-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathtmp.te
1592 lines (1449 loc) · 74.6 KB
/
tmp.te
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
module tmp 1.0;
require {
type var_lib_t;
type dri_device_t;
type tty_device_t;
type policy_config_t;
type gnome_home_t;
type fs_t;
type chromium_t;
type sysctl_t;
type node_t;
type inspider_packet_t;
type autofs_device_t;
type getty_t;
type xkb_var_lib_t;
type etc_runtime_t;
type auditd_log_t;
type xdm_t;
type initrc_runtime_t;
type session_dbusd_tmp_t;
type staff_gkeyringd_t;
type ifconfig_t;
type sysctl_kernel_t;
type systemd_tmpfiles_conf_t;
type semanage_store_t;
type mplayer_home_t;
type telegram_exec_t;
type winbind_helper_exec_t;
type device_t;
type dosfs_t;
type wm_tmp_t;
type ssdp_packet_t;
type clock_device_t;
type chromium_sandbox_t;
type xserver_misc_device_t;
type vmware_file_t;
type lvm_runtime_t;
type ssh_agent_exec_t;
type lircd_runtime_t;
type dirmngr_t;
type xdg_documents_tmp_t;
type systemd_machined_t;
type user_dbusd_t;
type systemd_tmpfiles_t;
type gnome_xdg_config_t;
type staff_t;
type tmpfs_t;
type sysfs_t;
type java_t;
type bluetooth_t;
type dirmngr_home_t;
type file_context_t;
type systemd_cgtop_exec_t;
type dof_dps_mc_sec_packet_t;
type systemd_logind_t;
type xdg_documents_private_t;
type staff_systemd_t;
type systemd_locale_t;
type dnsmasq_t;
type semanage_trans_lock_t;
type systemd_homed_t;
type boot_t;
type udev_rules_t;
type lvm_t;
type secadm_git_t;
type systemd_backlight_t;
type usr_t;
type mesa_shader_cache_t;
type init_t;
type sshd_exec_t;
type dockerd_t;
type cgroup_t;
type syslogd_runtime_t;
type hpvroom_packet_t;
type gpg_secret_t;
type system_dbusd_var_lib_t;
type unreserved_port_t;
type gpg_pinentry_t;
type avahi_t;
type xdm_exec_t;
type home_root_t;
type vhost_device_t;
type var_run_t;
type kernel_t;
type user_t;
type udev_runtime_t;
type gpg_t;
type system_dbusd_t;
type gnome_keyring_tmp_t;
type selinux_config_t;
type tmosms1_packet_t;
type httpd_suexec_exec_t;
type container_runtime_t;
type sysctl_vm_t;
type user_tmpfs_t;
type pulseaudio_tmp_t;
type usb_device_t;
type udev_t;
type xdg_cache_t;
type evolution_t;
type xdg_data_t;
type telepathy_mission_control_t;
type sysctl_vm_overcommit_t;
type named_runtime_t;
type zero_device_t;
type fonts_cache_t;
type net_conf_t;
type systemd_homed_runtime_t;
type snort_t;
type systemd_machined_runtime_t;
type ora_oap_packet_t;
type auditd_t;
type httpd_runtime_t;
type thunderbird_home_t;
type bin_t;
type user_fonts_config_t;
type mouse_device_t;
type gpg_agent_t;
type vmware_host_pid_t;
type bootpc_packet_t;
type ntp_packet_t;
type auditd_runtime_t;
type evolution_xdg_config_t;
type fonts_t;
type www_http_packet_t;
type iptables_runtime_t;
type systemd_userdbd_runtime_t;
type spc_t;
type svnserve_exec_t;
type xdm_tmp_t;
type samba_etc_t;
type systemd_hostnamed_t;
type farenet_packet_t;
type gpiochip_device_t;
type local_login_t;
type fixed_disk_device_t;
type lo_netif_t;
type user_runtime_root_t;
type transproxy_port_t;
type vmware_device_t;
type saslauthd_keytab_t;
type kmod_t;
type mount_t;
type tmp_t;
type systemd_logind_runtime_t;
type restorecond_run_t;
type faillog_t;
type cert_t;
type shell_exec_t;
type sysctl_fs_t;
type imyx_packet_t;
type blackjack_packet_t;
type root_t;
type secadm_systemd_t;
type staff_dbusd_tmpfs_t;
type virtd_t;
type modules_object_t;
type user_tmp_t;
type sysctl_net_t;
type etc_t;
type efivarfs_t;
type staff_sudo_t;
type xdg_downloads_t;
type usbguard_runtime_t;
type ndm_agent_port_packet_t;
type fdtracks_packet_t;
type devicekit_runtime_t;
type svnserve_runtime_t;
type ssh_home_t;
type pam_runtime_t;
type virtlockd_exec_t;
type gpm_exec_t;
type cupsd_t;
type sdmmp_packet_t;
type git_xdg_config_t;
type mozilla_home_t;
type nvram_device_t;
type xdg_documents_archive_t;
type devicekit_disk_t;
type domain_packet_t;
type user_fonts_cache_t;
type system_dbusd_runtime_t;
type default_t;
type devpts_t;
type syslogd_t;
type smbd_exec_t;
type mount_runtime_t;
type restorecond_t;
type staff_git_t;
type caerpc_packet_t;
type local_ephemeral_port_t;
type vmware_host_t;
type user_cert_t;
type scsi_generic_device_t;
type initrc_t;
type unlabeled_t;
type locale_t;
type lib_t;
type modules_dep_t;
type bis_sync_packet_t;
type init_runtime_t;
type xfs_tmp_t;
type mnt_t;
type xdg_pictures_t;
type systemd_logind_inhibit_runtime_t;
type wine_home_t;
type systemd_user_runtime_dir_t;
type getty_runtime_t;
type user_runtime_t;
type setfiles_t;
type fuse_device_t;
type hwdata_t;
type boolean_t;
type systemd_user_tmpfs_t;
type mplayer_xdg_cache_t;
type chromium_tmp_t;
type xdg_documents_t;
type ssh_t;
type mplayer_xdg_config_t;
type pulseaudio_xdg_config_t;
type java_home_t;
type nsfs_t;
type uhid_device_t;
type initrc_exec_t;
type personal_agent_packet_t;
type ppp_device_t;
type staff_dbusd_t;
type lvm_control_t;
type usbguard_t;
type semanage_read_lock_t;
type loop_control_device_t;
type gpg_runtime_t;
type watchdog_device_t;
type user_systemd_t;
type dp_bura_packet_t;
type usbguard_tmpfs_t;
type evolution_tmpfs_t;
type session_dbusd_runtime_t;
type iso9660_t;
type https_packet_t;
type policykit_t;
type user_home_dir_t;
type xdg_documents_school_t;
type rdmnet_ctrl_packet_t;
type xdm_var_lib_t;
type dmidecode_t;
type dhcpc_runtime_t;
type snmpd_exec_t;
type NetworkManager_t;
type telegram_t;
type http_port_t;
type devlog_t;
type secadm_sudo_t;
type systemd_tmpfiles_exec_t;
