packets for services
This commit is contained in:
Chris PeBenito
parent
9d0c9b3ed5
commit
141cffdd83
@ -200,6 +200,8 @@ template(`apache_content_template',`
|
||||
corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
|
||||
corenet_tcp_connect_postgresql_port(httpd_$1_script_t)
|
||||
corenet_tcp_connect_mysqld_port(httpd_$1_script_t)
|
||||
corenet_sendrecv_postgresql_client_packets(httpd_$1_script_t)
|
||||
corenet_sendrecv_mysqld_client_packets(httpd_$1_script_t)
|
||||
|
||||
sysnet_read_config(httpd_$1_script_t)
|
||||
')
|
||||
@ -216,6 +218,7 @@ template(`apache_content_template',`
|
||||
corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
|
||||
corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
|
||||
corenet_tcp_connect_all_ports(httpd_$1_script_t)
|
||||
corenet_sendrecv_all_client_packets(httpd_$1_script_t)
|
||||
|
||||
sysnet_read_config(httpd_$1_script_t)
|
||||
')
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(apache,1.3.11)
|
||||
policy_module(apache,1.3.12)
|
||||
|
||||
#
|
||||
# NOTES:
|
||||
@ -301,6 +301,8 @@ tunable_policy(`httpd_can_network_connect_db',`
|
||||
# allow httpd to connect to mysql/posgresql
|
||||
corenet_tcp_connect_postgresql_port(httpd_t)
|
||||
corenet_tcp_connect_mysqld_port(httpd_t)
|
||||
corenet_sendrecv_postgresql_client_packets(httpd_t)
|
||||
corenet_sendrecv_mysqld_client_packets(httpd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_can_network_relay',`
|
||||
@ -309,6 +311,10 @@ tunable_policy(`httpd_can_network_relay',`
|
||||
corenet_tcp_connect_ftp_port(httpd_t)
|
||||
corenet_tcp_connect_http_port(httpd_t)
|
||||
corenet_tcp_connect_http_cache_port(httpd_t)
|
||||
corenet_sendrecv_gopher_client_packets(httpd_t)
|
||||
corenet_sendrecv_ftp_client_packets(httpd_t)
|
||||
corenet_sendrecv_http_client_packets(httpd_t)
|
||||
corenet_sendrecv_http_cache_client_packets(httpd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_cgi',`
|
||||
@ -573,6 +579,7 @@ tunable_policy(`httpd_can_network_connect',`
|
||||
corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
|
||||
corenet_udp_sendrecv_all_ports(httpd_suexec_t)
|
||||
corenet_tcp_connect_all_ports(httpd_suexec_t)
|
||||
corenet_sendrecv_all_client_packets(httpd_suexec_t)
|
||||
|
||||
sysnet_read_config(httpd_suexec_t)
|
||||
')
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(asterisk,1.0.1)
|
||||
policy_module(asterisk,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -97,9 +97,11 @@ corenet_tcp_bind_all_nodes(asterisk_t)
|
||||
corenet_udp_bind_all_nodes(asterisk_t)
|
||||
corenet_tcp_bind_asterisk_port(asterisk_t)
|
||||
corenet_udp_bind_asterisk_port(asterisk_t)
|
||||
corenet_sendrecv_asterisk_server_packets(asterisk_t)
|
||||
# for VOIP voice channels.
|
||||
corenet_tcp_bind_generic_port(asterisk_t)
|
||||
corenet_udp_bind_generic_port(asterisk_t)
|
||||
corenet_sendrecv_generic_server_packets(asterisk_t)
|
||||
|
||||
dev_read_sysfs(asterisk_t)
|
||||
dev_read_sound(asterisk_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(bluetooth,1.2.5)
|
||||
policy_module(bluetooth,1.2.6)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -87,6 +87,7 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
|
||||
kernel_read_kernel_sysctls(bluetooth_t)
|
||||
kernel_read_system_state(bluetooth_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(bluetooth_t)
|
||||
corenet_tcp_sendrecv_all_if(bluetooth_t)
|
||||
corenet_udp_sendrecv_all_if(bluetooth_t)
|
||||
corenet_raw_sendrecv_all_if(bluetooth_t)
|
||||
@ -95,9 +96,6 @@ corenet_udp_sendrecv_all_nodes(bluetooth_t)
|
||||
corenet_raw_sendrecv_all_nodes(bluetooth_t)
|
||||
corenet_tcp_sendrecv_all_ports(bluetooth_t)
|
||||
corenet_udp_sendrecv_all_ports(bluetooth_t)
|
||||
corenet_non_ipsec_sendrecv(bluetooth_t)
|
||||
corenet_tcp_bind_all_nodes(bluetooth_t)
|
||||
corenet_udp_bind_all_nodes(bluetooth_t)
|
||||
|
||||
dev_read_sysfs(bluetooth_t)
|
||||
dev_rw_usbfs(bluetooth_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(canna,1.2.1)
|
||||
policy_module(canna,1.2.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -52,8 +52,8 @@ corenet_non_ipsec_sendrecv(canna_t)
|
||||
corenet_tcp_sendrecv_all_if(canna_t)
|
||||
corenet_tcp_sendrecv_all_nodes(canna_t)
|
||||
corenet_tcp_sendrecv_all_ports(canna_t)
|
||||
corenet_tcp_bind_all_nodes(canna_t)
|
||||
corenet_tcp_connect_all_ports(canna_t)
|
||||
corenet_sendrecv_all_client_packets(canna_t)
|
||||
|
||||
dev_read_sysfs(canna_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(cipe,1.0.1)
|
||||
policy_module(cipe,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -37,6 +37,7 @@ corenet_udp_sendrecv_all_ports(ciped_t)
|
||||
corenet_udp_bind_all_nodes(ciped_t)
|
||||
# cipe uses the afs3-bos port (udp 7007)
|
||||
corenet_udp_bind_afs_bos_port(ciped_t)
|
||||
corenet_sendrecv_afs_bos_server_packets(ciped_t)
|
||||
|
||||
dev_read_sysfs(ciped_t)
|
||||
dev_read_rand(ciped_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(clamav,1.0.1)
|
||||
policy_module(clamav,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -100,8 +100,9 @@ corenet_tcp_sendrecv_all_if(clamd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(clamd_t)
|
||||
corenet_tcp_sendrecv_all_ports(clamd_t)
|
||||
corenet_tcp_sendrecv_clamd_port(clamd_t)
|
||||
corenet_tcp_bind_clamd_port(clamd_t)
|
||||
corenet_tcp_bind_all_nodes(clamd_t)
|
||||
corenet_tcp_bind_clamd_port(clamd_t)
|
||||
corenet_sendrecv_clamd_server_packets(clamd_t)
|
||||
|
||||
dev_read_rand(clamd_t)
|
||||
dev_read_urand(clamd_t)
|
||||
@ -171,6 +172,7 @@ corenet_tcp_sendrecv_all_nodes(freshclam_t)
|
||||
corenet_tcp_sendrecv_all_ports(freshclam_t)
|
||||
corenet_tcp_sendrecv_clamd_port(freshclam_t)
|
||||
corenet_tcp_connect_http_port(freshclam_t)
|
||||
corenet_sendrecv_http_client_packets(freshclam_t)
|
||||
|
||||
dev_read_rand(freshclam_t)
|
||||
dev_read_urand(freshclam_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(clockspeed,1.0.0)
|
||||
policy_module(clockspeed,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -32,6 +32,7 @@ corenet_non_ipsec_sendrecv(clockspeed_cli_t)
|
||||
corenet_udp_sendrecv_generic_if(clockspeed_cli_t)
|
||||
corenet_udp_sendrecv_generic_node(clockspeed_cli_t)
|
||||
corenet_udp_sendrecv_ntp_port(clockspeed_cli_t)
|
||||
corenet_sendrecv_ntp_client_packets(clockspeed_cli_t)
|
||||
|
||||
files_list_var_lib(clockspeed_cli_t)
|
||||
files_read_etc_files(clockspeed_cli_t)
|
||||
@ -59,8 +60,9 @@ corenet_non_ipsec_sendrecv(clockspeed_srv_t)
|
||||
corenet_udp_sendrecv_generic_if(clockspeed_srv_t)
|
||||
corenet_udp_sendrecv_generic_node(clockspeed_srv_t)
|
||||
corenet_udp_sendrecv_ntp_port(clockspeed_srv_t)
|
||||
corenet_udp_bind_inaddr_any_node(clockspeed_srv_t)
|
||||
corenet_udp_bind_all_nodes(clockspeed_srv_t)
|
||||
corenet_udp_bind_clockspeed_port(clockspeed_srv_t)
|
||||
corenet_sendrecv_clockspeed_server_packets(clockspeed_srv_t)
|
||||
|
||||
files_read_etc_files(clockspeed_srv_t)
|
||||
files_list_var_lib(clockspeed_srv_t)
|
||||
|
||||
@ -56,8 +56,6 @@ template(`courier_domain_template',`
|
||||
corenet_udp_sendrecv_all_nodes(courier_$1_t)
|
||||
corenet_tcp_sendrecv_all_ports(courier_$1_t)
|
||||
corenet_udp_sendrecv_all_ports(courier_$1_t)
|
||||
corenet_tcp_bind_all_nodes(courier_$1_t)
|
||||
corenet_udp_bind_all_nodes(courier_$1_t)
|
||||
|
||||
dev_read_sysfs(courier_$1_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(courier,1.0.1)
|
||||
policy_module(courier,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -119,7 +119,9 @@ files_search_var_lib(courier_tcpd_t)
|
||||
|
||||
corecmd_search_sbin(courier_tcpd_t)
|
||||
|
||||
corenet_tcp_bind_all_nodes(courier_tcpd_t)
|
||||
corenet_tcp_bind_pop_port(courier_tcpd_t)
|
||||
corenet_sendrecv_pop_server_packets(courier_tcpd_t)
|
||||
|
||||
# for TLS
|
||||
dev_read_rand(courier_tcpd_t)
|
||||
|
||||
@ -91,18 +91,15 @@ template(`cron_per_userdomain_template',`
|
||||
# ps does not need to access /boot when run from cron
|
||||
files_dontaudit_search_boot($1_crond_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv($1_crond_t)
|
||||
corenet_tcp_sendrecv_all_if($1_crond_t)
|
||||
corenet_raw_sendrecv_all_if($1_crond_t)
|
||||
corenet_udp_sendrecv_all_if($1_crond_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_crond_t)
|
||||
corenet_raw_sendrecv_all_nodes($1_crond_t)
|
||||
corenet_udp_sendrecv_all_nodes($1_crond_t)
|
||||
corenet_tcp_sendrecv_all_ports($1_crond_t)
|
||||
corenet_udp_sendrecv_all_ports($1_crond_t)
|
||||
corenet_non_ipsec_sendrecv($1_crond_t)
|
||||
corenet_tcp_bind_all_nodes($1_crond_t)
|
||||
corenet_udp_bind_all_nodes($1_crond_t)
|
||||
corenet_tcp_connect_all_ports($1_crond_t)
|
||||
corenet_sendrecv_all_client_packets($1_crond_t)
|
||||
|
||||
dev_read_urand($1_crond_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(cron,1.3.6)
|
||||
policy_module(cron,1.3.7)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(cvs,1.2.0)
|
||||
policy_module(cvs,1.2.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -48,17 +48,13 @@ kernel_read_kernel_sysctls(cvs_t)
|
||||
kernel_read_system_state(cvs_t)
|
||||
kernel_read_network_state(cvs_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(cvs_t)
|
||||
corenet_tcp_sendrecv_all_if(cvs_t)
|
||||
corenet_udp_sendrecv_all_if(cvs_t)
|
||||
corenet_raw_sendrecv_all_if(cvs_t)
|
||||
corenet_tcp_sendrecv_all_nodes(cvs_t)
|
||||
corenet_udp_sendrecv_all_nodes(cvs_t)
|
||||
corenet_raw_sendrecv_all_nodes(cvs_t)
|
||||
corenet_tcp_sendrecv_all_ports(cvs_t)
|
||||
corenet_udp_sendrecv_all_ports(cvs_t)
|
||||
corenet_non_ipsec_sendrecv(cvs_t)
|
||||
corenet_tcp_bind_all_nodes(cvs_t)
|
||||
corenet_udp_bind_all_nodes(cvs_t)
|
||||
|
||||
dev_read_urand(cvs_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(cyrus,1.1.1)
|
||||
policy_module(cyrus,1.1.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -59,20 +59,20 @@ kernel_read_kernel_sysctls(cyrus_t)
|
||||
kernel_read_system_state(cyrus_t)
|
||||
kernel_read_all_sysctls(cyrus_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(cyrus_t)
|
||||
corenet_tcp_sendrecv_all_if(cyrus_t)
|
||||
corenet_udp_sendrecv_all_if(cyrus_t)
|
||||
corenet_raw_sendrecv_all_if(cyrus_t)
|
||||
corenet_tcp_sendrecv_all_nodes(cyrus_t)
|
||||
corenet_udp_sendrecv_all_nodes(cyrus_t)
|
||||
corenet_raw_sendrecv_all_nodes(cyrus_t)
|
||||
corenet_tcp_sendrecv_all_ports(cyrus_t)
|
||||
corenet_udp_sendrecv_all_ports(cyrus_t)
|
||||
corenet_non_ipsec_sendrecv(cyrus_t)
|
||||
corenet_tcp_bind_all_nodes(cyrus_t)
|
||||
corenet_udp_bind_all_nodes(cyrus_t)
|
||||
corenet_tcp_bind_mail_port(cyrus_t)
|
||||
corenet_tcp_bind_pop_port(cyrus_t)
|
||||
corenet_tcp_connect_all_ports(cyrus_t)
|
||||
corenet_sendrecv_mail_server_packets(cyrus_t)
|
||||
corenet_sendrecv_pop_server_packets(cyrus_t)
|
||||
corenet_sendrecv_all_client_packets(cyrus_t)
|
||||
|
||||
dev_read_rand(cyrus_t)
|
||||
dev_read_urand(cyrus_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(dante,1.0.0)
|
||||
policy_module(dante,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -39,17 +39,14 @@ kernel_read_kernel_sysctls(dante_t)
|
||||
kernel_list_proc(dante_t)
|
||||
kernel_read_proc_symlinks(dante_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(dante_t)
|
||||
corenet_tcp_sendrecv_generic_if(dante_t)
|
||||
corenet_udp_sendrecv_generic_if(dante_t)
|
||||
corenet_raw_sendrecv_generic_if(dante_t)
|
||||
corenet_tcp_sendrecv_all_nodes(dante_t)
|
||||
corenet_udp_sendrecv_all_nodes(dante_t)
|
||||
corenet_raw_sendrecv_all_nodes(dante_t)
|
||||
corenet_tcp_sendrecv_all_ports(dante_t)
|
||||
corenet_udp_sendrecv_all_ports(dante_t)
|
||||
corenet_non_ipsec_sendrecv(dante_t)
|
||||
corenet_tcp_bind_all_nodes(dante_t)
|
||||
corenet_udp_bind_all_nodes(dante_t)
|
||||
#TODO: no portcons for this type
|
||||
#allow dante_t socks_port_t:tcp_socket name_bind;
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(dbskk,1.1.0)
|
||||
policy_module(dbskk,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -49,17 +49,13 @@ kernel_read_kernel_sysctls(dbskkd_t)
|
||||
kernel_read_system_state(dbskkd_t)
|
||||
kernel_read_network_state(dbskkd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(dbskkd_t)
|
||||
corenet_tcp_sendrecv_all_if(dbskkd_t)
|
||||
corenet_udp_sendrecv_all_if(dbskkd_t)
|
||||
corenet_raw_sendrecv_all_if(dbskkd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(dbskkd_t)
|
||||
corenet_udp_sendrecv_all_nodes(dbskkd_t)
|
||||
corenet_raw_sendrecv_all_nodes(dbskkd_t)
|
||||
corenet_tcp_sendrecv_all_ports(dbskkd_t)
|
||||
corenet_udp_sendrecv_all_ports(dbskkd_t)
|
||||
corenet_non_ipsec_sendrecv(dbskkd_t)
|
||||
corenet_tcp_bind_all_nodes(dbskkd_t)
|
||||
corenet_udp_bind_all_nodes(dbskkd_t)
|
||||
|
||||
dev_read_urand(dbskkd_t)
|
||||
|
||||
|
||||
@ -106,12 +106,10 @@ template(`dbus_per_userdomain_template',`
|
||||
kernel_read_system_state($1_dbusd_t)
|
||||
kernel_read_kernel_sysctls($1_dbusd_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if($1_dbusd_t)
|
||||
corenet_raw_sendrecv_all_if($1_dbusd_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_dbusd_t)
|
||||
corenet_raw_sendrecv_all_nodes($1_dbusd_t)
|
||||
corenet_tcp_sendrecv_all_ports($1_dbusd_t)
|
||||
corenet_non_ipsec_sendrecv($1_dbusd_t)
|
||||
corenet_tcp_sendrecv_all_if($1_dbusd_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_dbusd_t)
|
||||
corenet_tcp_sendrecv_all_ports($1_dbusd_t)
|
||||
corenet_tcp_bind_all_nodes($1_dbusd_t)
|
||||
corenet_tcp_bind_reserved_port($1_dbusd_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(dbus,1.2.2)
|
||||
policy_module(dbus,1.2.3)
|
||||
|
||||
gen_require(`
|
||||
class dbus { send_msg acquire_svc };
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(dcc,1.0.0)
|
||||
policy_module(dcc,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -253,6 +253,7 @@ corenet_udp_sendrecv_all_nodes(dccd_t)
|
||||
corenet_udp_sendrecv_all_ports(dccd_t)
|
||||
corenet_udp_bind_all_nodes(dccd_t)
|
||||
corenet_udp_bind_dcc_port(dccd_t)
|
||||
corenet_sendrecv_dcc_server_packets(dccd_t)
|
||||
|
||||
dev_read_sysfs(dccd_t)
|
||||
|
||||
@ -338,7 +339,6 @@ corenet_non_ipsec_sendrecv(dccifd_t)
|
||||
corenet_udp_sendrecv_generic_if(dccifd_t)
|
||||
corenet_udp_sendrecv_all_nodes(dccifd_t)
|
||||
corenet_udp_sendrecv_all_ports(dccifd_t)
|
||||
corenet_udp_bind_all_nodes(dccifd_t)
|
||||
|
||||
dev_read_sysfs(dccifd_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ddclient,1.0.0)
|
||||
policy_module(ddclient,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -66,18 +66,15 @@ kernel_read_kernel_sysctls(ddclient_t)
|
||||
corecmd_exec_shell(ddclient_t)
|
||||
corecmd_exec_bin(ddclient_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(ddclient_t)
|
||||
corenet_tcp_sendrecv_generic_if(ddclient_t)
|
||||
corenet_udp_sendrecv_generic_if(ddclient_t)
|
||||
corenet_raw_sendrecv_generic_if(ddclient_t)
|
||||
corenet_tcp_sendrecv_all_nodes(ddclient_t)
|
||||
corenet_udp_sendrecv_all_nodes(ddclient_t)
|
||||
corenet_raw_sendrecv_all_nodes(ddclient_t)
|
||||
corenet_tcp_sendrecv_all_ports(ddclient_t)
|
||||
corenet_udp_sendrecv_all_ports(ddclient_t)
|
||||
corenet_non_ipsec_sendrecv(ddclient_t)
|
||||
corenet_tcp_bind_all_nodes(ddclient_t)
|
||||
corenet_udp_bind_all_nodes(ddclient_t)
|
||||
corenet_tcp_connect_all_ports(ddclient_t)
|
||||
corenet_sendrecv_all_client_packets(ddclient_t)
|
||||
|
||||
dev_read_sysfs(ddclient_t)
|
||||
dev_read_urand(ddclient_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(dhcp,1.1.0)
|
||||
policy_module(dhcp,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -54,6 +54,7 @@ files_pid_filetrans(dhcpd_t,dhcpd_var_run_t,file)
|
||||
kernel_read_system_state(dhcpd_t)
|
||||
kernel_read_kernel_sysctls(dhcpd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(dhcpd_t)
|
||||
corenet_tcp_sendrecv_all_if(dhcpd_t)
|
||||
corenet_udp_sendrecv_all_if(dhcpd_t)
|
||||
corenet_raw_sendrecv_all_if(dhcpd_t)
|
||||
@ -62,13 +63,15 @@ corenet_udp_sendrecv_all_nodes(dhcpd_t)
|
||||
corenet_raw_sendrecv_all_nodes(dhcpd_t)
|
||||
corenet_tcp_sendrecv_all_ports(dhcpd_t)
|
||||
corenet_udp_sendrecv_all_ports(dhcpd_t)
|
||||
corenet_non_ipsec_sendrecv(dhcpd_t)
|
||||
corenet_tcp_bind_all_nodes(dhcpd_t)
|
||||
corenet_udp_bind_all_nodes(dhcpd_t)
|
||||
corenet_tcp_bind_dhcpd_port(dhcpd_t)
|
||||
corenet_udp_bind_dhcpd_port(dhcpd_t)
|
||||
corenet_udp_bind_pxe_port(dhcpd_t)
|
||||
corenet_tcp_connect_all_ports(dhcpd_t)
|
||||
corenet_sendrecv_dhcpd_server_packets(dhcpd_t)
|
||||
corenet_sendrecv_pxe_server_packets(dhcpd_t)
|
||||
corenet_sendrecv_all_client_packets(dhcpd_t)
|
||||
|
||||
dev_read_sysfs(dhcpd_t)
|
||||
dev_read_rand(dhcpd_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(dictd,1.1.0)
|
||||
policy_module(dictd,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -38,6 +38,7 @@ kernel_read_system_state(dictd_t)
|
||||
kernel_read_kernel_sysctls(dictd_t)
|
||||
kernel_tcp_recvfrom(dictd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(dictd_t)
|
||||
corenet_tcp_sendrecv_all_if(dictd_t)
|
||||
corenet_raw_sendrecv_all_if(dictd_t)
|
||||
corenet_udp_sendrecv_all_if(dictd_t)
|
||||
@ -46,10 +47,9 @@ corenet_udp_sendrecv_all_nodes(dictd_t)
|
||||
corenet_raw_sendrecv_all_nodes(dictd_t)
|
||||
corenet_tcp_sendrecv_all_ports(dictd_t)
|
||||
corenet_udp_sendrecv_all_ports(dictd_t)
|
||||
corenet_non_ipsec_sendrecv(dictd_t)
|
||||
corenet_tcp_bind_all_nodes(dictd_t)
|
||||
corenet_udp_bind_all_nodes(dictd_t)
|
||||
corenet_tcp_bind_dict_port(dictd_t)
|
||||
corenet_sendrecv_dict_server_packets(dictd_t)
|
||||
|
||||
dev_read_sysfs(dictd_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(distcc,1.1.0)
|
||||
policy_module(distcc,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -45,18 +45,16 @@ files_pid_filetrans(distccd_t,distccd_var_run_t,file)
|
||||
kernel_read_system_state(distccd_t)
|
||||
kernel_read_kernel_sysctls(distccd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(distccd_t)
|
||||
corenet_tcp_sendrecv_all_if(distccd_t)
|
||||
corenet_udp_sendrecv_all_if(distccd_t)
|
||||
corenet_raw_sendrecv_all_if(distccd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(distccd_t)
|
||||
corenet_udp_sendrecv_all_nodes(distccd_t)
|
||||
corenet_raw_sendrecv_all_nodes(distccd_t)
|
||||
corenet_tcp_sendrecv_all_ports(distccd_t)
|
||||
corenet_udp_sendrecv_all_ports(distccd_t)
|
||||
corenet_non_ipsec_sendrecv(distccd_t)
|
||||
corenet_tcp_bind_all_nodes(distccd_t)
|
||||
corenet_udp_bind_all_nodes(distccd_t)
|
||||
corenet_tcp_bind_distccd_port(distccd_t)
|
||||
corenet_sendrecv_distccd_server_packets(distccd_t)
|
||||
|
||||
dev_read_sysfs(distccd_t)
|
||||
|
||||
|
||||
@ -32,13 +32,13 @@ template(`djbdns_daemontools_domain_template',`
|
||||
allow djbdns_$1_t djbdns_$1_conf_t:dir r_dir_perms;
|
||||
allow djbdns_$1_t djbdns_$1_conf_t:file r_file_perms;
|
||||
|
||||
corenet_non_ipsec_sendrecv(djbdns_$1_t)
|
||||
corenet_tcp_sendrecv_all_if(djbdns_$1_t)
|
||||
corenet_udp_sendrecv_all_if(djbdns_$1_t)
|
||||
corenet_tcp_sendrecv_all_nodes(djbdns_$1_t)
|
||||
corenet_udp_sendrecv_all_nodes(djbdns_$1_t)
|
||||
corenet_tcp_sendrecv_all_ports(djbdns_$1_t)
|
||||
corenet_udp_sendrecv_all_ports(djbdns_$1_t)
|
||||
corenet_non_ipsec_sendrecv(djbdns_$1_t)
|
||||
corenet_tcp_bind_all_nodes(djbdns_$1_t)
|
||||
corenet_udp_bind_all_nodes(djbdns_$1_t)
|
||||
corenet_tcp_bind_dns_port(djbdns_$1_t)
|
||||
@ -49,6 +49,4 @@ template(`djbdns_daemontools_domain_template',`
|
||||
|
||||
libs_use_ld_so(djbdns_$1_t)
|
||||
libs_use_shared_libs(djbdns_$1_t)
|
||||
|
||||
')
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(dnsmasq,1.0.0)
|
||||
policy_module(dnsmasq,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -41,6 +41,7 @@ kernel_read_kernel_sysctls(dnsmasq_t)
|
||||
kernel_list_proc(dnsmasq_t)
|
||||
kernel_read_proc_symlinks(dnsmasq_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(dnsmasq_t)
|
||||
corenet_tcp_sendrecv_generic_if(dnsmasq_t)
|
||||
corenet_udp_sendrecv_generic_if(dnsmasq_t)
|
||||
corenet_raw_sendrecv_generic_if(dnsmasq_t)
|
||||
@ -49,12 +50,13 @@ corenet_udp_sendrecv_all_nodes(dnsmasq_t)
|
||||
corenet_raw_sendrecv_all_nodes(dnsmasq_t)
|
||||
corenet_tcp_sendrecv_all_ports(dnsmasq_t)
|
||||
corenet_udp_sendrecv_all_ports(dnsmasq_t)
|
||||
corenet_non_ipsec_sendrecv(dnsmasq_t)
|
||||
corenet_tcp_bind_all_nodes(dnsmasq_t)
|
||||
corenet_udp_bind_all_nodes(dnsmasq_t)
|
||||
corenet_tcp_bind_dns_port(dnsmasq_t)
|
||||
corenet_udp_bind_dns_port(dnsmasq_t)
|
||||
corenet_udp_bind_dhcpd_port(dnsmasq_t)
|
||||
corenet_sendrecv_dns_server_packets(dnsmasq_t)
|
||||
corenet_sendrecv_dhcpd_server_packets(dnsmasq_t)
|
||||
|
||||
dev_read_sysfs(dnsmasq_t)
|
||||
dev_read_urand(dnsmasq_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(gatekeeper,1.0.1)
|
||||
policy_module(gatekeeper,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -66,6 +66,7 @@ corenet_tcp_bind_all_nodes(gatekeeper_t)
