trunk: additional whitespace fixes.

This commit is contained in:
Chris PeBenito 2008-10-17 15:52:39 +00:00
parent 88cf0a9c2b
commit 2a98379a24
43 changed files with 106 additions and 121 deletions

View File

@ -68,7 +68,7 @@ template(`cdrecord_per_role_template', `
# allow searching for cdrom-drive
dev_list_all_dev_nodes($1_cdrecord_t)
domain_interactive_fd($1_cdrecord_t)
domain_use_interactive_fds($1_cdrecord_t)
@ -80,7 +80,7 @@ template(`cdrecord_per_role_template', `
# allow cdrecord to write the CD
storage_raw_write_removable_device($1_cdrecord_t)
storage_write_scsi_generic($1_cdrecord_t)
libs_use_ld_so($1_cdrecord_t)
libs_use_shared_libs($1_cdrecord_t)
@ -100,7 +100,7 @@ template(`cdrecord_per_role_template', `
files_list_home($1_cdrecord_t)
fs_read_nfs_files($1_cdrecord_t)
fs_read_nfs_symlinks($1_cdrecord_t)
',`
files_dontaudit_list_home($1_cdrecord_t)
fs_dontaudit_list_auto_mountpoints($1_cdrecord_t)
@ -119,7 +119,7 @@ template(`cdrecord_per_role_template', `
fs_dontaudit_read_cifs_files($1_cdrecord_t)
fs_dontaudit_list_cifs($1_cdrecord_t)
')
# Handle removable media, /tmp, and /home
tunable_policy(`cdrecord_read_content',`
userdom_list_user_tmp($1, $1_cdrecord_t)
@ -128,7 +128,7 @@ template(`cdrecord_per_role_template', `
userdom_search_user_home_dirs($1, $1_cdrecord_t)
userdom_read_user_home_content_files($1, $1_cdrecord_t)
userdom_read_user_home_content_symlinks($1, $1_cdrecord_t)
ifdef(`enable_mls',`
',`
fs_search_removable($1_cdrecord_t)
@ -145,7 +145,7 @@ template(`cdrecord_per_role_template', `
userdom_dontaudit_list_user_home_dirs($1, $1_cdrecord_t)
userdom_dontaudit_read_user_home_content_files($1, $1_cdrecord_t)
')
# Handle default_t content
tunable_policy(`cdrecord_read_content && read_default_t',`
files_list_default($1_cdrecord_t)
@ -155,7 +155,7 @@ template(`cdrecord_per_role_template', `
files_dontaudit_read_default_files($1_cdrecord_t)
files_dontaudit_list_default($1_cdrecord_t)
')
# Handle untrusted content
tunable_policy(`cdrecord_read_content && read_untrusted_content',`
files_list_tmp($1_cdrecord_t)
@ -183,7 +183,7 @@ template(`cdrecord_per_role_template', `
fs_read_nfs_files($1_cdrecord_t)
fs_read_nfs_symlinks($1_cdrecord_t)
')
optional_policy(`
resmgr_stream_connect($1_cdrecord_t)
')

View File

@ -114,7 +114,7 @@ template(`ethereal_per_role_template',`
corenet_tcp_connect_generic_port($1_ethereal_t)
corenet_tcp_sendrecv_generic_if($1_ethereal_t)
dev_read_urand($1_ethereal_t)
files_read_etc_files($1_ethereal_t)
@ -135,7 +135,7 @@ template(`ethereal_per_role_template',`
sysnet_read_config($1_ethereal_t)
userdom_manage_user_home_content_files($1, $1_ethereal_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_ethereal_t)
fs_manage_nfs_files($1_ethereal_t)
@ -162,7 +162,7 @@ template(`ethereal_per_role_template',`
xserver_user_x_domain_template($1, $1_ethereal, $1_ethereal_t, $1_ethereal_tmpfs_t)
xserver_create_xdm_tmp_sockets($1_ethereal_t)
')
ifdef(`TODO',`
# Why does it write this?
optional_policy(`
@ -173,7 +173,7 @@ template(`ethereal_per_role_template',`
gnome_file_dialog($1_ethereal, $1)
# FIXME: policy is incomplete
')
')
#######################################
@ -204,7 +204,7 @@ template(`ethereal_admin_template',`
allow $1_ethereal_t self:packet_socket create_socket_perms;
allow $1_ethereal_t self:unix_stream_socket create_stream_socket_perms;
allow $1_ethereal_t self:tcp_socket create_socket_perms;
userdom_use_user_terminals($1, $1_ethereal_t)
# Ethereal tries to write to user terminal
userdom_dontaudit_use_user_terminals($1, $1_ethereal_t)

