Skip to content
Snippets Groups Projects
Commit e8c9fdac authored by Stephen Smalley's avatar Stephen Smalley
Browse files

Exclude audit-related capabilities from unconfined domains. 


Require them to be explicitly granted by specific allow rules.
audit_write is required to write an audit message from userspace.
audit_control is required to configure the audit subsystem.

Change-Id: I5aa4e3228f9b0bde3570689fe7a0d68e56861a17
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
parent 888d283c
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 1 addition and 1 deletion
unconfined.te
+ 1
1
View file @ e8c9fdac
...@@ -16,7 +16,7 @@ ...@@ -16,7 +16,7 @@
# The use of this template is discouraged. # The use of this template is discouraged.
###################################################### ######################################################
allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module }; allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module audit_write audit_control };
allow unconfineddomain self:capability2 ~{ mac_override mac_admin }; allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam }; allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };
allow unconfineddomain kernel:system *; allow unconfineddomain kernel:system *;
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment