Whitespace, newline and tab fixes.
This commit is contained in:
parent
39178aaf8a
commit
1e2abee10b
@ -6,7 +6,6 @@ policy_module(razor, 2.1.1)
|
||||
#
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
|
||||
gen_require(`
|
||||
type spamc_t, spamc_exec_t, spamd_log_t;
|
||||
type spamd_spool_t, spamd_var_lib_t, spamd_etc_t;
|
||||
@ -23,126 +22,123 @@ ifdef(`distro_redhat',`
|
||||
typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
|
||||
typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
|
||||
typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
|
||||
|
||||
',`
|
||||
type razor_exec_t;
|
||||
corecmd_executable_file(razor_exec_t)
|
||||
|
||||
type razor_exec_t;
|
||||
corecmd_executable_file(razor_exec_t)
|
||||
type razor_etc_t;
|
||||
files_config_file(razor_etc_t)
|
||||
|
||||
type razor_etc_t;
|
||||
files_config_file(razor_etc_t)
|
||||
type razor_home_t;
|
||||
typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
|
||||
typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
|
||||
files_poly_member(razor_home_t)
|
||||
userdom_user_home_content(razor_home_t)
|
||||
|
||||
type razor_home_t;
|
||||
typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
|
||||
typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
|
||||
files_poly_member(razor_home_t)
|
||||
userdom_user_home_content(razor_home_t)
|
||||
type razor_log_t;
|
||||
logging_log_file(razor_log_t)
|
||||
|
||||
type razor_log_t;
|
||||
logging_log_file(razor_log_t)
|
||||
type razor_tmp_t;
|
||||
typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
|
||||
typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
|
||||
files_tmp_file(razor_tmp_t)
|
||||
ubac_constrained(razor_tmp_t)
|
||||
|
||||
type razor_tmp_t;
|
||||
typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
|
||||
typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
|
||||
files_tmp_file(razor_tmp_t)
|
||||
ubac_constrained(razor_tmp_t)
|
||||
type razor_var_lib_t;
|
||||
files_type(razor_var_lib_t)
|
||||
|
||||
type razor_var_lib_t;
|
||||
files_type(razor_var_lib_t)
|
||||
# these are here due to ordering issues:
|
||||
razor_common_domain_template(razor)
|
||||
typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
|
||||
typealias razor_t alias { auditadm_razor_t secadm_razor_t };
|
||||
ubac_constrained(razor_t)
|
||||
|
||||
# these are here due to ordering issues:
|
||||
razor_common_domain_template(razor)
|
||||
typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
|
||||
typealias razor_t alias { auditadm_razor_t secadm_razor_t };
|
||||
ubac_constrained(razor_t)
|
||||
razor_common_domain_template(system_razor)
|
||||
role system_r types system_razor_t;
|
||||
|
||||
razor_common_domain_template(system_razor)
|
||||
role system_r types system_razor_t;
|
||||
########################################
|
||||
#
|
||||
# System razor local policy
|
||||
#
|
||||
|
||||
########################################
|
||||
#
|
||||
# System razor local policy
|
||||
#
|
||||
# this version of razor is invoked typically
|
||||
# via the system spam filter
|
||||
|
||||
# this version of razor is invoked typically
|
||||
# via the system spam filter
|
||||
allow system_razor_t self:tcp_socket create_socket_perms;
|
||||
|
||||
allow system_razor_t self:tcp_socket create_socket_perms;
|
||||
manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
|
||||
manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
|
||||
manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
|
||||
files_search_etc(system_razor_t)
|
||||
|
||||
manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
|
||||
manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
|
||||
manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
|
||||
files_search_etc(system_razor_t)
|
||||
allow system_razor_t razor_log_t:file manage_file_perms;
|
||||
logging_log_filetrans(system_razor_t, razor_log_t, file)
|
||||
|
||||
allow system_razor_t razor_log_t:file manage_file_perms;
|
||||
logging_log_filetrans(system_razor_t, razor_log_t, file)
|
||||
manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
|
||||
files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
|
||||
|
||||
manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
|
||||
