From 1e2abee10bd634592dff42910b313c985c27b151 Mon Sep 17 00:00:00 2001
From: Dominick Grift
Date: Fri, 24 Sep 2010 09:17:22 +0200
Subject: [PATCH] Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes.
---
 policy/modules/services/razor.te | 204 ++++++++++++------------
 policy/modules/services/rgmanager.te | 6 +-
 policy/modules/services/rhcs.te | 12 +-
 policy/modules/services/rpc.te | 16 +-
 policy/modules/services/snmp.te | 4 +-
 policy/modules/services/spamassassin.te | 112 ++++++-------
 policy/modules/services/squid.te | 14 +-
 policy/modules/services/ssh.te | 59 ++++---
 policy/modules/services/sssd.te | 3 +-
 policy/modules/services/stunnel.te | 3 +-
 policy/modules/services/sysstat.te | 1 -
 policy/modules/services/tftp.te | 8 +-
 policy/modules/services/tor.te | 11 +-
 policy/modules/services/ulogd.te | 4 +-
 14 files changed, 224 insertions(+), 233 deletions(-)
diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te
index 3e4d47c4..8aef127c 100644
--- a/policy/modules/services/razor.te
+++ b/policy/modules/services/razor.te
@@ -6,7 +6,6 @@ policy_module(razor, 2.1.1)
 #
 ifdef(`distro_redhat',`
-
 gen_require(`
 type spamc_t, spamc_exec_t, spamd_log_t;
 type spamd_spool_t, spamd_var_lib_t, spamd_etc_t;
@@ -23,126 +22,123 @@ ifdef(`distro_redhat',`
 typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
 typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
 typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
-
 ',`
+ type razor_exec_t;
+ corecmd_executable_file(razor_exec_t)
-type razor_exec_t;
-corecmd_executable_file(razor_exec_t)
+ type razor_etc_t;
+ files_config_file(razor_etc_t)
-type razor_etc_t;
-files_config_file(razor_etc_t)
+ type razor_home_t;
+ typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
+ typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
+ files_poly_member(razor_home_t)
+ userdom_user_home_content(razor_home_t)
-type razor_home_t;
-typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
-typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
-files_poly_member(razor_home_t)
-userdom_user_home_content(razor_home_t)
+ type razor_log_t;
+ logging_log_file(razor_log_t)
-type razor_log_t;
-logging_log_file(razor_log_t)
+ type razor_tmp_t;
+ typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
+ typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
+ files_tmp_file(razor_tmp_t)
+ ubac_constrained(razor_tmp_t)
-type razor_tmp_t;
-typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
-typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
-files_tmp_file(razor_tmp_t)
-ubac_constrained(razor_tmp_t)
+ type razor_var_lib_t;
+ files_type(razor_var_lib_t)
-type razor_var_lib_t;
-files_type(razor_var_lib_t)
+ # these are here due to ordering issues:
+ razor_common_domain_template(razor)
+ typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
+ typealias razor_t alias { auditadm_razor_t secadm_razor_t };
+ ubac_constrained(razor_t)
-# these are here due to ordering issues:
-razor_common_domain_template(razor)
-typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
-typealias razor_t alias { auditadm_razor_t secadm_razor_t };
-ubac_constrained(razor_t)
+ razor_common_domain_template(system_razor)
+ role system_r types system_razor_t;
-razor_common_domain_template(system_razor)
-role system_r types system_razor_t;
+ ########################################
+ #
+ # System razor local policy
+ #
-########################################
-#
-# System razor local policy
-#
+ # this version of razor is invoked typically
+ # via the system spam filter
-# this version of razor is invoked typically
-# via the system spam filter
+ allow system_razor_t self:tcp_socket create_socket_perms;
-allow system_razor_t self:tcp_socket create_socket_perms;
+ manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+ manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+ manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+ files_search_etc(system_razor_t)
-manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
-manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
-manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
-files_search_etc(system_razor_t)
+ allow system_razor_t razor_log_t:file manage_file_perms;
+ logging_log_filetrans(system_razor_t, razor_log_t, file)
-allow system_razor_t razor_log_t:file manage_file_perms;
-logging_log_filetrans(system_razor_t, razor_log_t, file)
+ manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
+ files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
-manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
-files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
+ corenet_all_recvfrom_unlabeled(system_razor_t)
+ corenet_all_recvfrom_netlabel(system_razor_t)
+ corenet_tcp_sendrecv_generic_if(system_razor_t)
+ corenet_raw_sendrecv_generic_if(system_razor_t)
+ corenet_tcp_sendrecv_generic_node(system_razor_t)
+ corenet_raw_sendrecv_generic_node(system_razor_t)
+ corenet_tcp_sendrecv_razor_port(system_razor_t)
+ corenet_tcp_connect_razor_port(system_razor_t)
+ corenet_sendrecv_razor_client_packets(system_razor_t)
-corenet_all_recvfrom_unlabeled(system_razor_t)
-corenet_all_recvfrom_netlabel(system_razor_t)
-corenet_tcp_sendrecv_generic_if(system_razor_t)
-corenet_raw_sendrecv_generic_if(system_razor_t)
-corenet_tcp_sendrecv_generic_node(system_razor_t)
-corenet_raw_sendrecv_generic_node(system_razor_t)
-corenet_tcp_sendrecv_razor_port(system_razor_t)
-corenet_tcp_connect_razor_port(system_razor_t)
-corenet_sendrecv_razor_client_packets(system_razor_t)
+ sysnet_read_config(system_razor_t)
-sysnet_read_config(system_razor_t)
+ # cjp: this shouldn't be needed
+ userdom_use_unpriv_users_fds(system_razor_t)
-# cjp: this shouldn't be needed
-userdom_use_unpriv_users_fds(system_razor_t)
-
-optional_policy(`
- logging_send_syslog_msg(system_razor_t)
-')
-
-optional_policy(`
- nscd_socket_use(system_razor_t)
-')
-
-########################################
-#
-# User razor local policy
-#
-
-# Allow razor to be run by hand. Needed by any action other than
-# invocation from a spam filter.
-
-allow razor_t self:unix_stream_socket create_stream_socket_perms;
-
-manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
-manage_files_pattern(razor_t, razor_home_t, razor_home_t)
-manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
-userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir)
-
-manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
-manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
-files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
-
-auth_use_nsswitch(razor_t)
-
-logging_send_syslog_msg(razor_t)
-
-userdom_search_user_home_dirs(razor_t)
-userdom_use_user_terminals(razor_t)
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(razor_t)
- fs_manage_nfs_files(razor_t)
- fs_manage_nfs_symlinks(razor_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(razor_t)
- fs_manage_cifs_files(razor_t)
- fs_manage_cifs_symlinks(razor_t)
-')
-
-optional_policy(`
- milter_manage_spamass_state(razor_t)
-')
+ optional_policy(`
+ logging_send_syslog_msg(system_razor_t)
+ ')
+ optional_policy(`
+ nscd_socket_use(system_razor_t)
+ ')
+
+ ########################################
+ #
+ # User razor local policy
+ #
+
+ # Allow razor to be run by hand. Needed by any action other than
+ # invocation from a spam filter.
+
+ allow razor_t self:unix_stream_socket create_stream_socket_perms;
+
+ manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
+ manage_files_pattern(razor_t, razor_home_t, razor_home_t)
+ manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
+ userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir)
+
+ manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
+ manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
+ files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
+
+ auth_use_nsswitch(razor_t)
+
+ logging_send_syslog_msg(razor_t)
+
+ userdom_search_user_home_dirs(razor_t)
+ userdom_use_user_terminals(razor_t)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(razor_t)
+ fs_manage_nfs_files(razor_t)
+ fs_manage_nfs_symlinks(razor_t)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(razor_t)
+ fs_manage_cifs_files(razor_t)
+ fs_manage_cifs_symlinks(razor_t)
+ ')
+
+ optional_policy(`
+ milter_manage_spamass_state(razor_t)
+ ')
 ')
diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
index 9ab1d808..3b5909f9 100644
--- a/policy/modules/services/rgmanager.te
+++ b/policy/modules/services/rgmanager.te
@@ -6,9 +6,9 @@ policy_module(rgmanager, 1.0.0)
 # ## -##

-## Allow rgmanager domain to connect to the network using TCP. -##

+##

+## Allow rgmanager domain to connect to the network using TCP. +##

##
 gen_tunable(rgmanager_can_network_connect, false)
diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te
index 1ebc84d9..89eb689c 100644
--- a/policy/modules/services/rhcs.te
+++ b/policy/modules/services/rhcs.te
@@ -6,9 +6,9 @@ policy_module(rhcs, 1.1.0)
 # ## -##

-## Allow fenced domain to connect to the network using TCP. -##

+##

+## Allow fenced domain to connect to the network using TCP. +##

##
 gen_tunable(fenced_can_network_connect, false)
@@ -111,7 +111,7 @@ tunable_policy(`fenced_can_network_connect',`
 # needed by fence_scsi
 optional_policy(`
- corosync_exec(fenced_t)
+ corosync_exec(fenced_t)
 ')
 optional_policy(`
@@ -129,7 +129,6 @@ optional_policy(`
 #
 allow gfs_controld_t self:capability { net_admin sys_resource };
-
 allow gfs_controld_t self:shm create_shm_perms;
 allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -159,7 +158,6 @@ optional_policy(`
 allow groupd_t self:capability { sys_nice sys_resource };
 allow groupd_t self:process setsched;
-
 allow groupd_t self:shm create_shm_perms;
 dev_list_sysfs(groupd_t)
@@ -174,7 +172,6 @@ init_rw_script_tmp_files(groupd_t)
 #
 allow qdiskd_t self:capability { ipc_lock sys_boot };
-
 allow qdiskd_t self:tcp_socket create_stream_socket_perms;
 allow qdiskd_t self:udp_socket create_socket_perms;
@@ -226,7 +223,6 @@ optional_policy(`
 allow cluster_domain self:capability { sys_nice };
 allow cluster_domain self:process setsched;
-
 allow cluster_domain self:sem create_sem_perms;
 allow cluster_domain self:fifo_file rw_fifo_file_perms;
 allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 9ae080e2..c5241712 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0)
 # ## -##

-## Allow gssd to read temp directory. For access to kerberos tgt. -##

+##

+## Allow gssd to read temp directory. For access to kerberos tgt. +##

##
gen_tunable(allow_gssd_read_tmp, true) ## -##

-## Allow nfs servers to modify public files -## used for public file transfer services. Files/Directories must be -## labeled public_content_rw_t. -##

+##

+## Allow nfs servers to modify public files +## used for public file transfer services. Files/Directories must be +## labeled public_content_rw_t. +##

##
 gen_tunable(allow_nfsd_anon_write, false)
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
index b5cd366e..0927db4c 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0)
 #
 # Declarations
 #
+
 type snmpd_t;
 type snmpd_exec_t;
 init_daemon_domain(snmpd_t, snmpd_exec_t)
@@ -24,6 +25,7 @@ files_type(snmpd_var_lib_t)
 #
 # Local policy
 #
+
 allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid sys_ptrace net_admin sys_nice sys_tty_config };
 dontaudit snmpd_t self:capability { sys_module sys_tty_config };
 allow snmpd_t self:process { signal_perms getsched setsched };
@@ -117,7 +119,7 @@ sysnet_read_config(snmpd_t)
 userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
 userdom_dontaudit_search_user_home_dirs(snmpd_t)
-ifdef(`distro_redhat', `
+ifdef(`distro_redhat',`
 optional_policy(`
 rpm_read_db(snmpd_t)
 rpm_dontaudit_manage_db(snmpd_t)
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index f4738d36..74ab7d8b 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -6,79 +6,79 @@ policy_module(spamassassin, 2.3.1)
 # ## -##

-## Allow user spamassassin clients to use the network. -##

+##

+## Allow user spamassassin clients to use the network. +##

##
gen_tunable(spamassassin_can_network, false) ## -##

-## Allow spamd to read/write user home directories. -##

+##

+## Allow spamd to read/write user home directories. +##

##
 gen_tunable(spamd_enable_home_dirs, true)
 ifdef(`distro_redhat',`
-# spamassassin client executable
-type spamc_t;
-type spamc_exec_t;
-application_domain(spamc_t, spamc_exec_t)
-role system_r types spamc_t;
+ # spamassassin client executable
+ type spamc_t;
+ type spamc_exec_t;
+ application_domain(spamc_t, spamc_exec_t)
+ role system_r types spamc_t;
-type spamd_etc_t;
-files_config_file(spamd_etc_t)
+ type spamd_etc_t;
+ files_config_file(spamd_etc_t)
-typealias spamc_exec_t alias spamassassin_exec_t;
-typealias spamc_t alias spamassassin_t;
+ typealias spamc_exec_t alias spamassassin_exec_t;
+ typealias spamc_t alias spamassassin_t;
-type spamc_home_t;
-userdom_user_home_content(spamc_home_t)
-typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
-typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
-typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t };
-typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t };
+ type spamc_home_t;
+ userdom_user_home_content(spamc_home_t)
+ typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
+ typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
+ typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t };
+ typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t };
-type spamc_tmp_t;
-files_tmp_file(spamc_tmp_t)
-typealias spamc_tmp_t alias spamassassin_tmp_t;
-typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
-typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
+ type spamc_tmp_t;
+ files_tmp_file(spamc_tmp_t)
+ typealias spamc_tmp_t alias spamassassin_tmp_t;
+ typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
+ typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
-typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
-typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
-', `
-type spamassassin_t;
-type spamassassin_exec_t;
-typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
-typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t };
-application_domain(spamassassin_t, spamassassin_exec_t)
-ubac_constrained(spamassassin_t)
+ typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
+ typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
+',`
+ type spamassassin_t;
+ type spamassassin_exec_t;
+ typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
+ typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t };
+ application_domain(spamassassin_t, spamassassin_exec_t)
+ ubac_constrained(spamassassin_t)
-type spamassassin_home_t;
-typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
-typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
-userdom_user_home_content(spamassassin_home_t)
-files_poly_member(spamassassin_home_t)
+ type spamassassin_home_t;
+ typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
+ typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
+ userdom_user_home_content(spamassassin_home_t)
+ files_poly_member(spamassassin_home_t)
-type spamassassin_tmp_t;
-typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
-typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
-files_tmp_file(spamassassin_tmp_t)
-ubac_constrained(spamassassin_tmp_t)
+ type spamassassin_tmp_t;
+ typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
+ typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
+ files_tmp_file(spamassassin_tmp_t)
+ ubac_constrained(spamassassin_tmp_t)
-type spamc_t;
-type spamc_exec_t;
-typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
-typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
-application_domain(spamc_t, spamc_exec_t)
-ubac_constrained(spamc_t)
+ type spamc_t;
+ type spamc_exec_t;
+ typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
+ typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
+ application_domain(spamc_t, spamc_exec_t)
+ ubac_constrained(spamc_t)
-type spamc_tmp_t;
-typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
-typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
-files_tmp_file(spamc_tmp_t)
-ubac_constrained(spamc_tmp_t)
+ type spamc_tmp_t;
+ typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
+ typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
+ files_tmp_file(spamc_tmp_t)
+ ubac_constrained(spamc_tmp_t)
 ')
 type spamd_t;
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
index 4b2230e7..744b1723 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -6,17 +6,17 @@ policy_module(squid, 1.10.0)
 # ## -##

-## Allow squid to connect to all ports, not just -## HTTP, FTP, and Gopher ports. -##

+##

+## Allow squid to connect to all ports, not just +## HTTP, FTP, and Gopher ports. +##

##
gen_tunable(squid_connect_any, false) ## -##

-## Allow squid to run as a transparent proxy (TPROXY) -##

+##

+## Allow squid to run as a transparent proxy (TPROXY) +##

##
gen_tunable(squid_use_tproxy, false) diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 68c30574..5315f9b5 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,23 +6,23 @@ policy_module(ssh, 2.2.0) # ## -##

-## allow host key based authentication -##

+##

+## allow host key based authentication +##

##
gen_tunable(allow_ssh_keysign, false) ## -##

-## Allow ssh logins as sysadm_r:sysadm_t -##

+##

+## Allow ssh logins as sysadm_r:sysadm_t +##

##
gen_tunable(ssh_sysadm_login, false) ## -##

-## allow sshd to forward port connections -##

+##

+## allow sshd to forward port connections +##

##
 gen_tunable(sshd_forward_ports, false)
@@ -217,7 +217,6 @@ optional_policy(`
 dontaudit ssh_keygen_t self:capability sys_tty_config;
 allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
-
 allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
 allow ssh_keygen_t sshd_key_t:file manage_file_perms;
@@ -287,7 +286,6 @@ optional_policy(`
 # so a tunnel can point to another ssh tunnel
 allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
 allow sshd_t self:key { search link write };
-
 allow sshd_t self:process setcurrent;
 kernel_search_key(sshd_t)
@@ -303,7 +301,7 @@ term_use_ptmx(sshd_t)
 corenet_tcp_bind_xserver_port(sshd_t)
 corenet_sendrecv_xserver_server_packets(sshd_t)
-tunable_policy(`sshd_forward_ports', `
+tunable_policy(`sshd_forward_ports',`
 corenet_tcp_bind_all_unreserved_ports(sshd_t)
 corenet_tcp_connect_all_ports(sshd_t)
 ')
@@ -373,26 +371,26 @@ optional_policy(`
 ')
 ifdef(`TODO',`
-tunable_policy(`ssh_sysadm_login',`
- # Relabel and access ptys created by sshd
- # ioctl is necessary for logout() processing for utmp entry and for w to
- # display the tty.
- # some versions of sshd on the new SE Linux require setattr
- allow sshd_t ptyfile:chr_file relabelto;
+ tunable_policy(`ssh_sysadm_login',`
+ # Relabel and access ptys created by sshd
+ # ioctl is necessary for logout() processing for utmp entry and for w to
+ # display the tty.
+ # some versions of sshd on the new SE Linux require setattr
+ allow sshd_t ptyfile:chr_file relabelto;
- optional_policy(`
- domain_trans(sshd_t, xauth_exec_t, userdomain)
+ optional_policy(`
+ domain_trans(sshd_t, xauth_exec_t, userdomain)
+ ')
+ ',`
+ optional_policy(`
+ domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
+ ')
+ # Relabel and access ptys created by sshd
+ # ioctl is necessary for logout() processing for utmp entry and for w to
+ # display the tty.
+ # some versions of sshd on the new SE Linux require setattr
+ allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr };
 ')
-',`
- optional_policy(`
- domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
- ')
- # Relabel and access ptys created by sshd
- # ioctl is necessary for logout() processing for utmp entry and for w to
- # display the tty.
- # some versions of sshd on the new SE Linux require setattr
- allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr };
-')
 ') dnl endif TODO
 ########################################
@@ -405,7 +403,6 @@ tunable_policy(`ssh_sysadm_login',`
 dontaudit ssh_keygen_t self:capability sys_tty_config;
 allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
-
 allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
 allow ssh_keygen_t sshd_key_t:file manage_file_perms;
diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
index 07d6748f..be42115f 100644
--- a/policy/modules/services/sssd.te
+++ b/policy/modules/services/sssd.te
@@ -28,6 +28,7 @@ files_pid_file(sssd_var_run_t)
 #
 # sssd local policy
 #
+
 allow sssd_t self:capability { chown dac_read_search dac_override kill sys_nice setgid setuid };
 allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
 allow sssd_t self:fifo_file rw_file_perms;
@@ -40,7 +41,7 @@ manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
 manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
 manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
 manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
-files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } )
+files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir })
 manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
 logging_log_filetrans(sssd_t, sssd_var_log_t, file)
diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te
index 7ecb27b3..279efa6e 100644
--- a/policy/modules/services/stunnel.te
+++ b/policy/modules/services/stunnel.te
@@ -77,7 +77,7 @@ miscfiles_read_localization(stunnel_t)
 sysnet_read_config(stunnel_t)
-ifdef(`distro_gentoo', `
+ifdef(`distro_gentoo',`
 dontaudit stunnel_t self:capability sys_tty_config;
 allow stunnel_t self:udp_socket create_socket_perms;
@@ -120,4 +120,5 @@ ifdef(`distro_gentoo', `
 gen_require(`
 type stunnel_port_t;
 ')
+
 allow stunnel_t stunnel_port_t:tcp_socket name_bind;
diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te
index 111b041d..67607acc 100644
--- a/policy/modules/services/sysstat.te
+++ b/policy/modules/services/sysstat.te
@@ -71,4 +71,3 @@ optional_policy(`
 optional_policy(`
 nscd_socket_use(sysstat_t)
 ')
-
diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te
index 66bfd1ca..b928f29e 100644
--- a/policy/modules/services/tftp.te
+++ b/policy/modules/services/tftp.te
@@ -6,10 +6,10 @@ policy_module(tftp, 1.12.0)
 # ## -##

