Whitespace, newline and tab fixes.

This commit is contained in:
Dominick Grift 2010-09-24 09:17:22 +02:00
parent 39178aaf8a
commit 1e2abee10b
14 changed files with 224 additions and 233 deletions


@ -6,7 +6,6 @@ policy_module(razor, 2.1.1)
# #
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
gen_require(` gen_require(`
type spamc_t, spamc_exec_t, spamd_log_t; type spamc_t, spamc_exec_t, spamd_log_t;
type spamd_spool_t, spamd_var_lib_t, spamd_etc_t; type spamd_spool_t, spamd_var_lib_t, spamd_etc_t;
@ -23,126 +22,123 @@ ifdef(`distro_redhat',`
typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t }; typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t }; typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t }; typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
',` ',`
type razor_exec_t;
corecmd_executable_file(razor_exec_t)
type razor_exec_t; type razor_etc_t;
corecmd_executable_file(razor_exec_t) files_config_file(razor_etc_t)
type razor_etc_t; type razor_home_t;
files_config_file(razor_etc_t) typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
files_poly_member(razor_home_t)
userdom_user_home_content(razor_home_t)
type razor_home_t; type razor_log_t;
typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t }; logging_log_file(razor_log_t)
typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
files_poly_member(razor_home_t)
userdom_user_home_content(razor_home_t)
type razor_log_t; type razor_tmp_t;
logging_log_file(razor_log_t) typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
files_tmp_file(razor_tmp_t)
ubac_constrained(razor_tmp_t)
type razor_tmp_t; type razor_var_lib_t;
typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t }; files_type(razor_var_lib_t)
typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
files_tmp_file(razor_tmp_t)
ubac_constrained(razor_tmp_t)
type razor_var_lib_t; # these are here due to ordering issues:
files_type(razor_var_lib_t) razor_common_domain_template(razor)
typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
typealias razor_t alias { auditadm_razor_t secadm_razor_t };
ubac_constrained(razor_t)
# these are here due to ordering issues: razor_common_domain_template(system_razor)
razor_common_domain_template(razor) role system_r types system_razor_t;
typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
typealias razor_t alias { auditadm_razor_t secadm_razor_t };
ubac_constrained(razor_t)
razor_common_domain_template(system_razor) ########################################
role system_r types system_razor_t; #
# System razor local policy
#
######################################## # this version of razor is invoked typically
# # via the system spam filter
# System razor local policy
#
# this version of razor is invoked typically allow system_razor_t self:tcp_socket create_socket_perms;
# via the system spam filter
allow system_razor_t self:tcp_socket create_socket_perms; manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
files_search_etc(system_razor_t)
manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t) allow system_razor_t razor_log_t:file manage_file_perms;
manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t) logging_log_filetrans(system_razor_t, razor_log_t, file)
manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
files_search_etc(system_razor_t)
