updated selinux policy; hopefully services are no longer started as

sau_t after restart
This commit is contained in:
Fredrik Eriksson 2020-03-01 08:20:41 +01:00
parent 8a29ab82b0
commit 994b93e3b4
Signed by: feffe
GPG Key ID: 18524638BE25530A

View File

@ -23,14 +23,35 @@ role system_r types sau_t;
domain_auto_transition_pattern(sysadm_t, sau_exec_t, sau_t)
domain_auto_transition_pattern(system_cronjob_t, sau_exec_t, sau_t)
# this should be fixed, but I don't know enough selinux magic to restrict this
# while still allowing it to inspect all open files for all processes
unconfined_domain_noaudit(sau_t)
domain_use_interactive_fds(sau_t)
userdom_use_user_ptys(sau_t)
userdom_use_all_users_fds(sau_t)
# required for python
corecmd_mmap_bin_files(sau_t)
kernel_read_system_state(sau_t)
domain_read_all_domains_state(sau_t)
allow sau_t self:capability sys_ptrace;
init_startstop_all_script_services(sau_t)
init_all_labeled_script_domtrans(sau_t)
init_use_script_ptys(sau_t)
miscfiles_read_localization(sau_t)
logging_send_syslog_msg(sau_t)
allow sau_t self:fifo_file { read write };
corecmd_exec_shell(sau_t)
corecmd_exec_bin(sau_t)
init_manage_script_service(sau_t)
init_read_script_status_files(sau_t)
allow sau_t initrc_state_t:lnk_file { getattr read };
allow sau_t initrc_state_t:dir { search read };
# Gentoo specific
portage_domtrans(sau_t)
# postfix
postfix_admin(sau_t, system_r)
dontaudit sau_t self:fifo_file { getattr ioctl };