_var_run_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
(allow utype syslogd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow utype syslogd_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
; Full write, unlink and relabel on every logfile-attributed object:
; utype can alter or remove log history, which matters for forensics.
(allow utype var_t (dir (getattr open search)))
(allow utype logfile (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow utype logfile (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
(allow utype logfile (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow utype logfile (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
(allow utype logfile (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow utype logfile (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads)))
(allow utype logfile (file (map)))
(allow utype logfile (dir (getattr relabelfrom relabelto)))
(allow utype logfile (file (getattr relabelfrom relabelto)))
(allow utype filesystem_type (dir (getattr open search)))
(allow utype syslogd_initrc_exec_t (file (ioctl read getattr map execute open)))
(allow utype initrc_t (process (transition)))
(typetransition utype syslogd_initrc_exec_t process initrc_t)
(allow initrc_t utype (fd (use)))
(allow initrc_t utype (fifo_file (ioctl read write getattr lock append)))
(allow initrc_t utype (process (sigchld)))
(allow utype syslogd_initrc_exec_t (file (ioctl)))
(allow utype etc_t (dir (getattr open search)))
; sudo_type home-directory access; objects it creates under
; user_home_dir_t are labelled user_home_t (typetransitions below).
(allow sudo_type home_root_t (dir (ioctl read getattr lock open search)))
(allow sudo_type home_root_t (lnk_file (read getattr)))
(allow sudo_type user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow sudo_type user_home_type (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow sudo_type user_home_type (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
(allow sudo_type user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow sudo_type user_home_type (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow sudo_type user_home_type (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
(allow sudo_type user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow sudo_type user_home_type (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow sudo_type user_home_type (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads)))
(allow sudo_type user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow sudo_type user_home_type (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow sudo_type user_home_type (sock_file (ioctl read write create getattr setattr lock append unlink link rename open)))
(allow sudo_type user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow sudo_type user_home_type (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow sudo_type user_home_type (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open)))
(allow sudo_type user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(typetransition sudo_type user_home_dir_t fifo_file user_home_t)
(typetransition sudo_type user_home_dir_t sock_file user_home_t)
(typetransition sudo_type user_home_dir_t lnk_file user_home_t)
(typetransition sudo_type user_home_dir_t dir user_home_t)
(typetransition sudo_type user_home_dir_t file user_home_t)
; Domain transition sudo_type -> passwd_t on exec of passwd_exec_t.
(allow sudo_type bin_t (dir (getattr open search)))
(allow sudo_type bin_t (lnk_file (read getattr)))
(allow sudo_type bin_t (dir (getattr open search)))
(allow sudo_type bin_t (dir (getattr open search)))
(allow sudo_type passwd_exec_t (file (ioctl read getattr map execute open)))
(allow sudo_type passwd_t (process (transition)))
(typetransition sudo_type passwd_exec_t process passwd_t)
(allow passwd_t sudo_type (fd (use)))
(allow passwd_t sudo_type (fifo_file (ioctl read write getattr lock append)))
(allow passwd_t sudo_type (process (sigchld)))
; Role transitions into system_r when the syslogd/auditd init scripts are
; run.  (roleallow urole system_r) is listed twice; duplicate rules are
; merged at compile time, so this should be harmless.
(roletransition urole syslogd_initrc_exec_t process system_r)
(roletransition urole auditd_initrc_exec_t process system_r)
(roleallow urole system_r)
(roleallow urole system_r)
; Only while the deny_ptrace boolean is off may utype ptrace the audit
; and logging daemons; the sys_ptrace capability itself is still not
; granted (see the dontaudit above).
(booleanif (deny_ptrace)
(false
(allow utype auditd_t (process (ptrace)))
(allow utype klogd_t (process (ptrace)))
(allow utype syslogd_t (process (ptrace)))
)
)
; Bidirectional D-Bus messaging with tuned_t.
(optional confinedom_admin_commands_optional_3
(typeattributeset cil_gen_require tuned_t)
(allow utype tuned_t (dbus (send_msg)))
(allow tuned_t utype (dbus (send_msg)))
)
; Wireshark: urole joins wireshark_roles, utype transitions to wireshark_t
; on exec, may signal/ptrace/inspect it and share its shm, and has full
; write/relabel access to its home, tmp and tmpfs types.  The named
; typetransition labels a ".wireshark" directory created under
; user_home_dir_t as wireshark_home_t.
(optional confinedom_admin_commands_optional_4
(roleattributeset cil_gen_require wireshark_roles)
(typeattributeset cil_gen_require user_home_dir_t)
(typeattributeset cil_gen_require home_root_t)
(typeattributeset cil_gen_require wireshark_t)
(typeattributeset cil_gen_require wireshark_exec_t)
(typeattributeset cil_gen_require wireshark_home_t)
(typeattributeset cil_gen_require wireshark_tmp_t)
(typeattributeset cil_gen_require wireshark_tmpfs_t)
(roleattributeset cil_gen_require wireshark_roles)
(roleattributeset wireshark_roles (urole ))
(allow utype wireshark_exec_t (file (ioctl read getattr map execute open)))
(allow utype wireshark_t (process (transition)))
(typetransition utype wireshark_exec_t process wireshark_t)
(allow wireshark_t utype (fd (use)))
(allow wireshark_t utype (fifo_file (ioctl read write getattr lock append)))
(allow wireshark_t utype (process (sigchld)))
(allow utype wireshark_t (process (sigchld sigkill sigstop signull signal ptrace)))
(allow utype wireshark_t (dir (ioctl read getattr lock open search)))
(allow utype wireshark_t (file (ioctl read getattr lock open)))
(allow utype wireshark_t (lnk_file (read getattr)))
(allow utype wireshark_t (process (getattr)))
(allow utype wireshark_home_t (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
(allow utype wireshark_tmp_t (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
(allow utype wireshark_tmpfs_t (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
(allow utype wireshark_home_t (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads)))
(allow utype wireshark_tmp_t (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads)))
(allow utype wireshark_tmpfs_t (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads)))
(allow utype wireshark_home_t (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename watch watch_reads)))
(allow utype wireshark_tmpfs_t (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename watch watch_reads)))
(allow utype wireshark_tmpfs_t (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open)))
(allow utype wireshark_tmpfs_t (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open)))
(allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow utype home_root_t (dir (getattr open search)))
(allow utype home_root_t (lnk_file (read getattr)))
(allow utype wireshark_t (shm (getattr read write associate unix_read unix_write lock)))
(typetransition utype user_home_dir_t dir ".wireshark" wireshark_home_t)
)
)
)
(macro confinedom_graphical_login_macro ((type utype) (role urole) (type dbusd_type))
|
|
|
|
(optional confinedom_graphical_login_optional_2
|
|
(roleattributeset cil_gen_require urole)
|
|
(typeattributeset cil_gen_require utype)
|
|
(typeattributeset cil_gen_require user_tmpfs_t)
|
|
(typeattributeset cil_gen_require bin_t)
|
|
(typeattributeset cil_gen_require usr_t)
|
|
(typeattributeset cil_gen_require entry_type)
|
|
(typeattributeset cil_gen_require exec_type)
|
|
(typeattributeset cil_gen_require file_type)
|
|
(typeattributeset cil_gen_require non_security_file_type)
|
|
(typeattributeset cil_gen_require non_auth_file_type)
|
|
(typeattributeset cil_gen_require port_type)
|
|
(typeattributeset cil_gen_require device_t)
|
|
(typeattributeset cil_gen_require sound_device_t)
|
|
(typeattributeset cil_gen_require event_device_t)
|
|
(typeattributeset cil_gen_require v4l_device_t)
|
|
(typeattributeset cil_gen_require wireless_device_t)
|
|
(typeattributeset cil_gen_require configfile)
|
|
(typeattributeset cil_gen_require etc_t)
|
|
(typeattributeset cil_gen_require home_root_t)
|
|
(typeattributeset cil_gen_require lib_t)
|
|
(typeattributeset cil_gen_require var_lib_t)
|
|
(typeattributeset cil_gen_require var_run_t)
|
|
(typeattributeset cil_gen_require tmp_t)
|
|
(typeattributeset cil_gen_require init_t)
|
|
(typeattributeset cil_gen_require usbfs_t)
|
|
(typeattributeset cil_gen_require usb_device_t)
|
|
(typeattributeset cil_gen_require noxattrfs)
|
|
(typeattributeset cil_gen_require dosfs_t)
|
|
(typeattributeset cil_gen_require removable_device_t)
|
|
(typeattributeset cil_gen_require proc_t)
|
|
(typeattributeset cil_gen_require sysctl_t)
|
|
(typeattributeset cil_gen_require sysctl_dev_t)
|
|
(typeattributeset cil_gen_require fonts_t)
|
|
(typeattributeset cil_gen_require locale_t)
|
|
(typeattributeset cil_gen_require mount_t)
|
|
(typeattributeset cil_gen_require selinux_config_t)
|
|
(typeattributeset cil_gen_require default_context_t)
|
|
(typeattributeset cil_gen_require fuse_device_t)
|
|
(typeattributeset cil_gen_require user_tmp_t)
|
|
(typeattributeset cil_gen_require user_home_t)
|
|
(typeattributeset cil_gen_require user_home_dir_t)
|
|
(typeattributeset cil_gen_require user_home_type)
|
|
(typeattributeset cil_gen_require userdom_filetrans_type)
|
|
(typeattributeset cil_gen_require nfs_t)
|
|
(typeattributeset cil_gen_require autofs_t)
|
|
(typeattributeset cil_gen_require cifs_t)
|
|
(typeattributeset cil_gen_require xauth_t)
|
|
(typeattributeset cil_gen_require iceauth_t)
|
|
(typeattributeset cil_gen_require dridomain)
|
|
(typeattributeset cil_gen_require x_userdomain)
|
|
(typeattributeset cil_gen_require root_xdrawable_t)
|
|
(typeattributeset cil_gen_require xdm_t)
|
|
(typeattributeset cil_gen_require xserver_t)
|
|
(typeattributeset cil_gen_require xproperty_t)
|
|
(typeattributeset cil_gen_require user_xproperty_t)
|
|
(typeattributeset cil_gen_require xevent_t)
|
|
(typeattributeset cil_gen_require client_xevent_t)
|
|
(typeattributeset cil_gen_require input_xevent_t)
|
|
(typeattributeset cil_gen_require user_input_xevent_t)
|
|
(typeattributeset cil_gen_require x_domain)
|
|
(typeattributeset cil_gen_require input_xevent_type)
|
|
(typeattributeset cil_gen_require xdrawable_type)
|
|
(typeattributeset cil_gen_require xcolormap_type)
|
|
(typeattributeset cil_gen_require xdm_var_run_t)
|
|
(typeattributeset cil_gen_require tmpfs_t)
|
|
(typeattributeset cil_gen_require var_t)
|
|
(typeattributeset cil_gen_require userdomain)
|
|
(typeattributeset cil_gen_require xdm_log_t)
|
|
(typeattributeset cil_gen_require xdmhomewriter)
|
|
(roleattributeset cil_gen_require urole)
|
|
(roletype urole user_home_dir_t)
|
|
(roletype urole user_home_type)
|
|
(roletype urole xauth_t)
|
|
(roletype urole iceauth_t)
|
|
(typeattributeset cil_gen_require xcolormap_type)
|
|
(typeattributeset xcolormap_type (utype ))
|
|
(typeattributeset cil_gen_require file_type)
|
|
(typeattributeset file_type (bin_t usr_t ))
|
|
(typeattributeset cil_gen_require non_security_file_type)
|
|
(typeattributeset non_security_file_type (bin_t usr_t ))
|
|
(typeattributeset cil_gen_require exec_type)
|
|
(typeattributeset exec_type (bin_t usr_t ))
|
|
(typeattributeset cil_gen_require xdmhomewriter)
|
|
(typeattributeset xdmhomewriter (utype ))
|
|
(typeattributeset cil_gen_require xdrawable_type)
|
|
(typeattributeset xdrawable_type (utype ))
|
|
(typeattributeset cil_gen_require userdom_filetrans_type)
|
|
(typeattributeset userdom_filetrans_type (utype ))
|
|
(typeattributeset cil_gen_require x_domain)
|
|
(typeattributeset x_domain (utype ))
|
|
(typeattributeset cil_gen_require x_userdomain)
|
|
(typeattributeset x_userdomain (utype ))
|
|
(typeattributeset cil_gen_require entry_type)
|
|
(typeattributeset entry_type (bin_t usr_t ))
|
|
(typeattributeset cil_gen_require non_auth_file_type)
|
|
(typeattributeset non_auth_file_type (bin_t usr_t ))
|
|
(typeattributeset cil_gen_require dridomain)
|
|
(typeattributeset dridomain (utype ))
|
|
(allow utype bin_t (file (entrypoint)))
|
|
(allow utype bin_t (file (ioctl read getattr lock map execute open)))
|
|
(allow utype usr_t (file (entrypoint)))
|
|
(allow utype usr_t (file (ioctl read getattr lock map execute open)))
|
|
(allow utype port_type (tcp_socket (name_connect)))
|
|
(allow utype utype (process (getattr setrlimit execmem)))
|
|
(allow utype utype (system (ipc_info syslog_read syslog_mod syslog_console module_request module_load halt reboot status start stop enable disable reload undefined)))
|
|
(allow utype utype (netlink_kobject_uevent_socket (read)))
|
|
(allow utype device_t (dir (getattr open search)))
|
|
(allow utype sound_device_t (chr_file (ioctl write getattr lock append open)))
|
|
(allow utype device_t (dir (getattr open search)))
|
|
(allow utype sound_device_t (chr_file (ioctl read getattr lock open)))
|
|
(allow utype sound_device_t (chr_file (map)))
|
|
(allow utype device_t (dir (getattr open search)))
|
|
(allow utype event_device_t (chr_file (ioctl read write getattr lock append)))
|
|
(allow utype device_t (dir (getattr open search)))
|
|
(allow utype v4l_device_t (chr_file (ioctl read getattr lock open)))
|
|
(allow utype device_t (dir (getattr open search)))
|
|
(allow utype v4l_device_t (chr_file (ioctl write getattr lock append open)))
|
|
(allow utype device_t (dir (getattr open search)))
|
|
(allow utype wireless_device_t (chr_file (ioctl read write getattr lock append open)))
|
|
(allow utype device_t (dir (getattr open search)))
|
|
(allow utype device_t (dir (getattr watch)))
|
|
(allow utype configfile (dir (ioctl read getattr lock open search)))
|
|
(allow utype configfile (dir (getattr open search)))
|
|
(allow utype configfile (file (ioctl read getattr lock open)))
|
|
(allow utype configfile (dir (getattr open search)))
|
|
(allow utype configfile (lnk_file (read getattr)))
|
|
(allow utype etc_t (dir (getattr watch)))
|
|
(allow utype home_root_t (dir (getattr watch)))
|
|
(allow utype lib_t (dir (getattr watch)))
|
|
(allow utype usr_t (dir (getattr watch)))
|
|
(allow utype usr_t (file (getattr watch)))
|
|
(allow utype var_lib_t (dir (getattr open search)))
|
|
(allow utype var_lib_t (dir (getattr watch)))
|
|
(allow utype var_run_t (dir (getattr watch)))
|
|
(allow utype tmp_t (dir (getattr watch)))
|
|
(allow utype init_t (unix_stream_socket (ioctl read write getattr setattr lock append bind connect listen accept getopt setopt shutdown)))
|
|
(allow utype proc_t (dir (getattr open search)))
|
|
(allow utype sysctl_t (dir (getattr open search)))
|
|
(allow utype sysctl_dev_t (dir (getattr open search)))
|
|
(allow utype sysctl_dev_t (file (ioctl read getattr lock open)))
|
|
(allow utype proc_t (dir (getattr open search)))
|
|
(allow utype sysctl_t (dir (getattr open search)))
|
|
(allow utype sysctl_dev_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype fonts_t (dir (getattr watch)))
|
|
(allow utype locale_t (dir (getattr open search)))
|
|
(allow utype locale_t (lnk_file (getattr watch)))
|
|
(allow utype mount_t (process (signal)))
|
|
(allow utype etc_t (dir (getattr open search)))
|
|
(allow utype selinux_config_t (dir (getattr open search)))
|
|
(allow utype default_context_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype default_context_t (dir (getattr open search)))
|
|
(allow utype default_context_t (file (ioctl read getattr lock open)))
|
|
(allow utype fuse_device_t (chr_file (ioctl read write getattr lock append open)))
|
|
(allow utype user_tmp_t (file (execute)))
|
|
(typemember utype user_home_dir_t dir user_home_dir_t)
|
|
(allow utype user_home_t (dir (mounton)))
|
|
(allow utype user_home_t (file (entrypoint)))
|
|
(allow utype user_home_type (file (relabelfrom relabelto)))
|
|
(allow utype user_home_type (dir (relabelfrom relabelto)))
|
|
(allow utype user_home_type (lnk_file (relabelfrom relabelto)))
|
|
(allow utype user_home_type (chr_file (relabelfrom relabelto)))
|
|
(allow utype user_home_type (blk_file (relabelfrom relabelto)))
|
|
(allow utype user_home_type (sock_file (relabelfrom relabelto)))
|
|
(allow utype user_home_type (fifo_file (relabelfrom relabelto)))
|
|
(allow utype user_home_dir_t (lnk_file (read getattr)))
|
|
(allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype user_home_type (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
|
(allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype user_home_type (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
|
(allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype user_home_type (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads)))
|
|
(allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype user_home_type (sock_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
|
(allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype user_home_type (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
|
(allow utype user_home_dir_t (dir (getattr open search)))
|
|
(allow utype user_home_type (dir (getattr open search)))
|
|
(allow utype user_home_type (dir (getattr relabelfrom relabelto)))
|
|
(allow utype user_home_dir_t (dir (getattr open search)))
|
|
(allow utype user_home_type (dir (getattr open search)))
|
|
(allow utype user_home_type (file (getattr relabelfrom relabelto)))
|
|
(allow utype user_home_dir_t (dir (getattr open search)))
|
|
(allow utype user_home_type (dir (getattr open search)))
|
|
(allow utype user_home_type (lnk_file (getattr relabelfrom relabelto)))
|
|
(allow utype user_home_dir_t (dir (getattr open search)))
|
|
(allow utype user_home_type (dir (getattr open search)))
|
|
(allow utype user_home_type (sock_file (getattr relabelfrom relabelto)))
|
|
(allow utype user_home_dir_t (dir (getattr open search)))
|
|
(allow utype user_home_type (dir (getattr open search)))
|
|
(allow utype user_home_type (fifo_file (getattr relabelfrom relabelto)))
|
|
(allow utype home_root_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype home_root_t (lnk_file (read getattr)))
|
|
(allow utype user_home_dir_t (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
|
(allow utype user_home_dir_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
|
(typetransition utype root_xdrawable_t x_drawable utype)
|
|
(typetransition utype input_xevent_t x_event user_input_xevent_t)
|
|
(allow utype user_input_xevent_t (x_event (send)))
|
|
(allow utype user_input_xevent_t (x_synthetic_event (send)))
|
|
(allow utype user_input_xevent_t (x_event (receive)))
|
|
(allow utype user_input_xevent_t (x_synthetic_event (receive)))
|
|
(allow utype client_xevent_t (x_event (receive)))
|
|
(allow utype client_xevent_t (x_synthetic_event (receive)))
|
|
(allow utype xevent_t (x_event (send receive)))
|
|
(allow utype xevent_t (x_synthetic_event (send receive)))
|
|
(dontaudit utype input_xevent_type (x_event (send)))
|
|
(allow utype xdm_t (x_drawable (read add_child manage hide)))
|
|
(allow utype xdm_t (x_client (destroy)))
|
|
(allow utype root_xdrawable_t (x_drawable (write)))
|
|
(allow utype xserver_t (x_server (manage)))
|
|
(allow utype xserver_t (x_screen (saver_setattr saver_hide saver_show show_cursor hide_cursor)))
|
|
(allow utype xserver_t (x_pointer (get_property set_property manage)))
|
|
(allow utype xserver_t (x_keyboard (read manage freeze)))
|
|
(allow utype tmpfs_t (dir (getattr open search)))
|
|
(allow utype tmp_t (dir (getattr open search)))
|
|
(allow utype tmp_t (lnk_file (read getattr)))
|
|
(allow utype tmp_t (dir (getattr open search)))
|
|
(allow utype var_t (lnk_file (read getattr)))
|
|
(allow utype var_run_t (lnk_file (read getattr)))
|
|
(allow utype var_t (dir (getattr open search)))
|
|
(allow utype var_run_t (dir (getattr open search)))
|
|
(allow utype xdm_var_run_t (dir (getattr open search)))
|
|
(allow utype xdm_var_run_t (sock_file (write getattr append open)))
|
|
(allow utype xdm_t (unix_stream_socket (connectto)))
|
|
(allow utype user_tmp_t (dir (getattr open search)))
|
|
(allow utype user_tmp_t (sock_file (write getattr append open)))
|
|
(allow utype userdomain (unix_stream_socket (connectto)))
|
|
(allow utype xdm_log_t (file (getattr append)))
|
|
; Samba-backed home directories. Everything in the (true ...) branch is only
; active while the use_samba_home_dirs boolean is on; with it off, utype (the
; macro's user-domain parameter) gets none of these cifs_t permissions.
(booleanif (use_samba_home_dirs)
|
|
(true
|
|
; Full manage access for utype on cifs_t fifos, sockets, symlinks and files.
(allow utype cifs_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
|
; The rw dir rule below is repeated several times; identical allow rules
; merge, so the duplicates are redundant but harmless.
(allow utype cifs_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype cifs_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
|
(allow utype cifs_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype cifs_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads)))
|
|
(allow utype cifs_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype cifs_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
|
(allow utype cifs_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
; Full manage (create/rename/rmdir/reparent) on cifs_t directories.
(allow utype cifs_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
|
; utype may also use cifs_t directories as mount points and mount cifs_t
; filesystems itself -- broader than plain file access on the share.
(allow utype cifs_t (dir (mounton)))
|
|
(allow utype cifs_t (filesystem (mount)))
|
|
)
|
|
)
|
|
; NFS-backed home directories. The (true ...) branch is only active while the
; use_nfs_home_dirs boolean is on; it mirrors the use_samba_home_dirs block
; above but targets nfs_t, plus read/search on autofs_t mount-point directories.
(booleanif (use_nfs_home_dirs)
|
|
(true
|
|
; Full manage access for utype on nfs_t fifos, sockets, symlinks and files.
(allow utype nfs_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
|
; The rw dir rule below is repeated; identical allow rules merge, so the
; duplicates are redundant but harmless.
(allow utype nfs_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype nfs_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
|
(allow utype nfs_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype nfs_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads)))
|
|
(allow utype nfs_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
; autofs_t only gets getattr/open/search: enough to traverse automounted
; paths, no read or write on the autofs directory itself.
(allow utype autofs_t (dir (getattr open search)))
|
|
(allow utype nfs_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
|
(allow utype nfs_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype autofs_t (dir (getattr open search)))
|
|
; Full manage (create/rename/rmdir/reparent) on nfs_t directories.
(allow utype nfs_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
|
(allow utype autofs_t (dir (getattr open search)))
|
|
; utype may use nfs_t directories as mount points and mount nfs_t
; filesystems itself -- broader than plain file access on the export.
(allow utype nfs_t (dir (mounton)))
|
|
(allow utype nfs_t (filesystem (mount)))
|
|
)
|
|
)
|
|
; Access to filesystems without extended attributes (FAT/USB media). The
; (true ...) branch is only active while selinuxuser_rw_noexattrfile is on.
; It grants utype: read and write on removable_device_t block devices, manage
; on dosfs_t and noxattrfs files and directories, read/write on usb_device_t
; character devices and usbfs_t files, and read/search on usbfs_t directories.
(booleanif (selinuxuser_rw_noexattrfile)
|
|
(true
|
|
; Write side of removable block devices, followed by the device_t directory
; and symlink lookups needed to reach the device node under /dev.
(allow utype removable_device_t (blk_file (ioctl write getattr lock append open)))
|
|
(allow utype device_t (lnk_file (read getattr)))
|
|
(allow utype device_t (dir (getattr open search)))
|
|
(allow utype device_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype device_t (dir (getattr open search)))
|
|
; Read side of removable block devices; the device_t lookup rules are
; repeated here and merge with the ones above.
(allow utype removable_device_t (blk_file (ioctl read getattr lock open)))
|
|
(allow utype device_t (lnk_file (read getattr)))
|
|
(allow utype device_t (dir (getattr open search)))
|
|
(allow utype device_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype device_t (dir (getattr open search)))
|
|
; Full manage on dosfs_t (FAT) files and directories.
(allow utype dosfs_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
|
(allow utype dosfs_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype dosfs_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
|
(allow utype dosfs_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
; Same manage access on the generic noxattrfs attribute (all filesystems
; that cannot carry SELinux labels), so this covers more than FAT.
(allow utype noxattrfs (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
|
(allow utype noxattrfs (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
|
(allow utype noxattrfs (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
; Raw USB device nodes (read/write, no create) and the usbfs tree.
(allow utype usb_device_t (chr_file (ioctl read write getattr lock append open)))
|
|
(allow utype device_t (dir (getattr open search)))
|
|
(allow utype usbfs_t (lnk_file (read getattr)))
|
|
(allow utype usbfs_t (dir (getattr open search)))
|
|
(allow utype usbfs_t (file (ioctl read write getattr lock append open)))
|
|
(allow utype usbfs_t (dir (getattr open search)))
|
|
(allow utype usbfs_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype usbfs_t (dir (getattr open search)))
|
|
)
|
|
)
|
|
; ALSA state: read-only access for utype to files under alsa_var_lib_t, with
; the var_t / var_lib_t directory searches needed to reach them. As a CIL
; optional block it is dropped as a whole if alsa_var_lib_t is not present in
; the loaded policy.
(optional confinedom_graphical_login_optional_3
|
|
(typeattributeset cil_gen_require var_lib_t)
|
|
(typeattributeset cil_gen_require var_t)
|
|
(typeattributeset cil_gen_require alsa_var_lib_t)
|
|
(allow utype var_t (dir (getattr open search)))
|
|
(allow utype var_lib_t (dir (getattr open search)))
|
|
(allow utype alsa_var_lib_t (dir (getattr open search)))
|
|
; read only -- no write/create on the ALSA state files.
(allow utype alsa_var_lib_t (file (ioctl read getattr lock open)))
|
|
)
|
|
; fwupd cache: utype may create, rename and remove entries in fwupd_cache_t
; directories (dir class only; no file-class rule is granted here). Dropped
; as a whole if fwupd_cache_t is not present in the loaded policy.
(optional confinedom_graphical_login_optional_4
|
|
(typeattributeset cil_gen_require var_t)
|
|
(typeattributeset cil_gen_require fwupd_cache_t)
|
|
(allow utype var_t (dir (getattr open search)))
|
|
; The manage rule on the next line is a superset of this rw rule; both
; merge into a single permission set.
(allow utype fwupd_cache_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype fwupd_cache_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
|
)
|
|
(optional confinedom_graphical_login_optional_5
|
|
;(type dbusd_type)
|
|
(roletype object_r dbusd_type)
|
|
(typeattributeset cil_gen_require utype)
|
|
(typeattributeset cil_gen_require bin_t)
|
|
(typeattributeset cil_gen_require usr_t)
|
|
(typeattributeset cil_gen_require entry_type)
|
|
(typeattributeset cil_gen_require exec_type)
|
|
(typeattributeset cil_gen_require file_type)
|
|
(typeattributeset cil_gen_require non_security_file_type)
|
|
(typeattributeset cil_gen_require non_auth_file_type)
|
|
(typeattributeset cil_gen_require device_t)
|
|
(typeattributeset cil_gen_require var_lib_t)
|
|
(typeattributeset cil_gen_require var_run_t)
|
|
(typeattributeset cil_gen_require var_t)
|
|
(typeattributeset cil_gen_require system_dbusd_t)
|
|
(typeattributeset cil_gen_require session_dbusd_tmp_t)
|
|
(typeattributeset cil_gen_require dbusd_unconfined)
|
|
(typeattributeset cil_gen_require session_bus_type)
|
|
(typeattributeset cil_gen_require dbusd_exec_t)
|
|
(typeattributeset cil_gen_require dbusd_etc_t)
|
|
(typeattributeset cil_gen_require application_domain_type)
|
|
(typeattributeset cil_gen_require domain)
|
|
(typeattributeset cil_gen_require corenet_unlabeled_type)
|
|
(typeattributeset cil_gen_require application_exec_type)
|
|
(typeattributeset cil_gen_require ubac_constrained_type)
|
|
(typeattributeset cil_gen_require kernel_system_state_reader)
|
|
(typeattributeset cil_gen_require security_t)
|
|
(typeattributeset cil_gen_require sysfs_t)
|
|
(typeattributeset cil_gen_require userdom_home_manager_type)
|
|
(typeattributeset cil_gen_require shell_exec_t)
|
|
(typeattributeset cil_gen_require nsswitch_domain)
|
|
(typeattributeset cil_gen_require netlabel_peer_type)
|
|
(typeattributeset cil_gen_require syslog_client_type)
|
|
(typeattributeset cil_gen_require system_dbusd_var_run_t)
|
|
(typeattributeset cil_gen_require system_dbusd_var_lib_t)
|
|
(typeattributeset cil_gen_require urandom_device_t)
|
|
(roleattributeset cil_gen_require urole)
|
|
(roletype urole dbusd_type)
|
|
(typeattributeset cil_gen_require netlabel_peer_type)
|
|
(typeattributeset netlabel_peer_type (dbusd_type ))
|
|
(typeattributeset cil_gen_require corenet_unlabeled_type)
|
|
(typeattributeset corenet_unlabeled_type (dbusd_type ))
|
|
(typeattributeset cil_gen_require syslog_client_type)
|
|
(typeattributeset syslog_client_type (dbusd_type ))
|
|
(typeattributeset cil_gen_require file_type)
|
|
(typeattributeset file_type (dbusd_exec_t ))
|
|
(typeattributeset cil_gen_require non_security_file_type)
|
|
(typeattributeset non_security_file_type (dbusd_exec_t ))
|
|
(typeattributeset cil_gen_require exec_type)
|
|
(typeattributeset exec_type (dbusd_exec_t ))
|
|
(typeattributeset cil_gen_require application_domain_type)
|
|
(typeattributeset application_domain_type (dbusd_type ))
|
|
(typeattributeset cil_gen_require userdom_home_manager_type)
|
|
(typeattributeset userdom_home_manager_type (dbusd_type ))
|
|
(typeattributeset cil_gen_require ubac_constrained_type)
|
|
(typeattributeset ubac_constrained_type (dbusd_type ))
|
|
(typeattributeset cil_gen_require kernel_system_state_reader)
|
|
(typeattributeset kernel_system_state_reader (dbusd_type ))
|
|
(typeattributeset cil_gen_require application_exec_type)
|
|
(typeattributeset application_exec_type (dbusd_exec_t ))
|
|
(typeattributeset cil_gen_require nsswitch_domain)
|
|
(typeattributeset nsswitch_domain (dbusd_type ))
|
|
(typeattributeset cil_gen_require session_bus_type)
|
|
(typeattributeset session_bus_type (dbusd_type ))
|
|
(typeattributeset cil_gen_require entry_type)
|
|
(typeattributeset entry_type (dbusd_exec_t ))
|
|
(typeattributeset cil_gen_require non_auth_file_type)
|
|
(typeattributeset non_auth_file_type (dbusd_exec_t ))
|
|
(typeattributeset cil_gen_require domain)
|
|
(typeattributeset domain (dbusd_type ))
|
|
(allow utype system_dbusd_t (dbus (acquire_svc)))
|
|
(allow utype session_dbusd_tmp_t (dir (ioctl write getattr lock open add_name search)))
|
|
(allow utype session_dbusd_tmp_t (sock_file (create getattr setattr open)))
|
|
(allow dbusd_type dbusd_exec_t (file (entrypoint)))
|
|
(allow dbusd_type dbusd_exec_t (file (ioctl read getattr lock map execute open)))
|
|
(allow dbusd_type security_t (lnk_file (read getattr)))
|
|
(allow dbusd_type sysfs_t (filesystem (getattr)))
|
|
(allow dbusd_type sysfs_t (dir (getattr open search)))
|
|
(allow dbusd_type sysfs_t (dir (getattr open search)))
|
|
(allow dbusd_type security_t (filesystem (getattr)))
|
|
(allow utype dbusd_type (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown connectto)))
|
|
(allow dbusd_type utype (unix_stream_socket (read write getattr accept getopt)))
|
|
(allow dbusd_type utype (unix_dgram_socket (sendto)))
|
|
(allow utype dbusd_type (dbus (acquire_svc send_msg)))
|
|
(allow dbusd_unconfined dbusd_type (dbus (acquire_svc send_msg)))
|
|
(allow utype system_dbusd_t (dbus (acquire_svc send_msg)))
|
|
(allow utype dbusd_type (process (noatsecure siginh rlimitinh)))
|
|
(allow dbusd_type utype (dbus (send_msg)))
|
|
(allow utype dbusd_type (dbus (send_msg)))
|
|
(allow dbusd_type utype (system (start reload)))
|
|
(allow dbusd_type session_dbusd_tmp_t (service (start stop)))
|
|
(allow utype session_dbusd_tmp_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
|
(allow utype session_dbusd_tmp_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
|
(allow dbusd_type dbusd_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
|
(allow utype dbusd_exec_t (file (ioctl read getattr map execute open)))
|
|
(allow utype dbusd_type (process (transition)))
|
|
;(typetransition utype dbusd_exec_t process dbusd_type)
|
|
(allow dbusd_type utype (fd (use)))
|
|
(allow dbusd_type utype (fifo_file (ioctl read write getattr lock append)))
|
|
(allow dbusd_type utype (process (sigchld)))
|
|
(allow utype dbusd_type (dir (ioctl read getattr lock open search)))
|
|
(allow utype dbusd_type (file (ioctl read getattr lock open)))
|
|
(allow utype dbusd_type (lnk_file (read getattr)))
|
|
(allow utype dbusd_type (process (getattr)))
|
|
(allow utype dbusd_type (process (sigchld sigkill sigstop signull signal)))
|
|
(allow dbusd_type bin_t (dir (getattr open search)))
|
|
(allow dbusd_type bin_t (lnk_file (read getattr)))
|
|
(allow dbusd_type bin_t (file (ioctl read getattr map execute open)))
|
|
(allow dbusd_type utype (process (transition)))
|
|
(allow dbusd_type usr_t (dir (getattr open search)))
|
|
(allow dbusd_type usr_t (lnk_file (read getattr)))
|
|
(allow dbusd_type usr_t (file (ioctl read getattr map execute open)))
|
|
(allow dbusd_type utype (process (transition)))
|
|
(typetransition dbusd_type bin_t process utype)
|
|
(typetransition dbusd_type usr_t process utype)
|
|
(allow dbusd_type bin_t (dir (getattr open search)))
|
|
(allow dbusd_type bin_t (dir (ioctl read getattr lock open search)))
|
|
(allow dbusd_type bin_t (dir (getattr open search)))
|
|
(allow dbusd_type bin_t (lnk_file (read getattr)))
|
|
(allow dbusd_type shell_exec_t (file (ioctl read getattr map execute open)))
|
|
(allow dbusd_type utype (process (transition)))
|
|
(typetransition dbusd_type shell_exec_t process utype)
|
|
(allow dbusd_type utype (process (sigkill)))
|
|
(allow utype dbusd_type (fd (use)))
|
|
(allow utype dbusd_type (fifo_file (ioctl read write getattr lock append open)))
|
|
(allow dbusd_type file_type (service (start stop status reload enable disable)))
|
|
(dontaudit dbusd_type self (capability (net_admin)))
|
|
(allow utype system_dbusd_t (dbus (send_msg)))
|
|
(allow utype self (dbus (send_msg)))
|
|
(allow system_dbusd_t utype (dbus (send_msg)))
|
|
(allow dbusd_unconfined utype (dbus (send_msg)))
|
|
(allow utype system_dbusd_var_lib_t (dir (getattr open search)))
|
|
(allow utype system_dbusd_var_lib_t (file (ioctl read getattr lock open)))
|
|
(allow utype system_dbusd_var_lib_t (dir (getattr open search)))
|
|
(allow utype system_dbusd_var_lib_t (lnk_file (read getattr)))
|
|
(allow utype var_t (dir (getattr open search)))
|
|
(allow utype var_lib_t (dir (getattr open search)))
|
|
(allow utype device_t (dir (getattr open search)))
|
|
(allow utype urandom_device_t (chr_file (ioctl read getattr lock open)))
|
|
(allow utype var_t (lnk_file (read getattr)))
|
|
(allow utype var_run_t (lnk_file (read getattr)))
|
|
(allow utype var_t (dir (getattr open search)))
|
|
(allow utype var_run_t (dir (getattr open search)))
|
|
(allow utype system_dbusd_var_run_t (dir (getattr open search)))
|
|
(allow utype system_dbusd_var_run_t (sock_file (write getattr append open)))
|
|
(allow utype system_dbusd_t (unix_stream_socket (connectto)))
|
|
(allow utype dbusd_etc_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype dbusd_etc_t (file (ioctl read getattr lock open)))
|
|
(allow utype session_dbusd_tmp_t (dir (getattr open search)))
|
|
(allow utype session_dbusd_tmp_t (sock_file (write getattr append open)))
|
|
(allow utype utype (dbus (send_msg)))
|
|
; ptrace from the user domain onto its session bus daemon. Note the branch is
; (false ...): the rule is only compiled in while the deny_ptrace boolean is
; OFF. Keeping deny_ptrace enabled removes this permission entirely, which is
; the least-privilege default for a confined user.
(booleanif (deny_ptrace)
|
|
(false
|
|
(allow utype dbusd_type (process (ptrace)))
|
|
)
|
|
)
|
|
; Browser launch via the session bus. Marks mozilla_exec_t as an executable
; file type, lets utype run it, and lets dbusd_type (the macro's session-bus
; parameter) execute it with a domain transition back to utype -- so a
; browser started by the bus still runs as the user domain rather than as
; the bus daemon. Dropped as a whole if mozilla_exec_t is not in the policy.
(optional confinedom_graphical_login_optional_6
|
|
(typeattributeset cil_gen_require entry_type)
|
|
(typeattributeset cil_gen_require exec_type)
|
|
(typeattributeset cil_gen_require file_type)
|
|
(typeattributeset cil_gen_require non_security_file_type)
|
|
(typeattributeset cil_gen_require non_auth_file_type)
|
|
(typeattributeset cil_gen_require mozilla_exec_t)
|
|
; Attribute memberships for mozilla_exec_t: file, non-security, exec,
; entrypoint and non-auth file type.
(typeattributeset cil_gen_require file_type)
|
|
(typeattributeset file_type (mozilla_exec_t ))
|
|
(typeattributeset cil_gen_require non_security_file_type)
|
|
(typeattributeset non_security_file_type (mozilla_exec_t ))
|
|
(typeattributeset cil_gen_require exec_type)
|
|
(typeattributeset exec_type (mozilla_exec_t ))
|
|
(typeattributeset cil_gen_require entry_type)
|
|
(typeattributeset entry_type (mozilla_exec_t ))
|
|
(typeattributeset cil_gen_require non_auth_file_type)
|
|
(typeattributeset non_auth_file_type (mozilla_exec_t ))
|
|
; utype may enter its domain through, and execute, mozilla_exec_t.
(allow utype mozilla_exec_t (file (entrypoint)))
|
|
(allow utype mozilla_exec_t (file (ioctl read getattr lock map execute open)))
|
|
; Domain transition dbusd_type -> utype on exec of mozilla_exec_t.
(allow dbusd_type mozilla_exec_t (file (ioctl read getattr map execute open)))
|
|
(allow dbusd_type utype (process (transition)))
|
|
(typetransition dbusd_type mozilla_exec_t process utype)
|
|
; Post-transition plumbing: the child (utype) inherits the bus daemon's
; file descriptors and pipes and reports back with sigchld.
(allow utype dbusd_type (fd (use)))
|
|
(allow utype dbusd_type (fifo_file (ioctl read write getattr lock append)))
|
|
(allow utype dbusd_type (process (sigchld)))
|
|
)
|
|
; The session bus daemon may start (but not stop, enable or disable) services
; backed by systemd_unit_file_t units. Dropped if that type is not present.
(optional confinedom_graphical_login_optional_7
|
|
(typeattributeset cil_gen_require systemd_unit_file_t)
|
|
(allow dbusd_type systemd_unit_file_t (service (start)))
|
|
)
|
|
; D-Bus messaging in both directions between utype and unconfined_service_t.
; send_msg only -- no file, process or socket access is granted here.
(optional confinedom_graphical_login_optional_8
|
|
(typeattributeset cil_gen_require unconfined_service_t)
|
|
(allow utype unconfined_service_t (dbus (send_msg)))
|
|
(allow unconfined_service_t utype (dbus (send_msg)))
|
|
)
|
|
; D-Bus messaging in both directions between utype and accountsd_t
; (send_msg only). Dropped if accountsd_t is not present in the policy.
(optional confinedom_graphical_login_optional_9
|
|
(typeattributeset cil_gen_require accountsd_t)
|
|
(allow utype accountsd_t (dbus (send_msg)))
|
|
(allow accountsd_t utype (dbus (send_msg)))
|
|
)
|
|
; D-Bus messaging in both directions between utype and avahi_t
; (send_msg only). Dropped if avahi_t is not present in the policy.
(optional confinedom_graphical_login_optional_10
|
|
(typeattributeset cil_gen_require avahi_t)
|
|
(allow utype avahi_t (dbus (send_msg)))
|
|
(allow avahi_t utype (dbus (send_msg)))
|
|
)
|
|
; D-Bus messaging in both directions between utype and bluetooth_t
; (send_msg only). Dropped if bluetooth_t is not present in the policy.
(optional confinedom_graphical_login_optional_11
|
|
(typeattributeset cil_gen_require bluetooth_t)
|
|
(allow utype bluetooth_t (dbus (send_msg)))
|
|
(allow bluetooth_t utype (dbus (send_msg)))
|
|
)
|
|
(optional confinedom_graphical_login_optional_12
    ; Two-way D-Bus chat with colord, plus read-only access for colord to the
    ; /proc/<pid> entries of utype processes (procfs labels /proc/<pid> with
    ; the owning domain, which is why a domain appears as a dir/file target) -
    ; presumably for caller lookups.  utype gets nothing but the bus path.
    (typeattributeset cil_gen_require colord_t)
    (allow colord_t utype (dbus (send_msg)))
    (allow utype colord_t (dbus (send_msg)))
    (allow colord_t utype (process (getattr)))
    (allow colord_t utype (dir (ioctl read getattr lock open search)))
    (allow colord_t utype (file (ioctl read getattr lock open)))
    (allow colord_t utype (lnk_file (read getattr)))
)
|
|
(optional confinedom_graphical_login_optional_13
    ; ConsoleKit: two-way D-Bus chat and read-only access to its logs,
    ; reached through /var and /var/log (traversal only on those).
    (typeattributeset cil_gen_require var_t)
    (typeattributeset cil_gen_require var_log_t)
    (typeattributeset cil_gen_require consolekit_t)
    (typeattributeset cil_gen_require consolekit_log_t)
    (allow consolekit_t utype (dbus (send_msg)))
    (allow utype consolekit_t (dbus (send_msg)))
    (allow utype var_t (dir (getattr open search)))
    (allow utype var_log_t (dir (getattr open search)))
    (allow utype consolekit_log_t (dir (getattr open search)))
    (allow utype consolekit_log_t (file (ioctl read getattr lock open)))
)
|
|
(optional confinedom_graphical_login_optional_14
    ; Two-way D-Bus chat with the DeviceKit family: devicekit, upower
    ; (devicekit_power_t) and udisks (devicekit_disk_t).  NOTE(review): the
    ; udisks D-Bus API can mount/format media; SELinux only gates the message
    ; path here, so udisks' own polkit policy is the effective authorization -
    ; confirm it is configured for these users.
    (typeattributeset cil_gen_require devicekit_t)
    (typeattributeset cil_gen_require devicekit_power_t)
    (typeattributeset cil_gen_require devicekit_disk_t)
    (allow devicekit_t utype (dbus (send_msg)))
    (allow devicekit_power_t utype (dbus (send_msg)))
    (allow devicekit_disk_t utype (dbus (send_msg)))
    (allow utype devicekit_t (dbus (send_msg)))
    (allow utype devicekit_power_t (dbus (send_msg)))
    (allow utype devicekit_disk_t (dbus (send_msg)))
)
|
|
(optional confinedom_graphical_login_optional_15
    ; Two-way D-Bus chat with evolution and its alarm daemon.
    (typeattributeset cil_gen_require evolution_t)
    (typeattributeset cil_gen_require evolution_alarm_t)
    (allow evolution_t utype (dbus (send_msg)))
    (allow evolution_alarm_t utype (dbus (send_msg)))
    (allow utype evolution_t (dbus (send_msg)))
    (allow utype evolution_alarm_t (dbus (send_msg)))
)
|
|
(optional confinedom_graphical_login_optional_16
    ; Two-way D-Bus chat with firewalld.  NOTE(review): firewalld's D-Bus API
    ; can change firewall state; this rule only opens the message path, so the
    ; daemon's polkit policy remains the real gate - verify it for these users.
    (typeattributeset cil_gen_require firewalld_t)
    (allow firewalld_t utype (dbus (send_msg)))
    (allow utype firewalld_t (dbus (send_msg)))
)
|
|
(optional confinedom_graphical_login_optional_17
    ; Two-way D-Bus chat with geoclue, plus read-only access for geoclue to the
    ; /proc/<pid> entries of utype processes (procfs labels /proc/<pid> with
    ; the owning domain).  Nothing here lets utype touch geoclue's files.
    (typeattributeset cil_gen_require geoclue_t)
    (allow geoclue_t utype (dbus (send_msg)))
    (allow utype geoclue_t (dbus (send_msg)))
    (allow geoclue_t utype (process (getattr)))
    (allow geoclue_t utype (dir (ioctl read getattr lock open search)))
    (allow geoclue_t utype (file (ioctl read getattr lock open)))
    (allow geoclue_t utype (lnk_file (read getattr)))
)
|
|
(optional confinedom_graphical_login_optional_18
    ; Two-way D-Bus chat with the GConf defaults mechanism.
    (typeattributeset cil_gen_require gconfdefaultsm_t)
    (allow gconfdefaultsm_t utype (dbus (send_msg)))
    (allow utype gconfdefaultsm_t (dbus (send_msg)))
)
|
|
(optional confinedom_graphical_login_optional_19
    ; Two-way D-Bus chat with fprintd (fingerprint enrolment/verification).
    (typeattributeset cil_gen_require fprintd_t)
    (allow fprintd_t utype (dbus (send_msg)))
    (allow utype fprintd_t (dbus (send_msg)))
)
|
|
(optional confinedom_graphical_login_optional_20
    ; Two-way D-Bus chat with fwupd.  NOTE(review): fwupd's API includes
    ; firmware installation; only the bus path is opened here, so fwupd's
    ; polkit rules are the effective authorization - confirm they are intended
    ; to let a confined user trigger updates.
    (typeattributeset cil_gen_require fwupd_t)
    (allow fwupd_t utype (dbus (send_msg)))
    (allow utype fwupd_t (dbus (send_msg)))
)
|
|
(optional confinedom_graphical_login_optional_21
    ; hwloc: utype may run the hwloc dump-hwdata binary *in its own domain*
    ; (execute_no_trans, no transition) and read hwloc's runtime data under
    ; /run.  Only traversal is granted on /var and /run themselves.
    (typeattributeset cil_gen_require var_t)
    (typeattributeset cil_gen_require var_run_t)
    (typeattributeset cil_gen_require hwloc_dhwd_exec_t)
    (typeattributeset cil_gen_require hwloc_var_run_t)
    (allow utype hwloc_dhwd_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
    (allow utype var_t (dir (getattr open search)))
    (allow utype var_t (lnk_file (read getattr)))
    (allow utype var_run_t (dir (getattr open search)))
    (allow utype var_run_t (lnk_file (read getattr)))
    (allow utype hwloc_var_run_t (dir (getattr open search)))
    (allow utype hwloc_var_run_t (file (ioctl read getattr lock open)))
)
|
|
(optional confinedom_graphical_login_optional_22
    ; memcached client access: traverse /var and /run, open memcached's unix
    ; socket file and connect to the memcached_t listener.  NOTE(review): this
    ; connects a confined user to a system-wide memcached; if that instance is
    ; shared between users there is no SELinux separation of its contents.
    (typeattributeset cil_gen_require var_t)
    (typeattributeset cil_gen_require var_run_t)
    (typeattributeset cil_gen_require memcached_t)
    (typeattributeset cil_gen_require memcached_var_run_t)
    (allow utype var_t (dir (getattr open search)))
    (allow utype var_t (lnk_file (read getattr)))
    (allow utype var_run_t (dir (getattr open search)))
    (allow utype var_run_t (lnk_file (read getattr)))
    (allow utype memcached_var_run_t (dir (getattr open search)))
    (allow utype memcached_var_run_t (sock_file (write getattr append open)))
    (allow utype memcached_t (unix_stream_socket (connectto)))
)
|
|
(optional confinedom_graphical_login_optional_23
    ; Two-way D-Bus chat with ModemManager.
    (typeattributeset cil_gen_require modemmanager_t)
    (allow modemmanager_t utype (dbus (send_msg)))
    (allow utype modemmanager_t (dbus (send_msg)))
)
|
|
(optional confinedom_graphical_login_optional_24
    ; NetworkManager: two-way D-Bus chat plus read-only (incl. mmap) access to
    ; its state under /var/lib.  NOTE(review): verify nothing sensitive is
    ; labelled NetworkManager_var_lib_t on the target system; the rules below
    ; grant read and map, no write.
    (typeattributeset cil_gen_require var_t)
    (typeattributeset cil_gen_require var_lib_t)
    (typeattributeset cil_gen_require NetworkManager_t)
    (typeattributeset cil_gen_require NetworkManager_var_lib_t)
    (allow NetworkManager_t utype (dbus (send_msg)))
    (allow utype NetworkManager_t (dbus (send_msg)))
    (allow utype var_t (dir (getattr open search)))
    (allow utype var_lib_t (dir (getattr open search)))
    (allow utype NetworkManager_var_lib_t (dir (ioctl read getattr lock open search)))
    (allow utype NetworkManager_var_lib_t (file (ioctl read getattr lock map open)))
)
|
|
(optional confinedom_graphical_login_optional_25
    ; polkit: two-way D-Bus chat, and polkit may read the /proc/<pid> entries
    ; of utype processes (procfs labels /proc/<pid> with the owning domain) -
    ; presumably to identify the subject of an authorization check.
    (typeattributeset cil_gen_require policykit_t)
    (allow policykit_t utype (dbus (send_msg)))
    (allow utype policykit_t (dbus (send_msg)))
    (allow policykit_t utype (process (getattr)))
    (allow policykit_t utype (dir (ioctl read getattr lock open search)))
    (allow policykit_t utype (file (ioctl read getattr lock open)))
    (allow policykit_t utype (lnk_file (read getattr)))
)
|
|
(optional confinedom_graphical_login_optional_26
    ; Two-way D-Bus chat with rpm_t (PackageKit-style package operations run
    ; in that domain).  NOTE(review): the message path alone does not install
    ; packages; the daemon's polkit policy is the effective check - confirm it.
    (typeattributeset cil_gen_require rpm_t)
    (allow rpm_t utype (dbus (send_msg)))
    (allow utype rpm_t (dbus (send_msg)))
)
|
|
(optional confinedom_graphical_login_optional_27
    ; Two-way D-Bus chat with vpnc.
    (typeattributeset cil_gen_require vpnc_t)
    (allow vpnc_t utype (dbus (send_msg)))
    (allow utype vpnc_t (dbus (send_msg)))
)
|
|
)
|
|
(optional confinedom_graphical_login_optional_28
    ; Read-only access to the rpm database (rpm_var_lib_t, incl. mmap of its
    ; files) and the rpm cache (rpm_var_cache_t), reached via /var and
    ; /var/lib.  No write or relabel permissions are granted.
    (typeattributeset cil_gen_require var_t)
    (typeattributeset cil_gen_require var_lib_t)
    (typeattributeset cil_gen_require rpm_var_lib_t)
    (typeattributeset cil_gen_require rpm_var_cache_t)
    (allow utype var_t (dir (getattr open search)))
    (allow utype var_lib_t (dir (getattr open search)))
    (allow utype rpm_var_lib_t (dir (ioctl read getattr lock open search)))
    (allow utype rpm_var_lib_t (file (ioctl read getattr lock map open)))
    (allow utype rpm_var_lib_t (lnk_file (read getattr)))
    (allow utype rpm_var_cache_t (dir (ioctl read getattr lock open search)))
    (allow utype rpm_var_cache_t (file (ioctl read getattr lock open)))
    (allow utype rpm_var_cache_t (lnk_file (read getattr)))
)
|
|
(optional confinedom_graphical_login_optional_29
    ; systemd integration for the graphical session: D-Bus chat with logind,
    ; timedated, hostnamed and localed, control of units through the `service`
    ; class, and the runtime state those daemons publish under /run.
    (typeattributeset cil_gen_require var_t)
    (typeattributeset cil_gen_require var_run_t)
    (typeattributeset cil_gen_require init_var_run_t)
    (typeattributeset cil_gen_require systemd_logind_t)
    (typeattributeset cil_gen_require systemd_timedated_t)
    (typeattributeset cil_gen_require systemd_hostnamed_t)
    (typeattributeset cil_gen_require systemd_localed_t)
    (typeattributeset cil_gen_require systemd_unit_file_type)
    (typeattributeset cil_gen_require init_script_file_type)
    (typeattributeset cil_gen_require systemd_logind_var_run_t)
    (typeattributeset cil_gen_require systemd_logind_sessions_t)
    (typeattributeset cil_gen_require systemd_logind_inhibit_var_run_t)
    (typeattributeset cil_gen_require systemd_machined_var_run_t)