files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
|
||||
corenet_all_recvfrom_unlabeled(system_razor_t)
|
||||
corenet_all_recvfrom_netlabel(system_razor_t)
|
||||
corenet_tcp_sendrecv_generic_if(system_razor_t)
|
||||
corenet_raw_sendrecv_generic_if(system_razor_t)
|
||||
corenet_tcp_sendrecv_generic_node(system_razor_t)
|
||||
corenet_raw_sendrecv_generic_node(system_razor_t)
|
||||
corenet_tcp_sendrecv_razor_port(system_razor_t)
|
||||
corenet_tcp_connect_razor_port(system_razor_t)
|
||||
corenet_sendrecv_razor_client_packets(system_razor_t)
|
||||
|
||||
corenet_all_recvfrom_unlabeled(system_razor_t)
|
||||
corenet_all_recvfrom_netlabel(system_razor_t)
|
||||
corenet_tcp_sendrecv_generic_if(system_razor_t)
|
||||
corenet_raw_sendrecv_generic_if(system_razor_t)
|
||||
corenet_tcp_sendrecv_generic_node(system_razor_t)
|
||||
corenet_raw_sendrecv_generic_node(system_razor_t)
|
||||
corenet_tcp_sendrecv_razor_port(system_razor_t)
|
||||
corenet_tcp_connect_razor_port(system_razor_t)
|
||||
corenet_sendrecv_razor_client_packets(system_razor_t)
|
||||
sysnet_read_config(system_razor_t)
|
||||
|
||||
sysnet_read_config(system_razor_t)
|
||||
# cjp: this shouldn't be needed
|
||||
userdom_use_unpriv_users_fds(system_razor_t)
|
||||
|
||||
# cjp: this shouldn't be needed
|
||||
userdom_use_unpriv_users_fds(system_razor_t)
|
||||
|
||||
optional_policy(`
|
||||
logging_send_syslog_msg(system_razor_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(system_razor_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# User razor local policy
|
||||
#
|
||||
|
||||
# Allow razor to be run by hand. Needed by any action other than
|
||||
# invocation from a spam filter.
|
||||
|
||||
allow razor_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
|
||||
manage_files_pattern(razor_t, razor_home_t, razor_home_t)
|
||||
manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
|
||||
userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir)
|
||||
|
||||
manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
|
||||
manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
|
||||
files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
|
||||
|
||||
auth_use_nsswitch(razor_t)
|
||||
|
||||
logging_send_syslog_msg(razor_t)
|
||||
|
||||
userdom_search_user_home_dirs(razor_t)
|
||||
userdom_use_user_terminals(razor_t)
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs(razor_t)
|
||||
fs_manage_nfs_files(razor_t)
|
||||
fs_manage_nfs_symlinks(razor_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_manage_cifs_dirs(razor_t)
|
||||
fs_manage_cifs_files(razor_t)
|
||||
fs_manage_cifs_symlinks(razor_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
milter_manage_spamass_state(razor_t)
|
||||
')
|
||||
optional_policy(`
|
||||
logging_send_syslog_msg(system_razor_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(system_razor_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# User razor local policy
|
||||
#
|
||||
|
||||
# Allow razor to be run by hand. Needed by any action other than
|
||||
# invocation from a spam filter.
|
||||
|
||||
allow razor_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
|
||||
manage_files_pattern(razor_t, razor_home_t, razor_home_t)
|
||||
manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
|
||||
userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir)
|
||||
|
||||
manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
|
||||
manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
|
||||
files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
|
||||
|
||||
auth_use_nsswitch(razor_t)
|
||||
|
||||
logging_send_syslog_msg(razor_t)
|
||||
|
||||
userdom_search_user_home_dirs(razor_t)
|
||||
userdom_use_user_terminals(razor_t)
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs(razor_t)
|
||||
fs_manage_nfs_files(razor_t)
|
||||
fs_manage_nfs_symlinks(razor_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_manage_cifs_dirs(razor_t)
|
||||
fs_manage_cifs_files(razor_t)
|
||||
fs_manage_cifs_symlinks(razor_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
milter_manage_spamass_state(razor_t)
|
||||
')
|
||||
')
|
||||
|
@ -6,9 +6,9 @@ policy_module(rgmanager, 1.0.0)
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow rgmanager domain to connect to the network using TCP.
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow rgmanager domain to connect to the network using TCP.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(rgmanager_can_network_connect, false)
|
||||
|
||||
|
@ -6,9 +6,9 @@ policy_module(rhcs, 1.1.0)
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow fenced domain to connect to the network using TCP.
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow fenced domain to connect to the network using TCP.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(fenced_can_network_connect, false)
|
||||
|
||||
@ -111,7 +111,7 @@ tunable_policy(`fenced_can_network_connect',`
|
||||
|
||||
# needed by fence_scsi
|
||||
optional_policy(`
|
||||
corosync_exec(fenced_t)
|
||||
corosync_exec(fenced_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -129,7 +129,6 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow gfs_controld_t self:capability { net_admin sys_resource };
|
||||
|
||||
allow gfs_controld_t self:shm create_shm_perms;
|
||||
allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
|
||||
@ -159,7 +158,6 @@ optional_policy(`
|
||||
|
||||
allow groupd_t self:capability { sys_nice sys_resource };
|
||||
allow groupd_t self:process setsched;
|
||||
|
||||
allow groupd_t self:shm create_shm_perms;
|
||||
|
||||
dev_list_sysfs(groupd_t)
|
||||
@ -174,7 +172,6 @@ init_rw_script_tmp_files(groupd_t)
|
||||
#
|
||||
|
||||
allow qdiskd_t self:capability { ipc_lock sys_boot };
|
||||
|
||||
allow qdiskd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow qdiskd_t self:udp_socket create_socket_perms;
|
||||
|
||||
@ -226,7 +223,6 @@ optional_policy(`
|
||||
|
||||
allow cluster_domain self:capability { sys_nice };
|
||||
allow cluster_domain self:process setsched;
|
||||
|
||||
allow cluster_domain self:sem create_sem_perms;
|
||||
allow cluster_domain self:fifo_file rw_fifo_file_perms;
|
||||
allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
|
||||
|
@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0)
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow gssd to read temp directory. For access to kerberos tgt.
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow gssd to read temp directory. For access to kerberos tgt.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(allow_gssd_read_tmp, true)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow nfs servers to modify public files
|
||||
## used for public file transfer services. Files/Directories must be
|
||||
## labeled public_content_rw_t.
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow nfs servers to modify public files
|
||||
## used for public file transfer services. Files/Directories must be
|
||||
## labeled public_content_rw_t.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(allow_nfsd_anon_write, false)
|
||||
|
||||
|
@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0)
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type snmpd_t;
|
||||
type snmpd_exec_t;
|
||||
init_daemon_domain(snmpd_t, snmpd_exec_t)
|
||||
@ -24,6 +25,7 @@ files_type(snmpd_var_lib_t)
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid sys_ptrace net_admin sys_nice sys_tty_config };
|
||||
dontaudit snmpd_t self:capability { sys_module sys_tty_config };
|
||||
allow snmpd_t self:process { signal_perms getsched setsched };
|
||||
@ -117,7 +119,7 @@ sysnet_read_config(snmpd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
|
||||
userdom_dontaudit_search_user_home_dirs(snmpd_t)
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
ifdef(`distro_redhat',`
|
||||
optional_policy(`
|
||||
rpm_read_db(snmpd_t)
|
||||
rpm_dontaudit_manage_db(snmpd_t)
|
||||
|
@ -6,79 +6,79 @@ policy_module(spamassassin, 2.3.1)
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow user spamassassin clients to use the network.
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow user spamassassin clients to use the network.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(spamassassin_can_network, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow spamd to read/write user home directories.