allow system_razor_t razor_log_t:file manage_file_perms; manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
logging_log_filetrans(system_razor_t, razor_log_t, file) files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t) corenet_all_recvfrom_unlabeled(system_razor_t)
files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file) corenet_all_recvfrom_netlabel(system_razor_t)
corenet_tcp_sendrecv_generic_if(system_razor_t)
corenet_raw_sendrecv_generic_if(system_razor_t)
corenet_tcp_sendrecv_generic_node(system_razor_t)
corenet_raw_sendrecv_generic_node(system_razor_t)
corenet_tcp_sendrecv_razor_port(system_razor_t)
corenet_tcp_connect_razor_port(system_razor_t)
corenet_sendrecv_razor_client_packets(system_razor_t)
corenet_all_recvfrom_unlabeled(system_razor_t) sysnet_read_config(system_razor_t)
corenet_all_recvfrom_netlabel(system_razor_t)
corenet_tcp_sendrecv_generic_if(system_razor_t)
corenet_raw_sendrecv_generic_if(system_razor_t)
corenet_tcp_sendrecv_generic_node(system_razor_t)
corenet_raw_sendrecv_generic_node(system_razor_t)
corenet_tcp_sendrecv_razor_port(system_razor_t)
corenet_tcp_connect_razor_port(system_razor_t)
corenet_sendrecv_razor_client_packets(system_razor_t)
sysnet_read_config(system_razor_t) # cjp: this shouldn't be needed
userdom_use_unpriv_users_fds(system_razor_t)
# cjp: this shouldn't be needed optional_policy(`
userdom_use_unpriv_users_fds(system_razor_t) logging_send_syslog_msg(system_razor_t)
')
optional_policy(`
logging_send_syslog_msg(system_razor_t)
')
optional_policy(`
nscd_socket_use(system_razor_t)
')
########################################
#
# User razor local policy
#
# Allow razor to be run by hand. Needed by any action other than
# invocation from a spam filter.
allow razor_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
manage_files_pattern(razor_t, razor_home_t, razor_home_t)
manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir)
manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
auth_use_nsswitch(razor_t)
logging_send_syslog_msg(razor_t)
userdom_search_user_home_dirs(razor_t)
userdom_use_user_terminals(razor_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(razor_t)
fs_manage_nfs_files(razor_t)
fs_manage_nfs_symlinks(razor_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(razor_t)
fs_manage_cifs_files(razor_t)
fs_manage_cifs_symlinks(razor_t)
')
optional_policy(`
milter_manage_spamass_state(razor_t)
')
optional_policy(`
nscd_socket_use(system_razor_t)
')
########################################
#
# User razor local policy
#
# Allow razor to be run by hand. Needed by any action other than
# invocation from a spam filter.
allow razor_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
manage_files_pattern(razor_t, razor_home_t, razor_home_t)
manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir)
manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
auth_use_nsswitch(razor_t)
logging_send_syslog_msg(razor_t)
userdom_search_user_home_dirs(razor_t)
userdom_use_user_terminals(razor_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(razor_t)
fs_manage_nfs_files(razor_t)
fs_manage_nfs_symlinks(razor_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(razor_t)
fs_manage_cifs_files(razor_t)
fs_manage_cifs_symlinks(razor_t)
')
optional_policy(`
milter_manage_spamass_state(razor_t)
')
') ')


