- # SELinux Type Enforcement (.te) policy module "ptunnel-ng".
- # The layout (require block, then "#===== <domain> =====" sections with
- # "#!!!! ... boolean" hints) is the form audit2allow emits, so each rule below
- # presumably mirrors one logged AVC denial rather than a designed policy —
- # confirm each against the original audit entries before loading the module.
- # NOTE(review): none of the domains below is the tunnelling daemon itself;
- # the module widens bootloader_t, dpkg_script_t, local_login_t, lvm_t and
- # unconfined_t, so the name does not describe what it grants.
- module ptunnel-ng 1.0;
- # Types, classes and permissions this module references; every one must
- # already exist in the loaded base policy or the module fails to link.
- require {
- type local_login_t;
- type file_context_t;
- type unconfined_t;
- type lvm_t;
- type bin_t;
- type gpmctl_t;
- type tracefs_t;
- type dpkg_script_t;
- type xconsole_device_t;
- type modules_object_t;
- type initrc_var_run_t;
- type var_run_t;
- type debugfs_t;
- type udev_var_run_t;
- type bootloader_t;
- type tmp_t;
- type fsadm_run_t;
- class file { create execmod execute execute_no_trans getattr link open read rename setattr unlink write };
- class capability sys_module;
- class dir { add_name getattr remove_name search write };
- class fifo_file getattr;
- class sock_file getattr;
- class system module_load;
- }
- #============= bootloader_t ==============
- # Directory searches and read-only access to file contexts / udev runtime
- # files; comparatively low risk, but only needed if the bootloader tooling
- # really traverses debugfs/tracefs — verify against the AVCs.
- allow bootloader_t debugfs_t:dir search;
- allow bootloader_t file_context_t:dir search;
- allow bootloader_t file_context_t:file { getattr open read };
- # Full create/rename/unlink/write on fsadm_run_t content: bootloader_t can
- # now replace whatever fsadm tooling keeps in that location.
- allow bootloader_t fsadm_run_t:dir { add_name getattr remove_name write };
- allow bootloader_t fsadm_run_t:file { create getattr link open read rename setattr unlink write };
- allow bootloader_t gpmctl_t:sock_file getattr;
- # NOTE(review): the next two rules together let bootloader_t load kernel
- # modules (system:module_load on modules_object_t plus CAP_SYS_MODULE on
- # itself). That is a kernel-level privilege; check that the denial came from
- # the bootloader path itself and not from a helper it happened to exec.
- allow bootloader_t modules_object_t:system module_load;
- allow bootloader_t self:capability sys_module;
- # NOTE(review): executes files labelled tmp_t inside the bootloader_t domain
- # with no domain transition (execute_no_trans), so any file that ends up in
- # tmp_t can run with bootloader_t's permissions, including the module-load
- # rights granted just above. A file transition to a dedicated type for the
- # helper, or relabelling it, would be narrower than this blanket grant.
- allow bootloader_t tmp_t:file { execute execute_no_trans getattr open read };
- allow bootloader_t tracefs_t:dir search;
- allow bootloader_t udev_var_run_t:file { getattr open read };
- allow bootloader_t xconsole_device_t:fifo_file getattr;
- #============= dpkg_script_t ==============
- #!!!! This avc can be allowed using the boolean 'allow_execmod'
- # The hint above is audit2allow's: execmod on bin_t permits executing a
- # modified (copy-on-write) mapping of a system binary. Toggling the named
- # boolean is reversible and needs no custom module, unlike this allow rule.
- allow dpkg_script_t bin_t:file execmod;
- #============= local_login_t ==============
- # Write/rename/unlink on var_run_t and initrc_var_run_t files (conventionally
- # runtime state under /run — confirm for this system); login gaining delete
- # rights over generic runtime files is broader than a single session file.
- allow local_login_t initrc_var_run_t:file unlink;
- allow local_login_t var_run_t:dir { add_name remove_name write };
- allow local_login_t var_run_t:file { getattr open read rename unlink };
- #============= lvm_t ==============
- # Lets lvm_t create entries in initrc_var_run_t directories (no file
- # permissions on the created entries are granted here).
- allow lvm_t initrc_var_run_t:dir { add_name getattr write };
- #============= unconfined_t ==============
- #!!!! This avc can be allowed using the boolean 'allow_execmod'
- # Same execmod grant as for dpkg_script_t; the boolean covers both cases, so
- # if it is enabled these two allow rules become redundant.
- allow unconfined_t bin_t:file execmod;