corenet fixes
This commit is contained in:
Chris PeBenito
parent
a3754ffe12
commit
162dfc3395
@ -30,6 +30,7 @@ allow hald_t self:unix_dgram_socket create_socket_perms;
|
||||
allow hald_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
allow hald_t self:tcp_socket create_stream_socket_perms;
|
||||
allow hald_t self:udp_socket create_socket_perms;
|
||||
# For backwards compatibility with older kernels
|
||||
allow hald_t self:netlink_socket create_socket_perms;
|
||||
|
||||
@ -52,7 +53,9 @@ corenet_tcp_sendrecv_all_nodes(hald_t)
|
||||
corenet_udp_sendrecv_all_nodes(hald_t)
|
||||
corenet_raw_sendrecv_all_nodes(hald_t)
|
||||
corenet_tcp_sendrecv_all_ports(hald_t)
|
||||
corenet_udp_sendrecv_all_ports(hald_t)
|
||||
corenet_tcp_bind_all_nodes(hald_t)
|
||||
corenet_udp_bind_all_nodes(hald_t)
|
||||
|
||||
dev_read_sysfs(hald_t)
|
||||
dev_rw_usbfs(hald_t)
|
||||
|
||||
@ -169,6 +169,7 @@ optional_policy(`rhgb.te',`
|
||||
allow inetd_child_t self:process signal_perms;
|
||||
allow inetd_child_t self:fifo_file rw_file_perms;
|
||||
allow inetd_child_t self:tcp_socket { listen accept connected_socket_perms };
|
||||
allow inetd_child_t self:udp_socket connected_socket_perms;
|
||||
|
||||
# for identd
|
||||
allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
||||
@ -197,6 +198,7 @@ corenet_raw_sendrecv_all_nodes(inetd_child_t)
|
||||
corenet_tcp_sendrecv_all_ports(inetd_child_t)
|
||||
corenet_udp_sendrecv_all_ports(inetd_child_t)
|
||||
corenet_tcp_bind_all_nodes(inetd_child_t)
|
||||
corenet_udp_bind_all_nodes(inetd_child_t)
|
||||
|
||||
dev_read_urand(inetd_child_t)
|
||||
|
||||
|
||||
@ -85,11 +85,15 @@ kernel_list_proc(kadmind_t)
|
||||
kernel_read_proc_symlinks(kadmind_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(kadmind_t)
|
||||
corenet_udp_sendrecv_all_if(kadmind_t)
|
||||
corenet_raw_sendrecv_all_if(kadmind_t)
|
||||
corenet_tcp_sendrecv_all_nodes(kadmind_t)
|
||||
corenet_udp_sendrecv_all_nodes(kadmind_t)
|
||||
corenet_raw_sendrecv_all_nodes(kadmind_t)
|
||||
corenet_tcp_sendrecv_all_ports(kadmind_t)
|
||||
corenet_udp_sendrecv_all_ports(kadmind_t)
|
||||
corenet_tcp_bind_all_nodes(kadmind_t)
|
||||
corenet_udp_bind_all_nodes(kadmind_t)
|
||||
corenet_tcp_bind_kerberos_admin_port(kadmind_t)
|
||||
corenet_udp_bind_kerberos_admin_port(kadmind_t)
|
||||
corenet_tcp_bind_reserved_port(kadmind_t)
|
||||
@ -186,11 +190,15 @@ kernel_list_proc(krb5kdc_t)
|
||||
kernel_read_proc_symlinks(krb5kdc_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(krb5kdc_t)
|
||||
corenet_udp_sendrecv_all_if(krb5kdc_t)
|
||||
corenet_raw_sendrecv_all_if(krb5kdc_t)
|
||||
corenet_tcp_sendrecv_all_nodes(krb5kdc_t)
|
||||
corenet_udp_sendrecv_all_nodes(krb5kdc_t)
|
||||
corenet_raw_sendrecv_all_nodes(krb5kdc_t)
|
||||
corenet_tcp_sendrecv_all_ports(krb5kdc_t)
|
||||
corenet_udp_sendrecv_all_ports(krb5kdc_t)
|
||||
corenet_tcp_bind_all_nodes(krb5kdc_t)
|
||||
corenet_udp_bind_all_nodes(krb5kdc_t)
|
||||
corenet_tcp_bind_kerberos_port(krb5kdc_t)
|
||||
corenet_udp_bind_kerberos_port(krb5kdc_t)
|
||||
|
||||
|
||||
@ -25,6 +25,7 @@ files_pid_file(ktalkd_var_run_t)
|
||||
allow ktalkd_t self:process signal_perms;
|
||||
allow ktalkd_t self:fifo_file rw_file_perms;
|
||||
allow ktalkd_t self:tcp_socket connected_stream_socket_perms;
|
||||
allow ktalkd_t self:udp_socket connected_socket_perms;
|
||||
# for identd
|
||||
# cjp: this should probably only be inetd_child rules?
|
||||
allow ktalkd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
||||
@ -49,11 +50,15 @@ kernel_read_system_state(ktalkd_t)
|
||||
kernel_read_network_state(ktalkd_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(ktalkd_t)
|
||||
corenet_udp_sendrecv_all_if(ktalkd_t)
|
||||
corenet_raw_sendrecv_all_if(ktalkd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(ktalkd_t)
|
||||
corenet_udp_sendrecv_all_nodes(ktalkd_t)
|
||||
corenet_raw_sendrecv_all_nodes(ktalkd_t)
|
||||
corenet_tcp_bind_all_nodes(ktalkd_t)
|
||||
corenet_tcp_sendrecv_all_ports(ktalkd_t)
|
||||
corenet_udp_sendrecv_all_ports(ktalkd_t)
|
||||
corenet_tcp_bind_all_nodes(ktalkd_t)
|
||||
corenet_udp_bind_all_nodes(ktalkd_t)
|
||||
|
||||
dev_read_urand(ktalkd_t)
|
||||
|
||||
|
||||
@ -30,6 +30,7 @@ allow rsync_t self:capability sys_chroot;
|
||||
allow rsync_t self:process signal_perms;
|
||||
allow rsync_t self:fifo_file rw_file_perms;
|
||||
allow rsync_t self:tcp_socket { listen accept connected_socket_perms };
|
||||
allow rsync_t self:udp_socket connected_socket_perms;
|
||||
|
||||
# for identd
|
||||
# cjp: this should probably only be inetd_child_t rules?
|
||||
@ -54,11 +55,15 @@ kernel_read_system_state(rsync_t)
|
||||
kernel_read_network_state(rsync_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(rsync_t)
|
||||
corenet_udp_sendrecv_all_if(rsync_t)
|
||||
corenet_raw_sendrecv_all_if(rsync_t)
|
||||
corenet_tcp_sendrecv_all_nodes(rsync_t)
|
||||
corenet_udp_sendrecv_all_nodes(rsync_t)
|
||||
corenet_raw_sendrecv_all_nodes(rsync_t)
|
||||
corenet_tcp_sendrecv_all_ports(rsync_t)
|
||||
corenet_udp_sendrecv_all_ports(rsync_t)
|
||||
corenet_tcp_bind_all_nodes(rsync_t)
|
||||
corenet_udp_bind_all_nodes(rsync_t)
|
||||
|
||||
dev_read_urand(rsync_t)
|
||||
|
||||
|
||||
@ -30,6 +30,7 @@ allow snmpd_t self:fifo_file rw_file_perms;
|
||||
allow snmpd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow snmpd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow snmpd_t self:udp_socket connected_stream_socket_perms;
|
||||
|
||||
allow snmpd_t snmpd_etc_t:file { getattr read };
|
||||
|
||||
@ -55,11 +56,15 @@ kernel_read_network_state(snmpd_t)
|
||||
kernel_tcp_recvfrom(snmpd_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(snmpd_t)
|
||||
corenet_udp_sendrecv_all_if(snmpd_t)
|
||||
corenet_raw_sendrecv_all_if(snmpd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(snmpd_t)
|
||||
corenet_udp_sendrecv_all_nodes(snmpd_t)
|
||||
corenet_raw_sendrecv_all_nodes(snmpd_t)
|
||||
corenet_tcp_sendrecv_all_ports(snmpd_t)
|
||||
corenet_udp_sendrecv_all_ports(snmpd_t)
|
||||
corenet_tcp_bind_all_nodes(snmpd_t)
|
||||
corenet_udp_bind_all_nodes(snmpd_t)
|
||||
corenet_tcp_bind_snmp_port(snmpd_t)
|
||||
corenet_udp_bind_snmp_port(snmpd_t)
|
||||
|
||||
|
||||
@ -65,9 +65,10 @@ corenet_raw_sendrecv_all_if(spamd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(spamd_t)
|
||||
corenet_udp_sendrecv_all_nodes(spamd_t)
|
||||
corenet_raw_sendrecv_all_nodes(spamd_t)
|
||||
corenet_tcp_sendrecv_all_ports(spamd_t)
|
||||
corenet_udp_sendrecv_all_ports(spamd_t)
|
||||
corenet_tcp_bind_all_nodes(spamd_t)
|
||||
corenet_udp_bind_all_nodes(spamd_t)
|
||||
corenet_tcp_sendrecv_all_ports(spamd_t)
|
||||
corenet_tcp_bind_spamd_port(spamd_t)
|
||||
|
||||
dev_read_sysfs(spamd_t)
|
||||
|
||||
@ -176,6 +176,10 @@ optional_policy(`authlogin.te',`
|
||||
auth_rw_login_records(init_t)
|
||||
')
|
||||
|
||||
optional_policy(`nscd.te',`
|
||||
nscd_use_socket(init_t)
|
||||
')
|
||||
|
||||
optional_policy(`portmap.te',`
|
||||
portmap_udp_sendto(init_t)
|
||||
')
|
||||
|
||||
Loading…
Reference in New Issue
Block a user