    ; logind: chat, /proc/<pid> lookups of utype processes (procfs labels
    ; /proc/<pid> with the owning domain), and the right to signal utype
    ; processes - presumably session teardown.  utype may use fds it receives
    ; from logind (the inhibitor FIFO below is the likely case).
    (allow systemd_logind_t utype (dbus (send_msg)))
    (allow utype systemd_logind_t (dbus (send_msg)))
    (allow systemd_logind_t utype (process (getattr signal)))
    (allow systemd_logind_t utype (dir (ioctl read getattr lock open search)))
    (allow systemd_logind_t utype (file (ioctl read getattr lock open)))
    (allow systemd_logind_t utype (lnk_file (read getattr)))
    (allow utype systemd_logind_t (fd (use)))

    ; timedated / hostnamed / localed: chat plus read-only /proc/<pid> access
    ; to utype processes.  Nothing here lets utype touch these daemons' files.
    (allow systemd_timedated_t utype (dbus (send_msg)))
    (allow utype systemd_timedated_t (dbus (send_msg)))
    (allow systemd_timedated_t utype (process (getattr)))
    (allow systemd_timedated_t utype (dir (ioctl read getattr lock open search)))
    (allow systemd_timedated_t utype (file (ioctl read getattr lock open)))
    (allow systemd_timedated_t utype (lnk_file (read getattr)))
    (allow systemd_hostnamed_t utype (dbus (send_msg)))
    (allow utype systemd_hostnamed_t (dbus (send_msg)))
    (allow systemd_hostnamed_t utype (process (getattr)))
    (allow systemd_hostnamed_t utype (dir (ioctl read getattr lock open search)))
    (allow systemd_hostnamed_t utype (file (ioctl read getattr lock open)))
    (allow systemd_hostnamed_t utype (lnk_file (read getattr)))
    (allow systemd_localed_t utype (dbus (send_msg)))
    (allow utype systemd_localed_t (dbus (send_msg)))
    (allow systemd_localed_t utype (process (getattr)))
    (allow systemd_localed_t utype (dir (ioctl read getattr lock open search)))
    (allow systemd_localed_t utype (file (ioctl read getattr lock open)))
    (allow systemd_localed_t utype (lnk_file (read getattr)))

    ; NOTE(review): the full `service` permission set on *every* unit-file and
    ; init-script type.  The `service` class is checked by systemd's object
    ; manager on D-Bus requests, so from the SELinux side this confined user
    ; may start, stop, reload, enable and disable any unit; systemd's own
    ; polkit/uid authorization is a separate check - confirm it still gates
    ; these for the target users.  If the session only needs to query unit
    ; state, trim both rules to `(service (status))`.
    (allow utype systemd_unit_file_type (service (start stop status reload enable disable)))
    (allow utype init_script_file_type (service (start stop status reload enable disable)))

    ; /var and /run traversal, then logind/machined runtime state: session
    ; directories are readable and watchable, inhibit locks are write-only
    ; FIFOs (no read of other sessions' inhibitors).
    (allow utype var_t (dir (getattr open search)))
    (allow utype var_t (lnk_file (read getattr)))
    (allow utype var_run_t (dir (getattr open search)))
    (allow utype var_run_t (lnk_file (read getattr)))
    (allow utype init_var_run_t (dir (getattr open search)))
    (allow utype systemd_logind_var_run_t (dir (getattr watch)))
    (allow utype systemd_machined_var_run_t (dir (getattr watch)))
    (allow utype systemd_logind_sessions_t (dir (ioctl read getattr lock open search watch)))
    (allow utype systemd_logind_sessions_t (file (ioctl read getattr lock open)))
    (allow utype systemd_logind_inhibit_var_run_t (fifo_file (write)))
)
|
|
(optional confinedom_graphical_login_optional_30
    ; CUPS client access: traverse /var and /run, read/write cupsd's unix
    ; socket file and connect to the cupsd_t listener.  Only the socket is
    ; reachable; no spool or config files are covered here.
    (typeattributeset cil_gen_require var_t)
    (typeattributeset cil_gen_require var_run_t)
    (typeattributeset cil_gen_require cupsd_t)
    (typeattributeset cil_gen_require cupsd_var_run_t)
    (allow utype var_t (dir (getattr open search)))
    (allow utype var_t (lnk_file (read getattr)))
    (allow utype var_run_t (dir (getattr open search)))
    (allow utype var_run_t (lnk_file (read getattr)))
    (allow utype cupsd_var_run_t (dir (getattr open search)))
    (allow utype cupsd_var_run_t (sock_file (read write getattr append open)))
    (allow utype cupsd_t (unix_stream_socket (connectto)))
)
|
|
(optional confinedom_graphical_login_optional_31
    ; FUSE mounting from the session: utype runs fusermount and transitions to
    ; mount_t, which in turn may run fsadm tools as fsadm_t.  Both domains are
    ; added to the user's role so those transitions are valid for urole.
    ; NOTE(review): mount_t and fsadm_t are privileged domains.  The only
    ; entrypoint granted in this block is fusermount_exec_t, so this block
    ; alone does not let utype reach mount_t via /bin/mount - check the rest of
    ; the policy before relying on that.
    (typeattributeset cil_gen_require bin_t)
    (typeattributeset cil_gen_require var_t)
    (typeattributeset cil_gen_require var_run_t)
    (typeattributeset cil_gen_require mount_t)
    (typeattributeset cil_gen_require mount_var_run_t)
    (typeattributeset cil_gen_require fusermount_exec_t)
    (typeattributeset cil_gen_require fsadm_t)
    (typeattributeset cil_gen_require fsadm_exec_t)
    (roleattributeset cil_gen_require urole)
    (roletype urole mount_t)
    (roletype urole fsadm_t)

    ; utype -> mount_t, via fusermount only
    (allow utype fusermount_exec_t (file (ioctl read getattr map execute open)))
    (allow utype mount_t (process (transition)))
    (typetransition utype fusermount_exec_t process mount_t)
    ; parent/child plumbing for that transition; mount_t may also read utype's
    ; /proc/<pid> entries and read/write unix stream sockets owned by utype
    ; (typically fds inherited across the exec).
    (allow mount_t utype (fd (use)))
    (allow utype mount_t (fd (use)))
    (allow mount_t utype (fifo_file (ioctl read write getattr lock append)))
    (allow mount_t utype (process (getattr sigchld)))
    (allow mount_t utype (dir (ioctl read getattr lock open search)))
    (allow mount_t utype (file (ioctl read getattr lock open)))
    (allow mount_t utype (lnk_file (read getattr)))
    (allow mount_t utype (unix_stream_socket (read write)))

    ; mount_t -> fsadm_t (fsadm binaries located through bin_t)
    (allow mount_t bin_t (dir (getattr open search)))
    (allow mount_t bin_t (lnk_file (read getattr)))
    (allow mount_t fsadm_exec_t (file (ioctl read getattr map execute open)))
    (allow mount_t fsadm_t (process (transition)))
    (typetransition mount_t fsadm_exec_t process fsadm_t)
    (allow fsadm_t mount_t (fd (use)))
    (allow fsadm_t mount_t (fifo_file (ioctl read write getattr lock append)))
    (allow fsadm_t mount_t (process (sigchld)))

    ; read-only view of mount's runtime state under /run
    (allow utype var_t (dir (getattr open search)))
    (allow utype var_t (lnk_file (read getattr)))
    (allow utype var_run_t (dir (getattr open search)))
    (allow utype var_run_t (lnk_file (read getattr)))
    (allow utype mount_var_run_t (dir (ioctl read getattr lock open search)))
    (allow utype mount_var_run_t (file (ioctl read getattr lock open)))
)
|
|
(optional confinedom_graphical_login_optional_32
    ; PulseAudio run from the session: utype launches pulseaudio into
    ; pulseaudio_t, shares its tmpfs-backed objects, talks to it over unix
    ; sockets and D-Bus, and gets the ~/.pulse* and ~/.config/pulse labelling.
    (typeattributeset cil_gen_require home_root_t)
    (typeattributeset cil_gen_require user_home_dir_t)
    (typeattributeset cil_gen_require tmp_t)
    (typeattributeset cil_gen_require tmpfs_t)
    (typeattributeset cil_gen_require user_tmp_t)
    (typeattributeset cil_gen_require user_tmp_type)
    (typeattributeset cil_gen_require pulseaudio_t)
    (typeattributeset cil_gen_require pulseaudio_exec_t)
    (typeattributeset cil_gen_require pulseaudio_tmpfs_t)
    (typeattributeset cil_gen_require pulseaudio_tmpfsfile)
    (typeattributeset cil_gen_require pulseaudio_home_t)
    (roleattributeset cil_gen_require urole)
    (roletype urole pulseaudio_t)
    (roletype urole user_tmp_t)

    ; utype -> pulseaudio_t.  NOTE(review): nnp_transition lets this
    ; transition proceed even when the caller has set no_new_privs (needed if
    ; pulseaudio is started from a NoNewPrivileges= user unit); keep it only if
    ; pulseaudio really is launched that way.
    (allow utype pulseaudio_exec_t (file (ioctl read getattr map execute open)))
    (allow utype pulseaudio_t (process (transition)))
    (allow utype pulseaudio_t (process2 (nnp_transition)))
    (typetransition utype pulseaudio_exec_t process pulseaudio_t)
    (allow pulseaudio_t utype (fd (use)))
    (allow pulseaudio_t utype (fifo_file (ioctl read write getattr lock append)))

    ; signals, /proc/<pid> reads, unix socket connects and D-Bus in both
    ; directions; utype may also kill its pulseaudio, and pulseaudio may
    ; acquire service names on utype's bus.
    (allow pulseaudio_t utype (process (getattr sigchld signull signal)))
    (allow utype pulseaudio_t (process (getattr sigkill signull signal)))
    (allow utype pulseaudio_t (dir (ioctl read getattr lock open search)))
    (allow utype pulseaudio_t (file (ioctl read getattr lock open)))
    (allow utype pulseaudio_t (lnk_file (read getattr)))
    (allow pulseaudio_t utype (dir (ioctl read getattr lock open search)))
    (allow pulseaudio_t utype (file (ioctl read getattr lock open)))
    (allow pulseaudio_t utype (lnk_file (read getattr)))
    (allow pulseaudio_t utype (unix_stream_socket (connectto)))
    (allow utype pulseaudio_t (unix_stream_socket (connectto)))
    (allow utype pulseaudio_t (dbus (send_msg)))
    (allow pulseaudio_t utype (dbus (acquire_svc send_msg)))

    ; NOTE(review): utype gets full manage *and relabel* rights on
    ; pulseaudio's tmpfs objects (presumably its shm-backed files).
    ; relabelfrom/relabelto is more than a shared-memory exchange needs -
    ; verify it is exercised before keeping it.
    (allow utype pulseaudio_tmpfsfile (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
    (allow utype pulseaudio_tmpfsfile (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads)))
    (allow utype pulseaudio_tmpfs_t (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
    (allow utype pulseaudio_tmpfs_t (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads)))

    ; pulseaudio's scratch space: everything it creates under /tmp or a tmpfs
    ; becomes user_tmp_t, and it may manage, relabel, mmap and mount on any
    ; user_tmp_type object.  NOTE(review): `mounton` over user_tmp_type is
    ; broad for an audio daemon - confirm it is actually needed.
    (typemember pulseaudio_t tmp_t dir user_tmp_t)
    (allow user_tmp_t tmpfs_t (filesystem (associate)))
    (allow pulseaudio_t tmp_t (dir (ioctl read write getattr lock open add_name remove_name search)))
    (allow pulseaudio_t tmpfs_t (dir (ioctl read write getattr lock open add_name remove_name search)))
    (typetransition pulseaudio_t tmp_t dir user_tmp_t)
    (typetransition pulseaudio_t tmp_t file user_tmp_t)
    (typetransition pulseaudio_t tmp_t lnk_file user_tmp_t)
    (typetransition pulseaudio_t tmp_t sock_file user_tmp_t)
    (typetransition pulseaudio_t tmp_t fifo_file user_tmp_t)
    (typetransition pulseaudio_t tmpfs_t dir user_tmp_t)
    (typetransition pulseaudio_t tmpfs_t file user_tmp_t)
    (typetransition pulseaudio_t tmpfs_t lnk_file user_tmp_t)
    (typetransition pulseaudio_t tmpfs_t sock_file user_tmp_t)
    (typetransition pulseaudio_t tmpfs_t fifo_file user_tmp_t)
    (allow pulseaudio_t user_tmp_type (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir mounton)))
    (allow pulseaudio_t user_tmp_type (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename open watch watch_reads)))
    (allow pulseaudio_t user_tmp_type (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename watch watch_reads)))
    (allow pulseaudio_t user_tmp_type (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open)))
    (allow pulseaudio_t user_tmp_type (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open)))

    ; home directory: utype may add/remove entries in $HOME; the auth cookies
    ; and config dir it creates there are labelled pulseaudio_home_t.
    (allow utype home_root_t (dir (getattr open search)))
    (allow utype home_root_t (lnk_file (read getattr)))
    (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
    (typetransition utype user_home_dir_t file ".esd_auth" pulseaudio_home_t)
    (typetransition utype user_home_dir_t file ".pulse-cookie" pulseaudio_home_t)
    (typetransition utype user_home_dir_t dir ".pulse" pulseaudio_home_t)

