[gogoc: 1/2] Add SELinux policy module gogoc 1.0.0
Juan Orti
jorti at fedoraproject.org
Sat Aug 17 15:29:35 UTC 2013
commit b1d48c563f1aa30bdc519897a4e865edc4ccfcaa
Author: Juan Orti Alcaine <jorti at fedoraproject.org>
Date: Sat Aug 17 17:22:19 2013 +0200
Add SELinux policy module gogoc 1.0.0
This is the first version of the SELinux policy for gogoc. Also, I've changed
the way radvd is stopped.
gogoc-1.2-kill_radvd.patch | 57 ++++++---
gogoc-1.2-selinux_fix.patch | 44 ------
gogoc.fc | 9 ++
gogoc.if | 310 +++++++++++++++++++++++++++++++++++++++++++
gogoc.service | 1 +
gogoc.spec | 79 +++++++++--
gogoc.te | 101 ++++++++++++++
7 files changed, 528 insertions(+), 73 deletions(-)
---
diff --git a/gogoc-1.2-kill_radvd.patch b/gogoc-1.2-kill_radvd.patch
index c8e4993..3b30bbb 100644
--- a/gogoc-1.2-kill_radvd.patch
+++ b/gogoc-1.2-kill_radvd.patch
@@ -1,21 +1,44 @@
-diff -up gogoc-1_2-RELEASE/gogoc-tsp/template/linux.sh.kill_radvd gogoc-1_2-RELEASE/gogoc-tsp/template/linux.sh
---- gogoc-1_2-RELEASE/gogoc-tsp/template/linux.sh.kill_radvd
-+++ gogoc-1_2-RELEASE/gogoc-tsp/template/linux.sh
-@@ -27,9 +27,14 @@ KillProcess()
+diff --git a/gogoc-tsp/template/linux.sh b/gogoc-tsp/template/linux.sh
+index 5621485..5de52b2 100644
+--- a/gogoc-tsp/template/linux.sh
++++ b/gogoc-tsp/template/linux.sh
+@@ -32,6 +32,18 @@ KillProcess()
fi
- PID=`ps axww | grep $1 | grep -v grep | awk '{ print $1;}'`
- echo $PID
-- if [ ! -z $PID ]; then
-- kill $PID
-- fi
-+
-+ # This check doesn't work in Fedora, I don't know why
-+ # if [ ! -z $PID ]; then
-+ for i in $PID
-+ do
-+ kill $i
-+ done
-+ # fi
}
++KillProcessPIDFile()
++{
++ if [ ! -z $TSP_VERBOSE ]; then
++ if [ $TSP_VERBOSE -ge 2 ]; then
++ echo killing $*
++ fi
++ fi
++ if [ -r "$1" ]; then
++ kill `cat "$1"`
++ fi
++}
++
Display()
+ {
+ if [ -z $TSP_VERBOSE ]; then
+@@ -125,7 +137,7 @@ if [ X"${TSP_OPERATION}" = X"TSP_TUNNEL_TEARDOWN" ]; then
+ if [ X"${TSP_HOST_TYPE}" = X"router" ]; then
+
+ # Kill router advertisement daemon
+- KillProcess $rtadvdconfigfile
++ KillProcessPIDFile $rtadvd_pid
+
+ # Remove prefix routing on TSP_HOME_INTERFACE
+ ExecNoCheck $route -A inet6 del $TSP_PREFIX::/$TSP_PREFIXLEN
+@@ -246,9 +258,9 @@ if [ X"${TSP_HOST_TYPE}" = X"router" ]; then
+
+
+ # Stop radvd daemon if it was running. Twice.
+- /etc/init.d/radvd stop
++ /usr/bin/systemctl is-active --quiet radvd.service && /usr/bin/systemctl stop radvd.service
+ if [ -f $rtadvdconfigfile ]; then
+- KillProcess $rtadvdconfigfile
++ KillProcessPIDFile $rtadvd_pid
+ fi
+
+ # Create new radvd configuration file.
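Review bot: `KillProcessPIDFile` signals whatever `$1` contains without validating it: an empty or non-numeric pid file makes `kill` fail on its usage text, and a stale pid that the kernel has since reused sends the signal to an unrelated process instead of radvd. Read the file into a variable, accept only digits, and optionally confirm `/proc/$pid/comm` reads `radvd` before signalling; `$rtadvd_pid` is set outside this patch, so where radvd actually writes that file (the spec ghosts `/var/run/gogoc/radvd.pid`) should be checked as well. The hunk opens inside `KillProcess`, whose start lies outside it, and the teardown block containing `KillProcessPIDFile $rtadvd_pid` also continues past the hunk.

```shell
KillProcessPIDFile()
{
   # … unchanged: TSP_VERBOSE echo …
   if [ -r "$1" ]; then
      pid=`cat "$1"`
      case "$pid" in
         ''|*[!0-9]*) return 1 ;;   # empty or non-numeric pid file: refuse to kill
      esac
      kill "$pid"
   fi
}
```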
diff --git a/gogoc.fc b/gogoc.fc
new file mode 100644
index 0000000..6293f13
--- /dev/null
+++ b/gogoc.fc
@@ -0,0 +1,9 @@
+/usr/bin/gogoc -- gen_context(system_u:object_r:gogoc_exec_t,s0)
+
+/usr/lib/systemd/system/gogoc.service -- gen_context(system_u:object_r:gogoc_unit_file_t,s0)
+
+/var/lib/gogoc(/.*)? gen_context(system_u:object_r:gogoc_var_lib_t,s0)
+
+/var/log/gogoc(/.*)? gen_context(system_u:object_r:gogoc_log_t,s0)
+
+/var/run/gogoc(/.*)? gen_context(system_u:object_r:gogoc_var_run_t,s0)
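Review bot: `/etc/gogoc` gets no entry, so `gogoc.conf` — which the spec deliberately restricts to mode 0640, presumably because it carries the tunnel-broker credentials — stays generic `etc_t`, readable by every domain granted `files_read_etc_files`, which is most of them. A dedicated type confines it by policy as well as by DAC: add `/etc/gogoc(/.*)? gen_context(system_u:object_r:gogoc_etc_t,s0)` here and, in gogoc.te, `type gogoc_etc_t; files_config_file(gogoc_etc_t)` plus `read_files_pattern(gogoc_t, gogoc_etc_t, gogoc_etc_t)` with a `files_search_etc(gogoc_t)`. Note also that `/var/run/gogoc` only matches the real `/run/gogoc` through the distribution's `file_contexts.subs_dist` aliasing, as far as I recall; that is fine on Fedora but is an assumption worth a comment at the top of the file.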
diff --git a/gogoc.if b/gogoc.if
new file mode 100644
index 0000000..fcdc1cb
--- /dev/null
+++ b/gogoc.if
@@ -0,0 +1,310 @@
+
+## <summary>policy for gogoc</summary>
+
+########################################
+## <summary>
+## Execute TEMPLATE in the gogoc domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gogoc_domtrans',`
+ gen_require(`
+ type gogoc_t, gogoc_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, gogoc_exec_t, gogoc_t)
+')
+########################################
+## <summary>
+## Read gogoc's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`gogoc_read_log',`
+ gen_require(`
+ type gogoc_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, gogoc_log_t, gogoc_log_t)
+')
+
+########################################
+## <summary>
+## Append to gogoc log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gogoc_append_log',`
+ gen_require(`
+ type gogoc_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, gogoc_log_t, gogoc_log_t)
+')
+
+########################################
+## <summary>
+## Manage gogoc log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gogoc_manage_log',`
+ gen_require(`
+ type gogoc_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, gogoc_log_t, gogoc_log_t)
+ manage_files_pattern($1, gogoc_log_t, gogoc_log_t)
+ manage_lnk_files_pattern($1, gogoc_log_t, gogoc_log_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read,
+## gogoc tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`gogoc_dontaudit_read_tmp_files',`
+ gen_require(`
+ type gogoc_tmp_t;
+ ')
+
+ dontaudit $1 gogoc_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read gogoc tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gogoc_read_tmp_files',`
+ gen_require(`
+ type gogoc_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, gogoc_tmp_t, gogoc_tmp_t)
+')
+
+########################################
+## <summary>
+## Manage gogoc tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gogoc_manage_tmp',`
+ gen_require(`
+ type gogoc_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_dirs_pattern($1, gogoc_tmp_t, gogoc_tmp_t)
+ manage_files_pattern($1, gogoc_tmp_t, gogoc_tmp_t)
+ manage_lnk_files_pattern($1, gogoc_tmp_t, gogoc_tmp_t)
+')
+
+########################################
+## <summary>
+## Search gogoc lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gogoc_search_lib',`
+ gen_require(`
+ type gogoc_var_lib_t;
+ ')
+
+ allow $1 gogoc_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read gogoc lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gogoc_read_lib_files',`
+ gen_require(`
+ type gogoc_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, gogoc_var_lib_t, gogoc_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage gogoc lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gogoc_manage_lib_files',`
+ gen_require(`
+ type gogoc_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, gogoc_var_lib_t, gogoc_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage gogoc lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gogoc_manage_lib_dirs',`
+ gen_require(`
+ type gogoc_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, gogoc_var_lib_t, gogoc_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read gogoc PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gogoc_read_pid_files',`
+ gen_require(`
+ type gogoc_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, gogoc_var_run_t, gogoc_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute gogoc server in the gogoc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gogoc_systemctl',`
+ gen_require(`
+ type gogoc_t;
+ type gogoc_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_password_run($1)
+ allow $1 gogoc_unit_file_t:file read_file_perms;
+ allow $1 gogoc_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, gogoc_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an gogoc environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`gogoc_admin',`
+ gen_require(`
+ type gogoc_t;
+ type gogoc_log_t;
+ type gogoc_tmp_t;
+ type gogoc_var_lib_t;
+ type gogoc_var_run_t;
+ type gogoc_unit_file_t;
+ ')
+
+ allow $1 gogoc_t:process { ptrace signal_perms };
+ ps_process_pattern($1, gogoc_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, gogoc_log_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, gogoc_tmp_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, gogoc_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, gogoc_var_run_t)
+
+ gogoc_systemctl($1)
+ admin_pattern($1, gogoc_unit_file_t)
+ allow $1 gogoc_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
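Review bot: `gogoc_systemctl` calls `systemd_read_fifo_file_password_run($1)` while `gogoc_admin` further down calls `systemd_read_fifo_file_passwd_run($1)`; only one spelling can exist in the base policy (I believe the `passwd` form — verify against systemd.if), and since nothing in gogoc.te invokes either interface the M4 expansion error will only surface in whichever module first calls `gogoc_systemctl` or `gogoc_admin`. Make the two agree, e.g. `systemd_read_fifo_file_passwd_run($1)` in `gogoc_systemctl`. While there, the `<summary>` of `gogoc_systemctl` (`Execute gogoc server in the gogoc domain.`) describes `gogoc_domtrans`, not what this interface grants — `Execute systemctl to manage gogoc.service.` is accurate — and `gogoc_domtrans` has `domin` for `domain`.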
diff --git a/gogoc.service b/gogoc.service
index 3d4eb3a..42c837a 100644
--- a/gogoc.service
+++ b/gogoc.service
@@ -16,6 +16,7 @@ Type=simple
ExecStart=/usr/bin/gogoc -f /etc/gogoc/gogoc.conf $GOGOC_OPTS
KillSignal=SIGHUP
KillMode=process
+TimeoutStopSec=30
PrivateTmp=true
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_KILL
InaccessibleDirectories=/home /root /boot /opt /mnt /media
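Review bot: With `KillMode=process` on the preceding line, the new `TimeoutStopSec=30` bounds only the main gogoc PID: when the timeout expires systemd SIGKILLs that single process and leaves anything gogoc spawned on SIGHUP — the teardown template, which in this same commit shells out to `systemctl stop radvd.service` — running unsupervised. If letting the SIGHUP-triggered teardown run to completion is the reason for `KillMode=process`, that deserves a comment in the unit, e.g. `# process-only kill: the SIGHUP teardown script must outlive the main process`; if not, the default `KillMode=control-group` lets the timeout cover the whole cgroup. The interaction is inferred from the template patch, not from anything in the unit itself.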
diff --git a/gogoc.spec b/gogoc.spec
index b8ffc2c..7185532 100644
--- a/gogoc.spec
+++ b/gogoc.spec
@@ -1,9 +1,12 @@
%global _hardened_build 1
%global distver 1_2-RELEASE
+%global selinux_variants mls strict targeted
+%global selinux_policyver %(%{__sed} -e 's,.*selinux-policy-\\([^/]*\\)/.*,\\1,' /usr/share/selinux/devel/policyhelp || echo 0.0.0)
+%global modulename gogoc
Name: gogoc
Version: 1.2
-Release: 26%{?dist}
+Release: 27%{?dist}
Summary: IPv6 TSP client for gogo6
Group: System Environment/Daemons
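Review bot: `selinux_variants` lists `strict`, but Fedora has not shipped a `strict` policy store for years, so that build (which the devel Makefile treats like a non-MLS build) only produces a third `.pp` under `/usr/share/selinux/strict/`, a `semodule -s strict` that fails silently in `%post`, and an unowned `/usr/share/selinux/strict` directory left behind on uninstall since no package owns it. Unless a strict store is a real target, `%global selinux_variants mls targeted` is enough. This is copied from the old packaging draft, so it is worth confirming against the current guidelines rather than taking my word for it.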
@@ -13,26 +16,37 @@ URL: http://gogonet.gogo6.com/page/freenet6-services
Source0: http://content.gogo6.com/%{name}-%{distver}.tar.gz
Source1: %{name}.service
Source2: %{name}-tmpfiles.conf
+Source3: %{name}.fc
+Source4: %{name}.if
+Source5: %{name}.te
Patch1: %{name}-%{version}-dirpath.patch
Patch2: %{name}-%{version}-gcc_4.6_compile_fix.patch
Patch3: %{name}-%{version}-gogoc_conf_5.patch
# Patch4: https://bugs.launchpad.net/ubuntu/+source/gw6c/+bug/418176
Patch4: %{name}-%{version}-lp418176_client_v4.patch
-Patch5: %{name}-%{version}-selinux_fix.patch
Patch6: %{name}-%{version}-kill_radvd.patch
Patch7: %{name}-%{version}-debug_info.patch
# Patch8: https://bugzilla.redhat.com/show_bug.cgi?id=983052
Patch8: %{name}-%{version}-bz983052_adjust_output_scraping_to_match_current_ifconfig.patch
BuildRequires: openssl-devel
-BuildRequires: systemd-units
+BuildRequires: systemd
+BuildRequires: checkpolicy
+BuildRequires: selinux-policy-devel
+BuildRequires: /usr/share/selinux/devel/policyhelp
+BuildRequires: hardlink
Requires: radvd
-Requires(post): systemd-units
+%if "%{selinux_policyver}" != ""
+Requires: selinux-policy >= %{selinux_policyver}
+%endif
+Requires(post): systemd
Requires(post): policycoreutils-python
-Requires(preun): systemd-units
-Requires(postun): systemd-units
-Requires(postun): policycoreutils-python
+Requires(post): /usr/sbin/semodule
+Requires(post): /sbin/fixfiles
+Requires(preun): systemd
+Requires(postun): systemd
+Requires(postun): /usr/sbin/semodule
%description
TSP is a control protocol used to establish and maintain static tunnels.
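Review bot: The `%if "%{selinux_policyver}" != ""` guard around `Requires: selinux-policy >= %{selinux_policyver}` can never be false: the macro ends in `|| echo 0.0.0`, and `BuildRequires: /usr/share/selinux/devel/policyhelp` guarantees the sed input exists anyway. As written, a sed pattern that stops matching would silently produce `Requires: selinux-policy >= 0.0.0`, i.e. no version pin at all; either drop the fallback so an empty value trips the guard, or drop the guard and let an empty value fail the build. `Requires(post): policycoreutils-python` correctly stays, since `%post` still runs `semanage fcontext -d`.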
@@ -49,16 +63,25 @@ you need an account in Freenet6 http://gogonet.gogo6.com/page/freenet6-account
%patch2 -p1 -b .gcc_4.6_compile_fix
%patch3 -p1 -b .gogoc_conf_5
%patch4 -p1 -b .lp418176_client_v4
-%patch5 -p1 -b .selinux_fix
%patch6 -p1 -b .kill_radvd
%patch7 -p1
%patch8 -p1
+mkdir SELinux
+cp -p %{SOURCE3} %{SOURCE4} %{SOURCE5} SELinux
%build
CFLAGS="%{optflags}"; export CFLAGS
CXXFLAGS="%{optflags}"; export CXXFLAGS
LDFLAGS="%{__global_ldflags}"; export LDFLAGS
make -j1 all
+cd SELinux
+for selinuxvariant in %{selinux_variants}
+do
+ make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile
+ mv %{modulename}.pp %{modulename}.pp.${selinuxvariant}
+ make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile clean
+done
+cd -
%install
make installdir=%{buildroot}%{_prefix} install
@@ -79,6 +102,7 @@ touch %{buildroot}%{_sharedstatedir}/%{name}/gogockeys.pub
touch %{buildroot}%{_sharedstatedir}/%{name}/tsp-last-server.txt
touch %{buildroot}%{_sharedstatedir}/%{name}/tsp-broker-list.txt
touch %{buildroot}%{_localstatedir}/run/%{name}/%{name}-rtadvd.conf
+touch %{buildroot}%{_localstatedir}/run/%{name}/radvd.pid
# Remove unneeded files
rm -f %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf.sample
rm -rf %{buildroot}%{_datadir}/%{name}
@@ -87,23 +111,48 @@ chmod 0640 %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf
# Tmpfiles
mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d
install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/tmpfiles.d/%{name}.conf
+# SELinux policy
+cd SELinux
+for selinuxvariant in %{selinux_variants}
+do
+ install -d %{buildroot}%{_datadir}/selinux/${selinuxvariant}
+ install -p -m 644 %{modulename}.pp.${selinuxvariant} \
+ %{buildroot}%{_datadir}/selinux/${selinuxvariant}/%{modulename}.pp
+done
+cd -
+/usr/sbin/hardlink -cv %{buildroot}%{_datadir}/selinux
%post
-semanage fcontext -a -t radvd_etc_t '%{_localstatedir}/run/%{name}/%{name}-rtadvd.conf' 2>/dev/null || :
%systemd_post %{name}.service
+# Remove old SELinux file context
+semanage fcontext -d -t radvd_etc_t '%{_localstatedir}/run/%{name}/%{name}-rtadvd.conf' 2>/dev/null || :
+
+# Install SELinux policy
+for selinuxvariant in %{selinux_variants}
+do
+ /usr/sbin/semodule -s ${selinuxvariant} -i \
+ %{_datadir}/selinux/${selinuxvariant}/%{modulename}.pp &> /dev/null || :
+done
+/sbin/fixfiles -R %{name} restore || :
+
%preun
%systemd_preun %{name}.service
%postun
%systemd_postun_with_restart %{name}.service
-if [ $1 -eq 0 ] ; then # final removal
- semanage fcontext -d -t radvd_etc_t '%{_localstatedir}/run/%{name}/%{name}-rtadvd.conf' 2>/dev/null || :
+
+# Remove SELinux policy
+if [ $1 -eq 0 ] ; then
+ for selinuxvariant in %{selinux_variants}
+ do
+ /usr/sbin/semodule -s ${selinuxvariant} -r %{modulename} &> /dev/null || :
+ done
fi
%files
-%doc CLIENT-LICENSE.TXT README
+%doc CLIENT-LICENSE.TXT README SELinux/*
%{_mandir}/man5/%{name}.conf.5.gz
%{_mandir}/man8/%{name}.8.gz
%config(noreplace) %{_sysconfdir}/%{name}
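Review bot: The `semodule -i` loop in `%post` sends both stdout and stderr to `/dev/null` before `|| :`, so a genuine load failure (an interface missing at the installed policy version, a store that does not exist) is indistinguishable from success, and with `permissive gogoc_t` in the module the daemon behaves identically either way; the only symptom would be `/usr/bin/gogoc` staying `bin_t`. Let stderr through so the failure at least lands in the transaction output: `/usr/sbin/semodule -s ${selinuxvariant} -i %{_datadir}/selinux/${selinuxvariant}/%{modulename}.pp >/dev/null || :`. The scriptlet ordering itself looks right: on upgrade the old package's `%systemd_postun_with_restart` runs after the new `%post` has loaded the module and relabelled, so the restarted daemon lands in gogoc_t.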
@@ -114,11 +163,17 @@ fi
%ghost %{_sharedstatedir}/%{name}/tsp-broker-list.txt
%dir %{_localstatedir}/run/%{name}
%ghost %{_localstatedir}/run/%{name}/%{name}-rtadvd.conf
+%ghost %{_localstatedir}/run/%{name}/radvd.pid
%dir %{_localstatedir}/log/%{name}
%{_bindir}/%{name}
%{_unitdir}/%{name}.service
+%{_datadir}/selinux/*/%{modulename}.pp
%changelog
+* Tue Aug 13 2013 Juan Orti Alcaine <jorti at fedoraproject.org> - 1.2-27
+- Add SELinux policy
+- Use PID file and systemctl to stop radvd
+
* Fri Jul 12 2013 Juan Orti Alcaine <jorti at fedoraproject.org> - 1.2-26
- Adjust output scraping to match current ifconfig. Closes bug #983052,
thanks to Frank Dana
diff --git a/gogoc.te b/gogoc.te
new file mode 100644
index 0000000..a358728
--- /dev/null
+++ b/gogoc.te
@@ -0,0 +1,101 @@
+policy_module(gogoc, 1.0.0)
+
+require {
+ type gogoc_t;
+ type proc_net_t;
+ type unreserved_port_t;
+ type radvd_exec_t;
+ type radvd_var_run_t;
+ class capability { net_admin net_raw setuid kill setgid };
+ class tun_socket create;
+ class process signal;
+ class file { execute read open getattr execute_no_trans write lock create unlink};
+ class dir { write remove_name search add_name };
+ class rawip_socket { ioctl create setopt };
+}
+
+########################################
+#
+# Declarations
+#
+
+type gogoc_t;
+type gogoc_exec_t;
+init_daemon_domain(gogoc_t, gogoc_exec_t)
+
+permissive gogoc_t;
+
+type gogoc_log_t;
+logging_log_file(gogoc_log_t)
+
+type gogoc_tmp_t;
+files_tmp_file(gogoc_tmp_t)
+
+type gogoc_var_lib_t;
+files_type(gogoc_var_lib_t)
+
+type gogoc_var_run_t;
+files_pid_file(gogoc_var_run_t)
+
+type gogoc_unit_file_t;
+systemd_unit_file(gogoc_unit_file_t)
+
+########################################
+#
+# gogoc local policy
+#
+allow gogoc_t self:process { fork signal };
+allow gogoc_t self:fifo_file rw_fifo_file_perms;
+allow gogoc_t self:unix_stream_socket create_stream_socket_perms;
+allow gogoc_t self:capability { net_admin net_raw setuid kill setgid };
+allow gogoc_t self:rawip_socket { ioctl create setopt };
+allow gogoc_t self:tun_socket create;
+allow gogoc_t self:tcp_socket create_stream_socket_perms;
+allow gogoc_t proc_net_t:file { read getattr open };
+allow gogoc_t unreserved_port_t:tcp_socket name_connect;
+allow gogoc_t radvd_exec_t:file { read execute open execute_no_trans };
+
+manage_dirs_pattern(gogoc_t, gogoc_log_t, gogoc_log_t)
+manage_files_pattern(gogoc_t, gogoc_log_t, gogoc_log_t)
+manage_lnk_files_pattern(gogoc_t, gogoc_log_t, gogoc_log_t)
+logging_log_filetrans(gogoc_t, gogoc_log_t, { dir file lnk_file })
+
+manage_dirs_pattern(gogoc_t, gogoc_tmp_t, gogoc_tmp_t)
+manage_files_pattern(gogoc_t, gogoc_tmp_t, gogoc_tmp_t)
+manage_lnk_files_pattern(gogoc_t, gogoc_tmp_t, gogoc_tmp_t)
+files_tmp_filetrans(gogoc_t, gogoc_tmp_t, { dir file lnk_file })
+
+manage_dirs_pattern(gogoc_t, gogoc_var_lib_t, gogoc_var_lib_t)
+manage_files_pattern(gogoc_t, gogoc_var_lib_t, gogoc_var_lib_t)
+manage_lnk_files_pattern(gogoc_t, gogoc_var_lib_t, gogoc_var_lib_t)
+files_var_lib_filetrans(gogoc_t, gogoc_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(gogoc_t, gogoc_var_run_t, gogoc_var_run_t)
+manage_files_pattern(gogoc_t, gogoc_var_run_t, gogoc_var_run_t)
+manage_lnk_files_pattern(gogoc_t, gogoc_var_run_t, gogoc_var_run_t)
+files_pid_filetrans(gogoc_t, gogoc_var_run_t, { dir file lnk_file })
+
+corenet_all_recvfrom_unlabeled(gogoc_t)
+corenet_rw_tun_tap_dev(gogoc_t)
+corenet_tcp_sendrecv_generic_if(gogoc_t)
+corenet_tcp_sendrecv_generic_node(gogoc_t)
+corenet_tcp_sendrecv_all_ports(gogoc_t)
+domain_use_interactive_fds(gogoc_t)
+files_read_etc_files(gogoc_t)
+logging_send_syslog_msg(gogoc_t)
+miscfiles_read_localization(gogoc_t)
+sysnet_dns_name_resolve(gogoc_t)
+auth_read_passwd(gogoc_t)
+auth_use_nsswitch(gogoc_t)
+corecmd_exec_shell(gogoc_t)
+corecmd_bin_entry_type(gogoc_t)
+fs_getattr_tmpfs(gogoc_t)
+kernel_read_system_state(gogoc_t)
+kernel_read_unix_sysctls(gogoc_t)
+kernel_rw_net_sysctls(gogoc_t)
+kernel_request_load_module(gogoc_t)
+sysnet_exec_ifconfig(gogoc_t)
+dev_read_urand(gogoc_t)
+radvd_admin(gogoc_t, system_r)
+radvd_read_pid_files(gogoc_t)
+systemd_exec_systemctl(gogoc_t)
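Review bot: `allow gogoc_t radvd_exec_t:file { read execute open execute_no_trans }`, together with `corecmd_exec_shell` and `corecmd_bin_entry_type`, runs radvd inside gogoc_t rather than transitioning it into radvd_t, so a radvd started directly by the template (which the `execute_no_trans` rule implies happens) inherits gogoc_t's `net_admin net_raw setuid setgid kill` capabilities and, while `permissive gogoc_t;` stands, no enforcement at all — radvd's own confinement is lost. If radvd.if provides a domain-transition interface (`radvd_domtrans(gogoc_t)` or similar) use that instead, and `radvd_admin(gogoc_t, system_r)` is likewise far broader than the stop/start this client needs; `radvd_systemctl(gogoc_t)` plus signal permissions would do. Once radvd does run as radvd_t it must also read the configuration gogoc writes under `/var/run/gogoc`, now `gogoc_var_run_t` because `%post` deletes the old `radvd_etc_t` context, and nothing in this module grants radvd_t that — either a `gogoc_read_pid_files(radvd_t)` call or a `filetrans_pattern` that labels the generated file `radvd_etc_t` is missing. The raw `require` block allows (`proc_net_t`, `unreserved_port_t`) should become the interface calls `kernel_read_network_state(gogoc_t)` and `corenet_tcp_connect_all_unreserved_ports(gogoc_t)`, and `permissive gogoc_t;` needs a comment saying it is temporary and when it comes out.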