corenet fixes
This commit is contained in:
parent
a3754ffe12
commit
162dfc3395
@ -30,6 +30,7 @@ allow hald_t self:unix_dgram_socket create_socket_perms;
|
|||||||
allow hald_t self:netlink_route_socket r_netlink_socket_perms;
|
allow hald_t self:netlink_route_socket r_netlink_socket_perms;
|
||||||
allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
|
allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||||
allow hald_t self:tcp_socket create_stream_socket_perms;
|
allow hald_t self:tcp_socket create_stream_socket_perms;
|
||||||
|
allow hald_t self:udp_socket create_socket_perms;
|
||||||
# For backwards compatibility with older kernels
|
# For backwards compatibility with older kernels
|
||||||
allow hald_t self:netlink_socket create_socket_perms;
|
allow hald_t self:netlink_socket create_socket_perms;
|
||||||
|
|
||||||
@ -52,7 +53,9 @@ corenet_tcp_sendrecv_all_nodes(hald_t)
|
|||||||
corenet_udp_sendrecv_all_nodes(hald_t)
|
corenet_udp_sendrecv_all_nodes(hald_t)
|
||||||
corenet_raw_sendrecv_all_nodes(hald_t)
|
corenet_raw_sendrecv_all_nodes(hald_t)
|
||||||
corenet_tcp_sendrecv_all_ports(hald_t)
|
corenet_tcp_sendrecv_all_ports(hald_t)
|
||||||
|
corenet_udp_sendrecv_all_ports(hald_t)
|
||||||
corenet_tcp_bind_all_nodes(hald_t)
|
corenet_tcp_bind_all_nodes(hald_t)
|
||||||
|
corenet_udp_bind_all_nodes(hald_t)
|
||||||
|
|
||||||
dev_read_sysfs(hald_t)
|
dev_read_sysfs(hald_t)
|
||||||
dev_rw_usbfs(hald_t)
|
dev_rw_usbfs(hald_t)
|
||||||
|
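Review bot: `corenet_udp_bind_all_nodes(hald_t)` is granted in the second hald hunk without any accompanying `corenet_udp_bind_*_port` interface, so the hunk itself does not say what UDP bind hald needs. If hald only sends and receives on an unbound socket the node-bind grant can be dropped; if it listens on a fixed port, the specific port interface should go next to it so the rule documents itself. Presumably this came from an observed denial — a short comment above `allow hald_t self:udp_socket create_socket_perms;` naming the feature that needs UDP would make the grant easy to audit later.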
@ -169,6 +169,7 @@ optional_policy(`rhgb.te',`
|
|||||||
allow inetd_child_t self:process signal_perms;
|
allow inetd_child_t self:process signal_perms;
|
||||||
allow inetd_child_t self:fifo_file rw_file_perms;
|
allow inetd_child_t self:fifo_file rw_file_perms;
|
||||||
allow inetd_child_t self:tcp_socket { listen accept connected_socket_perms };
|
allow inetd_child_t self:tcp_socket { listen accept connected_socket_perms };
|
||||||
|
allow inetd_child_t self:udp_socket connected_socket_perms;
|
||||||
|
|
||||||
# for identd
|
# for identd
|
||||||
allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
||||||
@ -197,6 +198,7 @@ corenet_raw_sendrecv_all_nodes(inetd_child_t)
|
|||||||
corenet_tcp_sendrecv_all_ports(inetd_child_t)
|
corenet_tcp_sendrecv_all_ports(inetd_child_t)
|
||||||
corenet_udp_sendrecv_all_ports(inetd_child_t)
|
corenet_udp_sendrecv_all_ports(inetd_child_t)
|
||||||
corenet_tcp_bind_all_nodes(inetd_child_t)
|
corenet_tcp_bind_all_nodes(inetd_child_t)
|
||||||
|
corenet_udp_bind_all_nodes(inetd_child_t)
|
||||||
|
|
||||||
dev_read_urand(inetd_child_t)
|
dev_read_urand(inetd_child_t)
|
||||||
|
|
||||||
|
@ -85,11 +85,15 @@ kernel_list_proc(kadmind_t)
|
|||||||
kernel_read_proc_symlinks(kadmind_t)
|
kernel_read_proc_symlinks(kadmind_t)
|
||||||
|
|
||||||
corenet_tcp_sendrecv_all_if(kadmind_t)
|
corenet_tcp_sendrecv_all_if(kadmind_t)
|
||||||
|
corenet_udp_sendrecv_all_if(kadmind_t)
|
||||||
corenet_raw_sendrecv_all_if(kadmind_t)
|
corenet_raw_sendrecv_all_if(kadmind_t)
|
||||||
corenet_tcp_sendrecv_all_nodes(kadmind_t)
|
corenet_tcp_sendrecv_all_nodes(kadmind_t)
|
||||||
|
corenet_udp_sendrecv_all_nodes(kadmind_t)
|
||||||
corenet_raw_sendrecv_all_nodes(kadmind_t)
|
corenet_raw_sendrecv_all_nodes(kadmind_t)
|
||||||
corenet_tcp_sendrecv_all_ports(kadmind_t)
|
corenet_tcp_sendrecv_all_ports(kadmind_t)
|
||||||
|
corenet_udp_sendrecv_all_ports(kadmind_t)
|
||||||
corenet_tcp_bind_all_nodes(kadmind_t)
|
corenet_tcp_bind_all_nodes(kadmind_t)
|
||||||
|
corenet_udp_bind_all_nodes(kadmind_t)
|
||||||
corenet_tcp_bind_kerberos_admin_port(kadmind_t)
|
corenet_tcp_bind_kerberos_admin_port(kadmind_t)
|
||||||
corenet_udp_bind_kerberos_admin_port(kadmind_t)
|
corenet_udp_bind_kerberos_admin_port(kadmind_t)
|
||||||
corenet_tcp_bind_reserved_port(kadmind_t)
|
corenet_tcp_bind_reserved_port(kadmind_t)
|
||||||
@ -186,11 +190,15 @@ kernel_list_proc(krb5kdc_t)
|
|||||||
kernel_read_proc_symlinks(krb5kdc_t)
|
kernel_read_proc_symlinks(krb5kdc_t)
|
||||||
|
|
||||||
corenet_tcp_sendrecv_all_if(krb5kdc_t)
|
corenet_tcp_sendrecv_all_if(krb5kdc_t)
|
||||||
|
corenet_udp_sendrecv_all_if(krb5kdc_t)
|
||||||
corenet_raw_sendrecv_all_if(krb5kdc_t)
|
corenet_raw_sendrecv_all_if(krb5kdc_t)
|
||||||
corenet_tcp_sendrecv_all_nodes(krb5kdc_t)
|
corenet_tcp_sendrecv_all_nodes(krb5kdc_t)
|
||||||
|
corenet_udp_sendrecv_all_nodes(krb5kdc_t)
|
||||||
corenet_raw_sendrecv_all_nodes(krb5kdc_t)
|
corenet_raw_sendrecv_all_nodes(krb5kdc_t)
|
||||||
corenet_tcp_sendrecv_all_ports(krb5kdc_t)
|
corenet_tcp_sendrecv_all_ports(krb5kdc_t)
|
||||||
|
corenet_udp_sendrecv_all_ports(krb5kdc_t)
|
||||||
corenet_tcp_bind_all_nodes(krb5kdc_t)
|
corenet_tcp_bind_all_nodes(krb5kdc_t)
|
||||||
|
corenet_udp_bind_all_nodes(krb5kdc_t)
|
||||||
corenet_tcp_bind_kerberos_port(krb5kdc_t)
|
corenet_tcp_bind_kerberos_port(krb5kdc_t)
|
||||||
corenet_udp_bind_kerberos_port(krb5kdc_t)
|
corenet_udp_bind_kerberos_port(krb5kdc_t)
|
||||||
|
|
||||||
|
@ -25,6 +25,7 @@ files_pid_file(ktalkd_var_run_t)
|
|||||||
allow ktalkd_t self:process signal_perms;
|
allow ktalkd_t self:process signal_perms;
|
||||||
allow ktalkd_t self:fifo_file rw_file_perms;
|
allow ktalkd_t self:fifo_file rw_file_perms;
|
||||||
allow ktalkd_t self:tcp_socket connected_stream_socket_perms;
|
allow ktalkd_t self:tcp_socket connected_stream_socket_perms;
|
||||||
|
allow ktalkd_t self:udp_socket connected_socket_perms;
|
||||||
# for identd
|
# for identd
|
||||||
# cjp: this should probably only be inetd_child rules?
|
# cjp: this should probably only be inetd_child rules?
|
||||||
allow ktalkd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
allow ktalkd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
||||||
@ -49,11 +50,15 @@ kernel_read_system_state(ktalkd_t)
|
|||||||
kernel_read_network_state(ktalkd_t)
|
kernel_read_network_state(ktalkd_t)
|
||||||
|
|
||||||
corenet_tcp_sendrecv_all_if(ktalkd_t)
|
corenet_tcp_sendrecv_all_if(ktalkd_t)
|
||||||
|
corenet_udp_sendrecv_all_if(ktalkd_t)
|
||||||
corenet_raw_sendrecv_all_if(ktalkd_t)
|
corenet_raw_sendrecv_all_if(ktalkd_t)
|
||||||
corenet_tcp_sendrecv_all_nodes(ktalkd_t)
|
corenet_tcp_sendrecv_all_nodes(ktalkd_t)
|
||||||
|
corenet_udp_sendrecv_all_nodes(ktalkd_t)
|
||||||
corenet_raw_sendrecv_all_nodes(ktalkd_t)
|
corenet_raw_sendrecv_all_nodes(ktalkd_t)
|
||||||
corenet_tcp_bind_all_nodes(ktalkd_t)
|
|
||||||
corenet_tcp_sendrecv_all_ports(ktalkd_t)
|
corenet_tcp_sendrecv_all_ports(ktalkd_t)
|
||||||
|
corenet_udp_sendrecv_all_ports(ktalkd_t)
|
||||||
|
corenet_tcp_bind_all_nodes(ktalkd_t)
|
||||||
|
corenet_udp_bind_all_nodes(ktalkd_t)
|
||||||
|
|
||||||
dev_read_urand(ktalkd_t)
|
dev_read_urand(ktalkd_t)
|
||||||
|
|
||||||
|
@ -30,6 +30,7 @@ allow rsync_t self:capability sys_chroot;
|
|||||||
allow rsync_t self:process signal_perms;
|
allow rsync_t self:process signal_perms;
|
||||||
allow rsync_t self:fifo_file rw_file_perms;
|
allow rsync_t self:fifo_file rw_file_perms;
|
||||||
allow rsync_t self:tcp_socket { listen accept connected_socket_perms };
|
allow rsync_t self:tcp_socket { listen accept connected_socket_perms };
|
||||||
|
allow rsync_t self:udp_socket connected_socket_perms;
|
||||||
|
|
||||||
# for identd
|
# for identd
|
||||||
# cjp: this should probably only be inetd_child_t rules?
|
# cjp: this should probably only be inetd_child_t rules?
|
||||||
@ -54,11 +55,15 @@ kernel_read_system_state(rsync_t)
|
|||||||
kernel_read_network_state(rsync_t)
|
kernel_read_network_state(rsync_t)
|
||||||
|
|
||||||
corenet_tcp_sendrecv_all_if(rsync_t)
|
corenet_tcp_sendrecv_all_if(rsync_t)
|
||||||
|
corenet_udp_sendrecv_all_if(rsync_t)
|
||||||
corenet_raw_sendrecv_all_if(rsync_t)
|
corenet_raw_sendrecv_all_if(rsync_t)
|
||||||
corenet_tcp_sendrecv_all_nodes(rsync_t)
|
corenet_tcp_sendrecv_all_nodes(rsync_t)
|
||||||
|
corenet_udp_sendrecv_all_nodes(rsync_t)
|
||||||
corenet_raw_sendrecv_all_nodes(rsync_t)
|
corenet_raw_sendrecv_all_nodes(rsync_t)
|
||||||
corenet_tcp_sendrecv_all_ports(rsync_t)
|
corenet_tcp_sendrecv_all_ports(rsync_t)
|
||||||
|
corenet_udp_sendrecv_all_ports(rsync_t)
|
||||||
corenet_tcp_bind_all_nodes(rsync_t)
|
corenet_tcp_bind_all_nodes(rsync_t)
|
||||||
|
corenet_udp_bind_all_nodes(rsync_t)
|
||||||
|
|
||||||
dev_read_urand(rsync_t)
|
dev_read_urand(rsync_t)
|
||||||
|
|
||||||
|
@ -30,6 +30,7 @@ allow snmpd_t self:fifo_file rw_file_perms;
|
|||||||
allow snmpd_t self:unix_dgram_socket create_socket_perms;
|
allow snmpd_t self:unix_dgram_socket create_socket_perms;
|
||||||
allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
|
allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
allow snmpd_t self:tcp_socket create_stream_socket_perms;
|
allow snmpd_t self:tcp_socket create_stream_socket_perms;
|
||||||
|
allow snmpd_t self:udp_socket connected_stream_socket_perms;
|
||||||
|
|
||||||
allow snmpd_t snmpd_etc_t:file { getattr read };
|
allow snmpd_t snmpd_etc_t:file { getattr read };
|
||||||
|
|
||||||
@ -55,11 +56,15 @@ kernel_read_network_state(snmpd_t)
|
|||||||
kernel_tcp_recvfrom(snmpd_t)
|
kernel_tcp_recvfrom(snmpd_t)
|
||||||
|
|
||||||
corenet_tcp_sendrecv_all_if(snmpd_t)
|
corenet_tcp_sendrecv_all_if(snmpd_t)
|
||||||
|
corenet_udp_sendrecv_all_if(snmpd_t)
|
||||||
corenet_raw_sendrecv_all_if(snmpd_t)
|
corenet_raw_sendrecv_all_if(snmpd_t)
|
||||||
corenet_tcp_sendrecv_all_nodes(snmpd_t)
|
corenet_tcp_sendrecv_all_nodes(snmpd_t)
|
||||||
|
corenet_udp_sendrecv_all_nodes(snmpd_t)
|
||||||
corenet_raw_sendrecv_all_nodes(snmpd_t)
|
corenet_raw_sendrecv_all_nodes(snmpd_t)
|
||||||
corenet_tcp_sendrecv_all_ports(snmpd_t)
|
corenet_tcp_sendrecv_all_ports(snmpd_t)
|
||||||
|
corenet_udp_sendrecv_all_ports(snmpd_t)
|
||||||
corenet_tcp_bind_all_nodes(snmpd_t)
|
corenet_tcp_bind_all_nodes(snmpd_t)
|
||||||
|
corenet_udp_bind_all_nodes(snmpd_t)
|
||||||
corenet_tcp_bind_snmp_port(snmpd_t)
|
corenet_tcp_bind_snmp_port(snmpd_t)
|
||||||
corenet_udp_bind_snmp_port(snmpd_t)
|
corenet_udp_bind_snmp_port(snmpd_t)
|
||||||
|
|
||||||
|
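Review bot: `allow snmpd_t self:udp_socket connected_stream_socket_perms;` in the first snmpd hunk applies a stream permission set to a datagram socket, which grants `listen` and `accept` that have no meaning for UDP and, if I read the refpolicy sets correctly, leaves out `connect`. The TCP rule directly above uses `create_stream_socket_perms`, and the UDP rule this same commit adds for hald_t uses `create_socket_perms`; the consistent datagram form here is `allow snmpd_t self:udp_socket create_socket_perms;`.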
@ -65,9 +65,10 @@ corenet_raw_sendrecv_all_if(spamd_t)
|
|||||||
corenet_tcp_sendrecv_all_nodes(spamd_t)
|
corenet_tcp_sendrecv_all_nodes(spamd_t)
|
||||||
corenet_udp_sendrecv_all_nodes(spamd_t)
|
corenet_udp_sendrecv_all_nodes(spamd_t)
|
||||||
corenet_raw_sendrecv_all_nodes(spamd_t)
|
corenet_raw_sendrecv_all_nodes(spamd_t)
|
||||||
|
corenet_tcp_sendrecv_all_ports(spamd_t)
|
||||||
|
corenet_udp_sendrecv_all_ports(spamd_t)
|
||||||
corenet_tcp_bind_all_nodes(spamd_t)
|
corenet_tcp_bind_all_nodes(spamd_t)
|
||||||
corenet_udp_bind_all_nodes(spamd_t)
|
corenet_udp_bind_all_nodes(spamd_t)
|
||||||
corenet_tcp_sendrecv_all_ports(spamd_t)
|
|
||||||
corenet_tcp_bind_spamd_port(spamd_t)
|
corenet_tcp_bind_spamd_port(spamd_t)
|
||||||
|
|
||||||
dev_read_sysfs(spamd_t)
|
dev_read_sysfs(spamd_t)
|
||||||
|
@ -176,6 +176,10 @@ optional_policy(`authlogin.te',`
|
|||||||
auth_rw_login_records(init_t)
|
auth_rw_login_records(init_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`nscd.te',`
|
||||||
|
nscd_use_socket(init_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`portmap.te',`
|
optional_policy(`portmap.te',`
|
||||||
portmap_udp_sendto(init_t)
|
portmap_udp_sendto(init_t)
|
||||||
')
|
')
|
||||||
|
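Review bot: The `optional_policy(`nscd.te',` block granting `nscd_use_socket(init_t)` is unrelated to the corenet changes the commit title describes, and nothing in the hunk says why init_t needs nscd's socket. Either split it into its own commit or add a one-line comment above the block stating the reason for the grant, so it can be traced later. The surrounding policy file continues outside the hunk.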