initial commit
This commit is contained in:
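--- /dev/null
+++ b/requiredmod.te
@@ -0,0 +1,94 @@
+module requiredmod 1.0;
+
+require {
+type auditd_etc_t;
+type getty_t;
+type var_run_t;
+type tmpfs_t;
+type local_login_t;
+type systemd_tmpfiles_t;
+type init_runtime_t;
+type devpts_t;
+type kernel_t;
+type device_t;
+type udev_t;
+type hugetlbfs_t;
+type udev_tbl_t;
+type policy_config_t;
+type tmp_t;
+type unconfined_t;
+type var_lib_t;
+type systemd_userdbd_runtime_t;
+type systemd_user_runtime_dir_t;
+type systemd_sessions_t;
+type systemd_userdbd_t;
+type etc_runtime_t;
+type systemd_logind_t;
+type file_context_t;
+type semanage_t;
+type selinux_config_t;
+type initrc_runtime_t;
+type sshd_t;
+class dir { write add_name remove_name getattr open read search };
+class file { getattr open read write create getattr ioctl lock relabelfrom relabelto setattr unlink };
+class sock_file write;
+class unix_stream_socket { read write ioctl connectto};
+class capability2 block_suspend;
+class filesystem { associate quotaget quotamod };
+class key { link search };
+class process { noatsecure rlimitinh siginh transition };
+
+}
+
+#============= getty_t ==============
+allow getty_t tmpfs_t:dir { getattr open read };
+allow getty_t var_run_t:file { getattr open read };
+allow getty_t initrc_runtime_t:dir { getattr open read };
+
+#============= local_login_t ==============
+allow local_login_t init_runtime_t:sock_file write;
+allow local_login_t systemd_logind_t:unix_stream_socket connectto;
+allow local_login_t var_lib_t:dir { add_name remove_name };
+allow local_login_t var_lib_t:file { create getattr lock open read setattr unlink write };
+
+#============= sshd_t ==============
+allow sshd_t local_login_t:key { link search };
+allow sshd_t systemd_logind_t:unix_stream_socket connectto;
+allow sshd_t unconfined_t:process { noatsecure rlimitinh siginh };
+
+#============= systemd_tmpfiles_t ==============
+allow systemd_tmpfiles_t auditd_etc_t:dir search;
+allow systemd_tmpfiles_t auditd_etc_t:file getattr;
+
+#============= systemd_sessions_t ==============
+allow systemd_sessions_t kernel_t:dir search;
+allow systemd_sessions_t kernel_t:file { getattr ioctl open read };
+
+#============= systemd_user_runtime_dir_t ==============
+allow systemd_user_runtime_dir_t etc_runtime_t:file { open read };
+allow systemd_user_runtime_dir_t kernel_t:dir search;
+allow systemd_user_runtime_dir_t kernel_t:file { getattr ioctl open read };
+allow systemd_user_runtime_dir_t systemd_userdbd_runtime_t:sock_file write;
+allow systemd_user_runtime_dir_t systemd_userdbd_t:unix_stream_socket connectto;
+allow systemd_user_runtime_dir_t tmp_t:dir read;
+allow systemd_user_runtime_dir_t tmpfs_t:filesystem { quotaget quotamod };
+
+#============= systemd_userdbd_t ==============
+allow systemd_userdbd_t initrc_runtime_t:dir { getattr open read search };
+
+#============= devpts_t ==============
+allow devpts_t device_t:filesystem associate;
+
+#============= hugetlbfs_t ==============
+allow hugetlbfs_t device_t:filesystem associate;
+
+#============= kernel_t ==============
+allow kernel_t self:capability2 block_suspend;
+
+#============= tmpfs_t ==============
+allow tmpfs_t device_t:filesystem associate;
+
+#============= udev_t ==============
+allow udev_t kernel_t:unix_stream_socket { read write ioctl };
+allow udev_t udev_tbl_t:dir { write add_name };
+allow udev_t var_run_t:sock_file write;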
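Review bot: `allow sshd_t unconfined_t:process { noatsecure rlimitinh siginh };` grants more than a login transition needs: `noatsecure` tells the kernel not to set AT_SECURE on the exec into unconfined_t, so the dynamic loader keeps honouring environment such as LD_PRELOAD across the sshd-to-user domain change, and `rlimitinh`/`siginh` let the child inherit sshd's resource limits and pending signals. If the observed denial did not name `noatsecure`, `allow sshd_t unconfined_t:process { rlimitinh siginh };` is the safer form; keep `noatsecure` only with a comment citing the AVC denial that required it, and check whether the distribution policy already covers this path before carrying a local rule at all. The same audit2allow-shaped pattern recurs on generic types: local_login_t gets create/unlink/write on every `var_lib_t` file and udev_t/local_login_t get write on every `var_run_t`/`init_runtime_t` sock_file, which usually signals a mislabelled target that wants a dedicated type or a `filetrans` rule rather than a grant over the whole generic type. Separately, the require block imports `transition`, `relabelfrom relabelto`, `policy_config_t`, `file_context_t`, `semanage_t` and `selinux_config_t` that no rule below uses (and lists `getattr` twice in the `file` class); trimming them to what is actually referenced keeps the module's real reach reviewable.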