Diffstat (limited to 'gallery.te')
-rw-r--r-- | gallery.te | 84 |
1 files changed, 84 insertions, 0 deletions
diff --git a/gallery.te b/gallery.te
new file mode 100644
index 0000000..5d70175
--- /dev/null
+++ b/gallery.te
@@ -0,0 +1,84 @@
+# Last modified 2021-01-30
+module gallery 1.0;
+
+require {
+ type faillog_t;
+ type security_t;
+ type httpd_config_t;
+ type init_t;
+ type sssd_t;
+ type mnt_t;
+ type lastlog_t;
+ type systemd_logind_sessions_t;
+ type initrc_var_run_t;
+ type tmpfs_t;
+ type gconf_home_t;
+ type chkpwd_t;
+ type systemd_logind_t;
+ type unconfined_t;
+ type shadow_t;
+ type httpd_sys_script_t;
+ type sssd_selinux_manager_t;
+ type sssd_conf_t;
+ type var_t;
+ type httpd_t;
+ class capability { audit_write dac_read_search net_admin setgid setuid sys_resource };
+ class process { noatsecure rlimitinh setrlimit siginh };
+ class netlink_audit_socket { create nlmsg_relay read write };
+ class netlink_selinux_socket { bind create };
+ class passwd rootok;
+ class dir { add_name read remove_name search write };
+ class file { create execute execute_no_trans setattr getattr link lock map open read unlink write ioctl };
+ class dbus send_msg;
+ class fifo_file write;
+ class security compute_av;
+ class lnk_file read;
+ class filesystem getattr;
+ class process setfscreate;
+}
+
+#============= httpd_sys_script_t ==============
+allow httpd_sys_script_t faillog_t:file { open read };
+allow httpd_sys_script_t var_t:file { create ioctl setattr unlink write };
+allow httpd_sys_script_t var_t:dir { read add_name remove_name write };
+
+#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
+allow httpd_sys_script_t gconf_home_t:file map;
+allow httpd_sys_script_t gconf_home_t:file { execute execute_no_trans };
+allow httpd_sys_script_t httpd_config_t:dir search;
+allow httpd_sys_script_t initrc_var_run_t:file { lock open read };
+allow httpd_sys_script_t lastlog_t:file { open read write };
+allow httpd_sys_script_t mnt_t:lnk_file read;
+allow httpd_sys_script_t security_t:dir read;
+allow httpd_sys_script_t security_t:file { getattr open read write };
+allow httpd_sys_script_t security_t:security compute_av;
+allow httpd_sys_script_t self:capability { audit_write dac_read_search net_admin setgid setuid sys_resource };
+allow httpd_sys_script_t self:netlink_audit_socket { create nlmsg_relay read write };
+allow httpd_sys_script_t self:netlink_selinux_socket { bind create };
+allow httpd_sys_script_t self:passwd rootok;
+allow httpd_sys_script_t self:process setrlimit;
+allow httpd_sys_script_t shadow_t:file { getattr open read };
+allow httpd_sys_script_t sssd_conf_t:dir search;
+allow httpd_sys_script_t sssd_conf_t:file { getattr open read };
+allow httpd_sys_script_t systemd_logind_sessions_t:fifo_file write;
+allow httpd_sys_script_t systemd_logind_t:dbus send_msg;
+allow httpd_sys_script_t tmpfs_t:dir { add_name remove_name write };
+
+#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
+allow httpd_sys_script_t tmpfs_t:file map;
+allow httpd_sys_script_t tmpfs_t:file { create getattr link open read unlink write };
+allow httpd_sys_script_t tmpfs_t:filesystem getattr;
+allow httpd_sys_script_t self:process setfscreate;
+
+#============= init_t ==============
+allow init_t chkpwd_t:process siginh;
+allow init_t unconfined_t:process siginh;
+
+#============= sssd_t ==============
+allow sssd_t sssd_selinux_manager_t:process { noatsecure rlimitinh siginh };
+
+#============= systemd_logind_t ==============
+allow systemd_logind_t httpd_sys_script_t:dbus send_msg;
+
+#============= httpd_t ==============
+allow httpd_t var_t:file { getattr map open read }; |
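Review bot: `allow httpd_sys_script_t shadow_t:file { getattr open read };`, together with `allow httpd_sys_script_t self:passwd rootok;` and `allow httpd_sys_script_t self:capability { audit_write dac_read_search net_admin setgid setuid sys_resource };`, lets the web-facing CGI domain read /etc/shadow and change uid/gid, which removes the confinement that makes httpd_sys_script_t worth having — any bug in the gallery application then exposes every local password hash. The rules read like an audit2allow dump of an in-process PAM login; the reference policy's intended route is to run the password check through unix_chkpwd in chkpwd_t (a type this hunk already requires), so those three rules plus the lastlog_t/faillog_t write and read rules should come out and the authentication step should go through that domain transition or into a dedicated domain for the authenticating component. The init_t and sssd_t `siginh`/`noatsecure`/`rlimitinh` rules and the two `#!!!!`-marked `map` rules look like the usual generated noise: the former are, as far as I can tell, dontaudit'ed in distribution policy and can be dropped, and the latter need either the system-wide `domain_can_mmap_files` boolean or a comment justifying a module-local grant. A header comment stating which application path needs each rule group would make the module reviewable, e.g. `# gallery: PAM authentication via unix_chkpwd; no direct shadow_t access`.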