|
||||
corenet_udp_bind_all_nodes(gatekeeper_t)
|
||||
corenet_tcp_bind_gatekeeper_port(gatekeeper_t)
|
||||
corenet_udp_bind_gatekeeper_port(gatekeeper_t)
|
||||
corenet_sendrecv_gatekeeper_server_packets(gatekeeper_t)
|
||||
|
||||
dev_read_sysfs(gatekeeper_t)
|
||||
# for SSP
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(hal,1.3.7)
|
||||
policy_module(hal,1.3.8)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -55,17 +55,13 @@ auth_read_pam_console_data(hald_t)
|
||||
|
||||
corecmd_exec_all_executables(hald_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(hald_t)
|
||||
corenet_tcp_sendrecv_all_if(hald_t)
|
||||
corenet_udp_sendrecv_all_if(hald_t)
|
||||
corenet_raw_sendrecv_all_if(hald_t)
|
||||
corenet_tcp_sendrecv_all_nodes(hald_t)
|
||||
corenet_udp_sendrecv_all_nodes(hald_t)
|
||||
corenet_raw_sendrecv_all_nodes(hald_t)
|
||||
corenet_tcp_sendrecv_all_ports(hald_t)
|
||||
corenet_udp_sendrecv_all_ports(hald_t)
|
||||
corenet_non_ipsec_sendrecv(hald_t)
|
||||
corenet_tcp_bind_all_nodes(hald_t)
|
||||
corenet_udp_bind_all_nodes(hald_t)
|
||||
|
||||
dev_rw_usbfs(hald_t)
|
||||
dev_read_urand(hald_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(howl,1.1.1)
|
||||
policy_module(howl,1.1.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -46,6 +46,7 @@ corenet_tcp_bind_all_nodes(howl_t)
|
||||
corenet_udp_bind_all_nodes(howl_t)
|
||||
corenet_tcp_bind_howl_port(howl_t)
|
||||
corenet_udp_bind_howl_port(howl_t)
|
||||
corenet_sendrecv_howl_server_packets(howl_t)
|
||||
|
||||
dev_read_sysfs(howl_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(i18n_input,1.1.1)
|
||||
policy_module(i18n_input,1.1.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -48,6 +48,8 @@ corenet_udp_sendrecv_all_ports(i18n_input_t)
|
||||
corenet_tcp_bind_all_nodes(i18n_input_t)
|
||||
corenet_tcp_bind_i18n_input_port(i18n_input_t)
|
||||
corenet_tcp_connect_all_ports(i18n_input_t)
|
||||
corenet_sendrecv_i18n_input_server_packets(i18n_input_t)
|
||||
corenet_sendrecv_all_client_packets(i18n_input_t)
|
||||
|
||||
dev_read_sysfs(i18n_input_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(imaze,1.0.1)
|
||||
policy_module(imaze,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -67,6 +67,7 @@ corenet_tcp_bind_all_nodes(imazesrv_t)
|
||||
corenet_udp_bind_all_nodes(imazesrv_t)
|
||||
corenet_tcp_bind_imaze_port(imazesrv_t)
|
||||
corenet_udp_bind_imaze_port(imazesrv_t)
|
||||
corenet_sendrecv_imaze_server_packets(imazesrv_t)
|
||||
|
||||
dev_read_sysfs(imazesrv_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(inn,1.1.1)
|
||||
policy_module(inn,1.1.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -73,6 +73,8 @@ corenet_udp_sendrecv_all_ports(innd_t)
|
||||
corenet_tcp_bind_all_nodes(innd_t)
|
||||
corenet_tcp_bind_innd_port(innd_t)
|
||||
corenet_tcp_connect_all_ports(innd_t)
|
||||
corenet_sendrecv_innd_server_packets(innd_t)
|
||||
corenet_sendrecv_all_client_packets(innd_t)
|
||||
|
||||
dev_read_sysfs(innd_t)
|
||||
dev_read_urand(innd_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ircd,1.0.1)
|
||||
policy_module(ircd,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -63,6 +63,7 @@ corenet_tcp_sendrecv_all_ports(ircd_t)
|
||||
corenet_udp_sendrecv_all_ports(ircd_t)
|
||||
corenet_tcp_bind_all_nodes(ircd_t)
|
||||
corenet_tcp_bind_ircd_port(ircd_t)
|
||||
corenet_sendrecv_ircd_server_packets(ircd_t)
|
||||
|
||||
dev_read_sysfs(ircd_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(jabber,1.0.1)
|
||||
policy_module(jabber,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -58,6 +58,8 @@ corenet_udp_sendrecv_all_ports(jabberd_t)
|
||||
corenet_tcp_bind_all_nodes(jabberd_t)
|
||||
corenet_tcp_bind_jabber_client_port(jabberd_t)
|
||||
corenet_tcp_bind_jabber_interserver_port(jabberd_t)
|
||||
corenet_sendrecv_jabber_client_server_packets(jabberd_t)
|
||||
corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
|
||||
|
||||
dev_read_sysfs(jabberd_t)
|
||||
# For SSL
|
||||
|
||||
@ -43,18 +43,19 @@ interface(`kerberos_use',`
|
||||
tunable_policy(`allow_kerberos',`
|
||||
allow $1 self:tcp_socket create_socket_perms;
|
||||
allow $1 self:udp_socket create_socket_perms;
|
||||
|
||||
corenet_non_ipsec_sendrecv($1)
|
||||
corenet_tcp_sendrecv_all_if($1)
|
||||
corenet_udp_sendrecv_all_if($1)
|
||||
corenet_raw_sendrecv_all_if($1)
|
||||
corenet_tcp_sendrecv_all_nodes($1)
|
||||
corenet_udp_sendrecv_all_nodes($1)
|
||||
corenet_raw_sendrecv_all_nodes($1)
|
||||
corenet_tcp_sendrecv_kerberos_port($1)
|
||||
corenet_udp_sendrecv_kerberos_port($1)
|
||||
corenet_non_ipsec_sendrecv($1)
|
||||
corenet_tcp_bind_all_nodes($1)
|
||||
corenet_udp_bind_all_nodes($1)
|
||||
corenet_tcp_connect_kerberos_port($1)
|
||||
corenet_sendrecv_kerberos_client_packets($1)
|
||||
|
||||
sysnet_read_config($1)
|
||||
sysnet_dns_name_resolve($1)
|
||||
')
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(kerberos,1.1.1)
|
||||
policy_module(kerberos,1.1.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -100,6 +100,7 @@ corenet_tcp_bind_kerberos_admin_port(kadmind_t)
|
||||
corenet_udp_bind_kerberos_admin_port(kadmind_t)
|
||||
corenet_tcp_bind_reserved_port(kadmind_t)
|
||||
corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t)
|
||||
corenet_sendrecv_kerberos_admin_server_packets(kadmind_t)
|
||||
|
||||
dev_read_sysfs(kadmind_t)
|
||||
dev_read_rand(kadmind_t)
|
||||
@ -199,6 +200,7 @@ corenet_tcp_bind_all_nodes(krb5kdc_t)
|
||||
corenet_udp_bind_all_nodes(krb5kdc_t)
|
||||
corenet_tcp_bind_kerberos_port(krb5kdc_t)
|
||||
corenet_udp_bind_kerberos_port(krb5kdc_t)
|
||||
corenet_sendrecv_kerberos_server_packets(krb5kdc_t)
|
||||
|
||||
dev_read_sysfs(krb5kdc_t)
|
||||
dev_read_urand(krb5kdc_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ldap,1.2.1)
|
||||
policy_module(ldap,1.2.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -81,15 +81,15 @@ kernel_tcp_recvfrom(slapd_t)
|
||||
corenet_non_ipsec_sendrecv(slapd_t)
|
||||
corenet_tcp_sendrecv_all_if(slapd_t)
|
||||
corenet_udp_sendrecv_all_if(slapd_t)
|
||||
corenet_raw_sendrecv_all_if(slapd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(slapd_t)
|
||||
corenet_udp_sendrecv_all_nodes(slapd_t)
|
||||
corenet_raw_sendrecv_all_nodes(slapd_t)
|
||||
corenet_tcp_sendrecv_all_ports(slapd_t)
|
||||
corenet_udp_sendrecv_all_ports(slapd_t)
|
||||
corenet_tcp_bind_all_nodes(slapd_t)
|
||||
corenet_tcp_bind_ldap_port(slapd_t)
|
||||
corenet_tcp_connect_all_ports(slapd_t)
|
||||
corenet_sendrecv_ldap_server_packets(slapd_t)
|
||||
corenet_sendrecv_all_client_packets(slapd_t)
|
||||
|
||||
dev_read_urand(slapd_t)
|
||||
dev_read_sysfs(slapd_t)
|
||||
|
||||
@ -112,15 +112,12 @@ template(`lpd_per_userdomain_template',`
|
||||
|
||||
corenet_tcp_sendrecv_generic_if($1_lpr_t)
|
||||
corenet_udp_sendrecv_generic_if($1_lpr_t)
|
||||
corenet_raw_sendrecv_generic_if($1_lpr_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_lpr_t)
|
||||
corenet_udp_sendrecv_all_nodes($1_lpr_t)
|
||||
corenet_raw_sendrecv_all_nodes($1_lpr_t)
|
||||
corenet_tcp_sendrecv_all_ports($1_lpr_t)
|
||||
corenet_udp_sendrecv_all_ports($1_lpr_t)
|
||||
corenet_tcp_bind_all_nodes($1_lpr_t)
|
||||
corenet_udp_bind_all_nodes($1_lpr_t)
|
||||
corenet_tcp_connect_all_ports($1_lpr_t)
|
||||
corenet_sendrecv_all_client_packets($1_lpr_t)
|
||||
|
||||
# for /dev/null
|
||||
dev_list_all_dev_nodes($1_lpr_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(lpd,1.2.3)
|
||||
policy_module(lpd,1.2.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -73,6 +73,7 @@ corenet_udp_sendrecv_all_nodes(checkpc_t)
|
||||
corenet_tcp_sendrecv_all_ports(checkpc_t)
|
||||
corenet_udp_sendrecv_all_ports(checkpc_t)
|
||||
corenet_tcp_connect_all_ports(checkpc_t)
|
||||
corenet_sendrecv_all_client_packets(checkpc_t)
|
||||
|
||||
dev_append_printer(checkpc_t)
|
||||
|
||||
@ -166,6 +167,7 @@ corenet_tcp_sendrecv_all_ports(lpd_t)
|
||||
corenet_udp_sendrecv_all_ports(lpd_t)
|
||||
corenet_tcp_bind_all_nodes(lpd_t)
|
||||
corenet_tcp_bind_printer_port(lpd_t)
|
||||
corenet_sendrecv_printer_server_packets(lpd_t)
|
||||
|
||||
dev_read_sysfs(lpd_t)
|
||||
dev_rw_printer(lpd_t)
|
||||
|
||||
@ -50,6 +50,7 @@ template(`mailman_domain_template', `
|
||||
kernel_read_kernel_sysctls(mailman_$1_t)
|
||||
kernel_read_system_state(mailman_$1_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(mailman_$1_t)
|
||||
corenet_tcp_sendrecv_all_if(mailman_$1_t)
|
||||
corenet_udp_sendrecv_all_if(mailman_$1_t)
|
||||
corenet_raw_sendrecv_all_if(mailman_$1_t)
|
||||
@ -58,7 +59,6 @@ template(`mailman_domain_template', `
|
||||
corenet_raw_sendrecv_all_nodes(mailman_$1_t)
|
||||
corenet_tcp_sendrecv_all_ports(mailman_$1_t)
|
||||
corenet_udp_sendrecv_all_ports(mailman_$1_t)
|
||||
corenet_non_ipsec_sendrecv(mailman_$1_t)
|
||||
corenet_tcp_bind_all_nodes(mailman_$1_t)
|
||||
corenet_udp_bind_all_nodes(mailman_$1_t)
|
||||
corenet_tcp_connect_smtp_port(mailman_$1_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(monop,1.0.0)
|
||||
policy_module(monop,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -44,18 +44,16 @@ kernel_read_kernel_sysctls(monopd_t)
|
||||
kernel_list_proc(monopd_t)
|
||||
kernel_read_proc_symlinks(monopd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(monopd_t)
|
||||
corenet_tcp_sendrecv_generic_if(monopd_t)
|
||||
corenet_udp_sendrecv_generic_if(monopd_t)
|
||||
corenet_raw_sendrecv_generic_if(monopd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(monopd_t)
|
||||
corenet_udp_sendrecv_all_nodes(monopd_t)
|
||||
corenet_raw_sendrecv_all_nodes(monopd_t)
|
||||
corenet_tcp_sendrecv_all_ports(monopd_t)
|
||||
corenet_udp_sendrecv_all_ports(monopd_t)
|
||||
corenet_non_ipsec_sendrecv(monopd_t)
|
||||
corenet_tcp_bind_all_nodes(monopd_t)
|
||||
corenet_udp_bind_all_nodes(monopd_t)
|
||||
corenet_tcp_bind_monopd_port(monopd_t)
|
||||
corenet_sendrecv_monopd_server_packets(monopd_t)
|
||||
|
||||
dev_read_sysfs(monopd_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(munin,1.0.0)
|
||||
policy_module(munin,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -66,17 +66,13 @@ kernel_read_kernel_sysctls(munin_t)
|
||||
|
||||
corecmd_exec_bin(munin_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(munin_t)
|
||||
corenet_tcp_sendrecv_generic_if(munin_t)
|
||||
corenet_udp_sendrecv_generic_if(munin_t)
|
||||
corenet_raw_sendrecv_generic_if(munin_t)
|
||||
corenet_tcp_sendrecv_all_nodes(munin_t)
|
||||
corenet_udp_sendrecv_all_nodes(munin_t)
|
||||
corenet_raw_sendrecv_all_nodes(munin_t)
|
||||
corenet_tcp_sendrecv_all_ports(munin_t)
|
||||
corenet_udp_sendrecv_all_ports(munin_t)
|
||||
corenet_non_ipsec_sendrecv(munin_t)
|
||||
corenet_tcp_bind_all_nodes(munin_t)
|
||||
corenet_udp_bind_all_nodes(munin_t)
|
||||
|
||||
dev_read_sysfs(munin_t)
|
||||
dev_read_urand(munin_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(mysql,1.2.1)
|
||||
policy_module(mysql,1.2.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -60,24 +60,21 @@ allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
|
||||
allow mysqld_t mysqld_var_run_t:file create_file_perms;
|
||||
files_pid_filetrans(mysqld_t,mysqld_var_run_t,file)
|
||||
|
||||
kernel_list_proc(mysqld_t)
|
||||
kernel_read_kernel_sysctls(mysqld_t)
|
||||
kernel_read_proc_symlinks(mysqld_t)
|
||||
kernel_read_system_state(mysqld_t)
|
||||
kernel_read_kernel_sysctls(mysqld_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(mysqld_t)
|
||||
corenet_tcp_sendrecv_all_if(mysqld_t)
|
||||
corenet_udp_sendrecv_all_if(mysqld_t)
|
||||
corenet_raw_sendrecv_all_if(mysqld_t)
|
||||
corenet_tcp_sendrecv_all_nodes(mysqld_t)
|
||||
corenet_udp_sendrecv_all_nodes(mysqld_t)
|
||||
corenet_raw_sendrecv_all_nodes(mysqld_t)
|
||||
corenet_tcp_sendrecv_all_ports(mysqld_t)
|
||||
corenet_udp_sendrecv_all_ports(mysqld_t)
|
||||
corenet_non_ipsec_sendrecv(mysqld_t)
|
||||
corenet_tcp_bind_all_nodes(mysqld_t)
|
||||
corenet_udp_bind_all_nodes(mysqld_t)
|
||||
corenet_tcp_bind_mysqld_port(mysqld_t)
|
||||
corenet_tcp_connect_mysqld_port(mysqld_t)
|
||||
corenet_sendrecv_mysqld_client_packets(mysqld_t)
|
||||
corenet_sendrecv_mysqld_server_packets(mysqld_t)
|
||||
|
||||
dev_read_sysfs(mysqld_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(nagios,1.0.1)
|
||||
policy_module(nagios,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -68,17 +68,13 @@ kernel_read_kernel_sysctls(nagios_t)
|
||||
corecmd_exec_bin(nagios_t)
|
||||
corecmd_exec_shell(nagios_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(nagios_t)
|
||||
corenet_tcp_sendrecv_generic_if(nagios_t)
|
||||
corenet_udp_sendrecv_generic_if(nagios_t)
|
||||
corenet_raw_sendrecv_generic_if(nagios_t)
|
||||
corenet_tcp_sendrecv_all_nodes(nagios_t)
|
||||
corenet_udp_sendrecv_all_nodes(nagios_t)
|
||||
corenet_raw_sendrecv_all_nodes(nagios_t)
|
||||
corenet_tcp_sendrecv_all_ports(nagios_t)
|
||||
corenet_udp_sendrecv_all_ports(nagios_t)
|
||||
corenet_non_ipsec_sendrecv(nagios_t)
|
||||
corenet_tcp_bind_all_nodes(nagios_t)
|
||||
corenet_udp_bind_all_nodes(nagios_t)
|
||||
|
||||
dev_read_sysfs(nagios_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(nessus,1.0.0)
|
||||
policy_module(nessus,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -60,6 +60,7 @@ kernel_tcp_recvfrom(nessusd_t)
|
||||
# for nmap etc
|
||||
corecmd_exec_bin(nessusd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(nessusd_t)
|
||||
corenet_tcp_sendrecv_generic_if(nessusd_t)
|
||||
corenet_udp_sendrecv_generic_if(nessusd_t)
|
||||
corenet_raw_sendrecv_generic_if(nessusd_t)
|
||||
@ -68,11 +69,11 @@ corenet_udp_sendrecv_all_nodes(nessusd_t)
|
||||
corenet_raw_sendrecv_all_nodes(nessusd_t)
|
||||
corenet_tcp_sendrecv_all_ports(nessusd_t)
|
||||
corenet_udp_sendrecv_all_ports(nessusd_t)
|
||||
corenet_non_ipsec_sendrecv(nessusd_t)
|
||||
corenet_tcp_bind_all_nodes(nessusd_t)
|
||||
corenet_udp_bind_all_nodes(nessusd_t)
|
||||
corenet_tcp_bind_nessus_port(nessusd_t)
|
||||
corenet_tcp_connect_all_ports(nessusd_t)
|
||||
corenet_sendrecv_all_client_packets(nessusd_t)
|
||||
corenet_sendrecv_nessus_server_packets(nessusd_t)
|
||||
|
||||
dev_read_sysfs(nessusd_t)
|
||||
dev_read_urand(nessusd_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(networkmanager,1.3.1)
|
||||
policy_module(networkmanager,1.3.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -39,6 +39,7 @@ kernel_read_network_state(NetworkManager_t)
|
||||
kernel_read_kernel_sysctls(NetworkManager_t)
|
||||
kernel_load_module(NetworkManager_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(NetworkManager_t)
|
||||
corenet_tcp_sendrecv_all_if(NetworkManager_t)
|
||||
corenet_udp_sendrecv_all_if(NetworkManager_t)
|
||||
corenet_raw_sendrecv_all_if(NetworkManager_t)
|
||||
@ -47,12 +48,13 @@ corenet_udp_sendrecv_all_nodes(NetworkManager_t)
|
||||
corenet_raw_sendrecv_all_nodes(NetworkManager_t)
|
||||
corenet_tcp_sendrecv_all_ports(NetworkManager_t)
|
||||
corenet_udp_sendrecv_all_ports(NetworkManager_t)
|
||||
corenet_non_ipsec_sendrecv(NetworkManager_t)
|
||||
corenet_tcp_bind_all_nodes(NetworkManager_t)
|
||||
corenet_udp_bind_all_nodes(NetworkManager_t)
|
||||
corenet_tcp_connect_all_ports(NetworkManager_t)
|
||||
corenet_udp_bind_isakmp_port(NetworkManager_t)
|
||||
corenet_udp_bind_dhcpc_port(NetworkManager_t)
|
||||
corenet_tcp_connect_all_ports(NetworkManager_t)
|
||||
corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
|
||||
corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
|
||||
corenet_sendrecv_all_client_packets(NetworkManager_t)
|
||||
|
||||
dev_read_sysfs(NetworkManager_t)
|
||||
dev_read_rand(NetworkManager_t)
|
||||
|
||||
@ -37,15 +37,13 @@ interface(`nis_use_ypbind_uncond',`
|
||||
allow $1 var_yp_t:lnk_file { getattr read };
|
||||
allow $1 var_yp_t:file r_file_perms;
|
||||
|
||||
corenet_non_ipsec_sendrecv($1)
|
||||
corenet_tcp_sendrecv_all_if($1)
|
||||
corenet_udp_sendrecv_all_if($1)
|
||||
corenet_raw_sendrecv_all_if($1)
|
||||
corenet_tcp_sendrecv_all_nodes($1)
|
||||
corenet_udp_sendrecv_all_nodes($1)
|
||||
corenet_raw_sendrecv_all_nodes($1)
|
||||
corenet_tcp_sendrecv_all_ports($1)
|
||||
corenet_udp_sendrecv_all_ports($1)
|
||||
corenet_non_ipsec_sendrecv($1)
|
||||
corenet_tcp_bind_all_nodes($1)
|
||||
corenet_udp_bind_all_nodes($1)
|
||||
corenet_tcp_bind_generic_port($1)
|
||||
@ -58,6 +56,9 @@ interface(`nis_use_ypbind_uncond',`
|
||||
corenet_tcp_connect_reserved_port($1)
|
||||
corenet_tcp_connect_generic_port($1)
|
||||
corenet_dontaudit_tcp_connect_all_reserved_ports($1)
|
||||
corenet_sendrecv_portmap_client_packets($1)
|
||||
corenet_sendrecv_generic_client_packets($1)
|
||||
corenet_sendrecv_generic_server_packets($1)
|
||||
|
||||
sysnet_read_config($1)
|
||||
')
|
||||
@ -78,47 +79,10 @@ interface(`nis_use_ypbind',`
|
||||
')
|
||||
|
||||
tunable_policy(`allow_ypbind',`
|
||||
dontaudit $1 self:capability net_bind_service;
|
||||
|
||||
allow $1 self:tcp_socket create_stream_socket_perms;
|
||||
allow $1 self:udp_socket create_socket_perms;
|
||||
|
||||
allow $1 var_yp_t:dir r_dir_perms;
|
||||
allow $1 var_yp_t:lnk_file { getattr read };
|
||||
allow $1 var_yp_t:file r_file_perms;
|
||||
|
||||
corenet_tcp_sendrecv_all_if($1)
|
||||
corenet_udp_sendrecv_all_if($1)
|
||||
corenet_raw_sendrecv_all_if($1)
|
||||
corenet_tcp_sendrecv_all_nodes($1)
|
||||
corenet_udp_sendrecv_all_nodes($1)
|
||||
corenet_raw_sendrecv_all_nodes($1)
|
||||
corenet_tcp_sendrecv_all_ports($1)
|
||||
corenet_udp_sendrecv_all_ports($1)
|
||||
corenet_non_ipsec_sendrecv($1)
|
||||
corenet_tcp_bind_all_nodes($1)
|
||||
corenet_udp_bind_all_nodes($1)
|
||||
corenet_tcp_bind_generic_port($1)
|
||||
corenet_udp_bind_generic_port($1)
|
||||
corenet_tcp_bind_reserved_port($1)
|
||||
corenet_udp_bind_reserved_port($1)
|
||||
corenet_dontaudit_tcp_bind_all_reserved_ports($1)
|
||||
corenet_dontaudit_udp_bind_all_reserved_ports($1)
|
||||
corenet_tcp_connect_portmap_port($1)
|
||||
corenet_tcp_connect_reserved_port($1)
|
||||
corenet_tcp_connect_generic_port($1)
|
||||
corenet_dontaudit_tcp_connect_all_reserved_ports($1)
|
||||
|
||||
sysnet_read_config($1)
|
||||
nis_use_ypbind_uncond($1)
|
||||
',`
|
||||
dontaudit $1 var_yp_t:dir search;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
tunable_policy(`allow_ypbind',`
|
||||
mount_send_nfs_client_request($1)
|
||||
')
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(nis,1.1.2)
|
||||
policy_module(nis,1.1.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(nscd,1.2.3)
|
||||
policy_module(nscd,1.2.4)
|
||||
|
||||
gen_require(`
|
||||
class nscd all_nscd_perms;
|
||||
@ -76,6 +76,7 @@ corenet_udp_sendrecv_all_nodes(nscd_t)
|
||||
corenet_tcp_sendrecv_all_ports(nscd_t)
|
||||
corenet_udp_sendrecv_all_ports(nscd_t)
|
||||
corenet_tcp_connect_all_ports(nscd_t)
|
||||
corenet_sendrecv_all_client_packets(nscd_t)
|
||||
corenet_rw_tun_tap_dev(nscd_t)
|
||||
|
||||
selinux_get_fs_mount(nscd_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(nsd,1.0.0)
|
||||
policy_module(nsd,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -64,19 +64,18 @@ kernel_read_kernel_sysctls(nsd_t)
|
||||
|
||||
corecmd_exec_bin(nsd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(nsd_t)
|
||||
corenet_tcp_sendrecv_generic_if(nsd_t)
|
||||
corenet_udp_sendrecv_generic_if(nsd_t)
|
||||
corenet_raw_sendrecv_generic_if(nsd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(nsd_t)
|
||||
corenet_udp_sendrecv_all_nodes(nsd_t)
|
||||
corenet_raw_sendrecv_all_nodes(nsd_t)
|
||||
corenet_tcp_sendrecv_all_ports(nsd_t)
|
||||
corenet_udp_sendrecv_all_ports(nsd_t)
|
||||
corenet_non_ipsec_sendrecv(nsd_t)
|
||||
corenet_tcp_bind_all_nodes(nsd_t)
|
||||
corenet_udp_bind_all_nodes(nsd_t)
|
||||
corenet_tcp_bind_dns_port(nsd_t)
|
||||
corenet_udp_bind_dns_port(nsd_t)
|
||||
corenet_sendrecv_dns_server_packets(nsd_t)
|
||||
|
||||
dev_read_sysfs(nsd_t)
|
||||
|
||||
@ -164,15 +163,12 @@ corecmd_exec_shell(nsd_crond_t)
|
||||
corenet_non_ipsec_sendrecv(nsd_crond_t)
|
||||
corenet_tcp_sendrecv_generic_if(nsd_crond_t)
|
||||
corenet_udp_sendrecv_generic_if(nsd_crond_t)
|
||||
corenet_raw_sendrecv_generic_if(nsd_crond_t)
|
||||
corenet_tcp_sendrecv_all_nodes(nsd_crond_t)
|
||||
corenet_udp_sendrecv_all_nodes(nsd_crond_t)
|
||||
corenet_raw_sendrecv_all_nodes(nsd_crond_t)
|
||||
corenet_tcp_sendrecv_all_ports(nsd_crond_t)
|
||||
corenet_udp_sendrecv_all_ports(nsd_crond_t)
|
||||
corenet_tcp_bind_all_nodes(nsd_crond_t)
|
||||
corenet_udp_bind_all_nodes(nsd_crond_t)
|
||||
corenet_tcp_connect_all_ports(nsd_crond_t)
|
||||
corenet_sendrecv_all_client_packets(nsd_crond_t)
|
||||
|
||||
# for SSP
|
||||
dev_read_urand(nsd_crond_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ntop,1.0.0)
|
||||
policy_module(ntop,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -62,6 +62,7 @@ kernel_read_kernel_sysctls(ntop_t)
|
||||
kernel_list_proc(ntop_t)
|
||||
