From 006e998287b23cd36a37814a47799168ca43468a Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Fri, 26 May 2006 18:04:46 +0000
Subject: [PATCH] packet updates for kernel, nscd, bind, ntp, spamassassin, and dhcpc

---
 refpolicy/policy/modules/kernel/kernel.te | 4 ++--
 refpolicy/policy/modules/services/bind.te | 7 ++++++-
 refpolicy/policy/modules/services/nscd.te | 9 +++------
 refpolicy/policy/modules/services/ntp.te | 8 ++++----
 refpolicy/policy/modules/services/spamassassin.te | 9 ++++-----
 refpolicy/policy/modules/system/sysnetwork.te | 5 +++--
 6 files changed, 22 insertions(+), 20 deletions(-)

diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 41bbc8d7..04de8221 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
-policy_module(kernel,1.3.7)
+policy_module(kernel,1.3.8)
 
 ########################################
 #
@@ -201,12 +201,12 @@ corenet_non_ipsec_sendrecv(kernel_t)
 corenet_raw_sendrecv_all_if(kernel_t)
 corenet_raw_sendrecv_all_nodes(kernel_t)
 corenet_raw_send_generic_if(kernel_t)
- # Kernel-generated traffic e.g., TCP resets:
 corenet_tcp_sendrecv_all_if(kernel_t)
 corenet_tcp_sendrecv_all_nodes(kernel_t)
 corenet_raw_send_generic_node(kernel_t)
 corenet_raw_send_multicast_node(kernel_t)
+corenet_send_all_packets(kernel_t)
 
 dev_read_sysfs(kernel_t)
 dev_search_usbfs(kernel_t)
diff --git a/refpolicy/policy/modules/services/bind.te b/refpolicy/policy/modules/services/bind.te
index 15cd2e7c..a31e9567 100644
--- a/refpolicy/policy/modules/services/bind.te
+++ b/refpolicy/policy/modules/services/bind.te
@@ -1,5 +1,5 @@
-policy_module(bind,1.1.4)
+policy_module(bind,1.1.5)
 
 ########################################
 #
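Review bot: The removed line `# Kernel-generated traffic e.g., TCP resets:` was the only explanation in this block for why kernel_t needs the TCP send/receive rules, and the new `corenet_send_all_packets(kernel_t)` — which, going by its name, covers every packet type in the send direction — arrives with no rationale at all. Suggest keeping a why-comment above the new line, e.g. `# Kernel-generated traffic e.g., TCP resets: the kernel may originate any packet type`, so a later reader can tell this broad grant is intentional rather than a catch-all. The grant is send-only here while the other modules in this patch use sendrecv rules; if that asymmetry is deliberate it is worth saying so in the same comment.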
@@ -112,6 +112,10 @@ corenet_tcp_bind_dns_port(named_t)
 corenet_udp_bind_dns_port(named_t)
 corenet_tcp_bind_rndc_port(named_t)
 corenet_tcp_connect_all_ports(named_t)
+corenet_sendrecv_dns_server_packets(named_t)
+corenet_sendrecv_dns_client_packets(named_t)
+corenet_sendrecv_rndc_server_packets(named_t)
+corenet_sendrecv_rndc_client_packets(named_t)
 
 dev_read_sysfs(named_t)
 dev_read_rand(named_t)
@@ -244,6 +248,7 @@ corenet_tcp_sendrecv_all_if(ndc_t)
 corenet_tcp_sendrecv_all_nodes(ndc_t)
 corenet_tcp_sendrecv_all_ports(ndc_t)
 corenet_tcp_connect_rndc_port(ndc_t)
+corenet_sendrecv_rndc_client_packets(ndc_t)
 
 fs_getattr_xattr_fs(ndc_t)
diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te
index 451302d6..06663c45 100644
--- a/refpolicy/policy/modules/services/nscd.te
+++ b/refpolicy/policy/modules/services/nscd.te
@@ -1,5 +1,5 @@
-policy_module(nscd,1.2.2)
+policy_module(nscd,1.2.3)
 
 gen_require(`
 class nscd all_nscd_perms;
@@ -68,17 +68,13 @@ term_dontaudit_use_console(nscd_t)
 # for when /etc/passwd has just been updated and has the wrong type
 auth_getattr_shadow(nscd_t)
 
+corenet_non_ipsec_sendrecv(nscd_t)
 corenet_tcp_sendrecv_all_if(nscd_t)
 corenet_udp_sendrecv_all_if(nscd_t)
-corenet_raw_sendrecv_all_if(nscd_t)
 corenet_tcp_sendrecv_all_nodes(nscd_t)
 corenet_udp_sendrecv_all_nodes(nscd_t)
-corenet_raw_sendrecv_all_nodes(nscd_t)
 corenet_tcp_sendrecv_all_ports(nscd_t)
 corenet_udp_sendrecv_all_ports(nscd_t)
-corenet_non_ipsec_sendrecv(nscd_t)
-corenet_tcp_bind_all_nodes(nscd_t)
-corenet_udp_bind_all_nodes(nscd_t)
 corenet_tcp_connect_all_ports(nscd_t)
 corenet_rw_tun_tap_dev(nscd_t)
 
@@ -108,6 +104,7 @@ seutil_read_config(nscd_t)
 seutil_read_default_contexts(nscd_t)
 seutil_sigchld_newrole(nscd_t)
 
+sysnet_dns_name_resolve(nscd_t)
 sysnet_read_config(nscd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(nscd_t)
diff --git a/refpolicy/policy/modules/services/ntp.te b/refpolicy/policy/modules/services/ntp.te
index b29010e2..8f8ab87e 100644
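Review bot: The packet rules added for named_t cover only the dns and rndc packet types, while the retained context line `corenet_tcp_connect_all_ports(named_t)` directly above them still allows outbound connections to any port; once packet labeling is enforced those two grants disagree — either the connect rule is wider than the packet set and could be narrowed, or the packet set is incomplete and other outbound traffic will be denied at the packet level. A short comment stating which is intended, e.g. `# packet labels limited to dns/rndc; connect_all_ports kept for <reason>`, would settle it. The same mismatch appears in the dhcpc hunk of sysnetwork.te, where `corenet_sendrecv_dhcpd_client_packets(dhcpc_t)` is added next to a retained `corenet_tcp_connect_all_ports(dhcpc_t)`.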
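Review bot: Dropping `corenet_tcp_bind_all_nodes(nscd_t)` and `corenet_udp_bind_all_nodes(nscd_t)` removes the only bind rules visible in this hunk, and the later hunk in nscd.te relies on `sysnet_dns_name_resolve(nscd_t)` for resolver traffic; the spamassassin hunk in this same patch notes that a resolver library `binds to random ports >= 1024`, so it is worth confirming that lookups issued by nscd do not need an ephemeral-port bind before this tightening is merged. If it was verified with the resolver in use, a one-line comment such as `# no bind needed: resolver access comes via sysnet_dns_name_resolve` would spare the next reader the same check. The raw-socket removals here, and the matching ones in the ntp.te and spamassassin.te hunks, read as straightforward least-privilege cleanup.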
--- a/refpolicy/policy/modules/services/ntp.te
+++ b/refpolicy/policy/modules/services/ntp.te
@@ -1,5 +1,5 @@
-policy_module(ntp,1.1.0)
+policy_module(ntp,1.1.1)
 
 ########################################
 #
@@ -63,19 +63,19 @@ files_pid_filetrans(ntpd_t,ntpd_var_run_t,file)
 kernel_read_kernel_sysctls(ntpd_t)
 kernel_read_system_state(ntpd_t)
 
+corenet_non_ipsec_sendrecv(ntpd_t)
 corenet_tcp_sendrecv_all_if(ntpd_t)
 corenet_udp_sendrecv_all_if(ntpd_t)
-corenet_raw_sendrecv_all_if(ntpd_t)
 corenet_tcp_sendrecv_all_nodes(ntpd_t)
 corenet_udp_sendrecv_all_nodes(ntpd_t)
-corenet_raw_sendrecv_all_nodes(ntpd_t)
 corenet_tcp_sendrecv_all_ports(ntpd_t)
 corenet_udp_sendrecv_all_ports(ntpd_t)
-corenet_non_ipsec_sendrecv(ntpd_t)
 corenet_tcp_bind_all_nodes(ntpd_t)
 corenet_udp_bind_all_nodes(ntpd_t)
 corenet_udp_bind_ntp_port(ntpd_t)
 corenet_tcp_connect_ntp_port(ntpd_t)
+corenet_sendrecv_ntp_server_packets(ntpd_t)
+corenet_sendrecv_ntp_client_packets(ntpd_t)
 
 dev_read_sysfs(ntpd_t)
 # for SSP
diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te
index 0da5225b..7f396eec 100644
--- a/refpolicy/policy/modules/services/spamassassin.te
+++ b/refpolicy/policy/modules/services/spamassassin.te
@@ -1,5 +1,5 @@
-policy_module(spamassassin,1.3.6)
+policy_module(spamassassin,1.3.7)
 
 ########################################
 #
@@ -61,24 +61,22 @@ kernel_read_all_sysctls(spamd_t)
 kernel_read_system_state(spamd_t)
 kernel_tcp_recvfrom(spamd_t)
 
+corenet_non_ipsec_sendrecv(spamd_t)
 corenet_tcp_sendrecv_all_if(spamd_t)
 corenet_udp_sendrecv_all_if(spamd_t)
-corenet_raw_sendrecv_all_if(spamd_t)
 corenet_tcp_sendrecv_all_nodes(spamd_t)
 corenet_udp_sendrecv_all_nodes(spamd_t)
-corenet_raw_sendrecv_all_nodes(spamd_t)
 corenet_tcp_sendrecv_all_ports(spamd_t)
 corenet_udp_sendrecv_all_ports(spamd_t)
-corenet_non_ipsec_sendrecv(spamd_t)
 corenet_tcp_bind_all_nodes(spamd_t)
 corenet_udp_bind_all_nodes(spamd_t)
 corenet_tcp_bind_spamd_port(spamd_t)
+corenet_tcp_connect_razor_port(spamd_t)
 # spamassassin 3.1 needs this for its
 # DnsResolver.pm module which binds to
 # random ports >= 1024.
 corenet_udp_bind_generic_port(spamd_t)
 corenet_udp_bind_imaze_port(spamd_t)
-corenet_tcp_connect_razor_port(spamd_t)
 
 dev_read_sysfs(spamd_t)
 dev_read_urand(spamd_t)
@@ -114,6 +112,7 @@ miscfiles_read_localization(spamd_t)
 
 sysnet_read_config(spamd_t)
 sysnet_use_ldap(spamd_t)
+sysnet_dns_name_resolve(spamd_t)
 
 userdom_use_unpriv_users_fds(spamd_t)
 userdom_search_unpriv_users_home_dirs(spamd_t)
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 5a0ba14c..42411bb8 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -1,5 +1,5 @@
-policy_module(sysnetwork,1.1.5)
+policy_module(sysnetwork,1.1.6)
 
 ########################################
 #
@@ -91,6 +91,7 @@ kernel_read_network_state(dhcpc_t)
 kernel_read_kernel_sysctls(dhcpc_t)
 kernel_use_fds(dhcpc_t)
 
+corenet_non_ipsec_sendrecv(dhcpc_t)
 corenet_tcp_sendrecv_all_if(dhcpc_t)
 corenet_raw_sendrecv_all_if(dhcpc_t)
 corenet_udp_sendrecv_all_if(dhcpc_t)
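Review bot: No `corenet_sendrecv_*_packets` rule is added for spamd_t, although the commit title lists spamassassin among the packet updates and the retained context line `corenet_tcp_bind_spamd_port(spamd_t)` shows the daemon serves its own port; next to the bind, ntp and dhcpc hunks this looks incomplete rather than deliberate. If no spamd packet type is defined yet, a comment beside the bind line such as `# no spamd packet type defined yet` would make that explicit; otherwise the matching server-packet rule belongs alongside the moved `corenet_tcp_connect_razor_port(spamd_t)`. Moving the razor connect rule above the DnsResolver.pm comment is fine, since that comment only describes the generic-port bind that follows it.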
@@ -99,11 +100,11 @@ corenet_raw_sendrecv_all_nodes(dhcpc_t)
 corenet_udp_sendrecv_all_nodes(dhcpc_t)
 corenet_tcp_sendrecv_all_ports(dhcpc_t)
 corenet_udp_sendrecv_all_ports(dhcpc_t)
-corenet_non_ipsec_sendrecv(dhcpc_t)
 corenet_tcp_bind_all_nodes(dhcpc_t)
 corenet_udp_bind_all_nodes(dhcpc_t)
 corenet_udp_bind_dhcpc_port(dhcpc_t)
 corenet_tcp_connect_all_ports(dhcpc_t)
+corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
 
 dev_read_sysfs(dhcpc_t)
 # for SSP: