diff --git a/policy/modules/apps/usernetctl.if b/policy/modules/apps/usernetctl.if
index 2dbc328..63b5167 100644
--- a/policy/modules/apps/usernetctl.if
+++ b/policy/modules/apps/usernetctl.if
@@ -66,6 +66,6 @@ interface(`usernetctl_run',`
 optional_policy(`
- ppp_run(usernetctl_t,$2,$3)
+ ppp_run(usernetctl_t, $2, $3)
 ')
 ')
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 63e7842..c711e97 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -81,26 +81,6 @@ interface(`storage_dontaudit_setattr_fixed_disk_dev',`
 ########################################
 ##
-## dontaudit the caller attempts to read from a fixed disk.
-##
-##
-##
-## The type of the process performing this action.
-##
-##
-#
-interface(`storage_dontaudit_raw_read_fixed_disk',`
- gen_require(`
- attribute fixed_disk_raw_read;
- type fixed_disk_device_t;
- ')
-
- dontaudit $1 fixed_disk_device_t:blk_file read_blk_file_perms;
- dontaudit $1 fixed_disk_device_t:chr_file read_chr_file_perms;
-')
-
-########################################
-##
 ## Allow the caller to directly read from a fixed disk.
 ## This is extremly dangerous as it can bypass the
 ## SELinux protections for filesystem objects, and
@@ -141,7 +121,8 @@ interface(`storage_dontaudit_read_fixed_disk',`
 ')
- dontaudit $1 fixed_disk_device_t:blk_file { getattr ioctl read };
+ dontaudit $1 fixed_disk_device_t:blk_file read_blk_file_perms;
+ dontaudit $1 fixed_disk_device_t:chr_file read_chr_file_perms;
 ')
 ########################################
diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
index d7547bb..958e813 100644
--- a/policy/modules/services/rsync.te
+++ b/policy/modules/services/rsync.te
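Review bot: The rewritten body of `storage_dontaudit_read_fixed_disk` now silences more than its summary describes: the blk_file rule grows from `{ getattr ioctl read }` to `read_blk_file_perms` (which in refpolicy also covers open and lock, to be confirmed against the perm set definition) and a new chr_file dontaudit is added, so the interface's summary comment, which begins above this hunk, should state that it suppresses read denials on both block and character fixed-disk device nodes, e.g. `## dontaudit the caller attempts to read from a fixed disk (blk_file and chr_file device nodes).`. Since the hunk above deletes `storage_dontaudit_raw_read_fixed_disk`, any module that still calls that interface will fail at M4 expansion; callers not visible here must be switched to this interface in the same commit. A dontaudit on raw disk reads is a deliberate audit blind spot — a domain that later abuses raw access to fixed_disk_device_t leaves no AVC trace for these permissions — so this interface is best reserved for domains known to probe disks rather than applied to silence generic noise. The gen_require of this interface also starts outside the hunk.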
@@ -61,6 +61,9 @@ allow rsync_t rsync_data_t:dir list_dir_perms;
 read_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
 read_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+manage_files_pattern(rsync_t, rsync_log_t, rsync_log_t)
+logging_log_filetrans(rsync_t, rsync_log_t, file)
+
 manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
 manage_files_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
 files_tmp_filetrans(rsync_t, rsync_tmp_t, { file dir })
@@ -97,8 +100,6 @@ libs_use_ld_so(rsync_t)
 libs_use_shared_libs(rsync_t)
 logging_send_syslog_msg(rsync_t)
-manage_files_pattern(rsync_t,rsync_log_t,rsync_log_t)
-logging_log_filetrans(rsync_t,rsync_log_t,file)
 miscfiles_read_localization(rsync_t)
 miscfiles_read_public_files(rsync_t)