fixes from sediff
This commit is contained in:
parent
f8964c04ba
commit
2db2c7d099
@ -128,7 +128,7 @@ corenet_tcp_sendrecv_all_ports(amanda_t)
|
|||||||
corenet_udp_sendrecv_all_ports(amanda_t)
|
corenet_udp_sendrecv_all_ports(amanda_t)
|
||||||
|
|
||||||
dev_getattr_all_blk_files(amanda_t)
|
dev_getattr_all_blk_files(amanda_t)
|
||||||
dev_getattr_all_blk_files(amanda_t)
|
dev_getattr_all_chr_files(amanda_t)
|
||||||
|
|
||||||
fs_getattr_xattr_fs(amanda_t)
|
fs_getattr_xattr_fs(amanda_t)
|
||||||
fs_list_all(amanda_t)
|
fs_list_all(amanda_t)
|
||||||
|
@ -1043,6 +1043,6 @@ interface(`corenet_unconfined',`
|
|||||||
|
|
||||||
# Bind to any network address.
|
# Bind to any network address.
|
||||||
# cjp: rawip_socket doesnt make any sense
|
# cjp: rawip_socket doesnt make any sense
|
||||||
allow $1 port_type:{ tcp_socket udp_socket } name_bind;
|
allow $1 port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
|
||||||
allow $1 node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
|
allow $1 node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
|
||||||
')
|
')
|
||||||
|
@ -544,7 +544,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',`
|
|||||||
attribute device_node;
|
attribute device_node;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 device_node:blk_file getattr;
|
dontaudit $1 device_node:blk_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -217,11 +217,9 @@ files_read_usr_files(kernel_t)
|
|||||||
mls_process_read_up(kernel_t)
|
mls_process_read_up(kernel_t)
|
||||||
mls_process_write_down(kernel_t)
|
mls_process_write_down(kernel_t)
|
||||||
|
|
||||||
ifdef(`TODO',`
|
|
||||||
ifdef(`targeted_policy',`
|
ifdef(`targeted_policy',`
|
||||||
unconfined_domain(kernel_t)
|
unconfined_domain_template(kernel_t)
|
||||||
')
|
')
|
||||||
') dnl end TODO
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -48,7 +48,9 @@ corenet_tcp_sendrecv_all_nodes(comsat_t)
|
|||||||
corenet_udp_sendrecv_all_nodes(comsat_t)
|
corenet_udp_sendrecv_all_nodes(comsat_t)
|
||||||
corenet_raw_sendrecv_all_nodes(comsat_t)
|
corenet_raw_sendrecv_all_nodes(comsat_t)
|
||||||
corenet_tcp_sendrecv_all_ports(comsat_t)
|
corenet_tcp_sendrecv_all_ports(comsat_t)
|
||||||
|
corenet_udp_sendrecv_all_ports(comsat_t)
|
||||||
corenet_tcp_bind_all_nodes(comsat_t)
|
corenet_tcp_bind_all_nodes(comsat_t)
|
||||||
|
corenet_udp_bind_all_nodes(comsat_t)
|
||||||
|
|
||||||
dev_read_urand(comsat_t)
|
dev_read_urand(comsat_t)
|
||||||
|
|
||||||
|
@ -35,7 +35,11 @@ files_type(crontab_exec_t)
|
|||||||
type system_cron_spool_t, cron_spool_type;
|
type system_cron_spool_t, cron_spool_type;
|
||||||
files_type(system_cron_spool_t)
|
files_type(system_cron_spool_t)
|
||||||
|
|
||||||
|
ifdef(`targeted_policy',`
|
||||||
|
typealias crond_t alias system_crond_t;
|
||||||
|
',`
|
||||||
type system_crond_t;
|
type system_crond_t;
|
||||||
|
')
|
||||||
init_daemon_domain(system_crond_t,anacron_exec_t)
|
init_daemon_domain(system_crond_t,anacron_exec_t)
|
||||||
corecmd_shell_entry_type(system_crond_t)
|
corecmd_shell_entry_type(system_crond_t)
|
||||||
role system_r types system_crond_t;
|
role system_r types system_crond_t;
|
||||||
|
@ -194,8 +194,9 @@ corenet_raw_sendrecv_all_if(inetd_child_t)
|
|||||||
corenet_tcp_sendrecv_all_nodes(inetd_child_t)
|
corenet_tcp_sendrecv_all_nodes(inetd_child_t)
|
||||||
corenet_udp_sendrecv_all_nodes(inetd_child_t)
|
corenet_udp_sendrecv_all_nodes(inetd_child_t)
|
||||||
corenet_raw_sendrecv_all_nodes(inetd_child_t)
|
corenet_raw_sendrecv_all_nodes(inetd_child_t)
|
||||||
corenet_tcp_bind_all_nodes(inetd_child_t)
|
|
||||||
corenet_tcp_sendrecv_all_ports(inetd_child_t)
|
corenet_tcp_sendrecv_all_ports(inetd_child_t)
|
||||||
|
corenet_udp_sendrecv_all_ports(inetd_child_t)
|
||||||
|
corenet_tcp_bind_all_nodes(inetd_child_t)
|
||||||
|
|
||||||
dev_read_urand(inetd_child_t)
|
dev_read_urand(inetd_child_t)
|
||||||
|
|
||||||
|
@ -34,7 +34,7 @@ allow innd_t self:process { setsched signal_perms };
|
|||||||
allow innd_t self:fifo_file rw_file_perms;
|
allow innd_t self:fifo_file rw_file_perms;
|
||||||
allow innd_t self:tcp_socket create_stream_socket_perms;
|
allow innd_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow innd_t self:udp_socket create_socket_perms;
|
allow innd_t self:udp_socket create_socket_perms;
|
||||||
allow innd_t self:unix_dgram_socket create_socket_perms;
|
allow innd_t self:unix_dgram_socket { sendto create_socket_perms };
|
||||||
allow innd_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
allow innd_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||||
|
|
||||||
allow innd_t innd_etc_t:file r_file_perms;
|
allow innd_t innd_etc_t:file r_file_perms;
|
||||||
@ -43,7 +43,7 @@ allow innd_t innd_etc_t:lnk_file { getattr read };
|
|||||||
|
|
||||||
can_exec(innd_t, innd_exec_t)
|
can_exec(innd_t, innd_exec_t)
|
||||||
|
|
||||||
allow innd_t innd_log_t:file { create ra_file_perms };
|
allow innd_t innd_log_t:file manage_file_perms;
|
||||||
allow innd_t innd_log_t:dir { setattr ra_dir_perms };
|
allow innd_t innd_log_t:dir { setattr ra_dir_perms };
|
||||||
logging_create_log(innd_t,innd_log_t)
|
logging_create_log(innd_t,innd_log_t)
|
||||||
|
|
||||||
|
@ -126,10 +126,11 @@ ifdef(`TODO',`
|
|||||||
optional_policy(`rhgb.te',`
|
optional_policy(`rhgb.te',`
|
||||||
rhgb_domain(pegasus_t)
|
rhgb_domain(pegasus_t)
|
||||||
')
|
')
|
||||||
|
') dnl end TODO
|
||||||
|
|
||||||
#type pegasus_conf_exec_t, exec_type;
|
# bad rules
|
||||||
|
type pegasus_conf_exec_t, entry_type;
|
||||||
files_type(pegasus_conf_exec_t)
|
files_type(pegasus_conf_exec_t)
|
||||||
allow pegasus_conf_exec_t pegasus_conf_t:dir rw_dir_perms;
|
allow pegasus_conf_exec_t pegasus_conf_t:dir rw_dir_perms;
|
||||||
allow pegasus_conf_exec_t pegasus_conf_t:file create_file_perms;
|
allow pegasus_conf_exec_t pegasus_conf_t:file create_file_perms;
|
||||||
allow pegasus_conf_exec_t pegasus_conf_t:lnk_file create_lnk_perms;
|
allow pegasus_conf_exec_t pegasus_conf_t:lnk_file create_lnk_perms;
|
||||||
') dnl end TODO
|
|
||||||
|
@ -80,11 +80,19 @@ interface(`domain_type',`
|
|||||||
ldap_use($1)
|
ldap_use($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
# this seems highly questionable:
|
# these 3 seem highly questionable:
|
||||||
optional_policy(`rpm.te',`
|
optional_policy(`rpm.te',`
|
||||||
rpm_use_fd($1)
|
rpm_use_fd($1)
|
||||||
rpm_read_pipe($1)
|
rpm_read_pipe($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`selinux.te',`
|
||||||
|
selinux_dontaudit_search_fs($1)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`selinuxutil.te',`
|
||||||
|
seutil_dontaudit_read_config($1)
|
||||||
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -7,6 +7,10 @@ policy_module(files,1.0)
|
|||||||
#
|
#
|
||||||
|
|
||||||
attribute file_type;
|
attribute file_type;
|
||||||
|
|
||||||
|
# cjp: should handle this different
|
||||||
|
allow file_type self:filesystem associate;
|
||||||
|
|
||||||
attribute lockfile;
|
attribute lockfile;
|
||||||
attribute mountpoint;
|
attribute mountpoint;
|
||||||
attribute pidfile;
|
attribute pidfile;