View File

@ -53,7 +53,7 @@ template(`evolution_per_role_template',`
type $1_evolution_orbit_tmp_t;
files_tmp_file($1_evolution_orbit_tmp_t)
type $1_evolution_alarm_t;
application_domain($1_evolution_alarm_t, evolution_alarm_exec_t)
role $3 types $1_evolution_alarm_t;
@ -153,7 +153,7 @@ template(`evolution_per_role_template',`
allow $1_evolution_t $2:file read;
domain_auto_trans($2, evolution_exec_t, $1_evolution_t)
allow $2 $1_evolution_t:unix_stream_socket connectto;
allow $2 $1_evolution_t:process noatsecure;
allow $2 $1_evolution_t:process signal_perms;
@ -267,7 +267,7 @@ template(`evolution_per_role_template',`
files_list_home($1_evolution_t)
fs_read_nfs_files($1_evolution_t)
fs_read_nfs_symlinks($1_evolution_t)
',`
files_dontaudit_list_home($1_evolution_t)
fs_dontaudit_list_auto_mountpoints($1_evolution_t)
@ -294,7 +294,7 @@ template(`evolution_per_role_template',`
userdom_search_user_home_dirs($1, $1_evolution_t)
userdom_read_user_home_content_files($1, $1_evolution_t)
userdom_read_user_home_content_symlinks($1, $1_evolution_t)
ifndef(`enable_mls',`
fs_search_removable($1_evolution_t)
fs_read_removable_files($1_evolution_t)
@ -324,7 +324,7 @@ template(`evolution_per_role_template',`
files_list_tmp($1_evolution_t)
files_list_home($1_evolution_t)
userdom_search_user_home_dirs($1,$1_evolution_t)
userdom_list_user_untrusted_content($1, $1_evolution_t)
userdom_read_user_untrusted_content_files($1, $1_evolution_t)
userdom_read_user_untrusted_content_symlinks($1, $1_evolution_t)
@ -343,7 +343,7 @@ template(`evolution_per_role_template',`
tunable_policy(`write_untrusted_content && use_nfs_home_dirs',`
files_search_home($1_evolution_t)
fs_search_auto_mountpoints($1_evolution_t)
fs_manage_nfs_dirs($1_evolution_t)
fs_manage_nfs_files($1_evolution_t)
@ -356,7 +356,7 @@ template(`evolution_per_role_template',`
tunable_policy(`write_untrusted_content && use_samba_home_dirs',`
files_search_home($1_evolution_t)
fs_search_auto_mountpoints($1_evolution_t)
fs_manage_cifs_dirs($1_evolution_t)
fs_manage_cifs_files($1_evolution_t)
@ -369,7 +369,7 @@ template(`evolution_per_role_template',`
tunable_policy(`write_untrusted_content',`
files_search_home($1_evolution_t)
userdom_manage_user_untrusted_content_files($1, $1_evolution_t)
userdom_user_home_dir_filetrans($1, $1_evolution_t, $1_untrusted_content_tmp_t, { file dir })
userdom_user_home_content_filetrans($1, $1_evolution_t, $1_untrusted_content_tmp_t, { file dir })
@ -377,7 +377,7 @@ template(`evolution_per_role_template',`
',`
files_dontaudit_list_home($1_evolution_t)
files_dontaudit_list_tmp($1_evolution_t)
userdom_dontaudit_list_user_home_dirs($1, $1_evolution_t)
#userdom_dontaudit_manage_user_tmp($1,$1_evolution_t)
#userdom_dontaudit_manage_user_tmp_files($1,$1_evolution_t)
@ -449,12 +449,12 @@ template(`evolution_per_role_template',`
# (different from home, not directly accessible from ROLE_t)
type $1_evolutioin_secret_t;
userdom_user_home_content($1,$1_evolutioin_secret_t)
# Put secret files in .gnome2_private
allow $1_evolution_t $1_gnome_secret_t:dir rw_dir_perms;
allow $1_evolution_t $1_evolutioin_secret_t:file manage_file_perms;
type_transition $1_evolution_t $1_gnome_secret_t:file $1_evolutioin_secret_t;
allow $2 $1_evolution_secret_t:file unlink;
ifdef(`TODO',`
@ -503,7 +503,7 @@ template(`evolution_per_role_template',`
libs_use_ld_so($1_evolution_alarm_t)
libs_use_shared_libs($1_evolution_alarm_t)
miscfiles_read_localization($1_evolution_alarm_t)
# Access evolution home
@ -588,7 +588,7 @@ template(`evolution_per_role_template',`
# Transition from user domain
domain_auto_trans($2, evolution_exchange_exec_t, $1_evolution_exchange_t)
kernel_read_network_state($1_evolution_exchange_t)
kernel_read_net_sysctls($1_evolution_exchange_t)
@ -607,7 +607,7 @@ template(`evolution_per_role_template',`
libs_use_shared_libs($1_evolution_exchange_t)
miscfiles_read_localization($1_evolution_exchange_t)
# Access evolution home
userdom_search_user_home_dirs($1, $1_evolution_exchange_t)
# FIXME: suppress access to .local/.icons/.themes until properly implemented
@ -629,7 +629,7 @@ template(`evolution_per_role_template',`
optional_policy(`
gnome_stream_connect_gconf_template($1, $1_evolution_exchange_t)
')
optional_policy(`
nscd_socket_use($1_evolution_exchange_t)
')
@ -740,7 +740,7 @@ template(`evolution_per_role_template',`
#
allow $1_evolution_webcal_t self:tcp_socket create_socket_perms;
# X/evolution common stuff
allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:dir rw_dir_perms;
allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:file manage_file_perms;