kernel_read_proc_symlinks(ntop_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(ntop_t)
|
||||
corenet_tcp_sendrecv_generic_if(ntop_t)
|
||||
corenet_udp_sendrecv_generic_if(ntop_t)
|
||||
corenet_raw_sendrecv_generic_if(ntop_t)
|
||||
@ -70,9 +71,6 @@ corenet_udp_sendrecv_all_nodes(ntop_t)
|
||||
corenet_raw_sendrecv_all_nodes(ntop_t)
|
||||
corenet_tcp_sendrecv_all_ports(ntop_t)
|
||||
corenet_udp_sendrecv_all_ports(ntop_t)
|
||||
corenet_non_ipsec_sendrecv(ntop_t)
|
||||
corenet_tcp_bind_all_nodes(ntop_t)
|
||||
corenet_udp_bind_all_nodes(ntop_t)
|
||||
|
||||
dev_read_sysfs(ntop_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(nx,1.0.0)
|
||||
policy_module(nx,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -60,6 +60,7 @@ corenet_udp_sendrecv_all_nodes(nx_server_t)
|
||||
corenet_tcp_sendrecv_all_ports(nx_server_t)
|
||||
corenet_udp_sendrecv_all_ports(nx_server_t)
|
||||
corenet_tcp_connect_all_ports(nx_server_t)
|
||||
corenet_sendrecv_all_client_packets(nx_server_t)
|
||||
|
||||
dev_read_urand(nx_server_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(oav,1.0.0)
|
||||
policy_module(oav,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -50,17 +50,13 @@ allow oav_update_t oav_update_var_lib_t:lnk_file r_file_perms;
|
||||
|
||||
corecmd_exec_all_executables(oav_update_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(oav_update_t)
|
||||
corenet_tcp_sendrecv_generic_if(oav_update_t)
|
||||
corenet_udp_sendrecv_generic_if(oav_update_t)
|
||||
corenet_raw_sendrecv_generic_if(oav_update_t)
|
||||
corenet_tcp_sendrecv_all_nodes(oav_update_t)
|
||||
corenet_udp_sendrecv_all_nodes(oav_update_t)
|
||||
corenet_raw_sendrecv_all_nodes(oav_update_t)
|
||||
corenet_tcp_sendrecv_all_ports(oav_update_t)
|
||||
corenet_udp_sendrecv_all_ports(oav_update_t)
|
||||
corenet_non_ipsec_sendrecv(oav_update_t)
|
||||
corenet_tcp_bind_all_nodes(oav_update_t)
|
||||
corenet_udp_bind_all_nodes(oav_update_t)
|
||||
|
||||
files_exec_etc_files(oav_update_t)
|
||||
|
||||
@ -109,17 +105,13 @@ kernel_read_kernel_sysctls(scannerdaemon_t)
|
||||
# Can run kaffe
|
||||
corecmd_exec_all_executables(scannerdaemon_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(scannerdaemon_t)
|
||||
corenet_tcp_sendrecv_generic_if(scannerdaemon_t)
|
||||
corenet_udp_sendrecv_generic_if(scannerdaemon_t)
|
||||
corenet_raw_sendrecv_generic_if(scannerdaemon_t)
|
||||
corenet_tcp_sendrecv_all_nodes(scannerdaemon_t)
|
||||
corenet_udp_sendrecv_all_nodes(scannerdaemon_t)
|
||||
corenet_raw_sendrecv_all_nodes(scannerdaemon_t)
|
||||
corenet_tcp_sendrecv_all_ports(scannerdaemon_t)
|
||||
corenet_udp_sendrecv_all_ports(scannerdaemon_t)
|
||||
corenet_non_ipsec_sendrecv(scannerdaemon_t)
|
||||
corenet_tcp_bind_all_nodes(scannerdaemon_t)
|
||||
corenet_udp_bind_all_nodes(scannerdaemon_t)
|
||||
|
||||
dev_read_sysfs(scannerdaemon_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(openvpn,1.0.0)
|
||||
policy_module(openvpn,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -63,6 +63,7 @@ corenet_tcp_bind_all_nodes(openvpn_t)
|
||||
corenet_udp_bind_all_nodes(openvpn_t)
|
||||
corenet_tcp_bind_openvpn_port(openvpn_t)
|
||||
corenet_udp_bind_openvpn_port(openvpn_t)
|
||||
corenet_sendrecv_openvpn_server_packets(openvpn_t)
|
||||
corenet_rw_tun_tap_dev(openvpn_t)
|
||||
|
||||
dev_read_rand(openvpn_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(pegasus,1.1.2)
|
||||
policy_module(pegasus,1.1.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -66,18 +66,21 @@ kernel_read_fs_sysctls(pegasus_t)
|
||||
kernel_read_system_state(pegasus_t)
|
||||
kernel_search_vm_sysctl(pegasus_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(pegasus_t)
|
||||
corenet_raw_sendrecv_all_if(pegasus_t)
|
||||
corenet_tcp_sendrecv_all_nodes(pegasus_t)
|
||||
corenet_raw_sendrecv_all_nodes(pegasus_t)
|
||||
corenet_tcp_sendrecv_all_ports(pegasus_t)
|
||||
corenet_non_ipsec_sendrecv(pegasus_t)
|
||||
corenet_tcp_sendrecv_all_if(pegasus_t)
|
||||
corenet_tcp_sendrecv_all_nodes(pegasus_t)
|
||||
corenet_tcp_sendrecv_all_ports(pegasus_t)
|
||||
corenet_tcp_bind_all_nodes(pegasus_t)
|
||||
corenet_tcp_bind_pegasus_http_port(pegasus_t)
|
||||
corenet_tcp_bind_pegasus_https_port(pegasus_t)
|
||||
corenet_tcp_connect_pegasus_http_port(pegasus_t)
|
||||
corenet_tcp_connect_pegasus_https_port(pegasus_t)
|
||||
corenet_tcp_connect_generic_port(pegasus_t)
|
||||
corenet_sendrecv_generic_client_packets(pegasus_t)
|
||||
corenet_sendrecv_pegasus_http_client_packets(pegasus_t)
|
||||
corenet_sendrecv_pegasus_http_server_packets(pegasus_t)
|
||||
corenet_sendrecv_pegasus_https_client_packets(pegasus_t)
|
||||
corenet_sendrecv_pegasus_https_server_packets(pegasus_t)
|
||||
|
||||
corecmd_exec_sbin(pegasus_t)
|
||||
corecmd_exec_bin(pegasus_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(perdition,1.0.0)
|
||||
policy_module(perdition,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -42,15 +42,13 @@ kernel_tcp_recvfrom(perdition_t)
|
||||
corenet_non_ipsec_sendrecv(perdition_t)
|
||||
corenet_tcp_sendrecv_generic_if(perdition_t)
|
||||
corenet_udp_sendrecv_generic_if(perdition_t)
|
||||
corenet_raw_sendrecv_generic_if(perdition_t)
|
||||
corenet_tcp_sendrecv_all_nodes(perdition_t)
|
||||
corenet_udp_sendrecv_all_nodes(perdition_t)
|
||||
corenet_raw_sendrecv_all_nodes(perdition_t)
|
||||
corenet_tcp_sendrecv_all_ports(perdition_t)
|
||||
corenet_udp_sendrecv_all_ports(perdition_t)
|
||||
corenet_tcp_bind_all_nodes(perdition_t)
|
||||
corenet_udp_bind_all_nodes(perdition_t)
|
||||
corenet_tcp_bind_pop_port(perdition_t)
|
||||
corenet_sendrecv_pop_server_packets(perdition_t)
|
||||
|
||||
dev_read_sysfs(perdition_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(portslave,1.0.0)
|
||||
policy_module(portslave,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -62,8 +62,6 @@ corenet_tcp_sendrecv_all_nodes(portslave_t)
|
||||
corenet_udp_sendrecv_all_nodes(portslave_t)
|
||||
corenet_tcp_sendrecv_all_ports(portslave_t)
|
||||
corenet_udp_sendrecv_all_ports(portslave_t)
|
||||
corenet_tcp_bind_all_nodes(portslave_t)
|
||||
corenet_udp_bind_all_nodes(portslave_t)
|
||||
corenet_rw_ppp_dev(portslave_t)
|
||||
|
||||
dev_read_sysfs(portslave_t)
|
||||
|
||||
@ -135,18 +135,17 @@ template(`postfix_server_domain_template',`
|
||||
allow postfix_$1_t postfix_master_t:fifo_file rw_file_perms;
|
||||
allow postfix_$1_t postfix_master_t:process sigchld;
|
||||
|
||||
corenet_non_ipsec_sendrecv(postfix_$1_t)
|
||||
corenet_tcp_sendrecv_all_if(postfix_$1_t)
|
||||
corenet_udp_sendrecv_all_if(postfix_$1_t)
|
||||
corenet_raw_sendrecv_all_if(postfix_$1_t)
|
||||
corenet_tcp_sendrecv_all_nodes(postfix_$1_t)
|
||||
corenet_udp_sendrecv_all_nodes(postfix_$1_t)
|
||||
corenet_raw_sendrecv_all_nodes(postfix_$1_t)
|
||||
corenet_tcp_sendrecv_all_ports(postfix_$1_t)
|
||||
corenet_udp_sendrecv_all_ports(postfix_$1_t)
|
||||
corenet_non_ipsec_sendrecv(postfix_$1_t)
|
||||
corenet_tcp_bind_all_nodes(postfix_$1_t)
|
||||
corenet_udp_bind_all_nodes(postfix_$1_t)
|
||||
corenet_tcp_connect_all_ports(postfix_$1_t)
|
||||
corenet_sendrecv_all_client_packets(postfix_$1_t)
|
||||
|
||||
sysnet_read_config(postfix_$1_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(postfix,1.2.4)
|
||||
policy_module(postfix,1.2.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(postgresql,1.1.0)
|
||||
policy_module(postgresql,1.1.1)
|
||||
|
||||
#################################
|
||||
#
|
||||
@ -85,19 +85,18 @@ kernel_read_all_sysctls(postgresql_t)
|
||||
kernel_read_proc_symlinks(postgresql_t)
|
||||
kernel_tcp_recvfrom(postgresql_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(postgresql_t)
|
||||
corenet_tcp_sendrecv_all_if(postgresql_t)
|
||||
corenet_udp_sendrecv_all_if(postgresql_t)
|
||||
corenet_raw_sendrecv_all_if(postgresql_t)
|
||||
corenet_tcp_sendrecv_all_nodes(postgresql_t)
|
||||
corenet_udp_sendrecv_all_nodes(postgresql_t)
|
||||
corenet_raw_sendrecv_all_nodes(postgresql_t)
|
||||
corenet_tcp_sendrecv_all_ports(postgresql_t)
|
||||
corenet_udp_sendrecv_all_ports(postgresql_t)
|
||||
corenet_non_ipsec_sendrecv(postgresql_t)
|
||||
corenet_tcp_bind_all_nodes(postgresql_t)
|
||||
corenet_udp_bind_all_nodes(postgresql_t)
|
||||
corenet_tcp_bind_postgresql_port(postgresql_t)
|
||||
corenet_tcp_connect_auth_port(postgresql_t)
|
||||
corenet_sendrecv_postgresql_server_packets(postgresql_t)
|
||||
corenet_sendrecv_auth_client_packets(postgresql_t)
|
||||
|
||||
dev_read_sysfs(postgresql_t)
|
||||
dev_read_urand(postgresql_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(postgrey,1.0.0)
|
||||
policy_module(postgrey,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -50,12 +50,11 @@ corecmd_search_sbin(postgrey_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(postgrey_t)
|
||||
corenet_tcp_sendrecv_generic_if(postgrey_t)
|
||||
corenet_raw_sendrecv_generic_if(postgrey_t)
|
||||
corenet_tcp_sendrecv_all_nodes(postgrey_t)
|
||||
corenet_raw_sendrecv_all_nodes(postgrey_t)
|
||||
corenet_tcp_sendrecv_all_ports(postgrey_t)
|
||||
corenet_tcp_bind_all_nodes(postgrey_t)
|
||||
corenet_tcp_bind_postgrey_port(postgrey_t)
|
||||
corenet_sendrecv_postgrey_server_packets(postgrey_t)
|
||||
|
||||
dev_read_urand(postgrey_t)
|
||||
dev_read_sysfs(postgrey_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ppp,1.2.2)
|
||||
policy_module(ppp,1.2.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -57,8 +57,8 @@ files_pid_file(pptp_var_run_t)
|
||||
# PPPD Local policy
|
||||
#
|
||||
|
||||
dontaudit pppd_t self:capability sys_tty_config;
|
||||
allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override };
|
||||
dontaudit pppd_t self:capability sys_tty_config;
|
||||
allow pppd_t self:fifo_file rw_file_perms;
|
||||
allow pppd_t self:file { read getattr };
|
||||
allow pppd_t self:socket create_socket_perms;
|
||||
@ -117,6 +117,7 @@ dev_read_urand(pppd_t)
|
||||
dev_search_sysfs(pppd_t)
|
||||
dev_read_sysfs(pppd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(pppd_t)
|
||||
corenet_tcp_sendrecv_all_if(pppd_t)
|
||||
corenet_raw_sendrecv_all_if(pppd_t)
|
||||
corenet_udp_sendrecv_all_if(pppd_t)
|
||||
@ -125,9 +126,6 @@ corenet_raw_sendrecv_all_nodes(pppd_t)
|
||||
corenet_udp_sendrecv_all_nodes(pppd_t)
|
||||
corenet_tcp_sendrecv_all_ports(pppd_t)
|
||||
corenet_udp_sendrecv_all_ports(pppd_t)
|
||||
corenet_non_ipsec_sendrecv(pppd_t)
|
||||
corenet_tcp_bind_all_nodes(pppd_t)
|
||||
corenet_udp_bind_all_nodes(pppd_t)
|
||||
# Access /dev/ppp.
|
||||
corenet_rw_ppp_dev(pppd_t)
|
||||
|
||||
@ -265,15 +263,16 @@ kernel_read_proc_symlinks(pptp_t)
|
||||
|
||||
dev_read_sysfs(pptp_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(pptp_t)
|
||||
corenet_tcp_sendrecv_all_if(pptp_t)
|
||||
corenet_raw_sendrecv_all_if(pptp_t)
|
||||
corenet_tcp_sendrecv_all_nodes(pptp_t)
|
||||
corenet_raw_sendrecv_all_nodes(pptp_t)
|
||||
corenet_tcp_sendrecv_all_ports(pptp_t)
|
||||
corenet_non_ipsec_sendrecv(pptp_t)
|
||||
corenet_tcp_bind_all_nodes(pptp_t)
|
||||
corenet_tcp_connect_generic_port(pptp_t)
|
||||
corenet_tcp_connect_all_reserved_ports(pptp_t)
|
||||
corenet_sendrecv_generic_client_packets(pptp_t)
|
||||
|
||||
fs_getattr_all_fs(pptp_t)
|
||||
fs_search_auto_mountpoints(pptp_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(privoxy,1.1.2)
|
||||
policy_module(privoxy,1.1.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -52,6 +52,11 @@ corenet_tcp_connect_http_port(privoxy_t)
|
||||
corenet_tcp_connect_http_cache_port(privoxy_t)
|
||||
corenet_tcp_connect_ftp_port(privoxy_t)
|
||||
corenet_tcp_connect_tor_port(privoxy_t)
|
||||
corenet_sendrecv_http_cache_client_packets(privoxy_t)
|
||||
corenet_sendrecv_http_cache_server_packets(privoxy_t)
|
||||
corenet_sendrecv_http_client_packets(privoxy_t)
|
||||
corenet_sendrecv_ftp_client_packets(privoxy_t)
|
||||
corenet_sendrecv_tor_client_packets(privoxy_t)
|
||||
|
||||
dev_read_sysfs(privoxy_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(procmail,1.2.1)
|
||||
policy_module(procmail,1.2.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -18,7 +18,7 @@ role system_r types procmail_t;
|
||||
#
|
||||
|
||||
allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };
|
||||
allow procmail_t self:process { setsched fork sigchld signal };
|
||||
allow procmail_t self:process { setsched signal };
|
||||
allow procmail_t self:fifo_file rw_file_perms;
|
||||
allow procmail_t self:unix_stream_socket create_socket_perms;
|
||||
allow procmail_t self:unix_dgram_socket create_socket_perms;
|
||||
@ -28,18 +28,15 @@ allow procmail_t self:udp_socket create_socket_perms;
|
||||
kernel_read_system_state(procmail_t)
|
||||
kernel_read_kernel_sysctls(procmail_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(procmail_t)
|
||||
corenet_tcp_sendrecv_all_if(procmail_t)
|
||||
corenet_raw_sendrecv_all_if(procmail_t)
|
||||
corenet_udp_sendrecv_all_if(procmail_t)
|
||||
corenet_tcp_sendrecv_all_nodes(procmail_t)
|
||||
corenet_udp_sendrecv_all_nodes(procmail_t)
|
||||
corenet_raw_sendrecv_all_nodes(procmail_t)
|
||||
corenet_tcp_sendrecv_all_ports(procmail_t)
|
||||
corenet_udp_sendrecv_all_ports(procmail_t)
|
||||
corenet_non_ipsec_sendrecv(procmail_t)
|
||||
corenet_tcp_bind_all_nodes(procmail_t)
|
||||
corenet_udp_bind_all_nodes(procmail_t)
|
||||
corenet_tcp_connect_spamd_port(procmail_t)
|
||||
corenet_sendrecv_spamd_client_packets(procmail_t)
|
||||
|
||||
dev_read_urand(procmail_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(pyzor,1.0.1)
|
||||
policy_module(pyzor,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -79,14 +79,13 @@ dev_read_urand(pyzord_t)
|
||||
|
||||
corecmd_exec_bin(pyzord_t)
|
||||
|
||||
corenet_raw_sendrecv_all_if(pyzord_t)
|
||||
corenet_non_ipsec_sendrecv(pyzord_t)
|
||||
corenet_udp_sendrecv_all_if(pyzord_t)
|
||||
corenet_udp_sendrecv_all_nodes(pyzord_t)
|
||||
corenet_raw_sendrecv_all_nodes(pyzord_t)
|
||||
corenet_udp_sendrecv_all_ports(pyzord_t)
|
||||
corenet_non_ipsec_sendrecv(pyzord_t)
|
||||
corenet_udp_bind_all_nodes(pyzord_t)
|
||||
corenet_udp_bind_pyzor_port(pyzord_t)
|
||||
corenet_sendrecv_pyzor_server_packets(pyzord_t)
|
||||
|
||||
files_read_etc_files(pyzord_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(qmail,1.0.0)
|
||||
policy_module(qmail,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -183,6 +183,7 @@ corenet_udp_sendrecv_generic_node(qmail_remote_t)
|
||||
corenet_tcp_sendrecv_smtp_port(qmail_remote_t)
|
||||
corenet_udp_sendrecv_dns_port(qmail_remote_t)
|
||||
corenet_tcp_connect_smtp_port(qmail_remote_t)
|
||||
corenet_sendrecv_smtp_client_packets(qmail_remote_t)
|
||||
|
||||
dev_read_rand(qmail_remote_t)
|
||||
dev_read_urand(qmail_remote_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(radius,1.1.0)
|
||||
policy_module(radius,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -50,21 +50,21 @@ files_pid_filetrans(radiusd_t,radiusd_var_run_t,file)
|
||||
kernel_read_kernel_sysctls(radiusd_t)
|
||||
kernel_read_system_state(radiusd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(radiusd_t)
|
||||
corenet_tcp_sendrecv_all_if(radiusd_t)
|
||||
corenet_udp_sendrecv_all_if(radiusd_t)
|
||||
corenet_raw_sendrecv_all_if(radiusd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(radiusd_t)
|
||||
corenet_udp_sendrecv_all_nodes(radiusd_t)
|
||||
corenet_raw_sendrecv_all_nodes(radiusd_t)
|
||||
corenet_tcp_sendrecv_all_ports(radiusd_t)
|
||||
corenet_udp_sendrecv_all_ports(radiusd_t)
|
||||
corenet_non_ipsec_sendrecv(radiusd_t)
|
||||
corenet_tcp_bind_all_nodes(radiusd_t)
|
||||
corenet_udp_bind_all_nodes(radiusd_t)
|
||||
corenet_udp_bind_radacct_port(radiusd_t)
|
||||
corenet_udp_bind_radius_port(radiusd_t)
|
||||
corenet_sendrecv_radius_server_packets(radiusd_t)
|
||||
corenet_sendrecv_radacct_server_packets(radiusd_t)
|
||||
# for RADIUS proxy port
|
||||
corenet_udp_bind_generic_port(radiusd_t)
|
||||
corenet_sendrecv_generic_server_packets(radiusd_t)
|
||||
|
||||
dev_read_sysfs(radiusd_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(radvd,1.1.0)
|
||||
policy_module(radvd,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -39,6 +39,7 @@ kernel_read_net_sysctls(radvd_t)
|
||||
kernel_read_network_state(radvd_t)
|
||||
kernel_read_system_state(radvd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(radvd_t)
|
||||
corenet_tcp_sendrecv_all_if(radvd_t)
|
||||
corenet_udp_sendrecv_all_if(radvd_t)
|
||||
corenet_raw_sendrecv_all_if(radvd_t)
|
||||
@ -47,9 +48,6 @@ corenet_udp_sendrecv_all_nodes(radvd_t)
|
||||
corenet_raw_sendrecv_all_nodes(radvd_t)
|
||||
corenet_tcp_sendrecv_all_ports(radvd_t)
|
||||
corenet_udp_sendrecv_all_ports(radvd_t)
|
||||
corenet_non_ipsec_sendrecv(radvd_t)
|
||||
corenet_tcp_bind_all_nodes(radvd_t)
|
||||
corenet_udp_bind_all_nodes(radvd_t)
|
||||
|
||||
dev_read_sysfs(radvd_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(rdisc,1.1.0)
|
||||
policy_module(rdisc,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -26,13 +26,12 @@ kernel_list_proc(rdisc_t)
|
||||
kernel_read_proc_symlinks(rdisc_t)
|
||||
kernel_read_kernel_sysctls(rdisc_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(rdisc_t)
|
||||
corenet_udp_sendrecv_generic_if(rdisc_t)
|
||||
corenet_raw_sendrecv_generic_if(rdisc_t)
|
||||
corenet_udp_sendrecv_all_nodes(rdisc_t)
|
||||
corenet_raw_sendrecv_all_nodes(rdisc_t)
|
||||
corenet_udp_sendrecv_all_ports(rdisc_t)
|
||||
corenet_non_ipsec_sendrecv(rdisc_t)
|
||||
corenet_udp_bind_all_nodes(rdisc_t)
|
||||
|
||||
dev_read_sysfs(rdisc_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(rhgb,1.0.0)
|
||||
policy_module(rhgb,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -46,18 +46,15 @@ kernel_read_system_state(rhgb_t)
|
||||
corecmd_exec_bin(rhgb_t)
|
||||
corecmd_exec_sbin(rhgb_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(rhgb_t)
|
||||
corenet_tcp_sendrecv_generic_if(rhgb_t)
|
||||
corenet_udp_sendrecv_generic_if(rhgb_t)
|
||||
corenet_raw_sendrecv_generic_if(rhgb_t)
|
||||
corenet_tcp_sendrecv_all_nodes(rhgb_t)
|
||||
corenet_udp_sendrecv_all_nodes(rhgb_t)
|
||||
corenet_raw_sendrecv_all_nodes(rhgb_t)
|
||||
corenet_tcp_sendrecv_all_ports(rhgb_t)
|
||||
corenet_udp_sendrecv_all_ports(rhgb_t)
|
||||
corenet_non_ipsec_sendrecv(rhgb_t)
|
||||
corenet_tcp_bind_all_nodes(rhgb_t)
|
||||
corenet_udp_bind_all_nodes(rhgb_t)
|
||||
corenet_tcp_connect_all_ports(rhgb_t)
|
||||
corenet_sendrecv_all_client_packets(rhgb_t)
|
||||
|
||||
dev_read_sysfs(rhgb_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(rlogin,1.1.0)
|
||||
policy_module(rlogin,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -51,17 +51,13 @@ kernel_read_kernel_sysctls(rlogind_t)
|
||||
kernel_read_system_state(rlogind_t)
|
||||
kernel_read_network_state(rlogind_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(rlogind_t)
|
||||
corenet_tcp_sendrecv_all_if(rlogind_t)
|
||||
corenet_udp_sendrecv_all_if(rlogind_t)
|
||||
corenet_raw_sendrecv_all_if(rlogind_t)
|
||||
corenet_tcp_sendrecv_all_nodes(rlogind_t)
|
||||
corenet_udp_sendrecv_all_nodes(rlogind_t)
|
||||
corenet_raw_sendrecv_all_nodes(rlogind_t)
|
||||
corenet_tcp_sendrecv_all_ports(rlogind_t)
|
||||
corenet_udp_sendrecv_all_ports(rlogind_t)
|
||||
corenet_non_ipsec_sendrecv(rlogind_t)
|
||||
corenet_tcp_bind_all_nodes(rlogind_t)
|
||||
corenet_udp_bind_all_nodes(rlogind_t)
|
||||
|
||||
dev_read_urand(rlogind_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(roundup,1.0.0)
|
||||
policy_module(roundup,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -55,9 +55,10 @@ corenet_raw_sendrecv_all_nodes(roundup_t)
|
||||
corenet_tcp_sendrecv_all_ports(roundup_t)
|
||||
corenet_udp_sendrecv_all_ports(roundup_t)
|
||||
corenet_tcp_bind_all_nodes(roundup_t)
|
||||
corenet_udp_bind_all_nodes(roundup_t)
|
||||
corenet_tcp_bind_http_cache_port(roundup_t)
|
||||
corenet_tcp_connect_smtp_port(roundup_t)
|
||||
corenet_sendrecv_http_cache_server_packets(roundup_t)
|
||||
corenet_sendrecv_smtp_client_packets(roundup_t)
|
||||
|
||||
# /usr/share/mysql/charsets/Index.xml
|
||||
dev_read_urand(roundup_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(rshd,1.1.0)
|
||||
policy_module(rshd,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -16,24 +16,23 @@ role system_r types rshd_t;
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
allow rshd_t self:capability { setuid setgid fowner fsetid chown dac_override};
|
||||
allow rshd_t self:capability { setuid setgid fowner fsetid chown dac_override };
|
||||
allow rshd_t self:process { signal_perms fork setsched setpgid setexec };
|
||||
allow rshd_t self:fifo_file rw_file_perms;
|
||||
allow rshd_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
kernel_read_kernel_sysctls(rshd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(rshd_t)
|
||||
corenet_tcp_sendrecv_generic_if(rshd_t)
|
||||
corenet_udp_sendrecv_generic_if(rshd_t)
|
||||
corenet_raw_sendrecv_generic_if(rshd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(rshd_t)
|
||||
corenet_udp_sendrecv_all_nodes(rshd_t)
|
||||
corenet_raw_sendrecv_all_nodes(rshd_t)
|
||||
corenet_tcp_sendrecv_all_ports(rshd_t)
|
||||
corenet_udp_sendrecv_all_ports(rshd_t)
|
||||
corenet_non_ipsec_sendrecv(rshd_t)
|
||||
corenet_tcp_bind_all_nodes(rshd_t)
|
||||
corenet_tcp_bind_rsh_port(rshd_t)
|
||||
corenet_sendrecv_rsh_server_packets(rshd_t)
|
||||
|
||||
dev_read_urand(rshd_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(rsync,1.2.3)
|
||||
policy_module(rsync,1.2.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -28,7 +28,7 @@ files_pid_file(rsync_var_run_t)
|
||||
allow rsync_t self:capability sys_chroot;
|
||||
allow rsync_t self:process signal_perms;
|
||||
allow rsync_t self:fifo_file rw_file_perms;
|
||||
allow rsync_t self:tcp_socket { listen accept connected_socket_perms };
|
||||
allow rsync_t self:tcp_socket create_stream_socket_perms;
|
||||
allow rsync_t self:udp_socket connected_socket_perms;
|
||||
|
||||
# for identd
|
||||
@ -54,18 +54,16 @@ kernel_read_kernel_sysctls(rsync_t)
|
||||
kernel_read_system_state(rsync_t)
|
||||
kernel_read_network_state(rsync_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(rsync_t)
|
||||
corenet_tcp_sendrecv_all_if(rsync_t)
|
||||
corenet_udp_sendrecv_all_if(rsync_t)
|
||||
corenet_raw_sendrecv_all_if(rsync_t)
|
||||
corenet_tcp_sendrecv_all_nodes(rsync_t)
|
||||
corenet_udp_sendrecv_all_nodes(rsync_t)
|
||||
corenet_raw_sendrecv_all_nodes(rsync_t)
|
||||
corenet_tcp_sendrecv_all_ports(rsync_t)
|
||||
corenet_udp_sendrecv_all_ports(rsync_t)
|
||||
corenet_non_ipsec_sendrecv(rsync_t)
|
||||
corenet_tcp_bind_all_nodes(rsync_t)
|
||||
corenet_udp_bind_all_nodes(rsync_t)
|
||||
corenet_tcp_bind_rsync_port(rsync_t)
|
||||
corenet_sendrecv_rsync_server_packets(rsync_t)
|
||||
|
||||
dev_read_urand(rsync_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(sasl,1.2.0)
|
||||
policy_module(sasl,1.2.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -34,14 +34,12 @@ files_pid_filetrans(saslauthd_t,saslauthd_var_run_t,file)
|
||||
kernel_read_kernel_sysctls(saslauthd_t)
|
||||
kernel_read_system_state(saslauthd_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(saslauthd_t)
|
||||
corenet_raw_sendrecv_all_if(saslauthd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(saslauthd_t)
|
||||
corenet_raw_sendrecv_all_nodes(saslauthd_t)
|
||||
corenet_tcp_sendrecv_all_ports(saslauthd_t)
|
||||
corenet_non_ipsec_sendrecv(saslauthd_t)
|
||||
corenet_tcp_bind_all_nodes(saslauthd_t)
|
||||
corenet_tcp_sendrecv_all_if(saslauthd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(saslauthd_t)
|
||||
corenet_tcp_sendrecv_all_ports(saslauthd_t)
|
||||
corenet_tcp_connect_pop_port(saslauthd_t)
|
||||
corenet_sendrecv_pop_client_packets(saslauthd_t)
|
||||
|
||||
dev_read_sysfs(saslauthd_t)
|
||||
dev_read_urand(saslauthd_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(smartmon,1.0.1)
|
||||
policy_module(smartmon,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -45,11 +45,8 @@ corecmd_exec_all_executables(fsdaemon_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(fsdaemon_t)
|
||||
corenet_udp_sendrecv_generic_if(fsdaemon_t)
|
||||
corenet_raw_sendrecv_generic_if(fsdaemon_t)
|
||||
corenet_udp_sendrecv_all_nodes(fsdaemon_t)
|
||||
corenet_raw_sendrecv_all_nodes(fsdaemon_t)
|
||||
corenet_udp_sendrecv_all_ports(fsdaemon_t)
|
||||
corenet_udp_bind_all_nodes(fsdaemon_t)
|
||||
|
||||
dev_read_sysfs(fsdaemon_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(snmp,1.1.1)
|
||||
policy_module(snmp,1.1.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -61,19 +61,18 @@ corecmd_exec_bin(snmpd_t)
|
||||
corecmd_exec_sbin(snmpd_t)
|
||||
corecmd_exec_shell(snmpd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(snmpd_t)
|
||||
corenet_tcp_sendrecv_all_if(snmpd_t)
|
||||
corenet_udp_sendrecv_all_if(snmpd_t)
|
||||
corenet_raw_sendrecv_all_if(snmpd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(snmpd_t)
|
||||
corenet_udp_sendrecv_all_nodes(snmpd_t)
|
||||
corenet_raw_sendrecv_all_nodes(snmpd_t)
|
||||
corenet_tcp_sendrecv_all_ports(snmpd_t)
|
||||
corenet_udp_sendrecv_all_ports(snmpd_t)
|
||||
corenet_non_ipsec_sendrecv(snmpd_t)
|
||||
corenet_tcp_bind_all_nodes(snmpd_t)
|
||||
corenet_udp_bind_all_nodes(snmpd_t)
|
||||
corenet_tcp_bind_snmp_port(snmpd_t)
|
||||
corenet_udp_bind_snmp_port(snmpd_t)
|
||||
corenet_sendrecv_snmp_server_packets(snmpd_t)
|
||||
|
||||
dev_list_sysfs(snmpd_t)
|
||||
dev_read_sysfs(snmpd_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(snort,1.0.0)
|
||||
policy_module(snort,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -65,8 +65,6 @@ corenet_udp_sendrecv_all_nodes(snort_t)
|
||||
corenet_raw_sendrecv_all_nodes(snort_t)
|
||||
corenet_tcp_sendrecv_all_ports(snort_t)
|
||||
corenet_udp_sendrecv_all_ports(snort_t)
|
||||
corenet_tcp_bind_all_nodes(snort_t)
|
||||
corenet_udp_bind_all_nodes(snort_t)
|
||||
|
||||
dev_read_sysfs(snort_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(soundserver,1.0.0)
|
||||
policy_module(soundserver,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -66,18 +66,16 @@ kernel_list_proc(soundd_t)
|
||||
kernel_read_proc_symlinks(soundd_t)
|
||||
kernel_tcp_recvfrom(soundd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(soundd_t)
|
||||
corenet_tcp_sendrecv_generic_if(soundd_t)
|
||||
corenet_udp_sendrecv_generic_if(soundd_t)
|
||||
corenet_raw_sendrecv_generic_if(soundd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(soundd_t)
|
||||
corenet_udp_sendrecv_all_nodes(soundd_t)
|
||||
corenet_raw_sendrecv_all_nodes(soundd_t)
|
||||
corenet_tcp_sendrecv_all_ports(soundd_t)
|
||||
corenet_udp_sendrecv_all_ports(soundd_t)
|
||||
corenet_non_ipsec_sendrecv(soundd_t)
|
||||
corenet_tcp_bind_all_nodes(soundd_t)
|
||||
corenet_udp_bind_all_nodes(soundd_t)
|
||||
corenet_tcp_bind_soundd_port(soundd_t)
|
||||
corenet_sendrecv_soundd_server_packets(soundd_t)
|
||||
|
||||
dev_read_sysfs(soundd_t)
|
||||
dev_read_sound(soundd_t)
|
||||
|
||||
@ -99,18 +99,15 @@ template(`spamassassin_per_userdomain_template',`
|
||||
kernel_read_kernel_sysctls($1_spamc_t)
|
||||
kernel_tcp_recvfrom($1_spamc_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv($1_spamc_t)
|
||||
corenet_tcp_sendrecv_generic_if($1_spamc_t)
|
||||
corenet_udp_sendrecv_generic_if($1_spamc_t)
|
||||
corenet_raw_sendrecv_generic_if($1_spamc_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_spamc_t)
|
||||
corenet_udp_sendrecv_all_nodes($1_spamc_t)
|
||||
corenet_raw_sendrecv_all_nodes($1_spamc_t)
|
||||
corenet_tcp_sendrecv_all_ports($1_spamc_t)
|
||||
corenet_udp_sendrecv_all_ports($1_spamc_t)
|
||||
corenet_non_ipsec_sendrecv($1_spamc_t)
|
||||
corenet_tcp_bind_all_nodes($1_spamc_t)
|
||||
corenet_udp_bind_all_nodes($1_spamc_t)
|
||||
corenet_tcp_connect_all_ports($1_spamc_t)
|
||||
corenet_sendrecv_all_client_packets($1_spamc_t)
|
||||
|
||||
fs_search_auto_mountpoints($1_spamc_t)
|
||||
|
||||
@ -166,10 +163,6 @@ template(`spamassassin_per_userdomain_template',`
|
||||
evolution_stream_connect($1,$1_spamc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
mount_send_nfs_client_request($1_spamc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind($1_spamc_t)
|
||||
')
|
||||
@ -287,18 +280,15 @@ template(`spamassassin_per_userdomain_template',`
|
||||
allow $1_spamassassin_t self:tcp_socket create_stream_socket_perms;
|
||||
allow $1_spamassassin_t self:udp_socket create_socket_perms;
|
||||
|
||||
corenet_non_ipsec_sendrecv($1_spamassassin_t)
|
||||
corenet_tcp_sendrecv_generic_if($1_spamassassin_t)
|
||||
corenet_udp_sendrecv_generic_if($1_spamassassin_t)
|
||||
corenet_raw_sendrecv_generic_if($1_spamassassin_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_spamassassin_t)
|
||||
corenet_udp_sendrecv_all_nodes($1_spamassassin_t)
|
||||
corenet_raw_sendrecv_all_nodes($1_spamassassin_t)
|
||||
corenet_tcp_sendrecv_all_ports($1_spamassassin_t)
|
||||
corenet_udp_sendrecv_all_ports($1_spamassassin_t)
|
||||
corenet_non_ipsec_sendrecv($1_spamassassin_t)
|
||||
corenet_tcp_bind_all_nodes($1_spamassassin_t)
|
||||
corenet_udp_bind_all_nodes($1_spamassassin_t)
|
||||
corenet_tcp_connect_all_ports($1_spamassassin_t)
|
||||
corenet_sendrecv_all_client_packets($1_spamassassin_t)
|
||||
|
||||
sysnet_read_config($1_spamassassin_t)
|
||||
')
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(spamassassin,1.3.7)
|
||||
policy_module(spamassassin,1.3.8)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -69,14 +69,18 @@ corenet_udp_sendrecv_all_nodes(spamd_t)
|
||||
corenet_tcp_sendrecv_all_ports(spamd_t)
|
||||
corenet_udp_sendrecv_all_ports(spamd_t)
|
||||
corenet_tcp_bind_all_nodes(spamd_t)
|
||||
corenet_udp_bind_all_nodes(spamd_t)
|
||||
corenet_tcp_bind_spamd_port(spamd_t)
|
||||
corenet_tcp_connect_razor_port(spamd_t)
|
||||
corenet_sendrecv_razor_client_packets(spamd_t)
|
||||
corenet_sendrecv_spamd_server_packets(spamd_t)