type vmware_host_exec_t;
type systemd_notify_exec_t;
type kmsg_device_t;
type wm_tmpfs_t;
type xdg_documents_work_t;
type v4l_device_t;
type tpm_device_t;
type user_home_t;
type pam_motd_runtime_t;
type staff_wm_t;
type ip_provision_packet_t;
type imaps_packet_t;
type usbguard_rules_t;
type fsdaemon_exec_t;
type chromium_tmpfs_t;
type ssh_packet_t;
type security_t;
type systemd_homework_t;
type kvm_device_t;
type mdns_packet_t;
type systemd_sessions_runtime_t;
type pmqos_device_t;
type user_tty_device_t;
type filenet_obrok_packet_t;
type secadm_t;
type event_device_t;
type virtlogd_exec_t;
type proc_psi_t;
type policykit_auth_t;
type samba_runtime_t;
type var_t;
type proc_t;
type xserver_port_t;
type systemd_user_runtime_t;
type iptables_t;
type framebuf_device_t;
type snort_exec_t;
type tmo_icon_sync_packet_t;
type shadow_t;
type xdg_music_t;
type ntpd_t;
type bootps_packet_t;
type xdg_config_t;
type systemd_journal_t;
type systemd_userdbd_t;
class file { append create execmod execute execute_no_trans getattr ioctl link lock map mounton open read relabelfrom relabelto rename setattr unlink watch watch_reads write };
class netif egress;
class node sendto;
class peer recv;
class packet { recv send };
class dir { add_name create getattr ioctl mounton open read remove_name rename rmdir search setattr watch write };
class chr_file { append execute getattr ioctl lock map open read unlink write };
class tcp_socket { connect create getattr getopt name_bind name_connect node_bind read setopt write };
class lnk_file { getattr read };
class unix_stream_socket { connectto getattr ioctl read write };
class fifo_file { getattr ioctl read write };
class blk_file { getattr ioctl open read write };
class capability { dac_read_search fowner linux_immutable net_admin setpcap sys_admin sys_module sys_ptrace sys_rawio sys_resource };
class user_namespace create;
class cap_userns { dac_override dac_read_search net_admin setfcap setpcap setuid sys_admin };
class netlink_route_socket { bind create getattr getopt nlmsg_read nlmsg_write read setopt write };
class process { execmem getattr getcap getsched noatsecure ptrace rlimitinh setsched siginh sigkill signal signull };
class sock_file { create getattr write };
class filesystem { getattr mount remount unmount };
class binder { call set_context_mgr transfer };
class security { load_policy read_policy setenforce };
class fd use;
class key search;
class udp_socket node_bind;
class unix_dgram_socket { create sendto write };
class msgq { associate read unix_read unix_write write };
class sem { associate read unix_read unix_write write };
class msg { receive send };
class perf_event { cpu open write };
class rawip_socket node_bind;
}
#============= NetworkManager_t ==============
allow NetworkManager_t bootpc_packet_t:packet recv;
allow NetworkManager_t bootps_packet_t:packet send;
allow NetworkManager_t systemd_machined_t:unix_stream_socket connectto;
allow NetworkManager_t unlabeled_t:node sendto;
#============= auditd_t ==============
allow auditd_t systemd_machined_t:unix_stream_socket connectto;
#============= avahi_t ==============
allow avahi_t sysctl_t:netif egress;
allow avahi_t systemd_homed_runtime_t:sock_file write;
allow avahi_t systemd_homed_t:unix_stream_socket connectto;
allow avahi_t systemd_machined_t:unix_stream_socket connectto;
allow avahi_t unlabeled_t:node sendto;
allow avahi_t unlabeled_t:packet { recv send };
allow avahi_t unlabeled_t:udp_socket node_bind;
#============= bluetooth_t ==============
allow bluetooth_t uhid_device_t:chr_file { getattr open read write };
#============= chromium_t ==============
allow chromium_t boolean_t:file { open read };
allow chromium_t caerpc_packet_t:packet recv;
allow chromium_t chromium_tmpfs_t:file execute;
#!!!! This avc can be allowed using the boolean 'chromium_read_system_info'
allow chromium_t etc_runtime_t:file { getattr open read };
allow chromium_t filenet_obrok_packet_t:packet recv;
allow chromium_t hpvroom_packet_t:packet send;
allow chromium_t inspider_packet_t:packet recv;
allow chromium_t ip_provision_packet_t:packet recv;
allow chromium_t lo_netif_t:netif egress;
allow chromium_t local_ephemeral_port_t:tcp_socket name_connect;
allow chromium_t locale_t:dir watch;
allow chromium_t mdns_packet_t:packet { recv send };
allow chromium_t ndm_agent_port_packet_t:packet recv;
allow chromium_t node_t:tcp_socket name_connect;
allow chromium_t proc_psi_t:dir search;
allow chromium_t proc_psi_t:file { getattr open read };
allow chromium_t pulseaudio_tmp_t:dir read;
#!!!! This avc can be allowed using one of the these booleans:
# chromium_read_all_user_content, chromium_manage_all_user_content
allow chromium_t pulseaudio_xdg_config_t:dir search;
#!!!! This avc can be allowed using one of the these booleans:
# chromium_read_all_user_content, chromium_manage_all_user_content
allow chromium_t pulseaudio_xdg_config_t:file { open read };
allow chromium_t security_t:dir search;
allow chromium_t ssdp_packet_t:packet send;
allow chromium_t staff_wm_t:unix_stream_socket ioctl;
allow chromium_t sysctl_t:netif egress;
allow chromium_t systemd_machined_t:unix_stream_socket connectto;
allow chromium_t unlabeled_t:node sendto;
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
# mlsconstrain packet { recv } ((l1 dom l2 -Fail-) or (t1 == mlsnetreadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsnetread -Fail-) ); Constraint DENIED
