forked from pool/selinux-policy
cbd186764a
- Moved back to fedora policy (20190802) - Removed spec file conditionals for old SELinux userland - Removed config.tgz - Removed patches: * label_sysconfig.selinux.patch * label_var_run_rsyslog.patch * suse_additions_obs.patch * suse_additions_sslh.patch * suse_modifications_apache.patch * suse_modifications_cron.patch * suse_modifications_getty.patch * suse_modifications_logging.patch * suse_modifications_ntp.patch * suse_modifications_usermanage.patch * suse_modifications_virt.patch * suse_modifications_xserver.patch * sysconfig_network_scripts.patch * segenxml_interpreter.patch - Added patches: * fix_djbdns.patch * fix_dbus.patch * fix_gift.patch * fix_java.patch * fix_hadoop.patch * fix_thunderbird.patch * postfix_paths.patch * fix_nscd.patch * fix_sysnetwork.patch * fix_logging.patch * fix_xserver.patch OBS-URL: https://build.opensuse.org/request/show/734854 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=73
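policy_module(minimum_temp_fixes, 1.0)

# Temporary allow rules, apparently collected from audit2allow output (note the
# "#============= domain ==============" section markers), that keep a policy
# store bootable with systemd, sshd, getty and the dbus daemons while the
# proper fixes land in the upstream modules. Every rule in this file widens the
# policy; none of them tightens it, so treat each one as a TODO rather than as
# a permanent grant.
#
# Maintenance notes:
#   - This file passes through m4 before checkpolicy parses it. Comments must
#     therefore avoid apostrophes, backticks and the names of refpolicy macros,
#     otherwise m4 will rewrite them.
#   - Nearly every rule below targets the nscd object class on
#     unconfined_service_t. The nscd permission checks are made against the
#     domain of the running nscd daemon, so this implies that nscd is running
#     as unconfined_service_t in this store, i.e. the nscd module is not
#     loaded. The same applies to the dbus services addressed as
#     unconfined_service_t. Once the real modules are present these rules are
#     dead weight; prefer loading the modules over extending this file.
#   - Rules flagged with NOTE(review) below are the ones that weaken the
#     system the most and should be the first to be replaced.

require {
	type sshd_t;
	type lib_t;
	type init_t;
	type unconfined_t;
	type systemd_localed_t;
	type systemd_logind_t;
	type unconfined_service_t;
	type chkpwd_t;
	type bin_t;
	type fsadm_t;
	type getty_t;
	type systemd_tmpfiles_t;
	type systemd_systemctl_exec_t;
	type unconfined_dbusd_t;
	type rtkit_daemon_t;
	type system_dbusd_t;
	class dir mounton;
	class dbus { acquire_svc send_msg };
	class nscd { getgrp shmemgrp shmemhost shmempwd getpwd gethost getserv shmemserv };
	class process { execmem transition };
	# execmod was previously declared here as well but no rule uses it.
	class file entrypoint;
}

#============= chkpwd_t ==============
# Password helper domain. Presumably this is unix_chkpwd doing passwd lookups
# through nscd (shared-memory and socket variants) - confirm.
allow chkpwd_t unconfined_service_t:nscd { shmempwd getpwd };
# The nscd shared-memory databases live under /var/lib, hence map + read.
files_map_var_lib_files(chkpwd_t)
files_read_var_lib_files(chkpwd_t)
# Writing to generic runtime sockets; most likely the nscd socket under /run,
# which is unlabelled because the nscd module is missing - confirm.
files_write_generic_pid_sockets(chkpwd_t)

#============= fsadm_t ==============
# Filesystem administration tools resolving users and groups via nscd.
allow fsadm_t unconfined_service_t:nscd { shmemgrp shmempwd };

#============= getty_t ==============
# getty resolving group information through nscd, same pattern as chkpwd_t.
allow getty_t unconfined_service_t:nscd shmemgrp;
files_map_var_lib_files(getty_t)
files_read_var_lib_files(getty_t)
files_write_generic_pid_sockets(getty_t)

#============= init_t ==============
# systemd (PID 1).
# Mounting on top of binary and library directories; presumably unit sandboxing
# (bind mounts / read-only views) - confirm which units trigger this.
allow init_t bin_t:dir mounton;
allow init_t lib_t:dir mounton;
# NOTE(review): execmem on PID 1 disables the W^X protection for the most
# privileged process on the system. Find the component that needs anonymous
# executable memory and fix it there rather than keeping this grant.
allow init_t self:process execmem;
# dbus traffic with services that still run as unconfined_service_t.
allow init_t unconfined_service_t:dbus { acquire_svc send_msg };
# Full nscd access: user, group, host and service lookups.
allow init_t unconfined_service_t:nscd { gethost getserv shmemhost shmemserv shmemgrp shmempwd getpwd };
# Read/write access to generic spool and /var content that is not labelled
# more specifically in this store.
files_manage_generic_spool(init_t)
corenet_udp_bind_generic_node(init_t)
files_map_var_lib_files(init_t)
files_read_var_files(init_t)
files_manage_var_files(init_t)
# NOTE(review): raw read access to removable block devices from PID 1 is a
# broad grant (disk contents bypass filesystem labelling). Identify the unit
# or generator that caused the denial and give it its own domain instead.
storage_raw_read_removable_device(init_t)

#============= sshd_t ==============
# sshd resolving users, groups and hosts through nscd.
allow sshd_t unconfined_service_t:nscd { shmemgrp shmemhost shmempwd getgrp getpwd };
# NOTE(review): this lets sshd execute files carrying the generic runtime
# (pid) file label under /run. A writable runtime directory combined with
# execute permission is a classic privilege-escalation foothold; find out what
# is executed from /run and give it a proper executable label.
files_exec_generic_pid_files(sshd_t)
files_map_var_lib_files(sshd_t)
files_read_var_lib_files(sshd_t)
files_write_generic_pid_sockets(sshd_t)
# dbus communication with unconfined services (probably PAM session setup via
# logind while logind is not confined in this store) - confirm.
unconfined_server_dbus_chat(sshd_t)

#============= systemd_localed_t ==============
# systemd-localed needs the bus and a writable runtime socket, both of which
# are still owned by unconfined domains here.
allow systemd_localed_t unconfined_service_t:dbus { acquire_svc send_msg };
files_write_generic_pid_sockets(systemd_localed_t)

#============= systemd_logind_t ==============
# systemd-logind: bus access, user lookups through nscd and the shared-memory
# databases under /var/lib.
allow systemd_logind_t unconfined_service_t:dbus { acquire_svc send_msg };
allow systemd_logind_t unconfined_service_t:nscd { shmempwd getpwd };
files_map_var_lib_files(systemd_logind_t)
files_read_var_lib_files(systemd_logind_t)
files_write_generic_pid_sockets(systemd_logind_t)
# Grants logind dbus access to its own domain; this is most likely already
# covered by the systemd module and could be dropped - confirm before removing.
systemd_dbus_chat_logind(systemd_logind_t)

#============= systemd_tmpfiles_t ==============
# systemd-tmpfiles presumably resolves the user and group fields of its
# configuration entries through nscd - confirm.
allow systemd_tmpfiles_t unconfined_service_t:nscd { getpwd getgrp shmemgrp shmempwd };
files_map_var_lib_files(systemd_tmpfiles_t)

#============= unconfined_service_t ==============
# NOTE(review): a domain transition from unconfined_service_t to unconfined_t.
# No confinement is lost because both are unconfined, but this file does not
# say which executable is used as the entrypoint nor does it add a type
# transition, so the transition happens only where some other rule requests
# it. Track down that caller; the real fix belongs in its module.
allow unconfined_service_t unconfined_t:process transition;
# Bus traffic between unconfined services and systemd.
init_dbus_chat(unconfined_service_t)
unconfined_server_dbus_chat(unconfined_service_t)

#============= unconfined_t ==============
# Lets the systemctl binary act as an entrypoint into unconfined_t. For an
# unconfined domain this adds no privilege, but it usually indicates a missing
# transition rule elsewhere (systemctl being executed from another domain that
# ends up in unconfined_t) - confirm.
allow unconfined_t systemd_systemctl_exec_t:file entrypoint;
# Full nscd access for the unconfined user domain.
allow unconfined_t unconfined_service_t:nscd { shmemgrp shmempwd getgrp gethost getpwd getserv shmemhost shmemserv };

#============= unconfined_dbusd_t ==============
# User and group lookups via nscd for the unconfined session bus.
allow unconfined_dbusd_t unconfined_service_t:nscd { getgrp getpwd shmemgrp shmempwd };

#============= rtkit_daemon_t ==============
# rtkit resolving users via nscd.
allow rtkit_daemon_t unconfined_service_t:nscd { getpwd shmempwd };

#============= system_dbusd_t ==============
# The system bus resolving users and groups (bus policy checks) via nscd.
allow system_dbusd_t unconfined_service_t:nscd { getgrp getpwd shmemgrp shmempwd };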