Debian 12 Gnome DE
This commit is contained in:
nobody43
Alex
parent
0687c32df2
commit
d414083113
34 changed files with 150 additions and 33 deletions
|
|
@ -16,6 +16,8 @@ profile adduser @{exec_path} {
|
|||
capability chown,
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
capability setuid,
|
||||
capability setgid,
|
||||
capability fowner,
|
||||
capability fsetid,
|
||||
|
||||
|
|
@ -40,6 +42,8 @@ profile adduser @{exec_path} {
|
|||
/etc/adduser.conf r,
|
||||
/etc/skel/{,.*} r,
|
||||
|
||||
@{run}/adduser wk,
|
||||
|
||||
# To create user dirs and copy files from /etc/skel/ to them
|
||||
@{HOME}/ rw,
|
||||
@{HOME}/.* w,
|
||||
|
|
|
|||
|
|
@ -18,8 +18,8 @@ profile augenrules @{exec_path} {
|
|||
@{bin}/chmod rix,
|
||||
@{bin}/cmp rix,
|
||||
@{bin}/cp rix,
|
||||
@{bin}/gawk rix,
|
||||
@{bin}/grep rix,
|
||||
@{bin}/{,g,m}awk rix,
|
||||
@{bin}/{,e,f}grep rix,
|
||||
@{bin}/ls rix,
|
||||
@{bin}/mktemp rix,
|
||||
@{bin}/rm rix,
|
||||
|
|
@ -27,9 +27,9 @@ profile augenrules @{exec_path} {
|
|||
/etc/audit/audit.rules rw,
|
||||
/etc/audit/rules.d/{,*} r,
|
||||
|
||||
owner /tmp/aurules.* rw,
|
||||
owner /tmp/aurules.@{rand8} rw,
|
||||
|
||||
/dev/tty rw,
|
||||
|
||||
include if exists <local/augenrules>
|
||||
}
|
||||
}
|
||||
|
|
|
|||
34
apparmor.d/profiles-a-f/chpasswd
Normal file
34
apparmor.d/profiles-a-f/chpasswd
Normal file
|
|
@ -0,0 +1,34 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/chpasswd
|
||||
profile chpasswd @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
capability chown,
|
||||
capability fsetid,
|
||||
capability setuid,
|
||||
|
||||
signal (receive) set=(term, kill) peer=gnome-control-center,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/.pwd.lock wk,
|
||||
/etc/login.defs r,
|
||||
/etc/shadow rw,
|
||||
/etc/shadow.@{int} w,
|
||||
/etc/shadow.lock w, # change to 'd'
|
||||
/etc/shadow.lock l -> /etc/shadow.@{int},
|
||||
/etc/shadow- w,
|
||||
/etc/shadow+ rw,
|
||||
/etc/passwd rw,
|
||||
/etc/passwd.@{int} w,
|
||||
/etc/passwd.lock w, # change to 'd'
|
||||
/etc/passwd.lock l -> /etc/passwd.@{int},
|
||||
|
||||
include if exists <local/chpasswd>
|
||||
}
|
||||
|
|
@ -65,5 +65,7 @@ profile cups-browsed @{exec_path} {
|
|||
|
||||
@{run}/cups/certs/* r,
|
||||
|
||||
@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
|
||||
|
||||
include if exists <local/cups-browsed>
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue