changed rules fixes
This commit is contained in:
Chris PeBenito
parent
3797efb0ce
commit
2e0a880165
@ -35,7 +35,7 @@ allow netutils_t self:process { sigkill sigstop signull signal };
|
||||
allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
|
||||
allow netutils_t self:packet_socket create_socket_perms;
|
||||
allow netutils_t self:udp_socket create_socket_perms;
|
||||
allow netutils_t self:tcp_socket create_socket_perms;
|
||||
allow netutils_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
allow netutils_t netutils_tmp_t:dir create_dir_perms;
|
||||
allow netutils_t netutils_tmp_t:file create_file_perms;
|
||||
|
||||
@ -21,6 +21,7 @@ template(`su_restricted_domain_template', `
|
||||
allow $1_su_t self:process { setexec setsched setrlimit };
|
||||
allow $1_su_t self:fifo_file rw_file_perms;
|
||||
allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
|
||||
allow $1_su_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
# Transition from the user domain to this domain.
|
||||
domain_auto_trans($2, su_exec_t, $1_su_t)
|
||||
|
||||
@ -564,7 +564,7 @@ interface(`kernel_write_proc_file',`
|
||||
')
|
||||
|
||||
allow $1 proc_t:dir search;
|
||||
allow $1 proc_t:file write;
|
||||
allow $1 proc_t:file { append write };
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -68,10 +68,9 @@ interface(`storage_setattr_fixed_disk',`
|
||||
interface(`storage_dontaudit_setattr_fixed_disk',`
|
||||
gen_require(`
|
||||
type fixed_disk_device_t;
|
||||
class blk_file getattr;
|
||||
')
|
||||
|
||||
dontaudit $1 fixed_disk_device_t:blk_file getattr;
|
||||
dontaudit $1 fixed_disk_device_t:blk_file setattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -53,6 +53,7 @@ template(`apache_content_template',`
|
||||
allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir { getattr search };
|
||||
|
||||
allow httpd_$1_script_t self:fifo_file rw_file_perms;
|
||||
allow httpd_$1_script_t self:unix_stream_socket connectto;
|
||||
|
||||
allow httpd_$1_script_t httpd_t:fifo_file write;
|
||||
# apache should set close-on-exec
|
||||
|
||||
@ -401,6 +401,7 @@ allow initrc_t ptal_var_run_t:fifo_file unlink;
|
||||
#
|
||||
|
||||
dontaudit hplip_t self:capability sys_tty_config;
|
||||
allow hplip_t self:process signal_perms;
|
||||
allow hplip_t self:unix_dgram_socket create_socket_perms;
|
||||
allow hplip_t self:unix_stream_socket create_socket_perms;
|
||||
allow hplip_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
@ -40,7 +40,7 @@ allow dovecot_t self:process { setrlimit signal_perms };
|
||||
allow dovecot_t self:fifo_file rw_file_perms;
|
||||
allow dovecot_t self:tcp_socket create_stream_socket_perms;
|
||||
allow dovecot_t self:unix_dgram_socket create_socket_perms;
|
||||
allow dovecot_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
|
||||
domain_auto_trans(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
|
||||
allow dovecot_t dovecot_auth_t:fd use;
|
||||
|
||||
@ -168,8 +168,8 @@ optional_policy(`rhgb.te',`
|
||||
|
||||
allow inetd_child_t self:process signal_perms;
|
||||
allow inetd_child_t self:fifo_file rw_file_perms;
|
||||
allow inetd_child_t self:tcp_socket { listen accept connected_socket_perms };
|
||||
allow inetd_child_t self:udp_socket connected_socket_perms;
|
||||
allow inetd_child_t self:tcp_socket connected_stream_socket_perms;
|
||||
allow inetd_child_t self:udp_socket create_socket_perms;
|
||||
|
||||
# for identd
|
||||
allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
||||
|
||||
@ -44,7 +44,7 @@ allow innd_t innd_etc_t:lnk_file { getattr read };
|
||||
can_exec(innd_t, innd_exec_t)
|
||||
|
||||
allow innd_t innd_log_t:file manage_file_perms;
|
||||
allow innd_t innd_log_t:dir { setattr ra_dir_perms };
|
||||
allow innd_t innd_log_t:dir { setattr rw_dir_perms };
|
||||
logging_create_log(innd_t,innd_log_t)
|
||||
|
||||
allow innd_t innd_var_lib_t:dir create_dir_perms;
|
||||
|
||||
@ -55,6 +55,7 @@ files_pid_file(krb5kdc_var_run_t)
|
||||
# Use capabilities. Surplus capabilities may be allowed.
|
||||
allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
|
||||
dontaudit kadmind_t self:capability sys_tty_config;
|
||||
allow kadmind_t self:process signal_perms;
|
||||
allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow kadmind_t self:unix_dgram_socket { connect create write };
|
||||
allow kadmind_t self:tcp_socket connected_stream_socket_perms;