View File

@ -55,7 +55,7 @@ template(`games_per_role_template',`
type $1_games_tmp_t;
files_tmp_file($1_games_tmp_t)
########################################
#
# Local policy
@ -136,7 +136,7 @@ template(`games_per_role_template',`
userdom_manage_user_tmp_sockets($1,$1_games_t)
# Suppress .icons denial until properly implemented
userdom_dontaudit_read_user_home_content_files($1,$1_games_t)
tunable_policy(`allow_execmem',`
allow $1_games_t self:process execmem;
')

View File

@ -108,7 +108,7 @@ template(`gnome_per_role_template',`
xserver_rw_xdm_pipes($1_gconfd_t)
')
')
########################################
## <summary>
## gconf connection template.

View File

@ -55,7 +55,7 @@ template(`irc_per_role_template',`
type $1_irc_tmp_t;
userdom_user_home_content($1, $1_irc_tmp_t)
########################################
#
# Local policy
@ -80,13 +80,13 @@ template(`irc_per_role_template',`
# Transition from the user domain to the derived domain.
domtrans_pattern($2, irc_exec_t, $1_irc_t)
allow $2 $1_irc_exec_t:file { relabelfrom relabelto manage_file_perms };
# allow ps to show irc
ps_process_pattern($2, $1_irc_t)
allow $2 $1_irc_t:process signal;
kernel_read_proc_symlinks($1_irc_t)
corenet_all_recvfrom_unlabeled($1_irc_t)

View File

@ -36,7 +36,7 @@ template(`java_per_role_template',`
gen_require(`
type java_exec_t;
')
########################################
#
# Declarations
@ -45,13 +45,13 @@ template(`java_per_role_template',`
type $1_javaplugin_t;
application_domain($1_javaplugin_t, java_exec_t)
role $3 types $1_javaplugin_t;
type $1_javaplugin_tmp_t;
files_tmp_file($1_javaplugin_tmp_t)
type $1_javaplugin_tmpfs_t;
files_tmpfs_file($1_javaplugin_tmpfs_t)
########################################
#
# Local policy
@ -61,7 +61,7 @@ template(`java_per_role_template',`
allow $1_javaplugin_t self:fifo_file rw_fifo_file_perms;
allow $1_javaplugin_t self:tcp_socket create_socket_perms;
allow $1_javaplugin_t self:udp_socket create_socket_perms;
allow $1_javaplugin_t $2:unix_stream_socket connectto;
allow $1_javaplugin_t $2:unix_stream_socket { read write };
userdom_write_user_tmp_sockets($1, $1_javaplugin_t)
@ -80,14 +80,14 @@ template(`java_per_role_template',`
read_files_pattern($1_javaplugin_t, $1_home_t, $1_home_t)
can_exec($1_javaplugin_t, java_exec_t)
# The user role is authorized for this domain.
domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t)
allow $1_javaplugin_t $2:fd use;
# Unrestricted inheritance from the caller.
allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh };
allow $1_javaplugin_t $2:process signull;
kernel_read_all_sysctls($1_javaplugin_t)
kernel_search_vm_sysctl($1_javaplugin_t)
kernel_read_network_state($1_javaplugin_t)

