diff --git a/policy/global_tunables b/policy/global_tunables index 56af226..f85244d 100644 --- a/policy/global_tunables +++ b/policy/global_tunables @@ -13,21 +13,21 @@ gen_tunable(allow_execheap,false) ## ##

-## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla") +## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla ##

##
gen_tunable(allow_execmem,false) ## ##

-## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t") +## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t ##

##
gen_tunable(allow_execmod,false) ## ##

-## Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla") +## Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla ##

##
gen_tunable(allow_execstack,false) diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if index 464a11e..2993130 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if @@ -140,6 +140,7 @@ template(`sudo_role_template',` userdom_manage_user_tmp_files($1_sudo_t) userdom_manage_user_tmp_symlinks($1_sudo_t) userdom_use_user_terminals($1_sudo_t) + userdom_signal_unpriv_users($1_sudo_t) # for some PAM modules and for cwd userdom_search_user_home_content($1_sudo_t) userdom_search_admin_dir($1_sudo_t) diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if index 09d4b31..0d8458a 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -474,6 +474,25 @@ interface(`domain_signal_all_domains',` ######################################## ## +## Dontaudit sending general signals to all domains. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`domain_dontaudit_signal_all_domains',` + gen_require(` + attribute domain; + ') + + dontaudit $1 domain:process signal; +') + +######################################## +## ## Send a null signal to all domains. ## ## diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index 31ebaa7..a09ab47 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -102,7 +102,7 @@ type hugetlbfs_t; fs_type(hugetlbfs_t) files_mountpoint(hugetlbfs_t) fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); -dev_associate_sysfs(hugetlbfs_t) +dev_associate(hugetlbfs_t) type ibmasmfs_t; fs_type(ibmasmfs_t) diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index 9b9e013..5fbf38f 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -576,6 +576,7 @@ domain_use_interactive_fds(xdm_t) # Do not audit denied probes of /proc. domain_dontaudit_read_all_domains_state(xdm_t) domain_dontaudit_ptrace_all_domains(xdm_t) +domain_dontaudit_signal_all_domains(xdm_t) files_read_etc_files(xdm_t) files_read_var_files(xdm_t)