|
||||
@ -161,6 +162,7 @@ optional_policy(`rhgb.te',`
|
||||
# Use capabilities. Surplus capabilities may be allowed.
|
||||
allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
|
||||
dontaudit krb5kdc_t self:capability sys_tty_config;
|
||||
allow krb5kdc_t self:process signal_perms;
|
||||
allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow krb5kdc_t self:tcp_socket connected_stream_socket_perms;
|
||||
allow krb5kdc_t self:udp_socket create_socket_perms;
|
||||
|
||||
@ -25,7 +25,7 @@ files_pid_file(ktalkd_var_run_t)
|
||||
allow ktalkd_t self:process signal_perms;
|
||||
allow ktalkd_t self:fifo_file rw_file_perms;
|
||||
allow ktalkd_t self:tcp_socket connected_stream_socket_perms;
|
||||
allow ktalkd_t self:udp_socket connected_socket_perms;
|
||||
allow ktalkd_t self:udp_socket create_socket_perms;
|
||||
# for identd
|
||||
# cjp: this should probably only be inetd_child rules?
|
||||
allow ktalkd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
||||
|
||||
@ -119,6 +119,7 @@ optional_policy(`nis.te',`
|
||||
|
||||
allow lpd_t self:capability { setgid setuid net_bind_service dac_read_search dac_override chown fowner };
|
||||
dontaudit lpd_t self:capability sys_tty_config;
|
||||
allow lpd_t self:process signal_perms;
|
||||
allow lpd_t self:fifo_file rw_file_perms;
|
||||
allow lpd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow lpd_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
@ -30,9 +30,9 @@ files_tmp_file(mysqld_tmp_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow mysqld_t self:capability { dac_override setgid setuid };
|
||||
allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service };
|
||||
dontaudit mysqld_t self:capability sys_tty_config;
|
||||
allow mysqld_t self:process { setsched getsched signal_perms };
|
||||
allow mysqld_t self:process { setsched getsched setrlimit signal_perms };
|
||||
allow mysqld_t self:fifo_file { read write };
|
||||
allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
@ -90,6 +90,7 @@ kernel_udp_sendfrom(nfsd_t)
|
||||
kernel_tcp_recvfrom(nfsd_t)
|
||||
|
||||
corenet_udp_bind_generic_port(nfsd_t)
|
||||
corenet_udp_bind_reserved_port(nfsd_t)
|
||||
|
||||
fs_mount_nfsd_fs(nfsd_t)
|
||||
fs_search_nfsd_fs(nfsd_t)
|
||||
@ -130,6 +131,9 @@ files_create_tmp_files(gssd_t, gssd_tmp_t, { file dir })
|
||||
kernel_read_network_state(gssd_t)
|
||||
kernel_read_network_state_symlinks(gssd_t)
|
||||
|
||||
corenet_udp_bind_generic_port(gssd_t)
|
||||
corenet_udp_bind_reserved_port(gssd_t)
|
||||
|
||||
dev_read_urand(gssd_t)
|
||||
|
||||
fs_read_rpc_dirs(gssd_t)
|
||||
|
||||
@ -185,6 +185,10 @@ rhgb_domain(auditd_t)
|
||||
# klogd local policy
|
||||
#
|
||||
|
||||
allow klogd_t self:capability sys_admin;
|
||||
dontaudit klogd_t self:capability { sys_resource sys_tty_config };
|
||||
allow klogd_t self:process signal_perms;
|
||||
|
||||
allow klogd_t klogd_tmp_t:file create_file_perms;
|
||||
allow klogd_t klogd_tmp_t:dir create_dir_perms;
|
||||
files_create_tmp_files(klogd_t,klogd_tmp_t,{ file dir })
|
||||
@ -193,9 +197,6 @@ allow klogd_t klogd_var_run_t:file create_file_perms;
|
||||
allow klogd_t klogd_var_run_t:dir rw_dir_perms;
|
||||
files_create_pid(klogd_t,klogd_var_run_t)
|
||||
|
||||
allow klogd_t self:capability sys_admin;
|
||||
dontaudit klogd_t self:capability sys_resource;
|
||||
|
||||
kernel_read_system_state(klogd_t)
|
||||
kernel_read_messages(klogd_t)
|
||||
kernel_read_kernel_sysctl(klogd_t)
|
||||
|
||||
@ -208,7 +208,7 @@ allow newrole_t self:sem create_sem_perms;
|
||||
allow newrole_t self:msgq create_msgq_perms;
|
||||
allow newrole_t self:msg { send receive };
|
||||
allow newrole_t self:unix_dgram_socket sendto;
|
||||
allow newrole_t self:unix_stream_socket connectto;
|
||||
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow newrole_t self:netlink_audit_socket { create bind write nlmsg_read read };
|
||||
|
||||
allow newrole_t { selinux_config_t default_context_t }:dir r_dir_perms;
|
||||
|
||||
Loading…
Reference in New Issue
Block a user