    (optional confinedom_graphical_login_optional_33
        ; XDG layout: "pulse" created under ~/.config is pulseaudio_home_t too
        (typeattributeset cil_gen_require home_root_t)
        (typeattributeset cil_gen_require user_home_dir_t)
        (typeattributeset cil_gen_require config_home_t)
        (allow utype home_root_t (dir (getattr open search)))
        (allow utype home_root_t (lnk_file (read getattr)))
        (allow utype user_home_dir_t (dir (getattr open search)))
        (allow utype user_home_dir_t (lnk_file (read getattr)))
        (allow utype config_home_t (dir (ioctl read write getattr lock open add_name remove_name search)))
        (typetransition utype config_home_t dir "pulse" pulseaudio_home_t)
    )
)
|
|
(optional confinedom_graphical_login_optional_34
    ; SPICE vdagent client access: stat its log file, traverse /var, /var/log
    ; and /run, open its unix socket file and connect to the vdagent_t
    ; listener.  The log itself is only getattr, not readable.
    (typeattributeset cil_gen_require var_t)
    (typeattributeset cil_gen_require var_log_t)
    (typeattributeset cil_gen_require var_run_t)
    (typeattributeset cil_gen_require vdagent_t)
    (typeattributeset cil_gen_require vdagent_log_t)
    (typeattributeset cil_gen_require vdagent_var_run_t)
    (allow utype var_t (dir (getattr open search)))
    (allow utype var_t (lnk_file (read getattr)))
    (allow utype var_log_t (dir (getattr open search)))
    (allow utype vdagent_log_t (file (getattr)))
    (allow utype var_run_t (dir (getattr open search)))
    (allow utype var_run_t (lnk_file (read getattr)))
    (allow utype vdagent_var_run_t (dir (getattr open search)))
    (allow utype vdagent_var_run_t (sock_file (write getattr append open)))
    (allow utype vdagent_t (unix_stream_socket (connectto)))
)
|
|
(optional confinedom_graphical_login_optional_35
    ; rtkit: the realtime-scheduling helper may inspect utype processes
    ; (/proc/<pid>, labelled with the owning domain) and change their
    ; scheduling class/priority (getsched/setsched); utype may search proc_t
    ; directories.  The D-Bus chat that requests this lives in the nested
    ; optional so it drops out cleanly if the rtkit module is absent.
    (typeattributeset cil_gen_require proc_t)
    (typeattributeset cil_gen_require rtkit_daemon_t)
    (allow utype proc_t (dir (getattr open search)))
    (allow rtkit_daemon_t utype (process (getattr getsched setsched)))
    (allow rtkit_daemon_t utype (dir (ioctl read getattr lock open search)))
    (allow rtkit_daemon_t utype (file (ioctl read getattr lock open)))
    (allow rtkit_daemon_t utype (lnk_file (read getattr)))
    (optional confinedom_graphical_login_optional_36
        (typeattributeset cil_gen_require rtkit_daemon_t)
        (allow rtkit_daemon_t utype (dbus (send_msg)))
        (allow utype rtkit_daemon_t (dbus (send_msg)))
    )
)
|
|
)
|
|
)
|
|
|
|
(macro confinedom_mozilla_usage_macro ((type utype) (role urole))
|
|
(optional confinedom_mozilla_usage_optional
|
|
(roleattributeset cil_gen_require mozilla_roles)
|
|
(roleattributeset cil_gen_require urole)
|
|
(typeattributeset cil_gen_require mozilla_t)
|
|
(typeattributeset cil_gen_require mozilla_exec_t)
|
|
(typeattributeset cil_gen_require mozilla_home_t)
|
|
(typeattributeset cil_gen_require mozilla_tmpfs_t)
|
|
(typeattributeset cil_gen_require utype)
|
|
(optional confinedom_mozilla_usage_optional_3
|
|
(roleattributeset cil_gen_require mozilla_plugin_roles)
|
|
(roleattributeset cil_gen_require mozilla_plugin_config_roles)
|
|
(typeattributeset cil_gen_require mozilla_t)
|
|
(typeattributeset cil_gen_require mozilla_home_t)
|
|
(typeattributeset cil_gen_require mozilla_plugin_t)
|
|
(typeattributeset cil_gen_require mozilla_plugin_exec_t)
|
|
(typeattributeset cil_gen_require mozilla_plugin_config_t)
|
|
(typeattributeset cil_gen_require mozilla_plugin_config_exec_t)
|
|
(typeattributeset cil_gen_require mozilla_plugin_rw_t)
|
|
(typeattributeset cil_gen_require lib_t)
|
|
(typeattributeset cil_gen_require user_home_dir_t)
|
|
(typeattributeset cil_gen_require home_root_t)
|
|
(roleattributeset cil_gen_require mozilla_plugin_config_roles)
|
|
(roleattributeset mozilla_plugin_config_roles (urole ))
|
|
(roleattributeset cil_gen_require mozilla_plugin_roles)
|
|
(roleattributeset mozilla_plugin_roles (urole ))
|
|
(allow utype mozilla_t (process (noatsecure siginh rlimitinh)))
|
|
(allow utype mozilla_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype mozilla_t (file (ioctl read getattr lock open)))
|
|
(allow utype mozilla_t (lnk_file (read getattr)))
|
|
(allow utype mozilla_t (process (getattr)))
|
|
(allow utype mozilla_t (process (sigchld sigkill sigstop signull signal)))
|
|
(allow utype mozilla_t (fd (use)))
|
|
(allow utype mozilla_t (shm (getattr associate)))
|
|
(allow utype mozilla_t (shm (unix_read unix_write)))
|
|
(allow utype mozilla_t (unix_stream_socket (connectto)))
|
|
(allow utype mozilla_plugin_exec_t (file (ioctl read getattr map execute open)))
|
|
(allow utype mozilla_plugin_t (process (transition)))
|
|
(typetransition utype mozilla_plugin_exec_t process mozilla_plugin_t)
|
|
(allow mozilla_plugin_t utype (fd (use)))
|
|
(allow mozilla_plugin_t utype (fifo_file (ioctl read write getattr lock append)))
|
|
(allow mozilla_plugin_t utype (process (sigchld)))
|
|
(allow utype mozilla_plugin_config_exec_t (file (ioctl read getattr map execute open)))
|
|
(allow utype mozilla_plugin_config_t (process (transition)))
|
|
(typetransition utype mozilla_plugin_config_exec_t process mozilla_plugin_config_t)
|
|
(allow mozilla_plugin_config_t utype (fd (use)))
|
|
(allow mozilla_plugin_config_t utype (fifo_file (ioctl read write getattr lock append)))
|
|
(allow mozilla_plugin_config_t utype (process (sigchld)))
|
|
(allow mozilla_plugin_t utype (process (signull)))
|
|
(dontaudit mozilla_plugin_config_t utype (file (ioctl read getattr lock)))
|
|
(dontaudit mozilla_plugin_t utype (process (signal)))
|
|
(allow utype mozilla_plugin_t (unix_stream_socket (ioctl read write getattr setattr lock append bind connect getopt setopt shutdown connectto)))
|
|
(allow utype mozilla_plugin_t (fd (use)))
|
|
(allow mozilla_plugin_t utype (unix_stream_socket (ioctl read write getattr setattr lock append bind connect getopt setopt shutdown)))
|
|
(allow mozilla_plugin_t utype (unix_dgram_socket (ioctl read write getattr setattr lock append bind connect getopt setopt shutdown sendto)))
|
|
(allow mozilla_plugin_t utype (shm (destroy getattr read write associate unix_read unix_write lock)))
|
|
(allow mozilla_plugin_t utype (sem (create destroy getattr setattr read write associate unix_read unix_write)))
|
|
(allow utype mozilla_plugin_t (sem (getattr read write associate unix_read unix_write)))
|
|
(allow utype mozilla_plugin_t (shm (getattr read write associate unix_read unix_write lock)))
|
|
(allow utype mozilla_plugin_t (fifo_file (ioctl read write getattr lock append open)))
|
|
(allow utype mozilla_plugin_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype mozilla_plugin_t (file (ioctl read getattr lock open)))
|
|
(allow utype mozilla_plugin_t (lnk_file (read getattr)))
|
|
(allow utype mozilla_plugin_t (process (getattr)))
|
|
(allow mozilla_plugin_t utype (dir (ioctl read getattr lock open search)))
|
|
(allow mozilla_plugin_t utype (file (ioctl read getattr lock open)))
|
|
(allow mozilla_plugin_t utype (lnk_file (read getattr)))
|
|
(allow mozilla_plugin_t utype (process (getattr)))
|
|
(allow utype mozilla_plugin_t (process (sigchld sigkill sigstop signull signal noatsecure)))
|
|
(allow utype mozilla_plugin_rw_t (dir (getattr open search)))
|
|
(allow utype mozilla_plugin_rw_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype mozilla_plugin_rw_t (dir (getattr open search)))
|
|
(allow utype mozilla_plugin_rw_t (file (ioctl read getattr lock open)))
|
|
(allow utype mozilla_plugin_rw_t (dir (getattr open search)))
|
|
(allow utype mozilla_plugin_rw_t (lnk_file (read getattr)))
|
|
(allow utype mozilla_plugin_rw_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
|
(allow utype mozilla_plugin_t (dbus (send_msg)))
|
|
(allow mozilla_plugin_t utype (dbus (send_msg)))
|
|
(allow mozilla_plugin_t utype (process (signull)))
|
|
(allow utype mozilla_t (dbus (send_msg)))
|
|
(allow mozilla_t utype (dbus (send_msg)))
|
|
(allow utype mozilla_plugin_rw_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype home_root_t (dir (getattr open search)))
|
|
(allow utype home_root_t (lnk_file (read getattr)))
|
|
(allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype home_root_t (dir (getattr open search)))
|
|
(allow utype home_root_t (lnk_file (read getattr)))
|
|
(allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype home_root_t (dir (getattr open search)))
|
|
(allow utype home_root_t (lnk_file (read getattr)))
|
|
(allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype home_root_t (dir (getattr open search)))
|
|
(allow utype home_root_t (lnk_file (read getattr)))
|
|
; Path lookup /home -> ~ and management of entries inside the user's home
; directory.  The generated source repeated these three rules many times;
; allow rules are additive, so one copy of each is equivalent.  The home
; directory itself is not created, removed or renamed by this set (no
; create/unlink/rename in the dir permission list).
(allow utype home_root_t (dir (getattr open search)))
(allow utype home_root_t (lnk_file (read getattr)))
(allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
; Name-based file transitions: objects utype creates directly in its home
; directory under these names receive mozilla_home_t instead of the default
; home-content type, so browser/plugin state stays reachable by the plugin
; domain.  Grouped by object class; order is not significant in CIL.
;
; directories
(typetransition utype user_home_dir_t dir ".mozilla" mozilla_home_t)
(typetransition utype user_home_dir_t dir ".thunderbird" mozilla_home_t)
(typetransition utype user_home_dir_t dir ".netscape" mozilla_home_t)
(typetransition utype user_home_dir_t dir ".phoenix" mozilla_home_t)
(typetransition utype user_home_dir_t dir ".galeon" mozilla_home_t)
(typetransition utype user_home_dir_t dir ".java" mozilla_home_t)
(typetransition utype user_home_dir_t dir ".icedtea" mozilla_home_t)
(typetransition utype user_home_dir_t dir ".icedteaplugin" mozilla_home_t)
(typetransition utype user_home_dir_t dir ".gcjwebplugin" mozilla_home_t)
(typetransition utype user_home_dir_t dir ".adobe" mozilla_home_t)
(typetransition utype user_home_dir_t dir ".macromedia" mozilla_home_t)
(typetransition utype user_home_dir_t dir ".gnash" mozilla_home_t)
(typetransition utype user_home_dir_t dir ".grl-podcasts" mozilla_home_t)
(typetransition utype user_home_dir_t dir ".quakelive" mozilla_home_t)
(typetransition utype user_home_dir_t dir ".spicec" mozilla_home_t)
(typetransition utype user_home_dir_t dir ".ICAClient" mozilla_home_t)
(typetransition utype user_home_dir_t dir "zimbrauserdata" mozilla_home_t)
(typetransition utype user_home_dir_t dir ".juniper_networks" mozilla_home_t)
(typetransition utype user_home_dir_t dir ".lyx" mozilla_home_t)
(typetransition utype user_home_dir_t dir ".IBMERS" mozilla_home_t)
(typetransition utype user_home_dir_t dir ".webex" mozilla_home_t)
; regular files
(typetransition utype user_home_dir_t file "mozilla.pdf" mozilla_home_t)
(typetransition utype user_home_dir_t file ".gnashpluginrc" mozilla_home_t)
(typetransition utype user_home_dir_t file "abc" mozilla_home_t)
; NOTE(review): a file that utype creates inside mozilla_plugin_rw_t under
; this exact name is labeled lib_t -- a system library type, not user
; content.  The transition keys on the name only, not on who created the
; file, so any domain allowed to read/map lib_t could load it; confirm that
; mozilla_plugin_rw_t is writable only by the user's own processes.
(typetransition utype mozilla_plugin_rw_t file "nswrapper_32_64.nppdf.so" lib_t)
|
|
; utype may ptrace the browser plugin domain only while the deny_ptrace
; boolean is off: the allow rule sits in the false branch.  The boolean's
; default value is not set in this block.
(booleanif (deny_ptrace)
(false
(allow utype mozilla_plugin_t (process (ptrace)))
)
)
|
|
(optional confinedom_mozilla_usage_optional_4
    ; Printing from the browser plugin: mozilla_plugin_t may run lpr and
    ; the caller's role becomes a member of lpr_roles so lpr_t is reachable.
    (roleattributeset cil_gen_require lpr_roles)
    (typeattributeset cil_gen_require lpr_t)
    (typeattributeset cil_gen_require lpr_exec_t)
    (roleattributeset lpr_roles (urole))
    ; domain transition mozilla_plugin_t -> lpr_t on lpr_exec_t
    (allow mozilla_plugin_t lpr_exec_t (file (ioctl read getattr map execute open)))
    (allow mozilla_plugin_t lpr_t (process (transition)))
    (typetransition mozilla_plugin_t lpr_exec_t process lpr_t)
    ; the child keeps the plugin's descriptors and pipes and may deliver
    ; SIGCHLD back to it
    (allow lpr_t mozilla_plugin_t (fd (use)))
    (allow lpr_t mozilla_plugin_t (fifo_file (ioctl read write getattr lock append)))
    (allow lpr_t mozilla_plugin_t (process (sigchld)))
)
|
|
(optional confinedom_mozilla_usage_optional_5
    (typeattributeset cil_gen_require home_root_t)
    (typeattributeset cil_gen_require user_home_dir_t)
    (typeattributeset cil_gen_require cache_home_t)
    ; path lookup /home -> ~ -> the cache_home_t directory (conventionally
    ; ~/.cache); the duplicated rules of the generated source are collapsed
    (allow utype home_root_t (dir (getattr open search)))
    (allow utype home_root_t (lnk_file (read getattr)))
    (allow utype user_home_dir_t (dir (getattr open search)))
    (allow utype user_home_dir_t (lnk_file (read getattr)))
    ; add and remove entries in the cache directory; the directory itself
    ; cannot be created, unlinked or renamed with this permission set
    (allow utype cache_home_t (dir (ioctl read write getattr lock open add_name remove_name search)))
    ; browser caches created there are labeled mozilla_home_t
    (typetransition utype cache_home_t dir "mozilla" mozilla_home_t)
    (typetransition utype cache_home_t dir "icedtea-web" mozilla_home_t)
)
|
|
)
|
|
)
|
|
)
|
|
|
|
(macro confinedom_networking_macro ((type utype) (role urole))
    ; Lets a confined user domain run ping and traceroute in their own
    ; domains.  The whole grant is gated by the selinuxuser_ping boolean.
    (optional confinedom_networking_optional_2
        (roleattributeset cil_gen_require urole)
        (typeattributeset cil_gen_require utype)
        (typeattributeset cil_gen_require bin_t)
        (typeattributeset cil_gen_require ping_t)
        (typeattributeset cil_gen_require ping_exec_t)
        (typeattributeset cil_gen_require traceroute_t)
        (typeattributeset cil_gen_require traceroute_exec_t)
        ; The role/type associations are unconditional; only the execute
        ; and transition rules below depend on the boolean.  With
        ; selinuxuser_ping off, nothing in this macro lets utype execute
        ; either binary, so the associations alone grant nothing.
        (roletype urole ping_t)
        (roletype urole traceroute_t)
        (booleanif (selinuxuser_ping)
            (true
                ; locate the binaries under bin_t
                (allow utype bin_t (dir (getattr open search)))
                (allow utype bin_t (lnk_file (read getattr)))
                ; utype -> ping_t on ping_exec_t; utype may signal/kill the
                ; child, the child keeps utype's fds and pipes
                (allow utype ping_exec_t (file (ioctl read getattr map execute open)))
                (allow utype ping_t (process (transition)))
                (typetransition utype ping_exec_t process ping_t)
                (allow utype ping_t (process (sigkill signal)))
                (allow ping_t utype (fd (use)))
                (allow ping_t utype (fifo_file (ioctl read write getattr lock append)))
                (allow ping_t utype (process (sigchld)))
                ; utype -> traceroute_t on traceroute_exec_t, same shape
                (allow utype traceroute_exec_t (file (ioctl read getattr map execute open)))
                (allow utype traceroute_t (process (transition)))
                (typetransition utype traceroute_exec_t process traceroute_t)
                (allow utype traceroute_t (process (sigkill signal)))
                (allow traceroute_t utype (fd (use)))
                (allow traceroute_t utype (fifo_file (ioctl read write getattr lock append)))
                (allow traceroute_t utype (process (sigchld)))
            )
        )
    )
)
|
|
|
|
(macro confinedom_security_advanced_macro ((type utype) (role urole) (type sudo_type) (type userhelper_type))
|
|
(optional confinedom_security_advanced_optional_2
|
|
; --- requirements, grouped by what they are for (duplicates dropped) ---
(roleattributeset cil_gen_require urole)
(typeattributeset cil_gen_require utype)
(typeattributeset cil_gen_require sudo_type)
; audit logs and configuration
(typeattributeset cil_gen_require auditd_log_t)
(typeattributeset cil_gen_require auditd_etc_t)
; selinuxfs, sysfs and the policy-control attributes
(typeattributeset cil_gen_require security_t)
(typeattributeset cil_gen_require sysfs_t)
(typeattributeset cil_gen_require boolean_type)
(typeattributeset cil_gen_require can_setbool)
(typeattributeset cil_gen_require can_setenforce)
(typeattributeset cil_gen_require secure_mode_policyload_t)
; policy store, login mapping and the tools that manage them
(typeattributeset cil_gen_require selinux_config_t)
(typeattributeset cil_gen_require semanage_store_t)
(typeattributeset cil_gen_require selinux_login_config_t)
(typeattributeset cil_gen_require semanage_t)
(typeattributeset cil_gen_require semanage_exec_t)
(typeattributeset cil_gen_require setfiles_t)
(typeattributeset cil_gen_require setfiles_exec_t)
(typeattributeset cil_gen_require load_policy_t)
(typeattributeset cil_gen_require load_policy_exec_t)
(typeattributeset cil_gen_require newrole_t)
(typeattributeset cil_gen_require newrole_exec_t)
(typeattributeset cil_gen_require updpwd_t)
(typeattributeset cil_gen_require updpwd_exec_t)
(typeattributeset cil_gen_require shadow_t)
; generic filesystem locations
(typeattributeset cil_gen_require var_t)
(typeattributeset cil_gen_require etc_t)
(typeattributeset cil_gen_require usr_t)
(typeattributeset cil_gen_require bin_t)
; --- tool domains reachable from the caller's role ---
(roletype urole semanage_t)
(roletype urole setfiles_t)
(roletype urole load_policy_t)
(roletype urole newrole_t)
(roletype urole updpwd_t)
; NOTE(review): utype itself -- not only a sudo/newrole child domain -- is
; added to can_setbool and can_setenforce.  Combined with the security_t and
; boolean_type write rules granted to utype later in this optional, this
; puts boolean changes and enforcing-mode changes within reach of the
; confined user domain.  Restrict this macro to security-administrator
; users.
(typeattributeset can_setbool (utype))
(typeattributeset can_setenforce (utype))
|
|
; Read-only view of audit logs and audit configuration (the generated
; source listed several subset rules; each pair is merged into its union).
(allow utype var_t (dir (getattr open search)))
(allow utype auditd_log_t (dir (ioctl read getattr lock open search)))
(allow utype auditd_log_t (file (ioctl read getattr lock open)))
(allow utype auditd_log_t (lnk_file (read getattr)))
(allow utype etc_t (dir (getattr open search)))
(allow utype auditd_etc_t (dir (ioctl read getattr lock open search)))
(allow utype auditd_etc_t (file (ioctl read getattr lock open)))
; selinuxfs, reached through sysfs_t: listing plus read/write of its control
; files and of the per-boolean files.  Writing these files is the mechanism
; behind setenforce and setsebool; the security-class permissions that
; accompany them are not part of this block.
(allow utype sysfs_t (filesystem (getattr)))
(allow utype sysfs_t (dir (getattr open search)))
(allow utype security_t (dir (ioctl read getattr lock open search)))
(allow utype security_t (lnk_file (read getattr)))
(allow utype security_t (file (ioctl read write getattr lock append open)))
(allow utype boolean_type (dir (ioctl read getattr lock open search)))
(allow utype boolean_type (file (ioctl read write getattr lock append open)))
|
|
; semanage_t may read objects labeled utype (presumably the caller's /proc
; entries) and the two domains may exchange D-Bus messages.
(allow semanage_t utype (dir (ioctl read getattr lock open search)))
(allow semanage_t utype (file (ioctl read getattr lock open)))
(allow semanage_t utype (lnk_file (read getattr)))
(allow semanage_t utype (process (getattr)))
(allow utype semanage_t (dbus (send_msg)))
(allow semanage_t utype (dbus (send_msg)))
; NOTE(review): direct, unmediated write access to the policy store.  utype
; can create, unlink, link and rename directories, files and symlinks of
; semanage_store_t and add/remove entries in selinux_config_t without going
; through semanage_t.  A domain holding these rules can rewrite the module
; store from which the loaded policy is rebuilt; this is equivalent to
; policy authorship and belongs to security administrators only.
(allow utype etc_t (dir (getattr open search)))
(allow utype var_t (dir (getattr open search)))
(allow utype selinux_config_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow utype semanage_store_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
(allow utype semanage_store_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
(allow utype semanage_store_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads)))
; read-only access to the login/user mapping configuration
(allow utype selinux_login_config_t (dir (ioctl read getattr lock open search)))
(allow utype selinux_login_config_t (file (ioctl read getattr lock open)))
(allow utype selinux_login_config_t (lnk_file (read getattr)))
|
|
; sudo_type -> semanage_t on semanage_exec_t.  The sudo domain, not utype
; directly, is the one that executes the semanage tools here.
(allow sudo_type usr_t (dir (getattr open search)))
(allow sudo_type bin_t (dir (getattr open search)))
(allow sudo_type bin_t (lnk_file (read getattr)))
(allow sudo_type semanage_exec_t (file (ioctl read getattr map execute open)))
(allow sudo_type semanage_t (process (transition)))
(typetransition sudo_type semanage_exec_t process semanage_t)
(allow semanage_t sudo_type (fd (use)))
(allow semanage_t sudo_type (fifo_file (ioctl read write getattr lock append)))
(allow semanage_t sudo_type (process (sigchld)))
; semanage_t -> setfiles_t and semanage_t -> load_policy_t: relabeling and
; the policy load run as children of semanage_t and inherit its
; descriptors and pipes.
(allow semanage_t usr_t (dir (getattr open search)))
(allow semanage_t bin_t (dir (getattr open search)))
(allow semanage_t bin_t (lnk_file (read getattr)))
(allow semanage_t setfiles_exec_t (file (ioctl read getattr map execute open)))
(allow semanage_t setfiles_t (process (transition)))
(typetransition semanage_t setfiles_exec_t process setfiles_t)
(allow setfiles_t semanage_t (fd (use)))
(allow setfiles_t semanage_t (fifo_file (ioctl read write getattr lock append)))
(allow setfiles_t semanage_t (process (sigchld)))
(allow semanage_t load_policy_exec_t (file (ioctl read getattr map execute open)))
(allow semanage_t load_policy_t (process (transition)))
(typetransition semanage_t load_policy_exec_t process load_policy_t)
(allow load_policy_t semanage_t (fd (use)))
(allow load_policy_t semanage_t (fifo_file (ioctl read write getattr lock append)))
(allow load_policy_t semanage_t (process (sigchld)))
|
|
; utype -> newrole_t on newrole_exec_t
(allow utype usr_t (dir (getattr open search)))
(allow utype bin_t (dir (getattr open search)))
(allow utype bin_t (lnk_file (read getattr)))
(allow utype newrole_exec_t (file (ioctl read getattr map execute open)))
(allow utype newrole_t (process (transition)))
(typetransition utype newrole_exec_t process newrole_t)
(allow newrole_t utype (fd (use)))
(allow newrole_t utype (fifo_file (ioctl read write getattr lock append)))
(allow newrole_t utype (process (sigchld)))
; newrole_t -> updpwd_t on updpwd_exec_t
(allow newrole_t updpwd_exec_t (file (ioctl read getattr map execute open)))
(allow newrole_t updpwd_t (process (transition)))
(typetransition newrole_t updpwd_exec_t process updpwd_t)
(allow updpwd_t newrole_t (fd (use)))
(allow updpwd_t newrole_t (fifo_file (ioctl read write getattr lock append)))
(allow updpwd_t newrole_t (process (sigchld)))
; newrole_t is NOT granted read access to shadow_t; the attempt is merely
; kept out of the audit log.  Password checks go through the updpwd_t
; child above rather than by reading the shadow file in newrole_t.
(dontaudit newrole_t shadow_t (file (ioctl read getattr lock open)))
|
|
; sudo_type -> setfiles_t on setfiles_exec_t (restorecon/setfiles from the
; sudo domain, independent of the semanage_t path)
(allow sudo_type usr_t (dir (getattr open search)))
(allow sudo_type bin_t (dir (getattr open search)))
(allow sudo_type bin_t (lnk_file (read getattr)))
(allow sudo_type setfiles_exec_t (file (ioctl read getattr map execute open)))
(allow sudo_type setfiles_t (process (transition)))
(typetransition sudo_type setfiles_exec_t process setfiles_t)
(allow setfiles_t sudo_type (fd (use)))
(allow setfiles_t sudo_type (fifo_file (ioctl read write getattr lock append)))
(allow setfiles_t sudo_type (process (sigchld)))
; Directories utype creates inside selinux_config_t under the store's
; well-known names are labeled as part of the policy store.  This only
; matters because utype has add_name on selinux_config_t elsewhere in this
; optional; the transition itself grants no access.
(typetransition utype selinux_config_t dir "active" semanage_store_t)
(typetransition utype selinux_config_t dir "previous" semanage_store_t)
(typetransition utype selinux_config_t dir "modules" semanage_store_t)
(typetransition utype selinux_config_t dir "tmp" semanage_store_t)
|
|
(optional confinedom_security_advanced_optional_3
    ; newrole_t may launch namespace_init_t, which in turn may launch
    ; setfiles_t.  Both become reachable from the caller's role.
    (roleattributeset cil_gen_require urole)
    (typeattributeset cil_gen_require usr_t)
    (typeattributeset cil_gen_require bin_t)
    (typeattributeset cil_gen_require setfiles_t)
    (typeattributeset cil_gen_require setfiles_exec_t)
    (typeattributeset cil_gen_require namespace_init_t)
    (typeattributeset cil_gen_require namespace_init_exec_t)
    (roletype urole setfiles_t)
    (roletype urole namespace_init_t)
    ; newrole_t -> namespace_init_t on namespace_init_exec_t
    (allow newrole_t namespace_init_exec_t (file (ioctl read getattr map execute open)))
    (allow newrole_t namespace_init_t (process (transition)))
    (typetransition newrole_t namespace_init_exec_t process namespace_init_t)
    (allow namespace_init_t newrole_t (fd (use)))
    (allow namespace_init_t newrole_t (fifo_file (ioctl read write getattr lock append)))
    (allow namespace_init_t newrole_t (process (sigchld)))
    ; namespace_init_t -> setfiles_t on setfiles_exec_t
    (allow namespace_init_t usr_t (dir (getattr open search)))
    (allow namespace_init_t bin_t (dir (getattr open search)))
    (allow namespace_init_t bin_t (lnk_file (read getattr)))
    (allow namespace_init_t setfiles_exec_t (file (ioctl read getattr map execute open)))
    (allow namespace_init_t setfiles_t (process (transition)))
    (typetransition namespace_init_t setfiles_exec_t process setfiles_t)
    (allow setfiles_t namespace_init_t (fd (use)))
    (allow setfiles_t namespace_init_t (fifo_file (ioctl read write getattr lock append)))
    (allow setfiles_t namespace_init_t (process (sigchld)))
)
|
|
(optional confinedom_security_advanced_optional_4
|
|
(roletype object_r userhelper_type)
|
|
(typeattributeset cil_gen_require var_t)
|
|
(typeattributeset cil_gen_require etc_t)
|
|
(typeattributeset cil_gen_require security_t)
|
|
(typeattributeset cil_gen_require sysfs_t)
|
|
(typeattributeset cil_gen_require selinux_config_t)
|
|
(typeattributeset cil_gen_require usr_t)
|
|
(typeattributeset cil_gen_require bin_t)
|
|
(typeattributeset cil_gen_require updpwd_t)
|
|
(typeattributeset cil_gen_require updpwd_exec_t)
|
|
(typeattributeset cil_gen_require shadow_t)
|
|
(typeattributeset cil_gen_require userhelper_type)
|
|
(typeattributeset cil_gen_require userhelper_exec_t)
|
|
(typeattributeset cil_gen_require userhelper_conf_t)
|
|
(typeattributeset cil_gen_require application_domain_type)
|
|
(typeattributeset cil_gen_require domain)
|
|
(typeattributeset cil_gen_require corenet_unlabeled_type)
|
|
(typeattributeset cil_gen_require application_exec_type)
|
|
(typeattributeset cil_gen_require exec_type)
|
|
(typeattributeset cil_gen_require file_type)
|
|
(typeattributeset cil_gen_require non_security_file_type)
|
|
(typeattributeset cil_gen_require non_auth_file_type)
|
|
(typeattributeset cil_gen_require entry_type)
|
|
(typeattributeset cil_gen_require ubac_constrained_type)
|
|
(typeattributeset cil_gen_require can_change_process_role)
|
|
(typeattributeset cil_gen_require can_change_object_identity)
|
|
(typeattributeset cil_gen_require privfd)
|
|
(typeattributeset cil_gen_require can_change_process_identity)
|
|
(typeattributeset cil_gen_require sysctl_type)
|
|
(typeattributeset cil_gen_require proc_t)
|
|
(typeattributeset cil_gen_require proc_net_t)
|
|
(typeattributeset cil_gen_require debugfs_t)
|
|
(typeattributeset cil_gen_require kernel_system_state_reader)
|
|
(typeattributeset cil_gen_require shell_exec_t)
|
|
(typeattributeset cil_gen_require device_t)
|
|
(typeattributeset cil_gen_require urandom_device_t)
|
|
(typeattributeset cil_gen_require var_lib_t)
|
|
(typeattributeset cil_gen_require etc_runtime_t)
|
|
(typeattributeset cil_gen_require home_root_t)
|
|
(typeattributeset cil_gen_require autofs_t)
|
|
(typeattributeset cil_gen_require nfs_t)
|
|
(typeattributeset cil_gen_require devpts_t)
|
|
(typeattributeset cil_gen_require ttynode)
|
|
(typeattributeset cil_gen_require ptynode)
|
|
(typeattributeset cil_gen_require chkpwd_t)
|
|
(typeattributeset cil_gen_require chkpwd_exec_t)
|
|
(typeattributeset cil_gen_require auth_cache_t)
|
|
(typeattributeset cil_gen_require random_device_t)
|
|
(typeattributeset cil_gen_require nsswitch_domain)
|
|
(typeattributeset cil_gen_require netlabel_peer_type)
|
|
(typeattributeset cil_gen_require faillog_t)
|
|
(typeattributeset cil_gen_require var_log_t)
|
|
(typeattributeset cil_gen_require cert_t)
|
|
(typeattributeset cil_gen_require var_run_t)
|
|
(typeattributeset cil_gen_require pam_var_run_t)
|
|
(typeattributeset cil_gen_require var_auth_t)
|
|
(typeattributeset cil_gen_require pam_var_console_t)
|
|
(typeattributeset cil_gen_require syslog_client_type)
|
|
(typeattributeset cil_gen_require init_t)
|
|
(typeattributeset cil_gen_require initrc_var_run_t)
|
|
(typeattributeset cil_gen_require default_context_t)
|
|
(typeattributeset cil_gen_require unpriv_userdomain)
|
|
(roleattributeset cil_gen_require urole)
|
|
(roletype urole userhelper_type)
|
|
(typeattributeset cil_gen_require netlabel_peer_type)
|
|
(typeattributeset netlabel_peer_type (userhelper_type ))
|
|
(typeattributeset cil_gen_require can_change_process_identity)
|
|
(typeattributeset can_change_process_identity (userhelper_type ))
|
|
(typeattributeset cil_gen_require corenet_unlabeled_type)
|
|
(typeattributeset corenet_unlabeled_type (userhelper_type ))
|
|
(typeattributeset cil_gen_require privfd)
|
|
(typeattributeset privfd (userhelper_type ))
|
|
(typeattributeset cil_gen_require syslog_client_type)
|
|
(typeattributeset syslog_client_type (userhelper_type ))
|
|
(typeattributeset cil_gen_require file_type)
|
|
(typeattributeset file_type (userhelper_exec_t ))
|
|
(typeattributeset cil_gen_require non_security_file_type)
|
|
(typeattributeset non_security_file_type (userhelper_exec_t ))
|
|
(typeattributeset cil_gen_require can_change_object_identity)
|
|
(typeattributeset can_change_object_identity (userhelper_type ))
|
|
(typeattributeset cil_gen_require exec_type)
|
|
(typeattributeset exec_type (userhelper_exec_t ))
|
|
(typeattributeset cil_gen_require application_domain_type)
|
|
(typeattributeset application_domain_type (userhelper_type ))
|
|
(typeattributeset cil_gen_require ubac_constrained_type)
|
|
(typeattributeset ubac_constrained_type (userhelper_type ))
|
|
(typeattributeset cil_gen_require kernel_system_state_reader)
|
|
(typeattributeset kernel_system_state_reader (userhelper_type ))
|
|
(typeattributeset cil_gen_require can_change_process_role)
|
|
(typeattributeset can_change_process_role (userhelper_type ))
|
|
(typeattributeset cil_gen_require application_exec_type)
|
|
(typeattributeset application_exec_type (userhelper_exec_t ))
|
|
(typeattributeset cil_gen_require nsswitch_domain)
|
|
(typeattributeset nsswitch_domain (userhelper_type ))
|
|
(typeattributeset cil_gen_require entry_type)
|
|
(typeattributeset entry_type (userhelper_exec_t ))
|
|
(typeattributeset cil_gen_require non_auth_file_type)
|
|
(typeattributeset non_auth_file_type (userhelper_exec_t ))
|
|
(typeattributeset cil_gen_require domain)
|
|
(typeattributeset domain (userhelper_type ))
|
|
(typeattributeset cil_gen_require userhelper_type)
|
|
(allow userhelper_type userhelper_exec_t (file (entrypoint)))
|
|
(allow userhelper_type userhelper_exec_t (file (ioctl read getattr lock map execute open)))
|
|
(allow userhelper_type self (capability (chown dac_read_search setgid setuid net_bind_service sys_tty_config)))
|
|
(allow userhelper_type self (process (fork transition sigchld sigkill sigstop signull signal getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit)))
|
|
(allow userhelper_type self (process (setexec)))
|
|
(allow userhelper_type self (fd (use)))
|
|
(allow userhelper_type self (fifo_file (ioctl read write getattr lock append open)))
|
|
(allow userhelper_type self (shm (create destroy getattr setattr read write associate unix_read unix_write lock)))
|
|
(allow userhelper_type self (sem (create destroy getattr setattr read write associate unix_read unix_write)))
|
|
(allow userhelper_type self (msgq (create destroy getattr setattr read write associate unix_read unix_write enqueue)))
|
|
(allow userhelper_type self (msg (send receive)))
|
|
(allow userhelper_type self (unix_dgram_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown)))
|
|
(allow userhelper_type self (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown)))
|
|
(allow userhelper_type self (unix_dgram_socket (sendto)))
|
|
(allow userhelper_type self (unix_stream_socket (connectto)))
|
|
(allow userhelper_type self (sock_file (read getattr open)))
|
|
(allow utype userhelper_exec_t (file (ioctl read getattr map execute open)))
|
|
(allow utype userhelper_type (process (transition)))
|
|
(typetransition utype userhelper_exec_t process userhelper_type)
|
|
(allow userhelper_type utype (fd (use)))
|
|
(allow userhelper_type utype (fifo_file (ioctl read write getattr lock append)))
|
|
(allow userhelper_type utype (process (sigchld)))
|
|
(allow userhelper_type userhelper_conf_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow userhelper_type userhelper_conf_t (dir (getattr open search)))
|
|
(allow userhelper_type userhelper_conf_t (file (ioctl read write getattr lock append open)))
|
|
(allow userhelper_type userhelper_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
|
(dontaudit utype userhelper_type (process (signal)))
|
|
(allow userhelper_type sysctl_type (dir (getattr open search)))
|
|
(allow userhelper_type proc_t (dir (getattr open search)))
|
|
(allow userhelper_type proc_net_t (dir (getattr open search)))
|
|
(allow userhelper_type sysctl_type (file (ioctl read getattr lock open)))
|
|
(allow userhelper_type proc_t (dir (getattr open search)))
|
|
(allow userhelper_type proc_net_t (dir (getattr open search)))
|
|
(allow userhelper_type sysctl_type (dir (ioctl read getattr lock open search)))
|
|
(allow userhelper_type debugfs_t (filesystem (getattr)))
|
|
(allow userhelper_type bin_t (dir (getattr open search)))
|
|
(allow userhelper_type bin_t (dir (ioctl read getattr lock open search)))
|
|
(allow userhelper_type bin_t (dir (getattr open search)))
|
|
(allow userhelper_type bin_t (lnk_file (read getattr)))
|
|
(allow userhelper_type shell_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
|
(allow userhelper_type shell_exec_t (file (map)))
|
|
(allow userhelper_type bin_t (dir (getattr open search)))
|
|
(allow userhelper_type bin_t (lnk_file (read getattr)))
|
|
(allow userhelper_type bin_t (file (ioctl read getattr map execute open)))
|
|
(allow userhelper_type utype (process (transition)))
|
|
(allow userhelper_type usr_t (dir (getattr open search)))
|
|
(allow userhelper_type usr_t (lnk_file (read getattr)))
|
|
(allow userhelper_type usr_t (file (ioctl read getattr map execute open)))
|
|
(allow userhelper_type utype (process (transition)))
|
|
(typetransition userhelper_type bin_t process utype)
|
|
(typetransition userhelper_type usr_t process utype)
|
|
(allow userhelper_type privfd (fd (use)))
|
|
(allow userhelper_type privfd (process (sigchld)))
|
|
(allow userhelper_type device_t (dir (getattr open search)))
|
|
(allow userhelper_type urandom_device_t (chr_file (ioctl read getattr lock open)))
|
|
(allow userhelper_type device_t (dir (getattr open search)))
|
|
(allow userhelper_type device_t (dir (ioctl read getattr lock open search)))
|
|
(allow userhelper_type device_t (dir (getattr open search)))
|
|
(allow userhelper_type device_t (lnk_file (read getattr)))
|
|
(allow userhelper_type var_t (dir (getattr open search)))
|
|
(allow userhelper_type var_lib_t (dir (ioctl read getattr lock open search)))
|
|
(allow userhelper_type etc_t (dir (ioctl read getattr lock open search)))
|
|
(allow userhelper_type etc_t (dir (getattr open search)))
|
|
(allow userhelper_type etc_t (file (ioctl read getattr lock open)))
|
|
(allow userhelper_type etc_t (dir (getattr open search)))
|
|
(allow userhelper_type etc_t (lnk_file (read getattr)))
|
|
; --- userhelper_type: read-only access to system configuration trees ---
; /etc (and its runtime counterpart), /var, the home root and autofs mount
; points: directory search plus file / symlink reads, no write permissions.
(allow userhelper_type etc_t (dir (ioctl read getattr lock open search)))
(allow userhelper_type etc_t (dir (getattr open search)))
(allow userhelper_type etc_runtime_t (file (ioctl read getattr lock open)))
(allow userhelper_type etc_t (dir (getattr open search)))
(allow userhelper_type etc_runtime_t (lnk_file (read getattr)))
(allow userhelper_type var_t (dir (getattr open search)))
(allow userhelper_type var_t (file (ioctl read getattr lock open)))
(allow userhelper_type var_t (dir (getattr open search)))
(allow userhelper_type var_t (lnk_file (read getattr)))
(allow userhelper_type home_root_t (dir (getattr open search)))
(allow userhelper_type home_root_t (lnk_file (read getattr)))
(allow userhelper_type autofs_t (dir (getattr open search)))
(allow userhelper_type autofs_t (dir (getattr open search)))
; NFS-labelled trees, read-only.
(allow userhelper_type nfs_t (dir (ioctl read getattr lock open search)))
(allow userhelper_type nfs_t (dir (getattr open search)))
(allow userhelper_type nfs_t (file (ioctl read getattr lock open)))
(allow userhelper_type nfs_t (dir (ioctl read getattr lock open search)))
(allow userhelper_type nfs_t (dir (getattr open search)))
(allow userhelper_type nfs_t (lnk_file (read getattr)))
; --- selinuxfs / sysfs ---
; Each group below opens sysfs and selinuxfs (security_t) and grants one
; "security" class permission so the domain can query the in-kernel policy
; server: check_context, compute_av, compute_create, compute_relabel and
; compute_user.  The security_t file rules grant write (the first one also
; map) because those queries are made by writing to selinuxfs nodes.  No
; load_policy / setenforce / setbool permission is granted here.
(allow userhelper_type security_t (lnk_file (read getattr)))
(allow userhelper_type sysfs_t (filesystem (getattr)))
(allow userhelper_type sysfs_t (dir (getattr open search)))
(allow userhelper_type sysfs_t (dir (getattr open search)))
(allow userhelper_type security_t (filesystem (getattr)))
(allow userhelper_type sysfs_t (filesystem (getattr)))
(allow userhelper_type sysfs_t (dir (getattr open search)))
(allow userhelper_type sysfs_t (dir (getattr open search)))
(allow userhelper_type security_t (lnk_file (read getattr)))
(allow userhelper_type security_t (dir (ioctl read getattr lock open search)))
(allow userhelper_type security_t (file (ioctl read write getattr lock append map open)))
(allow userhelper_type security_t (security (check_context)))
(allow userhelper_type sysfs_t (filesystem (getattr)))
(allow userhelper_type sysfs_t (dir (getattr open search)))
(allow userhelper_type sysfs_t (dir (getattr open search)))
(allow userhelper_type security_t (lnk_file (read getattr)))
(allow userhelper_type security_t (dir (ioctl read getattr lock open search)))
(allow userhelper_type security_t (file (ioctl read write getattr lock append open)))
(allow userhelper_type security_t (security (compute_av)))
(allow userhelper_type sysfs_t (filesystem (getattr)))
(allow userhelper_type sysfs_t (dir (getattr open search)))
(allow userhelper_type sysfs_t (dir (getattr open search)))
(allow userhelper_type security_t (lnk_file (read getattr)))
(allow userhelper_type security_t (dir (ioctl read getattr lock open search)))
(allow userhelper_type security_t (file (ioctl read write getattr lock append open)))
(allow userhelper_type security_t (security (compute_create)))
(allow userhelper_type sysfs_t (filesystem (getattr)))
(allow userhelper_type sysfs_t (dir (getattr open search)))
