Hu
fade960df6
* Use new kanidm interfaces
* Initial module for kanidm
* Update bootupd policy
* Allow rhsmcertd read/write access to /dev/papr-sysparm
* Label /dev/papr-sysparm and /dev/papr-vpd
* Allow abrt-dump-journal-core connect to winbindd
* Allow systemd-hostnamed shut down nscd
* Allow systemd-pstore send a message to syslogd over a unix domain
* Allow postfix_domain map postfix_etc_t files
* Allow microcode create /sys/devices/system/cpu/microcode/reload
* Allow rhsmcertd read, write, and map ica tmpfs files
* Support SGX devices
* Allow initrc_t transition to passwd_t
* Update fstab and cryptsetup generators policy
* Allow xdm_t read and write the dma device
* Update stalld policy for bpf usage
* Allow systemd_gpt_generator to getattr on DOS directories
* Make cgroup_memory_pressure_t a part of the file_type attribute
* Allow ssh_t to change role to system_r
* Update policy for coreos generators
* Allow init_t nnp domain transition to firewalld_t
* Label /run/modprobe.d with modules_conf_t
* Allow virtnodedevd run udev with a domain transition
* Allow virtnodedev_t create and use virtnodedev_lock_t
* Allow virtstoraged manage files with virt_content_t type
* Allow virtqemud unmount a filesystem with extended attributes
* Allow svirt_t connect to unconfined_t over a unix domain socket
* Update afterburn file transition policy
* Allow systemd_generator read attributes of all filesystems
* Allow fstab-generator read and write cryptsetup-generator unit file
* Allow cryptsetup-generator read and write fstab-generator unit file
* Allow systemd_generator map files in /etc
* Allow systemd_generator read init's process state
* Allow coreos-installer-generator read sssd public files
* Allow coreos-installer-generator work with partitions
* Label /etc/mdadm.conf.d with mdadm_conf_t
* Confine coreos generators
* Label /run/metadata with afterburn_runtime_t
* Allow afterburn list ssh home directory
* Label samba certificates with samba_cert_t
* Label /run/coreos-installer-reboot with coreos_installer_var_run_t
* Allow virtqemud read virt-dbus process state
* Allow staff user dbus chat with virt-dbus
* Allow staff use watch /run/systemd
* Allow systemd_generator to write kmsg
* Allow virtqemud connect to sanlock over a unix stream socket
* Allow virtqemud relabel virt_var_run_t directories
* Allow svirt_tcg_t read vm sysctls
* Allow virtnodedevd connect to systemd-userdbd over a unix socket
* Allow svirt read virtqemud fifo files
* Allow svirt attach_queue to a virtqemud tun_socket
* Allow virtqemud run ssh client with a transition
* Allow virt_dbus_t connect to virtqemud_t over a unix stream socket
* Update keyutils policy
* Allow sshd_keygen_t connect to userdbd over a unix stream socket
* Allow postfix-smtpd read mysql config files
* Allow locate stream connect to systemd-userdbd
* Allow the staff user use wireshark
* Allow updatedb connect to userdbd over a unix stream socket
* Allow gpg_t set attributes of public-keys.d
* Allow gpg_t get attributes of login_userdomain stream
* Allow systemd_getty_generator_t read /proc/1/environ
* Allow systemd_getty_generator_t to read and write to tty_device_t
* Drop publicfile module
* Remove permissive domain for systemd_nsresourced_t
* Change fs_dontaudit_write_cgroup_files() to apply to cgroup_t
* Label /usr/bin/samba-gpupdate with samba_gpupdate_exec_t
* Allow to create and delete socket files created by rhsm.service
* Allow virtnetworkd exec shell when virt_hooks_unconfined is on
* Allow unconfined_service_t transition to passwd_t
* Support /var is empty
* Allow abrt-dump-journal read all non_security socket files
* Allow timemaster write to sysfs files
* Dontaudit domain write cgroup files
* Label /usr/lib/node_modules/npm/bin with bin_t
* Allow ip the setexec permission
* Allow systemd-networkd write files in /var/lib/systemd/network
* Fix typo in systemd_nsresourced_prog_run_bpf()

OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=248
381 lines
5.1 KiB
Plaintext
# Layer: kernel
# Module: bootloader
#
# Policy for the kernel modules, kernel image, and bootloader.
#
bootloader = module

# Layer: kernel
# Module: corenetwork
# Required in base
#
# Policy controlling access to network objects
#
corenetwork = base

