commit b60031f4bc571b593f4148d7543ce14c51d42ef3
Author: Sam Hadow
Date: Mon Feb 2 10:36:58 2026 +0100
initial commit
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..90895e4
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+*.pp
+*.mod
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..95807d5
--- /dev/null
+++ b/README.md
@@ -0,0 +1,9 @@
+## loading a module
+
+(replace module with the module filename)
+
+```bash
+checkmodule -m -o module.mod module.te
+semodule_package -o module.pp -m module.mod
+semodule -i module.pp
+```
diff --git a/requiredmod.te b/requiredmod.te
new file mode 100644
index 0000000..d41c345
--- /dev/null
+++ b/requiredmod.te
@@ -0,0 +1,94 @@
+module requiredmod 1.0;
+
+require {
+ type auditd_etc_t;
+ type getty_t;
+ type var_run_t;
+ type tmpfs_t;
+ type local_login_t;
+ type systemd_tmpfiles_t;
+ type init_runtime_t;
+ type devpts_t;
+ type kernel_t;
+ type device_t;
+ type udev_t;
+ type hugetlbfs_t;
+ type udev_tbl_t;
+ type policy_config_t;
+ type tmp_t;
+ type unconfined_t;
+ type var_lib_t;
+ type systemd_userdbd_runtime_t;
+ type systemd_user_runtime_dir_t;
+ type systemd_sessions_t;
+ type systemd_userdbd_t;
+ type etc_runtime_t;
+ type systemd_logind_t;
+ type file_context_t;
+ type semanage_t;
+ type selinux_config_t;
+ type initrc_runtime_t;
+ type sshd_t;
+ class dir { write add_name remove_name getattr open read search };
+ class file { getattr open read write create getattr ioctl lock relabelfrom relabelto setattr unlink };
+ class sock_file write;
+ class unix_stream_socket { read write ioctl connectto};
+ class capability2 block_suspend;
+ class filesystem { associate quotaget quotamod };
+ class key { link search };
+ class process { noatsecure rlimitinh siginh transition };
+
+}
+
+#============= getty_t ==============
+allow getty_t tmpfs_t:dir { getattr open read };
+allow getty_t var_run_t:file { getattr open read };
+allow getty_t initrc_runtime_t:dir { getattr open read };
+
+#============= local_login_t ==============
+allow local_login_t init_runtime_t:sock_file write;
+allow local_login_t systemd_logind_t:unix_stream_socket connectto;
+allow local_login_t var_lib_t:dir { add_name remove_name };
+allow local_login_t var_lib_t:file { create getattr lock open read setattr unlink write };
+
+#============= sshd_t ==============
+allow sshd_t local_login_t:key { link search };
+allow sshd_t systemd_logind_t:unix_stream_socket connectto;
+allow sshd_t unconfined_t:process { noatsecure rlimitinh siginh };
+
+#============= systemd_tmpfiles_t ==============
+allow systemd_tmpfiles_t auditd_etc_t:dir search;
+allow systemd_tmpfiles_t auditd_etc_t:file getattr;
+
+#============= systemd_sessions_t ==============
+allow systemd_sessions_t kernel_t:dir search;
+allow systemd_sessions_t kernel_t:file { getattr ioctl open read };
+
+#============= systemd_user_runtime_dir_t ==============
+allow systemd_user_runtime_dir_t etc_runtime_t:file { open read };
+allow systemd_user_runtime_dir_t kernel_t:dir search;
+allow systemd_user_runtime_dir_t kernel_t:file { getattr ioctl open read };
+allow systemd_user_runtime_dir_t systemd_userdbd_runtime_t:sock_file write;
+allow systemd_user_runtime_dir_t systemd_userdbd_t:unix_stream_socket connectto;
+allow systemd_user_runtime_dir_t tmp_t:dir read;
+allow systemd_user_runtime_dir_t tmpfs_t:filesystem { quotaget quotamod };
+
+#============= systemd_userdbd_t ==============
+allow systemd_userdbd_t initrc_runtime_t:dir { getattr open read search };
+
+#============= devpts_t ==============
+allow devpts_t device_t:filesystem associate;
+
+#============= hugetlbfs_t ==============
+allow hugetlbfs_t device_t:filesystem associate;
+
+#============= kernel_t ==============
+allow kernel_t self:capability2 block_suspend;
+
+#============= tmpfs_t ==============
+allow tmpfs_t device_t:filesystem associate;
+
+#============= udev_t ==============
+allow udev_t kernel_t:unix_stream_socket { read write ioctl };
+allow udev_t udev_tbl_t:dir { write add_name };
+allow udev_t var_run_t:sock_file write;
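Review bot: `allow sshd_t unconfined_t:process { noatsecure rlimitinh siginh };` in the sshd_t section grants the three transition-inheritance permissions instead of silencing the denials; noatsecure in particular stops AT_SECURE from being set on the sshd_t → unconfined_t transition, and the reference policy's domain-transition pattern covers these with a dontaudit, so `dontaudit sshd_t unconfined_t:process { noatsecure rlimitinh siginh };` is the safer line unless the inheritance is actually needed. The rules against generic types — `allow local_login_t var_lib_t:file { create getattr lock open read setattr unlink write };`, `allow getty_t var_run_t:file { getattr open read };`, `allow systemd_user_runtime_dir_t tmp_t:dir read;` — read like audit2allow output for mislabeled paths, and the AVC's path= should be checked so the object gets a specific type (or a restorecon) rather than opening create/unlink/write on everything labeled var_lib_t. The require block also lists policy_config_t, file_context_t, semanage_t and selinux_config_t although no rule uses them, and `class file { getattr open read write create getattr ... }` repeats getattr; both compile but should be trimmed so the module declares only what it grants. A header comment stating that the rules were generated from audit2allow output and against which distribution policy version they were collected would let a later reviewer judge which ones are still required.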