(allow userhelper_type sysfs_t (dir (getattr open search)))
(allow userhelper_type security_t (lnk_file (read getattr)))
(allow userhelper_type security_t (dir (ioctl read getattr lock open search)))
(allow userhelper_type security_t (file (ioctl read write getattr lock append open)))
(allow userhelper_type security_t (security (compute_relabel)))
(allow userhelper_type sysfs_t (filesystem (getattr)))
(allow userhelper_type sysfs_t (dir (getattr open search)))
(allow userhelper_type sysfs_t (dir (getattr open search)))
(allow userhelper_type security_t (lnk_file (read getattr)))
(allow userhelper_type security_t (dir (ioctl read getattr lock open search)))
(allow userhelper_type security_t (file (ioctl read write getattr lock append open)))
(allow userhelper_type security_t (security (compute_user)))
; --- /dev and terminals ---
; Directory traversal under /dev and /dev/pts, plus the ability to relabel
; (relabelfrom/relabelto) tty and pty device nodes and to read/write them.
; Relabelling terminals is a privileged operation: it is what lets a login
; helper hand a terminal over to the user's context.
(allow userhelper_type device_t (dir (getattr open search)))
(allow userhelper_type device_t (dir (ioctl read getattr lock open search)))
(allow userhelper_type device_t (dir (getattr open search)))
(allow userhelper_type device_t (lnk_file (read getattr)))
(allow userhelper_type devpts_t (dir (ioctl read getattr lock open search)))
(allow userhelper_type device_t (dir (getattr open search)))
(allow userhelper_type device_t (dir (ioctl read getattr lock open search)))
(allow userhelper_type device_t (dir (getattr open search)))
(allow userhelper_type device_t (lnk_file (read getattr)))
(allow userhelper_type ttynode (chr_file (getattr relabelfrom relabelto)))
(allow userhelper_type device_t (dir (getattr open search)))
(allow userhelper_type device_t (dir (ioctl read getattr lock open search)))
(allow userhelper_type device_t (dir (getattr open search)))
(allow userhelper_type device_t (lnk_file (read getattr)))
(allow userhelper_type devpts_t (dir (getattr open search)))
(allow userhelper_type devpts_t (chr_file (getattr relabelfrom relabelto)))
(allow userhelper_type ptynode (chr_file (getattr relabelfrom relabelto)))
(allow userhelper_type device_t (dir (getattr open search)))
(allow userhelper_type device_t (dir (ioctl read getattr lock open search)))
(allow userhelper_type device_t (dir (getattr open search)))
(allow userhelper_type device_t (lnk_file (read getattr)))
(allow userhelper_type ttynode (chr_file (ioctl read write getattr lock append open)))
(allow userhelper_type device_t (dir (getattr open search)))
(allow userhelper_type device_t (dir (ioctl read getattr lock open search)))
(allow userhelper_type device_t (dir (getattr open search)))
(allow userhelper_type device_t (lnk_file (read getattr)))
(allow userhelper_type devpts_t (dir (ioctl read getattr lock open search)))
(allow userhelper_type ptynode (chr_file (ioctl read write getattr lock append open)))
; --- password checking via the chkpwd helper ---
; userhelper_type never reads shadow_t itself: it executes chkpwd_exec_t,
; which automatically transitions into chkpwd_t (typetransition), and the
; child may only reuse the parent's fds / pipes and signal SIGCHLD back.
; The shadow_t rule is dontaudit, not allow: direct reads of shadow-labelled
; files stay denied, they are merely not logged.
(allow userhelper_type auth_cache_t (dir (getattr open search)))
(allow userhelper_type bin_t (dir (getattr open search)))
(allow userhelper_type bin_t (lnk_file (read getattr)))
(allow userhelper_type bin_t (dir (getattr open search)))
(allow userhelper_type bin_t (dir (getattr open search)))
(allow userhelper_type chkpwd_exec_t (file (ioctl read getattr map execute open)))
(allow userhelper_type chkpwd_t (process (transition)))
(typetransition userhelper_type chkpwd_exec_t process chkpwd_t)
(allow chkpwd_t userhelper_type (fd (use)))
(allow chkpwd_t userhelper_type (fifo_file (ioctl read write getattr lock append)))
(allow chkpwd_t userhelper_type (process (sigchld)))
(allow userhelper_type chkpwd_exec_t (file (map)))
(dontaudit userhelper_type shadow_t (file (ioctl read getattr lock open)))
; Random number devices (read-only) and the faillog file (read/write/append).
(allow userhelper_type device_t (dir (getattr open search)))
(allow userhelper_type random_device_t (chr_file (ioctl read getattr lock open)))
(allow userhelper_type device_t (dir (getattr open search)))
(allow userhelper_type urandom_device_t (chr_file (ioctl read getattr lock open)))
(allow userhelper_type var_t (dir (getattr open search)))
(allow userhelper_type var_log_t (dir (getattr open search)))
(allow userhelper_type faillog_t (dir (getattr open search)))
(allow userhelper_type faillog_t (file (ioctl read write getattr lock append open)))
; Audit: CAP_AUDIT_WRITE plus a netlink audit socket including nlmsg_relay,
; i.e. the domain may submit its own records to the audit subsystem.
(allow userhelper_type self (capability (audit_write)))
(allow userhelper_type self (netlink_audit_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read nlmsg_relay nlmsg_tty_audit)))
; Certificate store, read-only.
(allow userhelper_type cert_t (dir (ioctl read getattr lock open search)))
(allow userhelper_type cert_t (dir (getattr open search)))
(allow userhelper_type cert_t (file (ioctl read getattr lock open)))
(allow userhelper_type cert_t (dir (getattr open search)))
(allow userhelper_type cert_t (lnk_file (read getattr)))
; --- password updates via the updpwd helper (same pattern as chkpwd) ---
(allow userhelper_type updpwd_exec_t (file (ioctl read getattr map execute open)))
(allow userhelper_type updpwd_t (process (transition)))
(typetransition userhelper_type updpwd_exec_t process updpwd_t)
(allow updpwd_t userhelper_type (fd (use)))
(allow updpwd_t userhelper_type (fifo_file (ioctl read write getattr lock append)))
(allow updpwd_t userhelper_type (process (sigchld)))
(dontaudit userhelper_type shadow_t (file (ioctl read getattr lock open)))
; --- PAM runtime state ---
; Full management (create/unlink/rename/rmdir/...) of pam_var_run_t and
; var_auth_t, and write access to the var_run_t directories that contain
; them.  The var_t / var_run_t search pairs are repeated once per interface
; expansion; duplicates are merged at compile time.
(allow userhelper_type var_t (lnk_file (read getattr)))
(allow userhelper_type var_run_t (lnk_file (read getattr)))
(allow userhelper_type var_t (dir (getattr open search)))
(allow userhelper_type var_run_t (dir (getattr open search)))
(allow userhelper_type pam_var_run_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
(allow userhelper_type pam_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
(allow userhelper_type var_t (dir (getattr open search)))
(allow userhelper_type var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow userhelper_type var_t (dir (getattr open search)))
(allow userhelper_type var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow userhelper_type var_t (dir (getattr open search)))
(allow userhelper_type var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow userhelper_type var_t (dir (getattr open search)))
(allow userhelper_type var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow userhelper_type var_t (dir (getattr open search)))
(allow userhelper_type var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow userhelper_type var_t (dir (getattr open search)))
(allow userhelper_type var_auth_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow userhelper_type var_auth_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
(allow userhelper_type var_auth_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow userhelper_type var_auth_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
(allow userhelper_type var_auth_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow userhelper_type var_auth_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads)))
(allow userhelper_type var_t (lnk_file (read getattr)))
(allow userhelper_type var_run_t (lnk_file (read getattr)))
(allow userhelper_type var_t (dir (getattr open search)))
(allow userhelper_type var_run_t (dir (getattr open search)))
(allow userhelper_type pam_var_console_t (dir (getattr open search)))
; May inherit file descriptors from init.
(allow userhelper_type init_t (fd (use)))
; Manage initrc_var_run_t files (the utmp transition below lands there).
(allow userhelper_type var_t (lnk_file (read getattr)))
(allow userhelper_type var_run_t (lnk_file (read getattr)))
(allow userhelper_type var_t (dir (getattr open search)))
(allow userhelper_type var_run_t (dir (getattr open search)))
(allow userhelper_type initrc_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
(allow userhelper_type var_t (dir (getattr open search)))
(allow userhelper_type var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
; SELinux configuration and default contexts, read-only.
(allow userhelper_type etc_t (dir (getattr open search)))
(allow userhelper_type selinux_config_t (dir (ioctl read getattr lock open search)))
(allow userhelper_type selinux_config_t (dir (getattr open search)))
(allow userhelper_type selinux_config_t (file (ioctl read getattr lock open)))
(allow userhelper_type selinux_config_t (dir (getattr open search)))
(allow userhelper_type selinux_config_t (lnk_file (read getattr)))
(allow userhelper_type etc_t (dir (getattr open search)))
(allow userhelper_type selinux_config_t (dir (getattr open search)))
(allow userhelper_type default_context_t (dir (ioctl read getattr lock open search)))
(allow userhelper_type default_context_t (dir (getattr open search)))
(allow userhelper_type default_context_t (file (ioctl read getattr lock open)))
; --- dropping into an unprivileged user domain ---
; userhelper_type may execute bin_t / usr_t / entry_type files and
; transition into any unpriv_userdomain; the child keeps the helper's fds
; and pipes and may signal SIGCHLD back.  No typetransition is present in
; this block, so the transition is not automatic on exec.
(allow userhelper_type bin_t (dir (getattr open search)))
(allow userhelper_type bin_t (lnk_file (read getattr)))
(allow userhelper_type bin_t (file (ioctl read getattr map execute open)))
(allow userhelper_type unpriv_userdomain (process (transition)))
(allow userhelper_type usr_t (dir (getattr open search)))
(allow userhelper_type usr_t (lnk_file (read getattr)))
(allow userhelper_type usr_t (file (ioctl read getattr map execute open)))
(allow userhelper_type unpriv_userdomain (process (transition)))
(allow unpriv_userdomain userhelper_type (fd (use)))
(allow unpriv_userdomain userhelper_type (fifo_file (ioctl read write getattr lock append open)))
(allow unpriv_userdomain userhelper_type (process (sigchld)))
(allow userhelper_type entry_type (file (ioctl read getattr map execute open)))
(allow userhelper_type unpriv_userdomain (process (transition)))
(allow unpriv_userdomain userhelper_type (fd (use)))
(allow unpriv_userdomain userhelper_type (fifo_file (ioctl read write getattr lock append open)))
(allow unpriv_userdomain userhelper_type (process (sigchld)))
; --- named file transitions under /run ---
; "utmp" created in var_run_t gets initrc_var_run_t; the listed PAM
; directories get pam_var_run_t, so the manage rules above apply to them.
(typetransition userhelper_type var_run_t file "utmp" initrc_var_run_t)
(typetransition userhelper_type var_run_t dir "sudo" pam_var_run_t)
(typetransition userhelper_type var_run_t dir "sepermit" pam_var_run_t)
(typetransition userhelper_type var_run_t dir "pam_timestamp" pam_var_run_t)
(typetransition userhelper_type var_run_t dir "pam_ssh" pam_var_run_t)
(typetransition userhelper_type var_run_t dir "pam_mount" pam_var_run_t)
; Optional: read access to Kerberos keytab files when that type exists.
; A keytab holds long-term service keys, so this is read-only and
; limited to krb5_keytab_t under /etc.
(optional confinedom_security_advanced_optional_5
    (typeattributeset cil_gen_require etc_t)
    (typeattributeset cil_gen_require krb5_keytab_t)
    (allow userhelper_type etc_t (dir (getattr open search)))
    (allow userhelper_type krb5_keytab_t (dir (ioctl read getattr lock open search)))
    (allow userhelper_type krb5_keytab_t (file (ioctl read getattr lock open)))
)
; Optional: talk to the pcscd smart-card daemon when it is present.
; Grants read of its runtime files and a client connection to its
; unix socket (write/append on the sock_file plus connectto on pcscd_t);
; nothing here lets userhelper_type modify pcscd state.
(optional confinedom_security_advanced_optional_6
    (typeattributeset cil_gen_require var_t)
    (typeattributeset cil_gen_require pcscd_var_run_t)
    (typeattributeset cil_gen_require var_run_t)
    (typeattributeset cil_gen_require pcscd_t)
    ; Runtime files, read-only.
    (allow userhelper_type var_t (lnk_file (read getattr)))
    (allow userhelper_type var_run_t (lnk_file (read getattr)))
    (allow userhelper_type var_t (dir (getattr open search)))
    (allow userhelper_type var_run_t (dir (getattr open search)))
    (allow userhelper_type pcscd_var_run_t (dir (getattr open search)))
    (allow userhelper_type pcscd_var_run_t (file (ioctl read getattr lock open)))
    ; Socket connection.
    (allow userhelper_type var_t (lnk_file (read getattr)))
    (allow userhelper_type var_run_t (lnk_file (read getattr)))
    (allow userhelper_type var_t (dir (getattr open search)))
    (allow userhelper_type var_run_t (dir (getattr open search)))
    (allow userhelper_type pcscd_var_run_t (dir (getattr open search)))
    (allow userhelper_type pcscd_var_run_t (sock_file (write getattr append open)))
    (allow userhelper_type pcscd_t (unix_stream_socket (connectto)))
)
; Optional: Samba / winbind integration when those types exist.
; Client-side only: search winbind's runtime directory, connect to its
; unix socket, and read the Samba configuration under /etc.
(optional confinedom_security_advanced_optional_7
    (typeattributeset cil_gen_require var_t)
    (typeattributeset cil_gen_require etc_t)
    (typeattributeset cil_gen_require var_run_t)
    (typeattributeset cil_gen_require samba_var_t)
    (typeattributeset cil_gen_require winbind_t)
    (typeattributeset cil_gen_require winbind_var_run_t)
    (typeattributeset cil_gen_require smbd_var_run_t)
    (typeattributeset cil_gen_require samba_etc_t)
    ; Path to the winbind socket and the connection itself.
    (allow userhelper_type var_t (lnk_file (read getattr)))
    (allow userhelper_type var_run_t (lnk_file (read getattr)))
    (allow userhelper_type var_t (dir (getattr open search)))
    (allow userhelper_type var_run_t (dir (getattr open search)))
    (allow userhelper_type smbd_var_run_t (dir (getattr open search)))
    (allow userhelper_type samba_var_t (dir (getattr open search)))
    (allow userhelper_type winbind_var_run_t (dir (getattr open search)))
    (allow userhelper_type winbind_var_run_t (sock_file (write getattr append open)))
    (allow userhelper_type winbind_t (unix_stream_socket (connectto)))
    ; Samba configuration, read-only.
    (allow userhelper_type etc_t (dir (getattr open search)))
    (allow userhelper_type samba_etc_t (dir (getattr open search)))
    (allow userhelper_type samba_etc_t (dir (ioctl read getattr lock open search)))
    (allow userhelper_type samba_etc_t (dir (getattr open search)))
    (allow userhelper_type samba_etc_t (file (ioctl read getattr lock open)))
)
; Optional: let userhelper_type run rpm (and the debuginfo helper) in the
; rpm_t domain.  Both execs transition automatically (typetransition) into
; rpm_t, and userhelper_type is added to the rpm_transition_domain
; attribute.  rpm_t is a package-management domain, so this is a notable
; privilege path; what rpm_t itself may do is defined elsewhere.
(optional confinedom_security_advanced_optional_8
    (typeattributeset cil_gen_require bin_t)
    (typeattributeset cil_gen_require rpm_t)
    (typeattributeset cil_gen_require rpm_exec_t)
    (typeattributeset cil_gen_require rpm_transition_domain)
    (typeattributeset cil_gen_require debuginfo_exec_t)
    (typeattributeset cil_gen_require rpm_transition_domain)
    (typeattributeset rpm_transition_domain (userhelper_type ))
    ; rpm_exec_t -> rpm_t
    (allow userhelper_type bin_t (dir (getattr open search)))
    (allow userhelper_type bin_t (lnk_file (read getattr)))
    (allow userhelper_type bin_t (dir (getattr open search)))
    (allow userhelper_type bin_t (dir (getattr open search)))
    (allow userhelper_type rpm_exec_t (file (ioctl read getattr map execute open)))
    (allow userhelper_type rpm_t (process (transition)))
    (typetransition userhelper_type rpm_exec_t process rpm_t)
    (allow rpm_t userhelper_type (fd (use)))
    (allow rpm_t userhelper_type (fifo_file (ioctl read write getattr lock append)))
    (allow rpm_t userhelper_type (process (sigchld)))
    ; debuginfo_exec_t -> rpm_t
    (allow userhelper_type bin_t (dir (getattr open search)))
    (allow userhelper_type bin_t (lnk_file (read getattr)))
    (allow userhelper_type bin_t (dir (getattr open search)))
    (allow userhelper_type bin_t (dir (getattr open search)))
    (allow userhelper_type debuginfo_exec_t (file (ioctl read getattr map execute open)))
    (allow userhelper_type rpm_t (process (transition)))
    (typetransition userhelper_type debuginfo_exec_t process rpm_t)
    (allow rpm_t userhelper_type (fd (use)))
    (allow rpm_t userhelper_type (fifo_file (ioctl read write getattr lock append)))
    (allow rpm_t userhelper_type (process (sigchld)))
    (allow userhelper_type debuginfo_exec_t (dir (getattr open search)))
    (allow userhelper_type debuginfo_exec_t (lnk_file (read getattr)))
)
; Optional: transition from userhelper_type into sysadm_t, gated on the
; secure_mode boolean.  The rules live in the (false ...) branch, so they
; are active only while secure_mode is OFF; enabling secure_mode removes
; this path into the administrative domain.  Only the transition permission
; is granted (no typetransition), so it is not automatic on exec.
(optional confinedom_security_advanced_optional_9
    (typeattributeset cil_gen_require usr_t)
    (typeattributeset cil_gen_require bin_t)
    (typeattributeset cil_gen_require entry_type)
    (typeattributeset cil_gen_require sysadm_t)
    (booleanif (secure_mode)
        (false
            ; Via any entry_type executable.
            (allow sysadm_t userhelper_type (process (sigchld)))
            (allow sysadm_t userhelper_type (fifo_file (ioctl read write getattr lock append open)))
            (allow sysadm_t userhelper_type (fd (use)))
            (allow userhelper_type sysadm_t (process (transition)))
            (allow userhelper_type entry_type (file (ioctl read getattr map execute open)))
            ; Via usr_t executables.
            (allow sysadm_t userhelper_type (process (sigchld)))
            (allow sysadm_t userhelper_type (fifo_file (ioctl read write getattr lock append open)))
            (allow sysadm_t userhelper_type (fd (use)))
            (allow userhelper_type sysadm_t (process (transition)))
            (allow userhelper_type usr_t (file (ioctl read getattr map execute open)))
            (allow userhelper_type usr_t (lnk_file (read getattr)))
            (allow userhelper_type usr_t (dir (getattr open search)))
            ; Via bin_t executables.
            (allow userhelper_type sysadm_t (process (transition)))
            (allow userhelper_type bin_t (file (ioctl read getattr map execute open)))
            (allow userhelper_type bin_t (lnk_file (read getattr)))
            (allow userhelper_type bin_t (dir (getattr open search)))
        )
    )
)
)
)
)
; confinedom_security_basic_macro: basic SELinux introspection for a
; confined user domain.
;
; Parameters:
;   utype  - the user domain type receiving the permissions
;   urole  - the user's role (accepted, but not referenced in this body)
;
; Effect: utype is added to the can_load_policy attribute and may read
; the kernel policy through selinuxfs (security class read_policy).  Note
; that the only security-class permission granted here is read_policy;
; the second security_t file rule grants write, which the policy query
; interface needs, but no load_policy / setenforce permission is given in
; this macro.  Whatever can_load_policy implies elsewhere is not visible
; in this block.
(macro confinedom_security_basic_macro ((type utype) (role urole))
    (optional confinedom_security_basic_optional_2
        (typeattributeset cil_gen_require utype)
        (typeattributeset cil_gen_require security_t)
        (typeattributeset cil_gen_require can_load_policy)
        (typeattributeset cil_gen_require sysfs_t)
        (typeattributeset cil_gen_require can_load_policy)
        (typeattributeset can_load_policy (utype ))
        ; selinuxfs read/write access.
        (allow utype sysfs_t (dir (getattr open search)))
        (allow utype sysfs_t (dir (getattr open search)))
        (allow utype security_t (dir (ioctl read getattr lock open search)))
        (allow utype security_t (file (ioctl read write getattr lock append open)))
        (allow utype security_t (lnk_file (read getattr)))
        ; selinuxfs read-only access plus the read_policy query.
        (allow utype sysfs_t (dir (getattr open search)))
        (allow utype sysfs_t (dir (getattr open search)))
        (allow utype security_t (dir (ioctl read getattr lock open search)))
        (allow utype security_t (file (ioctl read getattr lock open)))
        (allow utype security_t (lnk_file (read getattr)))
        (allow utype security_t (security (read_policy)))
    )
)
(macro confinedom_sudo_macro ((type utype) (role urole) (type sudo_type) (type sudo_tmp_type))
(optional confinedom_sudo_optional
;(type sudo_type)
|
|
(roletype object_r sudo_type)
|
|
;(type sudo_tmp_type)
|
|
(roletype object_r sudo_tmp_type)
|
|
(roleattributeset cil_gen_require urole)
|
|
(typeattributeset cil_gen_require utype)
|
|
(typeattributeset cil_gen_require sudo_type)
|
|
(typeattributeset cil_gen_require kernel_t)
|
|
(typeattributeset cil_gen_require sudo_exec_t)
|
|
(typeattributeset cil_gen_require sudo_db_t)
|
|
(typeattributeset cil_gen_require sudodomain)
|
|
(typeattributeset cil_gen_require application_domain_type)
|
|
(typeattributeset cil_gen_require domain)
|
|
(typeattributeset cil_gen_require corenet_unlabeled_type)
|
|
(typeattributeset cil_gen_require application_exec_type)
|
|
(typeattributeset cil_gen_require exec_type)
|
|
(typeattributeset cil_gen_require file_type)
|
|
(typeattributeset cil_gen_require non_security_file_type)
|
|
(typeattributeset cil_gen_require non_auth_file_type)
|
|
(typeattributeset cil_gen_require entry_type)
|
|
(typeattributeset cil_gen_require ubac_constrained_type)
|
|
(typeattributeset cil_gen_require privfd)
|
|
(typeattributeset cil_gen_require can_change_process_role)
|
|
(typeattributeset cil_gen_require userdom_home_manager_type)
|
|
(typeattributeset cil_gen_require tmpfile)
|
|
(typeattributeset cil_gen_require tmp_t)
|
|
(typeattributeset cil_gen_require polymember)
|
|
(typeattributeset cil_gen_require shell_exec_t)
|
|
(typeattributeset cil_gen_require bin_t)
|
|
(typeattributeset cil_gen_require usr_t)
|
|
(typeattributeset cil_gen_require user_home_t)
|
|
(typeattributeset cil_gen_require user_tmp_t)
|
|
(typeattributeset cil_gen_require tmpfs_t)
|
|
(typeattributeset cil_gen_require kernel_system_state_reader)
|
|
(typeattributeset cil_gen_require security_t)
|
|
(typeattributeset cil_gen_require sysfs_t)
|
|
(typeattributeset cil_gen_require selinux_config_t)
|
|
(typeattributeset cil_gen_require etc_t)
|
|
(typeattributeset cil_gen_require chkpwd_t)
|
|
(typeattributeset cil_gen_require chkpwd_exec_t)
|
|
(typeattributeset cil_gen_require shadow_t)
|
|
(typeattributeset cil_gen_require auth_cache_t)
|
|
(typeattributeset cil_gen_require device_t)
|
|
(typeattributeset cil_gen_require random_device_t)
|
|
(typeattributeset cil_gen_require urandom_device_t)
|
|
(typeattributeset cil_gen_require nsswitch_domain)
|
|
(typeattributeset cil_gen_require netlabel_peer_type)
|
|
(typeattributeset cil_gen_require faillog_t)
|
|
(typeattributeset cil_gen_require var_log_t)
|
|
(typeattributeset cil_gen_require var_t)
|
|
(typeattributeset cil_gen_require cert_t)
|
|
(typeattributeset cil_gen_require updpwd_t)
|
|
(typeattributeset cil_gen_require updpwd_exec_t)
|
|
(typeattributeset cil_gen_require syslog_client_type)
|
|
(typeattributeset cil_gen_require syslogd_var_run_t)
|
|
(typeattributeset cil_gen_require devpts_t)
|
|
(typeattributeset cil_gen_require sshd_devpts_t)
|
|
(typeattributeset cil_gen_require systemd_unit_file_type)
|
|
(typeattributeset cil_gen_require init_script_file_type)
|
|
(roleattributeset cil_gen_require urole)
|
|
(roletype urole sudo_type)
|
|
(roletype urole chkpwd_t)
|
|
(roletype urole updpwd_t)
|
|
(typeattributeset cil_gen_require netlabel_peer_type)
|
|
(typeattributeset netlabel_peer_type (sudo_type ))
|
|
(typeattributeset cil_gen_require corenet_unlabeled_type)
|
|
(typeattributeset corenet_unlabeled_type (sudo_type ))
|
|
(typeattributeset cil_gen_require privfd)
|
|
(typeattributeset privfd (sudo_type ))
|
|
(typeattributeset cil_gen_require syslog_client_type)
|
|
(typeattributeset syslog_client_type (sudo_type ))
|
|
(typeattributeset cil_gen_require file_type)
|
|
(typeattributeset file_type (sudo_exec_t sudo_tmp_type ))
|
|
(typeattributeset cil_gen_require tmpfile)
|
|
(typeattributeset tmpfile (sudo_tmp_type ))
|
|
(typeattributeset cil_gen_require non_security_file_type)
|
|
(typeattributeset non_security_file_type (sudo_exec_t sudo_tmp_type ))
|
|
(typeattributeset cil_gen_require exec_type)
|
|
(typeattributeset exec_type (sudo_exec_t ))
|
|
(typeattributeset cil_gen_require application_domain_type)
|
|
(typeattributeset application_domain_type (sudo_type ))
|
|
(typeattributeset cil_gen_require polymember)
|
|
(typeattributeset polymember (sudo_tmp_type ))
|
|
(typeattributeset cil_gen_require userdom_home_manager_type)
|
|
(typeattributeset userdom_home_manager_type (sudo_type ))
|
|
(typeattributeset cil_gen_require ubac_constrained_type)
|
|
(typeattributeset ubac_constrained_type (sudo_type ))
|
|
(typeattributeset cil_gen_require kernel_system_state_reader)
|
|
(typeattributeset kernel_system_state_reader (sudo_type ))
|
|
(typeattributeset cil_gen_require can_change_process_role)
|
|
(typeattributeset can_change_process_role (sudo_type ))
|
|
(typeattributeset cil_gen_require application_exec_type)
|
|
(typeattributeset application_exec_type (sudo_exec_t ))
|
|
(typeattributeset cil_gen_require nsswitch_domain)
|
|
(typeattributeset nsswitch_domain (sudo_type ))
|
|
(typeattributeset cil_gen_require entry_type)
|
|
(typeattributeset entry_type (sudo_exec_t ))
|
|
(typeattributeset cil_gen_require non_auth_file_type)
|
|
(typeattributeset non_auth_file_type (sudo_exec_t sudo_tmp_type ))
|
|
(typeattributeset cil_gen_require sudodomain)
|
|
(typeattributeset sudodomain (sudo_type ))
|
|
(typeattributeset cil_gen_require domain)
|
|
(typeattributeset domain (sudo_type ))
|
|
(allow sudo_type kernel_t (system (module_request)))
|
|
(allow sudo_type sudo_exec_t (file (entrypoint)))
|
|
(allow sudo_type sudo_exec_t (file (ioctl read getattr lock map execute open)))
|
|
(allow sudo_type sudo_tmp_type (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
|
(allow sudo_type tmp_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(typetransition sudo_type tmp_t file sudo_tmp_type)
|
|
(allow sudo_type utype (dir (getattr open search)))
|
|
(allow sudo_type utype (file (ioctl read getattr lock open)))
|
|
(allow sudo_type utype (key (search)))
|
|
(allow sudo_type utype (unix_stream_socket (read write connectto)))
|
|
(allow utype sudo_exec_t (file (ioctl read getattr map execute open)))
|
|
(allow utype sudo_type (process (transition)))
|
|
(typetransition utype sudo_exec_t process sudo_type)
|
|
(allow sudo_type utype (fd (use)))
|
|
(allow sudo_type utype (fifo_file (ioctl read write getattr lock append)))
|
|
(allow sudo_type utype (process (getpgid sigchld)))
|
|
(allow sudo_type bin_t (dir (getattr open search)))
|
|
(allow sudo_type bin_t (dir (ioctl read getattr lock open search)))
|
|
(allow sudo_type bin_t (dir (getattr open search)))
|
|
(allow sudo_type bin_t (lnk_file (read getattr)))
|
|
(allow sudo_type shell_exec_t (file (ioctl read getattr map execute open)))
|
|
(allow sudo_type utype (process (transition)))
|
|
(typetransition sudo_type shell_exec_t process utype)
|
|
(allow sudo_type bin_t (dir (getattr open search)))
|
|
(allow sudo_type bin_t (lnk_file (read getattr)))
|
|
(allow sudo_type bin_t (file (ioctl read getattr map execute open)))
|
|
(allow sudo_type utype (process (transition)))
|
|
(allow sudo_type usr_t (dir (getattr open search)))
|
|
(allow sudo_type usr_t (lnk_file (read getattr)))
|
|
(allow sudo_type usr_t (file (ioctl read getattr map execute open)))
|
|
(allow sudo_type utype (process (transition)))
|
|
(typetransition sudo_type bin_t process utype)
|
|
(typetransition sudo_type usr_t process utype)
|
|
(allow sudo_type user_home_t (dir (getattr open search)))
|
|
(allow sudo_type user_home_t (lnk_file (read getattr)))
|
|
(allow sudo_type user_home_t (file (ioctl read getattr map execute open)))
|
|
(allow sudo_type utype (process (transition)))
|
|
(typetransition sudo_type user_home_t process utype)
|
|
(allow sudo_type tmpfs_t (dir (getattr open search)))
|
|
(allow sudo_type tmp_t (dir (getattr open search)))
|
|
(allow sudo_type tmp_t (lnk_file (read getattr)))
|
|
(allow sudo_type tmp_t (dir (getattr open search)))
|
|
(allow sudo_type user_tmp_t (dir (getattr open search)))
|
|
(allow sudo_type user_tmp_t (lnk_file (read getattr)))
|
|
(allow sudo_type user_tmp_t (file (ioctl read getattr map execute open)))
|
|
(allow sudo_type utype (process (transition)))
|
|
(typetransition sudo_type user_tmp_t process utype)
|
|
(allow utype sudo_exec_t (file (entrypoint)))
|
|
(allow utype sudo_exec_t (file (ioctl read getattr lock map execute open)))
|
|
(allow sudo_type sudo_exec_t (file (ioctl read getattr map execute open)))
|
|
(allow sudo_type utype (process (transition)))
|
|
(typetransition sudo_type sudo_exec_t process utype)
|
|
(allow utype sudo_type (fd (use)))
|
|
(allow utype sudo_type (fifo_file (ioctl read write getattr lock append open)))
|
|
(allow utype sudo_type (process (sigchld sigkill sigstop signull signal)))
|
|
(allow sudo_type security_t (lnk_file (read getattr)))
|
|
(allow sudo_type sysfs_t (filesystem (getattr)))
|
|
(allow sudo_type sysfs_t (dir (getattr open search)))
|
|
(allow sudo_type sysfs_t (dir (getattr open search)))
|
|
(allow sudo_type security_t (filesystem (getattr)))
|
|
(allow sudo_type etc_t (dir (getattr open search)))
|
|
(allow sudo_type selinux_config_t (dir (ioctl read getattr lock open search)))
|
|
(allow sudo_type selinux_config_t (dir (getattr open search)))
|
|
(allow sudo_type selinux_config_t (file (ioctl read getattr lock open)))
|
|
(allow sudo_type selinux_config_t (dir (getattr open search)))
|
|
(allow sudo_type selinux_config_t (lnk_file (read getattr)))
|
|
(allow sudo_type auth_cache_t (dir (getattr open search)))
|
|
(allow sudo_type bin_t (dir (getattr open search)))
|
|
(allow sudo_type bin_t (lnk_file (read getattr)))
|
|
(allow sudo_type bin_t (dir (getattr open search)))
|
|
(allow sudo_type bin_t (dir (getattr open search)))
|
|
(allow sudo_type chkpwd_exec_t (file (ioctl read getattr map execute open)))
|
|
(allow sudo_type chkpwd_t (process (transition)))
|
|
(typetransition sudo_type chkpwd_exec_t process chkpwd_t)
|
|
(allow chkpwd_t sudo_type (fd (use)))
|
|
(allow chkpwd_t sudo_type (fifo_file (ioctl read write getattr lock append)))
|
|
(allow chkpwd_t sudo_type (process (sigchld)))
|
|
(allow sudo_type chkpwd_exec_t (file (map)))
|
|
(dontaudit sudo_type shadow_t (file (ioctl read getattr lock open)))
|
|
; ---------------------------------------------------------------------------
; Rules for the sudo domain (sudo_type is a parameter bound by the enclosing
; macro, whose start and end lie outside this excerpt).
; ---------------------------------------------------------------------------
; Traverse device_t directories and read the kernel random sources.
(allow sudo_type device_t (dir (getattr open search)))
(allow sudo_type random_device_t (chr_file (ioctl read getattr lock open)))
; Exact duplicate of the device_t rule above; CIL merges identical rules, so it adds nothing.
(allow sudo_type device_t (dir (getattr open search)))
(allow sudo_type urandom_device_t (chr_file (ioctl read getattr lock open)))
; Search var_t / var_log_t and read, write and append faillog_t files (no create or unlink).
(allow sudo_type var_t (dir (getattr open search)))
(allow sudo_type var_log_t (dir (getattr open search)))
(allow sudo_type faillog_t (dir (getattr open search)))
(allow sudo_type faillog_t (file (ioctl read write getattr lock append open)))
; Audit trail: the audit_write capability plus a netlink audit socket that may relay
; user-space records (nlmsg_relay, nlmsg_tty_audit) and read audit state (nlmsg_read).
; nlmsg_write is deliberately absent, so the domain cannot reconfigure the audit subsystem.
(allow sudo_type self (capability (audit_write)))
(allow sudo_type self (netlink_audit_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read nlmsg_relay nlmsg_tty_audit)))
; Read-only access to cert_t directories, files and symlinks.
; The first dir rule already contains (getattr open search), so the two narrower cert_t dir
; rules below are redundant.
(allow sudo_type cert_t (dir (ioctl read getattr lock open search)))
(allow sudo_type cert_t (dir (getattr open search)))
(allow sudo_type cert_t (file (ioctl read getattr lock open)))
(allow sudo_type cert_t (dir (getattr open search)))
(allow sudo_type cert_t (lnk_file (read getattr)))
; Domain transition sudo_type -> updpwd_t when executing updpwd_exec_t. The child may use
; the caller's descriptors, read/write its pipes (no open) and report exit via sigchld.
; The dontaudit only silences denials for direct shadow_t reads by sudo_type; it grants
; nothing, so shadow_t stays reachable solely through the updpwd_t helper.
(allow sudo_type updpwd_exec_t (file (ioctl read getattr map execute open)))
(allow sudo_type updpwd_t (process (transition)))
(typetransition sudo_type updpwd_exec_t process updpwd_t)
(allow updpwd_t sudo_type (fd (use)))
(allow updpwd_t sudo_type (fifo_file (ioctl read write getattr lock append)))
(allow updpwd_t sudo_type (process (sigchld)))
(dontaudit sudo_type shadow_t (file (ioctl read getattr lock open)))
; Verbatim repeat of the updpwd_t transition group above; no additional access results.
(allow sudo_type updpwd_exec_t (file (ioctl read getattr map execute open)))
(allow sudo_type updpwd_t (process (transition)))
(typetransition sudo_type updpwd_exec_t process updpwd_t)
(allow updpwd_t sudo_type (fd (use)))
(allow updpwd_t sudo_type (fifo_file (ioctl read write getattr lock append)))
(allow updpwd_t sudo_type (process (sigchld)))
(dontaudit sudo_type shadow_t (file (ioctl read getattr lock open)))
; syslogd_var_run_t: list and search the directory, read or map its files.
(allow sudo_type syslogd_var_run_t (dir (getattr open search)))
(allow sudo_type syslogd_var_run_t (file (ioctl read getattr lock open map)))
(allow sudo_type syslogd_var_run_t (dir (getattr open search)))
(allow sudo_type syslogd_var_run_t (dir (ioctl read getattr lock open search)))
; device_t again: list, search and follow symlinks (the narrower dir rules are subsumed).
(allow sudo_type device_t (dir (getattr open search)))
(allow sudo_type device_t (dir (ioctl read getattr lock open search)))
(allow sudo_type device_t (dir (getattr open search)))
(allow sudo_type device_t (lnk_file (read getattr)))
; Pseudo-terminals: list devpts_t, read/write and setattr on pty nodes.
; sshd_devpts_t nodes may be read and written but not opened, i.e. only an already-open
; (inherited) pty can be used.
(allow sudo_type devpts_t (dir (ioctl read getattr lock open search)))
(allow sudo_type devpts_t (chr_file (ioctl read write getattr lock append open)))
(allow sudo_type devpts_t (chr_file (setattr)))
(allow sudo_type sshd_devpts_t (chr_file (ioctl read write getattr lock append)))
; Blanket service control: start/stop/status/reload/enable/disable on every type carrying
; the systemd_unit_file_type or init_script_file_type attribute, not a curated subset.
; Review whether the admin role really needs control over all units.
(allow sudo_type systemd_unit_file_type (service (start stop status reload enable disable)))
(allow sudo_type init_script_file_type (service (start stop status reload enable disable)))
; Kerberos keytab access for the sudo domain: search etc_t, list krb5_keytab_t directories
; and read their files. By refpolicy labelling krb5_keytab_t presumably holds keytabs, i.e.
; long-term service keys, so this is read access to credential material - confirm it is needed.
; The block is optional: it is dropped silently if krb5_keytab_t is not defined.
(optional confinedom_sudo_optional_3
(typeattributeset cil_gen_require etc_t)
(typeattributeset cil_gen_require krb5_keytab_t)
(allow sudo_type etc_t (dir (getattr open search)))
(allow sudo_type krb5_keytab_t (dir (ioctl read getattr lock open search)))
(allow sudo_type krb5_keytab_t (file (ioctl read getattr lock open)))
)
; Smart-card daemon client access: the sudo domain may reach pcscd_var_run_t through
; var_t / var_run_t (dir search, symlink follow), read pcscd_var_run_t files, write to its
; socket file and connect to pcscd_t's unix stream socket. Dropped if pcscd_t is undefined.
(optional confinedom_sudo_optional_4
(typeattributeset cil_gen_require var_t)
(typeattributeset cil_gen_require pcscd_var_run_t)
(typeattributeset cil_gen_require var_run_t)
(typeattributeset cil_gen_require pcscd_t)
; Path traversal to the runtime directory plus read access to its files.
(allow sudo_type var_t (lnk_file (read getattr)))
(allow sudo_type var_run_t (lnk_file (read getattr)))
(allow sudo_type var_t (dir (getattr open search)))
(allow sudo_type var_run_t (dir (getattr open search)))
(allow sudo_type pcscd_var_run_t (dir (getattr open search)))
(allow sudo_type pcscd_var_run_t (file (ioctl read getattr lock open)))
; The five traversal rules below repeat the ones above verbatim (harmless, CIL merges them).
(allow sudo_type var_t (lnk_file (read getattr)))
(allow sudo_type var_run_t (lnk_file (read getattr)))
(allow sudo_type var_t (dir (getattr open search)))
(allow sudo_type var_run_t (dir (getattr open search)))
(allow sudo_type pcscd_var_run_t (dir (getattr open search)))
; Client side of the daemon's unix socket: write to the sock_file and connectto the domain.
(allow sudo_type pcscd_var_run_t (sock_file (write getattr append open)))
(allow sudo_type pcscd_t (unix_stream_socket (connectto)))
)
; Winbind / Samba client access: the sudo domain may connect to winbind_t over its unix
; socket (via winbind_var_run_t) and read samba_etc_t configuration. Dropped if the Samba
; types are undefined.
(optional confinedom_sudo_optional_5
(typeattributeset cil_gen_require etc_t)
(typeattributeset cil_gen_require var_t)
(typeattributeset cil_gen_require var_run_t)
(typeattributeset cil_gen_require samba_var_t)
(typeattributeset cil_gen_require winbind_t)
(typeattributeset cil_gen_require winbind_var_run_t)
(typeattributeset cil_gen_require smbd_var_run_t)
(typeattributeset cil_gen_require samba_etc_t)
; Traversal to the winbind socket directory; smbd_var_run_t and samba_var_t get search only.
(allow sudo_type var_t (lnk_file (read getattr)))
(allow sudo_type var_run_t (lnk_file (read getattr)))
(allow sudo_type var_t (dir (getattr open search)))
(allow sudo_type var_run_t (dir (getattr open search)))
(allow sudo_type smbd_var_run_t (dir (getattr open search)))
(allow sudo_type samba_var_t (dir (getattr open search)))
(allow sudo_type winbind_var_run_t (dir (getattr open search)))
; Client side of winbind's unix socket.
(allow sudo_type winbind_var_run_t (sock_file (write getattr append open)))
(allow sudo_type winbind_t (unix_stream_socket (connectto)))
; Read Samba configuration. The (ioctl read getattr lock open search) dir rule already
; covers the two (getattr open search) samba_etc_t dir rules around it.
(allow sudo_type etc_t (dir (getattr open search)))
(allow sudo_type samba_etc_t (dir (getattr open search)))
(allow sudo_type samba_etc_t (dir (ioctl read getattr lock open search)))
(allow sudo_type samba_etc_t (dir (getattr open search)))
(allow sudo_type samba_etc_t (file (ioctl read getattr lock open)))
)
; Mail submission from the sudo domain. Authorises urole for the mail domains and sets up
; the sendmail_exec_t -> user_mail_t domain transition; nested optionals add exim and
; mailman transitions when those types exist.
(optional confinedom_sudo_optional_6
(typeattributeset cil_gen_require mta_user_agent)
(typeattributeset cil_gen_require user_mail_t)
(typeattributeset cil_gen_require sendmail_exec_t)
(roleattributeset cil_gen_require urole)
; urole may run in the mail user-agent and user_mail_t domains.
(roletype urole mta_user_agent)
(roletype urole user_mail_t)
; Domain transition sudo_type -> user_mail_t on sendmail_exec_t; the child inherits the
; caller's descriptors, uses its pipes (no open) and signals exit with sigchld.
(allow sudo_type sendmail_exec_t (file (ioctl read getattr map execute open)))
(allow sudo_type user_mail_t (process (transition)))
(typetransition sudo_type sendmail_exec_t process user_mail_t)
(allow user_mail_t sudo_type (fd (use)))
(allow user_mail_t sudo_type (fifo_file (ioctl read write getattr lock append)))
(allow user_mail_t sudo_type (process (sigchld)))
(allow sudo_type sendmail_exec_t (lnk_file (read getattr)))
; Any mta_user_agent domain may likewise use the caller's fds and pipes and send sigchld;
