diff options
author | Dave Sugar <dsugar100@gmail.com> | 2023-12-10 21:00:33 -0500 |
---|---|---|
committer | Kenton Groombridge <concord@gentoo.org> | 2024-03-01 12:02:59 -0500 |
commit | 6f2158d257119b0a495955b398183aca5e2c0d50 (patch) | |
tree | 91b5c94f35c33cc0e4cdecca00ca42f8819284a8 /policy | |
parent | Add dontaudit to quiet down a bit (diff) | |
download | hardened-refpolicy-6f2158d257119b0a495955b398183aca5e2c0d50.tar.gz hardened-refpolicy-6f2158d257119b0a495955b398183aca5e2c0d50.tar.bz2 hardened-refpolicy-6f2158d257119b0a495955b398183aca5e2c0d50.zip |
Add watches
node=localhost type=AVC msg=audit(1701960388.658:45746): avc: denied { watch } for pid=7282 comm="cockpit-bridge" path="/" dev="dm-1" ino=2 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0
node=localhost type=AVC msg=audit(1701960389.457:46142): avc: denied { watch } for pid=7282 comm="cockpit-bridge" path="/etc/motd" dev="dm-1" ino=524363 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
node=localhost type=AVC msg=audit(1701960389.538:46261): avc: denied { watch } for pid=7282 comm="cockpit-bridge" path="/var" dev="dm-9" ino=2 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
node=localhost type=AVC msg=audit(1701960389.539:46264): avc: denied { watch } for pid=7282 comm="cockpit-bridge" path="/var/lib" dev="dm-9" ino=262145 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
node=localhost type=AVC msg=audit(1701960389.472:46167): avc: denied { watch } for pid=7282 comm="cockpit-bridge" path="/run/systemd" dev="tmpfs" ino=2 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=0
node=localhost type=AVC msg=audit(1701960389.473:46170): avc: denied { watch } for pid=7282 comm="cockpit-bridge" path="/run/systemd/shutdown" dev="tmpfs" ino=99 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=0
node=localhost type=AVC msg=audit(1701966176.317:51985): avc: denied { watch } for pid=7186 comm="cockpit-bridge" path="/run/utmp" dev="tmpfs" ino=94 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:initrc_runtime_t:s0 tclass=file permissive=0
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Diffstat (limited to 'policy')
-rw-r--r-- | policy/modules/kernel/files.if | 36 | ||||
-rw-r--r-- | policy/modules/services/cockpit.if | 7 | ||||
-rw-r--r-- | policy/modules/system/init.if | 18 |
3 files changed, 61 insertions, 0 deletions
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 29c8b72f3..e0337d044 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -6912,6 +6912,24 @@ interface(`files_rw_runtime_dirs',` ######################################## ## <summary> +## Watch /var/lib directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_watch_var_lib_dirs',` + gen_require(` + type var_lib_t; + ') + + allow $1 var_lib_t:dir watch; +') + +######################################## +## <summary> ## Watch /var/run directories. ## </summary> ## <param name="domain"> @@ -6930,6 +6948,24 @@ interface(`files_watch_runtime_dirs',` ######################################## ## <summary> +## Watch /var directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_watch_var_dirs',` + gen_require(` + type var_t; + ') + + allow $1 var_t:dir watch; +') + +######################################## +## <summary> ## Read generic runtime files. ## </summary> ## <param name="domain"> diff --git a/policy/modules/services/cockpit.if b/policy/modules/services/cockpit.if index 494967eb1..7a002b3e5 100644 --- a/policy/modules/services/cockpit.if +++ b/policy/modules/services/cockpit.if @@ -56,10 +56,17 @@ template(`cockpit_role_template',` files_dontaudit_execute_default_files($2) files_dontaudit_execuite_etc_runtime_files($2) files_dontaudit_exec_runtime($2) + files_watch_etc_files($2) + files_watch_root_dirs($2) + files_watch_var_dirs($2) + files_watch_var_lib_dirs($2) cockpit_use_ws_fds($2) cockpit_rw_ws_stream_sockets($2) + init_watch_runtime_dirs($2) + init_watch_utmp($2) + userdom_dontaudit_execute_user_tmpfs_files($2) ') diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 2b8e22f38..f58db6cbd 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -3104,6 +3104,24 @@ interface(`init_manage_utmp',` ######################################## ## <summary> +## Add a watch on init runtime +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_watch_runtime_dirs',` + gen_require(` + type init_runtime_t; + ') + + allow $1 init_runtime_t:dir watch; +') + +######################################## +## <summary> ## Add a watch on utmp. ## </summary> ## <param name="domain"> |