diff options
author | 2017-08-13 16:21:44 -0400 | |
---|---|---|
committer | 2017-09-09 00:31:19 +0200 | |
commit | 55a7d76dd8b6ddc679db0aa67cf3bbbf45fa4b30 (patch) | |
tree | f1b83848b1b9a1e7c068766166c2a8bd81e24756 /policy/modules/admin | |
parent | kernel: Module version bump for patch from Nicolas Iooss. (diff) | |
download | hardened-refpolicy-55a7d76dd8b6ddc679db0aa67cf3bbbf45fa4b30.tar.gz hardened-refpolicy-55a7d76dd8b6ddc679db0aa67cf3bbbf45fa4b30.tar.bz2 hardened-refpolicy-55a7d76dd8b6ddc679db0aa67cf3bbbf45fa4b30.zip |
Remove complement and wildcard in allow rules.
Remove complement (~) and wildcard (*) in allow rules so that there are no
unintentional additions when new permissions are declared.
This patch does not add or remove permissions from any rules.
Diffstat (limited to 'policy/modules/admin')
-rw-r--r-- | policy/modules/admin/consoletype.te | 2 | ||||
-rw-r--r-- | policy/modules/admin/sudo.if | 2 | ||||
-rw-r--r-- | policy/modules/admin/usermanage.te | 15 |
3 files changed, 7 insertions, 12 deletions
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te index d9663044b..bf6099615 100644 --- a/policy/modules/admin/consoletype.te +++ b/policy/modules/admin/consoletype.te @@ -16,7 +16,7 @@ init_system_domain(consoletype_t, consoletype_exec_t) # allow consoletype_t self:capability { sys_admin sys_tty_config }; -allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow consoletype_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; allow consoletype_t self:fd use; allow consoletype_t self:fifo_file rw_fifo_file_perms; allow consoletype_t self:sock_file read_sock_file_perms; diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if index eece2a3b5..ac8c688aa 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if @@ -53,7 +53,7 @@ template(`sudo_role_template',` # Use capabilities. allow $1_sudo_t self:capability { chown dac_override fowner setgid setuid sys_nice sys_resource }; - allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow $1_sudo_t self:process { signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr getrlimit rlimitinh siginh transition setsockcreate dyntransition noatsecure setkeycreate }; allow $1_sudo_t self:process { setexec setrlimit }; allow $1_sudo_t self:fd use; allow $1_sudo_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te index 4db2838a5..25e34b72d 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -70,8 +70,7 @@ role useradd_roles types useradd_t; # allow chfn_t self:capability { chown dac_override fsetid setgid setuid sys_resource }; -allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; -allow chfn_t self:process { setrlimit setfscreate }; +allow chfn_t self:process { transition sigkill sigstop signull signal getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; allow chfn_t self:fd use; allow chfn_t self:fifo_file rw_fifo_file_perms; allow chfn_t self:sock_file read_sock_file_perms; @@ -191,8 +190,7 @@ optional_policy(` allow groupadd_t self:capability { audit_write chown dac_override fsetid kill setuid sys_resource }; dontaudit groupadd_t self:capability { fsetid sys_tty_config }; -allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; -allow groupadd_t self:process { setrlimit setfscreate }; +allow groupadd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; allow groupadd_t self:fd use; allow groupadd_t self:fifo_file rw_fifo_file_perms; allow groupadd_t self:shm create_shm_perms; @@ -278,8 +276,7 @@ optional_policy(` allow passwd_t self:capability { chown dac_override fsetid setgid setuid sys_nice sys_resource }; dontaudit passwd_t self:capability sys_tty_config; -allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow passwd_t self:process { setrlimit setfscreate }; +allow passwd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; allow passwd_t self:fd use; allow passwd_t self:fifo_file rw_fifo_file_perms; allow passwd_t self:sock_file read_sock_file_perms; @@ -366,8 +363,7 @@ optional_policy(` # allow sysadm_passwd_t self:capability { chown dac_override fsetid setgid setuid sys_resource }; -allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow sysadm_passwd_t self:process { setrlimit setfscreate }; +allow sysadm_passwd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; allow sysadm_passwd_t self:fd use; allow sysadm_passwd_t self:fifo_file rw_fifo_file_perms; allow sysadm_passwd_t self:sock_file read_sock_file_perms; @@ -451,8 +447,7 @@ optional_policy(` allow useradd_t self:capability { chown dac_override fowner fsetid kill setuid sys_resource }; dontaudit useradd_t self:capability sys_tty_config; -allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow useradd_t self:process setfscreate; +allow useradd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; allow useradd_t self:fd use; allow useradd_t self:fifo_file rw_fifo_file_perms; allow useradd_t self:shm create_shm_perms; |