commit: 2691ab991317ef15b9fbba6394c678aed2e3d758
Author: Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Tue Sep 20 14:59:19 2022 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Wed Nov 2 14:07:00 2022 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2691ab99
Drop audit_access allows.
This permission is only meaningful for auditing purposes; it has no effect in allow rules.
Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/kernel/devices.te | 6 +++---
policy/modules/kernel/files.te | 14 +++++++-------
policy/modules/kernel/filesystem.te | 14 +++++++-------
policy/modules/kernel/kernel.te | 24 ++++++++++++------------
policy/modules/kernel/storage.te | 4 ++--
5 files changed, 31 insertions(+), 31 deletions(-)
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 49718cc26..5e2c77cbb 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -434,6 +434,6 @@ files_associate_tmp(device_node)
#
allow devices_unconfined_type self:capability sys_rawio;
-allow devices_unconfined_type device_node:blk_file { manage_blk_file_perms
relabel_blk_file_perms map execute quotaon mounton audit_access execmod watch };
-allow devices_unconfined_type device_node:chr_file { manage_chr_file_perms
relabel_chr_file_perms map execute quotaon mounton execmod audit_access watch };
-allow devices_unconfined_type mtrr_device_t:file { manage_file_perms
relabel_file_perms exec_file_perms quotaon mounton entrypoint execmod
audit_access watch };
+allow devices_unconfined_type device_node:blk_file { manage_blk_file_perms
relabel_blk_file_perms map execute quotaon mounton execmod watch };
+allow devices_unconfined_type device_node:chr_file { manage_chr_file_perms
relabel_chr_file_perms map execute quotaon mounton execmod watch };
+allow devices_unconfined_type mtrr_device_t:file { manage_file_perms
relabel_file_perms exec_file_perms quotaon mounton entrypoint execmod watch };
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 2691a8611..e8fe42214 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -227,13 +227,13 @@ fs_associate_tmpfs(tmpfsfile)
#
# Create/access any file in a labeled filesystem;
-allow files_unconfined_type file_type:file { manage_file_perms
relabel_file_perms exec_file_perms quotaon mounton audit_access watch };
-allow files_unconfined_type file_type:lnk_file { manage_lnk_file_perms
relabel_lnk_file_perms append map execute quotaon mounton open audit_access
execmod watch };
-allow files_unconfined_type file_type:sock_file { manage_sock_file_perms
relabel_sock_file_perms map execute quotaon mounton audit_access execmod watch
};
-allow files_unconfined_type file_type:fifo_file { manage_fifo_file_perms
relabel_fifo_file_perms map execute quotaon mounton audit_access execmod watch
};
-allow files_unconfined_type file_type:blk_file { manage_blk_file_perms
relabel_blk_file_perms map execute quotaon mounton audit_access execmod watch };
-allow files_unconfined_type file_type:chr_file { manage_chr_file_perms
relabel_chr_file_perms map execute quotaon mounton audit_access watch };
-allow files_unconfined_type file_type:dir { manage_dir_perms relabel_dir_perms
append map execute quotaon mounton add_name remove_name reparent search rmdir
audit_access execmod watch };
+allow files_unconfined_type file_type:file { manage_file_perms
relabel_file_perms exec_file_perms quotaon mounton watch };
+allow files_unconfined_type file_type:lnk_file { manage_lnk_file_perms
relabel_lnk_file_perms append map execute quotaon mounton open execmod watch };
+allow files_unconfined_type file_type:sock_file { manage_sock_file_perms
relabel_sock_file_perms map execute quotaon mounton execmod watch };
+allow files_unconfined_type file_type:fifo_file { manage_fifo_file_perms
relabel_fifo_file_perms map execute quotaon mounton execmod watch };
+allow files_unconfined_type file_type:blk_file { manage_blk_file_perms
relabel_blk_file_perms map execute quotaon mounton execmod watch };
+allow files_unconfined_type file_type:chr_file { manage_chr_file_perms
relabel_chr_file_perms map execute quotaon mounton watch };
+allow files_unconfined_type file_type:dir { manage_dir_perms relabel_dir_perms
append map execute quotaon mounton add_name remove_name reparent search rmdir
execmod watch };
# Mount/unmount any filesystem with the context= option.
allow files_unconfined_type file_type:filesystem { mount remount unmount
getattr relabelfrom relabelto associate quotamod quotaget watch };
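Review bot: The rewritten files_unconfined_type rules (the new file, lnk_file, sock_file, fifo_file, blk_file, chr_file and dir lines) now read as exhaustive per-class permission lists that happen to lack audit_access, so a future contributor comparing them against the class definitions is likely to "complete" them by adding it back. The rationale currently lives only in the commit message; a one-line comment above the first rule would keep it with the policy: `# audit_access is intentionally omitted: it is a no-op in allow rules and only has meaning in dontaudit/auditallow rules.` The same comment would fit the parallel unconfined blocks rewritten in devices.te, filesystem.te, kernel.te and storage.te.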
diff --git a/policy/modules/kernel/filesystem.te
b/policy/modules/kernel/filesystem.te
index 810bdaaa0..b3fd4abf8 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -339,13 +339,13 @@ allow filesystem_unconfined_type
filesystem_type:filesystem { mount remount unmo
# Create/access other files. fs_type is to pick up various
# pseudo filesystem types that are applied to both the filesystem
# and its files.
-allow filesystem_unconfined_type filesystem_type:file { manage_file_perms
relabel_file_perms exec_file_perms quotaon mounton entrypoint audit_access
execmod watch };
-allow filesystem_unconfined_type filesystem_type:lnk_file {
manage_lnk_file_perms relabel_lnk_file_perms append map execute quotaon mounton
open audit_access execmod watch };
-allow filesystem_unconfined_type filesystem_type:sock_file {
manage_sock_file_perms relabel_sock_file_perms map execute quotaon mounton
audit_access execmod watch };
-allow filesystem_unconfined_type filesystem_type:fifo_file {
manage_fifo_file_perms relabel_fifo_file_perms map execute quotaon mounton
audit_access execmod watch };
-allow filesystem_unconfined_type filesystem_type:blk_file {
manage_blk_file_perms relabel_blk_file_perms map execute quotaon mounton
audit_access execmod watch };
-allow filesystem_unconfined_type filesystem_type:chr_file {
manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton
audit_access execmod watch };
-allow filesystem_unconfined_type filesystem_type:dir { manage_dir_perms
relabel_dir_perms append map execute quotaon mounton add_name remove_name
reparent search rmdir audit_access execmod watch };
+allow filesystem_unconfined_type filesystem_type:file { manage_file_perms
relabel_file_perms exec_file_perms quotaon mounton entrypoint execmod watch };
+allow filesystem_unconfined_type filesystem_type:lnk_file {
manage_lnk_file_perms relabel_lnk_file_perms append map execute quotaon mounton
open execmod watch };
+allow filesystem_unconfined_type filesystem_type:sock_file {
manage_sock_file_perms relabel_sock_file_perms map execute quotaon mounton
execmod watch };
+allow filesystem_unconfined_type filesystem_type:fifo_file {
manage_fifo_file_perms relabel_fifo_file_perms map execute quotaon mounton
execmod watch };
+allow filesystem_unconfined_type filesystem_type:blk_file {
manage_blk_file_perms relabel_blk_file_perms map execute quotaon mounton
execmod watch };
+allow filesystem_unconfined_type filesystem_type:chr_file {
manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton
execmod watch };
+allow filesystem_unconfined_type filesystem_type:dir { manage_dir_perms
relabel_dir_perms append map execute quotaon mounton add_name remove_name
reparent search rmdir execmod watch };
ifdef(`distro_gentoo',`
# Fix bug 535986 - Mark configfs_t as file type (and mountpoint
probably as well)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index b4e5bdc0b..d44d07d16 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -548,22 +548,22 @@ if(secure_mode_insmod) {
# Rules for unconfined access to this module
#
-allow kern_unconfined proc_type:dir { manage_dir_perms relabel_dir_perms
append map execute quotaon mounton audit_access execmod watch };
-allow kern_unconfined proc_type:lnk_file { manage_lnk_file_perms
relabel_lnk_file_perms append map execute quotaon mounton open audit_access
execmod watch };
-allow kern_unconfined proc_type:file { manage_file_perms relabel_file_perms
exec_file_perms quotaon mounton audit_access watch };
+allow kern_unconfined proc_type:dir { manage_dir_perms relabel_dir_perms
append map execute quotaon mounton execmod watch };
+allow kern_unconfined proc_type:lnk_file { manage_lnk_file_perms
relabel_lnk_file_perms append map execute quotaon mounton open execmod watch };
+allow kern_unconfined proc_type:file { manage_file_perms relabel_file_perms
exec_file_perms quotaon mounton watch };
-allow kern_unconfined sysctl_type:dir { manage_dir_perms relabel_dir_perms
append map execute quotaon mounton audit_access execmod watch };
-allow kern_unconfined sysctl_type:file { manage_file_perms relabel_file_perms
exec_file_perms quotaon mounton audit_access watch };
+allow kern_unconfined sysctl_type:dir { manage_dir_perms relabel_dir_perms
append map execute quotaon mounton execmod watch };
+allow kern_unconfined sysctl_type:file { manage_file_perms relabel_file_perms
exec_file_perms quotaon mounton watch };
allow kern_unconfined kernel_t:system { ipc_info syslog_read syslog_mod
syslog_console module_request module_load halt reboot status start stop enable
disable reload };
-allow kern_unconfined unlabeled_t:file { manage_file_perms relabel_file_perms
exec_file_perms quotaon mounton audit_access watch };
-allow kern_unconfined unlabeled_t:lnk_file { manage_lnk_file_perms
relabel_lnk_file_perms append map execute quotaon mounton open audit_access
execmod watch };
-allow kern_unconfined unlabeled_t:sock_file { manage_sock_file_perms
relabel_sock_file_perms map execute quotaon mounton audit_access execmod watch
};
-allow kern_unconfined unlabeled_t:fifo_file { manage_fifo_file_perms
relabel_fifo_file_perms map execute quotaon mounton audit_access execmod watch
};
-allow kern_unconfined unlabeled_t:blk_file { manage_blk_file_perms
relabel_blk_file_perms map execute quotaon mounton audit_access execmod watch };
-allow kern_unconfined unlabeled_t:chr_file { manage_chr_file_perms
relabel_chr_file_perms map execute quotaon mounton audit_access watch };
-allow kern_unconfined unlabeled_t:dir { manage_dir_perms relabelfrom relabelto
append map execute quotaon mounton add_name remove_name reparent search rmdir
audit_access execmod watch };
+allow kern_unconfined unlabeled_t:file { manage_file_perms relabel_file_perms
exec_file_perms quotaon mounton watch };
+allow kern_unconfined unlabeled_t:lnk_file { manage_lnk_file_perms
relabel_lnk_file_perms append map execute quotaon mounton open execmod watch };
+allow kern_unconfined unlabeled_t:sock_file { manage_sock_file_perms
relabel_sock_file_perms map execute quotaon mounton execmod watch };
+allow kern_unconfined unlabeled_t:fifo_file { manage_fifo_file_perms
relabel_fifo_file_perms map execute quotaon mounton execmod watch };
+allow kern_unconfined unlabeled_t:blk_file { manage_blk_file_perms
relabel_blk_file_perms map execute quotaon mounton execmod watch };
+allow kern_unconfined unlabeled_t:chr_file { manage_chr_file_perms
relabel_chr_file_perms map execute quotaon mounton watch };
+allow kern_unconfined unlabeled_t:dir { manage_dir_perms relabelfrom relabelto
append map execute quotaon mounton add_name remove_name reparent search rmdir
execmod watch };
allow kern_unconfined unlabeled_t:filesystem { mount remount unmount getattr
relabelfrom relabelto associate quotamod quotaget watch };
allow kern_unconfined unlabeled_t:association { sendto recvfrom setcontext
polmatch };
allow kern_unconfined unlabeled_t:packet { send recv relabelto forward_in
forward_out };
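Review bot: The rewritten `allow kern_unconfined unlabeled_t:dir` rule still spells out `relabelfrom relabelto` while the other dir rules rewritten in this hunk (proc_type:dir and sysctl_type:dir) use `relabel_dir_perms`, and every other class in the hunk uses the matching `relabel_*_perms` set. Since the line is being touched anyway, `allow kern_unconfined unlabeled_t:dir { manage_dir_perms relabel_dir_perms append map execute quotaon mounton add_name remove_name reparent search rmdir execmod watch };` would make it consistent with its siblings. This is a pre-existing inconsistency rather than one the commit introduces, and it should not change the granted permissions provided relabel_dir_perms expands to exactly { relabelfrom relabelto } as the sibling rules assume.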
diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te
index dfe1a1663..7d30dc450 100644
--- a/policy/modules/kernel/storage.te
+++ b/policy/modules/kernel/storage.te
@@ -59,5 +59,5 @@ dev_node(tape_device_t)
# Unconfined access to this module
#
-allow storage_unconfined_type { fixed_disk_device_t removable_device_t
}:blk_file { manage_blk_file_perms relabel_blk_file_perms map execute quotaon
mounton audit_access execmod };
-allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_file
{ manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton
execmod audit_access };
+allow storage_unconfined_type { fixed_disk_device_t removable_device_t
}:blk_file { manage_blk_file_perms relabel_blk_file_perms map execute quotaon
mounton execmod };
+allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_file
{ manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton
execmod };