View File

@ -68,14 +68,14 @@ template(`lockdev_per_role_template',`
files_read_all_locks($1_lockdev_t)
fs_getattr_xattr_fs($1_lockdev_t)
libs_use_ld_so($1_lockdev_t)
libs_use_shared_libs($1_lockdev_t)
logging_send_syslog_msg($1_lockdev_t)
userdom_use_user_terminals($1, $1_lockdev_t)
optional_policy(`
logging_send_syslog_msg($1_t)
')

View File

@ -111,7 +111,7 @@ template(`mozilla_per_role_template',`
# Allow the user domain to signal/ps.
ps_process_pattern($2, $1_mozilla_t)
allow $2 $1_mozilla_t:process signal_perms;
kernel_read_kernel_sysctls($1_mozilla_t)
kernel_read_network_state($1_mozilla_t)
# Access /proc, sysctl
@ -171,7 +171,7 @@ template(`mozilla_per_role_template',`
fs_rw_tmpfs_files($1_mozilla_t)
term_dontaudit_getattr_pty_dirs($1_mozilla_t)
libs_use_ld_so($1_mozilla_t)
libs_use_shared_libs($1_mozilla_t)
@ -183,14 +183,14 @@ template(`mozilla_per_role_template',`
# Browse the web, connect to printer
sysnet_dns_name_resolve($1_mozilla_t)
sysnet_read_config($1_mozilla_t)
userdom_manage_user_home_content_dirs($1, $1_mozilla_t)
userdom_manage_user_home_content_files($1, $1_mozilla_t)
userdom_manage_user_home_content_symlinks($1, $1_mozilla_t)
userdom_manage_user_tmp_dirs($1, $1_mozilla_t)
userdom_manage_user_tmp_files($1, $1_mozilla_t)
userdom_manage_user_tmp_sockets($1, $1_mozilla_t)
xserver_user_x_domain_template($1, $1_mozilla, $1_mozilla_t, $1_mozilla_tmpfs_t)
xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t)
xserver_dontaudit_getattr_xdm_tmp_sockets($1_mozilla_t)
@ -217,7 +217,7 @@ template(`mozilla_per_role_template',`
files_list_home($1_mozilla_t)
fs_read_nfs_files($1_mozilla_t)
fs_read_nfs_symlinks($1_mozilla_t)
',`
files_dontaudit_list_home($1_mozilla_t)
fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
@ -244,7 +244,7 @@ template(`mozilla_per_role_template',`
userdom_search_user_home_dirs($1, $1_mozilla_t)
userdom_read_user_home_content_files($1, $1_mozilla_t)
userdom_read_user_home_content_symlinks($1, $1_mozilla_t)
ifdef(`enable_mls',`',`
fs_search_removable($1_mozilla_t)
fs_read_removable_files($1_mozilla_t)
@ -274,7 +274,7 @@ template(`mozilla_per_role_template',`
files_list_tmp($1_mozilla_t)
files_list_home($1_mozilla_t)
userdom_search_user_home_dirs($1, $1_mozilla_t)
userdom_list_user_untrusted_content($1, $1_mozilla_t)
userdom_read_user_untrusted_content_files($1, $1_mozilla_t)
userdom_read_user_untrusted_content_symlinks($1, $1_mozilla_t)
@ -389,7 +389,7 @@ template(`mozilla_per_role_template',`
#domain_auto_trans($1_mozilla_t, evolution_exec_t, $1_evolution_t)
#domain_auto_trans($1_mozilla_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
#')
# Macros for mozilla/mozilla (or other browser) domains.
# FIXME: Rules were removed to centralize policy in a gnome_app macro
# A similar thing might be necessary for mozilla compiled without GNOME

