more fixes

Chris PeBenito 2005-10-24 03:21:26 +00:00
parent 43989f82f8
commit 19b5555f77
7 changed files with 234 additions and 219 deletions


@ -46,9 +46,10 @@ network_port(amavisd_recv, tcp,10024,s0)
network_port(amavisd_send, tcp,10025,s0)
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
network_port(auth, tcp,113,s0)
dnl network_port(biff) # no defined portcon in current strict
type biff_port_t, port_type; dnl network_port(biff) # no defined portcon in current strict
network_port(clamd, tcp,3310,s0)
network_port(clockspeed, udp,4041,s0)
network_port(comsat, udp,512,s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(dcc, udp,6276,s0, udp,6277,s0)
network_port(dbskkd, tcp,1178,s0)
@ -66,7 +67,7 @@ network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,50000,s0, tcp,50002,s0)
dnl network_port(i18n_input) # no defined portcon in current strict
type i18n_input_t, port_type; dnl network_port(i18n_input) # no defined portcon in current strict
network_port(imaze, tcp,5323,s0, udp,5323,s0)
network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
network_port(innd, tcp,119,s0)
@ -109,7 +110,7 @@ network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
network_port(spamd, tcp,783,s0)
network_port(ssh, tcp,22,s0)
network_port(soundd, tcp,8000,s0, tcp,9433,s0)
dnl network_port(stunnel) # no defined portcon in current strict
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
network_port(swat, tcp,901,s0)
network_port(syslogd, udp,514,s0)
network_port(telnetd, tcp,23,s0)
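Review bot: The declaration added in the second hunk names the type `i18n_input_t`, while the parallel biff and stunnel lines in the first and third hunks use the `<name>_port_t` form that the `network_port()` macro presumably generates; if the port interfaces are derived from that convention, they will reference `i18n_input_port_t` and not find it. The line should read `type i18n_input_port_t, port_type; dnl network_port(i18n_input) # no defined portcon in current strict`. In all three hunks the `# no defined portcon in current strict` remark sits after `dnl`, which makes m4 discard the rest of the line, so the rationale never reaches the generated policy; putting it on its own line above each declaration keeps it visible. Because no portcon binds these types to a port, any rule granting access to them is a no-op until one is added, which is worth saying in that comment so the placeholder is not mistaken for effective access control.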


@ -48,6 +48,10 @@ type capifs_t, filesystem_type;
allow capifs_t self:filesystem associate;
genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
type configfs_t, filesystem_type;
allow configfs_t self:filesystem associate;
genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
type eventpollfs_t, filesystem_type;
genfscon eventpollfs / gen_context(system_u:object_r:eventpollfs_t,s0)


@ -254,9 +254,9 @@ optional_policy(`rpc.te',`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
auth_read_all_dirs_except_shadow(kernel_t)
auth_read_all_files_except_shadow(kernel_t)
auth_read_all_symlinks_except_shadow(kernel_t)
# auth_read_all_dirs_except_shadow(kernel_t)
# auth_read_all_files_except_shadow(kernel_t)
# auth_read_all_symlinks_except_shadow(kernel_t)
')
tunable_policy(`nfs_export_all_rw',`
@ -264,7 +264,7 @@ optional_policy(`rpc.te',`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
auth_manage_all_files_except_shadow(kernel_t)
# auth_manage_all_files_except_shadow(kernel_t)
')
')
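Review bot: The three `auth_read_all_*_except_shadow(kernel_t)` calls under `nfs_export_all_ro` and the `auth_manage_all_files_except_shadow(kernel_t)` call under `nfs_export_all_rw` are commented out without explanation, so both tunables now grant kernel_t only the `fs_read_noxattr_fs_*` access while their names still promise exporting all files. Whether the calls were disabled because the interfaces are not yet available or because the access was judged too broad cannot be seen here; a one-line comment above each, such as `# TODO: auth_*_except_shadow calls disabled pending <reason>`, would record which and would keep an administrator who toggles the tunable from expecting access that is not granted. The enclosing `optional_policy(`rpc.te',` block begins before this hunk.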


@ -21,6 +21,9 @@ domain_type(bluetooth_helper_t)
domain_entry_file(bluetooth_helper_t,bluetooth_helper_exec_t)
role system_r types bluetooth_helper_t;
type bluetooth_helper_tmp_t;
files_tmp_file(bluetooth_helper_tmp_t)
type bluetooth_lock_t;
files_lock_file(bluetooth_lock_t)
@ -168,9 +171,15 @@ allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms co
allow bluetooth_helper_t bluetooth_t:socket { read write };
allow bluetooth_helper_t bluetooth_helper_tmp_t:dir create_dir_perms;
allow bluetooth_helper_t bluetooth_helper_tmp_t:file create_file_perms;
files_create_tmp_files(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir })
kernel_read_system_state(bluetooth_helper_t)
kernel_read_kernel_sysctl(bluetooth_helper_t)
dev_read_urand(bluetooth_helper_t)
term_dontaudit_use_all_user_ttys(bluetooth_helper_t)
corecmd_exec_bin(bluetooth_helper_t)


@ -204,7 +204,7 @@ allow crond_t user_home_dir_type:dir r_dir_perms;
#
# System cron process domain
#
ifdef(`targeted_policy',`',`
allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
allow system_crond_t self:process { signal_perms setsched };
allow system_crond_t self:fifo_file rw_file_perms;
@ -415,3 +415,4 @@ r_dir_file(system_mail_t, crond_tmp_t)
allow system_crond_t syslogd_t:lnk_file read;
') dnl end TODO
')
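Review bot: The `ifdef(`targeted_policy',`',`` opened at the head of the system cron section is closed roughly two hundred lines later by a bare `')`, with nothing marking which conditional it ends; the adjacent `') dnl end TODO` shows the file's convention for this. Suggest `') dnl end targeted_policy` for the new closing line. If the system_crond_t type declaration sits inside the conditional, any rule elsewhere that names system_crond_t would presumably need the same guard to build under targeted_policy; where the type is declared is not visible in this hunk.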


@ -6,13 +6,13 @@
#
# /sbin
#
/sbin/rpc\..* -- gen_context(system_u:object_r:rpc_exec_t,s0)
/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
#
# /usr
#
/usr/sbin/exportfs -- gen_context(system_u:object_r:nfsd_exec_t,s0)
/usr/sbin/rpc.idmapd -- gen_context(system_u:object_r:rpc_exec_t,s0)
/usr/sbin/rpc.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0)
/usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
/usr/sbin/rpc\.mountd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
/usr/sbin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
@ -21,5 +21,5 @@
#
# /var
#
/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpc_var_run_t,s0)
/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpc_var_run_t,s0)
/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
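Review bot: The rewritten `/usr/sbin/rpc.idmapd` entry keeps an unescaped `.` while every other entry in the hunk writes `rpc\.`; file context paths are regular expressions, so the unescaped dot matches any single character in that position. Since the line is already being changed for the rpcd_exec_t rename, tighten it to `/usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0)`.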


@ -14,12 +14,12 @@ rpc_domain_template(gssd)
type gssd_tmp_t;
files_tmp_file(gssd_tmp_t)
type rpc_var_run_t;
files_pid_file(rpc_var_run_t)
type rpcd_var_run_t;
files_pid_file(rpcd_var_run_t)
# rpc_t is the domain of rpc daemons.
# rpcd_t is the domain of rpc daemons.
# rpc_exec_t is the type of rpc daemon programs.
rpc_domain_template(rpc)
rpc_domain_template(rpcd)
rpc_domain_template(nfsd)
@ -37,32 +37,32 @@ files_type(var_lib_nfs_t)
# RPC local policy
#
allow rpc_t self:fifo_file rw_file_perms;
allow rpc_t self:file { getattr read };
allow rpcd_t self:fifo_file rw_file_perms;
allow rpcd_t self:file { getattr read };
dontaudit userdomain exports_t:file getattr;
allow rpc_t rpc_var_run_t:file create_file_perms;
allow rpc_t rpc_var_run_t:dir create_dir_perms;
allow rpc_t rpc_var_run_t:dir setattr;
files_create_pid(rpc_t,rpc_var_run_t)
allow rpcd_t rpcd_var_run_t:file create_file_perms;
allow rpcd_t rpcd_var_run_t:dir create_dir_perms;
allow rpcd_t rpcd_var_run_t:dir setattr;
files_create_pid(rpcd_t,rpcd_var_run_t)
kernel_search_network_state(rpc_t)
kernel_search_network_state(rpcd_t)
# for rpc.rquotad
kernel_read_sysctl(rpc_t)
kernel_read_sysctl(rpcd_t)
fs_read_rpc_dirs(rpc_t)
fs_read_rpc_files(rpc_t)
fs_read_rpc_symlinks(rpc_t)
fs_read_rpc_sockets(rpc_t)
term_use_controlling_term(rpc_t)
fs_read_rpc_dirs(rpcd_t)
fs_read_rpc_files(rpcd_t)
fs_read_rpc_symlinks(rpcd_t)
fs_read_rpc_sockets(rpcd_t)
term_use_controlling_term(rpcd_t)
seutil_dontaudit_search_config(rpc_t)
seutil_dontaudit_search_config(rpcd_t)
# rpc_t needs to talk to the portmap_t domain
portmap_udp_sendrecv(rpc_t)
# rpcd_t needs to talk to the portmap_t domain
portmap_udp_sendrecv(rpcd_t)
ifdef(`distro_redhat', `
allow rpc_t self:capability { chown dac_override setgid setuid };
allow rpcd_t self:capability { chown dac_override setgid setuid };
')
########################################