diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if index 6c0c20b..deb03ea 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -850,6 +850,42 @@ interface(`domain_dontaudit_getsession_all_domains',` ######################################## ## +## Get the process group ID of all domains. +## +## +## +## Domain allowed access. +## +## +# +interface(`domain_getpgid_all_domains',` + gen_require(` + attribute domain; + ') + + allow $1 domain:process getpgid; +') + +######################################## +## +## Get the scheduler information of all domains. +## +## +## +## Domain allowed access. +## +## +# +interface(`domain_getsched_all_domains',` + gen_require(` + attribute domain; + ') + + allow $1 domain:process getsched; +') + +######################################## +## ## Get the attributes of all domains ## sockets, for all socket types. ## @@ -1060,6 +1096,25 @@ interface(`domain_dontaudit_getattr_all_dgram_sockets',` ######################################## ## +## Get the attributes +## of all domains unix datagram sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`domain_getattr_all_stream_sockets',` + gen_require(` + attribute domain; + ') + + allow $1 domain:unix_stream_socket getattr; +') + +######################################## +## ## Do not audit attempts to get the attributes ## of all domains unix datagram sockets. ## @@ -1079,6 +1134,35 @@ interface(`domain_dontaudit_getattr_all_stream_sockets',` ######################################## ## +## Get the attributes of all domains +## unnamed pipes. +## +## +## +## Get the attributes of all domains +## unnamed pipes. +## +## +## This is commonly used for domains +## that can use lsof on all domains. +## +## +## +## +## Domain allowed access. +## +## +# +interface(`domain_getattr_all_pipes',` + gen_require(` + attribute domain; + ') + + allow $1 domain:fifo_file getattr; +') + +######################################## +## ## Do not audit attempts to get the attributes ## of all domains unnamed pipes. ## @@ -1320,6 +1404,24 @@ interface(`domain_all_recvfrom_all_domains',` ######################################## ## +## Send generic signals to the unconfined domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`domain_unconfined_signal',` + gen_require(` + attribute unconfined_domain_type; + ') + + allow $1 unconfined_domain_type:process signal; +') + +######################################## +## ## Unconfined access to domains. ## ## @@ -1343,4 +1445,3 @@ interface(`domain_unconfined',` typeattribute $1 set_curr_context; typeattribute $1 process_uncond_exempt; ') - diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te index 5491823..8213e5a 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -1,5 +1,5 @@ -policy_module(domain, 1.7.0) +policy_module(domain, 1.7.1) ######################################## #
+## Get the attributes of all domains +## unnamed pipes. +##
+## This is commonly used for domains +## that can use lsof on all domains. +##