Re: [PATCH 2/2] sepolgen: sort extended rules like normal ones

On Wed, Aug 19, 2020 at 11:07 AM Christian Göttsche
<cgzones@xxxxxxxxxxxxxx> wrote:
>
> Currently:
>
>     #============= sshd_t ==============
>
>     #!!!! This avc is allowed in the current policy
>     #!!!! This av rule may have been overridden by an extended permission av rule
>     allow sshd_t ptmx_t:chr_file ioctl;
>
>     #!!!! This avc is allowed in the current policy
>     #!!!! This av rule may have been overridden by an extended permission av rule
>     allow sshd_t sshd_devpts_t:chr_file ioctl;
>
>     #!!!! This avc is allowed in the current policy
>     #!!!! This av rule may have been overridden by an extended permission av rule
>     allow sshd_t user_devpts_t:chr_file ioctl;
>
>     #============= user_t ==============
>
>     #!!!! This avc is allowed in the current policy
>     #!!!! This av rule may have been overridden by an extended permission av rule
>     allow user_t devtty_t:chr_file ioctl;
>
>     #!!!! This avc is allowed in the current policy
>     #!!!! This av rule may have been overridden by an extended permission av rule
>     allow user_t user_devpts_t:chr_file ioctl;
>     allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
>     allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
>     allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
>     allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
>     allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
>
> Changed:
>
>     #============= sshd_t ==============
>
>     #!!!! This avc is allowed in the current policy
>     #!!!! This av rule may have been overridden by an extended permission av rule
>     allow sshd_t ptmx_t:chr_file ioctl;
>     allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
>
>     #!!!! This avc is allowed in the current policy
>     #!!!! This av rule may have been overridden by an extended permission av rule
>     allow sshd_t sshd_devpts_t:chr_file ioctl;
>     allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
>
>     #!!!! This avc is allowed in the current policy
>     #!!!! This av rule may have been overridden by an extended permission av rule
>     allow sshd_t user_devpts_t:chr_file ioctl;
>     allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
>
>     #============= user_t ==============
>
>     #!!!! This avc is allowed in the current policy
>     #!!!! This av rule may have been overridden by an extended permission av rule
>     allow user_t devtty_t:chr_file ioctl;
>     allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
>
>     #!!!! This avc is allowed in the current policy
>     #!!!! This av rule may have been overridden by an extended permission av rule
>     allow user_t user_devpts_t:chr_file ioctl;
>     allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>

Acked-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
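
The ordering change shown in the quoted commit message can be reproduced with the short sketch below. It is an added illustration, not code from the patch or from sepolgen. It assumes one rule per line, and the names `group_rules` and `render` are hypothetical.

```python
import re

# Constructed sample: a subset of the rules from the quoted message,
# in the "Currently" order (all allow rules first, allowxperm rules last).
SAMPLE = """\
allow sshd_t ptmx_t:chr_file ioctl;
allow sshd_t user_devpts_t:chr_file ioctl;
allow user_t devtty_t:chr_file ioctl;
allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
"""

# kind, source type, target type, object class, permissions
RULE = re.compile(r"^(allow|allowxperm)\s+(\S+)\s+(\S+):(\S+)\s+(.*);$")


def group_rules(text):
    """Order rules by (source, target, class), allow before allowxperm."""
    parsed = []
    for line in text.splitlines():
        line = line.strip()
        m = RULE.match(line)
        if not m:
            continue  # skip blank lines and '#' comment lines
        kind, src, tgt, cls, _perms = m.groups()
        # False sorts before True, so the plain allow rule comes first
        # and its extended-permission rule follows directly after it.
        parsed.append(((src, tgt, cls, kind == "allowxperm"), line))
    return [line for _key, line in sorted(parsed)]


def render(text):
    """Emit the per-source-type header used in the quoted output."""
    out, current = [], None
    for line in group_rules(text):
        src = line.split()[1]
        if src != current:
            out.append("#============= %s ==============" % src)
            current = src
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    print(render(SAMPLE))
```

With rules grouped this way, a reviewer sees each `ioctl` grant next to the command numbers that narrow it, instead of matching them up across the whole output.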