@ -6,9 +6,9 @@ policy_module(rgmanager, 1.0.0)
# #
## <desc> ## <desc>
## <p> ## <p>
## Allow rgmanager domain to connect to the network using TCP. ## Allow rgmanager domain to connect to the network using TCP.
## </p> ## </p>
## </desc> ## </desc>
gen_tunable(rgmanager_can_network_connect, false) gen_tunable(rgmanager_can_network_connect, false)


@ -6,9 +6,9 @@ policy_module(rhcs, 1.1.0)
# #
## <desc> ## <desc>
## <p> ## <p>
## Allow fenced domain to connect to the network using TCP. ## Allow fenced domain to connect to the network using TCP.
## </p> ## </p>
## </desc> ## </desc>
gen_tunable(fenced_can_network_connect, false) gen_tunable(fenced_can_network_connect, false)
@ -111,7 +111,7 @@ tunable_policy(`fenced_can_network_connect',`
# needed by fence_scsi # needed by fence_scsi
optional_policy(` optional_policy(`
corosync_exec(fenced_t) corosync_exec(fenced_t)
') ')
optional_policy(` optional_policy(`
@ -129,7 +129,6 @@ optional_policy(`
# #
allow gfs_controld_t self:capability { net_admin sys_resource }; allow gfs_controld_t self:capability { net_admin sys_resource };
allow gfs_controld_t self:shm create_shm_perms; allow gfs_controld_t self:shm create_shm_perms;
allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms; allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
@ -159,7 +158,6 @@ optional_policy(`
allow groupd_t self:capability { sys_nice sys_resource }; allow groupd_t self:capability { sys_nice sys_resource };
allow groupd_t self:process setsched; allow groupd_t self:process setsched;
allow groupd_t self:shm create_shm_perms; allow groupd_t self:shm create_shm_perms;
dev_list_sysfs(groupd_t) dev_list_sysfs(groupd_t)
@ -174,7 +172,6 @@ init_rw_script_tmp_files(groupd_t)
# #
allow qdiskd_t self:capability { ipc_lock sys_boot }; allow qdiskd_t self:capability { ipc_lock sys_boot };
allow qdiskd_t self:tcp_socket create_stream_socket_perms; allow qdiskd_t self:tcp_socket create_stream_socket_perms;
allow qdiskd_t self:udp_socket create_socket_perms; allow qdiskd_t self:udp_socket create_socket_perms;
@ -226,7 +223,6 @@ optional_policy(`
allow cluster_domain self:capability { sys_nice }; allow cluster_domain self:capability { sys_nice };
allow cluster_domain self:process setsched; allow cluster_domain self:process setsched;
allow cluster_domain self:sem create_sem_perms; allow cluster_domain self:sem create_sem_perms;
allow cluster_domain self:fifo_file rw_fifo_file_perms; allow cluster_domain self:fifo_file rw_fifo_file_perms;
allow cluster_domain self:unix_stream_socket create_stream_socket_perms; allow cluster_domain self:unix_stream_socket create_stream_socket_perms;


@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0)
# #
## <desc> ## <desc>
## <p> ## <p>
## Allow gssd to read temp directory. For access to kerberos tgt. ## Allow gssd to read temp directory. For access to kerberos tgt.
## </p> ## </p>
## </desc> ## </desc>
gen_tunable(allow_gssd_read_tmp, true) gen_tunable(allow_gssd_read_tmp, true)
## <desc> ## <desc>
## <p> ## <p>
## Allow nfs servers to modify public files ## Allow nfs servers to modify public files
## used for public file transfer services. Files/Directories must be ## used for public file transfer services. Files/Directories must be
## labeled public_content_rw_t. ## labeled public_content_rw_t.
## </p> ## </p>
## </desc> ## </desc>
gen_tunable(allow_nfsd_anon_write, false) gen_tunable(allow_nfsd_anon_write, false)


@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0)
# #
# Declarations # Declarations
# #
type snmpd_t; type snmpd_t;
type snmpd_exec_t; type snmpd_exec_t;
init_daemon_domain(snmpd_t, snmpd_exec_t) init_daemon_domain(snmpd_t, snmpd_exec_t)
@ -24,6 +25,7 @@ files_type(snmpd_var_lib_t)
# #
# Local policy # Local policy
# #
allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid sys_ptrace net_admin sys_nice sys_tty_config }; allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid sys_ptrace net_admin sys_nice sys_tty_config };
dontaudit snmpd_t self:capability { sys_module sys_tty_config }; dontaudit snmpd_t self:capability { sys_module sys_tty_config };
allow snmpd_t self:process { signal_perms getsched setsched }; allow snmpd_t self:process { signal_perms getsched setsched };
@ -117,7 +119,7 @@ sysnet_read_config(snmpd_t)
userdom_dontaudit_use_unpriv_user_fds(snmpd_t) userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
userdom_dontaudit_search_user_home_dirs(snmpd_t) userdom_dontaudit_search_user_home_dirs(snmpd_t)
ifdef(`distro_redhat', ` ifdef(`distro_redhat',`
optional_policy(` optional_policy(`
rpm_read_db(snmpd_t) rpm_read_db(snmpd_t)
rpm_dontaudit_manage_db(snmpd_t) rpm_dontaudit_manage_db(snmpd_t)


