1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
|
#
# This policy is a temporary fix for the default SELinux "rshim" policy that
# comes with RHEL 9.5. It's be overlaid on top of the default "rshim" policy
# as part of rshim rpm installtion on RHEL 9.5 only.
#
# For future RHEL versions (9.6 or later), it's intended to merge the policy
# here to the official Fedora SELinux rshim policy.
#
module rshim-fix 1.0;
require {
type kernel_t;
type rshim_t;
type sysfs_t;
type tty_device_t;
type tun_tap_device_t;
type userio_device_t;
type var_run_t;
class capability { ipc_lock sys_admin net_admin};
class chr_file { open read write ioctl map };
class dir { write remove_name add_name search };
class file { read write open lock ioctl unlink create map };
class system module_request;
class tun_socket create;
class udp_socket { create ioctl };
}
allow rshim_t kernel_t:system module_request;
allow rshim_t rshim_t:tun_socket create;
allow rshim_t self:capability ipc_lock;
allow rshim_t self:capability net_admin;
allow rshim_t self:capability sys_admin;
allow rshim_t self:udp_socket { create ioctl };
allow rshim_t sysfs_t:file map;
allow rshim_t sysfs_t:file { write open map };
allow rshim_t tty_device_t:chr_file { open read write ioctl map };
allow rshim_t tun_tap_device_t:chr_file { open read write ioctl map };
allow rshim_t userio_device_t:chr_file { open read write ioctl map };
allow rshim_t var_run_t:dir { write remove_name add_name search };
allow rshim_t var_run_t:file { read write open lock ioctl unlink create };
|