# Possible cause is the source user (staff_u) and target user (system_u) are different.
# Possible cause is the source level (s0-s14:c0.c1023) and target level (s15:c0.c1023) are different.
allow chromium_t unlabeled_t:packet recv;
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
# mlsconstrain peer { recv } ((l1 dom l2 -Fail-) or (t1 == mlsnetreadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsnetread -Fail-) ); Constraint DENIED
# Possible cause is the source user (staff_u) and target user (system_u) are different.
# Possible cause is the source level (s0-s14:c0.c1023) and target level (s15:c0.c1023) are different.
allow chromium_t unlabeled_t:peer recv;
allow chromium_t unlabeled_t:udp_socket node_bind;
#!!!! This avc can be allowed using the boolean 'chromium_rw_usb_dev'
allow chromium_t usb_device_t:chr_file { ioctl open read write };
allow chromium_t user_home_t:file map;
allow chromium_t v4l_device_t:chr_file { getattr ioctl open read };
allow chromium_t var_lib_t:dir read;
allow chromium_t var_lib_t:file { getattr map open read };
#============= cupsd_t ==============
allow cupsd_t self:capability net_admin;
allow cupsd_t systemd_machined_t:unix_stream_socket connectto;
allow cupsd_t unlabeled_t:tcp_socket node_bind;
#============= devicekit_disk_t ==============
#!!!! This avc can be allowed using the boolean 'authlogin_nsswitch_use_ldap'
allow devicekit_disk_t cert_t:file { open read };
allow devicekit_disk_t lvm_control_t:chr_file open;
allow devicekit_disk_t lvm_runtime_t:dir { add_name remove_name write };
allow devicekit_disk_t lvm_runtime_t:file { create lock open read unlink write };
allow devicekit_disk_t mount_runtime_t:dir { add_name remove_name write };
allow devicekit_disk_t mount_runtime_t:file { create rename setattr unlink watch watch_reads };
allow devicekit_disk_t mount_t:process { noatsecure rlimitinh siginh };
allow devicekit_disk_t selinux_config_t:lnk_file read;
allow devicekit_disk_t sysctl_kernel_t:dir search;
allow devicekit_disk_t sysctl_kernel_t:file read;
allow devicekit_disk_t systemd_homed_runtime_t:sock_file write;
allow devicekit_disk_t systemd_homed_t:unix_stream_socket connectto;
allow devicekit_disk_t systemd_logind_inhibit_runtime_t:fifo_file write;
allow devicekit_disk_t systemd_logind_t:fd use;
allow devicekit_disk_t systemd_machined_t:unix_stream_socket connectto;
allow devicekit_disk_t systemd_sessions_runtime_t:file open;
#============= dirmngr_t ==============
allow dirmngr_t bin_t:dir search;
#============= dnsmasq_t ==============
allow dnsmasq_t bootpc_packet_t:packet send;
allow dnsmasq_t bootps_packet_t:packet recv;
allow dnsmasq_t sysctl_t:netif egress;
allow dnsmasq_t systemd_machined_t:unix_stream_socket connectto;
allow dnsmasq_t unlabeled_t:node sendto;
allow dnsmasq_t unlabeled_t:packet { recv send };
allow dnsmasq_t unlabeled_t:tcp_socket node_bind;
allow dnsmasq_t unlabeled_t:udp_socket node_bind;
allow dnsmasq_t var_lib_t:file { append getattr open read write };
#============= dockerd_t ==============
allow dockerd_t iptables_t:process { noatsecure rlimitinh siginh };
allow dockerd_t kmod_t:process { noatsecure rlimitinh siginh };
#!!!! This avc can be allowed using the boolean 'container_mounton_non_security'
allow dockerd_t security_t:dir search;
allow dockerd_t spc_t:process { noatsecure rlimitinh siginh };
#!!!! This avc can be allowed using one of the these booleans:
# container_mounton_non_security, container_use_nfs
allow dockerd_t sysctl_fs_t:dir search;
allow dockerd_t systemd_machined_t:unix_stream_socket connectto;
allow dockerd_t unlabeled_t:tcp_socket node_bind;
#============= evolution_t ==============
allow evolution_t blackjack_packet_t:packet send;
allow evolution_t cgroup_t:file { open read };
allow evolution_t device_t:chr_file { getattr ioctl open read };
allow evolution_t devpts_t:filesystem mount;
allow evolution_t domain_packet_t:packet send;
allow evolution_t dri_device_t:chr_file { getattr ioctl map open read write };
allow evolution_t etc_runtime_t:file { getattr open read };
allow evolution_t etc_t:dir watch;
allow evolution_t etc_t:file map;
allow evolution_t evolution_tmpfs_t:dir { create mounton };
allow evolution_t evolution_tmpfs_t:file mounton;
allow evolution_t evolution_xdg_config_t:file map;
allow evolution_t fonts_t:dir mounton;
allow evolution_t fs_t:filesystem { getattr remount unmount };
