diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te index 3e4d47c4..8aef127c 100644 --- a/policy/modules/services/razor.te +++ b/policy/modules/services/razor.te @@ -6,7 +6,6 @@ policy_module(razor, 2.1.1) # ifdef(`distro_redhat',` - gen_require(` type spamc_t, spamc_exec_t, spamd_log_t; type spamd_spool_t, spamd_var_lib_t, spamd_etc_t; 
@@ -23,126 +22,123 @@ ifdef(`distro_redhat',` typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t }; typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t }; typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t }; - ',` + type razor_exec_t; + corecmd_executable_file(razor_exec_t) -type razor_exec_t; -corecmd_executable_file(razor_exec_t) + type razor_etc_t; + files_config_file(razor_etc_t) -type razor_etc_t; -files_config_file(razor_etc_t) + type razor_home_t; + typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t }; + typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t }; + files_poly_member(razor_home_t) + userdom_user_home_content(razor_home_t) -type razor_home_t; -typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t }; -typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t }; -files_poly_member(razor_home_t) -userdom_user_home_content(razor_home_t) + type razor_log_t; + logging_log_file(razor_log_t) -type razor_log_t; -logging_log_file(razor_log_t) + type razor_tmp_t; + typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t }; + typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t }; + files_tmp_file(razor_tmp_t) + ubac_constrained(razor_tmp_t) -type razor_tmp_t; -typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t }; -typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t }; -files_tmp_file(razor_tmp_t) -ubac_constrained(razor_tmp_t) + type razor_var_lib_t; + files_type(razor_var_lib_t) -type razor_var_lib_t; -files_type(razor_var_lib_t) + # these are here due to ordering issues: + razor_common_domain_template(razor) + typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t }; + typealias razor_t alias { auditadm_razor_t secadm_razor_t }; + ubac_constrained(razor_t) -# these are 
here due to ordering issues: -razor_common_domain_template(razor) -typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t }; -typealias razor_t alias { auditadm_razor_t secadm_razor_t }; -ubac_constrained(razor_t) + razor_common_domain_template(system_razor) + role system_r types system_razor_t; -razor_common_domain_template(system_razor) -role system_r types system_razor_t; + ######################################## + # + # System razor local policy + # -######################################## -# -# System razor local policy -# + # this version of razor is invoked typically + # via the system spam filter -# this version of razor is invoked typically -# via the system spam filter + allow system_razor_t self:tcp_socket create_socket_perms; -allow system_razor_t self:tcp_socket create_socket_perms; + manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t) + manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t) + manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t) + files_search_etc(system_razor_t) -manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t) -manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t) -manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t) -files_search_etc(system_razor_t) + allow system_razor_t razor_log_t:file manage_file_perms; + logging_log_filetrans(system_razor_t, razor_log_t, file) -allow system_razor_t razor_log_t:file manage_file_perms; -logging_log_filetrans(system_razor_t, razor_log_t, file) + manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t) + files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file) -manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t) -files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file) + corenet_all_recvfrom_unlabeled(system_razor_t) + corenet_all_recvfrom_netlabel(system_razor_t) + corenet_tcp_sendrecv_generic_if(system_razor_t) + corenet_raw_sendrecv_generic_if(system_razor_t) + 
corenet_tcp_sendrecv_generic_node(system_razor_t) + corenet_raw_sendrecv_generic_node(system_razor_t) + corenet_tcp_sendrecv_razor_port(system_razor_t) + corenet_tcp_connect_razor_port(system_razor_t) + corenet_sendrecv_razor_client_packets(system_razor_t) -corenet_all_recvfrom_unlabeled(system_razor_t) -corenet_all_recvfrom_netlabel(system_razor_t) -corenet_tcp_sendrecv_generic_if(system_razor_t) -corenet_raw_sendrecv_generic_if(system_razor_t) -corenet_tcp_sendrecv_generic_node(system_razor_t) -corenet_raw_sendrecv_generic_node(system_razor_t) -corenet_tcp_sendrecv_razor_port(system_razor_t) -corenet_tcp_connect_razor_port(system_razor_t) -corenet_sendrecv_razor_client_packets(system_razor_t) + sysnet_read_config(system_razor_t) -sysnet_read_config(system_razor_t) + # cjp: this shouldn't be needed + userdom_use_unpriv_users_fds(system_razor_t) -# cjp: this shouldn't be needed -userdom_use_unpriv_users_fds(system_razor_t) - -optional_policy(` - logging_send_syslog_msg(system_razor_t) -') - -optional_policy(` - nscd_socket_use(system_razor_t) -') - -######################################## -# -# User razor local policy -# - -# Allow razor to be run by hand. Needed by any action other than -# invocation from a spam filter. 
- -allow razor_t self:unix_stream_socket create_stream_socket_perms; - -manage_dirs_pattern(razor_t, razor_home_t, razor_home_t) -manage_files_pattern(razor_t, razor_home_t, razor_home_t) -manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t) -userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir) - -manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t) -manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t) -files_tmp_filetrans(razor_t, razor_tmp_t, { file dir }) - -auth_use_nsswitch(razor_t) - -logging_send_syslog_msg(razor_t) - -userdom_search_user_home_dirs(razor_t) -userdom_use_user_terminals(razor_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(razor_t) - fs_manage_nfs_files(razor_t) - fs_manage_nfs_symlinks(razor_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(razor_t) - fs_manage_cifs_files(razor_t) - fs_manage_cifs_symlinks(razor_t) -') - -optional_policy(` - milter_manage_spamass_state(razor_t) -') + optional_policy(` + logging_send_syslog_msg(system_razor_t) + ') + optional_policy(` + nscd_socket_use(system_razor_t) + ') + + ######################################## + # + # User razor local policy + # + + # Allow razor to be run by hand. Needed by any action other than + # invocation from a spam filter. 
+ + allow razor_t self:unix_stream_socket create_stream_socket_perms; + + manage_dirs_pattern(razor_t, razor_home_t, razor_home_t) + manage_files_pattern(razor_t, razor_home_t, razor_home_t) + manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t) + userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir) + + manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t) + manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t) + files_tmp_filetrans(razor_t, razor_tmp_t, { file dir }) + + auth_use_nsswitch(razor_t) + + logging_send_syslog_msg(razor_t) + + userdom_search_user_home_dirs(razor_t) + userdom_use_user_terminals(razor_t) + + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(razor_t) + fs_manage_nfs_files(razor_t) + fs_manage_nfs_symlinks(razor_t) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(razor_t) + fs_manage_cifs_files(razor_t) + fs_manage_cifs_symlinks(razor_t) + ') + + optional_policy(` + milter_manage_spamass_state(razor_t) + ') ') diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te index 9ab1d808..3b5909f9 100644 --- a/policy/modules/services/rgmanager.te +++ b/policy/modules/services/rgmanager.te @@ -6,9 +6,9 @@ policy_module(rgmanager, 1.0.0) # ## -##

-## Allow rgmanager domain to connect to the network using TCP. -##

+##

+## Allow rgmanager domain to connect to the network using TCP. +##

##
gen_tunable(rgmanager_can_network_connect, false) diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te index 1ebc84d9..89eb689c 100644 --- a/policy/modules/services/rhcs.te +++ b/policy/modules/services/rhcs.te @@ -6,9 +6,9 @@ policy_module(rhcs, 1.1.0) # ## -##

-## Allow fenced domain to connect to the network using TCP. -##

+##

+## Allow fenced domain to connect to the network using TCP. +##

##
gen_tunable(fenced_can_network_connect, false) @@ -111,7 +111,7 @@ tunable_policy(`fenced_can_network_connect',` # needed by fence_scsi optional_policy(` - corosync_exec(fenced_t) + corosync_exec(fenced_t) ') optional_policy(` @@ -129,7 +129,6 @@ optional_policy(` # allow gfs_controld_t self:capability { net_admin sys_resource }; - allow gfs_controld_t self:shm create_shm_perms; allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -159,7 +158,6 @@ optional_policy(` allow groupd_t self:capability { sys_nice sys_resource }; allow groupd_t self:process setsched; - allow groupd_t self:shm create_shm_perms; dev_list_sysfs(groupd_t) @@ -174,7 +172,6 @@ init_rw_script_tmp_files(groupd_t) # allow qdiskd_t self:capability { ipc_lock sys_boot }; - allow qdiskd_t self:tcp_socket create_stream_socket_perms; allow qdiskd_t self:udp_socket create_socket_perms; @@ -226,7 +223,6 @@ optional_policy(` allow cluster_domain self:capability { sys_nice }; allow cluster_domain self:process setsched; - allow cluster_domain self:sem create_sem_perms; allow cluster_domain self:fifo_file rw_fifo_file_perms; allow cluster_domain self:unix_stream_socket create_stream_socket_perms; diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te index 9ae080e2..c5241712 100644 --- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te @@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0) # ## -##
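Review bot: Dropping `allow gfs_controld_t self:shm create_shm_perms;` is a real permission change buried in what is otherwise a whitespace cleanup, and nothing in the hunk shows where gfs_controld_t now gets SysV shm access from. If the line duplicates a rule granted elsewhere (a common cluster_domain rule, or something the `domain` attribute carries), the commit message should say so, because otherwise the daemon fails at runtime with an AVC denial on `shm create`, which a clean policy build will not catch. A before/after `sesearch -A -s gfs_controld_t -c shm` on the built policy would settle it and is worth recording. The gfs_controld block continues outside the hunk.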
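Review bot: The removal of `allow qdiskd_t self:tcp_socket create_stream_socket_perms;` leaves only the udp_socket rule visible for qdiskd_t, and the hunk gives no indication whether TCP is granted by another rule or was simply never used. Removing a socket class is a behaviour change rather than cleanup, so it should be confirmed against a built policy (`sesearch -A -s qdiskd_t -c tcp_socket`) before it lands mixed with whitespace-only hunks; if it is genuinely unused, a one-line `# qdiskd uses UDP only` next to the surviving udp rule would document the intent. The qdiskd block starts and continues outside the hunk.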
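Review bot: Removing `allow cluster_domain self:sem create_sem_perms;` affects every type carrying the cluster_domain attribute at once, which makes it the broadest change in this file and the least explained by the surrounding whitespace edits. If a duplicate `sem` rule exists elsewhere in the cluster_domain block or the attribute's members get semaphores through another interface, a commit-message note naming it would make the audit trivial; if not, SysV semaphore creation starts being denied for all cluster daemons. Comparing `sesearch -A -s cluster_domain -c sem` on policies built before and after the change is the cheap way to confirm. The cluster_domain block continues outside the hunk.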

-## Allow gssd to read temp directory. For access to kerberos tgt. -##

+##

+## Allow gssd to read temp directory. For access to kerberos tgt. +##

##
gen_tunable(allow_gssd_read_tmp, true) ## -##

-## Allow nfs servers to modify public files -## used for public file transfer services. Files/Directories must be -## labeled public_content_rw_t. -##

+##

+## Allow nfs servers to modify public files +## used for public file transfer services. Files/Directories must be +## labeled public_content_rw_t. +##

##
gen_tunable(allow_nfsd_anon_write, false) diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te index b5cd366e..0927db4c 100644 --- a/policy/modules/services/snmp.te +++ b/policy/modules/services/snmp.te @@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0) # # Declarations # + type snmpd_t; type snmpd_exec_t; init_daemon_domain(snmpd_t, snmpd_exec_t) @@ -24,6 +25,7 @@ files_type(snmpd_var_lib_t) # # Local policy # + allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid sys_ptrace net_admin sys_nice sys_tty_config }; dontaudit snmpd_t self:capability { sys_module sys_tty_config }; allow snmpd_t self:process { signal_perms getsched setsched }; @@ -117,7 +119,7 @@ sysnet_read_config(snmpd_t) userdom_dontaudit_use_unpriv_user_fds(snmpd_t) userdom_dontaudit_search_user_home_dirs(snmpd_t) -ifdef(`distro_redhat', ` +ifdef(`distro_redhat',` optional_policy(` rpm_read_db(snmpd_t) rpm_dontaudit_manage_db(snmpd_t) diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te index f4738d36..74ab7d8b 100644 --- a/policy/modules/services/spamassassin.te +++ b/policy/modules/services/spamassassin.te @@ -6,79 +6,79 @@ policy_module(spamassassin, 2.3.1) # ## -##

-## Allow user spamassassin clients to use the network. -##

+##

+## Allow user spamassassin clients to use the network. +##

##
gen_tunable(spamassassin_can_network, false) ## -##

-## Allow spamd to read/write user home directories. -##

+##

+## Allow spamd to read/write user home directories. +##

##
gen_tunable(spamd_enable_home_dirs, true) ifdef(`distro_redhat',` -# spamassassin client executable -type spamc_t; -type spamc_exec_t; -application_domain(spamc_t, spamc_exec_t) -role system_r types spamc_t; + # spamassassin client executable + type spamc_t; + type spamc_exec_t; + application_domain(spamc_t, spamc_exec_t) + role system_r types spamc_t; -type spamd_etc_t; -files_config_file(spamd_etc_t) + type spamd_etc_t; + files_config_file(spamd_etc_t) -typealias spamc_exec_t alias spamassassin_exec_t; -typealias spamc_t alias spamassassin_t; + typealias spamc_exec_t alias spamassassin_exec_t; + typealias spamc_t alias spamassassin_t; -type spamc_home_t; -userdom_user_home_content(spamc_home_t) -typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; -typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; -typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t }; -typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t }; + type spamc_home_t; + userdom_user_home_content(spamc_home_t) + typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; + typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; + typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t }; + typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t }; -type spamc_tmp_t; -files_tmp_file(spamc_tmp_t) -typealias spamc_tmp_t alias spamassassin_tmp_t; -typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; -typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; + type spamc_tmp_t; + files_tmp_file(spamc_tmp_t) + typealias spamc_tmp_t alias spamassassin_tmp_t; + typealias spamc_tmp_t alias { 
user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; + typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; -typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; -typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; -', ` -type spamassassin_t; -type spamassassin_exec_t; -typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t }; -typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t }; -application_domain(spamassassin_t, spamassassin_exec_t) -ubac_constrained(spamassassin_t) + typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; + typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; +',` + type spamassassin_t; + type spamassassin_exec_t; + typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t }; + typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t }; + application_domain(spamassassin_t, spamassassin_exec_t) + ubac_constrained(spamassassin_t) -type spamassassin_home_t; -typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; -typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; -userdom_user_home_content(spamassassin_home_t) -files_poly_member(spamassassin_home_t) + type spamassassin_home_t; + typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; + typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; + userdom_user_home_content(spamassassin_home_t) + files_poly_member(spamassassin_home_t) -type spamassassin_tmp_t; -typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; -typealias spamassassin_tmp_t 
alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; -files_tmp_file(spamassassin_tmp_t) -ubac_constrained(spamassassin_tmp_t) + type spamassassin_tmp_t; + typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; + typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; + files_tmp_file(spamassassin_tmp_t) + ubac_constrained(spamassassin_tmp_t) -type spamc_t; -type spamc_exec_t; -typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t }; -typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t }; -application_domain(spamc_t, spamc_exec_t) -ubac_constrained(spamc_t) + type spamc_t; + type spamc_exec_t; + typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t }; + typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t }; + application_domain(spamc_t, spamc_exec_t) + ubac_constrained(spamc_t) -type spamc_tmp_t; -typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; -typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; -files_tmp_file(spamc_tmp_t) -ubac_constrained(spamc_tmp_t) + type spamc_tmp_t; + typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; + typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; + files_tmp_file(spamc_tmp_t) + ubac_constrained(spamc_tmp_t) ') type spamd_t; diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te index 4b2230e7..744b1723 100644 --- a/policy/modules/services/squid.te +++ b/policy/modules/services/squid.te @@ -6,17 +6,17 @@ policy_module(squid, 1.10.0) # ## -##

-## Allow squid to connect to all ports, not just -## HTTP, FTP, and Gopher ports. -##

+##

+## Allow squid to connect to all ports, not just +## HTTP, FTP, and Gopher ports. +##

##
gen_tunable(squid_connect_any, false) ## -##

-## Allow squid to run as a transparent proxy (TPROXY) -##

+##

+## Allow squid to run as a transparent proxy (TPROXY) +##

##
gen_tunable(squid_use_tproxy, false) diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 68c30574..5315f9b5 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,23 +6,23 @@ policy_module(ssh, 2.2.0) # ## -##

-## allow host key based authentication -##

+##

+## allow host key based authentication +##

##
gen_tunable(allow_ssh_keysign, false) ## -##

-## Allow ssh logins as sysadm_r:sysadm_t -##

+##

+## Allow ssh logins as sysadm_r:sysadm_t +##

##
gen_tunable(ssh_sysadm_login, false) ## -##

-## allow sshd to forward port connections -##

+##

+## allow sshd to forward port connections +##

##
gen_tunable(sshd_forward_ports, false) @@ -217,7 +217,6 @@ optional_policy(` dontaudit ssh_keygen_t self:capability sys_tty_config; allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; - allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms; allow ssh_keygen_t sshd_key_t:file manage_file_perms; @@ -287,7 +286,6 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; - allow sshd_t self:process setcurrent; kernel_search_key(sshd_t) @@ -303,7 +301,7 @@ term_use_ptmx(sshd_t) corenet_tcp_bind_xserver_port(sshd_t) corenet_sendrecv_xserver_server_packets(sshd_t) -tunable_policy(`sshd_forward_ports', ` +tunable_policy(`sshd_forward_ports',` corenet_tcp_bind_all_unreserved_ports(sshd_t) corenet_tcp_connect_all_ports(sshd_t) ') 
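Review bot: `allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;` is removed here and again in the second ssh_keygen block later in the file (the @@ -405 hunk, which appears to sit after the `dnl endif TODO` marker and so is live), so unless an interface such as init_system_domain or the `domain` attribute grants it, ssh_keygen_t is left with no unix_stream_socket create rights at all — surfacing as an AVC denial when ssh-keygen runs from the init script, not as a build error. If the two blocks are duplicates of each other, deleting one block outright is cleaner than trimming the same rule from both; if only one is redundant, the commit message should say which. `sesearch -A -s ssh_keygen_t -c unix_stream_socket` against the built policy would confirm. The ssh_keygen block continues outside the hunk.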
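Review bot: Removing `allow sshd_t self:process setcurrent;` is not whitespace: setcurrent is what permits a setcon()-style dynamic transition of the running sshd process, and nothing in the hunk shows a replacement (a `domain_dyntrans_type(sshd_t)` or another `self:process` rule elsewhere that still carries setcurrent). If the line duplicates a rule that survives in the sshd block, the commit message should say so; if it is an intentional tightening, it deserves its own commit with a note on which sshd behaviour it affects. Either way, `sesearch -A -s sshd_t -c process -p setcurrent` on the built policy shows whether the permission is still granted. The sshd local-policy block starts and ends outside the hunk.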
@@ -373,26 +371,26 @@ optional_policy(` ') ifdef(`TODO',` -tunable_policy(`ssh_sysadm_login',` - # Relabel and access ptys created by sshd - # ioctl is necessary for logout() processing for utmp entry and for w to - # display the tty. - # some versions of sshd on the new SE Linux require setattr - allow sshd_t ptyfile:chr_file relabelto; + tunable_policy(`ssh_sysadm_login',` + # Relabel and access ptys created by sshd + # ioctl is necessary for logout() processing for utmp entry and for w to + # display the tty. + # some versions of sshd on the new SE Linux require setattr + allow sshd_t ptyfile:chr_file relabelto; - optional_policy(` - domain_trans(sshd_t, xauth_exec_t, userdomain) + optional_policy(` + domain_trans(sshd_t, xauth_exec_t, userdomain) + ') + ',` + optional_policy(` + domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain) + ') + # Relabel and access ptys created by sshd + # ioctl is necessary for logout() processing for utmp entry and for w to + # display the tty. + # some versions of sshd on the new SE Linux require setattr + allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr }; ') -',` - optional_policy(` - domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain) - ') - # Relabel and access ptys created by sshd - # ioctl is necessary for logout() processing for utmp entry and for w to - # display the tty. - # some versions of sshd on the new SE Linux require setattr - allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr }; -') ') dnl endif TODO ######################################## @@ -405,7 +403,6 @@ tunable_policy(`ssh_sysadm_login',` dontaudit ssh_keygen_t self:capability sys_tty_config; allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; - allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms; allow ssh_keygen_t sshd_key_t:file manage_file_perms; 
diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te index 07d6748f..be42115f 100644 --- a/policy/modules/services/sssd.te +++ b/policy/modules/services/sssd.te @@ -28,6 +28,7 @@ files_pid_file(sssd_var_run_t) # # sssd local policy # + allow sssd_t self:capability { chown dac_read_search dac_override kill sys_nice setgid setuid }; allow sssd_t self:process { setfscreate setsched sigkill signal getsched }; allow sssd_t self:fifo_file rw_file_perms; @@ -40,7 +41,7 @@ manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t) manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) -files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } ) +files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir }) manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) logging_log_filetrans(sssd_t, sssd_var_log_t, file) diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te index 7ecb27b3..279efa6e 100644 --- a/policy/modules/services/stunnel.te +++ b/policy/modules/services/stunnel.te @@ -77,7 +77,7 @@ miscfiles_read_localization(stunnel_t) sysnet_read_config(stunnel_t) -ifdef(`distro_gentoo', ` +ifdef(`distro_gentoo',` dontaudit stunnel_t self:capability sys_tty_config; allow stunnel_t self:udp_socket create_socket_perms; @@ -120,4 +120,5 @@ ifdef(`distro_gentoo', ` gen_require(` type stunnel_port_t; ') + allow stunnel_t stunnel_port_t:tcp_socket name_bind; diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te index 111b041d..67607acc 100644 --- a/policy/modules/services/sysstat.te +++ b/policy/modules/services/sysstat.te @@ -71,4 +71,3 @@ optional_policy(` optional_policy(` nscd_socket_use(sysstat_t) ') - diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te index 66bfd1ca..b928f29e 100644 --- a/policy/modules/services/tftp.te 
+++ b/policy/modules/services/tftp.te @@ -6,10 +6,10 @@ policy_module(tftp, 1.12.0) # ## -##

-## Allow tftp to modify public files -## used for public file transfer services. -##

+##

+## Allow tftp to modify public files +## used for public file transfer services. +##

##
gen_tunable(tftp_anon_write, false) diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te index 0a0074cb..7f0d9a96 100644 --- a/policy/modules/services/tor.te +++ b/policy/modules/services/tor.te @@ -6,10 +6,10 @@ policy_module(tor, 1.7.0) # ## -##

-## Allow tor daemon to bind -## tcp sockets to all unreserved ports. -##

+##

+## Allow tor daemon to bind +## tcp sockets to all unreserved ports. +##

##
gen_tunable(tor_bind_all_unreserved_ports, false) @@ -43,7 +43,6 @@ files_pid_file(tor_var_run_t) allow tor_t self:capability { setgid setuid sys_tty_config }; allow tor_t self:process signal; - allow tor_t self:fifo_file rw_fifo_file_perms; allow tor_t self:unix_stream_socket create_stream_socket_perms; allow tor_t self:netlink_route_socket r_netlink_socket_perms; @@ -108,7 +107,7 @@ logging_send_syslog_msg(tor_t) miscfiles_read_localization(tor_t) -tunable_policy(`tor_bind_all_unreserved_ports', ` +tunable_policy(`tor_bind_all_unreserved_ports',` corenet_tcp_bind_all_unreserved_ports(tor_t) ') diff --git a/policy/modules/services/ulogd.te b/policy/modules/services/ulogd.te index eb4d8d50..5ff5e927 100644 --- a/policy/modules/services/ulogd.te +++ b/policy/modules/services/ulogd.te @@ -54,10 +54,10 @@ miscfiles_read_localization(ulogd_t) sysnet_dns_name_resolve(ulogd_t) optional_policy(` - mysql_stream_connect(ulogd_t) + mysql_stream_connect(ulogd_t) ') optional_policy(` - postgresql_stream_connect(ulogd_t) + postgresql_stream_connect(ulogd_t) postgresql_tcp_connect(ulogd_t) ')
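Review bot: The removed `allow tor_t self:fifo_file rw_fifo_file_perms;` is the only non-whitespace change in the tor hunks, and the hunk does not show where tor_t keeps fifo access, so a reader cannot distinguish a redundant-rule cleanup from an accidental tightening. If the rule is now carried for every domain by kernel/domain.te, say so in the commit message (a `# fifo_file rw is granted to all domains in kernel/domain.te` comment at the removal site would also do), since if tor relies on pipes internally a lost rw_fifo_file_perms shows up only as runtime denials. The tor local-policy block continues outside the hunk.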