View File

@ -70,7 +70,7 @@ template(`mplayer_per_role_template',`
allow $1_mencoder_t mplayer_etc_t:dir list_dir_perms;
read_files_pattern($1_mencoder_t, mplayer_etc_t, mplayer_etc_t)
read_lnk_files_pattern($1_mencoder_t, mplayer_etc_t, mplayer_etc_t)
# domain transition
domtrans_pattern($2, mencoder_exec_t, $1_mencoder_t)
@ -150,7 +150,7 @@ template(`mplayer_per_role_template',`
files_list_home($1_mencoder_t)
fs_read_nfs_files($1_mencoder_t)
fs_read_nfs_symlinks($1_mencoder_t)
',`
files_dontaudit_list_home($1_mencoder_t)
fs_dontaudit_list_auto_mountpoints($1_mencoder_t)
@ -182,7 +182,7 @@ template(`mplayer_per_role_template',`
tunable_policy(`read_untrusted_content',`
files_list_tmp($1_mencoder_t)
files_list_home($1_mencoder_t)
userdom_list_user_untrusted_content($1, $1_mencoder_t)
userdom_read_user_untrusted_content_files($1, $1_mencoder_t)
userdom_read_user_untrusted_content_symlinks($1, $1_mencoder_t)
@ -342,7 +342,7 @@ template(`mplayer_per_role_template',`
userdom_read_user_home_content_symlinks($1, $1_mplayer_t)
xserver_user_x_domain_template($1, $1_mplayer, $1_mplayer_t, $1_mplayer_tmpfs_t)
# Read songs
ifdef(`enable_mls',`',`
fs_search_removable($1_mplayer_t)
@ -384,7 +384,7 @@ template(`mplayer_per_role_template',`
files_list_home($1_mplayer_t)
fs_read_nfs_files($1_mplayer_t)
fs_read_nfs_symlinks($1_mplayer_t)
',`
files_dontaudit_list_home($1_mplayer_t)
fs_dontaudit_list_auto_mountpoints($1_mplayer_t)
@ -416,7 +416,7 @@ template(`mplayer_per_role_template',`
tunable_policy(`read_untrusted_content',`
files_list_tmp($1_mplayer_t)
files_list_home($1_mplayer_t)
userdom_list_user_untrusted_content($1, $1_mplayer_t)
userdom_read_user_untrusted_content_files($1, $1_mplayer_t)
userdom_read_user_untrusted_content_symlinks($1, $1_mplayer_t)

View File

@ -55,7 +55,7 @@ template(`screen_per_role_template',`
type $1_screen_var_run_t;
files_pid_file($1_screen_var_run_t)
########################################
#
# Local policy
@ -97,7 +97,7 @@ template(`screen_per_role_template',`
relabel_dirs_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t)
relabel_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t)
relabel_lnk_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t)
kernel_read_system_state($1_screen_t)
kernel_read_kernel_sysctls($1_screen_t)

View File

@ -49,7 +49,7 @@ template(`thunderbird_per_role_template',`
type $1_thunderbird_tmpfs_t;
files_tmpfs_file($1_thunderbird_tmpfs_t)
########################################
#
# Local policy
@ -94,12 +94,12 @@ template(`thunderbird_per_role_template',`
relabel_dirs_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t)
relabel_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t)
relabel_lnk_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t)
# Allow netstat
kernel_read_network_state($1_thunderbird_t)
kernel_read_net_sysctls($1_thunderbird_t)
kernel_read_system_state($1_thunderbird_t)
# Startup shellscript
corecmd_exec_shell($1_thunderbird_t)
@ -144,7 +144,7 @@ template(`thunderbird_per_role_template',`
fs_list_inotifyfs($1_thunderbird_t)
# Access ~/.thunderbird
fs_search_auto_mountpoints($1_thunderbird_t)
auth_use_nsswitch($1_thunderbird_t)
libs_use_shared_libs($1_thunderbird_t)
@ -204,14 +204,14 @@ template(`thunderbird_per_role_template',`
fs_dontaudit_read_cifs_files($1_thunderbird_t)
fs_dontaudit_list_cifs($1_thunderbird_t)
')
tunable_policy(`mail_read_content',`
userdom_list_user_tmp($1, $1_thunderbird_t)
userdom_read_user_tmp_files($1, $1_thunderbird_t)
userdom_read_user_tmp_symlinks($1, $1_thunderbird_t)
userdom_search_user_home_dirs($1, $1_thunderbird_t)
userdom_read_user_home_content_files($1, $1_thunderbird_t)
ifndef(`enable_mls',`
fs_search_removable($1_thunderbird_t)
fs_read_removable_files($1_thunderbird_t)
@ -229,7 +229,7 @@ template(`thunderbird_per_role_template',`
userdom_dontaudit_list_user_home_dirs($1, $1_thunderbird_t)
userdom_dontaudit_read_user_home_content_files($1, $1_thunderbird_t)
')
tunable_policy(`mail_read_content && read_default_t',`
files_list_default($1_thunderbird_t)
files_read_default_files($1_thunderbird_t)
@ -238,7 +238,7 @@ template(`thunderbird_per_role_template',`
files_dontaudit_read_default_files($1_thunderbird_t)
files_dontaudit_list_default($1_thunderbird_t)
')
tunable_policy(`mail_read_content && read_untrusted_content',`
files_list_tmp($1_thunderbird_t)
files_list_home($1_thunderbird_t)
@ -274,7 +274,7 @@ template(`thunderbird_per_role_template',`
fs_dontaudit_manage_nfs_dirs($1_thunderbird_t)
fs_dontaudit_manage_nfs_files($1_thunderbird_t)
')
# Manage samba homedirs
tunable_policy(`write_untrusted_content && use_samba_home_dirs',`
files_search_home($1_thunderbird_t)
@ -288,7 +288,7 @@ template(`thunderbird_per_role_template',`
fs_dontaudit_manage_cifs_dirs($1_thunderbird_t)
fs_dontaudit_manage_cifs_files($1_thunderbird_t)
')
# Manage /tmp and /home
tunable_policy(`write_untrusted_content',`
files_search_home($1_thunderbird_t)

