feffe/sau
1
0
Fork 0
Code Issues Pull Requests Projects Releases 20 Wiki Activity

make sau unconfined again... I admit defeat for now.

Browse Source
This commit is contained in:
Fredrik Eriksson 2020-04-13 10:22:05 +02:00
parent fd66a30de4
commit afa616916d
Signed by: feffe
GPG Key ID: 18524638BE25530A
1 changed files with 37 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
selinux/sau.te
View File

@ -16,6 +16,11 @@ domain_type(sau_t)
domain_entry_file(sau_t, sau_exec_t) domain_entry_file(sau_t, sau_exec_t)
files_config_file(sau_config_t) files_config_file(sau_config_t)
read_files_pattern(sau_t, etc_t, sau_config_t); read_files_pattern(sau_t, etc_t, sau_config_t);
read_files_pattern(sau_t, etc_t, etc_t)
files_read_etc_runtime_files(sau_t);
search_dirs_pattern(sau_t, etc_t, etc_runtime_t);
files_manage_generic_tmp_files(sau_t)
files_manage_generic_tmp_dirs(sau_t)
role sysadm_r types sau_t; role sysadm_r types sau_t;
role system_r types sau_t; role system_r types sau_t;
@ -29,31 +34,48 @@ userdom_use_all_users_fds(sau_t)
# required for python # required for python
corecmd_mmap_bin_files(sau_t) corecmd_mmap_bin_files(sau_t)
mmap_exec_files_pattern(sau_t, tmp_t, tmp_t);
kernel_read_system_state(sau_t) read_files_pattern(sau_t, usr_t, usr_t)
domain_read_all_domains_state(sau_t)
allow sau_t self:capability sys_ptrace;
init_startstop_all_script_services(sau_t)
init_all_labeled_script_domtrans(sau_t)
init_use_script_ptys(sau_t)
init_domtrans_script(sau_t)
init_domtrans_labeled_script(sau_t)
miscfiles_read_localization(sau_t) miscfiles_read_localization(sau_t)
logging_send_syslog_msg(sau_t) logging_send_syslog_msg(sau_t)
allow sau_t self:fifo_file { read write }; allow sau_t self:fifo_file { read write };
corecmd_exec_shell(sau_t) corecmd_exec_shell(sau_t)
corecmd_exec_bin(sau_t) corecmd_exec_bin(sau_t)
init_manage_script_service(sau_t) # list processes
init_read_script_status_files(sau_t) kernel_read_system_state(sau_t)
allow sau_t initrc_state_t:lnk_file { getattr read }; domain_read_all_domains_state(sau_t)
allow sau_t initrc_state_t:dir { search read }; allow sau_t self:capability sys_ptrace;
# I've tried it all; I don't know how to give sau permission to
# run init-scripts :(
#init_all_labeled_script_domtrans(sau_t)
#init_domtrans_script(sau_t)
#init_read_utmp(sau_t)
#init_signull_script(sau_t)
#init_startstop_all_script_services(sau_t)
#init_use_script_ptys(sau_t)
#init_domtrans_labeled_script(sau_t)
#init_manage_script_service(sau_t)
#init_read_script_status_files(sau_t)
#allow sau_t initrc_state_t:lnk_file { getattr read };
#allow sau_t initrc_state_t:dir { search read };
#init_admin(sau_t)
# FIXME: shouldn't have to be unconfined...
unconfined_domain(sau_t)
# allow during troubleshooting...
#files_getattr_all_dirs(sau_t)
#files_getattr_all_files(sau_t)
# Gentoo specific # Gentoo specific
portage_read_config(sau_t)
portage_read_ebuild(sau_t)
portage_read_db(sau_t)
portage_read_cache(sau_t)
portage_domtrans(sau_t) portage_domtrans(sau_t)
dontaudit sau_t self:fifo_file { getattr ioctl };