diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 58b4e9d..ae853de 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -163,7 +163,7 @@ interface(`corecmd_list_bin',`
 ########################################
 ##
-## Do not auidt attempts to write bin directories.
+## Do not audit attempts to write bin directories.
 ##
 ##
 ##
@@ -181,6 +181,24 @@ interface(`corecmd_dontaudit_write_bin_dirs',`
 ########################################
 ##
+## Do not audit attempts to write bin files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`corecmd_dontaudit_write_bin_files',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ dontaudit $1 bin_t:file write;
+')
+
+########################################
+##
 ## Get the attributes of files in bin directories.
 ##
 ##
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 6c6f684..69093aa 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -521,6 +521,7 @@ kernel_stream_connect(xdm_t)
 
 corecmd_exec_shell(xdm_t)
 corecmd_exec_bin(xdm_t)
+corecmd_dontaudit_write_bin_files(xdm_t)
 
 corenet_all_recvfrom_unlabeled(xdm_t)
 corenet_all_recvfrom_netlabel(xdm_t)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 00283ba..d17f2bf 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -375,6 +375,7 @@ files_setattr_pid_dirs(initrc_t)
 files_read_kernel_symbol_table(initrc_t)
 files_exec_etc_files(initrc_t)
 files_manage_etc_symlinks(initrc_t)
+files_manage_system_conf_files(initrc_t)
 fs_manage_tmpfs_dirs(initrc_t)
 fs_tmpfs_filetrans(initrc_t, initrc_state_t, file)
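Review bot: The summary of the new `corecmd_dontaudit_write_bin_files` interface should say that it suppresses only the `write` permission on `bin_t` files, since the body is `dontaudit $1 bin_t:file write;` and a caller reading "attempts to write bin files" may assume `append` or `create` denials are covered too. A dontaudit rule grants nothing, so it is worth stating in the summary that the caller still cannot modify executables and that the suppressed denials only matter for log noise; something like `##	Do not audit attempts to write bin files (file write only; access is still denied).` on the summary line. The XML doc tags (summary/param) appear stripped on this page, so their markup could not be checked here.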
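Review bot: The added `corecmd_dontaudit_write_bin_files(xdm_t)` line carries no comment explaining which xdm component tries to open files under bin directories for writing, and silencing that denial permanently removes the evidence a policy maintainer would use to spot a misbehaving or compromised display manager. Presumably this came from a specific AVC seen on one distribution; a one-line comment above the call naming the trigger, e.g. `# <DISPLAY-MANAGER PLACEHOLDER> opens bin files for write on startup; harmless, so silence`, keeps the suppression reviewable later. The surrounding xdm_t rule block starts and ends outside this hunk.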
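Review bot: `files_manage_system_conf_files(initrc_t)` is considerably wider than the neighbouring `files_exec_etc_files`/`files_manage_etc_symlinks` rules, as a manage interface normally includes create, write, rename and unlink on the whole system configuration file type, and the hunk gives no indication which init script needs more than read access. If a single script rewrites one configuration file, a narrower interface or a private type for that file would keep initrc_t from being able to alter any system configuration; at minimum a comment naming the script that requires it, e.g. `# <INIT SCRIPT PLACEHOLDER> rewrites system config at boot`, would justify the grant. The initrc_t rule block continues outside this hunk, so this cannot be checked against an existing conditional or tunable.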