View File

@ -55,7 +55,7 @@ template(`tvtime_per_role_template',`
type $1_tvtime_tmpfs_t;
files_tmpfs_file($1_tvtime_tmpfs_t)
########################################
#
# Local policy
@ -96,7 +96,7 @@ template(`tvtime_per_role_template',`
# Allow the user domain to signal/ps.
ps_process_pattern($2,$1_tvtime_t)
allow $2 $1_tvtime_t:process signal_perms;
kernel_read_all_sysctls($1_tvtime_t)
kernel_get_sysvipc_info($1_tvtime_t)
@ -111,7 +111,7 @@ template(`tvtime_per_role_template',`
# X access, Home files
fs_search_auto_mountpoints($1_tvtime_t)
libs_use_ld_so($1_tvtime_t)
libs_use_shared_libs($1_tvtime_t)
@ -120,7 +120,7 @@ template(`tvtime_per_role_template',`
userdom_use_user_terminals($1, $1_tvtime_t)
userdom_read_user_home_content_files($1, $1_tvtime_t)
# X access, Home files
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_tvtime_t)

View File

@ -1,5 +1,5 @@
## <summary>Policy for UML</summary>
#######################################
## <summary>
## The per role template for the uml module.
@ -142,7 +142,7 @@ template(`uml_per_role_template',`
# for mconsole
allow { $2 $1_uml_t } $1_uml_t:unix_dgram_socket sendto;
allow $1_uml_t $2:unix_dgram_socket sendto;
kernel_read_system_state($1_uml_t)
# for SKAS - need something better
kernel_write_proc_files($1_uml_t)
@ -161,7 +161,7 @@ template(`uml_per_role_template',`
corenet_tcp_connect_all_ports($1_uml_t)
corenet_sendrecv_all_client_packets($1_uml_t)
corenet_rw_tun_tap_dev($1_uml_t)
domain_use_interactive_fds($1_uml_t)
# for xterm

View File

@ -49,7 +49,7 @@ template(`userhelper_per_role_template',`
domain_interactive_fd($1_userhelper_t)
domain_subj_id_change_exemption($1_userhelper_t)
role $3 types $1_userhelper_t;
########################################
#
# Local policy
@ -78,7 +78,7 @@ template(`userhelper_per_role_template',`
can_exec($1_userhelper_t, userhelper_exec_t)
dontaudit $2 $1_userhelper_t:process signal;
kernel_read_all_sysctls($1_userhelper_t)
kernel_getattr_debugfs($1_userhelper_t)
kernel_read_system_state($1_userhelper_t)
@ -164,7 +164,7 @@ template(`userhelper_per_role_template',`
sysadm_bin_spec_domtrans($1_userhelper_t)
sysadm_entry_spec_domtrans($1_userhelper_t)
')
optional_policy(`
ethereal_domtrans_user_ethereal($1, $1_userhelper_t)
')

