|
 |
2f8dfd1 |
diff -up ./contrib/selinux/cjdns.te.selinux ./contrib/selinux/cjdns.te
|
|
|
e8d4b4b |
--- ./contrib/selinux/cjdns.te.selinux 2020-06-23 08:37:44.000000000 -0400
|
|
|
e8d4b4b |
+++ ./contrib/selinux/cjdns.te 2020-07-01 19:34:24.473531348 -0400
|
|
|
db9c926 |
@@ -7,8 +7,9 @@ require {
|
|
|
2f8dfd1 |
type port_t;
|
|
|
2f8dfd1 |
type unreserved_port_t;
|
|
|
2f8dfd1 |
type tmp_t;
|
|
|
2f8dfd1 |
- type kernel_t;
|
|
|
2f8dfd1 |
type passwd_file_t;
|
|
|
2f8dfd1 |
+ type net_conf_t;
|
|
|
db9c926 |
+ type sssd_var_lib_t;
|
|
|
2f8dfd1 |
}
|
|
|
2f8dfd1 |
|
|
|
2f8dfd1 |
type cjdns_t;
|
|
|
e8d4b4b |
@@ -17,27 +18,29 @@ init_daemon_domain(cjdns_t,cjdns_exec_t)
|
|
|
07af323 |
|
|
|
2f8dfd1 |
#============= cjdns_t ==============
|
|
|
2f8dfd1 |
# Let master process run further restricted subprocess
|
|
|
07af323 |
-allow cjdns_t cjdns_exec_t:file { execute_no_trans execmod };
|
|
|
2f8dfd1 |
-allow cjdns_t self:capability { net_admin net_raw setuid setgid sys_chroot sys_module };
|
|
|
e80e13c |
+allow cjdns_t cjdns_exec_t:file { execute_no_trans execmod map };
|
|
|
2f8dfd1 |
+allow cjdns_t self:capability { net_admin net_raw setuid setgid sys_chroot };
|
|
|
2f8dfd1 |
allow cjdns_t self:process { signal getcap setrlimit setcap };
|
|
|
2f8dfd1 |
-allow cjdns_t kernel_t:system module_request;
|
|
|
2f8dfd1 |
# translate username to uid
|
|
|
2f8dfd1 |
allow cjdns_t passwd_file_t:file { read getattr open };
|
|
|
db9c926 |
+# should not need sssd to lookup uid for local uid
|
|
|
db9c926 |
+dontaudit cjdns_t sssd_var_lib_t:dir search;
|
|
|
2f8dfd1 |
|
|
|
2f8dfd1 |
+# translate host names
|
|
|
2f8dfd1 |
+allow cjdns_t net_conf_t:file { read getattr open };
|
|
|
2f8dfd1 |
# allow network access
|
|
|
2f8dfd1 |
allow cjdns_t node_t:udp_socket node_bind;
|
|
|
2f8dfd1 |
allow cjdns_t port_t:udp_socket name_bind;
|
|
|
3559534 |
allow cjdns_t unreserved_port_t:udp_socket name_bind;
|
|
|
3559534 |
-allow cjdns_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
|
|
|
3559534 |
+allow cjdns_t self:netlink_route_socket { bind create getattr nlmsg_read read write nlmsg_write };
|
|
|
2f8dfd1 |
allow cjdns_t self:packet_socket { bind create ioctl read write };
|
|
|
2f8dfd1 |
allow cjdns_t self:tun_socket create;
|
|
|
2f8dfd1 |
-allow cjdns_t self:udp_socket { create setopt bind ioctl getattr read write };
|
|
|
2f8dfd1 |
+allow cjdns_t self:udp_socket { create setopt bind ioctl getattr read write connect };
|
|
|
2f8dfd1 |
allow cjdns_t tun_tap_device_t:chr_file { read write open ioctl };
|
|
|
2f8dfd1 |
|
|
|
2f8dfd1 |
-
|
|
|
2f8dfd1 |
# management API
|
|
|
2f8dfd1 |
allow cjdns_t self:unix_stream_socket connectto;
|
|
|
e8d4b4b |
-allow cjdns_t tmp_t:sock_file { write create unlink };
|
|
|
e8d4b4b |
+allow cjdns_t tmp_t:sock_file { write create unlink getattr };
|
|
|
e8d4b4b |
allow cjdns_t tmp_t:dir { write remove_name add_name };
|
|
|
e8d4b4b |
allow cjdns_t urandom_device_t:chr_file { read open };
|
|
|
e8d4b4b |
|