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow spamd to read/write user home directories.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(spamd_enable_home_dirs, true)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
# spamassassin client executable
|
||||
type spamc_t;
|
||||
type spamc_exec_t;
|
||||
application_domain(spamc_t, spamc_exec_t)
|
||||
role system_r types spamc_t;
|
||||
# spamassassin client executable
|
||||
type spamc_t;
|
||||
type spamc_exec_t;
|
||||
application_domain(spamc_t, spamc_exec_t)
|
||||
role system_r types spamc_t;
|
||||
|
||||
type spamd_etc_t;
|
||||
files_config_file(spamd_etc_t)
|
||||
type spamd_etc_t;
|
||||
files_config_file(spamd_etc_t)
|
||||
|
||||
typealias spamc_exec_t alias spamassassin_exec_t;
|
||||
typealias spamc_t alias spamassassin_t;
|
||||
typealias spamc_exec_t alias spamassassin_exec_t;
|
||||
typealias spamc_t alias spamassassin_t;
|
||||
|
||||
type spamc_home_t;
|
||||
userdom_user_home_content(spamc_home_t)
|
||||
typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
|
||||
typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
|
||||
typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t };
|
||||
typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t };
|
||||
type spamc_home_t;
|
||||
userdom_user_home_content(spamc_home_t)
|
||||
typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
|
||||
typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
|
||||
typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t };
|
||||
typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t };
|
||||
|
||||
type spamc_tmp_t;
|
||||
files_tmp_file(spamc_tmp_t)
|
||||
typealias spamc_tmp_t alias spamassassin_tmp_t;
|
||||
typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
|
||||
typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
|
||||
type spamc_tmp_t;
|
||||
files_tmp_file(spamc_tmp_t)
|
||||
typealias spamc_tmp_t alias spamassassin_tmp_t;
|
||||
typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
|
||||
typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
|
||||
|
||||
typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
|
||||
typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
|
||||
', `
|
||||
type spamassassin_t;
|
||||
type spamassassin_exec_t;
|
||||
typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
|
||||
typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t };
|
||||
application_domain(spamassassin_t, spamassassin_exec_t)
|
||||
ubac_constrained(spamassassin_t)
|
||||
typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
|
||||
typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
|
||||
',`
|
||||
type spamassassin_t;
|
||||
type spamassassin_exec_t;
|
||||
typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
|
||||
typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t };
|
||||
application_domain(spamassassin_t, spamassassin_exec_t)
|
||||
ubac_constrained(spamassassin_t)
|
||||
|
||||
type spamassassin_home_t;
|
||||
typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
|
||||
typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
|
||||
userdom_user_home_content(spamassassin_home_t)
|
||||
files_poly_member(spamassassin_home_t)
|
||||
type spamassassin_home_t;
|
||||
typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
|
||||
typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
|
||||
userdom_user_home_content(spamassassin_home_t)
|
||||
files_poly_member(spamassassin_home_t)
|
||||
|
||||
type spamassassin_tmp_t;
|
||||
typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
|
||||
typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
|
||||
files_tmp_file(spamassassin_tmp_t)
|
||||
ubac_constrained(spamassassin_tmp_t)
|
||||
type spamassassin_tmp_t;
|
||||
typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
|
||||
typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
|
||||
files_tmp_file(spamassassin_tmp_t)
|
||||
ubac_constrained(spamassassin_tmp_t)
|
||||
|
||||
type spamc_t;
|
||||
type spamc_exec_t;
|
||||
typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
|
||||
typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
|
||||
application_domain(spamc_t, spamc_exec_t)
|
||||
ubac_constrained(spamc_t)
|
||||
type spamc_t;
|
||||
type spamc_exec_t;
|
||||
typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
|
||||
typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
|
||||
application_domain(spamc_t, spamc_exec_t)
|
||||
ubac_constrained(spamc_t)
|
||||
|
||||
type spamc_tmp_t;
|
||||
typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
|
||||
typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
|
||||
files_tmp_file(spamc_tmp_t)
|
||||
ubac_constrained(spamc_tmp_t)
|
||||
type spamc_tmp_t;
|
||||
typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
|
||||
typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
|
||||
files_tmp_file(spamc_tmp_t)
|
||||
ubac_constrained(spamc_tmp_t)
|
||||
')
|
||||
|
||||
type spamd_t;
|
||||
|
@ -6,17 +6,17 @@ policy_module(squid, 1.10.0)
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow squid to connect to all ports, not just