@ -6,79 +6,79 @@ policy_module(spamassassin, 2.3.1)
# #
## <desc> ## <desc>
## <p> ## <p>
## Allow user spamassassin clients to use the network. ## Allow user spamassassin clients to use the network.
## </p> ## </p>
## </desc> ## </desc>
gen_tunable(spamassassin_can_network, false) gen_tunable(spamassassin_can_network, false)
## <desc> ## <desc>
## <p> ## <p>
## Allow spamd to read/write user home directories. ## Allow spamd to read/write user home directories.
## </p> ## </p>
## </desc> ## </desc>
gen_tunable(spamd_enable_home_dirs, true) gen_tunable(spamd_enable_home_dirs, true)
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
# spamassassin client executable # spamassassin client executable
type spamc_t; type spamc_t;
type spamc_exec_t; type spamc_exec_t;
application_domain(spamc_t, spamc_exec_t) application_domain(spamc_t, spamc_exec_t)
role system_r types spamc_t; role system_r types spamc_t;
type spamd_etc_t; type spamd_etc_t;
files_config_file(spamd_etc_t) files_config_file(spamd_etc_t)
typealias spamc_exec_t alias spamassassin_exec_t; typealias spamc_exec_t alias spamassassin_exec_t;
typealias spamc_t alias spamassassin_t; typealias spamc_t alias spamassassin_t;
type spamc_home_t; type spamc_home_t;
userdom_user_home_content(spamc_home_t) userdom_user_home_content(spamc_home_t)
typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t }; typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t };
typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t }; typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t };
type spamc_tmp_t; type spamc_tmp_t;
files_tmp_file(spamc_tmp_t) files_tmp_file(spamc_tmp_t)
typealias spamc_tmp_t alias spamassassin_tmp_t; typealias spamc_tmp_t alias spamassassin_tmp_t;
typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
', ` ',`
type spamassassin_t; type spamassassin_t;
type spamassassin_exec_t; type spamassassin_exec_t;
typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t }; typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t }; typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t };
application_domain(spamassassin_t, spamassassin_exec_t) application_domain(spamassassin_t, spamassassin_exec_t)
ubac_constrained(spamassassin_t) ubac_constrained(spamassassin_t)
type spamassassin_home_t; type spamassassin_home_t;
typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
userdom_user_home_content(spamassassin_home_t) userdom_user_home_content(spamassassin_home_t)
files_poly_member(spamassassin_home_t) files_poly_member(spamassassin_home_t)
type spamassassin_tmp_t; type spamassassin_tmp_t;
typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
files_tmp_file(spamassassin_tmp_t) files_tmp_file(spamassassin_tmp_t)
ubac_constrained(spamassassin_tmp_t) ubac_constrained(spamassassin_tmp_t)
type spamc_t; type spamc_t;
type spamc_exec_t; type spamc_exec_t;
typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t }; typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t }; typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
application_domain(spamc_t, spamc_exec_t) application_domain(spamc_t, spamc_exec_t)
ubac_constrained(spamc_t) ubac_constrained(spamc_t)
type spamc_tmp_t; type spamc_tmp_t;
typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
files_tmp_file(spamc_tmp_t) files_tmp_file(spamc_tmp_t)
ubac_constrained(spamc_tmp_t) ubac_constrained(spamc_tmp_t)
') ')
type spamd_t; type spamd_t;


@ -6,17 +6,17 @@ policy_module(squid, 1.10.0)
# #
## <desc> ## <desc>
## <p> ## <p>
## Allow squid to connect to all ports, not just ## Allow squid to connect to all ports, not just
## HTTP, FTP, and Gopher ports. ## HTTP, FTP, and Gopher ports.
## </p> ## </p>
## </desc> ## </desc>
gen_tunable(squid_connect_any, false) gen_tunable(squid_connect_any, false)
## <desc> ## <desc>
## <p> ## <p>
## Allow squid to run as a transparent proxy (TPROXY) ## Allow squid to run as a transparent proxy (TPROXY)
## </p> ## </p>
## </desc> ## </desc>
gen_tunable(squid_use_tproxy, false) gen_tunable(squid_use_tproxy, false)


