cjdns/cjdns.selinux.patch

diff -up ./contrib/selinux/cjdns.te.selinux ./contrib/selinux/cjdns.te
--- ./contrib/selinux/cjdns.te.selinux 2019-05-02 04:02:32.000000000 -0400
+++ ./contrib/selinux/cjdns.te 2019-08-15 22:23:18.807845457 -0400
@@ -7,8 +7,9 @@ require {
type port_t;
type unreserved_port_t;
type tmp_t;
- type kernel_t;
type passwd_file_t;
+ type net_conf_t;
+ type sssd_var_lib_t;
}
type cjdns_t;
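Review bot: The hunk header `@@ -7,8 +7,9 @@ require {` announces 8 old and 9 new lines, but only 7 old lines (`type port_t;` through `type cjdns_t;`) and 8 new lines are present in this hunk, so either a blank context line between `}` and `type cjdns_t;` was dropped in this copy or the header counts are stale; `patch` verifies these counts and will reject the hunk if the file really is as shown, so it is worth re-generating the patch with `diff -up` rather than editing it by hand. The removal of `type kernel_t;` from the require block is consistent with the later hunk dropping the `module_request` rule, and `net_conf_t` / `sssd_var_lib_t` are the types the new rules in that hunk reference, so the declarations and uses appear to match. The second hunk runs past the end of the visible text, so its trailing lines could not be checked here.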
@@ -17,24 +18,26 @@ init_daemon_domain(cjdns_t,cjdns_exec_t)
#============= cjdns_t ==============
# Let master process run further restricted subprocess
-allow cjdns_t cjdns_exec_t:file { execute_no_trans execmod };
-allow cjdns_t self:capability { net_admin net_raw setuid setgid sys_chroot sys_module };
+allow cjdns_t cjdns_exec_t:file { execute_no_trans execmod map };
+allow cjdns_t self:capability { net_admin net_raw setuid setgid sys_chroot };
allow cjdns_t self:process { signal getcap setrlimit setcap };
-allow cjdns_t kernel_t:system module_request;
# translate username to uid
allow cjdns_t passwd_file_t:file { read getattr open };
+# should not need sssd to lookup uid for local uid
+dontaudit cjdns_t sssd_var_lib_t:dir search;
+# translate host names
+allow cjdns_t net_conf_t:file { read getattr open };
# allow network access
allow cjdns_t node_t:udp_socket node_bind;
allow cjdns_t port_t:udp_socket name_bind;
allow cjdns_t unreserved_port_t:udp_socket name_bind;
-allow cjdns_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow cjdns_t self:netlink_route_socket { bind create getattr nlmsg_read read write nlmsg_write };
allow cjdns_t self:packet_socket { bind create ioctl read write };
allow cjdns_t self:tun_socket create;
-allow cjdns_t self:udp_socket { create setopt bind ioctl getattr read write };
+allow cjdns_t self:udp_socket { create setopt bind ioctl getattr read write connect };
allow cjdns_t tun_tap_device_t:chr_file { read write open ioctl };
-
# management API
allow cjdns_t self:unix_stream_socket connectto;
allow cjdns_t tmp_t:sock_file { write create unlink };