-#
-# /usr
-#
+/etc/readahead.d(/.*)? gen_context(system_u:object_r:readahead_etc_rw_t,s0)
+
/usr/sbin/readahead -- gen_context(system_u:object_r:readahead_exec_t,s0)
-policy_module(readahead,1.3.1)
+policy_module(readahead,1.3.2)
########################################
#
init_daemon_domain(readahead_t,readahead_exec_t)
application_domain(readahead_t,readahead_exec_t)
+type readahead_etc_rw_t;
+files_pid_file(readahead_etc_rw_t)
+
type readahead_var_run_t;
files_pid_file(readahead_var_run_t)
# Local policy
#
-dontaudit readahead_t self:capability { dac_override dac_read_search sys_tty_config };
+allow readahead_t self:capability { dac_override dac_read_search };
+dontaudit readahead_t self:capability sys_tty_config;
allow readahead_t self:process signal_perms;
+manage_files_pattern(readahead_t,readahead_etc_rw_t,readahead_etc_rw_t)
+
manage_files_pattern(readahead_t,readahead_var_run_t,readahead_var_run_t)
files_pid_filetrans(readahead_t,readahead_var_run_t,file)
dev_dontaudit_read_all_blk_files(readahead_t)
dev_dontaudit_getattr_memory_dev(readahead_t)
dev_dontaudit_getattr_nvram_dev(readahead_t)
-storage_dontaudit_getattr_fixed_disk_dev(readahead_t)
+storage_raw_read_fixed_disk(readahead_t)
domain_use_interactive_fds(readahead_t)
libs_use_shared_libs(readahead_t)
logging_send_syslog_msg(readahead_t)
+logging_dontaudit_search_audit_config(readahead_t)
miscfiles_read_localization(readahead_t)
term_dontaudit_use_generic_ptys(readahead_t)
')
+optional_policy(`
+ cron_system_entry(readahead_t, readahead_exec_t)
+')
+
optional_policy(`
seutil_sigchld_newrole(readahead_t)
')
type crack_db_t;
')
- allow $1 crack_db_t:file read_file_perms;
+ read_files_pattern($1,crack_db_t,crack_db_t)
')
-policy_module(usermanage,1.7.1)
+policy_module(usermanage,1.7.2)
########################################
#
allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
allow groupadd_t self:unix_dgram_socket sendto;
allow groupadd_t self:unix_stream_socket connectto;
-allow groupadd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
fs_getattr_xattr_fs(groupadd_t)
fs_search_auto_mountpoints(groupadd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(groupadd_t)
+logging_send_audit_msgs(groupadd_t)
logging_send_syslog_msg(groupadd_t)
miscfiles_read_localization(groupadd_t)
dpkg_rw_pipes(groupadd_t)
')
+optional_policy(`
+ nscd_domtrans(groupadd_t)
+')
+
optional_policy(`
rpm_use_fds(groupadd_t)
rpm_rw_pipes(groupadd_t)
# Passwd local policy
#
-allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource audit_control audit_write };
+allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow passwd_t self:process { setrlimit setfscreate };
allow passwd_t self:fd use;
allow passwd_t self:unix_stream_socket create_stream_socket_perms;
allow passwd_t self:unix_dgram_socket sendto;
allow passwd_t self:unix_stream_socket connectto;
-allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow passwd_t self:shm create_shm_perms;
allow passwd_t self:sem create_sem_perms;
allow passwd_t self:msgq create_msgq_perms;
libs_use_ld_so(passwd_t)
libs_use_shared_libs(passwd_t)
+logging_send_audit_msgs(passwd_t)
logging_send_syslog_msg(passwd_t)
miscfiles_read_localization(passwd_t)
optional_policy(`
nscd_socket_use(passwd_t)
+ nscd_domtrans(passwd_t)
')
########################################
optional_policy(`
nscd_socket_use(sysadm_passwd_t)
+ nscd_domtrans(sysadm_passwd_t)
')
########################################
# Useradd local policy
#
-allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource audit_write };
+allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
allow useradd_t self:unix_stream_socket create_stream_socket_perms;
allow useradd_t self:unix_dgram_socket sendto;
allow useradd_t self:unix_stream_socket connectto;
-allow useradd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
# for getting the number of groups
kernel_read_kernel_sysctls(useradd_t)
libs_use_ld_so(useradd_t)
libs_use_shared_libs(useradd_t)
+logging_send_audit_msgs(useradd_t)
logging_send_syslog_msg(useradd_t)
miscfiles_read_localization(useradd_t)
dpkg_rw_pipes(useradd_t)
')
+optional_policy(`
+ nscd_domtrans(useradd_t)
+')
+
optional_policy(`
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
-policy_module(loadkeys,1.1.0)
+policy_module(loadkeys,1.1.1)
########################################
#
files_read_etc_runtime_files(loadkeys_t)
term_dontaudit_use_console(loadkeys_t)
- term_dontaudit_use_unallocated_ttys(loadkeys_t)
+ term_use_unallocated_ttys(loadkeys_t)
init_dontaudit_use_script_ptys(loadkeys_t)
locallogin_use_fds(loadkeys_t)
miscfiles_read_localization(loadkeys_t)
+
+ optional_policy(`
+ nscd_dontaudit_search_pid(loadkeys_t)
+ ')
')
allow $1 setroubleshoot_var_run_t:sock_file write;
allow $1 setroubleshootd_t:unix_stream_socket connectto;
')
+
+########################################
+## <summary>
+## Dontaudit attempts to connect to setroubleshootd
+## over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`setroubleshoot_dontaudit_stream_connect',`
+ gen_require(`
+ type setroubleshootd_t, setroubleshoot_var_run_t;
+ ')
+
+ dontaudit $1 setroubleshoot_var_run_t:sock_file write;
+ dontaudit $1 setroubleshootd_t:unix_stream_socket connectto;
+')
-policy_module(setroubleshoot,1.4.0)
+policy_module(setroubleshoot,1.4.1)
########################################
#
allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow setroubleshootd_t self:unix_dgram_socket create_socket_perms;
-allow setroubleshootd_t self:netlink_route_socket r_netlink_socket_perms;
# database files
allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr;
files_getattr_all_dirs(setroubleshootd_t)
files_getattr_all_files(setroubleshootd_t)
+fs_getattr_all_dirs(setroubleshootd_t)
+fs_getattr_all_files(setroubleshootd_t)
+
selinux_get_enforce_mode(setroubleshootd_t)
selinux_validate_context(setroubleshootd_t)
term_dontaudit_use_all_user_ptys(setroubleshootd_t)
term_dontaudit_use_all_user_ttys(setroubleshootd_t)
+auth_use_nsswitch(setroubleshootd_t)
+
init_read_utmp(setroubleshootd_t)
init_dontaudit_write_utmp(setroubleshootd_t)
rpm_dontaudit_manage_db(setroubleshootd_t)
rpm_use_script_fds(setroubleshootd_t)
')
-
-optional_policy(`
- nis_use_ypbind(setroubleshootd_t)
-')
allow $1 auditd_etc_t:dir list_dir_perms;
')
+########################################
+## <summary>
+## dontaudit search of auditd configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_dontaudit_search_audit_config',`
+ gen_require(`
+ type auditd_etc_t;
+ ')
+
+ dontaudit $1 auditd_etc_t:dir search_dir_perms;
+')
+
########################################
## <summary>
## Allows the domain to open a file in the
-policy_module(logging,1.7.2)
+policy_module(logging,1.7.3)
########################################
#
-policy_module(netlabel,1.0.1)
+policy_module(netlabel,1.0.2)
########################################
#
kernel_read_network_state(netlabel_mgmt_t)
+files_read_etc_files(netlabel_mgmt_t)
+
libs_use_ld_so(netlabel_mgmt_t)
libs_use_shared_libs(netlabel_mgmt_t)