|
||||||
|
@ -89,16 +89,16 @@ interface(`init_daemon_domain',`
|
|||||||
# _t at the end of the domain type. If there is no _t
|
# _t at the end of the domain type. If there is no _t
|
||||||
# at the end of the type, it returns empty!
|
# at the end of the type, it returns empty!
|
||||||
bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
|
bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
|
||||||
if(! regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
|
if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
|
||||||
|
can_exec(initrc_t,$2)
|
||||||
|
can_exec(direct_run_init,$2)
|
||||||
|
} else {
|
||||||
domain_auto_trans(initrc_t,$2,$1)
|
domain_auto_trans(initrc_t,$2,$1)
|
||||||
allow initrc_t $1:fd use;
|
allow initrc_t $1:fd use;
|
||||||
allow $1 initrc_t:fd use;
|
allow $1 initrc_t:fd use;
|
||||||
allow $1 initrc_t:fifo_file rw_file_perms;
|
allow $1 initrc_t:fifo_file rw_file_perms;
|
||||||
allow $1 initrc_t:process sigchld;
|
allow $1 initrc_t:process sigchld;
|
||||||
dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
|
allow initrc_t $1:process { noatsecure siginh rlimitinh };
|
||||||
} else {
|
|
||||||
can_exec(initrc_t,$2)
|
|
||||||
can_exec(direct_run_init,$2)
|
|
||||||
}
|
}
|
||||||
',`
|
',`
|
||||||
domain_auto_trans(initrc_t,$2,$1)
|
domain_auto_trans(initrc_t,$2,$1)
|
||||||
|
@ -78,6 +78,8 @@ init_dontaudit_use_fd(auditctl_t)
|
|||||||
|
|
||||||
locallogin_dontaudit_use_fd(auditctl_t)
|
locallogin_dontaudit_use_fd(auditctl_t)
|
||||||
|
|
||||||
|
logging_send_syslog_msg(auditctl_t)
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
role secadm_r types auditctl_t;
|
role secadm_r types auditctl_t;
|
||||||
role sysadm_r types auditctl_t;
|
role sysadm_r types auditctl_t;
|
||||||
@ -110,6 +112,7 @@ allow auditd_t auditd_log_t:file create_file_perms;
|
|||||||
allow auditd_t var_log_t:dir search;
|
allow auditd_t var_log_t:dir search;
|
||||||
|
|
||||||
allow auditd_t auditd_var_run_t:file create_file_perms;
|
allow auditd_t auditd_var_run_t:file create_file_perms;
|
||||||
|
allow auditd_t auditd_var_run_t:dir rw_dir_perms;
|
||||||
files_create_pid(auditd_t,auditd_var_run_t)
|
files_create_pid(auditd_t,auditd_var_run_t)
|
||||||
|
|
||||||
kernel_read_kernel_sysctl(auditd_t)
|
kernel_read_kernel_sysctl(auditd_t)
|
||||||
@ -143,7 +146,9 @@ libs_use_shared_libs(auditd_t)
|
|||||||
|
|
||||||
miscfiles_read_localization(auditd_t)
|
miscfiles_read_localization(auditd_t)
|
||||||
|
|
||||||
mls_file_read_up(klogd_t)
|
mls_file_read_up(auditd_t)
|
||||||
|
|
||||||
|
seutil_dontaudit_read_config(auditd_t)
|
||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fd(auditd_t)
|
userdom_dontaudit_use_unpriv_user_fd(auditd_t)
|
||||||
userdom_dontaudit_search_sysadm_home_dir(auditd_t)
|
userdom_dontaudit_search_sysadm_home_dir(auditd_t)
|
||||||
|
Loading…
Reference in New Issue
Block a user