; the caller may send ordinary signals to user_mail_t.
(allow mta_user_agent sudo_type (fd (use)))
(allow mta_user_agent sudo_type (process (sigchld)))
(allow mta_user_agent sudo_type (fifo_file (ioctl read write getattr lock append)))
(allow sudo_type user_mail_t (process (signal)))
; Exim: urole gains exim_t, and executing exim_exec_t transitions sudo_type -> exim_t.
; The three bin_t dir rules are identical; one would do.
(optional confinedom_sudo_optional_7
(typeattributeset cil_gen_require bin_t)
(typeattributeset cil_gen_require exim_t)
(typeattributeset cil_gen_require exim_exec_t)
(roleattributeset cil_gen_require urole)
(roletype urole exim_t)
(allow sudo_type bin_t (dir (getattr open search)))
(allow sudo_type bin_t (lnk_file (read getattr)))
(allow sudo_type bin_t (dir (getattr open search)))
(allow sudo_type bin_t (dir (getattr open search)))
(allow sudo_type exim_exec_t (file (ioctl read getattr map execute open)))
(allow sudo_type exim_t (process (transition)))
(typetransition sudo_type exim_exec_t process exim_t)
(allow exim_t sudo_type (fd (use)))
(allow exim_t sudo_type (fifo_file (ioctl read write getattr lock append)))
(allow exim_t sudo_type (process (sigchld)))
)
; Mailman: the transition here is from mta_user_agent (not sudo_type) to mailman_mail_t,
; so it applies to every domain carrying that attribute.
(optional confinedom_sudo_optional_8
(typeattributeset cil_gen_require mailman_mail_t)
(typeattributeset cil_gen_require mailman_mail_exec_t)
(roleattributeset cil_gen_require urole)
(roletype urole mailman_mail_t)
(allow mta_user_agent mailman_mail_exec_t (file (ioctl read getattr map execute open)))
(allow mta_user_agent mailman_mail_t (process (transition)))
(typetransition mta_user_agent mailman_mail_exec_t process mailman_mail_t)
(allow mailman_mail_t mta_user_agent (fd (use)))
(allow mailman_mail_t mta_user_agent (fifo_file (ioctl read write getattr lock append)))
(allow mailman_mail_t mta_user_agent (process (sigchld)))
)
)
; Package management from the sudo domain. Besides the rpm_t / rpm_script_t transitions,
; this adds sudo_type to the rpm_transition_domain and can_system_change attributes and
; urole to rpm_script_roles; what those attributes grant is defined elsewhere in the policy,
; so the effective privilege of this block is wider than the rules listed here.
(optional confinedom_sudo_optional_9
(roleattributeset cil_gen_require rpm_script_roles)
(typeattributeset cil_gen_require bin_t)
(typeattributeset cil_gen_require rpm_t)
(typeattributeset cil_gen_require rpm_script_t)
(typeattributeset cil_gen_require rpm_exec_t)
(typeattributeset cil_gen_require rpm_transition_domain)
(typeattributeset cil_gen_require debuginfo_exec_t)
(typeattributeset cil_gen_require can_system_change)
; Attribute membership (the require lines are repeated from above; harmless).
(roleattributeset cil_gen_require rpm_script_roles)
(roleattributeset rpm_script_roles (urole ))
(typeattributeset cil_gen_require rpm_transition_domain)
(typeattributeset rpm_transition_domain (sudo_type ))
(typeattributeset cil_gen_require can_system_change)
(typeattributeset can_system_change (sudo_type ))
; Domain transition sudo_type -> rpm_t on rpm_exec_t (bin_t traversal rules are repeated).
(allow sudo_type bin_t (dir (getattr open search)))
(allow sudo_type bin_t (lnk_file (read getattr)))
(allow sudo_type bin_t (dir (getattr open search)))
(allow sudo_type bin_t (dir (getattr open search)))
(allow sudo_type rpm_exec_t (file (ioctl read getattr map execute open)))
(allow sudo_type rpm_t (process (transition)))
(typetransition sudo_type rpm_exec_t process rpm_t)
(allow rpm_t sudo_type (fd (use)))
(allow rpm_t sudo_type (fifo_file (ioctl read write getattr lock append)))
(allow rpm_t sudo_type (process (sigchld)))
; Same transition target (rpm_t) when executing debuginfo_exec_t; the bin_t and
; rpm_t-back-to-caller rules are duplicated from the group above.
(allow sudo_type bin_t (dir (getattr open search)))
(allow sudo_type bin_t (lnk_file (read getattr)))
(allow sudo_type bin_t (dir (getattr open search)))
(allow sudo_type bin_t (dir (getattr open search)))
(allow sudo_type debuginfo_exec_t (file (ioctl read getattr map execute open)))
(allow sudo_type rpm_t (process (transition)))
(typetransition sudo_type debuginfo_exec_t process rpm_t)
(allow rpm_t sudo_type (fd (use)))
(allow rpm_t sudo_type (fifo_file (ioctl read write getattr lock append)))
(allow rpm_t sudo_type (process (sigchld)))
(allow sudo_type debuginfo_exec_t (dir (getattr open search)))
(allow sudo_type debuginfo_exec_t (lnk_file (read getattr)))
; rpm_script_t: transition is allowed but no typetransition rule is given here, so it only
; happens on an explicit request (or one defined elsewhere). Note the caller may also use
; rpm_script_t's descriptors, and the script may open the caller's pipes (open is present).
(allow sudo_type rpm_script_t (process (transition)))
(allow sudo_type rpm_script_t (fd (use)))
(allow rpm_script_t sudo_type (fd (use)))
(allow rpm_script_t sudo_type (fifo_file (ioctl read write getattr lock append open)))
(allow rpm_script_t sudo_type (process (sigchld)))
)
; Kerberos support for the sudo domain. Note the structure: the can_change_object_identity
; attribute membership and the krb5 config/home reads are unconditional, while every rule
; inside (booleanif (kerberos_enabled) (true ...)) applies only when that boolean is on.
(optional confinedom_sudo_optional_10
(typeattributeset cil_gen_require tmp_t)
(typeattributeset cil_gen_require tmpfs_t)
(typeattributeset cil_gen_require security_t)
(typeattributeset cil_gen_require sysfs_t)
(typeattributeset cil_gen_require selinux_config_t)
(typeattributeset cil_gen_require etc_t)
(typeattributeset cil_gen_require krb5_host_rcache_t)
(typeattributeset cil_gen_require can_change_object_identity)
(typeattributeset cil_gen_require default_context_t)
(typeattributeset cil_gen_require file_context_t)
(typeattributeset cil_gen_require krb5_conf_t)
(typeattributeset cil_gen_require krb5_home_t)
(typeattributeset cil_gen_require can_change_object_identity)
; Unconditional: sudo_type joins can_change_object_identity (an attribute whose grants live
; elsewhere in the policy) and may read krb5_conf_t and krb5_home_t files.
(typeattributeset can_change_object_identity (sudo_type ))
(allow sudo_type etc_t (dir (getattr open search)))
(allow sudo_type krb5_conf_t (file (ioctl read getattr lock open)))
(allow sudo_type krb5_home_t (file (ioctl read getattr lock open)))
(booleanif (kerberos_enabled)
(true
; Replay cache: full create/write/unlink/rename on krb5_host_rcache_t files and
; add/remove entries in its directories and in tmp_t directories.
(allow sudo_type tmp_t (dir (getattr open search)))
(allow sudo_type tmp_t (lnk_file (read getattr)))
(allow sudo_type tmp_t (dir (getattr open search)))
(allow sudo_type tmpfs_t (dir (getattr open search)))
(allow sudo_type krb5_host_rcache_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
(allow sudo_type krb5_host_rcache_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow sudo_type tmp_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow sudo_type tmp_t (dir (getattr open search)))
(allow sudo_type tmp_t (lnk_file (read getattr)))
(allow sudo_type tmp_t (dir (getattr open search)))
(allow sudo_type tmpfs_t (dir (getattr open search)))
; Read and map the file-context database and default contexts; several of the
; file_context_t dir rules repeat each other.
(allow sudo_type file_context_t (file (map)))
(allow sudo_type file_context_t (lnk_file (read getattr)))
(allow sudo_type file_context_t (dir (getattr open search)))
(allow sudo_type file_context_t (file (ioctl read getattr lock open)))
(allow sudo_type file_context_t (dir (getattr open search)))
(allow sudo_type file_context_t (dir (ioctl read getattr lock open search)))
(allow sudo_type file_context_t (dir (getattr open search)))
(allow sudo_type selinux_config_t (dir (getattr open search)))
(allow sudo_type default_context_t (dir (getattr open search)))
(allow sudo_type etc_t (dir (getattr open search)))
; selinuxfs: validate contexts (check_context) and read/write/map security_t files.
; Write access to security_t is broader than validation alone needs - presumably what
; the libselinux interface requires; worth confirming.
(allow sudo_type security_t (security (check_context)))
(allow sudo_type security_t (file (ioctl read write getattr lock append map open)))
(allow sudo_type security_t (dir (ioctl read getattr lock open search)))
(allow sudo_type security_t (lnk_file (read getattr)))
(allow sudo_type sysfs_t (dir (getattr open search)))
(allow sudo_type sysfs_t (dir (getattr open search)))
(allow sudo_type sysfs_t (filesystem (getattr)))
; setfscreate lets the domain choose the label of files it creates (e.g. the rcache).
(allow sudo_type self (process (setfscreate)))
)
)
)
; systemctl from the sudo domain transitions to utype, the caller's own user domain
; (not to a privileged systemd domain). After the transition the process is subject to
; utype's rules, so the service-control permissions granted to sudo_type above do not
; apply to it; utype needs its own service permissions for systemctl to do anything.
(optional confinedom_sudo_optional_11
(typeattributeset cil_gen_require systemd_systemctl_exec_t)
(allow sudo_type systemd_systemctl_exec_t (file (ioctl read getattr map execute open)))
(allow sudo_type utype (process (transition)))
(typetransition sudo_type systemd_systemctl_exec_t process utype)
; utype must be able to enter through systemd_systemctl_exec_t for the transition to succeed.
(allow utype systemd_systemctl_exec_t (file (entrypoint)))
)
; Temporary-directory sockets and the passwd helper. The sudo domain may write to
; user_tmp_t socket files (write/append/open, no create) after traversing tmp_t/tmpfs_t;
; the nested optional adds the passwd_exec_t -> passwd_t domain transition.
(optional confinedom_sudo_optional_12
(typeattributeset cil_gen_require tmp_t)
(typeattributeset cil_gen_require user_tmp_t)
(typeattributeset cil_gen_require tmpfs_t)
(allow sudo_type user_tmp_t (sock_file (write getattr append open)))
(allow sudo_type tmpfs_t (dir (getattr open search)))
(allow sudo_type tmp_t (dir (getattr open search)))
(allow sudo_type tmp_t (lnk_file (read getattr)))
(allow sudo_type tmp_t (dir (getattr open search)))
; passwd: standard domain transition; passwd_t inherits the caller's descriptors, uses its
; pipes (no open) and signals exit with sigchld. Three of the bin_t dir rules are identical.
(optional confinedom_sudo_optional_13
(typeattributeset cil_gen_require bin_t)
(typeattributeset cil_gen_require passwd_t)
(typeattributeset cil_gen_require passwd_exec_t)
(allow sudo_type bin_t (dir (getattr open search)))
(allow sudo_type bin_t (lnk_file (read getattr)))
(allow sudo_type bin_t (dir (getattr open search)))
(allow sudo_type bin_t (dir (getattr open search)))
(allow sudo_type passwd_exec_t (file (ioctl read getattr map execute open)))
(allow sudo_type passwd_t (process (transition)))
(typetransition sudo_type passwd_exec_t process passwd_t)
(allow passwd_t sudo_type (fd (use)))
(allow passwd_t sudo_type (fifo_file (ioctl read write getattr lock append)))
(allow passwd_t sudo_type (process (sigchld)))
)
)
)
)
(macro confinedom_user_login_macro ((type utype) (role urole) (type gkeyringd_type) (type dbusd_type) (boolean exec_content_bool))
|
|
(optional confinedom_user_login_optional_2
|
|
(roletype object_r utype)
|
|
(typeattributeset cil_gen_require userdomain)
|
|
(typeattributeset cil_gen_require login_confinedom)
|
|
(typeattributeset cil_gen_require user_devpts_t)
|
|
(typeattributeset cil_gen_require user_tty_device_t)
|
|
(typeattributeset cil_gen_require shell_exec_t)
|
|
(typeattributeset cil_gen_require entry_type)
|
|
(typeattributeset cil_gen_require exec_type)
|
|
(typeattributeset cil_gen_require file_type)
|
|
(typeattributeset cil_gen_require non_security_file_type)
|
|
(typeattributeset cil_gen_require non_auth_file_type)
|
|
(typeattributeset cil_gen_require domain)
|
|
(typeattributeset cil_gen_require corenet_unlabeled_type)
|
|
(typeattributeset cil_gen_require process_user_target)
|
|
(typeattributeset cil_gen_require ubac_constrained_type)
|
|
(typeattributeset cil_gen_require userdom_filetrans_type)
|
|
(typeattributeset cil_gen_require user_tmp_t)
|
|
(typeattributeset cil_gen_require user_tmp_type)
|
|
(typeattributeset cil_gen_require tmp_t)
|
|
(typeattributeset cil_gen_require tmpfs_t)
|
|
(typeattributeset cil_gen_require user_home_dir_t)
|
|
(typeattributeset cil_gen_require user_home_t)
|
|
(typeattributeset cil_gen_require user_home_type)
|
|
(typeattributeset cil_gen_require home_root_t)
|
|
(typeattributeset cil_gen_require user_home_content_type)
|
|
(typeattributeset cil_gen_require polymember)
|
|
(typeattributeset cil_gen_require nfs_t)
|
|
(typeattributeset cil_gen_require cifs_t)
|
|
(typeattributeset cil_gen_require bsdpty_device_t)
|
|
(typeattributeset cil_gen_require devpts_t)
|
|
(typeattributeset cil_gen_require ptmx_t)
|
|
(typeattributeset cil_gen_require device_t)
|
|
(typeattributeset cil_gen_require ttynode)
|
|
(typeattributeset cil_gen_require ptynode)
|
|
(typeattributeset cil_gen_require console_device_t)
|
|
(typeattributeset cil_gen_require tty_device_t)
|
|
(typeattributeset cil_gen_require server_ptynode)
|
|
(typeattributeset cil_gen_require device_node)
|
|
(typeattributeset cil_gen_require virtio_device_t)
|
|
(typeattributeset cil_gen_require bin_t)
|
|
(typeattributeset cil_gen_require base_ro_file_type)
|
|
(typeattributeset cil_gen_require application_exec_type)
|
|
(typeattributeset cil_gen_require chkpwd_t)
|
|
(typeattributeset cil_gen_require chkpwd_exec_t)
|
|
(typeattributeset cil_gen_require shadow_t)
|
|
(typeattributeset cil_gen_require updpwd_t)
|
|
(typeattributeset cil_gen_require updpwd_exec_t)
|
|
(typeattributeset cil_gen_require passwd_file_t)
|
|
(typeattributeset cil_gen_require var_t)
|
|
(typeattributeset cil_gen_require var_lib_t)
|
|
(typeattributeset cil_gen_require var_run_t)
|
|
(typeattributeset cil_gen_require init_t)
|
|
(typeattributeset cil_gen_require nsswitch_domain)
|
|
(typeattributeset cil_gen_require netlabel_peer_type)
|
|
(typeattributeset cil_gen_require boot_t)
|
|
(typeattributeset cil_gen_require cgroup_t)
|
|
(typeattributeset cil_gen_require filesystem_type)
|
|
(typeattributeset cil_gen_require fs_t)
|
|
(typeattributeset cil_gen_require sysfs_t)
|
|
(typeattributeset cil_gen_require init_exec_t)
|
|
(typeattributeset cil_gen_require systemd_systemctl_exec_t)
|
|
(typeattributeset cil_gen_require efivarfs_t)
|
|
(typeattributeset cil_gen_require systemd_unit_file_type)
|
|
(typeattributeset cil_gen_require init_var_run_t)
|
|
(typeattributeset cil_gen_require systemd_logind_var_run_t)
|
|
(typeattributeset cil_gen_require systemd_passwd_agent_t)
|
|
(typeattributeset cil_gen_require systemd_passwd_agent_exec_t)
|
|
(typeattributeset cil_gen_require systemd_passwd_var_run_t)
|
|
(typeattributeset cil_gen_require kernel_t)
|
|
(typeattributeset cil_gen_require sysctl_type)
|
|
(typeattributeset cil_gen_require proc_t)
|
|
(typeattributeset cil_gen_require proc_net_t)
|
|
(typeattributeset cil_gen_require syslog_client_type)
|
|
(typeattributeset cil_gen_require locale_t)
|
|
(typeattributeset cil_gen_require mount_var_run_t)
|
|
(typeattributeset cil_gen_require sound_device_t)
|
|
(typeattributeset cil_gen_require security_t)
|
|
(typeattributeset cil_gen_require kernel_system_state_reader)
|
|
(typeattributeset cil_gen_require selinux_config_t)
|
|
(typeattributeset cil_gen_require etc_t)
|
|
(typeattributeset cil_gen_require default_context_t)
|
|
(typeattributeset cil_gen_require file_context_t)
|
|
(typeattributeset cil_gen_require fixed_disk_device_t)
|
|
(typeattributeset cil_gen_require systemd_hostnamed_t)
|
|
(typeattributeset cil_gen_require systemd_tmpfiles_exec_t)
|
|
(typeattributeset cil_gen_require udev_var_run_t)
|
|
(roleattributeset cil_gen_require urole)
|
|
(roletype urole utype)
|
|
(roletype urole user_tmp_t)
|
|
(typeattributeset cil_gen_require netlabel_peer_type)
|
|
(typeattributeset netlabel_peer_type (utype ))
|
|
(typeattributeset cil_gen_require login_confinedom)
|
|
(typeattributeset login_confinedom (utype ))
|
|
(typeattributeset cil_gen_require corenet_unlabeled_type)
|
|
(typeattributeset corenet_unlabeled_type (utype ))
|
|
(typeattributeset cil_gen_require syslog_client_type)
|
|
(typeattributeset syslog_client_type (utype ))
|
|
(typeattributeset cil_gen_require device_node)
|
|
(typeattributeset device_node (user_devpts_t ))
|
|
(typeattributeset cil_gen_require file_type)
|
|
(typeattributeset file_type (utype shell_exec_t ))
|
|
(typeattributeset cil_gen_require ptynode)
|
|
(typeattributeset ptynode (user_devpts_t ))
|
|
(typeattributeset cil_gen_require non_security_file_type)
|
|
(typeattributeset non_security_file_type (utype shell_exec_t ))
|
|
(typeattributeset cil_gen_require exec_type)
|
|
(typeattributeset exec_type (shell_exec_t ))
|
|
(typeattributeset cil_gen_require user_home_content_type)
|
|
(typeattributeset user_home_content_type (utype ))
|
|
(typeattributeset cil_gen_require polymember)
|
|
(typeattributeset polymember (utype ))
|
|
(typeattributeset cil_gen_require ubac_constrained_type)
|
|
(typeattributeset ubac_constrained_type (utype ))
|
|
(typeattributeset cil_gen_require kernel_system_state_reader)
|
|
(typeattributeset kernel_system_state_reader (utype ))
|
|
(typeattributeset cil_gen_require userdom_filetrans_type)
|
|
(typeattributeset userdom_filetrans_type (utype ))
|
|
(typeattributeset cil_gen_require nsswitch_domain)
|
|
(typeattributeset nsswitch_domain (utype ))
|
|
(typeattributeset cil_gen_require user_home_type)
|
|
(typeattributeset user_home_type (utype ))
|
|
(typeattributeset cil_gen_require userdomain)
|
|
(typeattributeset userdomain (utype ))
|
|
(typeattributeset cil_gen_require entry_type)
|
|
(typeattributeset entry_type (shell_exec_t ))
|
|
(typeattributeset cil_gen_require non_auth_file_type)
|
|
(typeattributeset non_auth_file_type (utype shell_exec_t ))
|
|
(typeattributeset cil_gen_require domain)
|
|
(typeattributeset domain (utype ))
|
|
(typeattributeset cil_gen_require process_user_target)
|
|
(typeattributeset process_user_target (utype ))
|
|
(allow utype shell_exec_t (file (entrypoint)))
|
|
(allow utype shell_exec_t (file (ioctl read getattr lock map execute open)))
|
|
(allow utype user_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype user_tmp_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
|
(allow utype user_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype user_tmp_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
|
(typemember utype tmp_t dir user_tmp_t)
|
|
(allow utype user_tmp_type (dir (mounton)))
|
|
(allow utype user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype user_tmp_type (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
|
(allow utype user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype user_tmp_type (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
|
(allow utype user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype user_tmp_type (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads)))
|
|
(allow utype user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype user_tmp_type (sock_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
|
(allow utype user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype user_tmp_type (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
|
(allow utype tmp_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(typetransition utype tmp_t fifo_file user_tmp_t)
|
|
(typetransition utype tmp_t sock_file user_tmp_t)
|
|
(typetransition utype tmp_t lnk_file user_tmp_t)
|
|
(typetransition utype tmp_t dir user_tmp_t)
|
|
(typetransition utype tmp_t file user_tmp_t)
|
|
(allow user_tmp_t tmpfs_t (filesystem (associate)))
|
|
(allow utype tmpfs_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(typetransition utype tmpfs_t fifo_file user_tmp_t)
|
|
(typetransition utype tmpfs_t sock_file user_tmp_t)
|
|
(typetransition utype tmpfs_t lnk_file user_tmp_t)
|
|
(typetransition utype tmpfs_t dir user_tmp_t)
|
|
(typetransition utype tmpfs_t file user_tmp_t)
|
|
(allow utype user_tmp_type (dir (getattr open search)))
|
|
(allow utype user_tmp_type (dir (getattr relabelfrom relabelto)))
|
|
(allow utype user_tmp_type (dir (getattr open search)))
|
|
(allow utype user_tmp_type (file (getattr relabelfrom relabelto)))
|
|
(allow utype user_tmp_type (dir (getattr open search)))
|
|
(allow utype user_tmp_type (lnk_file (getattr relabelfrom relabelto)))
|
|
(allow utype user_tmp_type (dir (getattr open search)))
|
|
(allow utype user_tmp_type (sock_file (getattr relabelfrom relabelto)))
|
|
(allow utype user_tmp_type (dir (getattr open search)))
|
|
(allow utype user_tmp_type (fifo_file (getattr relabelfrom relabelto)))
|
|
(allow utype user_tmp_type (file (map)))
|
|
(allow utype home_root_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype home_root_t (lnk_file (read getattr)))
|
|
(allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype user_home_type (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
|
(allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype user_home_type (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
|
(allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype user_home_type (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads)))
|
|
(allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype user_home_type (sock_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
|
(allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype user_home_type (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
|
(allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(typetransition utype user_home_dir_t fifo_file user_home_t)
|
|
(typetransition utype user_home_dir_t sock_file user_home_t)
|
|
(typetransition utype user_home_dir_t lnk_file user_home_t)
|
|
(typetransition utype user_home_dir_t dir user_home_t)
|
|
(typetransition utype user_home_dir_t file user_home_t)
|
|
(allow login_confinedom self (capability (mknod)))
|
|
(allow login_confinedom user_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow login_confinedom user_tmp_t (chr_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
|
(allow login_confinedom tmpfs_t (dir (getattr open search)))
|
|
(allow login_confinedom tmp_t (dir (getattr open search)))
|
|
(allow login_confinedom tmp_t (lnk_file (read getattr)))
|
|
(allow login_confinedom tmp_t (dir (getattr open search)))
|
|
(allow utype user_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype user_tmp_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
|
(allow utype tmpfs_t (dir (getattr open search)))
|
|
(allow utype tmp_t (dir (getattr open search)))
|
|
(allow utype tmp_t (lnk_file (read getattr)))
|
|
(allow utype tmp_t (dir (getattr open search)))
|
|
(allow utype user_home_t (filesystem (associate)))
|
|
(allow utype device_t (dir (getattr open search)))
|
|
(allow utype device_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype device_t (dir (getattr open search)))
|
|
(allow utype device_t (lnk_file (read getattr)))
|
|
(allow utype ptmx_t (chr_file (ioctl read write getattr lock append open)))
|
|
(allow utype devpts_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype devpts_t (filesystem (getattr)))
|
|
(dontaudit utype bsdpty_device_t (chr_file (read write getattr)))
|
|
(typetransition utype devpts_t chr_file user_devpts_t)
|
|
(allow utype device_t (dir (getattr open search)))
|
|
(allow utype device_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype device_t (dir (getattr open search)))
|
|
(allow utype device_t (lnk_file (read getattr)))
|
|
(allow utype devpts_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype devpts_t (chr_file (ioctl read write getattr lock append open)))
|
|
(allow utype ttynode (chr_file (ioctl read write getattr lock append open)))
|
|
(allow utype ptynode (chr_file (ioctl read write getattr lock append open)))
|
|
(allow utype console_device_t (chr_file (ioctl read write getattr lock append open)))
|
|
(allow utype tty_device_t (chr_file (ioctl read write getattr lock append open)))
|
|
(allow user_devpts_t devpts_t (filesystem (associate)))
|
|
(allow utype user_devpts_t (chr_file (setattr)))
|
|
(typechange utype server_ptynode chr_file user_devpts_t)
|
|
(allow utype device_t (dir (getattr open search)))
|
|
(allow utype device_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype device_t (dir (getattr open search)))
|
|
(allow utype device_t (lnk_file (read getattr)))
|
|
(allow utype virtio_device_t (chr_file (ioctl read write getattr lock append open)))
|
|
(allow utype utype (capability (chown dac_read_search setgid setuid audit_write)))
|
|
(allow utype utype (dbus (acquire_svc)))
|
|
(allow utype utype (process (setsched setcap setfscreate setsockcreate)))
|
|
(allow utype utype (netlink_audit_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read nlmsg_write nlmsg_relay)))
|
|
(allow utype utype (netlink_kobject_uevent_socket (create getattr bind getopt setopt)))
|
|
(allow utype utype (unix_dgram_socket (ioctl create bind connect getopt setopt sendto)))
|
|
(allow utype utype (unix_stream_socket (connectto)))
|
|
(allow utype utype (context (contains)))
|
|
(dontaudit utype exec_type (file (execute execute_no_trans)))
|
|
(allow utype bin_t (dir (getattr open search)))
|
|
(allow utype bin_t (lnk_file (read getattr)))
|
|
(allow utype bin_t (dir (getattr open search)))
|
|
(allow utype bin_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype bin_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
|
(allow utype base_ro_file_type (file (ioctl read getattr lock map execute open execute_no_trans)))
|
|
(allow utype bin_t (dir (getattr open search)))
|
|
(allow utype bin_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype bin_t (dir (getattr open search)))
|
|
(allow utype bin_t (lnk_file (read getattr)))
|
|
(allow utype shell_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
|
(allow utype shell_exec_t (file (map)))
|
|
(allow utype application_exec_type (file (ioctl read getattr lock map execute open execute_no_trans)))
|
|
(allow utype bin_t (dir (getattr open search)))
|
|
(allow utype bin_t (lnk_file (read getattr)))
|
|
(allow utype bin_t (dir (getattr open search)))
|
|
(allow utype bin_t (dir (getattr open search)))
|
|
(allow utype chkpwd_exec_t (file (ioctl read getattr map execute open)))
|
|
(allow utype chkpwd_t (process (transition)))
|
|
(typetransition utype chkpwd_exec_t process chkpwd_t)
|
|
(allow chkpwd_t utype (fd (use)))
|
|
(allow chkpwd_t utype (fifo_file (ioctl read write getattr lock append)))
|
|
(allow chkpwd_t utype (process (sigchld)))
|
|
(dontaudit utype shadow_t (file (read getattr)))
|
|
(allow utype updpwd_exec_t (file (ioctl read getattr map execute open)))
|
|
(allow utype updpwd_t (process (transition)))
|
|
(typetransition utype updpwd_exec_t process updpwd_t)
|
|
(allow updpwd_t utype (fd (use)))
|
|
(allow updpwd_t utype (fifo_file (ioctl read write getattr lock append)))
|
|
(allow updpwd_t utype (process (sigchld)))
|
|
(dontaudit utype shadow_t (file (ioctl read getattr lock open)))
|
|
(allow utype passwd_file_t (file (ioctl read getattr lock open)))
|
|
(allow utype init_t (dbus (send_msg)))
|
|
(allow init_t utype (dbus (send_msg)))
|
|
(dontaudit utype boot_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
|
(dontaudit utype boot_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
|
(allow utype cgroup_t (filesystem (getattr)))
|
|
(allow utype filesystem_type (dir (getattr)))
|
|
(allow utype tmpfs_t (filesystem (getattr)))
|
|
(allow utype fs_t (filesystem (getattr)))
|
|
(allow utype cgroup_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype cgroup_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
|
(allow utype tmpfs_t (dir (getattr open search)))
|
|
(allow utype sysfs_t (dir (getattr open search)))
|
|
(allow utype sysfs_t (dir (getattr open search)))
|
|
(allow utype cgroup_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype cgroup_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
|
(allow utype cgroup_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype cgroup_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads)))
|
|
(allow utype tmpfs_t (dir (getattr open search)))
|
|
(allow utype sysfs_t (dir (getattr open search)))
|
|
(allow utype sysfs_t (dir (getattr open search)))
|
|
(allow utype tmpfs_t (dir (getattr open search)))
|
|
(allow utype tmpfs_t (file (ioctl read getattr lock open)))
|
|
(allow utype filesystem_type (dir (getattr open search)))
|
|
(allow utype init_exec_t (file (entrypoint)))
|
|
(allow utype bin_t (dir (getattr open search)))
|
|
(allow utype bin_t (lnk_file (read getattr)))
|
|
(allow utype bin_t (dir (getattr open search)))
|
|
(allow utype bin_t (dir (getattr open search)))
|
|
(allow utype init_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
|
(allow utype init_t (system (status)))
|
|
(allow utype init_t (service (status)))
|
|
(allow utype kernel_t (unix_dgram_socket (sendto)))
|
|
(allow utype sysctl_type (dir (getattr open search)))
|
|
(allow utype proc_t (dir (getattr open search)))
|
|
(allow utype proc_net_t (dir (getattr open search)))
|
|
(allow utype sysctl_type (file (ioctl read getattr lock open)))
|
|
(allow utype proc_t (dir (getattr open search)))
|
|
(allow utype proc_net_t (dir (getattr open search)))
|
|
(allow utype sysctl_type (dir (ioctl read getattr lock open search)))
|
|
(allow utype proc_t (dir (getattr open search)))
|
|
(allow utype proc_net_t (dir (getattr open search)))
|
|
(allow utype proc_net_t (file (ioctl read getattr lock open)))
|
|
(allow utype proc_t (dir (getattr open search)))
|
|
(allow utype proc_net_t (dir (getattr open search)))
|
|
(allow utype proc_net_t (lnk_file (read getattr)))
|
|
(allow utype proc_t (dir (getattr open search)))
|
|
(allow utype proc_net_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype kernel_t (system (module_request)))
|
|
(allow utype kernel_t (unix_stream_socket (getattr connectto)))
|
|
(allow utype locale_t (dir (getattr open search)))
|
|
(allow utype locale_t (lnk_file (getattr watch)))
|
|
(allow utype mount_var_run_t (dir (getattr open search)))
|
|
(allow utype mount_var_run_t (file (ioctl read getattr lock open)))
|
|
(allow utype mount_var_run_t (dir (getattr open search)))
|
|
(allow utype mount_var_run_t (dir (ioctl read getattr lock open search watch watch_reads)))
|
|
(allow utype var_t (lnk_file (read getattr)))
|
|
(allow utype var_run_t (lnk_file (read getattr)))
|
|
(allow utype var_t (dir (getattr open search)))
|
|
(allow utype var_run_t (dir (getattr open search)))
|
|
(allow utype var_t (lnk_file (read getattr)))
|
|
(allow utype var_run_t (lnk_file (read getattr)))
|
|
(allow utype var_t (dir (getattr open search)))
|
|
(allow utype var_run_t (dir (getattr open search)))
|
|
(allow utype mount_var_run_t (dir (getattr open search)))
|
|
(allow utype mount_var_run_t (dir (getattr watch)))
|
|
(allow utype device_t (dir (getattr open search)))
|
|
(allow utype sound_device_t (chr_file (getattr)))
|
|
(allow utype sysfs_t (dir (getattr open search)))
|
|
(allow utype sysfs_t (file (ioctl read getattr lock open)))
|
|
(allow utype sysfs_t (dir (getattr open search)))
|
|
(allow utype sysfs_t (lnk_file (read getattr)))
|
|
(allow utype sysfs_t (dir (getattr open search)))
|
|
(allow utype sysfs_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype proc_t (dir (getattr open search)))
|
|
(allow utype proc_t (dir (getattr open search)))
|
|
(allow utype domain (dir (ioctl read getattr lock open search)))
|
|
(allow utype domain (dir (getattr open search)))
|
|
(allow utype domain (file (ioctl read getattr lock open)))
|
|
(allow utype domain (dir (getattr open search)))
|
|
(allow utype domain (lnk_file (read getattr)))
|
|
(allow utype sysfs_t (filesystem (getattr)))
|
|
(allow utype sysfs_t (dir (getattr open search)))
|
|
(allow utype sysfs_t (dir (getattr open search)))
|
|
(allow utype security_t (lnk_file (read getattr)))
|
|
(allow utype security_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype security_t (file (ioctl read write getattr lock append open)))
|
|
(allow utype security_t (security (compute_av)))
|
|
(allow utype sysfs_t (filesystem (getattr)))
|
|
(allow utype sysfs_t (dir (getattr open search)))
|
|
(allow utype sysfs_t (dir (getattr open search)))
|
|
(allow utype security_t (lnk_file (read getattr)))
|
|
(allow utype security_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype security_t (file (ioctl read write getattr lock append open)))
|
|
(allow utype security_t (security (compute_create)))
|
|
(allow utype sysfs_t (dir (getattr open search)))
|
|
(allow utype sysfs_t (dir (getattr open search)))
|
|
(allow utype security_t (lnk_file (read getattr)))
|
|
(allow utype sysfs_t (filesystem (getattr)))
|
|
(allow utype sysfs_t (dir (getattr open search)))
|
|
(allow utype sysfs_t (dir (getattr open search)))
|
|
(allow utype security_t (filesystem (getattr)))
|
|
(allow utype security_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype security_t (file (ioctl read getattr map open)))
|
|
(allow utype security_t (lnk_file (read getattr)))
|
|
(allow utype etc_t (dir (getattr open search)))
|
|
(allow utype selinux_config_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype selinux_config_t (dir (getattr open search)))
|
|
(allow utype selinux_config_t (file (ioctl read getattr lock open)))
|
|
(allow utype selinux_config_t (dir (getattr open search)))
|
|
(allow utype selinux_config_t (lnk_file (read getattr)))
|
|
(allow utype etc_t (dir (getattr open search)))
|
|
(allow utype selinux_config_t (dir (getattr open search)))
|
|
(allow utype default_context_t (dir (getattr open search)))
|
|
(allow utype file_context_t (dir (getattr open search)))
|
|
(allow utype file_context_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype file_context_t (dir (getattr open search)))
|
|
(allow utype file_context_t (file (ioctl read getattr lock open)))
|
|
(allow utype file_context_t (dir (getattr open search)))
|
|
(allow utype file_context_t (lnk_file (read getattr)))
|
|
(allow utype file_context_t (file (map)))
|
|
(allow utype device_t (dir (getattr open search)))
|
|
(allow utype device_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype device_t (dir (getattr open search)))
|
|
(allow utype device_t (lnk_file (read getattr)))
|
|
(allow utype fixed_disk_device_t (blk_file (getattr)))
|
|
(allow utype systemd_hostnamed_t (dbus (send_msg)))
|
|
(allow systemd_hostnamed_t utype (dbus (send_msg)))
|
|
(allow systemd_hostnamed_t utype (dir (ioctl read getattr lock open search)))
|
|
(allow systemd_hostnamed_t utype (file (ioctl read getattr lock open)))
|
|
(allow systemd_hostnamed_t utype (lnk_file (read getattr)))
|
|
(allow systemd_hostnamed_t utype (process (getattr)))
|
|
(allow utype bin_t (dir (getattr open search)))
|
|
(allow utype bin_t (lnk_file (read getattr)))
|
|
(allow utype bin_t (dir (getattr open search)))
|
|
(allow utype bin_t (dir (getattr open search)))
|
|
(allow utype systemd_systemctl_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
|
(allow utype cgroup_t (dir (getattr open search)))
|
|
(allow utype cgroup_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype tmpfs_t (dir (getattr open search)))
|
|
(allow utype sysfs_t (dir (getattr open search)))
|
|
(allow utype sysfs_t (dir (getattr open search)))
|
|
(allow utype cgroup_t (dir (getattr open search)))
|
|
(allow utype cgroup_t (file (ioctl read getattr lock open)))
|
|
(allow utype cgroup_t (dir (getattr open search)))
|
|
(allow utype cgroup_t (lnk_file (read getattr)))
|
|
(allow utype tmpfs_t (dir (getattr open search)))
|
|
(allow utype sysfs_t (dir (getattr open search)))
|
|
(allow utype sysfs_t (dir (getattr open search)))
|
|
(allow utype efivarfs_t (dir (getattr open search)))
|
|
(allow utype efivarfs_t (file (ioctl read getattr lock open)))
|
|
(allow utype var_t (dir (getattr open search)))
|
|
(allow utype var_lib_t (dir (getattr open search)))
|
|
(allow utype systemd_unit_file_type (dir (ioctl read getattr lock open search)))
|
|
(allow utype init_var_run_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype init_t (dir (getattr open search)))
|
|
(allow utype init_t (file (ioctl read getattr lock open)))
|
|
(allow utype init_t (lnk_file (read getattr)))
|
|
(allow utype init_t (unix_stream_socket (sendto)))
|
|
(allow utype var_t (lnk_file (read getattr)))
|
|
(allow utype var_run_t (lnk_file (read getattr)))
|
|
(allow utype var_t (dir (getattr open search)))
|
|
(allow utype var_run_t (dir (getattr open search)))
|
|
(allow utype init_var_run_t (dir (getattr open search)))
|
|
(allow utype init_var_run_t (sock_file (write getattr append open)))
|
|
(allow utype init_t (unix_stream_socket (connectto)))
|
|
(allow utype init_t (unix_stream_socket (getattr)))
|
|
(dontaudit utype self (process (setrlimit)))
|
|
(dontaudit utype self (capability (sys_resource)))
|
|
(allow utype var_t (lnk_file (read getattr)))
|
|
(allow utype var_run_t (lnk_file (read getattr)))
|
|
(allow utype var_t (dir (getattr open search)))
|
|
(allow utype var_run_t (dir (getattr open search)))
|
|
(allow utype systemd_logind_var_run_t (dir (getattr open search)))
|
|
(allow utype systemd_logind_var_run_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype var_t (lnk_file (read getattr)))
|
|
(allow utype var_run_t (lnk_file (read getattr)))
|
|
(allow utype var_t (dir (getattr open search)))
|
|
(allow utype var_run_t (dir (getattr open search)))
|
|
(allow utype systemd_logind_var_run_t (dir (getattr open search)))
|
|
(allow utype systemd_logind_var_run_t (file (ioctl read getattr lock open)))
|
|
(allow utype systemd_passwd_agent_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
|
(allow utype init_var_run_t (dir (getattr open search)))
|
|
(allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype systemd_passwd_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
|
(allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype systemd_passwd_var_run_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
|
(allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype systemd_passwd_var_run_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
|
(allow systemd_passwd_agent_t utype (process (signull)))
|
|
(allow systemd_passwd_agent_t utype (unix_dgram_socket (sendto)))
|
|
(dontaudit utype self (capability (net_admin sys_ptrace)))
|
|
(allow utype systemd_tmpfiles_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
|
(allow utype systemd_passwd_var_run_t (dir (getattr watch)))
|
|
(allow utype var_t (dir (getattr open search)))
|
|
(allow utype var_lib_t (dir (getattr open search)))
|
|
(allow utype systemd_unit_file_type (file (ioctl read getattr lock open)))
|
|
(allow utype systemd_unit_file_type (lnk_file (read getattr)))
|
|
(allow utype systemd_unit_file_type (dir (ioctl read getattr lock open search)))
|
|
(allow utype device_t (dir (getattr open search)))
|
|
(allow utype device_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype device_t (dir (getattr open search)))
|
|
(allow utype device_t (lnk_file (read getattr)))
|
|
(allow utype var_t (lnk_file (read getattr)))
|
|
(allow utype var_run_t (lnk_file (read getattr)))
|
|
(allow utype var_t (dir (getattr open search)))
|
|
(allow utype var_run_t (dir (getattr open search)))
|
|
(allow utype udev_var_run_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype udev_var_run_t (dir (getattr open search)))
|
|
(allow utype udev_var_run_t (file (ioctl read getattr lock open)))
|
|
(allow utype udev_var_run_t (dir (getattr open search)))
|
|
(allow utype udev_var_run_t (lnk_file (read getattr)))
|
|
(roleallow system_r urole)
|
|
(booleanif (deny_bluetooth)
|
|
(false
|
|
(allow utype self (bluetooth_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown)))
|
|
)
|
|
)
|
|
(booleanif (and (exec_content_bool) (use_samba_home_dirs))
|
|
(true
|
|
(allow utype cifs_t (file (ioctl read getattr map execute open execute_no_trans)))
|
|
(allow utype cifs_t (dir (getattr open search)))
|
|
(allow utype cifs_t (dir (ioctl read getattr lock open search)))
|
|
)
|
|
)
|
|
(booleanif (and (exec_content_bool) (use_nfs_home_dirs))
|
|
(true
|
|
(allow utype nfs_t (file (ioctl read getattr map execute open execute_no_trans)))
|
|
(allow utype nfs_t (dir (getattr open search)))
|
|
(allow utype nfs_t (dir (ioctl read getattr lock open search)))
|
|
)
|
|
)
|
|
(booleanif (exec_content_bool)
|
|
(true
|
|
(allow utype user_home_type (file (ioctl read getattr map execute open execute_no_trans)))
|
|
(allow utype user_home_dir_t (dir (getattr open search)))
|
|
(allow utype user_home_type (dir (getattr open search)))
|
|
(allow utype home_root_t (lnk_file (read getattr)))
|
|
(allow utype home_root_t (dir (getattr open search)))
|
|
(allow utype tmp_t (dir (getattr open search)))
|
|
(allow utype tmp_t (lnk_file (read getattr)))
|
|
(allow utype tmp_t (dir (getattr open search)))
|
|
(allow utype tmpfs_t (dir (getattr open search)))
|
|
(allow utype user_tmp_t (file (ioctl read getattr map execute open execute_no_trans)))
|
|
(allow utype user_tmp_t (dir (getattr open search)))
|
|
(allow utype user_tmp_t (file (entrypoint)))
|
|
)
|
|
)
(optional confinedom_user_login_optional_3
    ; sssd client access for the user domain. Like every optional block, it is
    ; dropped as a whole (rather than failing the build) when any required
    ; type is absent from the base policy.
    (typeattributeset cil_gen_require sssd_t)
    (typeattributeset cil_gen_require sssd_public_t)
    (typeattributeset cil_gen_require sssd_var_lib_t)
    (typeattributeset cil_gen_require var_t)
    (typeattributeset cil_gen_require var_lib_t)
    (typeattributeset cil_gen_require var_run_t)