#!!!! This avc can be allowed using one of the these booleans:
# evolution_read_all_user_content, evolution_manage_all_user_content
allow evolution_t gnome_xdg_config_t:dir { getattr search };
#!!!! This avc can be allowed using one of the these booleans:
# evolution_read_all_user_content, evolution_manage_all_user_content
allow evolution_t gnome_xdg_config_t:file { getattr open read };
allow evolution_t gnome_xdg_config_t:file map;
allow evolution_t gpg_t:process { noatsecure rlimitinh siginh };
allow evolution_t imaps_packet_t:packet send;
allow evolution_t imyx_packet_t:packet send;
allow evolution_t lib_t:dir mounton;
allow evolution_t lib_t:file execute_no_trans;
allow evolution_t lo_netif_t:netif egress;
allow evolution_t locale_t:file mounton;
#!!!! This avc can be allowed using one of the these booleans:
# evolution_read_all_user_content, evolution_manage_all_user_content
allow evolution_t mesa_shader_cache_t:dir { getattr search };
#!!!! This avc can be allowed using the boolean 'evolution_manage_all_user_content'
allow evolution_t mesa_shader_cache_t:file { getattr open read write };
allow evolution_t mesa_shader_cache_t:file map;
allow evolution_t nsfs_t:file getattr;
allow evolution_t proc_t:filesystem mount;
allow evolution_t pulseaudio_tmp_t:dir getattr;
#!!!! This avc can be allowed using one of the these booleans:
# evolution_read_all_user_content, evolution_manage_all_user_content
allow evolution_t pulseaudio_xdg_config_t:dir getattr;
allow evolution_t root_t:dir mounton;
allow evolution_t security_t:filesystem getattr;
allow evolution_t self:capability { net_admin setpcap sys_admin sys_ptrace };
allow evolution_t selinux_config_t:dir search;
allow evolution_t selinux_config_t:lnk_file read;
allow evolution_t session_dbusd_runtime_t:sock_file write;
allow evolution_t staff_t:process signull;
allow evolution_t staff_wm_t:unix_stream_socket { getattr ioctl read write };
allow evolution_t sysctl_t:netif egress;
allow evolution_t sysctl_vm_overcommit_t:file { open read };
allow evolution_t sysctl_vm_t:dir search;
allow evolution_t sysctl_vm_t:file { getattr open read };
allow evolution_t sysfs_t:dir read;
allow evolution_t sysfs_t:file { getattr open read };
allow evolution_t sysfs_t:filesystem { getattr remount };
allow evolution_t sysfs_t:lnk_file { getattr read };
allow evolution_t systemd_homed_runtime_t:sock_file write;
allow evolution_t systemd_homed_t:unix_stream_socket connectto;
allow evolution_t systemd_machined_t:unix_stream_socket connectto;
allow evolution_t systemd_user_runtime_t:dir { getattr mounton search };
allow evolution_t systemd_user_runtime_t:sock_file write;
allow evolution_t tmp_t:dir mounton;
allow evolution_t tmpfs_t:filesystem { mount remount unmount };
allow evolution_t unlabeled_t:node sendto;
allow evolution_t unlabeled_t:packet recv;
allow evolution_t unlabeled_t:peer recv;
allow evolution_t unreserved_port_t:tcp_socket name_connect;
#!!!! This avc can be allowed using one of the these booleans:
# evolution_manage_user_certs, evolution_manage_all_user_content
allow evolution_t user_cert_t:dir { add_name remove_name write };
#!!!! This avc can be allowed using one of the these booleans:
# evolution_manage_user_certs, evolution_manage_all_user_content
allow evolution_t user_cert_t:file { append create rename unlink write };
allow evolution_t user_home_t:file map;
allow evolution_t user_runtime_t:dir { add_name create remove_name write };
allow evolution_t user_runtime_t:file { create open read unlink write };
allow evolution_t user_runtime_t:sock_file { create getattr write };
#!!!! This avc can be allowed using one of the these booleans:
# evolution_manage_generic_user_content, evolution_manage_all_user_content
allow evolution_t user_tmp_t:dir { add_name write };
#!!!! This avc can be allowed using one of the these booleans:
# evolution_manage_generic_user_content, evolution_manage_all_user_content
allow evolution_t user_tmp_t:file { create write };
allow evolution_t user_tmp_t:file map;
allow evolution_t usr_t:dir { mounton watch };
allow evolution_t v4l_device_t:chr_file { getattr ioctl open read write };
allow evolution_t var_lib_t:dir watch;
allow evolution_t var_lib_t:file { getattr map open };
allow evolution_t winbind_helper_exec_t:file execute;
allow evolution_t wm_tmpfs_t:file { map read write };
allow evolution_t xdg_cache_t:dir watch;
#!!!! This avc can be allowed using one of the these booleans:
