diff --git a/refpolicy/policy/modules/admin/amanda.te b/refpolicy/policy/modules/admin/amanda.te
index 157ab14..4a25d6c 100644
--- a/refpolicy/policy/modules/admin/amanda.te
+++ b/refpolicy/policy/modules/admin/amanda.te
@@ -115,6 +115,10 @@ files_create_tmp_files(amanda_t, amanda_tmp_t, { file dir })
 kernel_read_system_state(amanda_t)
 kernel_read_kernel_sysctl(amanda_t)
 kernel_dontaudit_getattr_unlabeled_file(amanda_t)
+kernel_dontaudit_read_proc_symlink(amanda_t)
+
+# Added for targeted policy
+term_use_unallocated_tty(amanda_t)
 
 corenet_tcp_sendrecv_all_if(amanda_t)
 corenet_udp_sendrecv_all_if(amanda_t)
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 6d557ad..bdd44b9 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -568,6 +568,24 @@ interface(`kernel_dontaudit_read_system_state',`
 	dontaudit $1 proc_t:file read;
 ')
 
+########################################
+##
+##	Do not audit attempts by caller to
+##	read system state information in proc.
+##
+##
+##	The process type not to audit.
+##
+#
+interface(`kernel_dontaudit_read_proc_symlink',`
+	gen_require(`
+		type proc_t;
+		class lnk_file read;
+	')
+
+	dontaudit $1 proc_t:lnk_file read;
+')
+
 #######################################
 ##
 ## Allow caller to read the state information for software raid.
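Review bot: The `term_use_unallocated_tty(amanda_t)` line in the amanda.te hunk is a real permission grant (read/write on unallocated terminal devices), yet the only justification is `# Added for targeted policy`, which says where the need was observed rather than why a backup daemon must write to a tty. If the denials are only log noise from a stray inherited descriptor, the narrower `term_dontaudit_use_unallocated_ttys(amanda_t)` removes the audit spam without widening the domain; if amanda genuinely needs the tty, the comment should say which operation triggers it so the grant can be re-evaluated later. I would rewrite the comment to `# Added for targeted policy: <operation that touches the tty> — TODO confirm whether dontaudit suffices`. The surrounding `kernel_dontaudit_*` additions are fine as dontaudit rules since they grant nothing.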
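Review bot: The summary of the new `kernel_dontaudit_read_proc_symlink` interface in kernel.if is copied from `kernel_dontaudit_read_system_state` and describes reading "system state information in proc", but the rule it emits is only `dontaudit $1 proc_t:lnk_file read;`, so the documentation overstates what is suppressed. I would change the two summary lines to `##	Do not audit attempts by caller to` / `##	read symbolic links in proc.` so a policy author picking between the two interfaces sees the difference. The header rule of 40 `#` characters also differs from the 39 used by the neighbouring interface; cosmetic, but refpolicy's generated docs key off these blocks, so matching the file's existing width is worth a moment.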