-## Allow tftp to modify public files -## used for public file transfer services. -##

+##

+## Allow tftp to modify public files +## used for public file transfer services. +##

##
 gen_tunable(tftp_anon_write, false)
diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te
index 0a0074cb..7f0d9a96 100644
--- a/policy/modules/services/tor.te
+++ b/policy/modules/services/tor.te
@@ -6,10 +6,10 @@ policy_module(tor, 1.7.0)
 # ## -##

-## Allow tor daemon to bind -## tcp sockets to all unreserved ports. -##

+##

+## Allow tor daemon to bind +## tcp sockets to all unreserved ports. +##

##
 gen_tunable(tor_bind_all_unreserved_ports, false)
@@ -43,7 +43,6 @@ files_pid_file(tor_var_run_t)
 allow tor_t self:capability { setgid setuid sys_tty_config };
 allow tor_t self:process signal;
-
 allow tor_t self:fifo_file rw_fifo_file_perms;
 allow tor_t self:unix_stream_socket create_stream_socket_perms;
 allow tor_t self:netlink_route_socket r_netlink_socket_perms;
@@ -108,7 +107,7 @@ logging_send_syslog_msg(tor_t)
 miscfiles_read_localization(tor_t)
-tunable_policy(`tor_bind_all_unreserved_ports', `
+tunable_policy(`tor_bind_all_unreserved_ports',`
 corenet_tcp_bind_all_unreserved_ports(tor_t)
 ')
diff --git a/policy/modules/services/ulogd.te b/policy/modules/services/ulogd.te
index eb4d8d50..5ff5e927 100644
--- a/policy/modules/services/ulogd.te
+++ b/policy/modules/services/ulogd.te
@@ -54,10 +54,10 @@ miscfiles_read_localization(ulogd_t)
 sysnet_dns_name_resolve(ulogd_t)
 optional_policy(`
- mysql_stream_connect(ulogd_t)
+ mysql_stream_connect(ulogd_t)
 ')
 optional_policy(`
- postgresql_stream_connect(ulogd_t)
+ postgresql_stream_connect(ulogd_t)
 postgresql_tcp_connect(ulogd_t)
 ')