# evolution_read_all_user_content, evolution_manage_all_user_content
allow evolution_t xdg_cache_t:file { getattr lock open read unlink write };
#!!!! This avc can be allowed using the boolean 'evolution_manage_all_user_content'
allow evolution_t xdg_cache_t:sock_file write;
allow evolution_t xdg_config_t:dir watch;
#!!!! This avc can be allowed using one of the these booleans:
# evolution_read_all_user_content, evolution_manage_all_user_content
allow evolution_t xdg_config_t:file { append getattr lock open read };
allow evolution_t xdg_data_t:dir watch;
#!!!! This avc can be allowed using one of the these booleans:
# evolution_read_all_user_content, evolution_manage_all_user_content
allow evolution_t xdg_data_t:file { getattr open read };
allow evolution_t xdg_data_t:file map;
#!!!! This avc can be allowed using one of the these booleans:
# evolution_read_all_user_content, evolution_manage_all_user_content
allow evolution_t xdg_data_t:lnk_file read;
allow evolution_t xkb_var_lib_t:dir { getattr read search };
allow evolution_t xkb_var_lib_t:file { getattr map open read };
#============= gpg_agent_t ==============
allow gpg_agent_t gpg_pinentry_t:process { noatsecure rlimitinh siginh };
allow gpg_agent_t sysfs_t:filesystem getattr;
allow gpg_agent_t udev_runtime_t:dir search;
allow gpg_agent_t udev_runtime_t:file { getattr open read };
#============= gpg_pinentry_t ==============
allow gpg_pinentry_t gpg_t:dir search;
allow gpg_pinentry_t gpg_t:file { getattr open read };
allow gpg_pinentry_t security_t:filesystem getattr;
allow gpg_pinentry_t selinux_config_t:dir search;
allow gpg_pinentry_t selinux_config_t:lnk_file read;
allow gpg_pinentry_t staff_systemd_t:fd use;
allow gpg_pinentry_t staff_systemd_t:unix_stream_socket { read write };
#============= gpg_t ==============
allow gpg_t staff_t:msg { receive send };
allow gpg_t staff_t:msgq { associate read unix_read unix_write write };
allow gpg_t staff_t:sem { associate read unix_read unix_write write };
#============= ifconfig_t ==============
allow ifconfig_t security_t:filesystem getattr;
allow ifconfig_t self:capability sys_module;
allow ifconfig_t selinux_config_t:dir search;
allow ifconfig_t selinux_config_t:lnk_file read;
#============= init_t ==============
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
# mlsconstrain node { sendto } ((l1 dom l2 -Fail-) and (l1 domby h2) or (t1 == mlsnetoutbound -Fail-) ); Constraint DENIED
# Possible cause is the source level (s0-s15:c0.c1023) and target level (s15:c0.c1023) are different.
allow init_t unlabeled_t:node sendto;
#============= initrc_t ==============
allow initrc_t self:binder { call set_context_mgr transfer };
allow initrc_t self:perf_event { cpu open write };
#!!!! This avc can be allowed using one of the these booleans:
# allow_execmem, allow_execstack
allow initrc_t self:process execmem;
allow initrc_t staff_t:binder { call transfer };
allow initrc_t unlabeled_t:file execmod;
#============= java_t ==============
allow java_t blackjack_packet_t:packet recv;
allow java_t cgroup_t:dir search;
allow java_t cgroup_t:file { getattr open read };
allow java_t domain_packet_t:packet send;
allow java_t https_packet_t:packet send;
allow java_t imyx_packet_t:packet recv;
allow java_t lo_netif_t:netif egress;
#!!!! This avc can be allowed using the boolean 'allow_java_execstack'
allow java_t self:process execmem;
allow java_t sysctl_t:netif egress;
allow java_t systemd_machined_t:unix_stream_socket connectto;
allow java_t transproxy_port_t:tcp_socket name_bind;
allow java_t unlabeled_t:node sendto;
allow java_t unlabeled_t:packet { recv send };
allow java_t unlabeled_t:peer recv;
allow java_t unlabeled_t:tcp_socket node_bind;
allow java_t unreserved_port_t:tcp_socket name_bind;
#============= kernel_t ==============
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
# mlsconstrain fd { use } ((l1 eq l2 -Fail-) or (t1 == mlsfduse -Fail-) or (t2 == mlsfdshare -Fail-) ); Constraint DENIED
# Possible cause is the source level (s15:c0.c1023) and target level (s0-s15:c0.c1023) are different.
allow kernel_t mount_t:fd use;
#============= local_login_t ==============
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
# mlsconstrain key { view read write search link setattr create } ((l1 eq l2 -Fail-) or (t1 == mlskeywritetoclr -Fail-) and (h1 dom l2) and (l1 domby l2) or (t1 == mlskeywrite -Fail-) ); Constraint DENIED
# Possible cause is the source level (s0-s15:c0.c1023) and target level (s15:c0.c1023) are different.
allow local_login_t kernel_t:key search;
allow local_login_t secadm_t:process { noatsecure rlimitinh siginh };
allow local_login_t unlabeled_t:dir search;
#============= lvm_t ==============
allow lvm_t self:capability dac_read_search;
#============= mount_t ==============
allow mount_t self:capability fowner;
allow mount_t unlabeled_t:dir read;
allow mount_t unlabeled_t:file { execute getattr mounton open read };
allow mount_t unlabeled_t:filesystem mount;
allow mount_t unlabeled_t:lnk_file { getattr read };
allow mount_t var_lib_t:chr_file unlink;
allow mount_t var_lib_t:dir { add_name create remove_name rmdir setattr write };
allow mount_t var_lib_t:file { create open rename unlink write };
#============= ntpd_t ==============
allow ntpd_t cgroup_t:file getattr;
allow ntpd_t ntp_packet_t:packet send;
allow ntpd_t selinux_config_t:dir search;
allow ntpd_t sysctl_t:netif egress;
allow ntpd_t unlabeled_t:node sendto;
allow ntpd_t unlabeled_t:packet { recv send };
allow ntpd_t unlabeled_t:peer recv;
allow ntpd_t unlabeled_t:udp_socket node_bind;
#============= policykit_auth_t ==============
allow policykit_auth_t faillog_t:dir search;
allow policykit_auth_t init_t:dir search;
allow policykit_auth_t init_t:file { getattr ioctl open read };
allow policykit_auth_t self:capability net_admin;
#!!!! This avc can be allowed using the boolean 'allow_kerberos'
allow policykit_auth_t selinux_config_t:dir search;
allow policykit_auth_t selinux_config_t:lnk_file read;
allow policykit_auth_t staff_systemd_t:fd use;
allow policykit_auth_t staff_systemd_t:unix_stream_socket { ioctl read write };
allow policykit_auth_t sysctl_kernel_t:dir search;
allow policykit_auth_t sysctl_kernel_t:file { open read };
allow policykit_auth_t systemd_homed_runtime_t:fifo_file write;
allow policykit_auth_t systemd_homed_runtime_t:sock_file write;
allow policykit_auth_t systemd_homed_t:fd use;
allow policykit_auth_t systemd_homed_t:unix_stream_socket connectto;
allow policykit_auth_t systemd_machined_t:unix_stream_socket connectto;
#============= policykit_t ==============
allow policykit_t security_t:filesystem getattr;
#============= secadm_sudo_t ==============
allow secadm_sudo_t cgroup_t:filesystem getattr;
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
# mlsconstrain chr_file { read getattr execute } ((l1 dom l2 -Fail-) or (t1 == mlsfilereadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsfileread -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED
# Possible cause is the source user (secadm_u) and target user (system_u) are different.
# Possible cause is the source level (s0-s15:c0.c512) and target level (s15:c0.c1023) are different.
allow secadm_sudo_t kmsg_device_t:chr_file getattr;
allow secadm_sudo_t proc_t:filesystem getattr;
allow secadm_sudo_t secadm_t:process { noatsecure rlimitinh siginh };
#!!!! This avc can be allowed using the boolean 'authlogin_pam'
allow secadm_sudo_t shadow_t:file read;
allow secadm_sudo_t systemd_machined_t:unix_stream_socket connectto;
allow secadm_sudo_t tty_device_t:chr_file getattr;
#============= secadm_systemd_t ==============
allow secadm_systemd_t proc_t:filesystem getattr;
allow secadm_systemd_t secadm_t:process { noatsecure siginh };
#============= secadm_t ==============
allow secadm_t NetworkManager_t:dir getattr;
allow secadm_t auditd_t:dir getattr;
allow secadm_t bluetooth_t:dir getattr;
allow secadm_t cupsd_t:dir getattr;
allow secadm_t devicekit_disk_t:dir getattr;
allow secadm_t dockerd_t:dir getattr;
allow secadm_t gpg_t:process { noatsecure rlimitinh siginh };
allow secadm_t hwdata_t:file read;
allow secadm_t initrc_t:dir getattr;
allow secadm_t kernel_t:dir getattr;
allow secadm_t local_login_t:dir { getattr search };
allow secadm_t ntpd_t:dir getattr;
allow secadm_t policykit_t:dir getattr;
allow secadm_t restorecond_t:dir getattr;
allow secadm_t secadm_git_t:process { noatsecure rlimitinh siginh };
allow secadm_t secadm_sudo_t:process { noatsecure rlimitinh siginh };
allow secadm_t secadm_systemd_t:dir getattr;
allow secadm_t snort_t:dir getattr;
allow secadm_t staff_dbusd_t:dir getattr;
allow secadm_t staff_gkeyringd_t:dir getattr;
allow secadm_t staff_systemd_t:dir getattr;
allow secadm_t staff_t:dir getattr;
allow secadm_t staff_wm_t:dir getattr;
allow secadm_t syslogd_t:dir getattr;
allow secadm_t system_dbusd_t:dir getattr;
allow secadm_t systemd_homed_t:dir getattr;
allow secadm_t systemd_hostnamed_t:dir getattr;
allow secadm_t systemd_locale_t:dir getattr;
allow secadm_t systemd_logind_t:dir getattr;
allow secadm_t systemd_machined_t:dir getattr;
allow secadm_t systemd_userdbd_t:dir getattr;
allow secadm_t udev_t:dir getattr;
allow secadm_t usbguard_t:dir getattr;
allow secadm_t virtd_t:dir getattr;
allow secadm_t vmware_host_t:dir getattr;
allow secadm_t xdm_t:dir getattr;
#============= setfiles_t ==============
allow setfiles_t proc_t:filesystem getattr;
#============= snort_t ==============
allow snort_t proc_t:file read;
#============= ssh_t ==============
allow ssh_t devpts_t:chr_file { append ioctl read write };
allow ssh_t domain_packet_t:packet send;
allow ssh_t gnome_keyring_tmp_t:dir search;
allow ssh_t gnome_keyring_tmp_t:sock_file write;
allow ssh_t ssh_packet_t:packet send;
allow ssh_t staff_gkeyringd_t:unix_stream_socket connectto;
allow ssh_t sysctl_t:netif egress;
allow ssh_t systemd_homed_runtime_t:sock_file write;
allow ssh_t systemd_homed_t:unix_stream_socket connectto;
allow ssh_t systemd_machined_t:unix_stream_socket connectto;
allow ssh_t unlabeled_t:chr_file { open read write };
allow ssh_t unlabeled_t:node sendto;
allow ssh_t unlabeled_t:packet recv;
allow ssh_t unlabeled_t:peer recv;
#============= staff_dbusd_t ==============
allow staff_dbusd_t boot_t:dir search;
allow staff_dbusd_t device_t:chr_file { ioctl open read };
allow staff_dbusd_t etc_t:file map;
allow staff_dbusd_t http_port_t:tcp_socket name_connect;
allow staff_dbusd_t https_packet_t:packet send;
allow staff_dbusd_t self:process getcap;
allow staff_dbusd_t session_dbusd_runtime_t:file map;
allow staff_dbusd_t session_dbusd_tmp_t:file map;
allow staff_dbusd_t ssdp_packet_t:packet { recv send };
allow staff_dbusd_t staff_dbusd_tmpfs_t:file { execute open };
allow staff_dbusd_t sysctl_fs_t:dir search;
allow staff_dbusd_t sysctl_t:netif egress;
allow staff_dbusd_t systemd_machined_t:unix_stream_socket connectto;
allow staff_dbusd_t systemd_user_tmpfs_t:file { read write };
allow staff_dbusd_t telepathy_mission_control_t:process { noatsecure rlimitinh siginh };
allow staff_dbusd_t udev_runtime_t:dir search;
allow staff_dbusd_t udev_runtime_t:file { getattr open read };
allow staff_dbusd_t unlabeled_t:node sendto;
allow staff_dbusd_t unlabeled_t:packet recv;
allow staff_dbusd_t unlabeled_t:peer recv;
allow staff_dbusd_t unlabeled_t:tcp_socket node_bind;
allow staff_dbusd_t unlabeled_t:udp_socket node_bind;
allow staff_dbusd_t user_home_dir_t:file { open read write };
allow staff_dbusd_t v4l_device_t:chr_file { ioctl open read write };
#============= staff_git_t ==============
allow staff_git_t devicekit_runtime_t:dir { getattr search };
allow staff_git_t devpts_t:chr_file append;
allow staff_git_t iso9660_t:dir { getattr open read search };
#!!!! This avc can be allowed using the boolean 'git_client_manage_all_user_home_content'
allow staff_git_t xdg_cache_t:dir read;
#!!!! This avc can be allowed using the boolean 'git_client_manage_all_user_home_content'
allow staff_git_t xdg_cache_t:file { getattr map open read };
#!!!! This avc can be allowed using the boolean 'git_client_manage_all_user_home_content'
allow staff_git_t xdg_documents_t:dir { getattr search };
#!!!! This avc can be allowed using the boolean 'git_client_manage_all_user_home_content'
allow staff_git_t xdg_documents_work_t:dir { getattr open read search };
#!!!! This avc can be allowed using the boolean 'git_client_manage_all_user_home_content'
allow staff_git_t xdg_documents_work_t:file { getattr map open read };
#!!!! This avc can be allowed using the boolean 'git_client_manage_all_user_home_content'
allow staff_git_t xdg_downloads_t:dir { getattr search };
#============= staff_gkeyringd_t ==============
allow staff_gkeyringd_t cert_t:dir search;
allow staff_gkeyringd_t cert_t:file { getattr open read };
allow staff_gkeyringd_t ssh_agent_exec_t:file { execute execute_no_trans map open read };
#============= staff_sudo_t ==============
allow staff_sudo_t devicekit_runtime_t:dir search;
allow staff_sudo_t fixed_disk_device_t:blk_file { getattr ioctl open read write };
allow staff_sudo_t init_runtime_t:file getattr;
allow staff_sudo_t iso9660_t:dir { getattr mounton open read search };
allow staff_sudo_t iso9660_t:filesystem { mount unmount };
allow staff_sudo_t kmsg_device_t:chr_file getattr;
allow staff_sudo_t mnt_t:dir mounton;
allow staff_sudo_t mount_runtime_t:dir { add_name remove_name search write };
allow staff_sudo_t mount_runtime_t:file { create getattr lock open read rename setattr unlink write };
allow staff_sudo_t self:capability { dac_read_search sys_rawio };
allow staff_sudo_t systemd_machined_t:unix_stream_socket connectto;
allow staff_sudo_t systemd_sessions_runtime_t:dir search;
allow staff_sudo_t systemd_sessions_runtime_t:file getattr;
allow staff_sudo_t tty_device_t:chr_file getattr;
allow staff_sudo_t user_tty_device_t:chr_file lock;
allow staff_sudo_t var_run_t:dir create;
allow staff_sudo_t var_run_t:file { create getattr link open read rename setattr unlink write };
allow staff_sudo_t xdg_documents_work_t:dir search;
allow staff_sudo_t xdg_documents_work_t:file { execute execute_no_trans getattr open read };
allow staff_sudo_t xserver_misc_device_t:chr_file getattr;
#============= staff_systemd_t ==============
allow staff_systemd_t chromium_sandbox_t:dir search;
allow staff_systemd_t chromium_sandbox_t:file { getattr ioctl open };
allow staff_systemd_t device_t:chr_file read;
allow staff_systemd_t devicekit_runtime_t:dir search;
allow staff_systemd_t dri_device_t:chr_file open;
allow staff_systemd_t etc_t:file map;
allow staff_systemd_t evolution_tmpfs_t:dir { open read search };
allow staff_systemd_t evolution_tmpfs_t:file { getattr map open read };
allow staff_systemd_t git_xdg_config_t:file getattr;
allow staff_systemd_t gnome_home_t:dir getattr;
allow staff_systemd_t gpg_agent_t:process { noatsecure rlimitinh siginh };
allow staff_systemd_t home_root_t:dir read;
allow staff_systemd_t http_port_t:tcp_socket name_connect;
allow staff_systemd_t https_packet_t:packet send;
allow staff_systemd_t iso9660_t:dir { getattr open read search watch };
allow staff_systemd_t iso9660_t:file getattr;
allow staff_systemd_t java_home_t:dir getattr;
allow staff_systemd_t modules_object_t:dir { getattr search };
allow staff_systemd_t modules_object_t:file { getattr read };
allow staff_systemd_t mozilla_home_t:dir getattr;
allow staff_systemd_t mplayer_home_t:dir getattr;
allow staff_systemd_t proc_t:filesystem getattr;
allow staff_systemd_t samba_etc_t:dir search;
allow staff_systemd_t samba_etc_t:file { getattr open read };
allow staff_systemd_t samba_runtime_t:dir search;
allow staff_systemd_t self:capability sys_admin;
allow staff_systemd_t self:process { sigkill signull };
allow staff_systemd_t ssh_home_t:dir { search write };
allow staff_systemd_t ssh_home_t:file { getattr read write };
allow staff_systemd_t sysctl_net_t:dir search;
allow staff_systemd_t sysctl_net_t:file { getattr open read };
allow staff_systemd_t sysctl_t:netif egress;
allow staff_systemd_t systemd_machined_t:unix_stream_socket connectto;
allow staff_systemd_t telegram_exec_t:file execute;
#!!!! This avc is allowed in the current policy
allow staff_systemd_t telegram_t:dir search;
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow staff_systemd_t telegram_t:file { getattr ioctl open read };
#!!!! This avc is allowed in the current policy
allow staff_systemd_t telegram_t:lnk_file read;
allow staff_systemd_t thunderbird_home_t:dir getattr;
allow staff_systemd_t unlabeled_t:dir { getattr read search watch };
allow staff_systemd_t unlabeled_t:node sendto;
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
# mlsconstrain packet { recv } ((l1 dom l2 -Fail-) or (t1 == mlsnetreadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsnetread -Fail-) ); Constraint DENIED
# Possible cause is the source user (staff_u) and target user (system_u) are different.
# Possible cause is the source level (s0-s14:c0.c1023) and target level (s15:c0.c1023) are different.
allow staff_systemd_t unlabeled_t:packet recv;
allow staff_systemd_t unlabeled_t:packet send;
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
# mlsconstrain peer { recv } ((l1 dom l2 -Fail-) or (t1 == mlsnetreadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsnetread -Fail-) ); Constraint DENIED
# Possible cause is the source user (staff_u) and target user (system_u) are different.
# Possible cause is the source level (s0-s14:c0.c1023) and target level (s15:c0.c1023) are different.
allow staff_systemd_t unlabeled_t:peer recv;
allow staff_systemd_t user_home_t:file write;
allow staff_systemd_t var_lib_t:file map;
allow staff_systemd_t var_run_t:file { getattr open read };
allow staff_systemd_t vmware_file_t:dir { getattr ioctl open read search write };
allow staff_systemd_t vmware_file_t:file { execute getattr open read write };
allow staff_systemd_t winbind_helper_exec_t:file { execute execute_no_trans map open read };
allow staff_systemd_t wine_home_t:dir getattr;
allow staff_systemd_t xdg_documents_archive_t:dir { getattr read search watch write };
allow staff_systemd_t xdg_documents_archive_t:file getattr;
allow staff_systemd_t xdg_documents_private_t:dir { getattr read search watch write };
allow staff_systemd_t xdg_documents_private_t:file getattr;
allow staff_systemd_t xdg_documents_school_t:dir { getattr read search watch write };
allow staff_systemd_t xdg_documents_school_t:file { getattr open read write };
allow staff_systemd_t xdg_documents_t:file write;
allow staff_systemd_t xdg_documents_tmp_t:dir { getattr read search watch write };
allow staff_systemd_t xdg_documents_tmp_t:file getattr;
allow staff_systemd_t xdg_documents_work_t:dir { getattr read search watch write };
allow staff_systemd_t xdg_documents_work_t:file { getattr open read write };
allow staff_systemd_t xdg_documents_work_t:lnk_file { getattr read };
allow staff_systemd_t xdg_downloads_t:dir search;
allow staff_systemd_t xdg_downloads_t:file { getattr open read write };
allow staff_systemd_t xdg_music_t:dir search;
allow staff_systemd_t xdg_music_t:file { execute getattr read write };
allow staff_systemd_t xdg_pictures_t:dir { ioctl search };
allow staff_systemd_t xdg_pictures_t:file { getattr open read write };
allow staff_systemd_t xdm_tmp_t:sock_file write;
allow staff_systemd_t xserver_port_t:tcp_socket name_connect;
#============= staff_t ==============
allow staff_t NetworkManager_t:dir { open read };
allow staff_t NetworkManager_t:file getattr;
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
# mlsconstrain file { read getattr execute } ((l1 dom l2 -Fail-) or (t1 == mlsfilereadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsfileread -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED
mlsconstrain file { write create setattr relabelfrom append unlink link rename mounton } ((l1 eq l2 -Fail-) or (t1 == mlsfilewritetoclr -Fail-) and (h1 dom l2 -Fail-) and (l1 domby l2) or (t2 == mlsfilewriteinrange -Fail-) and (l1 dom l2 -Fail-) and (h1 domby h2) or (t1 == mlsfilewrite -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED
# Possible cause is the source user (staff_u) and target user (system_u) are different.
# Possible cause is the source level (s0-s14:c0.c1023) and target level (s15:c0.c1023) are different.
allow staff_t auditd_log_t:file { getattr read write };
allow staff_t auditd_runtime_t:file getattr;
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
# mlsconstrain dir { read getattr execute } ((l1 dom l2 -Fail-) or (t1 == mlsfilereadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsfileread -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED
mlsconstrain dir { search } ((l1 dom l2 -Fail-) or (t1 == mlsfilereadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsfileread -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED
# Possible cause is the source user (sbadm_u) and target user (system_u) are different.
# Possible cause is the source role (staff_r) and target role (system_r) are different.
# Possible cause is the source level (s0-s15:c0.c512) and target level (s15:c0.c1023) are different.
allow staff_t auditd_t:dir { getattr search };
allow staff_t auditd_t:dir { open read };
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: