tnmt · December 19, 2017 10:20
diff --git a/stns-query-wrapper.te b/stns-query-wrapper.te
 module stns-query-wrapper 1.0;

 require {
        type bin_t;
        type chkpwd_t;
        type policykit_t;
        type sshd_t;
        type sysctl_net_t;
        type sysfs_t;
        type system_dbusd_t;
        type systemd_logind_t;
        type unreserved_port_t;
        type useradd_t;
        type var_lib_t;
        class capability { sys_ptrace fsetid };
        class capability2 block_suspend;
        class dir search;
        class file { open execute execute_no_trans getattr setattr read write };
        class lnk_file read;
        class tcp_socket name_connect;
 }

 allow chkpwd_t bin_t:file { execute execute_no_trans };
 allow chkpwd_t self:capability2 block_suspend;
 allow chkpwd_t sysctl_net_t:dir search;
 allow chkpwd_t sysctl_net_t:file { open read };
 allow chkpwd_t sysfs_t:file { setattr getattr read open };
 allow chkpwd_t sysfs_t:lnk_file read;
 allow chkpwd_t unreserved_port_t:tcp_socket name_connect;

 allow policykit_t self:capability2 block_suspend;
 allow policykit_t sysctl_net_t:dir search;
 allow policykit_t unreserved_port_t:tcp_socket name_connect;

 allow sshd_t self:capability2 block_suspend;
 allow sshd_t unreserved_port_t:tcp_socket name_connect;
 allow sshd_t var_lib_t:file { setattr getattr open write };

 allow system_dbusd_t self:capability { sys_ptrace fsetid };
 allow system_dbusd_t sysctl_net_t:dir search;
 allow system_dbusd_t sysctl_net_t:file { open read };
 allow system_dbusd_t var_lib_t:file { open setattr };

 allow systemd_logind_t bin_t:file { execute execute_no_trans };
 allow systemd_logind_t sysctl_net_t:dir search;
 allow systemd_logind_t sysctl_net_t:file { open read };
 allow systemd_logind_t unreserved_port_t:tcp_socket name_connect;

 allow useradd_t self:capability2 block_suspend;
 allow useradd_t sysctl_net_t:dir search;
 allow useradd_t unreserved_port_t:tcp_socket name_connect;
	module stns-query-wrapper 1.0;

	require {
	type bin_t;
	type chkpwd_t;
	type policykit_t;
	type sshd_t;
	type sysctl_net_t;
	type sysfs_t;
	type system_dbusd_t;
	type systemd_logind_t;
	type unreserved_port_t;
	type useradd_t;
	type var_lib_t;
	class capability { sys_ptrace fsetid };
	class capability2 block_suspend;
	class dir search;
	class file { open execute execute_no_trans getattr setattr read write };
	class lnk_file read;
	class tcp_socket name_connect;
	}

	allow chkpwd_t bin_t:file { execute execute_no_trans };
	allow chkpwd_t self:capability2 block_suspend;
	allow chkpwd_t sysctl_net_t:dir search;
	allow chkpwd_t sysctl_net_t:file { open read };
	allow chkpwd_t sysfs_t:file { setattr getattr read open };
	allow chkpwd_t sysfs_t:lnk_file read;
	allow chkpwd_t unreserved_port_t:tcp_socket name_connect;

	allow policykit_t self:capability2 block_suspend;
	allow policykit_t sysctl_net_t:dir search;
	allow policykit_t unreserved_port_t:tcp_socket name_connect;

	allow sshd_t self:capability2 block_suspend;
	allow sshd_t unreserved_port_t:tcp_socket name_connect;
	allow sshd_t var_lib_t:file { setattr getattr open write };

	allow system_dbusd_t self:capability { sys_ptrace fsetid };
	allow system_dbusd_t sysctl_net_t:dir search;
	allow system_dbusd_t sysctl_net_t:file { open read };
	allow system_dbusd_t var_lib_t:file { open setattr };

	allow systemd_logind_t bin_t:file { execute execute_no_trans };
	allow systemd_logind_t sysctl_net_t:dir search;
	allow systemd_logind_t sysctl_net_t:file { open read };
	allow systemd_logind_t unreserved_port_t:tcp_socket name_connect;

	allow useradd_t self:capability2 block_suspend;
	allow useradd_t sysctl_net_t:dir search;
	allow useradd_t unreserved_port_t:tcp_socket name_connect;