|
||||
## HTTP, FTP, and Gopher ports.
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow squid to connect to all ports, not just
|
||||
## HTTP, FTP, and Gopher ports.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(squid_connect_any, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow squid to run as a transparent proxy (TPROXY)
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow squid to run as a transparent proxy (TPROXY)
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(squid_use_tproxy, false)
|
||||
|
||||
|
@ -6,23 +6,23 @@ policy_module(ssh, 2.2.0)
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## allow host key based authentication
|
||||
## </p>
|
||||
## <p>
|
||||
## allow host key based authentication
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(allow_ssh_keysign, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow ssh logins as sysadm_r:sysadm_t
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow ssh logins as sysadm_r:sysadm_t
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(ssh_sysadm_login, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## allow sshd to forward port connections
|
||||
## </p>
|
||||
## <p>
|
||||
## allow sshd to forward port connections
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(sshd_forward_ports, false)
|
||||
|
||||
@ -217,7 +217,6 @@ optional_policy(`
|
||||
|
||||
dontaudit ssh_keygen_t self:capability sys_tty_config;
|
||||
allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
|
||||
|
||||
allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
allow ssh_keygen_t sshd_key_t:file manage_file_perms;
|
||||
@ -287,7 +286,6 @@ optional_policy(`
|
||||
# so a tunnel can point to another ssh tunnel
|
||||
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow sshd_t self:key { search link write };
|
||||
|
||||
allow sshd_t self:process setcurrent;
|
||||
|
||||
kernel_search_key(sshd_t)
|
||||
@ -303,7 +301,7 @@ term_use_ptmx(sshd_t)
|
||||
corenet_tcp_bind_xserver_port(sshd_t)
|
||||
corenet_sendrecv_xserver_server_packets(sshd_t)
|
||||
|
||||
tunable_policy(`sshd_forward_ports', `
|
||||
tunable_policy(`sshd_forward_ports',`
|
||||
corenet_tcp_bind_all_unreserved_ports(sshd_t)
|
||||
corenet_tcp_connect_all_ports(sshd_t)
|
||||
')
|
||||
@ -373,26 +371,26 @@ optional_policy(`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
tunable_policy(`ssh_sysadm_login',`
|
||||
# Relabel and access ptys created by sshd
|
||||
# ioctl is necessary for logout() processing for utmp entry and for w to
|
||||
# display the tty.
|
||||
# some versions of sshd on the new SE Linux require setattr
|
||||
allow sshd_t ptyfile:chr_file relabelto;
|
||||
tunable_policy(`ssh_sysadm_login',`
|
||||
# Relabel and access ptys created by sshd
|
||||
# ioctl is necessary for logout() processing for utmp entry and for w to
|
||||
# display the tty.
|
||||
# some versions of sshd on the new SE Linux require setattr
|
||||
allow sshd_t ptyfile:chr_file relabelto;
|
||||
|
||||
optional_policy(`
|
||||
domain_trans(sshd_t, xauth_exec_t, userdomain)
|
||||
optional_policy(`
|
||||
domain_trans(sshd_t, xauth_exec_t, userdomain)
|
||||
')
|
||||
',`
|
||||
optional_policy(`
|
||||
domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
|
||||
')
|
||||
# Relabel and access ptys created by sshd
|
||||
# ioctl is necessary for logout() processing for utmp entry and for w to
|
||||
# display the tty.
|
||||
# some versions of sshd on the new SE Linux require setattr
|
||||
allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr };
|
||||
')
|
||||
',`
|
||||
optional_policy(`
|
||||
domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
|
||||
')