@ -6,23 +6,23 @@ policy_module(ssh, 2.2.0)
# #
## <desc> ## <desc>
## <p> ## <p>
## allow host key based authentication ## allow host key based authentication
## </p> ## </p>
## </desc> ## </desc>
gen_tunable(allow_ssh_keysign, false) gen_tunable(allow_ssh_keysign, false)
## <desc> ## <desc>
## <p> ## <p>
## Allow ssh logins as sysadm_r:sysadm_t ## Allow ssh logins as sysadm_r:sysadm_t
## </p> ## </p>
## </desc> ## </desc>
gen_tunable(ssh_sysadm_login, false) gen_tunable(ssh_sysadm_login, false)
## <desc> ## <desc>
## <p> ## <p>
## allow sshd to forward port connections ## allow sshd to forward port connections
## </p> ## </p>
## </desc> ## </desc>
gen_tunable(sshd_forward_ports, false) gen_tunable(sshd_forward_ports, false)
@ -217,7 +217,6 @@ optional_policy(`
dontaudit ssh_keygen_t self:capability sys_tty_config; dontaudit ssh_keygen_t self:capability sys_tty_config;
allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms; allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
allow ssh_keygen_t sshd_key_t:file manage_file_perms; allow ssh_keygen_t sshd_key_t:file manage_file_perms;
@ -287,7 +286,6 @@ optional_policy(`
# so a tunnel can point to another ssh tunnel # so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write }; allow sshd_t self:key { search link write };
allow sshd_t self:process setcurrent; allow sshd_t self:process setcurrent;
kernel_search_key(sshd_t) kernel_search_key(sshd_t)
@ -303,7 +301,7 @@ term_use_ptmx(sshd_t)
corenet_tcp_bind_xserver_port(sshd_t) corenet_tcp_bind_xserver_port(sshd_t)
corenet_sendrecv_xserver_server_packets(sshd_t) corenet_sendrecv_xserver_server_packets(sshd_t)
tunable_policy(`sshd_forward_ports', ` tunable_policy(`sshd_forward_ports',`
corenet_tcp_bind_all_unreserved_ports(sshd_t) corenet_tcp_bind_all_unreserved_ports(sshd_t)
corenet_tcp_connect_all_ports(sshd_t) corenet_tcp_connect_all_ports(sshd_t)
') ')
@ -373,26 +371,26 @@ optional_policy(`
') ')
ifdef(`TODO',` ifdef(`TODO',`
tunable_policy(`ssh_sysadm_login',` tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd # Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to # ioctl is necessary for logout() processing for utmp entry and for w to
# display the tty. # display the tty.
# some versions of sshd on the new SE Linux require setattr # some versions of sshd on the new SE Linux require setattr
allow sshd_t ptyfile:chr_file relabelto; allow sshd_t ptyfile:chr_file relabelto;
optional_policy(` optional_policy(`
domain_trans(sshd_t, xauth_exec_t, userdomain) domain_trans(sshd_t, xauth_exec_t, userdomain)
')
',`
optional_policy(`
domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
')
# Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to
# display the tty.
# some versions of sshd on the new SE Linux require setattr
allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr };
') ')
',`
optional_policy(`
domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
')
# Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to
# display the tty.
# some versions of sshd on the new SE Linux require setattr
allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr };
')
') dnl endif TODO ') dnl endif TODO
######################################## ########################################
@ -405,7 +403,6 @@ tunable_policy(`ssh_sysadm_login',`
dontaudit ssh_keygen_t self:capability sys_tty_config; dontaudit ssh_keygen_t self:capability sys_tty_config;
allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms; allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
allow ssh_keygen_t sshd_key_t:file manage_file_perms; allow ssh_keygen_t sshd_key_t:file manage_file_perms;