|
||||
# spamassassin 3.1 needs this for its
|
||||
# DnsResolver.pm module which binds to
|
||||
# random ports >= 1024.
|
||||
corenet_udp_bind_all_nodes(spamd_t)
|
||||
corenet_udp_bind_generic_port(spamd_t)
|
||||
corenet_udp_bind_imaze_port(spamd_t)
|
||||
corenet_sendrecv_imaze_server_packets(spamd_t)
|
||||
corenet_sendrecv_generic_server_packets(spamd_t)
|
||||
|
||||
dev_read_sysfs(spamd_t)
|
||||
dev_read_urand(spamd_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ssh,1.3.4)
|
||||
policy_module(ssh,1.3.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -82,6 +82,7 @@ ifdef(`strict_policy',`
|
||||
|
||||
# for X forwarding
|
||||
corenet_tcp_bind_xserver_port(sshd_t)
|
||||
corenet_sendrecv_xserver_server_packets(sshd_t)
|
||||
|
||||
mls_file_read_up(sshd_t)
|
||||
mls_file_write_down(sshd_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(tcpd,1.0.2)
|
||||
policy_module(tcpd,1.0.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -23,13 +23,10 @@ allow tcpd_t tcpd_tmp_t:dir create_dir_perms;
|
||||
allow tcpd_t tcpd_tmp_t:file create_file_perms;
|
||||
files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir })
|
||||
|
||||
corenet_raw_sendrecv_all_if(tcpd_t)
|
||||
corenet_non_ipsec_sendrecv(tcpd_t)
|
||||
corenet_tcp_sendrecv_all_if(tcpd_t)
|
||||
corenet_raw_sendrecv_all_nodes(tcpd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(tcpd_t)
|
||||
corenet_tcp_sendrecv_all_ports(tcpd_t)
|
||||
corenet_non_ipsec_sendrecv(tcpd_t)
|
||||
corenet_tcp_bind_all_nodes(tcpd_t)
|
||||
|
||||
fs_getattr_xattr_fs(tcpd_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(tftp,1.1.0)
|
||||
policy_module(tftp,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -41,18 +41,17 @@ kernel_read_kernel_sysctls(tftpd_t)
|
||||
kernel_list_proc(tftpd_t)
|
||||
kernel_read_proc_symlinks(tftpd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(tftpd_t)
|
||||
corenet_tcp_sendrecv_all_if(tftpd_t)
|
||||
corenet_udp_sendrecv_all_if(tftpd_t)
|
||||
corenet_raw_sendrecv_all_if(tftpd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(tftpd_t)
|
||||
corenet_udp_sendrecv_all_nodes(tftpd_t)
|
||||
corenet_raw_sendrecv_all_nodes(tftpd_t)
|
||||
corenet_tcp_sendrecv_all_ports(tftpd_t)
|
||||
corenet_udp_sendrecv_all_ports(tftpd_t)
|
||||
corenet_non_ipsec_sendrecv(tftpd_t)
|
||||
corenet_tcp_bind_all_nodes(tftpd_t)
|
||||
corenet_udp_bind_all_nodes(tftpd_t)
|
||||
corenet_udp_bind_tftp_port(tftpd_t)
|
||||
corenet_sendrecv_tftp_server_packets(tftpd_t)
|
||||
|
||||
dev_read_sysfs(tftpd_t)
|
||||
|
||||
@ -90,10 +89,6 @@ ifdef(`targeted_policy', `
|
||||
files_dontaudit_read_root_files(tftpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
mount_send_nfs_client_request(tftpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(tftpd_t)
|
||||
')
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(timidity,1.1.0)
|
||||
policy_module(timidity,1.1.1)
|
||||
|
||||
# Note: You only need this policy if you want to run timidity as a server
|
||||
|
||||
@ -39,17 +39,13 @@ kernel_read_kernel_sysctls(timidity_t)
|
||||
# read /proc/cpuinfo
|
||||
kernel_read_system_state(timidity_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(timidity_t)
|
||||
corenet_tcp_sendrecv_generic_if(timidity_t)
|
||||
corenet_udp_sendrecv_generic_if(timidity_t)
|
||||
corenet_raw_sendrecv_generic_if(timidity_t)
|
||||
corenet_tcp_sendrecv_all_nodes(timidity_t)
|
||||
corenet_udp_sendrecv_all_nodes(timidity_t)
|
||||
corenet_raw_sendrecv_all_nodes(timidity_t)
|
||||
corenet_tcp_sendrecv_all_ports(timidity_t)
|
||||
corenet_udp_sendrecv_all_ports(timidity_t)
|
||||
corenet_non_ipsec_sendrecv(timidity_t)
|
||||
corenet_tcp_bind_all_nodes(timidity_t)
|
||||
corenet_udp_bind_all_nodes(timidity_t)
|
||||
|
||||
dev_read_sysfs(timidity_t)
|
||||
dev_read_sound(timidity_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(tor,1.0.2)
|
||||
policy_module(tor,1.0.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -62,17 +62,19 @@ allow tor_t tor_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(tor_t,tor_var_run_t, { file sock_file })
|
||||
|
||||
# networking basics
|
||||
corenet_non_ipsec_sendrecv(tor_t)
|
||||
corenet_tcp_sendrecv_all_if(tor_t)
|
||||
corenet_tcp_sendrecv_all_nodes(tor_t)
|
||||
corenet_tcp_sendrecv_all_ports(tor_t)
|
||||
corenet_tcp_sendrecv_all_reserved_ports(tor_t)
|
||||
corenet_non_ipsec_sendrecv(tor_t)
|
||||
corenet_tcp_bind_all_nodes(tor_t)
|
||||
corenet_tcp_bind_tor_port(tor_t)
|
||||
corenet_sendrecv_tor_server_packets(tor_t)
|
||||
# TOR will need to connect to various ports
|
||||
corenet_tcp_connect_all_ports(tor_t)
|
||||
corenet_sendrecv_all_client_packets(tor_t)
|
||||
# ... especially including port 80 and other privileged ports
|
||||
corenet_tcp_connect_all_reserved_ports(tor_t)
|
||||
corenet_tcp_bind_tor_port(tor_t)
|
||||
corenet_tcp_bind_all_nodes(tor_t)
|
||||
|
||||
# tor uses crypto and needs random
|
||||
dev_read_urand(tor_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(transproxy,1.0.0)
|
||||
policy_module(transproxy,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -33,12 +33,11 @@ kernel_read_proc_symlinks(transproxy_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(transproxy_t)
|
||||
corenet_tcp_sendrecv_generic_if(transproxy_t)
|
||||
corenet_raw_sendrecv_generic_if(transproxy_t)
|
||||
corenet_tcp_sendrecv_all_nodes(transproxy_t)
|
||||
corenet_raw_sendrecv_all_nodes(transproxy_t)
|
||||
corenet_tcp_sendrecv_all_ports(transproxy_t)
|
||||
corenet_tcp_bind_all_nodes(transproxy_t)
|
||||
corenet_tcp_bind_transproxy_port(transproxy_t)
|
||||
corenet_sendrecv_transproxy_server_packets(transproxy_t)
|
||||
|
||||
dev_read_sysfs(transproxy_t)
|
||||
|
||||
|
||||
@ -52,9 +52,8 @@ optional_policy(`
|
||||
# Local policy for tcpserver
|
||||
#
|
||||
|
||||
allow ucspitcp_t self:capability { net_bind_service setgid setuid };
|
||||
allow ucspitcp_t self:capability { setgid setuid };
|
||||
allow ucspitcp_t self:fifo_file { read write };
|
||||
allow ucspitcp_t self:process { fork sigchld };
|
||||
allow ucspitcp_t self:tcp_socket create_stream_socket_perms;
|
||||
allow ucspitcp_t self:udp_socket create_socket_perms;
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(uucp,1.1.0)
|
||||
policy_module(uucp,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -67,17 +67,13 @@ kernel_read_kernel_sysctls(uucpd_t)
|
||||
kernel_read_system_state(uucpd_t)
|
||||
kernel_read_network_state(uucpd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(uucpd_t)
|
||||
corenet_tcp_sendrecv_all_if(uucpd_t)
|
||||
corenet_udp_sendrecv_all_if(uucpd_t)
|
||||
corenet_raw_sendrecv_all_if(uucpd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(uucpd_t)
|
||||
corenet_udp_sendrecv_all_nodes(uucpd_t)
|
||||
corenet_raw_sendrecv_all_nodes(uucpd_t)
|
||||
corenet_tcp_sendrecv_all_ports(uucpd_t)
|
||||
corenet_udp_sendrecv_all_ports(uucpd_t)
|
||||
corenet_non_ipsec_sendrecv(uucpd_t)
|
||||
corenet_tcp_bind_all_nodes(uucpd_t)
|
||||
corenet_udp_bind_all_nodes(uucpd_t)
|
||||
|
||||
dev_read_urand(uucpd_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(uwimap,1.0.0)
|
||||
policy_module(uwimap,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -42,13 +42,13 @@ kernel_read_proc_symlinks(imapd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(imapd_t)
|
||||
corenet_tcp_sendrecv_generic_if(imapd_t)
|
||||
corenet_raw_sendrecv_generic_if(imapd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(imapd_t)
|
||||
corenet_raw_sendrecv_all_nodes(imapd_t)
|
||||
corenet_tcp_sendrecv_all_ports(imapd_t)
|
||||
corenet_tcp_bind_all_nodes(imapd_t)
|
||||
corenet_tcp_bind_pop_port(imapd_t)
|
||||
corenet_tcp_connect_all_ports(imapd_t)
|
||||
corenet_sendrecv_pop_server_packets(imapd_t)
|
||||
corenet_sendrecv_all_client_packets(imapd_t)
|
||||
|
||||
dev_read_sysfs(imapd_t)
|
||||
#urandom, for ssl
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(watchdog,1.0.0)
|
||||
policy_module(watchdog,1.0.1)
|
||||
|
||||
#################################
|
||||
#
|
||||
@ -48,15 +48,12 @@ corecmd_exec_shell(watchdog_t)
|
||||
corenet_non_ipsec_sendrecv(watchdog_t)
|
||||
corenet_tcp_sendrecv_generic_if(watchdog_t)
|
||||
corenet_udp_sendrecv_generic_if(watchdog_t)
|
||||
corenet_raw_sendrecv_generic_if(watchdog_t)
|
||||
corenet_tcp_sendrecv_all_nodes(watchdog_t)
|
||||
corenet_udp_sendrecv_all_nodes(watchdog_t)
|
||||
corenet_raw_sendrecv_all_nodes(watchdog_t)
|
||||
corenet_tcp_sendrecv_all_ports(watchdog_t)
|
||||
corenet_udp_sendrecv_all_ports(watchdog_t)
|
||||
corenet_tcp_bind_all_nodes(watchdog_t)
|
||||
corenet_udp_bind_all_nodes(watchdog_t)
|
||||
corenet_tcp_connect_all_ports(watchdog_t)
|
||||
corenet_sendrecv_all_client_packets(watchdog_t)
|
||||
|
||||
dev_read_sysfs(watchdog_t)
|
||||
dev_write_watchdog(watchdog_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(xprint,1.0.0)
|
||||
policy_module(xprint,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -39,14 +39,10 @@ corecmd_exec_shell(xprint_t)
|
||||
corenet_non_ipsec_sendrecv(xprint_t)
|
||||
corenet_tcp_sendrecv_generic_if(xprint_t)
|
||||
corenet_udp_sendrecv_generic_if(xprint_t)
|
||||
corenet_raw_sendrecv_generic_if(xprint_t)
|
||||
corenet_tcp_sendrecv_all_nodes(xprint_t)
|
||||
corenet_udp_sendrecv_all_nodes(xprint_t)
|
||||
corenet_raw_sendrecv_all_nodes(xprint_t)
|
||||
corenet_tcp_sendrecv_all_ports(xprint_t)
|
||||
corenet_udp_sendrecv_all_ports(xprint_t)
|
||||
corenet_tcp_bind_all_nodes(xprint_t)
|
||||
corenet_udp_bind_all_nodes(xprint_t)
|
||||
|
||||
dev_read_sysfs(xprint_t)
|
||||
dev_read_urand(xprint_t)
|
||||
|
||||
@ -99,16 +99,15 @@ template(`xserver_common_domain_template',`
|
||||
corenet_non_ipsec_sendrecv($1_xserver_t)
|
||||
corenet_tcp_sendrecv_generic_if($1_xserver_t)
|
||||
corenet_udp_sendrecv_generic_if($1_xserver_t)
|
||||
corenet_raw_sendrecv_generic_if($1_xserver_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_xserver_t)
|
||||
corenet_udp_sendrecv_all_nodes($1_xserver_t)
|
||||
corenet_raw_sendrecv_all_nodes($1_xserver_t)
|
||||
corenet_tcp_sendrecv_all_ports($1_xserver_t)
|
||||
corenet_udp_sendrecv_all_ports($1_xserver_t)
|
||||
corenet_tcp_bind_all_nodes($1_xserver_t)
|
||||
corenet_udp_bind_all_nodes($1_xserver_t)
|
||||
corenet_tcp_bind_xserver_port($1_xserver_t)
|
||||
corenet_tcp_connect_all_ports($1_xserver_t)
|
||||
corenet_sendrecv_xserver_server_packets($1_xserver_t)
|
||||
corenet_sendrecv_all_client_packets($1_xserver_t)
|
||||
|
||||
dev_read_sysfs($1_xserver_t)
|
||||
dev_rw_mouse($1_xserver_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(xserver,1.1.6)
|
||||
policy_module(xserver,1.1.7)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -109,18 +109,17 @@ corecmd_exec_shell(xdm_t)
|
||||
corecmd_exec_bin(xdm_t)
|
||||
corecmd_exec_sbin(xdm_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(xdm_t)
|
||||
corenet_tcp_sendrecv_generic_if(xdm_t)
|
||||
corenet_udp_sendrecv_generic_if(xdm_t)
|
||||
corenet_raw_sendrecv_generic_if(xdm_t)
|
||||
corenet_tcp_sendrecv_all_nodes(xdm_t)
|
||||
corenet_udp_sendrecv_all_nodes(xdm_t)
|
||||
corenet_raw_sendrecv_all_nodes(xdm_t)
|
||||
corenet_tcp_sendrecv_all_ports(xdm_t)
|
||||
corenet_udp_sendrecv_all_ports(xdm_t)
|
||||
corenet_non_ipsec_sendrecv(xdm_t)
|
||||
corenet_tcp_bind_all_nodes(xdm_t)
|
||||
corenet_udp_bind_all_nodes(xdm_t)
|
||||
corenet_tcp_connect_all_ports(xdm_t)
|
||||
corenet_sendrecv_all_client_packets(xdm_t)
|
||||
# xdm tries to bind to biff_port_t
|
||||
corenet_dontaudit_tcp_bind_all_ports(xdm_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(zebra,1.2.0)
|
||||
policy_module(zebra,1.2.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -27,7 +27,7 @@ files_pid_file(zebra_var_run_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow zebra_t self:capability { setgid setuid net_admin net_raw net_bind_service };
|
||||
allow zebra_t self:capability { setgid setuid net_admin net_raw };
|
||||
dontaudit zebra_t self:capability sys_tty_config;
|
||||
allow zebra_t self:process { signal_perms setcap };
|
||||
allow zebra_t self:file { ioctl read write getattr lock append };
|
||||
@ -61,6 +61,7 @@ kernel_read_kernel_sysctls(zebra_t)
|
||||
kernel_tcp_recvfrom(zebra_t)
|
||||
kernel_rw_net_sysctls(zebra_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(zebra_t)
|
||||
corenet_tcp_sendrecv_all_if(zebra_t)
|
||||
corenet_udp_sendrecv_all_if(zebra_t)
|
||||
corenet_raw_sendrecv_all_if(zebra_t)
|
||||
@ -69,7 +70,6 @@ corenet_udp_sendrecv_all_nodes(zebra_t)
|
||||
corenet_raw_sendrecv_all_nodes(zebra_t)
|
||||
corenet_tcp_sendrecv_all_ports(zebra_t)
|
||||
corenet_udp_sendrecv_all_ports(zebra_t)
|
||||
corenet_non_ipsec_sendrecv(zebra_t)
|
||||
corenet_tcp_bind_all_nodes(zebra_t)
|
||||
corenet_udp_bind_all_nodes(zebra_t)
|
||||
corenet_tcp_bind_zebra_port(zebra_t)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user