From 98dbb8563a8274f4839870c22f7de7bc8227749b Mon Sep 17 00:00:00 2001
From: "Yunchuan \"Winslow\" Hu"
Date: Thu, 29 Feb 2024 14:35:44 -0800
Subject: [PATCH] fix secmos prev legacy broken modules

---
 policy/flask/access_vectors | 1 -
 policy/modules/apps/monero-gui.fc | 1 -
 policy/modules/apps/monero-gui.if | 87 ---
 policy/modules/apps/monero-gui.te | 44 --
 policy/modules/apps/spotify.if | 2 -
 policy/modules/apps/telegram.if | 2 -
 policy/modules/apps/tmp.if | 1 -
 policy/modules/apps/tmp.te | 890 --------------------------
 policy/modules/apps/vscode.if | 2 -
 policy/modules/apps/zoom.if | 2 -
 policy/modules/apps/zoom.te | 4 +-
 policy/modules/services/bluetooth.te | 7 +
 policy/modules/services/monerod.fc | 23 -
 policy/modules/services/monerod.if | 0
 policy/modules/services/monerod.te | 33 -
 15 files changed, 9 insertions(+), 1090 deletions(-)
 delete mode 100644 policy/modules/apps/monero-gui.fc
 delete mode 100644 policy/modules/apps/monero-gui.if
 delete mode 100644 policy/modules/apps/monero-gui.te
 delete mode 100644 policy/modules/apps/tmp.if
 delete mode 100644 policy/modules/apps/tmp.te
 delete mode 100644 policy/modules/services/monerod.fc
 delete mode 100644 policy/modules/services/monerod.if
 delete mode 100644 policy/modules/services/monerod.te
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index b76492ab7..734cca05b 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -1072,7 +1072,6 @@ class io_uring
 cmd
 override_creds
 sqpoll
- cmd
 }
 class user_namespace
 {
diff --git a/policy/modules/apps/monero-gui.fc b/policy/modules/apps/monero-gui.fc
deleted file mode 100644
index 8b1378917..000000000
--- a/policy/modules/apps/monero-gui.fc
+++ /dev/null
@@ -1 +0,0 @@
-
diff --git a/policy/modules/apps/monero-gui.if b/policy/modules/apps/monero-gui.if
deleted file mode 100644
index 7b10ba853..000000000
--- a/policy/modules/apps/monero-gui.if
+++ /dev/null
@@ -1,87 +0,0 @@
-## Monero wallet GUI
-
-#######################################
-##
-## Role access for monero_gui
-##
-##
-##
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
-##
-##
-##
-## User domain for the role.
-##
-##
-##
-## User exec domain for execute and transition access.
-##
-##
-##
-## Role allowed access
-##
-##
-#
-template(`monero_gui_role',`
- gen_require(`
- type monero_gui_t;
- type monero_gui_exec_t;
- type $1_wm_t;
- attribute_role monero_gui_roles;
- class dbus send_msg;
- ')
-
- roleattribute $4 monero_gui_roles;
-
- allow $2 monero_gui_exec_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-
- optional_policy(`
- systemd_user_app_status($1, monero_gui_t)
- ')
-')
-
-## policy for monero_gui
-
-########################################
-##
-## Execute monero_gui_exec_t in the monero_gui domain.
-##
-##
-##
-## Domain allowed to transition.
-##
-##
-#
-interface(`monero_gui_domtrans',`
- gen_require(`
- type monero_gui_t, monero_gui_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, monero_gui_exec_t, monero_gui_t)
-')
-
-######################################
-##
-## Execute monero_gui in the caller domain.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`monero_gui_exec',`
- gen_require(`
- type monero_gui_exec_t;
- ')
-
- corecmd_search_bin($1)
- can_exec($1, monero_gui_exec_t)
-')
-
-
diff --git a/policy/modules/apps/monero-gui.te b/policy/modules/apps/monero-gui.te
deleted file mode 100644
index 2a1adac5c..000000000
--- a/policy/modules/apps/monero-gui.te
+++ /dev/null
@@ -1,44 +0,0 @@
-policy_module(monero_gui, 1.0)
-
-attribute_role monero_gui_roles;
-
-type monero_gui_t;
-monero_gui_exec_t;
-
-userdom_user_application_domain(monero_gui_t, monero_gui_exec_t)
-
-application_domain(monero_gui_t, monero_gui_exec_t)
-
-wm_application_domain(monero_gui_t, monero_gui_exec_t)
-
-role monero_gui_roles types monero_gui_t;
-
-optional_policy(`
- wm_application_domain(monero_gui_t, monero_gui_exec_t)
-')
-
-type monero_gui_usr_t;
-
-allow monero_gui_t self:process { signal_perms };
-allow monero_gui_t self:fifo_file { rw_fifo_file_perms };
-allow monero_gui_t self:netlink_route_socket { bind create getattr getopt nlmsg_read read setopt write };
-allow monero_gui_t self:process { getsched ptrace setsched };
-allow monero_gui_t self:tcp_socket { connect create getattr getopt read setopt write };
-allow monero_gui_t self:unix_dgram_socket { create write };
-
-manage_files_pattern(monero_gui_t, monero_gui_usr_t, monero_gui_usr_t)
-manage_dirs_pattern(monero_gui_t, monero_gui_usr_t, monero_gui_usr_t)
-
-xdg_manage_documents_monero_gui(monero_gui_t)
-
-domain_use_interactive_fds(monero_gui_t)
-
-can_exec(monero_gui_t, monero_gui_exec_t)
-corecmd_search_bin(monero_gui_t)
-corecmd_exec_bin(monero_gui_exec_t)
-
-domain_use_interactive_fds(monero_gui_t)
-
-xserver_stream_connect_xdm(monero_gui_t)
-
-domain_mmap_low_uncond(monero_gui_t)
diff --git a/policy/modules/apps/spotify.if b/policy/modules/apps/spotify.if
index 67680b5f8..b9a1ae3de 100644
--- a/policy/modules/apps/spotify.if
+++ b/policy/modules/apps/spotify.if
@@ -67,8 +67,6 @@ template(`spotify_role',`
 ')
 ')
 
-## policy for spotify
-
 ########################################
 ##
 ## Execute spotify_exec_t in the spotify domain.
diff --git a/policy/modules/apps/telegram.if b/policy/modules/apps/telegram.if
index fe8da0a09..15cfcb254 100644
--- a/policy/modules/apps/telegram.if
+++ b/policy/modules/apps/telegram.if
@@ -44,8 +44,6 @@ template(`telegram_role',`
 ')
 ')
 
-## policy for telegram
-
 ########################################
 ##
 ## Execute telegram_exec_t in the telegram domain.
diff --git a/policy/modules/apps/tmp.if b/policy/modules/apps/tmp.if
deleted file mode 100644
index f324e3bfa..000000000
--- a/policy/modules/apps/tmp.if
+++ /dev/null
@@ -1 +0,0 @@
-# Stub
diff --git a/policy/modules/apps/tmp.te b/policy/modules/apps/tmp.te
deleted file mode 100644
index c73681212..000000000
--- a/policy/modules/apps/tmp.te
+++ /dev/null
@@ -1,890 +0,0 @@ -policy_module(tmp, 1.0) - - -#============= NetworkManager_t ============== -allow NetworkManager_t bootpc_packet_t:packet recv; -allow NetworkManager_t bootps_packet_t:packet send; -allow NetworkManager_t systemd_machined_t:unix_stream_socket connectto; -allow NetworkManager_t unlabeled_t:node sendto; - -#============= avahi_t ============== -allow avahi_t sysctl_t:netif egress; -allow avahi_t systemd_homed_runtime_t:sock_file write; -allow avahi_t systemd_homed_t:unix_stream_socket connectto; -allow avahi_t systemd_machined_t:unix_stream_socket connectto; -allow avahi_t unlabeled_t:node sendto; -allow avahi_t unlabeled_t:packet { recv send }; -allow avahi_t unlabeled_t:udp_socket node_bind; - -#============= chromium_t ============== - -#!!!! This avc can be allowed using the boolean 'chromium_read_system_info' -allow chromium_t etc_runtime_t:file read; -allow chromium_t locale_t:dir watch; -allow chromium_t security_t:dir search; -allow chromium_t staff_wm_t:unix_stream_socket ioctl; -allow chromium_t sysctl_t:netif egress; -allow chromium_t syslogd_runtime_t:dir search; -allow chromium_t systemd_machined_t:unix_stream_socket connectto; -allow chromium_t unlabeled_t:udp_socket node_bind; -allow chromium_t user_home_t:file map; -allow chromium_t var_lib_t:dir read; -allow chromium_t var_lib_t:file { getattr read }; - -#============= cupsd_t ============== -allow cupsd_t systemd_machined_t:unix_stream_socket connectto; - -#============= devicekit_disk_t ============== -allow devicekit_disk_t lvm_runtime_t:dir { add_name remove_name write }; -allow devicekit_disk_t lvm_runtime_t:file { create lock open read unlink write }; - -#============= mandb_t ============== -allow mandb_t self:capability dac_read_search; -allow mandb_t var_lib_t:dir search; - -#============= mozilla_t ============== -allow mozilla_t NetworkManager_etc_t:dir getattr; -allow mozilla_t auditd_etc_t:dir getattr; -allow mozilla_t bluetooth_conf_t:dir getattr; -allow mozilla_t 
container_config_t:dir getattr; -allow mozilla_t dnsmasq_etc_t:dir getattr; -allow mozilla_t domain_packet_t:packet send; -allow mozilla_t firewalld_etc_rw_t:dir getattr; -allow mozilla_t geoclue_etc_t:dir getattr; -allow mozilla_t hostapd_conf_t:dir getattr; -allow mozilla_t httpd_config_t:dir getattr; -allow mozilla_t https_packet_t:packet send; -allow mozilla_t ifplugd_etc_t:dir getattr; -allow mozilla_t lircd_etc_t:dir getattr; -allow mozilla_t lo_netif_t:netif egress; -allow mozilla_t local_ephemeral_port_t:tcp_socket name_connect; -allow mozilla_t lvm_etc_t:dir getattr; -allow mozilla_t modules_conf_t:dir getattr; -allow mozilla_t mplayer_etc_t:dir getattr; -allow mozilla_t named_conf_t:dir getattr; -allow mozilla_t node_t:tcp_socket name_connect; -allow mozilla_t samba_etc_t:dir getattr; -allow mozilla_t saslauthd_keytab_t:dir getattr; -allow mozilla_t selinux_config_t:dir getattr; -allow mozilla_t snort_etc_t:dir getattr; -allow mozilla_t sysctl_t:netif egress; -allow mozilla_t system_cron_spool_t:dir getattr; -allow mozilla_t systemd_machined_t:unix_stream_socket connectto; -allow mozilla_t unlabeled_t:node sendto; -allow mozilla_t unlabeled_t:packet { recv send }; -allow mozilla_t unlabeled_t:peer recv; -allow mozilla_t unlabeled_t:udp_socket node_bind; -allow mozilla_t usbguard_conf_t:dir getattr; -allow mozilla_t user_home_t:file map; -allow mozilla_t user_runtime_t:file getattr; -allow mozilla_t var_lib_t:file map; -allow mozilla_t virt_etc_t:dir getattr; -allow mozilla_t vmware_sys_conf_t:dir getattr; -allow mozilla_t www_http_packet_t:packet send; - -#============= ntpd_t ============== -allow ntpd_t ntp_packet_t:packet send; -allow ntpd_t selinux_config_t:dir search; -allow ntpd_t sysctl_t:netif egress; -allow ntpd_t unlabeled_t:node sendto; -allow ntpd_t unlabeled_t:packet recv; -allow ntpd_t unlabeled_t:peer recv; -allow ntpd_t unlabeled_t:udp_socket node_bind; - -#============= secadm_sudo_t ============== -allow secadm_sudo_t cgroup_t:filesystem 
getattr; - -#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access. -#Constraint rule: -# # mlsconstrain chr_file { read getattr execute } ((l1 dom l2 -Fail-) or (t1 == mlsfilereadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsfileread -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED - -# Possible cause is the source user (secadm_u) and target user (system_u) are different. -# Possible cause is the source level (s0-s15:c0.c512) and target level (s15:c0.c1023) are different. -allow secadm_sudo_t kmsg_device_t:chr_file getattr; -allow secadm_sudo_t proc_t:filesystem getattr; -allow secadm_sudo_t secadm_t:process { noatsecure rlimitinh siginh }; - -#!!!! This avc can be allowed using the boolean 'authlogin_pam' -allow secadm_sudo_t shadow_t:file { getattr open read }; -allow secadm_sudo_t systemd_machined_t:unix_stream_socket connectto; -allow secadm_sudo_t systemd_sessions_runtime_t:dir search; -allow secadm_sudo_t systemd_sessions_runtime_t:file { getattr open read }; -allow secadm_sudo_t tty_device_t:chr_file getattr; - -#============= secadm_t ============== -allow secadm_t secadm_git_t:process { noatsecure rlimitinh siginh }; -allow secadm_t secadm_sudo_t:process { noatsecure rlimitinh siginh }; -allow secadm_t xdg_documents_work_t:file { ioctl open read setattr write }; - -#============= staff_dbusd_t ============== -allow staff_dbusd_t etc_t:file map; -allow staff_dbusd_t http_port_t:tcp_socket name_connect; -allow staff_dbusd_t https_packet_t:packet send; -allow staff_dbusd_t ssdp_packet_t:packet { recv send }; -allow staff_dbusd_t staff_dbusd_tmpfs_t:file execute; -allow staff_dbusd_t sysctl_t:netif egress; -allow staff_dbusd_t systemd_machined_t:unix_stream_socket connectto; -allow staff_dbusd_t unlabeled_t:node sendto; -allow staff_dbusd_t unlabeled_t:packet recv; -allow staff_dbusd_t unlabeled_t:peer recv; -allow staff_dbusd_t unlabeled_t:tcp_socket 
node_bind; -allow staff_dbusd_t unlabeled_t:udp_socket node_bind; - -#============= staff_git_t ============== - -#!!!! This avc can be allowed using the boolean 'git_client_manage_all_user_home_content' -allow staff_git_t xdg_documents_t:dir { getattr search }; - -#!!!! This avc can be allowed using the boolean 'git_client_manage_all_user_home_content' -allow staff_git_t xdg_documents_work_t:dir { getattr open read search }; - -#!!!! This avc can be allowed using the boolean 'git_client_manage_all_user_home_content' -allow staff_git_t xdg_documents_work_t:file { getattr map open read }; - -#============= staff_sudo_t ============== -allow staff_sudo_t self:capability dac_read_search; -allow staff_sudo_t systemd_machined_t:unix_stream_socket connectto; -allow staff_sudo_t xdg_documents_work_t:file { getattr write }; - -#============= staff_systemd_t ============== -allow staff_systemd_t chromium_sandbox_t:dir search; -allow staff_systemd_t etc_t:file map; -allow staff_systemd_t gpg_agent_t:process { noatsecure rlimitinh siginh }; -allow staff_systemd_t http_port_t:tcp_socket name_connect; -allow staff_systemd_t https_packet_t:packet send; -allow staff_systemd_t samba_etc_t:dir search; -allow staff_systemd_t samba_etc_t:file { getattr open read }; -allow staff_systemd_t samba_runtime_t:dir search; -allow staff_systemd_t sysctl_net_t:dir search; -allow staff_systemd_t sysctl_net_t:file { getattr open read }; -allow staff_systemd_t sysctl_t:netif egress; -allow staff_systemd_t unlabeled_t:node sendto; - -#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access. -#Constraint rule: -# # mlsconstrain packet { recv } ((l1 dom l2 -Fail-) or (t1 == mlsnetreadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsnetread -Fail-) ); Constraint DENIED - -# Possible cause is the source user (staff_u) and target user (system_u) are different. 
-# Possible cause is the source level (s0-s14:c0.c1023) and target level (s15:c0.c1023) are different. -allow staff_systemd_t unlabeled_t:packet recv; - -#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access. -#Constraint rule: -# # mlsconstrain peer { recv } ((l1 dom l2 -Fail-) or (t1 == mlsnetreadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsnetread -Fail-) ); Constraint DENIED - -# Possible cause is the source user (staff_u) and target user (system_u) are different. -# Possible cause is the source level (s0-s14:c0.c1023) and target level (s15:c0.c1023) are different. -allow staff_systemd_t unlabeled_t:peer recv; -allow staff_systemd_t var_lib_t:file map; -allow staff_systemd_t winbind_helper_exec_t:file { execute execute_no_trans map open read }; - -#============= staff_t ============== - -#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access. -#Constraint rule: -# # mlsconstrain file { read getattr execute } ((l1 dom l2 -Fail-) or (t1 == mlsfilereadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsfileread -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED -# # mlsconstrain file { write create setattr relabelfrom append unlink link rename mounton } ((l1 eq l2 -Fail-) or (t1 == mlsfilewritetoclr -Fail-) and (h1 dom l2 -Fail-) and (l1 domby l2) or (t2 == mlsfilewriteinrange -Fail-) and (l1 dom l2 -Fail-) and (h1 domby h2) or (t1 == mlsfilewrite -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED - -# Possible cause is the source user (staff_u) and target user (system_u) are different. -# Possible cause is the source level (s0-s14:c0.c1023) and target level (s15:c0.c1023) are different. -allow staff_t auditd_log_t:file { getattr read }; - -#!!!! This avc is a constraint violation. 
You would need to modify the attributes of either the source or target types to allow this access. -#Constraint rule: -# # mlsconstrain dir { read getattr execute } ((l1 dom l2 -Fail-) or (t1 == mlsfilereadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsfileread -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED -# # mlsconstrain dir { search } ((l1 dom l2 -Fail-) or (t1 == mlsfilereadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsfileread -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED - -# Possible cause is the source user (staff_u) and target user (system_u) are different. -# Possible cause is the source role (staff_r) and target role (system_r) are different. -# Possible cause is the source level (s0-s14:c0.c1023) and target level (s15:c0.c1023) are different. -allow staff_t auditd_t:dir { getattr search }; - -#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access. -#Constraint rule: -# # mlsconstrain file { read getattr execute } ((l1 dom l2 -Fail-) or (t1 == mlsfilereadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsfileread -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED - -# Possible cause is the source user (staff_u) and target user (system_u) are different. -# Possible cause is the source role (staff_r) and target role (system_r) are different. -# Possible cause is the source level (s0-s14:c0.c1023) and target level (s15:c0.c1023) are different. 
-allow staff_t auditd_t:file read; -allow staff_t avahi_t:dir { getattr search }; -allow staff_t avahi_t:file read; -allow staff_t default_t:dir getattr; -allow staff_t default_t:file getattr; -allow staff_t faillog_t:dir search; -allow staff_t faillog_t:file getattr; -allow staff_t init_runtime_t:dir { add_name create write }; -allow staff_t init_runtime_t:fifo_file { create open read }; -allow staff_t init_runtime_t:sock_file write; -allow staff_t init_t:system reload; -allow staff_t lo_netif_t:netif egress; -allow staff_t local_login_t:file { open read }; -allow staff_t ntpd_t:dir { getattr search }; -allow staff_t ntpd_t:file { open read }; -allow staff_t restorecond_t:dir { getattr search }; -allow staff_t restorecond_t:file { open read }; -allow staff_t secadm_dbusd_t:dir { getattr search }; -allow staff_t secadm_dbusd_t:file { open read }; -allow staff_t secadm_systemd_t:dir { getattr search }; -allow staff_t secadm_systemd_t:file { open read }; -allow staff_t secadm_t:dir { getattr search }; -allow staff_t secadm_t:file { open read }; -allow staff_t security_t:security read_policy; -allow staff_t self:capability sys_resource; -allow staff_t shadow_t:file { getattr open read }; -allow staff_t staff_systemd_t:lnk_file read; -allow staff_t staff_wm_t:fifo_file { getattr ioctl read }; -allow staff_t sysctl_t:netif egress; - -#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access. 
-#Constraint rule: -# # mlsconstrain dir { read getattr execute } ((l1 dom l2 -Fail-) or (t1 == mlsfilereadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsfileread -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED -# # mlsconstrain dir { search } ((l1 dom l2 -Fail-) or (t1 == mlsfilereadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsfileread -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED - -# Possible cause is the source user (staff_u) and target user (system_u) are different. -# Possible cause is the source role (staff_r) and target role (system_r) are different. -# Possible cause is the source level (s0-s14:c0.c1023) and target level (s15:c0.c1023) are different. -allow staff_t syslogd_t:dir { getattr search }; - -#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access. -#Constraint rule: -# # mlsconstrain file { read getattr execute } ((l1 dom l2 -Fail-) or (t1 == mlsfilereadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsfileread -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED - -# Possible cause is the source user (staff_u) and target user (system_u) are different. -# Possible cause is the source role (staff_r) and target role (system_r) are different. -# Possible cause is the source level (s0-s14:c0.c1023) and target level (s15:c0.c1023) are different. 
-allow staff_t syslogd_t:file read; -allow staff_t systemd_logind_runtime_t:dir search; -allow staff_t systemd_machined_t:dir { getattr search }; -allow staff_t systemd_machined_t:file { open read }; -allow staff_t systemd_passwd_runtime_t:dir { getattr open read }; -allow staff_t systemd_sessions_runtime_t:dir search; -allow staff_t systemd_sessions_runtime_t:file getattr; -allow staff_t systemd_unit_t:service { status stop }; -allow staff_t unlabeled_t:chr_file { open read write }; -allow staff_t unlabeled_t:node sendto; -allow staff_t unlabeled_t:packet recv; -allow staff_t unlabeled_t:peer recv; -allow staff_t var_lib_t:file map; -allow staff_t var_lib_t:lnk_file getattr; -allow staff_t xdg_documents_archive_t:file execute; - -#============= staff_wm_t ============== -allow staff_wm_t staff_dbusd_tmpfs_t:file { getattr map read write }; - -#============= udev_t ============== -allow udev_t default_t:file getattr; - - -#============= NetworkManager_t ============== -allow NetworkManager_t bootpc_packet_t:packet recv; -allow NetworkManager_t bootps_packet_t:packet send; -allow NetworkManager_t unlabeled_t:node sendto; - -#============= auditd_t ============== -allow auditd_t systemd_machined_t:unix_stream_socket connectto; - -#============= chromium_t ============== -allow chromium_t boolean_t:file { open read }; - -#!!!! This avc can be allowed using the boolean 'chromium_read_system_info' -allow chromium_t etc_runtime_t:file { getattr open read }; -allow chromium_t hpvroom_packet_t:packet send; -allow chromium_t inedo_packet_t:packet recv; -allow chromium_t locale_t:dir watch; -allow chromium_t mdns_packet_t:packet { recv send }; -allow chromium_t security_t:dir search; -allow chromium_t self:process execheap; -allow chromium_t ssdp_packet_t:packet send; -allow chromium_t sysctl_t:netif egress; -allow chromium_t unlabeled_t:node sendto; - -#!!!! This avc is a constraint violation. 
You would need to modify the attributes of either the source or target types to allow this access. -#Constraint rule: -# # mlsconstrain packet { recv } ((l1 dom l2 -Fail-) or (t1 == mlsnetreadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsnetread -Fail-) ); Constraint DENIED - -# Possible cause is the source user (staff_u) and target user (system_u) are different. -# Possible cause is the source level (s0-s14:c0.c1023) and target level (s15:c0.c1023) are different. -allow chromium_t unlabeled_t:packet recv; - -#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access. -#Constraint rule: -# # mlsconstrain peer { recv } ((l1 dom l2 -Fail-) or (t1 == mlsnetreadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsnetread -Fail-) ); Constraint DENIED - -# Possible cause is the source user (staff_u) and target user (system_u) are different. -# Possible cause is the source level (s0-s14:c0.c1023) and target level (s15:c0.c1023) are different. -allow chromium_t unlabeled_t:peer recv; -allow chromium_t unlabeled_t:udp_socket node_bind; -allow chromium_t user_home_t:file map; -allow chromium_t var_lib_t:dir read; -allow chromium_t var_lib_t:file { getattr map open read }; - -#============= cupsd_t ============== -allow cupsd_t systemd_machined_t:unix_stream_socket connectto; - -#============= devicekit_disk_t ============== -allow devicekit_disk_t lvm_runtime_t:dir write; - -#============= mozilla_t ============== -allow mozilla_t domain_packet_t:packet send; -allow mozilla_t https_packet_t:packet send; -allow mozilla_t sysctl_t:netif egress; -allow mozilla_t unlabeled_t:node sendto; -allow mozilla_t unlabeled_t:packet recv; -allow mozilla_t unlabeled_t:peer recv; -allow mozilla_t unlabeled_t:udp_socket node_bind; -allow mozilla_t www_http_packet_t:packet send; - -#============= secadm_sudo_t ============== -allow secadm_sudo_t cgroup_t:filesystem getattr; - -#!!!! 
This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access. -#Constraint rule: -# # mlsconstrain chr_file { read getattr execute } ((l1 dom l2 -Fail-) or (t1 == mlsfilereadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsfileread -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED - -# Possible cause is the source user (secadm_u) and target user (system_u) are different. -# Possible cause is the source level (s0-s15:c0.c512) and target level (s15:c0.c1023) are different. -allow secadm_sudo_t kmsg_device_t:chr_file getattr; -allow secadm_sudo_t proc_t:filesystem getattr; -allow secadm_sudo_t secadm_t:process { noatsecure rlimitinh siginh }; - -#!!!! This avc can be allowed using the boolean 'authlogin_pam' -allow secadm_sudo_t shadow_t:file read; -allow secadm_sudo_t systemd_machined_t:unix_stream_socket connectto; -allow secadm_sudo_t tty_device_t:chr_file getattr; - -#============= secadm_t ============== -allow secadm_t secadm_git_t:process { noatsecure rlimitinh siginh }; -allow secadm_t secadm_sudo_t:process { noatsecure rlimitinh siginh }; - -#============= staff_git_t ============== - -#!!!! This avc can be allowed using the boolean 'git_client_manage_all_user_home_content' -allow staff_git_t xdg_documents_t:dir { getattr search }; - -#!!!! This avc can be allowed using the boolean 'git_client_manage_all_user_home_content' -allow staff_git_t xdg_documents_work_t:dir { getattr open read search }; - -#!!!! 
This avc can be allowed using the boolean 'git_client_manage_all_user_home_content' -allow staff_git_t xdg_documents_work_t:file { getattr map open read }; - -#============= staff_sudo_t ============== -allow staff_sudo_t self:capability dac_read_search; -allow staff_sudo_t systemd_machined_t:unix_stream_socket connectto; -allow staff_sudo_t xdg_documents_work_t:file { getattr write }; - -#============= staff_systemd_t ============== -allow staff_systemd_t chromium_sandbox_t:dir search; -allow staff_systemd_t chromium_sandbox_t:file { getattr ioctl open }; - -#============= staff_t ============== - -#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access. -#Constraint rule: -# # mlsconstrain file { read getattr execute } ((l1 dom l2 -Fail-) or (t1 == mlsfilereadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsfileread -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED -# mlsconstrain file { write create setattr relabelfrom append unlink link rename mounton } ((l1 eq l2 -Fail-) or (t1 == mlsfilewritetoclr -Fail-) and (h1 dom l2 -Fail-) and (l1 domby l2) or (t2 == mlsfilewriteinrange -Fail-) and (l1 dom l2 -Fail-) and (h1 domby h2) or (t1 == mlsfilewrite -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED - -# Possible cause is the source user (staff_u) and target user (system_u) are different. -# Possible cause is the source level (s0-s14:c0.c1023) and target level (s15:c0.c1023) are different. 
-allow staff_t auditd_log_t:file { getattr read write }; -allow staff_t security_t:security { read_policy setenforce }; -allow staff_t staff_wm_t:fifo_file read; - -#============= staff_wm_t ============== -allow staff_wm_t etc_t:file map; -allow staff_wm_t http_port_t:tcp_socket name_connect; -allow staff_wm_t https_packet_t:packet send; -allow staff_wm_t sysctl_t:netif egress; -allow staff_wm_t unlabeled_t:node sendto; -allow staff_wm_t unlabeled_t:packet recv; - -#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access. -#Constraint rule: -# # mlsconstrain peer { recv } ((l1 dom l2 -Fail-) or (t1 == mlsnetreadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsnetread -Fail-) ); Constraint DENIED - -# Possible cause is the source user (staff_u) and target user (system_u) are different. -# Possible cause is the source level (s0-s14:c0.c1023) and target level (s15:c0.c1023) are different. -allow staff_wm_t unlabeled_t:peer recv; - -#============= udev_t ============== -allow udev_t default_t:file getattr; - - -#============= NetworkManager_t ============== -allow NetworkManager_t unlabeled_t:node sendto; - -#============= devicekit_disk_t ============== -allow devicekit_disk_t lvm_runtime_t:dir write; - -#============= mozilla_t ============== -allow mozilla_t domain_packet_t:packet send; -allow mozilla_t https_packet_t:packet send; -allow mozilla_t sysctl_t:netif egress; -allow mozilla_t systemd_machined_t:unix_stream_socket connectto; -allow mozilla_t unlabeled_t:node sendto; -allow mozilla_t unlabeled_t:packet recv; -allow mozilla_t unlabeled_t:peer recv; -allow mozilla_t user_home_t:file map; -allow mozilla_t user_runtime_t:file getattr; - -#============= secadm_sudo_t ============== -allow secadm_sudo_t cgroup_t:filesystem getattr; - -#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access. 
-#Constraint rule: -# # mlsconstrain chr_file { read getattr execute } ((l1 dom l2 -Fail-) or (t1 == mlsfilereadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsfileread -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED - -# Possible cause is the source user (secadm_u) and target user (system_u) are different. -# Possible cause is the source level (s0-s15:c0.c512) and target level (s15:c0.c1023) are different. -allow secadm_sudo_t kmsg_device_t:chr_file getattr; -allow secadm_sudo_t proc_t:filesystem getattr; -allow secadm_sudo_t secadm_t:process { noatsecure rlimitinh siginh }; - -#!!!! This avc can be allowed using the boolean 'authlogin_pam' -allow secadm_sudo_t shadow_t:file read; -allow secadm_sudo_t systemd_machined_t:unix_stream_socket connectto; -allow secadm_sudo_t tty_device_t:chr_file getattr; - -#============= secadm_t ============== -allow secadm_t secadm_git_t:process { noatsecure rlimitinh siginh }; -allow secadm_t secadm_sudo_t:process { noatsecure rlimitinh siginh }; - -#============= staff_git_t ============== - -#!!!! This avc can be allowed using the boolean 'git_client_manage_all_user_home_content' -allow staff_git_t xdg_documents_t:dir { getattr search }; - -#!!!! This avc can be allowed using the boolean 'git_client_manage_all_user_home_content' -allow staff_git_t xdg_documents_work_t:dir { getattr open read search }; - -#!!!! This avc can be allowed using the boolean 'git_client_manage_all_user_home_content' -allow staff_git_t xdg_documents_work_t:file { getattr map open read }; - -#============= staff_sudo_t ============== -allow staff_sudo_t self:capability dac_read_search; -allow staff_sudo_t systemd_machined_t:unix_stream_socket connectto; -allow staff_sudo_t xdg_documents_work_t:file { getattr write }; - -#============= staff_systemd_t ============== -allow staff_systemd_t sysctl_t:netif egress; - -#============= staff_t ============== - -#!!!! This avc is a constraint violation. 
You would need to modify the attributes of either the source or target types to allow this access. -#Constraint rule: -# # mlsconstrain file { read getattr execute } ((l1 dom l2 -Fail-) or (t1 == mlsfilereadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsfileread -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED -# mlsconstrain file { write create setattr relabelfrom append unlink link rename mounton } ((l1 eq l2 -Fail-) or (t1 == mlsfilewritetoclr -Fail-) and (h1 dom l2 -Fail-) and (l1 domby l2) or (t2 == mlsfilewriteinrange -Fail-) and (l1 dom l2 -Fail-) and (h1 domby h2) or (t1 == mlsfilewrite -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED - -# Possible cause is the source user (staff_u) and target user (system_u) are different. -# Possible cause is the source level (s0-s14:c0.c1023) and target level (s15:c0.c1023) are different. -allow staff_t auditd_log_t:file { getattr read }; -allow staff_t security_t:security read_policy; -allow staff_t sysctl_t:netif egress; - -#============= udev_t ============== -allow udev_t default_t:file getattr; - - -#============= NetworkManager_t ============== -allow NetworkManager_t unlabeled_t:node sendto; - -#============= auditd_t ============== -allow auditd_t systemd_machined_t:unix_stream_socket connectto; - -#============= evolution_t ============== -allow evolution_t cgroup_t:file { open read }; -allow evolution_t device_t:chr_file getattr; -allow evolution_t devpts_t:filesystem mount; -allow evolution_t domain_packet_t:packet send; -allow evolution_t dri_device_t:chr_file { getattr ioctl map open read write }; -allow evolution_t etc_runtime_t:file { getattr open read }; -allow evolution_t etc_t:dir watch; -allow evolution_t etc_t:file map; -allow evolution_t evolution_tmpfs_t:dir { create mounton }; -allow evolution_t evolution_tmpfs_t:file mounton; -allow evolution_t evolution_xdg_config_t:file map; -allow evolution_t fonts_t:dir mounton; -allow evolution_t fs_t:filesystem { getattr 
remount unmount }; - -#!!!! This avc can be allowed using one of the these booleans: -# evolution_read_all_user_content, evolution_manage_all_user_content -allow evolution_t gnome_xdg_config_t:dir { getattr search }; - -#!!!! This avc can be allowed using one of the these booleans: -# evolution_read_all_user_content, evolution_manage_all_user_content -allow evolution_t gnome_xdg_config_t:file { getattr open read }; -allow evolution_t gnome_xdg_config_t:file map; -allow evolution_t imaps_packet_t:packet send; -allow evolution_t imyx_packet_t:packet send; -allow evolution_t lib_t:dir mounton; -allow evolution_t lib_t:file execute_no_trans; -allow evolution_t lo_netif_t:netif egress; -allow evolution_t locale_t:file mounton; - -#!!!! This avc can be allowed using one of the these booleans: -# evolution_read_all_user_content, evolution_manage_all_user_content -allow evolution_t mesa_shader_cache_t:dir { getattr search }; - -#!!!! This avc can be allowed using the boolean 'evolution_manage_all_user_content' -allow evolution_t mesa_shader_cache_t:file { getattr open read write }; -allow evolution_t mesa_shader_cache_t:file map; -allow evolution_t nsfs_t:file getattr; -allow evolution_t proc_t:filesystem mount; -allow evolution_t pulseaudio_tmp_t:dir getattr; - -#!!!! 
This avc can be allowed using one of the these booleans: -# evolution_read_all_user_content, evolution_manage_all_user_content -allow evolution_t pulseaudio_xdg_config_t:dir getattr; -allow evolution_t root_t:dir mounton; -allow evolution_t security_t:filesystem getattr; -allow evolution_t self:capability { net_admin setpcap sys_ptrace }; -allow evolution_t selinux_config_t:dir search; -allow evolution_t selinux_config_t:lnk_file read; -allow evolution_t session_dbusd_runtime_t:sock_file write; -allow evolution_t staff_t:process signull; -allow evolution_t staff_wm_t:unix_stream_socket { getattr ioctl read write }; -allow evolution_t sysctl_t:netif egress; -allow evolution_t sysctl_vm_overcommit_t:file { open read }; -allow evolution_t sysctl_vm_t:dir search; -allow evolution_t sysfs_t:dir read; -allow evolution_t sysfs_t:file { getattr open read }; -allow evolution_t sysfs_t:filesystem remount; -allow evolution_t sysfs_t:lnk_file read; -allow evolution_t systemd_homed_runtime_t:sock_file write; -allow evolution_t systemd_homed_t:unix_stream_socket connectto; -allow evolution_t systemd_machined_t:unix_stream_socket connectto; -allow evolution_t systemd_user_runtime_t:dir { getattr mounton search }; -allow evolution_t systemd_user_runtime_t:sock_file write; -allow evolution_t tmp_t:dir mounton; -allow evolution_t tmpfs_t:filesystem { mount remount unmount }; -allow evolution_t unlabeled_t:node sendto; -allow evolution_t unlabeled_t:packet recv; -allow evolution_t unlabeled_t:peer recv; -allow evolution_t unreserved_port_t:tcp_socket name_connect; - -#!!!! This avc can be allowed using one of the these booleans: -# evolution_manage_user_certs, evolution_manage_all_user_content -allow evolution_t user_cert_t:dir { add_name remove_name write }; - -#!!!! 
This avc can be allowed using one of the these booleans: -# evolution_manage_user_certs, evolution_manage_all_user_content -allow evolution_t user_cert_t:file { append create rename unlink write }; -allow evolution_t user_home_t:file map; -allow evolution_t user_runtime_t:dir { add_name create remove_name write }; -allow evolution_t user_runtime_t:file { create open read unlink write }; -allow evolution_t user_runtime_t:sock_file { create getattr write }; - -#!!!! This avc can be allowed using one of the these booleans: -# evolution_manage_generic_user_content, evolution_manage_all_user_content -allow evolution_t user_tmp_t:file write; -allow evolution_t user_tmp_t:file map; -allow evolution_t usr_t:dir { mounton watch }; -allow evolution_t v4l_device_t:chr_file getattr; -allow evolution_t var_lib_t:dir watch; -allow evolution_t var_lib_t:file { getattr map open }; -allow evolution_t winbind_helper_exec_t:file execute; -allow evolution_t wm_tmpfs_t:file { map read write }; -allow evolution_t xdg_cache_t:dir watch; - -#!!!! This avc can be allowed using one of the these booleans: -# evolution_read_all_user_content, evolution_manage_all_user_content -allow evolution_t xdg_cache_t:file { getattr lock open read write }; - -#!!!! This avc can be allowed using the boolean 'evolution_manage_all_user_content' -allow evolution_t xdg_cache_t:sock_file write; -allow evolution_t xdg_config_t:dir watch; - -#!!!! This avc can be allowed using one of the these booleans: -# evolution_read_all_user_content, evolution_manage_all_user_content -allow evolution_t xdg_config_t:file { append getattr lock open read }; -allow evolution_t xdg_data_t:dir watch; - -#!!!! This avc can be allowed using one of the these booleans: -# evolution_read_all_user_content, evolution_manage_all_user_content -allow evolution_t xdg_data_t:file { getattr open read }; -allow evolution_t xdg_data_t:file map; - -#!!!! 
This avc can be allowed using one of the these booleans: -# evolution_read_all_user_content, evolution_manage_all_user_content -allow evolution_t xdg_data_t:lnk_file read; -allow evolution_t xkb_var_lib_t:dir { getattr read search }; -allow evolution_t xkb_var_lib_t:file { getattr map open read }; - -#============= mozilla_t ============== -allow mozilla_t domain_packet_t:packet send; -allow mozilla_t https_packet_t:packet send; -allow mozilla_t sysctl_t:netif egress; -allow mozilla_t systemd_machined_t:unix_stream_socket connectto; -allow mozilla_t unlabeled_t:node sendto; -allow mozilla_t unlabeled_t:packet recv; -allow mozilla_t unlabeled_t:peer recv; -allow mozilla_t user_home_t:file map; -allow mozilla_t user_runtime_t:file getattr; - -#============= secadm_sudo_t ============== - -#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access. -#Constraint rule: -# # mlsconstrain chr_file { read getattr execute } ((l1 dom l2 -Fail-) or (t1 == mlsfilereadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsfileread -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED - -# Possible cause is the source user (secadm_u) and target user (system_u) are different. -# Possible cause is the source level (s0-s15:c0.c512) and target level (s15:c0.c1023) are different. 
-allow secadm_sudo_t kmsg_device_t:chr_file getattr; -allow secadm_sudo_t proc_t:filesystem getattr; -allow secadm_sudo_t secadm_t:process { noatsecure rlimitinh siginh }; -allow secadm_sudo_t systemd_machined_t:unix_stream_socket connectto; -allow secadm_sudo_t tty_device_t:chr_file getattr; - -#============= secadm_t ============== -allow secadm_t secadm_git_t:process { noatsecure rlimitinh siginh }; -allow secadm_t secadm_sudo_t:process { noatsecure rlimitinh siginh }; - -#============= staff_dbusd_t ============== -allow staff_dbusd_t etc_t:file map; -allow staff_dbusd_t http_port_t:tcp_socket name_connect; -allow staff_dbusd_t https_packet_t:packet send; -allow staff_dbusd_t ssdp_packet_t:packet { recv send }; -allow staff_dbusd_t staff_dbusd_tmpfs_t:file execute; -allow staff_dbusd_t sysctl_t:netif egress; -allow staff_dbusd_t systemd_machined_t:unix_stream_socket connectto; -allow staff_dbusd_t unlabeled_t:node sendto; -allow staff_dbusd_t unlabeled_t:packet recv; -allow staff_dbusd_t unlabeled_t:peer recv; -allow staff_dbusd_t unlabeled_t:tcp_socket node_bind; -allow staff_dbusd_t unlabeled_t:udp_socket node_bind; - -#============= staff_git_t ============== - -#!!!! This avc can be allowed using the boolean 'git_client_manage_all_user_home_content' -allow staff_git_t xdg_documents_t:dir { getattr search }; - -#!!!! This avc can be allowed using the boolean 'git_client_manage_all_user_home_content' -allow staff_git_t xdg_documents_work_t:dir { getattr open read search }; - -#!!!! 
This avc can be allowed using the boolean 'git_client_manage_all_user_home_content' -allow staff_git_t xdg_documents_work_t:file { getattr map open read }; - -#============= staff_sudo_t ============== -allow staff_sudo_t self:capability dac_read_search; -allow staff_sudo_t systemd_machined_t:unix_stream_socket connectto; -allow staff_sudo_t xdg_documents_work_t:file { getattr write }; - -#============= staff_systemd_t ============== -allow staff_systemd_t evolution_tmpfs_t:dir { open read search }; -allow staff_systemd_t evolution_tmpfs_t:file { getattr map open read }; -allow staff_systemd_t evolution_xdg_config_t:file rename; -allow staff_systemd_t http_port_t:tcp_socket name_connect; -allow staff_systemd_t https_packet_t:packet send; -allow staff_systemd_t modules_object_t:dir search; -allow staff_systemd_t ssh_home_t:dir search; -allow staff_systemd_t sysctl_t:netif egress; -allow staff_systemd_t unlabeled_t:node sendto; - -#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access. -#Constraint rule: -# # mlsconstrain packet { recv } ((l1 dom l2 -Fail-) or (t1 == mlsnetreadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsnetread -Fail-) ); Constraint DENIED - -# Possible cause is the source user (staff_u) and target user (system_u) are different. -# Possible cause is the source level (s0-s14:c0.c1023) and target level (s15:c0.c1023) are different. -allow staff_systemd_t unlabeled_t:packet recv; - -#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access. -#Constraint rule: -# # mlsconstrain peer { recv } ((l1 dom l2 -Fail-) or (t1 == mlsnetreadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsnetread -Fail-) ); Constraint DENIED - -# Possible cause is the source user (staff_u) and target user (system_u) are different. 
-# Possible cause is the source level (s0-s14:c0.c1023) and target level (s15:c0.c1023) are different. -allow staff_systemd_t unlabeled_t:peer recv; -allow staff_systemd_t var_lib_t:file map; -allow staff_systemd_t vmware_file_t:dir search; -allow staff_systemd_t xdg_documents_school_t:dir search; -allow staff_systemd_t xdg_documents_work_t:dir search; -allow staff_systemd_t xdg_downloads_t:dir search; -allow staff_systemd_t xdg_music_t:dir search; -allow staff_systemd_t xdg_pictures_t:dir search; - -#============= staff_t ============== - -#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access. -#Constraint rule: -# # mlsconstrain file { read getattr execute } ((l1 dom l2 -Fail-) or (t1 == mlsfilereadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsfileread -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED -# mlsconstrain file { write create setattr relabelfrom append unlink link rename mounton } ((l1 eq l2 -Fail-) or (t1 == mlsfilewritetoclr -Fail-) and (h1 dom l2 -Fail-) and (l1 domby l2) or (t2 == mlsfilewriteinrange -Fail-) and (l1 dom l2 -Fail-) and (h1 domby h2) or (t1 == mlsfilewrite -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED - -# Possible cause is the source user (staff_u) and target user (system_u) are different. -# Possible cause is the source level (s0-s14:c0.c1023) and target level (s15:c0.c1023) are different. -allow staff_t auditd_log_t:file { getattr read write }; - -#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access. 
-#Constraint rule: -# # mlsconstrain dir { read getattr execute } ((l1 dom l2 -Fail-) or (t1 == mlsfilereadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsfileread -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED -# mlsconstrain dir { search } ((l1 dom l2 -Fail-) or (t1 == mlsfilereadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsfileread -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED - -# Possible cause is the source user (staff_u) and target user (system_u) are different. -# Possible cause is the source role (staff_r) and target role (system_r) are different. -# Possible cause is the source level (s0-s14:c0.c1023) and target level (s15:c0.c1023) are different. -allow staff_t auditd_t:dir { getattr search }; - -#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access. -#Constraint rule: -# # mlsconstrain file { read getattr execute } ((l1 dom l2 -Fail-) or (t1 == mlsfilereadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsfileread -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED - -# Possible cause is the source user (staff_u) and target user (system_u) are different. -# Possible cause is the source role (staff_r) and target role (system_r) are different. -# Possible cause is the source level (s0-s14:c0.c1023) and target level (s15:c0.c1023) are different. 
-allow staff_t auditd_t:file read; -allow staff_t avahi_t:dir { getattr search }; -allow staff_t avahi_t:file read; -allow staff_t fsdaemon_exec_t:file { execute getattr }; -allow staff_t getty_t:dir { getattr search }; -allow staff_t getty_t:file { open read }; -allow staff_t httpd_suexec_exec_t:file { execute getattr }; -allow staff_t hwdata_t:dir search; -allow staff_t hwdata_t:file { getattr open read }; -allow staff_t local_login_t:file { open read }; -allow staff_t ntpd_t:dir { getattr search }; -allow staff_t ntpd_t:file { open read }; -allow staff_t restorecond_t:dir { getattr search }; -allow staff_t restorecond_t:file { open read }; -allow staff_t saslauthd_keytab_t:dir getattr; -allow staff_t secadm_dbusd_t:dir { getattr search }; -allow staff_t secadm_dbusd_t:file { open read }; -allow staff_t secadm_systemd_t:dir { getattr search }; -allow staff_t secadm_systemd_t:file { open read }; -allow staff_t secadm_t:dir { getattr search }; -allow staff_t secadm_t:file { open read }; -allow staff_t security_t:security { read_policy setenforce }; -allow staff_t smbd_exec_t:file { execute getattr }; -allow staff_t snmpd_exec_t:file { execute getattr }; -allow staff_t snort_exec_t:file { execute getattr }; -allow staff_t sshd_exec_t:file { execute getattr }; -allow staff_t staff_wm_t:fifo_file read; -allow staff_t svnserve_exec_t:file { execute getattr }; - -#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access. 
-#Constraint rule: -# # mlsconstrain dir { read getattr execute } ((l1 dom l2 -Fail-) or (t1 == mlsfilereadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsfileread -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED -# mlsconstrain dir { search } ((l1 dom l2 -Fail-) or (t1 == mlsfilereadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsfileread -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED - -# Possible cause is the source user (staff_u) and target user (system_u) are different. -# Possible cause is the source role (staff_r) and target role (system_r) are different. -# Possible cause is the source level (s0-s14:c0.c1023) and target level (s15:c0.c1023) are different. -allow staff_t syslogd_t:dir { getattr search }; - -#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access. -#Constraint rule: -# # mlsconstrain file { read getattr execute } ((l1 dom l2 -Fail-) or (t1 == mlsfilereadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsfileread -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED - -# Possible cause is the source user (staff_u) and target user (system_u) are different. -# Possible cause is the source role (staff_r) and target role (system_r) are different. -# Possible cause is the source level (s0-s14:c0.c1023) and target level (s15:c0.c1023) are different. 
-allow staff_t syslogd_t:file read; -allow staff_t systemd_cgtop_exec_t:file { execute getattr }; -allow staff_t systemd_machined_t:dir { getattr search }; -allow staff_t systemd_machined_t:file { open read }; -allow staff_t systemd_notify_exec_t:file { execute getattr }; -allow staff_t systemd_sessions_runtime_t:dir { getattr open read }; -allow staff_t systemd_tmpfiles_exec_t:file { execute getattr }; -allow staff_t var_lib_t:file map; -allow staff_t xdg_documents_archive_t:file execute; - -#============= staff_wm_t ============== -allow staff_wm_t evolution_t:fd use; -allow staff_wm_t evolution_t:process { rlimitinh siginh }; -allow staff_wm_t evolution_tmpfs_t:file { getattr map read write }; -allow staff_wm_t staff_dbusd_tmpfs_t:file { getattr map read write }; -allow staff_wm_t staff_t:file ioctl; - -#============= udev_t ============== -allow udev_t mount_t:process { noatsecure rlimitinh siginh }; - - -#============= NetworkManager_t ============== -allow NetworkManager_t bootpc_packet_t:packet recv; -allow NetworkManager_t bootps_packet_t:packet send; -allow NetworkManager_t unlabeled_t:node sendto; - -#============= evolution_t ============== -allow evolution_t imaps_packet_t:packet send; -allow evolution_t staff_wm_t:unix_stream_socket { getattr ioctl write }; -allow evolution_t sysctl_t:netif egress; -allow evolution_t unlabeled_t:node sendto; -allow evolution_t unlabeled_t:packet recv; -allow evolution_t unlabeled_t:peer recv; -allow evolution_t wm_tmpfs_t:file { read write }; - -#============= mozilla_t ============== -allow mozilla_t domain_packet_t:packet send; -allow mozilla_t https_packet_t:packet send; -allow mozilla_t sysctl_t:netif egress; -allow mozilla_t unlabeled_t:node sendto; -allow mozilla_t unlabeled_t:packet recv; -allow mozilla_t unlabeled_t:peer recv; -allow mozilla_t unlabeled_t:udp_socket node_bind; -allow mozilla_t www_http_packet_t:packet send; - -#============= secadm_sudo_t ============== - -#!!!! 
This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access. -#Constraint rule: -# # mlsconstrain chr_file { read getattr execute } ((l1 dom l2 -Fail-) or (t1 == mlsfilereadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsfileread -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED - -# Possible cause is the source user (secadm_u) and target user (system_u) are different. -# Possible cause is the source level (s0-s15:c0.c512) and target level (s15:c0.c1023) are different. -allow secadm_sudo_t kmsg_device_t:chr_file getattr; -allow secadm_sudo_t proc_t:filesystem getattr; -allow secadm_sudo_t secadm_t:process { noatsecure rlimitinh siginh }; -allow secadm_sudo_t systemd_machined_t:unix_stream_socket connectto; -allow secadm_sudo_t tty_device_t:chr_file getattr; - -#============= secadm_t ============== -allow secadm_t secadm_git_t:process { noatsecure rlimitinh siginh }; -allow secadm_t secadm_sudo_t:process { noatsecure rlimitinh siginh }; - -#============= staff_sudo_t ============== -allow staff_sudo_t self:capability dac_read_search; -allow staff_sudo_t systemd_machined_t:unix_stream_socket connectto; -allow staff_sudo_t xdg_documents_work_t:file { getattr write }; - -#============= staff_t ============== - -#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access. 
-#Constraint rule: -# # mlsconstrain file { read getattr execute } ((l1 dom l2 -Fail-) or (t1 == mlsfilereadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsfileread -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED -# mlsconstrain file { write create setattr relabelfrom append unlink link rename mounton } ((l1 eq l2 -Fail-) or (t1 == mlsfilewritetoclr -Fail-) and (h1 dom l2 -Fail-) and (l1 domby l2) or (t2 == mlsfilewriteinrange -Fail-) and (l1 dom l2 -Fail-) and (h1 domby h2) or (t1 == mlsfilewrite -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED - -# Possible cause is the source user (staff_u) and target user (system_u) are different. -# Possible cause is the source level (s0-s14:c0.c1023) and target level (s15:c0.c1023) are different. -allow staff_t auditd_log_t:file { getattr read }; -allow staff_t default_t:dir getattr; -allow staff_t default_t:file getattr; - - -#============= NetworkManager_t ============== -allow NetworkManager_t unlabeled_t:node sendto; - -#============= mozilla_t ============== -allow mozilla_t domain_packet_t:packet send; -allow mozilla_t https_packet_t:packet send; -allow mozilla_t sysctl_t:netif egress; -allow mozilla_t unlabeled_t:node sendto; -allow mozilla_t unlabeled_t:packet recv; -allow mozilla_t unlabeled_t:peer recv; - -#============= staff_git_t ============== - -#!!!! This avc can be allowed using the boolean 'git_client_manage_all_user_home_content' -allow staff_git_t xdg_documents_t:dir { getattr search }; - -#!!!! This avc can be allowed using the boolean 'git_client_manage_all_user_home_content' -allow staff_git_t xdg_documents_work_t:dir { getattr open read search }; - -#!!!! 
This avc can be allowed using the boolean 'git_client_manage_all_user_home_content' -allow staff_git_t xdg_documents_work_t:file { getattr map open read }; - -#============= staff_sudo_t ============== -allow staff_sudo_t self:capability dac_read_search; -allow staff_sudo_t systemd_machined_t:unix_stream_socket connectto; -allow staff_sudo_t xdg_documents_work_t:file { getattr write }; - -allow staff_t auditd_log_t:file { getattr read write }; -allow staff_t security_t:security read_policy; diff --git a/policy/modules/apps/vscode.if b/policy/modules/apps/vscode.if index decc96c95..8d7b2248a 100644 --- a/policy/modules/apps/vscode.if +++ b/policy/modules/apps/vscode.if @@ -44,8 +44,6 @@ template(`vscode_role',` ') ') -## policy for vscode - ######################################## ## ## Execute vscode_exec_t in the vscode domain. diff --git a/policy/modules/apps/zoom.if b/policy/modules/apps/zoom.if index e33637dfc..bb00b6389 100644 --- a/policy/modules/apps/zoom.if +++ b/policy/modules/apps/zoom.if @@ -44,8 +44,6 @@ template(`zoom_role',` ') ') -## policy for zoom - ######################################## ## ## Execute zoom_exec_t in the zoom domain. diff --git a/policy/modules/apps/zoom.te b/policy/modules/apps/zoom.te index 2674bf993..5b03b213b 100644 --- a/policy/modules/apps/zoom.te +++ b/policy/modules/apps/zoom.te @@ -3,6 +3,8 @@ policy_module(zoom, 1.0) attribute_role zoom_roles; type zoom_t; +type zoom_log_t; +type zoom_usr_t; type zoom_exec_t; userdom_user_application_domain(zoom_t, zoom_exec_t) @@ -29,8 +31,6 @@ allow zoom_t self:unix_dgram_socket { create write }; manage_files_pattern(zoom_t, zoom_usr_t, zoom_usr_t) manage_dirs_pattern(zoom_t, zoom_usr_t, zoom_usr_t) -xdg_manage_documents_zoom(zoom_t) - domain_use_interactive_fds(zoom_t) can_exec(zoom_t, zoom_exec_t) diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te index a591890f5..6faa21089 100644 --- a/policy/modules/services/bluetooth.te 
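Review bot: In the first zoom.te hunk, `type zoom_usr_t;` and `type zoom_log_t;` are declared as bare types with no file attribute, so the attribute-driven helpers (administrator relabeling, the generic `files_*` interfaces) will not cover the files they label; the project's own convention for the same kind of types, visible in the deleted monerod.te, pairs each declaration with `files_type(...)`. Suggest `files_type(zoom_usr_t)` directly after its declaration, and for `zoom_log_t` either `files_type(zoom_log_t)` or `logging_log_file(zoom_log_t)` depending on whether it labels content under /var/log. Nothing in this hunk or the next one references `zoom_log_t`, and no zoom.fc change is visible here, so if no rule or file context consumes it the declaration is dead weight; the `manage_files_pattern`/`manage_dirs_pattern` rules for `zoom_usr_t` are context lines in the second hunk of this file, which this declaration makes buildable.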
+++ b/policy/modules/services/bluetooth.te @@ -7,11 +7,18 @@ policy_module(bluetooth) attribute_role bluetooth_helper_roles; +## +##

+## Allow Bluetooth HID devices +##

+##
+ gen_tunable(`bluetooth_hid', true) tunable_policy(`bluetooth_hid', ` dev_rw_uhid(bluetooth_t) ') + type bluetooth_t; type bluetooth_exec_t; init_daemon_domain(bluetooth_t, bluetooth_exec_t) diff --git a/policy/modules/services/monerod.fc b/policy/modules/services/monerod.fc deleted file mode 100644 index e1218b93d..000000000 --- a/policy/modules/services/monerod.fc +++ /dev/null @@ -1,23 +0,0 @@ -/usr/share/monero(/.*)? gen_context(system_u:object_r:monerod_usr_t) -/usr/share/monero/bitmonero\.log(.*)? -- gen_context(system_u:object_r:monerod_log_t) -/usr/share/monero/rpc_ssl.crt -- gen_context(system_u:object_r:monerod_cert_t) -/usr/share/monero/rpc_ssl.key -- gen_context(system_u:object_r:monerod_cert_t) - -monero2john -- gen_context(system_u:object_r:monerod_exec_t) -monero-blockchain-ancestry -- gen_context(system_u:object_r:monerod_exec_t) -monero-blockchain-depth -- gen_context(system_u:object_r:monerod_exec_t) -monero-blockchain-export -- gen_context(system_u:object_r:monerod_exec_t) -monero-blockchain-import -- gen_context(system_u:object_r:monerod_exec_t) -monero-blockchain-mark-spent-outputs -- gen_context(system_u:object_r:monerod_exec_t) -monero-blockchain-prune -- gen_context(system_u:object_r:monerod_exec_t) -monero-blockchain-prune-known-spent-data -- gen_context(system_u:object_r:monerod_exec_t) -monero-blockchain-stats -- gen_context(system_u:object_r:monerod_exec_t) -monero-blockchain-usage -- gen_context(system_u:object_r:monerod_exec_t) -monerod -- gen_context(system_u:object_r:monerod_exec_t) -monero-gen-ssl-cert -- gen_context(system_u:object_r:monerod_exec_t) -monero-gen-trusted-multisig -- gen_context(system_u:object_r:monerod_exec_t) - -monero-wallet-cli -- gen_context(system_u:object_r:monerod_cli_exec_t) -monero-wallet-rpc -- gen_context(system_u:object_r:monerod_cli_exec_t) - -# Monero GUI is controlled with policy apps/monero-gui 
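Review bot: The summary added for `bluetooth_hid` names the feature but not what the tunable grants or its default, and that is what an administrator hardening a host needs: the body it documents, `dev_rw_uhid(bluetooth_t)`, gives the daemon read/write on the uhid device, and `gen_tunable(`bluetooth_hid', true)` switches that on by default. Suggest `## Allow bluetoothd (bluetooth_t) read/write access to the uhid device so Bluetooth HID devices can be attached. Enabled by default; turn off on hosts that should not accept Bluetooth input devices.` in place of the one-line summary. The `<p>`/`</p>` tags the refpolicy XML doc comments use are not visible in this rendering of the hunk (the lines show only as `+##`), so it is worth confirming they are present in the committed file, since the policy's XML tooling parses these comments.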
diff --git a/policy/modules/services/monerod.if b/policy/modules/services/monerod.if deleted file mode 100644 index e69de29bb..000000000 diff --git a/policy/modules/services/monerod.te b/policy/modules/services/monerod.te deleted file mode 100644 index dabeff820..000000000 --- a/policy/modules/services/monerod.te +++ /dev/null @@ -1,33 +0,0 @@ -policy(monerod, 1.0) - -type monerod_t; - -init_system_domain(monerod_t, monerod_exec_t) -userdom_user_application_domain(monerod_t, monerod_exec_t) - -manage_dirs_pattern(monerod_t, monerod_usr_t) -manage_files_pattern(monerod_t, monerod_usr_t) -manage_files_pattern(monerod_t, monerod_log_t) -manage_files_pattern(monerod_t, monerod_cert_t) -# MoneroD might create rpc_ssl files, if your rpc_ssl is manage by another -# process, change this to read pattern. - -type monerod_exec_t; -application_executable_file(monerod_exec_t) - -type monerod_log_t; -# Monerod does not use /var/log and tmpfs for logging, therefore -# monerod_log_t has attribute file instead of log file -files_type(monerod_log_t) - -type monerod_conf_t; - -files_type(monerod_conf_t) - -type monerod_cert_t; - -files_type(monerod_conf_t) - -type monerod_usr_t; -# Including p2pstate and blockchain -files_type(monerod_usr_t)