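# requiredmod -- local SELinux policy module adding allow rules for a set of
# system domains (getty, local login, sshd, several systemd helpers, udev,
# and a few filesystem types).
#
# The "#============= <domain> ==============" section layout is the one
# audit2allow emits, so this module was presumably generated from AVC
# denials -- verify each rule against the denial that motivated it before
# loading (TODO confirm origin).
#
# The require block lists only the types, classes and permissions that the
# allow rules below actually reference; declarations that no rule used
# (policy_config_t, file_context_t, semanage_t, selinux_config_t, and the
# file permissions relabelfrom/relabelto) have been dropped, and a duplicated
# "getattr" in the file class was removed.
module requiredmod 1.0;

require {
	# types referenced by the allow rules below
	type auditd_etc_t;
	type getty_t;
	type var_run_t;
	type tmpfs_t;
	type local_login_t;
	type systemd_tmpfiles_t;
	type init_runtime_t;
	type devpts_t;
	type kernel_t;
	type device_t;
	type udev_t;
	type hugetlbfs_t;
	type udev_tbl_t;
	type tmp_t;
	type unconfined_t;
	type var_lib_t;
	type systemd_userdbd_runtime_t;
	type systemd_user_runtime_dir_t;
	type systemd_sessions_t;
	type systemd_userdbd_t;
	type etc_runtime_t;
	type systemd_logind_t;
	type initrc_runtime_t;
	type sshd_t;

	# object classes and the permission subsets the rules need
	class dir { write add_name remove_name getattr open read search };
	class file { getattr open read write create ioctl lock setattr unlink };
	class sock_file write;
	class unix_stream_socket { read write ioctl connectto };
	class capability2 block_suspend;
	class filesystem { associate quotaget quotamod };
	class key { link search };
	class process { noatsecure rlimitinh siginh transition };
}

#============= getty_t ==============
# read-only access to tmpfs directories, runtime files and initrc runtime dirs
allow getty_t tmpfs_t:dir { getattr open read };
allow getty_t var_run_t:file { getattr open read };
allow getty_t initrc_runtime_t:dir { getattr open read };

#============= local_login_t ==============
# talks to init's runtime socket and to systemd-logind
allow local_login_t init_runtime_t:sock_file write;
allow local_login_t systemd_logind_t:unix_stream_socket connectto;
# full create/modify/delete on files labelled with the generic var_lib_t
# NOTE(review): var_lib_t covers all of /var/lib that has no more specific
# label; a dedicated type for the path that triggered the denial would be
# narrower -- confirm which file was involved
allow local_login_t var_lib_t:dir { add_name remove_name };
allow local_login_t var_lib_t:file { create getattr lock open read setattr unlink write };

#============= sshd_t ==============
allow sshd_t local_login_t:key { link search };
allow sshd_t systemd_logind_t:unix_stream_socket connectto;
# inheritance permissions towards unconfined_t: noatsecure (skip AT_SECURE),
# rlimitinh (inherit rlimits) and siginh (inherit signal state)
# NOTE(review): reference policy normally gates sshd -> unconfined sessions
# behind a boolean; check whether an existing boolean already covers this
# before keeping a custom allow -- TODO confirm
allow sshd_t unconfined_t:process { noatsecure rlimitinh siginh };

#============= systemd_tmpfiles_t ==============
# lookups under the auditd configuration directory, no file content access
allow systemd_tmpfiles_t auditd_etc_t:dir search;
allow systemd_tmpfiles_t auditd_etc_t:file getattr;

#============= systemd_sessions_t ==============
# read kernel_t-labelled files (reached via directory search)
allow systemd_sessions_t kernel_t:dir search;
allow systemd_sessions_t kernel_t:file { getattr ioctl open read };

#============= systemd_user_runtime_dir_t ==============
allow systemd_user_runtime_dir_t etc_runtime_t:file { open read };
allow systemd_user_runtime_dir_t kernel_t:dir search;
allow systemd_user_runtime_dir_t kernel_t:file { getattr ioctl open read };
# userdb lookups through systemd-userdbd's runtime socket
allow systemd_user_runtime_dir_t systemd_userdbd_runtime_t:sock_file write;
allow systemd_user_runtime_dir_t systemd_userdbd_t:unix_stream_socket connectto;
allow systemd_user_runtime_dir_t tmp_t:dir read;
# query and change quotas on tmpfs filesystems (user runtime dirs are tmpfs)
allow systemd_user_runtime_dir_t tmpfs_t:filesystem { quotaget quotamod };

#============= systemd_userdbd_t ==============
allow systemd_userdbd_t initrc_runtime_t:dir { getattr open read search };

#============= devpts_t ==============
# let devpts-labelled objects live on device_t filesystems
allow devpts_t device_t:filesystem associate;

#============= hugetlbfs_t ==============
allow hugetlbfs_t device_t:filesystem associate;

#============= kernel_t ==============
allow kernel_t self:capability2 block_suspend;

#============= tmpfs_t ==============
allow tmpfs_t device_t:filesystem associate;

#============= udev_t ==============
allow udev_t kernel_t:unix_stream_socket { read write ioctl };
# add entries to udev table directories (write + add_name only; no remove_name)
allow udev_t udev_tbl_t:dir { write add_name };
allow udev_t var_run_t:sock_file write;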