View File

@ -114,7 +114,7 @@ template(`wireshark_per_role_template',`
corenet_tcp_connect_generic_port($1_wireshark_t)
corenet_tcp_sendrecv_generic_if($1_wireshark_t)
dev_read_urand($1_wireshark_t)
files_read_etc_files($1_wireshark_t)
@ -135,7 +135,7 @@ template(`wireshark_per_role_template',`
sysnet_read_config($1_wireshark_t)
userdom_manage_user_home_content_files($1, $1_wireshark_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_wireshark_t)
fs_manage_nfs_files($1_wireshark_t)
@ -162,7 +162,7 @@ template(`wireshark_per_role_template',`
xserver_user_client_template($1, $1_wireshark_t, $1_wireshark_tmpfs_t)
xserver_create_xdm_tmp_sockets($1_wireshark_t)
')
ifdef(`TODO',`
# Why does it write this?
optional_policy(`
@ -173,7 +173,7 @@ template(`wireshark_per_role_template',`
gnome_file_dialog($1_wireshark, $1)
# FIXME: policy is incomplete
')
')
#######################################
@ -204,7 +204,7 @@ template(`wireshark_admin_template',`
allow $1_wireshark_t self:packet_socket create_socket_perms;
allow $1_wireshark_t self:unix_stream_socket create_stream_socket_perms;
allow $1_wireshark_t self:tcp_socket create_socket_perms;
userdom_use_user_terminals($1, $1_wireshark_t)
# wireshark tries to write to user terminal
userdom_dontaudit_use_user_terminals($1, $1_wireshark_t)

View File

@ -19,7 +19,6 @@ interface(`aide_domtrans',`
domtrans_pattern($1, aide_exec_t, aide_t)
')
########################################
## <summary>
## Execute aide programs in the AIDE domain.

View File

@ -37,7 +37,6 @@ interface(`apcupsd_read_pid_files',`
allow $1 apcupsd_var_run_t:file read_file_perms;
')
########################################
## <summary>
## Allow the specified domain to read apcupsd's log files.

View File

@ -110,10 +110,10 @@ optional_policy(`
optional_policy(`
apache_content_template(apcupsd_cgi)
allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t)
corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t)
corenet_tcp_sendrecv_all_if(httpd_apcupsd_cgi_script_t)
@ -123,6 +123,6 @@ optional_policy(`
corenet_udp_sendrecv_all_if(httpd_apcupsd_cgi_script_t)
corenet_udp_sendrecv_all_nodes(httpd_apcupsd_cgi_script_t)
corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
sysnet_dns_name_resolve(httpd_apcupsd_cgi_script_t)
')

View File

@ -14,7 +14,6 @@ type apm_exec_t;
application_domain(apm_t, apm_exec_t)
role system_r types apm_t;
type apmd_log_t;
logging_log_file(apmd_log_t)

View File

@ -284,9 +284,9 @@ interface(`bind_admin',`
allow $1 named_t:process { ptrace signal_perms };
ps_process_pattern($1, named_t)
allow $1 ndc_t:process { ptrace signal_perms };
ps_process_pattern($1, ndc_t)
bind_run_ndc($1, $2, $3)
')

View File

@ -41,7 +41,7 @@ template(`bluetooth_per_role_template',`
type $1_bluetooth_t, bluetooth_helper_domain;
application_domain($1_bluetooth_t, bluetooth_helper_exec_t)
role $3 types $1_bluetooth_t;
type $1_bluetooth_tmp_t;
files_tmp_file($1_bluetooth_tmp_t)

View File

@ -63,7 +63,7 @@ interface(`cvs_admin',`
allow $1 cvs_t:process { ptrace signal_perms };
ps_process_pattern($1, cvs_t)
# Allow cvs_t to restart the apache service
init_labeled_script_domtrans($1, cvs_initrc_exec_t)
domain_system_change_exemption($1)

View File

@ -20,7 +20,6 @@ interface(`cyrus_manage_data',`
manage_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t)
')
########################################
## <summary>
## Connect to Cyrus using a unix domain stream socket.
@ -81,4 +80,3 @@ interface(`cyrus_admin',`
admin_pattern($1, cyrus_var_run_t)
')

View File

@ -34,6 +34,3 @@ ifdef(`distro_redhat', `
/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)

View File

@ -283,7 +283,6 @@ interface(`hal_read_pid_files',`
allow $1 hald_var_run_t:file read_file_perms;
')
########################################
## <summary>
## Read/Write hald PID files.

View File

@ -156,7 +156,6 @@ interface(`inn_dgram_send',`
allow $1 innd_t:unix_dgram_socket sendto;
')
########################################
## <summary>
## Execute inn in the inn domain.

View File

@ -53,7 +53,6 @@ interface(`ldap_use',`
refpolicywarn(`$0($*) has been deprecated.')
')
########################################
## <summary>
## Connect to slapd over an unix stream socket.