    ; Directory traversal needed to reach sssd state under var_lib_t / var_run_t.
    (allow utype var_t (dir (getattr open search)))
    (allow utype var_t (lnk_file (read getattr)))
    (allow utype var_lib_t (dir (getattr open search)))
    (allow utype var_run_t (dir (getattr open search)))
    (allow utype var_run_t (lnk_file (read getattr)))
    (allow utype sssd_var_lib_t (dir (getattr open search)))

    ; Read-only listing, read and mmap of sssd_public_t files (no write).
    (allow utype sssd_public_t (dir (ioctl read getattr lock open search)))
    (allow utype sssd_public_t (file (ioctl read getattr lock open map)))

    ; Connecting to sssd's unix socket needs write on the sock_file node plus
    ; connectto on the listening domain's socket; both are granted here.
    (allow utype sssd_var_lib_t (sock_file (write getattr append open)))
    (allow utype sssd_t (unix_stream_socket (connectto)))
)
(optional confinedom_user_login_optional_4
; --- systemd client rules for the user domain ---
; Types the enclosing optional block depends on; if any is missing from the
; base policy the whole block is disabled.
(typeattributeset cil_gen_require tmpfs_t)
(typeattributeset cil_gen_require bin_t)
(typeattributeset cil_gen_require var_t)
(typeattributeset cil_gen_require var_lib_t)
(typeattributeset cil_gen_require var_run_t)
(typeattributeset cil_gen_require init_t)
(typeattributeset cil_gen_require cgroup_t)
(typeattributeset cil_gen_require sysfs_t)
(typeattributeset cil_gen_require systemd_systemctl_exec_t)
(typeattributeset cil_gen_require efivarfs_t)
(typeattributeset cil_gen_require systemd_unit_file_type)
(typeattributeset cil_gen_require init_var_run_t)
(typeattributeset cil_gen_require systemd_logind_var_run_t)
(typeattributeset cil_gen_require systemd_passwd_agent_t)
(typeattributeset cil_gen_require systemd_passwd_agent_exec_t)
(typeattributeset cil_gen_require systemd_passwd_var_run_t)

; systemctl runs in the caller's own domain (execute_no_trans: no domain
; transition on exec).
(allow utype bin_t (dir (getattr open search)))
(allow utype bin_t (lnk_file (read getattr)))
(allow utype systemd_systemctl_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))

; Read-only view of the cgroup, sysfs, tmpfs and efivarfs labelled trees.
(allow utype tmpfs_t (dir (getattr open search)))
(allow utype sysfs_t (dir (getattr open search)))
(allow utype cgroup_t (dir (ioctl read getattr lock open search)))
(allow utype cgroup_t (file (ioctl read getattr lock open)))
(allow utype cgroup_t (lnk_file (read getattr)))
(allow utype efivarfs_t (dir (getattr open search)))
(allow utype efivarfs_t (file (ioctl read getattr lock open)))

; Traversal of var_t / var_lib_t / var_run_t directories and symlinks.
(allow utype var_t (dir (getattr open search)))
(allow utype var_t (lnk_file (read getattr)))
(allow utype var_lib_t (dir (getattr open search)))
(allow utype var_run_t (dir (getattr open search)))
(allow utype var_run_t (lnk_file (read getattr)))

; Unit files and init's runtime directory are readable. sock_file write plus
; unix_stream_socket connectto is the pair needed to connect to a unix
; socket owned by init_t.
(allow utype systemd_unit_file_type (dir (ioctl read getattr lock open search)))
(allow utype init_var_run_t (dir (ioctl read getattr lock open search)))
(allow utype init_var_run_t (sock_file (write getattr append open)))
(allow utype init_t (dir (getattr open search)))
(allow utype init_t (file (ioctl read getattr lock open)))
(allow utype init_t (lnk_file (read getattr)))
(allow utype init_t (unix_stream_socket (getattr sendto connectto)))

; dontaudit silences the AVC record only; setrlimit and sys_resource remain
; denied for utype.
(dontaudit utype self (process (setrlimit)))
(dontaudit utype self (capability (sys_resource)))

; logind runtime state is read-only.
(allow utype systemd_logind_var_run_t (dir (ioctl read getattr lock open search)))
(allow utype systemd_logind_var_run_t (file (ioctl read getattr lock open)))

; Password agent: utype runs the agent binary without a transition and has
; full read/write, including create/unlink/rename, on the agent's runtime
; directory (files, sockets, fifos). The agent domain may null-signal utype
; and send datagrams to it.
(allow utype systemd_passwd_agent_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
(allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
(allow utype systemd_passwd_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
(allow utype systemd_passwd_var_run_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open)))
(allow utype systemd_passwd_var_run_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open)))
(allow systemd_passwd_agent_t utype (process (signull)))
(allow systemd_passwd_agent_t utype (unix_dgram_socket (sendto)))