# Layer: admin
# Module: dmesg
#
# Policy for dmesg.
#
dmesg = module

# Layer: admin
# Module: netutils
#
# Network analysis utilities
#
netutils = module

# Layer: admin
# Module: sudo
#
# Execute a command with a substitute user
#
sudo = module

# Layer: admin
# Module: su
#
# Run shells with substitute user and group
#
su = module

# Layer: admin
# Module: usermanage
#
# Policy for managing user accounts.
#
usermanage = module

# Layer: apps
# Module: seunshare
#
# seunshare executable
#
seunshare = module

# Layer: kernel
# Module: corecommands
# Required in base
#
# Core policy for shells, and generic programs
# in /bin, /sbin, /usr/bin, and /usr/sbin.
#
corecommands = base

# Module: devices
# Required in base
#
# Device nodes and interfaces for many basic system devices.
#
devices = base

# Module: domain
# Required in base
#
# Core policy for domains.
#
domain = base

# Layer: system
# Module: userdomain
#
# Policy for user domains
#
userdomain = module

# Module: files
# Required in base
#
# Basic filesystem types and interfaces.
#
files = base

# Module: filesystem
# Required in base
#
# Policy for filesystems.
#
filesystem = base

# Module: kernel
# Required in base
#
# Policy for kernel threads, proc filesystem, and unlabeled processes and objects.
#
kernel = base

# Module: mcs
# Required in base
#
# MultiCategory security policy
#
mcs = base

# Module: mls
# Required in base
#
# Multilevel security policy
#
mls = base

# Module: selinux
# Required in base
#
# Policy for kernel security interface, in particular, selinuxfs.
#
selinux = base

# Layer: kernel
# Module: storage
#
# Policy controlling access to storage devices
#
storage = base

# Module: terminal
# Required in base
#
# Policy for terminals.
#
terminal = base

# Layer: kernel
# Module: ubac
#
#
#
ubac = base

# Layer: kernel
# Module: unlabelednet
#
# The unlabelednet module.
#
unlabelednet = module

# Layer: role
# Module: auditadm
#
# auditadm account on tty logins
#
auditadm = module

# Layer: role
# Module: logadm
#
# Minimally privileged root role for managing logging system
#
logadm = module

# Layer: role
# Module: secadm
#
# secadm account on tty logins
#
secadm = module

# Layer: role
# Module: staff
#
# admin account
#
staff = module

# Layer: role
# Module: sysadm_secadm
#
# System Administrator with Security Admin rules
#
sysadm_secadm = module

# Layer: role
# Module: sysadm
#
# System Administrator
#
sysadm = module

# Layer: role
# Module: unprivuser
#
# Minimally privileged guest account on tty logins
#
unprivuser = module

# Layer: services
# Module: postgresql
#
# PostgreSQL relational database
#
postgresql = module

# Layer: services
# Module: ssh
#
# Secure shell client and server policy.
#
ssh = module

# Layer: services
# Module: xserver
#
# X windows login display manager
#
xserver = module

# Module: application
# Required in base
#
# Defines attributes and interfaces for all user applications
#
application = module

# Layer: system
# Module: authlogin
#
# Common policy for authentication and user login.
#
authlogin = module

# Layer: system
# Module: clock
#
# Policy for reading and setting the hardware clock.
#
clock = module

# Layer: system
# Module: fstools
#
# Tools for filesystem management, such as mkfs and fsck.
#
fstools = module

# Layer: system
# Module: getty
#
# Policy for getty.
#
getty = module

# Layer: system
# Module: hostname
#
# Policy for changing the system host name.
#
hostname = module

# Layer: system
# Module: init
#
# System initialization programs (init and init scripts).
#
init = module

# Layer: system
# Module: ipsec
#
# TCP/IP encryption
#
ipsec = module

# Layer: system
# Module: iptables
#
# Policy for iptables.
#
iptables = module

# Layer: system
# Module: libraries
#
# Policy for system libraries.
#
libraries = module

# Layer: system
# Module: locallogin
#
# Policy for local logins.
#
locallogin = module

# Layer: system
# Module: logging
#
# Policy for the kernel message logger and system logging daemon.
#
logging = module

# Layer: system
# Module: lvm
#
# Policy for logical volume management programs.
#
lvm = module

# Layer: system
# Module: miscfiles
#
# Miscellaneous files.
#
miscfiles = module

# Layer: system
# Module: modutils
#
# Policy for kernel module utilities
#
modutils = module

# Layer: system
# Module: mount
#
# Policy for mount.
#
mount = module

# Layer: system
# Module: netlabel
#
# Basic netlabel types and interfaces.
#
netlabel = module

# Layer: system
# Module: selinuxutil
#
# Policy for SELinux policy and userland applications.
#
selinuxutil = module

# Module: setrans
# Required in base
#
# Policy for setrans
#
setrans = module

# Layer: system
# Module: sysnetwork
#
# Policy for network configuration: ifconfig and dhcp client.
#
sysnetwork = module

# Layer: system
# Module: systemd
#
# Policy for systemd components
#
systemd = module

# Layer: system
# Module: udev
#
# Policy for udev.
#
udev = module