View File

@ -62,7 +62,7 @@ template(`lpd_per_role_template',`
allow $1_lpr_t self:tcp_socket create_socket_perms;
allow $1_lpr_t self:udp_socket create_socket_perms;
allow $1_lpr_t self:netlink_route_socket r_netlink_socket_perms;
can_exec($1_lpr_t,lpr_exec_t)
tunable_policy(`use_lpd_server',`
@ -133,7 +133,7 @@ template(`lpd_per_role_template',`
# Access the terminal.
term_use_controlling_term($1_lpr_t)
term_use_generic_ptys($1_lpr_t)
libs_use_ld_so($1_lpr_t)
libs_use_shared_libs($1_lpr_t)

View File

@ -7,4 +7,3 @@ HOME_DIR/\.oidentd.conf gen_context(system_u:object_r:ROLE_oidentd_home_t, s0)
/usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t, s0)

View File

@ -331,7 +331,7 @@ interface(`ppp_admin',`
allow $1 pppd_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, pppd_t)
files_list_tmp($1)
manage_files_pattern($1, pppd_tmp_t, pppd_tmp_t)

View File

@ -37,7 +37,6 @@ interface(`rpcbind_read_pid_files',`
allow $1 rpcbind_var_run_t:file read_file_perms;
')
########################################
## <summary>
## Search rpcbind lib directories.
@ -121,7 +120,7 @@ interface(`rpcbind_admin',`
allow $1 rpcbind_t:process { ptrace signal_perms };
ps_process_pattern($1, rpcbind_t)
init_labeled_script_domtrans($1, rbcbind_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 rpcbind_initrc_exec_t system_r;

View File

@ -57,7 +57,6 @@ interface(`rwho_read_log_files',`
logging_search_logs($1)
')
########################################
## <summary>
## Search rwho spool directories.

View File

@ -491,7 +491,7 @@ interface(`samba_stream_connect_winbind',`
files_search_pids($1)
allow $1 samba_var_t:dir search_dir_perms;
stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t)
ifndef(`distro_redhat',`
gen_require(`
type winbind_tmp_t;

View File

@ -650,7 +650,6 @@ optional_policy(`
# Winbind local policy
#
allow winbind_t self:capability { dac_override ipc_lock setuid };
dontaudit winbind_t self:capability sys_tty_config;
allow winbind_t self:process signal_perms;

View File

@ -105,7 +105,7 @@ interface(`snmp_admin',`
allow $1 snmpd_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, snmpd_t)
logging_list_logs($1)
manage_files_pattern($1, snmpd_log_t, snmpd_log_t)

View File

@ -195,7 +195,7 @@ interface(`squid_admin',`
allow $1 squid_t:process { ptrace signal_perms };
ps_process_pattern($1, squid_t)
init_labeled_script_domtrans($1, squid_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 squid_initrc_exec_t system_r;

View File

@ -19,7 +19,7 @@ interface(`tftp_admin',`
allow $1 tftpd_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, tftpd_t)
admin_pattern($1, tftpdir_rw_t)
admin_pattern($1, tftpdir_t)

View File

@ -82,7 +82,7 @@ interface(`uucp_admin',`
allow $1 uucpd_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, uucpd_t)
logging_list_logs($1)
admin_pattern($1, uucpd_log_t)

View File

@ -102,12 +102,12 @@ interface(`zabbix_admin',`
allow $1 zabbix_t:process { ptrace signal_perms };
ps_process_pattern($1, zabbix_t)
init_labeled_script_domtrans($1, zabbix_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 zabbix_initrc_exec_t system_r;
allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, zabbix_log_t)

View File

@ -48,7 +48,7 @@ interface(`zebra_admin',`
allow $1 zebra_t:process { ptrace signal_perms };
ps_process_pattern($1, zebra_t)
init_labeled_script_domtrans($1, zebra_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 zebra_initrc_exec_t system_r;
@ -56,7 +56,7 @@ interface(`zebra_admin',`
files_list_etc($1)
admin_pattern($1, zebra_conf_t)
logging_list_logs($1)
admin_pattern($1, zebra_log_t)

View File

@ -307,7 +307,7 @@ ifdef(`distro_ubuntu',`
unconfined_domain(ifconfig_t)
')
')
ifdef(`hide_broken_symptoms',`
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)

View File

@ -1272,7 +1272,7 @@ template(`userdom_admin_user_template',`
ifdef(`direct_sysadm_daemon',`
domain_system_change_exemption($1_t)
')
typeattribute $1_devpts_t admin_terminal;
typeattribute $1_tty_device_t admin_terminal;