; net_admin and sys_ptrace are still denied; this only keeps the denials out
; of the audit log, so do not expect AVC events for them from utype.
(dontaudit utype self (capability (net_admin sys_ptrace)))
(optional confinedom_user_login_optional_5
    ; D-Bus messaging in both directions between the user domain and the
    ; bluetooth_t domain; skipped entirely when bluetooth_t is not defined.
    (typeattributeset cil_gen_require bluetooth_t)
    (allow bluetooth_t utype (dbus (send_msg)))
    (allow utype bluetooth_t (dbus (send_msg)))
)
(optional confinedom_user_login_optional_6
|
|
(typeattributeset cil_gen_require shell_exec_t)
|
|
(typeattributeset cil_gen_require entry_type)
|
|
(typeattributeset cil_gen_require exec_type)
|
|
(typeattributeset cil_gen_require file_type)
|
|
(typeattributeset cil_gen_require non_security_file_type)
|
|
(typeattributeset cil_gen_require non_auth_file_type)
|
|
(typeattributeset cil_gen_require domain)
|
|
(typeattributeset cil_gen_require corenet_unlabeled_type)
|
|
(typeattributeset cil_gen_require ubac_constrained_type)
|
|
(typeattributeset cil_gen_require device_t)
|
|
(typeattributeset cil_gen_require bin_t)
|
|
(typeattributeset cil_gen_require base_ro_file_type)
|
|
(typeattributeset cil_gen_require application_exec_type)
|
|
(typeattributeset cil_gen_require chkpwd_t)
|
|
(typeattributeset cil_gen_require chkpwd_exec_t)
|
|
(typeattributeset cil_gen_require shadow_t)
|
|
(typeattributeset cil_gen_require updpwd_t)
|
|
(typeattributeset cil_gen_require updpwd_exec_t)
|
|
(typeattributeset cil_gen_require var_t)
|
|
(typeattributeset cil_gen_require nsswitch_domain)
|
|
(typeattributeset cil_gen_require netlabel_peer_type)
|
|
(typeattributeset cil_gen_require syslog_client_type)
|
|
(typeattributeset cil_gen_require kernel_system_state_reader)
|
|
(typeattributeset cil_gen_require cronjob_t)
|
|
(typeattributeset cil_gen_require crontab_t)
|
|
(typeattributeset cil_gen_require crontab_exec_t)
|
|
(typeattributeset cil_gen_require user_cron_spool_t)
|
|
(typeattributeset cil_gen_require crond_t)
|
|
(typeattributeset cil_gen_require application_domain_type)
|
|
(typeattributeset cil_gen_require auth_cache_t)
|
|
(typeattributeset cil_gen_require random_device_t)
|
|
(typeattributeset cil_gen_require urandom_device_t)
|
|
(typeattributeset cil_gen_require faillog_t)
|
|
(typeattributeset cil_gen_require var_log_t)
|
|
(typeattributeset cil_gen_require cert_t)
|
|
(typeattributeset cil_gen_require userdom_home_reader_type)
|
|
(roleattributeset cil_gen_require urole)
|
|
(roletype urole cronjob_t)
|
|
(roletype urole crontab_t)
|
|
(typeattributeset cil_gen_require netlabel_peer_type)
|
|
(typeattributeset netlabel_peer_type (utype ))
|
|
(typeattributeset cil_gen_require corenet_unlabeled_type)
|
|
(typeattributeset corenet_unlabeled_type (utype ))
|
|
(typeattributeset cil_gen_require syslog_client_type)
|
|
(typeattributeset syslog_client_type (utype ))
|
|
(typeattributeset cil_gen_require file_type)
|
|
(typeattributeset file_type (crontab_exec_t ))
|
|
(typeattributeset cil_gen_require non_security_file_type)
|
|
(typeattributeset non_security_file_type (crontab_exec_t ))
|
|
(typeattributeset cil_gen_require exec_type)
|
|
(typeattributeset exec_type (crontab_exec_t ))
|
|
(typeattributeset cil_gen_require application_domain_type)
|
|
(typeattributeset application_domain_type (utype ))
|
|
(typeattributeset cil_gen_require ubac_constrained_type)
|
|
(typeattributeset ubac_constrained_type (utype ))
|
|
(typeattributeset cil_gen_require kernel_system_state_reader)
|
|
(typeattributeset kernel_system_state_reader (utype ))
|
|
(typeattributeset cil_gen_require application_exec_type)
|
|
(typeattributeset application_exec_type (crontab_exec_t ))
|
|
(typeattributeset cil_gen_require nsswitch_domain)
|
|
(typeattributeset nsswitch_domain (utype ))
|
|
(typeattributeset cil_gen_require entry_type)
|
|
(typeattributeset entry_type (crontab_exec_t ))
|
|
(typeattributeset cil_gen_require non_auth_file_type)
|
|
(typeattributeset non_auth_file_type (crontab_exec_t ))
|
|
(typeattributeset cil_gen_require userdom_home_reader_type)
|
|
(typeattributeset userdom_home_reader_type (utype ))
|
|
(typeattributeset cil_gen_require domain)
|
|
(typeattributeset domain (utype ))
|
|
(allow utype crontab_exec_t (file (ioctl read getattr map execute open)))
|
|
(allow utype crontab_t (process (transition)))
|
|
(typetransition utype crontab_exec_t process crontab_t)
|
|
(allow crontab_t utype (fd (use)))
|
|
(allow crontab_t utype (fifo_file (ioctl read write getattr lock append)))
|
|
(allow crontab_t utype (process (sigchld)))
|
|
(dontaudit crond_t utype (process (noatsecure siginh rlimitinh)))
|
|
(allow utype crond_t (process (sigchld)))
|
|
(allow utype user_cron_spool_t (file (ioctl read write getattr)))
|
|
(allow utype crontab_t (process (sigchld sigkill sigstop signull signal)))
|
|
(allow utype crontab_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype crontab_t (file (ioctl read getattr lock open)))
|
|
(allow utype crontab_t (lnk_file (read getattr)))
|
|
(allow utype crontab_t (process (getattr)))
|
|
(allow utype crontab_exec_t (file (entrypoint)))
|
|
(allow utype crontab_exec_t (file (ioctl read getattr lock map execute open)))
|
|
(allow utype auth_cache_t (dir (getattr open search)))
|
|
(allow utype bin_t (dir (getattr open search)))
|
|
(allow utype bin_t (lnk_file (read getattr)))
|
|
(allow utype bin_t (dir (getattr open search)))
|
|
(allow utype bin_t (dir (getattr open search)))
|
|
(allow utype chkpwd_exec_t (file (ioctl read getattr map execute open)))
|
|
(allow utype chkpwd_t (process (transition)))
|
|
(typetransition utype chkpwd_exec_t process chkpwd_t)
|
|
(allow chkpwd_t utype (fd (use)))
|
|
(allow chkpwd_t utype (fifo_file (ioctl read write getattr lock append)))
|
|
(allow chkpwd_t utype (process (sigchld)))
|
|
(allow utype chkpwd_exec_t (file (map)))
|
|
(dontaudit utype shadow_t (file (ioctl read getattr lock open)))
|
|
(allow utype device_t (dir (getattr open search)))
|
|
(allow utype random_device_t (chr_file (ioctl read getattr lock open)))
|
|
(allow utype device_t (dir (getattr open search)))
|
|
(allow utype urandom_device_t (chr_file (ioctl read getattr lock open)))
|
|
(allow utype var_t (dir (getattr open search)))
|
|
(allow utype var_log_t (dir (getattr open search)))
|
|
(allow utype faillog_t (dir (getattr open search)))
|
|
(allow utype faillog_t (file (ioctl read write getattr lock append open)))
|
|
(allow utype self (capability (audit_write)))
|
|
(allow utype self (netlink_audit_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read nlmsg_relay nlmsg_tty_audit)))
|
|
(allow utype cert_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype cert_t (dir (getattr open search)))
|
|
(allow utype cert_t (file (ioctl read getattr lock open)))
|
|
(allow utype cert_t (dir (getattr open search)))
|
|
(allow utype cert_t (lnk_file (read getattr)))
|
|
(allow utype updpwd_exec_t (file (ioctl read getattr map execute open)))
|
|
(allow utype updpwd_t (process (transition)))
|
|
(typetransition utype updpwd_exec_t process updpwd_t)
|
|
(allow updpwd_t utype (fd (use)))
|
|
(allow updpwd_t utype (fifo_file (ioctl read write getattr lock append)))
|
|
(allow updpwd_t utype (process (sigchld)))
|
|
(dontaudit utype shadow_t (file (ioctl read getattr lock open)))
|
|
(allow crontab_t bin_t (dir (getattr open search)))
|
|
(allow crontab_t bin_t (lnk_file (read getattr)))
|
|
(allow crontab_t bin_t (dir (getattr open search)))
|
|
(allow crontab_t bin_t (dir (ioctl read getattr lock open search)))
|
|
(allow crontab_t bin_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
|
(allow crontab_t base_ro_file_type (file (ioctl read getattr lock map execute open execute_no_trans)))
|
|
(allow crontab_t bin_t (dir (getattr open search)))
|
|
(allow crontab_t bin_t (dir (ioctl read getattr lock open search)))
|
|
(allow crontab_t bin_t (dir (getattr open search)))
|
|
(allow crontab_t bin_t (lnk_file (read getattr)))
|
|
(allow crontab_t shell_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
|
(allow crontab_t shell_exec_t (file (map)))
|
|
(booleanif (cron_userdomain_transition)
|
|
(true
|
|
(allow utype cronjob_t (process (getattr)))
|
|
(allow utype cronjob_t (lnk_file (read getattr)))
|
|
(allow utype cronjob_t (file (ioctl read getattr lock open)))
|
|
(allow utype cronjob_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype cronjob_t (process (sigchld sigkill sigstop signull signal)))
|
|
(allow utype crond_t (fifo_file (ioctl read write getattr lock append open)))
|
|
(allow utype user_cron_spool_t (file (entrypoint)))
|
|
(allow crond_t utype (key (view read write search link setattr create)))
|
|
(allow crond_t utype (fd (use)))
|
|
(allow crond_t utype (process (transition)))
|
|
)
|
|
(false
|
|
(dontaudit utype cronjob_t (process (sigchld sigkill sigstop signull signal)))
|
|
(dontaudit utype crond_t (fifo_file (ioctl read write getattr lock append open)))
|
|
(dontaudit utype user_cron_spool_t (file (entrypoint)))
|
|
(dontaudit crond_t utype (key (view read write search link setattr create)))
|
|
(dontaudit crond_t utype (fd (use)))
|
|
(dontaudit crond_t utype (process (transition)))
|
|
)
|
|
)
|
|
(booleanif (deny_ptrace)
|
|
(false
|
|
(allow utype crontab_t (process (ptrace)))
|
|
)
|
|
)
|
|
(optional confinedom_user_login_optional_7
|
|
(typeattributeset cil_gen_require etc_t)
|
|
(typeattributeset cil_gen_require krb5_keytab_t)
|
|
(allow utype etc_t (dir (getattr open search)))
|
|
(allow utype krb5_keytab_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype krb5_keytab_t (file (ioctl read getattr lock open)))
|
|
)
|
|
(optional confinedom_user_login_optional_8
|
|
(typeattributeset cil_gen_require var_t)
|
|
(typeattributeset cil_gen_require var_run_t)
|
|
(typeattributeset cil_gen_require pcscd_var_run_t)
|
|
(typeattributeset cil_gen_require pcscd_t)
|
|
(allow utype var_t (lnk_file (read getattr)))
|
|
(allow utype var_run_t (lnk_file (read getattr)))
|
|
(allow utype var_t (dir (getattr open search)))
|
|
(allow utype var_run_t (dir (getattr open search)))
|
|
(allow utype pcscd_var_run_t (dir (getattr open search)))
|
|
(allow utype pcscd_var_run_t (file (ioctl read getattr lock open)))
|
|
(allow utype var_t (lnk_file (read getattr)))
|
|
(allow utype var_run_t (lnk_file (read getattr)))
|
|
(allow utype var_t (dir (getattr open search)))
|
|
(allow utype var_run_t (dir (getattr open search)))
|
|
(allow utype pcscd_var_run_t (dir (getattr open search)))
|
|
(allow utype pcscd_var_run_t (sock_file (write getattr append open)))
|
|
(allow utype pcscd_t (unix_stream_socket (connectto)))
|
|
)
|
|
; Samba/winbind name-service support: the user domain may connect to winbindd
; and read samba configuration. All file access granted here is read-only.
(optional confinedom_user_login_optional_9
(typeattributeset cil_gen_require var_t)
(typeattributeset cil_gen_require var_run_t)
(typeattributeset cil_gen_require etc_t)
(typeattributeset cil_gen_require samba_var_t)
(typeattributeset cil_gen_require winbind_t)
(typeattributeset cil_gen_require winbind_var_run_t)
(typeattributeset cil_gen_require smbd_var_run_t)
(typeattributeset cil_gen_require samba_etc_t)
; Path traversal to the samba / winbind runtime directories.
(allow utype var_t (lnk_file (read getattr)))
(allow utype var_run_t (lnk_file (read getattr)))
(allow utype var_t (dir (getattr open search)))
(allow utype var_run_t (dir (getattr open search)))
(allow utype smbd_var_run_t (dir (getattr open search)))
(allow utype samba_var_t (dir (getattr open search)))
(allow utype winbind_var_run_t (dir (getattr open search)))
; Connect to winbindd's unix socket.
(allow utype winbind_var_run_t (sock_file (write getattr append open)))
(allow utype winbind_t (unix_stream_socket (connectto)))
; Read samba configuration under samba_etc_t. The three samba_etc_t dir
; rules overlap; the second one is a superset of the other two.
(allow utype etc_t (dir (getattr open search)))
(allow utype samba_etc_t (dir (getattr open search)))
(allow utype samba_etc_t (dir (ioctl read getattr lock open search)))
(allow utype samba_etc_t (dir (getattr open search)))
(allow utype samba_etc_t (file (ioctl read getattr lock open)))
)
|
|
; Cron jobs may send D-Bus messages to the user domain.
; NOTE(review): the only require here is system_dbusd_t, but the rule names
; cronjob_t, which is not required in this block; presumably it is required
; by the enclosing block — confirm, otherwise this optional can fail to load.
(optional confinedom_user_login_optional_10
(typeattributeset cil_gen_require system_dbusd_t)
(allow cronjob_t utype (dbus (send_msg)))
)
|
|
)
|
|
; Per-user session D-Bus daemon domain (dbusd_type) and its relationship to
; the user domain (utype). dbusd_type is not declared here (the declaration
; below is commented out); presumably it is a parameter of the enclosing
; macro — confirm.
(optional confinedom_user_login_optional_11
;(type dbusd_type)
; object_r is needed so files/processes labelled dbusd_type are valid objects.
(roletype object_r dbusd_type)
; Requires: the optional is dropped if any of these is missing.
; NOTE(review): dbusd_etc_t is required but never referenced in this block,
; so it only adds a way for the whole block to be disabled — confirm it is
; still needed.
(typeattributeset cil_gen_require utype)
(typeattributeset cil_gen_require shell_exec_t)
(typeattributeset cil_gen_require entry_type)
(typeattributeset cil_gen_require exec_type)
(typeattributeset cil_gen_require file_type)
(typeattributeset cil_gen_require non_security_file_type)
(typeattributeset cil_gen_require non_auth_file_type)
(typeattributeset cil_gen_require domain)
(typeattributeset cil_gen_require corenet_unlabeled_type)
(typeattributeset cil_gen_require ubac_constrained_type)
(typeattributeset cil_gen_require bin_t)
(typeattributeset cil_gen_require application_exec_type)
(typeattributeset cil_gen_require nsswitch_domain)
(typeattributeset cil_gen_require netlabel_peer_type)
(typeattributeset cil_gen_require sysfs_t)
(typeattributeset cil_gen_require syslog_client_type)
(typeattributeset cil_gen_require security_t)
(typeattributeset cil_gen_require kernel_system_state_reader)
(typeattributeset cil_gen_require application_domain_type)
(typeattributeset cil_gen_require system_dbusd_t)
(typeattributeset cil_gen_require session_dbusd_tmp_t)
(typeattributeset cil_gen_require dbusd_unconfined)
(typeattributeset cil_gen_require session_bus_type)
(typeattributeset cil_gen_require dbusd_exec_t)
(typeattributeset cil_gen_require dbusd_etc_t)
(typeattributeset cil_gen_require userdom_home_manager_type)
(typeattributeset cil_gen_require usr_t)
(roleattributeset cil_gen_require urole)
; The user's role may run processes in dbusd_type.
(roletype urole dbusd_type)
; Attribute membership, as "require attribute, then add the type" pairs.
; dbusd_type joins the domain-side attributes (domain, application_domain_type,
; session_bus_type, nsswitch_domain, ...); dbusd_exec_t joins the file-side
; attributes (file_type, exec_type, entry_type, ...).
(typeattributeset cil_gen_require netlabel_peer_type)
(typeattributeset netlabel_peer_type (dbusd_type ))
(typeattributeset cil_gen_require corenet_unlabeled_type)
(typeattributeset corenet_unlabeled_type (dbusd_type ))
(typeattributeset cil_gen_require syslog_client_type)
(typeattributeset syslog_client_type (dbusd_type ))
(typeattributeset cil_gen_require file_type)
(typeattributeset file_type (dbusd_exec_t ))
(typeattributeset cil_gen_require non_security_file_type)
(typeattributeset non_security_file_type (dbusd_exec_t ))
(typeattributeset cil_gen_require exec_type)
(typeattributeset exec_type (dbusd_exec_t ))
(typeattributeset cil_gen_require application_domain_type)
(typeattributeset application_domain_type (dbusd_type ))
(typeattributeset cil_gen_require userdom_home_manager_type)
(typeattributeset userdom_home_manager_type (dbusd_type ))
(typeattributeset cil_gen_require ubac_constrained_type)
(typeattributeset ubac_constrained_type (dbusd_type ))
(typeattributeset cil_gen_require kernel_system_state_reader)
(typeattributeset kernel_system_state_reader (dbusd_type ))
(typeattributeset cil_gen_require application_exec_type)
(typeattributeset application_exec_type (dbusd_exec_t ))
(typeattributeset cil_gen_require nsswitch_domain)
(typeattributeset nsswitch_domain (dbusd_type ))
(typeattributeset cil_gen_require session_bus_type)
(typeattributeset session_bus_type (dbusd_type ))
(typeattributeset cil_gen_require entry_type)
(typeattributeset entry_type (dbusd_exec_t ))
(typeattributeset cil_gen_require non_auth_file_type)
(typeattributeset non_auth_file_type (dbusd_exec_t ))
(typeattributeset cil_gen_require domain)
(typeattributeset domain (dbusd_type ))
; Session bus runtime directory: the user may create the bus socket there.
(allow utype session_dbusd_tmp_t (dir (ioctl write getattr lock open add_name search)))
(allow utype session_dbusd_tmp_t (sock_file (create getattr setattr open)))
; Messages to the system bus.
(allow utype system_dbusd_t (dbus (send_msg)))
; dbusd_exec_t is the entrypoint of dbusd_type; the domain may map/execute it.
(allow dbusd_type dbusd_exec_t (file (entrypoint)))
(allow dbusd_type dbusd_exec_t (file (ioctl read getattr lock map execute open)))
; Read-only probing of selinuxfs (security_t) and sysfs. The two sysfs_t dir
; rules are identical (harmless duplicate).
(allow dbusd_type security_t (lnk_file (read getattr)))
(allow dbusd_type sysfs_t (filesystem (getattr)))
(allow dbusd_type sysfs_t (dir (getattr open search)))
(allow dbusd_type sysfs_t (dir (getattr open search)))
(allow dbusd_type security_t (filesystem (getattr)))
; Unix sockets between the user and its bus daemon. The user side gets the
; full stream-socket permission set (including bind/listen/accept); the
; daemon side may only read/write/accept on the user's sockets and send
; datagrams to it.
(allow utype dbusd_type (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown connectto)))
(allow dbusd_type utype (unix_stream_socket (read write getattr accept getopt)))
(allow dbusd_type utype (unix_dgram_socket (sendto)))
; dbus class: the user and the dbusd_unconfined attribute may acquire service
; names on the session bus and exchange messages; the user may also do so on
; the system bus.
(allow utype dbusd_type (dbus (acquire_svc send_msg)))
(allow dbusd_unconfined dbusd_type (dbus (acquire_svc send_msg)))
(allow utype system_dbusd_t (dbus (acquire_svc send_msg)))
; Inheritance flags for the utype -> dbusd_type transition: keep rlimits and
; signal state, and do not set AT_SECURE for the new image.
(allow utype dbusd_type (process (noatsecure siginh rlimitinh)))
(allow dbusd_type utype (dbus (send_msg)))
(allow utype dbusd_type (dbus (send_msg)))
; system/service classes are enforced by systemd, not the kernel: the bus
; daemon may start/reload against utype and start/stop units labelled
; session_dbusd_tmp_t.
(allow dbusd_type utype (system (start reload)))
(allow dbusd_type session_dbusd_tmp_t (service (start stop)))
; Full management of the session bus runtime directory and files by the user.
(allow utype session_dbusd_tmp_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
(allow utype session_dbusd_tmp_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
(allow dbusd_type dbusd_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
; utype -> dbusd_type domain transition through dbusd_exec_t, with the usual
; parent/child plumbing (inherited fds, pipes, SIGCHLD back to the parent).
(allow utype dbusd_exec_t (file (ioctl read getattr map execute open)))
(allow utype dbusd_type (process (transition)))
(typetransition utype dbusd_exec_t process dbusd_type)
(allow dbusd_type utype (fd (use)))
(allow dbusd_type utype (fifo_file (ioctl read write getattr lock append)))
(allow dbusd_type utype (process (sigchld)))
; The user may inspect the daemon's /proc entry and signal or kill it.
(allow utype dbusd_type (dir (ioctl read getattr lock open search)))
(allow utype dbusd_type (file (ioctl read getattr lock open)))
(allow utype dbusd_type (lnk_file (read getattr)))
(allow utype dbusd_type (process (getattr)))
(allow utype dbusd_type (process (sigchld sigkill sigstop signull signal)))
; Programs the session bus launches run back in the user domain:
; dbusd_type -> utype transitions on bin_t, usr_t and shell_exec_t
; executables. Several bin_t dir rules below repeat each other (harmless).
(allow dbusd_type bin_t (dir (getattr open search)))
(allow dbusd_type bin_t (lnk_file (read getattr)))
(allow dbusd_type bin_t (file (ioctl read getattr map execute open)))
(allow dbusd_type utype (process (transition)))
(allow dbusd_type usr_t (dir (getattr open search)))
(allow dbusd_type usr_t (lnk_file (read getattr)))
(allow dbusd_type usr_t (file (ioctl read getattr map execute open)))
(allow dbusd_type utype (process (transition)))
(typetransition dbusd_type bin_t process utype)
(typetransition dbusd_type usr_t process utype)
(allow dbusd_type bin_t (dir (getattr open search)))
(allow dbusd_type bin_t (dir (ioctl read getattr lock open search)))
(allow dbusd_type bin_t (dir (getattr open search)))
(allow dbusd_type bin_t (lnk_file (read getattr)))
(allow dbusd_type shell_exec_t (file (ioctl read getattr map execute open)))
(allow dbusd_type utype (process (transition)))
(typetransition dbusd_type shell_exec_t process utype)
(allow dbusd_type utype (process (sigkill)))
(allow utype dbusd_type (fd (use)))
(allow utype dbusd_type (fifo_file (ioctl read write getattr lock append open)))
; NOTE(review): service-class permissions on the whole file_type attribute
; let the session bus start/stop/enable/disable any unit whose file label
; is in file_type, not just session units. optional_13 below grants start on
; systemd_unit_file_t specifically, which looks like the intended scope —
; confirm whether this broad rule is still required.
(allow dbusd_type file_type (service (start stop status reload enable disable)))
; Do not log CAP_NET_ADMIN denials for the bus daemon (this grants nothing).
(dontaudit dbusd_type self (capability (net_admin)))
(allow utype session_dbusd_tmp_t (dir (getattr open search)))
(allow utype session_dbusd_tmp_t (sock_file (write getattr append open)))
; ptrace of the bus daemon by the user is allowed only while the deny_ptrace
; boolean is off.
(booleanif (deny_ptrace)
(false
(allow utype dbusd_type (process (ptrace)))
)
)
; Browser launched through the session bus. mozilla_exec_t is made an
; entrypoint of utype so that the dbusd_type -> utype transition on it is
; valid; the browser then runs in the user domain, not a separate one.
(optional confinedom_user_login_optional_12
(typeattributeset cil_gen_require entry_type)
(typeattributeset cil_gen_require exec_type)
(typeattributeset cil_gen_require file_type)
(typeattributeset cil_gen_require non_security_file_type)
(typeattributeset cil_gen_require non_auth_file_type)
(typeattributeset cil_gen_require mozilla_exec_t)
(typeattributeset cil_gen_require file_type)
(typeattributeset file_type (mozilla_exec_t ))
(typeattributeset cil_gen_require non_security_file_type)
(typeattributeset non_security_file_type (mozilla_exec_t ))
(typeattributeset cil_gen_require exec_type)
(typeattributeset exec_type (mozilla_exec_t ))
(typeattributeset cil_gen_require entry_type)
(typeattributeset entry_type (mozilla_exec_t ))
(typeattributeset cil_gen_require non_auth_file_type)
(typeattributeset non_auth_file_type (mozilla_exec_t ))
(allow utype mozilla_exec_t (file (entrypoint)))
(allow utype mozilla_exec_t (file (ioctl read getattr lock map execute open)))
(allow dbusd_type mozilla_exec_t (file (ioctl read getattr map execute open)))
(allow dbusd_type utype (process (transition)))
(typetransition dbusd_type mozilla_exec_t process utype)
(allow utype dbusd_type (fd (use)))
(allow utype dbusd_type (fifo_file (ioctl read write getattr lock append)))
(allow utype dbusd_type (process (sigchld)))
)
; The session bus may start systemd units labelled systemd_unit_file_t
; (start only; compare the broader file_type rule above).
(optional confinedom_user_login_optional_13
(typeattributeset cil_gen_require systemd_unit_file_t)
(allow dbusd_type systemd_unit_file_t (service (start)))
)
)
|
|
; GNOME keyring daemon domain (gkeyringd_type) for the user, plus gconfd
; integration. gkeyringd_type is not declared here (the declaration below is
; commented out); presumably it is a parameter of the enclosing macro — confirm.
(optional confinedom_user_login_optional_14
;(type gkeyringd_type)
(roletype object_r gkeyringd_type)
; Requires: the optional is dropped if any of these is missing.
(roleattributeset cil_gen_require gconfd_roles)
(typeattributeset cil_gen_require shell_exec_t)
(typeattributeset cil_gen_require entry_type)
(typeattributeset cil_gen_require exec_type)
(typeattributeset cil_gen_require file_type)
(typeattributeset cil_gen_require non_security_file_type)
(typeattributeset cil_gen_require non_auth_file_type)
(typeattributeset cil_gen_require domain)
(typeattributeset cil_gen_require corenet_unlabeled_type)
(typeattributeset cil_gen_require process_user_target)
(typeattributeset cil_gen_require ubac_constrained_type)
(typeattributeset cil_gen_require user_tmp_t)
(typeattributeset cil_gen_require tmp_t)
(typeattributeset cil_gen_require tmpfs_t)
(typeattributeset cil_gen_require bin_t)
(typeattributeset cil_gen_require application_exec_type)
(typeattributeset cil_gen_require nsswitch_domain)
(typeattributeset cil_gen_require netlabel_peer_type)
(typeattributeset cil_gen_require syslog_client_type)
(typeattributeset cil_gen_require kernel_system_state_reader)
(typeattributeset cil_gen_require application_domain_type)
(typeattributeset cil_gen_require userdom_home_manager_type)
(typeattributeset cil_gen_require usr_t)
(typeattributeset cil_gen_require gnomedomain)
(typeattributeset cil_gen_require gkeyringd_domain)
(typeattributeset cil_gen_require gnome_home_type)
(typeattributeset cil_gen_require gkeyringd_exec_t)
(typeattributeset cil_gen_require gkeyringd_tmp_t)
(typeattributeset cil_gen_require gconfd_t)
(typeattributeset cil_gen_require gconfd_exec_t)
(typeattributeset cil_gen_require gconf_tmp_t)
(typeattributeset cil_gen_require cache_home_t)
(roleattributeset cil_gen_require urole)
; The user's role may run gkeyringd_type, and joins the gconfd_roles attribute.
(roletype urole gkeyringd_type)
(roleattributeset cil_gen_require gconfd_roles)
(roleattributeset gconfd_roles (urole ))
; Attribute membership ("require attribute, then add the type" pairs):
; gkeyringd_type joins the domain-side attributes, gkeyringd_exec_t the
; file-side ones.
(typeattributeset cil_gen_require netlabel_peer_type)
(typeattributeset netlabel_peer_type (gkeyringd_type ))
(typeattributeset cil_gen_require corenet_unlabeled_type)
(typeattributeset corenet_unlabeled_type (gkeyringd_type ))
(typeattributeset cil_gen_require syslog_client_type)
(typeattributeset syslog_client_type (gkeyringd_type ))
(typeattributeset cil_gen_require file_type)
(typeattributeset file_type (gkeyringd_exec_t ))
(typeattributeset cil_gen_require non_security_file_type)
(typeattributeset non_security_file_type (gkeyringd_exec_t ))
(typeattributeset cil_gen_require exec_type)
(typeattributeset exec_type (gkeyringd_exec_t ))
(typeattributeset cil_gen_require application_domain_type)
(typeattributeset application_domain_type (gkeyringd_type ))
(typeattributeset cil_gen_require userdom_home_manager_type)
(typeattributeset userdom_home_manager_type (gkeyringd_type ))
(typeattributeset cil_gen_require ubac_constrained_type)
(typeattributeset ubac_constrained_type (gkeyringd_type ))
(typeattributeset cil_gen_require kernel_system_state_reader)
(typeattributeset kernel_system_state_reader (gkeyringd_type ))
(typeattributeset cil_gen_require gnomedomain)
(typeattributeset gnomedomain (gkeyringd_type ))
(typeattributeset cil_gen_require application_exec_type)
(typeattributeset application_exec_type (gkeyringd_exec_t ))
(typeattributeset cil_gen_require gkeyringd_domain)
(typeattributeset gkeyringd_domain (gkeyringd_type ))
(typeattributeset cil_gen_require nsswitch_domain)
(typeattributeset nsswitch_domain (gkeyringd_type ))
(typeattributeset cil_gen_require entry_type)
(typeattributeset entry_type (gkeyringd_exec_t ))
(typeattributeset cil_gen_require non_auth_file_type)
(typeattributeset non_auth_file_type (gkeyringd_exec_t ))
(typeattributeset cil_gen_require domain)
(typeattributeset domain (gkeyringd_type ))
(typeattributeset cil_gen_require process_user_target)
(typeattributeset process_user_target (gkeyringd_type ))
; gkeyringd_exec_t is the entrypoint of gkeyringd_type.
(allow gkeyringd_type gkeyringd_exec_t (file (entrypoint)))
(allow gkeyringd_type gkeyringd_exec_t (file (ioctl read getattr lock map execute open)))
; gconfd: utype -> gconfd_t transition via gconfd_exec_t, parent/child
; plumbing, and read/signal access from the user to the gconfd process.
(allow utype gconfd_exec_t (file (ioctl read getattr map execute open)))
(allow utype gconfd_t (process (transition)))
(typetransition utype gconfd_exec_t process gconfd_t)
(allow gconfd_t utype (fd (use)))
(allow gconfd_t utype (fifo_file (ioctl read write getattr lock append)))
(allow gconfd_t utype (process (sigchld)))
(allow utype gconfd_t (process (sigchld sigkill sigstop signull signal)))
(allow utype gconfd_t (unix_stream_socket (connectto)))
(allow utype gconfd_t (dir (ioctl read getattr lock open search)))
(allow utype gconfd_t (file (ioctl read getattr lock open)))
(allow utype gconfd_t (lnk_file (read getattr)))
(allow utype gconfd_t (process (getattr)))
; The keyring daemon gets the full stream-socket permission set on the
; user's sockets and may change its own scheduling.
(allow gkeyringd_type utype (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown connectto)))
(allow gkeyringd_type self (process (setsched)))
; utype -> gkeyringd_type transition via gkeyringd_exec_t, with plumbing.
(allow utype gkeyringd_exec_t (file (ioctl read getattr map execute open)))
(allow utype gkeyringd_type (process (transition)))
(typetransition utype gkeyringd_exec_t process gkeyringd_type)
(allow gkeyringd_type utype (fd (use)))
(allow gkeyringd_type utype (fifo_file (ioctl read write getattr lock append)))
(allow gkeyringd_type utype (process (sigchld)))
; Full management of gnome_home_type, gkeyringd_tmp_t and gconf_tmp_t
; dirs/files/sockets by the user.
; NOTE(review): these rules include relabelfrom/relabelto, which goes beyond
; plain file management — utype can change the label of these objects to any
; type it also holds relabelto on. Confirm the relabel permissions are needed
; (e.g. for restorecon of the home directory) rather than a side effect of a
; manage-pattern macro.
(allow utype gnome_home_type (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
(allow utype gkeyringd_tmp_t (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
(allow utype gconf_tmp_t (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
(allow utype gnome_home_type (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads)))
(allow utype gkeyringd_tmp_t (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads)))
(allow utype gconf_tmp_t (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads)))
(allow utype gkeyringd_tmp_t (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open)))
; The user may inspect the keyring daemon's /proc entry and signal/kill it.
(allow utype gkeyringd_type (dir (ioctl read getattr lock open search)))
(allow utype gkeyringd_type (file (ioctl read getattr lock open)))
(allow utype gkeyringd_type (lnk_file (read getattr)))
(allow utype gkeyringd_type (process (getattr)))
(allow utype gkeyringd_type (process (sigchld sigkill sigstop signull signal)))
; Silence denials when the user domain itself tries to use gkeyringd_exec_t
; as an entrypoint (not granted, just not logged).
(dontaudit utype gkeyringd_exec_t (file (entrypoint)))
(allow gkeyringd_type utype (process (sigkill)))
(allow utype gkeyringd_type (fd (use)))
(allow utype gkeyringd_type (fifo_file (ioctl read write getattr lock append open)))
(allow utype gkeyringd_type (dbus (acquire_svc)))
; Connect to the keyring daemon's socket under gkeyringd_tmp_t.
(allow utype gkeyringd_tmp_t (dir (getattr open search)))
(allow utype gkeyringd_tmp_t (sock_file (write getattr append open)))
(allow utype gkeyringd_type (unix_stream_socket (connectto)))
; Programs the keyring daemon executes run back in the user domain:
; gkeyringd_type -> utype transitions on bin_t, usr_t and shell_exec_t.
; Several bin_t dir rules repeat each other (harmless duplicates).
(allow gkeyringd_type bin_t (dir (getattr open search)))
(allow gkeyringd_type bin_t (lnk_file (read getattr)))
(allow gkeyringd_type bin_t (file (ioctl read getattr map execute open)))
(allow gkeyringd_type utype (process (transition)))
(allow gkeyringd_type usr_t (dir (getattr open search)))
(allow gkeyringd_type usr_t (lnk_file (read getattr)))
(allow gkeyringd_type usr_t (file (ioctl read getattr map execute open)))
(allow gkeyringd_type utype (process (transition)))
(typetransition gkeyringd_type bin_t process utype)
(typetransition gkeyringd_type usr_t process utype)
(allow gkeyringd_type bin_t (dir (getattr open search)))
(allow gkeyringd_type bin_t (dir (ioctl read getattr lock open search)))
(allow gkeyringd_type bin_t (dir (getattr open search)))
(allow gkeyringd_type bin_t (lnk_file (read getattr)))
(allow gkeyringd_type shell_exec_t (file (ioctl read getattr map execute open)))
(allow gkeyringd_type utype (process (transition)))
(typetransition gkeyringd_type shell_exec_t process utype)
; Traversal of tmp locations on the way to the keyring / gconf sockets.
(allow utype gconf_tmp_t (dir (getattr open search)))
(allow utype tmpfs_t (dir (getattr open search)))
(allow utype tmp_t (dir (getattr open search)))
(allow utype tmp_t (lnk_file (read getattr)))
(allow utype tmp_t (dir (getattr open search)))
(allow utype user_tmp_t (dir (getattr open search)))
(allow utype gkeyringd_tmp_t (dir (getattr open search)))
(allow utype gkeyringd_tmp_t (sock_file (write getattr append open)))
; Connect to any gkeyringd_domain member (this rule appears twice below).
(allow utype gkeyringd_domain (unix_stream_socket (connectto)))
(allow utype cache_home_t (dir (getattr open search)))
(allow utype cache_home_t (sock_file (write getattr append open)))
(allow utype gkeyringd_domain (unix_stream_socket (connectto)))
; The keyring daemon may read the user process's /proc entry and use
; sockets under user_tmp_t.
(allow gkeyringd_type utype (dir (ioctl read getattr lock open search)))
(allow gkeyringd_type utype (file (ioctl read getattr lock open)))
(allow gkeyringd_type utype (lnk_file (read getattr)))
(allow gkeyringd_type utype (process (getattr)))
(allow gkeyringd_type user_tmp_t (dir (ioctl read getattr lock open search)))
(allow gkeyringd_type user_tmp_t (sock_file (read write getattr append)))
(allow gkeyringd_type tmpfs_t (dir (getattr open search)))
(allow gkeyringd_type tmp_t (dir (getattr open search)))
(allow gkeyringd_type tmp_t (lnk_file (read getattr)))
(allow gkeyringd_type tmp_t (dir (getattr open search)))
; D-Bus between the user and its keyring daemon.
(allow gkeyringd_type utype (dbus (acquire_svc send_msg)))
(allow utype gkeyringd_type (dbus (send_msg)))
; Session-bus integration: the session bus may launch the keyring daemon
; (dbusd_type -> gkeyringd_type), and the daemon talks to both buses and
; reads/manages its home-directory state.
(optional confinedom_user_login_optional_15
(typeattributeset cil_gen_require user_home_dir_t)
(typeattributeset cil_gen_require home_root_t)
(typeattributeset cil_gen_require system_dbusd_t)
(typeattributeset cil_gen_require session_bus_type)
(typeattributeset cil_gen_require dbusd_type)
(typeattributeset cil_gen_require gnome_home_t)
(typeattributeset cil_gen_require data_home_t)
(typeattributeset cil_gen_require gconf_home_t)
(allow dbusd_type gkeyringd_exec_t (file (ioctl read getattr map execute open)))
(allow dbusd_type gkeyringd_type (process (transition)))
(typetransition dbusd_type gkeyringd_exec_t process gkeyringd_type)
(allow gkeyringd_type dbusd_type (fd (use)))
(allow gkeyringd_type dbusd_type (fifo_file (ioctl read write getattr lock append)))
(allow gkeyringd_type dbusd_type (process (sigchld)))
; Session bus: send, acquire service names, connect; the bus may kill the daemon.
(allow gkeyringd_type session_bus_type (dbus (send_msg)))
(allow gkeyringd_type self (dbus (send_msg)))
(allow gkeyringd_type session_bus_type (unix_stream_socket (connectto)))
(allow session_bus_type gkeyringd_type (process (sigkill)))
(allow gkeyringd_type session_bus_type (dbus (acquire_svc)))
; System bus: connect and send only (no acquire_svc).
(allow gkeyringd_type system_dbusd_t (unix_stream_socket (connectto)))
(allow gkeyringd_type system_dbusd_t (dbus (send_msg)))
; Home directory: traverse to the user's home, manage gnome_home_t dirs, and
; read data_home_t / gconf_home_t. Several data_home_t and gconf_home_t dir
; rules repeat each other (harmless duplicates).
(allow gkeyringd_type user_home_dir_t (dir (getattr open search)))
(allow gkeyringd_type user_home_dir_t (lnk_file (read getattr)))
(allow gkeyringd_type home_root_t (dir (getattr open search)))
(allow gkeyringd_type home_root_t (lnk_file (read getattr)))
(allow gkeyringd_type gnome_home_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
(allow gkeyringd_type data_home_t (dir (getattr open search)))
(allow gkeyringd_type gconf_home_t (dir (getattr open search)))
(allow gkeyringd_type data_home_t (file (ioctl read getattr lock open)))
(allow gkeyringd_type data_home_t (dir (getattr open search)))
(allow gkeyringd_type gconf_home_t (dir (getattr open search)))
(allow gkeyringd_type data_home_t (lnk_file (read getattr)))
(allow gkeyringd_type data_home_t (dir (getattr open search)))
(allow gkeyringd_type gconf_home_t (dir (getattr open search)))
(allow gkeyringd_type data_home_t (dir (ioctl read getattr lock open search)))
; Telepathy: the daemon may read mission-control's /proc entry, and gabble
; may connect to the keyring socket.
(optional confinedom_user_login_optional_16
(typeattributeset cil_gen_require proc_t)
(typeattributeset cil_gen_require telepathy_mission_control_t)
(typeattributeset cil_gen_require telepathy_gabble_t)
(allow gkeyringd_type proc_t (dir (getattr open search)))
(allow gkeyringd_type proc_t (dir (getattr open search)))
(allow gkeyringd_type telepathy_mission_control_t (dir (ioctl read getattr lock open search)))
(allow gkeyringd_type telepathy_mission_control_t (file (ioctl read getattr lock open)))
(allow gkeyringd_type telepathy_mission_control_t (lnk_file (read getattr)))
(allow gkeyringd_type telepathy_mission_control_t (process (getattr)))
(allow telepathy_gabble_t gkeyringd_tmp_t (dir (getattr open search)))
(allow telepathy_gabble_t gkeyringd_tmp_t (sock_file (write getattr append open)))
(allow telepathy_gabble_t gkeyringd_type (unix_stream_socket (connectto)))
)
; systemd-logind: bidirectional D-Bus, and logind may inspect/signal the
; daemon and lend it file descriptors.
(optional confinedom_user_login_optional_17
(typeattributeset cil_gen_require systemd_logind_t)
(allow gkeyringd_type systemd_logind_t (dbus (send_msg)))
(allow systemd_logind_t gkeyringd_type (dbus (send_msg)))
(allow systemd_logind_t gkeyringd_type (dir (ioctl read getattr lock open search)))
(allow systemd_logind_t gkeyringd_type (file (ioctl read getattr lock open)))
(allow systemd_logind_t gkeyringd_type (lnk_file (read getattr)))
(allow systemd_logind_t gkeyringd_type (process (getattr)))
(allow systemd_logind_t gkeyringd_type (process (signal)))
(allow gkeyringd_type systemd_logind_t (fd (use)))
)
)
; SSH agent emulation: the keyring daemon may run ssh_agent_exec_t in its own
; domain (execute_no_trans), so no transition to a separate agent domain.
(optional confinedom_user_login_optional_18
(typeattributeset cil_gen_require bin_t)
(typeattributeset cil_gen_require ssh_agent_exec_t)
(allow gkeyringd_type bin_t (dir (getattr open search)))
(allow gkeyringd_type bin_t (lnk_file (read getattr)))
(allow gkeyringd_type bin_t (dir (getattr open search)))
(allow gkeyringd_type bin_t (dir (getattr open search)))
(allow gkeyringd_type ssh_agent_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
)
)
|
|
; locate(1) support: read-only access to the locate database directory.
(optional confinedom_user_login_optional_19
(typeattributeset cil_gen_require var_t)
(typeattributeset cil_gen_require var_lib_t)
(typeattributeset cil_gen_require locate_var_lib_t)
; Traverse var_t and var_lib_t on the way to the database.
(allow utype var_t (dir (getattr open search)))
(allow utype var_lib_t (dir (getattr open search)))
; Read the database directory and files; the last dir rule is a superset
; of the first.
(allow utype locate_var_lib_t (dir (getattr open search)))
(allow utype locate_var_lib_t (file (ioctl read getattr lock open)))
(allow utype locate_var_lib_t (dir (ioctl read getattr lock open search)))
)
|
|
; Mail spool: the user may list the spool and stat its files. Note that only
; getattr is granted on mail_spool_t files — no read.
(optional confinedom_user_login_optional_20
(typeattributeset cil_gen_require var_t)
(typeattributeset cil_gen_require mail_spool_t)
(typeattributeset cil_gen_require var_spool_t)
; Traverse var_t and var_spool_t.
(allow utype var_t (dir (getattr open search)))
(allow utype var_spool_t (dir (getattr open search)))
; List the spool directory (the two plain search rules are subsumed by the
; first, fuller rule), stat files, follow symlinks.
(allow utype mail_spool_t (dir (ioctl read getattr lock open search)))
(allow utype mail_spool_t (dir (getattr open search)))
(allow utype mail_spool_t (file (getattr)))
(allow utype mail_spool_t (dir (getattr open search)))
(allow utype mail_spool_t (lnk_file (read getattr)))
)
|
|
)
|
|
)
|
|
; Telnet login
|
|
; Remote (telnet-style) login: remote_login_t may transition into the user
; domain and signal it.
; NOTE(review): the bpf prog_load rule below is unrelated to remote_login_t
; but is gated on its presence by this optional. If the user domain needs
; BPF program loading regardless of telnet support, the rule belongs outside
; this block — confirm intent.
(optional confinedom_user_login_optional_3
(typeattributeset cil_gen_require remote_login_t)
(allow remote_login_t utype (process (signal transition)))
(allow utype self (bpf (prog_load)))
)
|
|
; Asynchronous I/O (io_uring) operations, RHEL 10
|
|
; io_uring support: submission-queue polling on the user's own rings, and
; create/read/write/map of the anonymous inodes io_uring backs them with.
(optional confinedom_user_login_optional_4
(typeattributeset cil_gen_require io_uring_t)
(allow utype self (io_uring (sqpoll)))
(allow utype io_uring_t (anon_inode (create)))
(allow utype io_uring_t (anon_inode (read write getattr map)))
)
|
|
)
|
|
|
|
(macro confined_ssh_connect_macro ((type utype) (role urole) (type ssh_agent_type))
|
|
(optional confined_ssh_connect_macro_optional
|
|
(typeattributeset cil_gen_require sshd_t)
|
|
(typeattributeset cil_gen_require ptmx_t)
|
|
(typeattributeset cil_gen_require device_t)
|
|
(typeattributeset cil_gen_require sshd_devpts_t)
|
|
(typeattributeset cil_gen_require ssh_server)
|
|
(typeattributeset cil_gen_require ssh_t)
|
|
(typeattributeset cil_gen_require ssh_exec_t)
|
|
(typeattributeset cil_gen_require ssh_tmpfs_t)
|
|
(typeattributeset cil_gen_require ssh_home_t)
|
|
(typeattributeset cil_gen_require ssh_agent_exec_t)
|
|
(typeattributeset cil_gen_require ssh_keysign_t)
|
|
(typeattributeset cil_gen_require ssh_agent_tmp_t)
|
|
(typeattributeset cil_gen_require cache_home_t)
|
|
(typeattributeset cil_gen_require application_domain_type)
|
|
(typeattributeset cil_gen_require domain)
|
|
(typeattributeset cil_gen_require corenet_unlabeled_type)
|
|
(typeattributeset cil_gen_require application_exec_type)
|
|
(typeattributeset cil_gen_require exec_type)
|
|
(typeattributeset cil_gen_require file_type)
|
|
(typeattributeset cil_gen_require non_security_file_type)
|
|
(typeattributeset cil_gen_require non_auth_file_type)
|
|
(typeattributeset cil_gen_require entry_type)
|
|
(typeattributeset cil_gen_require ubac_constrained_type)
|
|
(typeattributeset cil_gen_require privfd)
|
|
(typeattributeset cil_gen_require user_home_dir_t)
|
|
(typeattributeset cil_gen_require home_root_t)
|
|
(typeattributeset cil_gen_require user_tmp_type)
|
|
(typeattributeset cil_gen_require user_tmp_t)
|
|
(typeattributeset cil_gen_require tmp_t)
|
|
(typeattributeset cil_gen_require tmpfs_t)
|
|
(typeattributeset cil_gen_require kernel_system_state_reader)
|
|
(typeattributeset cil_gen_require shell_exec_t)
|
|
(typeattributeset cil_gen_require bin_t)
|
|
(typeattributeset cil_gen_require usr_t)
|
|
(typeattributeset cil_gen_require nsswitch_domain)
|
|
(typeattributeset cil_gen_require netlabel_peer_type)
|
|
(typeattributeset cil_gen_require syslog_client_type)
|
|
(typeattributeset cil_gen_require tty_device_t)
|
|
(typeattributeset cil_gen_require user_home_t)
|
|
(typeattributeset cil_gen_require userdom_home_manager_type)
|
|
(typeattributeset cil_gen_require ssh_keygen_exec_t)
|
|
(roleattributeset cil_gen_require urole)
|
|
(roletype object_r ssh_agent_type)
|
|
(roletype urole ssh_t)
|
|
(roletype urole ssh_agent_type)
|
|
(roletype urole user_tmp_t)
|
|
(typeattributeset cil_gen_require netlabel_peer_type)
|
|
(typeattributeset netlabel_peer_type (ssh_agent_type ))
|
|
(typeattributeset cil_gen_require corenet_unlabeled_type)
|
|
(typeattributeset corenet_unlabeled_type (ssh_agent_type ))
|
|
(typeattributeset cil_gen_require privfd)
|
|
(typeattributeset privfd (ssh_agent_type ))
|
|
(typeattributeset cil_gen_require syslog_client_type)
|
|
(typeattributeset syslog_client_type (ssh_agent_type ))
|
|
(typeattributeset cil_gen_require file_type)
|
|
(typeattributeset file_type (ssh_agent_exec_t ))
|
|
(typeattributeset cil_gen_require non_security_file_type)
|
|
(typeattributeset non_security_file_type (ssh_agent_exec_t ))
|
|
(typeattributeset cil_gen_require exec_type)
|
|
(typeattributeset exec_type (ssh_agent_exec_t ))
|
|
(typeattributeset cil_gen_require application_domain_type)
|
|
(typeattributeset application_domain_type (ssh_agent_type ))
|
|
(typeattributeset cil_gen_require userdom_home_manager_type)
|
|
(typeattributeset userdom_home_manager_type (ssh_agent_type ))
|
|
(typeattributeset cil_gen_require ubac_constrained_type)
|
|
(typeattributeset ubac_constrained_type (ssh_agent_type ))
|
|
(typeattributeset cil_gen_require ssh_agent_type)
|
|
(typeattributeset cil_gen_require kernel_system_state_reader)
|
|
(typeattributeset kernel_system_state_reader (ssh_agent_type ))
|
|
(typeattributeset cil_gen_require application_exec_type)
|
|
(typeattributeset application_exec_type (ssh_agent_exec_t ))
|
|
(typeattributeset cil_gen_require nsswitch_domain)
|
|
(typeattributeset nsswitch_domain (ssh_agent_type ))
|
|
(typeattributeset cil_gen_require entry_type)
|
|
(typeattributeset entry_type (ssh_agent_exec_t ))
|
|
(typeattributeset cil_gen_require non_auth_file_type)
|
|
(typeattributeset non_auth_file_type (ssh_agent_exec_t ))
|
|
(typeattributeset cil_gen_require domain)
|
|
(typeattributeset domain (ssh_agent_type ))
|
|
(allow sshd_t utype (process (dyntransition)))
|
|
(allow utype sshd_t (process (sigchld)))
|
|
(allow sshd_t utype (process (sigkill sigstop signull signal getattr)))
|
|
(allow utype device_t (dir (getattr open search)))
|
|
(allow utype device_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype device_t (dir (getattr open search)))
|
|
(allow utype device_t (lnk_file (read getattr)))
|
|
(allow utype ptmx_t (chr_file (ioctl read write getattr lock append open)))
|
|
(allow utype sshd_devpts_t (chr_file (ioctl read write getattr lock append)))
|
|
(allow ssh_agent_type ssh_agent_exec_t (file (entrypoint)))
|
|
(allow ssh_agent_type ssh_agent_exec_t (file (ioctl read getattr lock map execute open)))
|
|
(allow utype ssh_exec_t (file (ioctl read getattr map execute open)))
|
|
(allow utype ssh_t (process (transition)))
|
|
(typetransition utype ssh_exec_t process ssh_t)
|
|
(allow ssh_t utype (fd (use)))
|
|
(allow ssh_t utype (fifo_file (ioctl read write getattr lock append)))
|
|
(allow ssh_t utype (process (sigchld)))
|
|
(allow utype ssh_server (unix_stream_socket (ioctl read write getattr setattr lock append bind connect listen accept getopt setopt shutdown)))
|
|
(allow utype ssh_t (dir (ioctl read getattr lock open search)))
|
|
(allow utype ssh_t (file (ioctl read getattr lock open)))
|
|
(allow utype ssh_t (lnk_file (read getattr)))
|
|
(allow utype ssh_t (process (getattr)))
|
|
(allow utype ssh_t (process (sigchld sigkill sigstop signull signal)))
|
|
(allow ssh_t utype (unix_stream_socket (ioctl read write getattr setattr lock append bind connect getopt setopt shutdown)))
|
|
(allow ssh_t utype (unix_stream_socket (connectto)))
|
|
(allow ssh_t utype (key (view read write search link setattr create)))
|
|
(allow utype ssh_t (key (view read write search)))
|
|
(allow utype ssh_home_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype ssh_home_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
|
(allow utype ssh_home_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype ssh_home_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads)))
|
|
(allow utype ssh_home_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow utype ssh_home_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
|
(allow utype user_home_dir_t (dir (getattr open search)))
|
|
(allow utype user_home_dir_t (lnk_file (read getattr)))
|
|
(allow utype home_root_t (dir (getattr open search)))
|
|
(allow utype home_root_t (lnk_file (read getattr)))
|
|
(typemember ssh_t tmp_t dir user_tmp_t)
|
|
(allow ssh_t user_tmp_type (dir (mounton)))
|
|
(allow ssh_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow ssh_t user_tmp_type (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir)))
|
|
(allow ssh_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow ssh_t user_tmp_type (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
|
|
(allow ssh_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow ssh_t user_tmp_type (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads)))
|
|
(allow ssh_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow ssh_t user_tmp_type (sock_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
|
(allow ssh_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(allow ssh_t user_tmp_type (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
|
(allow ssh_t tmp_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(typetransition ssh_t tmp_t fifo_file user_tmp_t)
|
|
(typetransition ssh_t tmp_t sock_file user_tmp_t)
|
|
(typetransition ssh_t tmp_t lnk_file user_tmp_t)
|
|
(typetransition ssh_t tmp_t dir user_tmp_t)
|
|
(typetransition ssh_t tmp_t file user_tmp_t)
|
|
(allow user_tmp_t tmpfs_t (filesystem (associate)))
|
|
(allow ssh_t tmpfs_t (dir (ioctl read write getattr lock open add_name remove_name search)))
|
|
(typetransition ssh_t tmpfs_t fifo_file user_tmp_t)
|
|
(typetransition ssh_t tmpfs_t sock_file user_tmp_t)
|
|
(typetransition ssh_t tmpfs_t lnk_file user_tmp_t)
|
|
(typetransition ssh_t tmpfs_t dir user_tmp_t)
|
|
(typetransition ssh_t tmpfs_t file user_tmp_t)
|
|
(allow ssh_t user_tmp_type (dir (getattr open search)))
|
|
(allow ssh_t user_tmp_type (dir (getattr relabelfrom relabelto)))
|
|
(allow ssh_t user_tmp_type (dir (getattr open search)))
|
|
(allow ssh_t user_tmp_type (file (getattr relabelfrom relabelto)))
|
|
(allow ssh_t user_tmp_type (dir (getattr open search)))
|
|
(allow ssh_t user_tmp_type (lnk_file (getattr relabelfrom relabelto)))
|
|
(allow ssh_t user_tmp_type (dir (getattr open search)))
|
|
(allow ssh_t user_tmp_type (sock_file (getattr relabelfrom relabelto)))
|
|
(allow ssh_t user_tmp_type (dir (getattr open search)))
|
|
(allow ssh_t user_tmp_type (fifo_file (getattr relabelfrom relabelto)))
|
|
(allow ssh_t user_tmp_type (file (map)))
|
|
(allow ssh_agent_type utype (process (signull)))
|
|
(allow ssh_agent_type ssh_agent_type (process (signull)))
|
|
(allow ssh_agent_type self (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown connectto)))
|
|
(allow utype ssh_agent_tmp_t (dir (getattr open search)))
|
|
(allow utype ssh_agent_tmp_t (sock_file (write getattr append open)))
|
|
(allow utype ssh_agent_type (unix_stream_socket (connectto)))
|
|
(allow utype cache_home_t (dir (getattr open search)))
|
|
(allow utype cache_home_t (sock_file (write getattr append open)))
|
|
(allow utype ssh_agent_type (unix_stream_socket (connectto)))
|
|
(allow utype ssh_agent_type (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown)))
|
|
(allow utype ssh_agent_type (process (sigchld sigkill sigstop signull signal)))
|
|
(allow utype ssh_agent_type (dir (ioctl read getattr lock open search)))
|
|
(allow utype ssh_agent_type (file (ioctl read getattr lock open)))
|
|
(allow utype ssh_agent_type (lnk_file (read getattr)))
|
|
(allow utype ssh_agent_type (process (getattr)))
|
|
(allow ssh_agent_type ssh_agent_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
|
(allow utype ssh_agent_exec_t (file (ioctl read getattr map execute open)))
|
|
(allow utype ssh_agent_type (process (transition)))
|
|
(typetransition utype ssh_agent_exec_t process ssh_agent_type)
|
|
(allow ssh_agent_type utype (fd (use)))
|
|
(allow ssh_agent_type utype (fifo_file (ioctl read write getattr lock append)))
|
|
(allow ssh_agent_type utype (process (sigchld)))
|
|
(allow ssh_agent_type bin_t (dir (getattr open search)))
|
|
(allow ssh_agent_type bin_t (dir (ioctl read getattr lock open search)))
|
|
(allow ssh_agent_type bin_t (dir (getattr open search)))
|
|
(allow ssh_agent_type bin_t (lnk_file (read getattr)))
|
|
(allow ssh_agent_type shell_exec_t (file (ioctl read getattr map execute open)))
|
|
(allow ssh_agent_type utype (process (transition)))
|
|
(typetransition ssh_agent_type shell_exec_t process utype)
|
|
(allow ssh_agent_type bin_t (dir (getattr open search)))
|
|
(allow ssh_agent_type bin_t (lnk_file (read getattr)))
|
|
(allow ssh_agent_type bin_t (file (ioctl read getattr map execute open)))
|
|
(allow ssh_agent_type utype (process (transition)))
|
|
(allow ssh_agent_type usr_t (dir (getattr open search)))
|
|
(allow ssh_agent_type usr_t (lnk_file (read getattr)))
|
|
(allow ssh_agent_type usr_t (file (ioctl read getattr map execute open)))
|
|
(allow ssh_agent_type utype (process (transition)))
|
|
(typetransition ssh_agent_type bin_t process utype)
|
|
(typetransition ssh_agent_type usr_t process utype)
|
|
(allow ssh_agent_type device_t (dir (getattr open search)))
|
|
(allow ssh_agent_type device_t (dir (ioctl read getattr lock open search)))
|
|
(allow ssh_agent_type device_t (dir (getattr open search)))
|
|
(allow ssh_agent_type device_t (lnk_file (read getattr)))
|
|
(allow ssh_agent_type tty_device_t (chr_file (ioctl read write getattr lock append open)))
|
|
(allow ssh_agent_type user_home_t (file (ioctl read getattr map execute open)))
|
|
(allow ssh_agent_type utype (process (transition)))
|
|
(typetransition ssh_agent_type user_home_t process utype)
|
|
(allow ssh_agent_type user_home_dir_t (dir (getattr open search)))
|
|
(allow ssh_agent_type home_root_t (dir (getattr open search)))
|
|
(allow ssh_agent_type home_root_t (lnk_file (read getattr)))
|
|
(allow utype ssh_keygen_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
|
|
)
)
(macro confined_use_basic_commands_macro ((type utype) (role urole))
  ; Grant a confined login domain the mostly read-only access it needs for
  ; everyday commands: traversing /var, reading logs and journal run-time
  ; state, reading cgroup/sysfs/efivarfs, talking to init (systemd) and
  ; logind over their run-time sockets, querying unit status, and running
  ; passwd and the systemd password agent.
  ;
  ; Parameters:
  ;   utype - the confined user domain type that receives the permissions
  ;   urole - the user role; it is added to passwd_roles when the passwd
  ;           policy is present (optional_5 below)
  ;
  ; Every rule sits inside an optional block so the macro still loads when
  ; one of the required types is absent from the loaded policy. Rules that
  ; the generated expansion repeated are written once here; an allow rule
  ; is a set union, so the compiled policy is unchanged.
  (optional confined_use_basic_commands_optional_2
    ; Types and roles the rules below depend on.
    (roleattributeset cil_gen_require urole)
    (typeattributeset cil_gen_require utype)
    (typeattributeset cil_gen_require login_confinedom)
    (typeattributeset cil_gen_require init_t)
    (typeattributeset cil_gen_require init_var_lib_t)
    (typeattributeset cil_gen_require init_var_run_t)
    (typeattributeset cil_gen_require var_t)
    (typeattributeset cil_gen_require var_lib_t)
    (typeattributeset cil_gen_require var_log_t)
    (typeattributeset cil_gen_require var_run_t)
    (typeattributeset cil_gen_require syslogd_var_run_t)
    (typeattributeset cil_gen_require systemd_unit_file_type)
    (typeattributeset cil_gen_require systemd_systemctl_exec_t)
    (typeattributeset cil_gen_require systemd_logind_var_run_t)
    (typeattributeset cil_gen_require systemd_passwd_agent_t)
    (typeattributeset cil_gen_require systemd_passwd_agent_exec_t)
    (typeattributeset cil_gen_require systemd_passwd_var_run_t)
    (typeattributeset cil_gen_require bin_t)
    (typeattributeset cil_gen_require cgroup_t)
    (typeattributeset cil_gen_require tmpfs_t)
    (typeattributeset cil_gen_require sysfs_t)
    (typeattributeset cil_gen_require efivarfs_t)
    ; NOTE(review): usr_t is used below but is not listed in this require
    ; set; it resolves from the global namespace as long as the base policy
    ; declares it - confirm when loading against a trimmed policy.