|
||||
# Relabel and access ptys created by sshd
|
||||
# ioctl is necessary for logout() processing for utmp entry and for w to
|
||||
# display the tty.
|
||||
# some versions of sshd on the new SE Linux require setattr
|
||||
allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr };
|
||||
')
|
||||
') dnl endif TODO
|
||||
|
||||
########################################
|
||||
@ -405,7 +403,6 @@ tunable_policy(`ssh_sysadm_login',`
|
||||
|
||||
dontaudit ssh_keygen_t self:capability sys_tty_config;
|
||||
allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
|
||||
|
||||
allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
allow ssh_keygen_t sshd_key_t:file manage_file_perms;
|
||||
|
@ -28,6 +28,7 @@ files_pid_file(sssd_var_run_t)
|
||||
#
|
||||
# sssd local policy
|
||||
#
|
||||
|
||||
allow sssd_t self:capability { chown dac_read_search dac_override kill sys_nice setgid setuid };
|
||||
allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
|
||||
allow sssd_t self:fifo_file rw_file_perms;
|
||||
@ -40,7 +41,7 @@ manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
|
||||
manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
|
||||
manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
|
||||
manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
|
||||
files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } )
|
||||
files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir })
|
||||
|
||||
manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
|
||||
logging_log_filetrans(sssd_t, sssd_var_log_t, file)
|
||||
|
@ -77,7 +77,7 @@ miscfiles_read_localization(stunnel_t)
|
||||
|
||||
sysnet_read_config(stunnel_t)
|
||||
|
||||
ifdef(`distro_gentoo', `
|
||||
ifdef(`distro_gentoo',`
|
||||
dontaudit stunnel_t self:capability sys_tty_config;
|
||||
allow stunnel_t self:udp_socket create_socket_perms;
|
||||
|
||||
@ -120,4 +120,5 @@ ifdef(`distro_gentoo', `
|
||||
gen_require(`
|
||||
type stunnel_port_t;
|
||||
')
|
||||
|
||||
allow stunnel_t stunnel_port_t:tcp_socket name_bind;
|
||||
|
@ -71,4 +71,3 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
nscd_socket_use(sysstat_t)
|
||||
')
|
||||
|
||||
|
@ -6,10 +6,10 @@ policy_module(tftp, 1.12.0)
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow tftp to modify public files
|
||||
## used for public file transfer services.
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow tftp to modify public files
|
||||
## used for public file transfer services.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(tftp_anon_write, false)
|
||||
|
||||
|
@ -6,10 +6,10 @@ policy_module(tor, 1.7.0)
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow tor daemon to bind
|
||||
## tcp sockets to all unreserved ports.
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow tor daemon to bind
|
||||
## tcp sockets to all unreserved ports.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(tor_bind_all_unreserved_ports, false)
|
||||
|
||||
@ -43,7 +43,6 @@ files_pid_file(tor_var_run_t)
|
||||
|
||||
allow tor_t self:capability { setgid setuid sys_tty_config };
|
||||
allow tor_t self:process signal;
|
||||
|
||||
allow tor_t self:fifo_file rw_fifo_file_perms;
|
||||
allow tor_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow tor_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
@ -108,7 +107,7 @@ logging_send_syslog_msg(tor_t)
|
||||
|
||||
miscfiles_read_localization(tor_t)
|
||||
|
||||
tunable_policy(`tor_bind_all_unreserved_ports', `
|
||||
tunable_policy(`tor_bind_all_unreserved_ports',`
|
||||
corenet_tcp_bind_all_unreserved_ports(tor_t)
|
||||
')
|
||||
|
||||
|
@ -54,10 +54,10 @@ miscfiles_read_localization(ulogd_t)
|
||||
sysnet_dns_name_resolve(ulogd_t)
|
||||
|
||||
optional_policy(`
|
||||
mysql_stream_connect(ulogd_t)
|
||||
mysql_stream_connect(ulogd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
postgresql_stream_connect(ulogd_t)
|
||||
postgresql_stream_connect(ulogd_t)
|
||||
postgresql_tcp_connect(ulogd_t)
|
||||
')
|
||||
|