@ -28,6 +28,7 @@ files_pid_file(sssd_var_run_t)
# #
# sssd local policy # sssd local policy
# #
allow sssd_t self:capability { chown dac_read_search dac_override kill sys_nice setgid setuid }; allow sssd_t self:capability { chown dac_read_search dac_override kill sys_nice setgid setuid };
allow sssd_t self:process { setfscreate setsched sigkill signal getsched }; allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
allow sssd_t self:fifo_file rw_file_perms; allow sssd_t self:fifo_file rw_file_perms;
@ -40,7 +41,7 @@ manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } ) files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir })
manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
logging_log_filetrans(sssd_t, sssd_var_log_t, file) logging_log_filetrans(sssd_t, sssd_var_log_t, file)


@ -77,7 +77,7 @@ miscfiles_read_localization(stunnel_t)
sysnet_read_config(stunnel_t) sysnet_read_config(stunnel_t)
ifdef(`distro_gentoo', ` ifdef(`distro_gentoo',`
dontaudit stunnel_t self:capability sys_tty_config; dontaudit stunnel_t self:capability sys_tty_config;
allow stunnel_t self:udp_socket create_socket_perms; allow stunnel_t self:udp_socket create_socket_perms;
@ -120,4 +120,5 @@ ifdef(`distro_gentoo', `
gen_require(` gen_require(`
type stunnel_port_t; type stunnel_port_t;
') ')
allow stunnel_t stunnel_port_t:tcp_socket name_bind; allow stunnel_t stunnel_port_t:tcp_socket name_bind;


@ -71,4 +71,3 @@ optional_policy(`
optional_policy(` optional_policy(`
nscd_socket_use(sysstat_t) nscd_socket_use(sysstat_t)
') ')


@ -6,10 +6,10 @@ policy_module(tftp, 1.12.0)
# #
## <desc> ## <desc>
## <p> ## <p>
## Allow tftp to modify public files ## Allow tftp to modify public files
## used for public file transfer services. ## used for public file transfer services.
## </p> ## </p>
## </desc> ## </desc>
gen_tunable(tftp_anon_write, false) gen_tunable(tftp_anon_write, false)


@ -6,10 +6,10 @@ policy_module(tor, 1.7.0)
# #
## <desc> ## <desc>
## <p> ## <p>
## Allow tor daemon to bind ## Allow tor daemon to bind
## tcp sockets to all unreserved ports. ## tcp sockets to all unreserved ports.
## </p> ## </p>
## </desc> ## </desc>
gen_tunable(tor_bind_all_unreserved_ports, false) gen_tunable(tor_bind_all_unreserved_ports, false)
@ -43,7 +43,6 @@ files_pid_file(tor_var_run_t)
allow tor_t self:capability { setgid setuid sys_tty_config }; allow tor_t self:capability { setgid setuid sys_tty_config };
allow tor_t self:process signal; allow tor_t self:process signal;
allow tor_t self:fifo_file rw_fifo_file_perms; allow tor_t self:fifo_file rw_fifo_file_perms;
allow tor_t self:unix_stream_socket create_stream_socket_perms; allow tor_t self:unix_stream_socket create_stream_socket_perms;
allow tor_t self:netlink_route_socket r_netlink_socket_perms; allow tor_t self:netlink_route_socket r_netlink_socket_perms;
@ -108,7 +107,7 @@ logging_send_syslog_msg(tor_t)
miscfiles_read_localization(tor_t) miscfiles_read_localization(tor_t)
tunable_policy(`tor_bind_all_unreserved_ports', ` tunable_policy(`tor_bind_all_unreserved_ports',`
corenet_tcp_bind_all_unreserved_ports(tor_t) corenet_tcp_bind_all_unreserved_ports(tor_t)
') ')


@ -54,10 +54,10 @@ miscfiles_read_localization(ulogd_t)
sysnet_dns_name_resolve(ulogd_t) sysnet_dns_name_resolve(ulogd_t)
optional_policy(` optional_policy(`
mysql_stream_connect(ulogd_t) mysql_stream_connect(ulogd_t)
') ')
optional_policy(` optional_policy(`
postgresql_stream_connect(ulogd_t) postgresql_stream_connect(ulogd_t)
postgresql_tcp_connect(ulogd_t) postgresql_tcp_connect(ulogd_t)
') ')