    ; Self permissions on the user domain.
    (allow utype utype (process (setpgid)))
    (allow utype utype (system (status)))

    ; /var tree: traverse directories and follow symlinks.
    (allow utype var_t (dir (getattr open search)))
    (allow utype var_t (lnk_file (read getattr)))
    (allow utype var_lib_t (dir (getattr open search)))
    (allow utype var_run_t (dir (getattr open search)))
    (allow utype var_run_t (lnk_file (read getattr)))

    ; init (systemd) state under /var/lib and /run, and the init process
    ; itself: read its files, signal it, and connect to its stream socket.
    (allow utype init_var_lib_t (dir (getattr open search)))
    (allow utype init_var_lib_t (file (ioctl read getattr map open)))
    (allow utype init_var_run_t (dir (getattr open search)))
    (allow utype init_var_run_t (dir (ioctl read getattr lock open search)))
    (allow utype init_var_run_t (sock_file (write getattr append open)))
    (allow utype init_t (process (signal)))
    (allow utype init_t (dir (getattr open search)))
    (allow utype init_t (file (ioctl read getattr lock open)))
    (allow utype init_t (lnk_file (read getattr)))
    (allow utype init_t (unix_stream_socket (sendto)))
    (allow utype init_t (unix_stream_socket (connectto)))
    (allow utype init_t (unix_stream_socket (getattr)))

    ; Logs: /var/log and the syslog/journal run-time state, read-only.
    (allow utype var_log_t (dir (getattr open search)))
    (allow utype var_log_t (dir (ioctl read getattr lock open search)))
    (allow utype var_log_t (file (ioctl read getattr lock open)))
    (allow utype var_log_t (file (map)))
    (allow utype var_log_t (lnk_file (read getattr)))
    (allow utype syslogd_var_run_t (dir (getattr open search)))
    (allow utype syslogd_var_run_t (dir (ioctl read getattr lock open search)))
    (allow utype syslogd_var_run_t (file (ioctl read getattr lock open map)))

    ;corecmd_bin_entry_type(utype)
    ; Binaries under bin_t and usr_t may be executed and may serve as the
    ; domain's entry point, so ordinary commands run in utype with no
    ; domain transition.
    (allow utype bin_t (dir (getattr open search)))
    (allow utype bin_t (lnk_file (read getattr)))
    (allow utype bin_t (file (entrypoint)))
    (allow utype bin_t (file (ioctl read getattr lock map execute open)))
    (allow utype usr_t (file (entrypoint)))
    (allow utype usr_t (file (ioctl read getattr lock map execute open)))

    ; systemctl runs in the caller's own domain (execute_no_trans), so it
    ; acts with exactly the permissions granted here; against unit files
    ; only listing and the service status query are permitted.
    (allow utype systemd_systemctl_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
    (allow utype systemd_unit_file_type (dir (ioctl read getattr lock open search)))
    (allow utype systemd_unit_file_type (service (status)))

    ; Pseudo filesystems: cgroup, tmpfs, sysfs and efivarfs, read-only.
    (allow utype cgroup_t (dir (getattr open search)))
    (allow utype cgroup_t (dir (ioctl read getattr lock open search)))
    (allow utype cgroup_t (file (ioctl read getattr lock open)))
    (allow utype cgroup_t (lnk_file (read getattr)))
    (allow utype tmpfs_t (dir (getattr open search)))
    (allow utype sysfs_t (dir (getattr open search)))
    (allow utype efivarfs_t (dir (getattr open search)))
    (allow utype efivarfs_t (file (ioctl read getattr lock open)))

    ; logind run-time state, read-only.
    (allow utype systemd_logind_var_run_t (dir (getattr open search)))
    (allow utype systemd_logind_var_run_t (dir (ioctl read getattr lock open search)))
    (allow utype systemd_logind_var_run_t (file (ioctl read getattr lock open)))

    ; systemd password agent: executed without a transition, and its
    ; run-time directory is read/write (files, sockets and fifos can be
    ; created and removed there). The agent may signull the user domain
    ; and send it datagrams.
    (allow utype systemd_passwd_agent_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))
    (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search)))
    (allow utype systemd_passwd_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads)))
    (allow utype systemd_passwd_var_run_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open)))
    (allow utype systemd_passwd_var_run_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open)))
    (allow systemd_passwd_agent_t utype (process (signull)))
    (allow systemd_passwd_agent_t utype (unix_dgram_socket (sendto)))

    ; Expected denials kept out of the audit log. These operations are
    ; still denied; dontaudit only suppresses the AVC message, so a tool
    ; probing setrlimit or the net_admin/sys_ptrace capabilities from this
    ; domain will not show up in audit when troubleshooting.
    (dontaudit utype self (process (setrlimit)))
    (dontaudit utype self (capability (sys_resource)))
    (dontaudit utype self (capability (net_admin sys_ptrace)))

    ; Clock adjustment state under /etc, read-only.
    (optional confined_use_basic_commands_optional_3
      (typeattributeset cil_gen_require adjtime_t)
      (typeattributeset cil_gen_require etc_t)
      (allow utype etc_t (dir (ioctl read getattr lock open search)))
      (allow utype adjtime_t (file (ioctl read getattr lock open)))
    )

    ; man-db index cache may be mmapped.
    (optional confined_use_basic_commands_optional_4
      (typeattributeset cil_gen_require mandb_cache_t)
      (allow utype mandb_cache_t (file (map)))
    )

    ; passwd: running passwd_exec_t transitions to passwd_t, and the user
    ; role is added to passwd_roles so that transition is permitted.
    (optional confined_use_basic_commands_optional_5
      (roleattributeset cil_gen_require passwd_roles)
      (typeattributeset cil_gen_require bin_t)
      (typeattributeset cil_gen_require passwd_t)
      (typeattributeset cil_gen_require passwd_exec_t)
      (roleattributeset passwd_roles (urole ))
      (allow utype bin_t (dir (getattr open search)))
      (allow utype bin_t (lnk_file (read getattr)))
      (allow utype passwd_exec_t (file (ioctl read getattr map execute open)))
      (allow utype passwd_t (process (transition)))
      (typetransition utype passwd_exec_t process passwd_t)
      ; passwd_t inherits the caller's descriptors and pipes and reports
      ; its exit back with sigchld.
      (allow passwd_t utype (fd (use)))
      (allow passwd_t utype (fifo_file (ioctl read write getattr lock append)))
      (allow passwd_t utype (process (sigchld)))
    )
  )
)
;(call confinedom_admin_commands_macro (u_t u_r u_sudo_t))
;(call confinedom_graphical_login_macro (u_t u_r u_dbus_t))
;(call confinedom_mozilla_usage_macro (u_t u_r))
;(call confinedom_networking_macro (u_t u_r))
;(call confinedom_security_advanced_macro (u_t u_r u_sudo_t u_userhelper_t))
;(call confinedom_security_basic_macro (u_t u_r))
;(call confinedom_sudo_macro (u_t u_r u_sudo_t u_sudo_tmp_t))
;(call confinedom_user_login_macro (u_t u_r u_gkeyringd_t u_dbus_t u_exec_content))
;(call confined_ssh_connect_macro (u_t u_r u_ssh_agent_t))
;(call confined_use_basic_commands_macro (u_t u_r))