remove dead selopt rules
parent
bd56da4aa5
commit
33c7e6b4e8
@ -1,3 +1,4 @@
|
||||
- Remove old selopt rules.
|
||||
- Full support for netfilter_contexts.
|
||||
- MRTG patch for daemon operation from Stefan.
|
||||
- Add authlogin interface to abstract common access for login programs.
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(mrtg,1.0.2)
|
||||
policy_module(mrtg,1.0.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -167,7 +167,6 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
snmp_udp_chat(mrtg_t)
|
||||
snmp_read_snmp_var_lib_files(mrtg_t)
|
||||
')
|
||||
|
||||
|
@ -115,7 +115,6 @@ interface(`portage_compile_domain',`
|
||||
allow $1 self:udp_socket create_socket_perms;
|
||||
# misc networking stuff (esp needed for compiling perl):
|
||||
allow $1 self:rawip_socket { create ioctl };
|
||||
allow $1 self:udp_socket recvfrom;
|
||||
# needed for merging dbus:
|
||||
allow $1 self:netlink_selinux_socket { bind create read };
|
||||
allow $1 self:dbus send_msg;
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(portage,1.0.4)
|
||||
policy_module(portage,1.0.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(calamaris,1.0.0)
|
||||
policy_module(calamaris,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -76,10 +76,6 @@ optional_policy(`
|
||||
apache_search_sys_content(calamaris_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
bind_udp_chat_named(calamaris_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
cron_system_entry(calamaris_t,calamaris_exec_t)
|
||||
')
|
||||
|
@ -61,8 +61,6 @@ template(`games_per_userdomain_template',`
|
||||
allow $1_games_t self:sem create_sem_perms;
|
||||
allow $1_games_t self:tcp_socket create_stream_socket_perms;
|
||||
allow $1_games_t self:udp_socket create_socket_perms;
|
||||
allow $1_games_t self:tcp_socket { connectto sendto recvfrom };
|
||||
allow $1_games_t self:tcp_socket { acceptfrom recvfrom };
|
||||
|
||||
allow $1_games_t $1_games_tmpfs_t:dir rw_dir_perms;
|
||||
allow $1_games_t $1_games_tmpfs_t:file manage_file_perms;
|
||||
@ -87,8 +85,6 @@ template(`games_per_userdomain_template',`
|
||||
allow $2 $1_games_t:unix_stream_socket connectto;
|
||||
allow $1_games_t $2:unix_stream_socket connectto;
|
||||
|
||||
kernel_tcp_recvfrom($1_games_t)
|
||||
kernel_tcp_recvfrom($1_games_t)
|
||||
kernel_read_system_state($1_games_t)
|
||||
|
||||
corecmd_exec_bin($1_games_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(games,1.0.0)
|
||||
policy_module(games,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -156,13 +156,4 @@ template(`irc_per_userdomain_template',`
|
||||
optional_policy(`
|
||||
nis_use_ypbind($1_irc_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`
|
||||
allow $1_irc_t ircd_t:tcp_socket { connectto recvfrom };
|
||||
allow ircd_t $1_irc_t:tcp_socket { acceptfrom recvfrom };
|
||||
kernel_tcp_recvfrom($1_irc_t)
|
||||
kernel_tcp_recvfrom(ircd_t)
|
||||
')
|
||||
')
|
||||
')
|
||||
|
@ -353,10 +353,6 @@ template(`mozilla_per_userdomain_template',`
|
||||
nscd_socket_use($1_mozilla_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
squid_use($1_mozilla_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
lpd_domtrans_user_lpr($1,$1_mozilla_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(mozilla,1.0.3)
|
||||
policy_module(mozilla,1.0.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -183,10 +183,6 @@ template(`uml_per_userdomain_template',`
|
||||
nis_use_ypbind($1_uml_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
ssh_tcp_connect($1_uml_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# for X
|
||||
optional_policy(`
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(uml,1.0.2)
|
||||
policy_module(uml,1.0.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -220,7 +220,7 @@ interface(`kernel_dgram_send',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Receive messages from kernel TCP sockets.
|
||||
## Receive messages from kernel TCP sockets. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -229,16 +229,12 @@ interface(`kernel_dgram_send',`
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_tcp_recvfrom',`
|
||||
gen_require(`
|
||||
type kernel_t;
|
||||
')
|
||||
|
||||
allow $1 kernel_t:tcp_socket recvfrom;
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send UDP network traffic to the kernel.
|
||||
## Send UDP network traffic to the kernel. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
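Review bot: The new body of kernel_tcp_recvfrom in this hunk is only the refpolicywarn call, so a caller's domain now receives no access at all, yet the summary above it still reads as if the interface grants kernel TCP receive access; a bare `(Deprecated)` does not tell a policy author that the call is a no-op. Consider making that explicit in the summary, e.g. `## Receive messages from kernel TCP sockets. (Deprecated; no longer grants any access)`, and likewise for kernel_udp_send and kernel_udp_recvfrom below. The same wording gap exists in every other deprecation stub in this commit: bind_udp_chat_named, cups_tcp_connect, dictd_tcp_connect, finger_tcp_connect, ftp_tcp_connect, i18n_use, inetd_tcp_connect, inetd_udp_send, jabber_tcp_connect, ldap_use, mta_tcp_connect_all_mailservers, nessus_tcp_connect, nis_udp_send_ypbind and nis_tcp_connect_ypbind. If the project's convention is that `(Deprecated)` already implies "grants nothing", a one-line statement of that convention next to the first stub in kernel.if would serve the same purpose.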
|
||||
@ -247,17 +243,12 @@ interface(`kernel_tcp_recvfrom',`
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_udp_send',`
|
||||
gen_require(`
|
||||
type kernel_t;
|
||||
')
|
||||
|
||||
allow $1 kernel_t:udp_socket sendto;
|
||||
allow kernel_t $1:udp_socket recvfrom;
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Receive messages from kernel UDP sockets.
|
||||
## Receive messages from kernel UDP sockets. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -266,11 +257,7 @@ interface(`kernel_udp_send',`
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_udp_recvfrom',`
|
||||
gen_require(`
|
||||
type kernel_t;
|
||||
')
|
||||
|
||||
allow $1 kernel_t:udp_socket recvfrom;
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(kernel,1.3.13)
|
||||
policy_module(kernel,1.3.14)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -272,10 +272,6 @@ optional_policy(`
|
||||
nis_use_ypbind(kernel_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
portmap_udp_chat(kernel_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
# nfs kernel server needs kernel UDP access. It is less risky and painful
|
||||
# to just give it everything.
|
||||
@ -298,7 +294,6 @@ optional_policy(`
|
||||
rpc_manage_nfs_ro_content(kernel_t)
|
||||
rpc_manage_nfs_rw_content(kernel_t)
|
||||
rpc_udp_rw_nfs_sockets(kernel_t)
|
||||
rpc_udp_send_nfs(kernel_t)
|
||||
|
||||
tunable_policy(`nfs_export_all_ro',`
|
||||
fs_list_noxattr_fs(kernel_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(afs,1.0.1)
|
||||
policy_module(afs,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -134,8 +134,8 @@ allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice }
|
||||
dontaudit afs_fsserver_t self:capability fsetid;
|
||||
allow afs_fsserver_t self:process { setsched signal_perms };
|
||||
allow afs_fsserver_t self:fifo_file rw_file_perms;
|
||||
allow afs_fsserver_t self:tcp_socket { create_stream_socket_perms connectto acceptfrom recvfrom };
|
||||
allow afs_fsserver_t self:udp_socket { create_socket_perms sendto recvfrom };
|
||||
allow afs_fsserver_t self:tcp_socket create_stream_socket_perms;
|
||||
allow afs_fsserver_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow afs_fsserver_t afs_config_t:file r_file_perms;
|
||||
allow afs_fsserver_t afs_config_t:dir r_dir_perms;
|
||||
@ -157,10 +157,6 @@ can_exec(afs_fsserver_t, afs_fsserver_exec_t)
|
||||
allow afs_fsserver_t afs_logfile_t:file create_file_perms;
|
||||
allow afs_fsserver_t afs_logfile_t:dir create_dir_perms;
|
||||
|
||||
allow afs_fsserver_t afs_ptserver_t:udp_socket recvfrom;
|
||||
|
||||
allow afs_fsserver_t afs_vlserver_t:udp_socket recvfrom;
|
||||
|
||||
kernel_read_system_state(afs_fsserver_t)
|
||||
kernel_read_kernel_sysctls(afs_fsserver_t)
|
||||
|
||||
@ -269,8 +265,6 @@ allow afs_ptserver_t afs_config_t:dir r_dir_perms;
|
||||
allow afs_ptserver_t afs_logfile_t:file create_file_perms;
|
||||
allow afs_ptserver_t afs_logfile_t:dir create_dir_perms;
|
||||
|
||||
allow afs_ptserver_t afs_fsserver_t:udp_socket recvfrom;
|
||||
|
||||
allow afs_ptserver_t afs_pt_db_t:file manage_file_perms;
|
||||
allow afs_ptserver_t afs_dbdir_t:dir rw_dir_perms;
|
||||
type_transition afs_ptserver_t afs_dbdir_t:file afs_pt_db_t;
|
||||
@ -310,8 +304,6 @@ allow afs_vlserver_t self:udp_socket create_socket_perms;
|
||||
allow afs_vlserver_t afs_config_t:file r_file_perms;
|
||||
allow afs_vlserver_t afs_config_t:dir r_dir_perms;
|
||||
|
||||
allow afs_vlserver_t afs_fsserver_t:udp_socket recvfrom;
|
||||
|
||||
allow afs_vlserver_t afs_logfile_t:file create_file_perms;
|
||||
allow afs_vlserver_t afs_logfile_t:dir create_dir_perms;
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(amavis,1.0.5)
|
||||
policy_module(amavis,1.0.6)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -164,10 +164,6 @@ optional_policy(`
|
||||
dcc_stream_connect_dccifd(amavis_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
ldap_use(amavis_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
pyzor_domtrans(amavis_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(apache,1.3.15)
|
||||
policy_module(apache,1.3.16)
|
||||
|
||||
#
|
||||
# NOTES:
|
||||
@ -142,7 +142,7 @@ allow httpd_t self:msg { send receive };
|
||||
allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
|
||||
allow httpd_t self:tcp_socket { create_stream_socket_perms acceptfrom connectto recvfrom };
|
||||
allow httpd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow httpd_t self:udp_socket create_socket_perms;
|
||||
|
||||
# Allow httpd_t to put files in /var/cache/httpd etc
|
||||
@ -206,7 +206,6 @@ allow httpd_t squirrelmail_spool_t:file create_file_perms;
|
||||
allow httpd_t squirrelmail_spool_t:lnk_file create_lnk_perms;
|
||||
|
||||
kernel_read_kernel_sysctls(httpd_t)
|
||||
kernel_tcp_recvfrom(httpd_t)
|
||||
# for modules that want to access /proc/meminfo
|
||||
kernel_read_system_state(httpd_t)
|
||||
|
||||
|
@ -256,7 +256,7 @@ interface(`bind_read_zone',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive datagrams to and from named.
|
||||
## Send and receive datagrams to and from named. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -265,9 +265,5 @@ interface(`bind_read_zone',`
|
||||
## </param>
|
||||
#
|
||||
interface(`bind_udp_chat_named',`
|
||||
gen_require(`
|
||||
type named_t;
|
||||
')
|
||||
allow $1 named_t:udp_socket sendto;
|
||||
allow named_t $1:udp_socket recvfrom;
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(bind,1.1.7)
|
||||
policy_module(bind,1.1.8)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -92,12 +92,9 @@ allow named_t named_zone_t:dir r_dir_perms;
|
||||
allow named_t named_zone_t:file r_file_perms;
|
||||
allow named_t named_zone_t:lnk_file r_file_perms;
|
||||
|
||||
allow named_t ndc_t:tcp_socket { acceptfrom recvfrom };
|
||||
|
||||
kernel_read_kernel_sysctls(named_t)
|
||||
kernel_read_system_state(named_t)
|
||||
kernel_read_network_state(named_t)
|
||||
kernel_tcp_recvfrom(named_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(named_t)
|
||||
corenet_tcp_sendrecv_all_if(named_t)
|
||||
@ -199,11 +196,6 @@ optional_policy(`
|
||||
nscd_socket_use(named_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nsd_tcp_connect(named_t)
|
||||
nsd_udp_chat(named_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(named_t)
|
||||
')
|
||||
@ -227,7 +219,6 @@ allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
allow ndc_t dnssec_t:file { getattr read };
|
||||
|
||||
allow ndc_t named_t:tcp_socket { connectto recvfrom };
|
||||
allow ndc_t named_t:unix_stream_socket connectto;
|
||||
|
||||
allow ndc_t named_conf_t:file { getattr read };
|
||||
@ -237,7 +228,6 @@ allow ndc_t named_var_run_t:sock_file rw_file_perms;
|
||||
allow ndc_t named_zone_t:dir search;
|
||||
|
||||
kernel_read_kernel_sysctls(ndc_t)
|
||||
kernel_tcp_recvfrom(ndc_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(ndc_t)
|
||||
corenet_tcp_sendrecv_all_if(ndc_t)
|
||||
|
@ -46,7 +46,7 @@ interface(`cups_stream_connect',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to cups over TCP.
|
||||
## Connect to cups over TCP. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -55,13 +55,7 @@ interface(`cups_stream_connect',`
|
||||
## </param>
|
||||
#
|
||||
interface(`cups_tcp_connect',`
|
||||
gen_require(`
|
||||
type cupsd_t;
|
||||
')
|
||||
|
||||
allow $1 cupsd_t:tcp_socket { connectto recvfrom };
|
||||
allow cupsd_t $1:tcp_socket { acceptfrom recvfrom };
|
||||
kernel_tcp_recvfrom($1)
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(cups,1.3.10)
|
||||
policy_module(cups,1.3.11)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -82,7 +82,7 @@ allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow cupsd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||
allow cupsd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow cupsd_t self:tcp_socket { create_stream_socket_perms connectto acceptfrom recvfrom };
|
||||
allow cupsd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow cupsd_t self:udp_socket create_socket_perms;
|
||||
allow cupsd_t self:appletalk_socket create_socket_perms;
|
||||
# generic socket here until appletalk socket is available in kernels
|
||||
@ -126,7 +126,6 @@ allow cupsd_t ptal_t:unix_stream_socket connectto;
|
||||
kernel_read_system_state(cupsd_t)
|
||||
kernel_read_network_state(cupsd_t)
|
||||
kernel_read_all_sysctls(cupsd_t)
|
||||
kernel_tcp_recvfrom(cupsd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(cupsd_t)
|
||||
corenet_tcp_sendrecv_all_if(cupsd_t)
|
||||
@ -258,10 +257,6 @@ optional_policy(`
|
||||
nscd_socket_use(cupsd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
portmap_udp_chat(cupsd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
# from old usercanread attrib:
|
||||
rpc_read_nfs_content(cupsd_t)
|
||||
@ -290,13 +285,7 @@ optional_policy(`
|
||||
xserver_read_xkb_libs(cupsd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow web_client_domain cupsd_t:tcp_socket { connectto recvfrom };
|
||||
allow cupsd_t web_client_domain:tcp_socket { acceptfrom recvfrom };
|
||||
allow cupsd_t kernel_t:tcp_socket recvfrom;
|
||||
allow web_client_domain kernel_t:tcp_socket recvfrom;
|
||||
') dnl end TODO
|
||||
|
||||
#FIXME:
|
||||
allow cupsd_t usercanread:dir r_dir_perms;
|
||||
allow cupsd_t usercanread:file r_file_perms;
|
||||
allow cupsd_t usercanread:lnk_file { getattr read };
|
||||
@ -315,9 +304,6 @@ allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
|
||||
allow cupsd_config_t self:tcp_socket create_stream_socket_perms;
|
||||
allow cupsd_config_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
allow cupsd_config_t cupsd_t:tcp_socket { connectto recvfrom };
|
||||
allow cupsd_t cupsd_config_t:tcp_socket { acceptfrom recvfrom };
|
||||
|
||||
# old can_ps() on cupsd_t:
|
||||
allow cupsd_config_t cupsd_t:process { signal };
|
||||
allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
|
||||
@ -350,7 +336,6 @@ allow cupsd_config_t cupsd_var_run_t:file { getattr read };
|
||||
|
||||
kernel_read_system_state(cupsd_config_t)
|
||||
kernel_read_kernel_sysctls(cupsd_config_t)
|
||||
kernel_tcp_recvfrom(cupsd_config_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(cupsd_config_t)
|
||||
corenet_tcp_sendrecv_all_if(cupsd_config_t)
|
||||
|
@ -3,7 +3,7 @@
|
||||
########################################
|
||||
## <summary>
|
||||
## Use dictionary services by connecting
|
||||
## over TCP.
|
||||
## over TCP. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -12,11 +12,5 @@
|
||||
## </param>
|
||||
#
|
||||
interface(`dictd_tcp_connect',`
|
||||
gen_require(`
|
||||
type dictd_t;
|
||||
')
|
||||
|
||||
allow $1 dictd_t:tcp_socket { connectto recvfrom };
|
||||
allow dictd_t $1:tcp_socket { acceptfrom recvfrom };
|
||||
kernel_tcp_recvfrom($1)
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(dictd,1.1.1)
|
||||
policy_module(dictd,1.1.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -36,7 +36,6 @@ allow dictd_t dictd_var_lib_t:file r_file_perms;
|
||||
|
||||
kernel_read_system_state(dictd_t)
|
||||
kernel_read_kernel_sysctls(dictd_t)
|
||||
kernel_tcp_recvfrom(dictd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(dictd_t)
|
||||
corenet_tcp_sendrecv_all_if(dictd_t)
|
||||
|
@ -25,7 +25,7 @@ interface(`finger_domtrans',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to connect to fingerd with a tcp socket.
|
||||
## Allow the specified domain to connect to fingerd with a tcp socket. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -34,11 +34,5 @@ interface(`finger_domtrans',`
|
||||
## </param>
|
||||
#
|
||||
interface(`finger_tcp_connect',`
|
||||
gen_require(`
|
||||
type fingerd_t;
|
||||
')
|
||||
|
||||
kernel_tcp_recvfrom($1)
|
||||
allow $1 fingerd_t:tcp_socket { connectto recvfrom };
|
||||
allow fingerd_t $1:tcp_socket { acceptfrom recvfrom };
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(finger,1.1.1)
|
||||
policy_module(finger,1.1.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -47,7 +47,6 @@ logging_log_filetrans(fingerd_t,fingerd_log_t,file)
|
||||
|
||||
kernel_read_kernel_sysctls(fingerd_t)
|
||||
kernel_read_system_state(fingerd_t)
|
||||
kernel_tcp_recvfrom(fingerd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(fingerd_t)
|
||||
corenet_tcp_sendrecv_all_if(fingerd_t)
|
||||
|
@ -35,7 +35,7 @@ template(`ftp_per_userdomain_template',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Use ftp by connecting over TCP.
|
||||
## Use ftp by connecting over TCP. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -44,13 +44,7 @@ template(`ftp_per_userdomain_template',`
|
||||
## </param>
|
||||
#
|
||||
interface(`ftp_tcp_connect',`
|
||||
gen_require(`
|
||||
type ftpd_t;
|
||||
')
|
||||
|
||||
allow $1 ftpd_t:tcp_socket { connectto recvfrom };
|
||||
allow ftpd_t $1:tcp_socket { acceptfrom recvfrom };
|
||||
kernel_tcp_recvfrom($1)
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ftp,1.2.7)
|
||||
policy_module(ftp,1.2.8)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(gatekeeper,1.0.2)
|
||||
policy_module(gatekeeper,1.0.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -113,16 +113,3 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
udev_read_db(gatekeeper_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# for local users to run VOIP software
|
||||
allow userdomain gatekeeper_t:udp_socket sendto;
|
||||
allow gatekeeper_t userdomain:udp_socket recvfrom;
|
||||
allow gatekeeper_t userdomain:udp_socket sendto;
|
||||
allow userdomain gatekeeper_t:udp_socket recvfrom;
|
||||
|
||||
allow gatekeeper_t userdomain:tcp_socket { connectto recvfrom };
|
||||
allow userdomain gatekeeper_t:tcp_socket { acceptfrom recvfrom };
|
||||
kernel_tcp_recvfrom(gatekeeper_t)
|
||||
kernel_tcp_recvfrom(userdomain)
|
||||
')
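Review bot: Removing the entire TODO block at the end of this hunk also drops the comment `# for local users to run VOIP software`, which is the only note in gatekeeper.te recording that user domains are expected to exchange UDP and TCP traffic with gatekeeper_t. The selopt rules beneath it are dead, but the requirement presumably is not; if nothing else in the module expresses it (not visible here), keep a one-line marker such as `# TODO: user domain access to gatekeeper_t still needs a non-selopt expression` so the gap is not lost. The same comment loss occurs in mta.if, where the three copies of `# For when the user wants to send mail via port 25 localhost` are removed together with their rules in mta_per_userdomain_template, mta_mailserver and mta_sendmail_mailserver.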
|
||||
|
@ -2,7 +2,7 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Use i18n_input over a TCP connection.
|
||||
## Use i18n_input over a TCP connection. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -11,11 +11,5 @@
|
||||
## </param>
|
||||
#
|
||||
interface(`i18n_use',`
|
||||
gen_require(`
|
||||
type i18n_input_t;
|
||||
')
|
||||
|
||||
allow $1 i18n_input_t:tcp_socket { connectto recvfrom };
|
||||
allow i18n_input_t $1:tcp_socket { acceptfrom recvfrom };
|
||||
kernel_tcp_recvfrom($1)
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(i18n_input,1.1.3)
|
||||
policy_module(i18n_input,1.1.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -36,7 +36,6 @@ can_exec(i18n_input_t, i18n_input_exec_t)
|
||||
|
||||
kernel_read_kernel_sysctls(i18n_input_t)
|
||||
kernel_read_system_state(i18n_input_t)
|
||||
kernel_tcp_recvfrom(i18n_input_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(i18n_input_t)
|
||||
corenet_tcp_sendrecv_generic_if(i18n_input_t)
|
||||
|
@ -169,7 +169,7 @@ interface(`inetd_use_fds',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to the inetd service using a TCP connection.
|
||||
## Connect to the inetd service using a TCP connection. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -178,13 +178,7 @@ interface(`inetd_use_fds',`
|
||||
## </param>
|
||||
#
|
||||
interface(`inetd_tcp_connect',`
|
||||
gen_require(`
|
||||
type inetd_t;
|
||||
')
|
||||
|
||||
allow $1 inetd_t:tcp_socket { connectto recvfrom };
|
||||
allow inetd_t $1:tcp_socket { acceptfrom recvfrom };
|
||||
kernel_tcp_recvfrom($1)
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -213,7 +207,7 @@ interface(`inetd_domtrans_child',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send UDP network traffic to inetd.
|
||||
## Send UDP network traffic to inetd. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -222,12 +216,7 @@ interface(`inetd_domtrans_child',`
|
||||
## </param>
|
||||
#
|
||||
interface(`inetd_udp_send',`
|
||||
gen_require(`
|
||||
type inetd_t;
|
||||
')
|
||||
|
||||
allow $1 inetd_t:udp_socket sendto;
|
||||
allow inetd_t $1:udp_socket recvfrom;
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(inetd,1.1.5)
|
||||
policy_module(inetd,1.1.6)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -55,7 +55,6 @@ files_pid_filetrans(inetd_t,inetd_var_run_t,file)
|
||||
kernel_read_kernel_sysctls(inetd_t)
|
||||
kernel_list_proc(inetd_t)
|
||||
kernel_read_proc_symlinks(inetd_t)
|
||||
kernel_tcp_recvfrom(inetd_t)
|
||||
|
||||
# base networking:
|
||||
corenet_non_ipsec_sendrecv(inetd_t)
|
||||
@ -145,11 +144,6 @@ optional_policy(`
|
||||
amanda_search_lib(inetd_t)
|
||||
')
|
||||
|
||||
# Communicate with the portmapper.
|
||||
optional_policy(`
|
||||
portmap_udp_send(inetd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(inetd_t)
|
||||
')
|
||||
|
@ -2,7 +2,7 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to jabber over a TCP socket
|
||||
## Connect to jabber over a TCP socket (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -11,11 +11,5 @@
|
||||
## </param>
|
||||
#
|
||||
interface(`jabber_tcp_connect',`
|
||||
gen_require(`
|
||||
type jabberd_t;
|
||||
')
|
||||
|
||||
allow $1 jabberd_t:tcp_socket { connectto recvfrom };
|
||||
allow jabberd_t $1:tcp_socket { acceptfrom recvfrom };
|
||||
kernel_tcp_recvfrom($1)
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(jabber,1.0.2)
|
||||
policy_module(jabber,1.0.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -46,7 +46,6 @@ files_pid_filetrans(jabberd_t,jabberd_var_run_t,file)
|
||||
kernel_read_kernel_sysctls(jabberd_t)
|
||||
kernel_list_proc(jabberd_t)
|
||||
kernel_read_proc_symlinks(jabberd_t)
|
||||
kernel_tcp_recvfrom(jabberd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(jabberd_t)
|
||||
corenet_tcp_sendrecv_generic_if(jabberd_t)
|
||||
|
@ -40,7 +40,7 @@ interface(`ldap_read_config',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Use LDAP over TCP connection.
|
||||
## Use LDAP over TCP connection. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -49,13 +49,7 @@ interface(`ldap_read_config',`
|
||||
## </param>
|
||||
#
|
||||
interface(`ldap_use',`
|
||||
gen_require(`
|
||||
type slapd_t;
|
||||
')
|
||||
|
||||
allow $1 slapd_t:tcp_socket { connectto recvfrom };
|
||||
allow slapd_t $1:tcp_socket { acceptfrom recvfrom };
|
||||
kernel_tcp_recvfrom($1)
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ldap,1.2.4)
|
||||
policy_module(ldap,1.2.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -76,7 +76,6 @@ files_pid_filetrans(slapd_t,slapd_var_run_t,file)
|
||||
|
||||
kernel_read_system_state(slapd_t)
|
||||
kernel_read_kernel_sysctls(slapd_t)
|
||||
kernel_tcp_recvfrom(slapd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(slapd_t)
|
||||
corenet_tcp_sendrecv_all_if(slapd_t)
|
||||
|
@ -72,9 +72,6 @@ template(`lpd_per_userdomain_template',`
|
||||
# Connect to lpd via a Unix domain socket.
|
||||
allow $1_lpr_t printer_t:sock_file rw_file_perms;
|
||||
allow $1_lpr_t lpd_t:unix_stream_socket connectto;
|
||||
# connecto to a network lpd
|
||||
allow $1_lpr_t lpd_t:tcp_socket { connectto recvfrom };
|
||||
allow lpd_t $1_lpr_t:tcp_socket { acceptfrom recvfrom };
|
||||
# Send SIGHUP to lpd.
|
||||
allow $1_lpr_t lpd_t:process signal;
|
||||
|
||||
@ -109,7 +106,6 @@ template(`lpd_per_userdomain_template',`
|
||||
allow lpd_t $1_print_spool_t:file r_file_perms;
|
||||
allow lpd_t $1_print_spool_t:file link_file_perms;
|
||||
|
||||
kernel_tcp_recvfrom($1_lpr_t)
|
||||
kernel_read_kernel_sysctls($1_lpr_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv($1_lpr_t)
|
||||
@ -186,9 +182,7 @@ template(`lpd_per_userdomain_template',`
|
||||
|
||||
optional_policy(`
|
||||
cups_read_config($1_lpr_t)
|
||||
cups_tcp_connect($1_lpr_t)
|
||||
cups_read_config($2)
|
||||
cups_tcp_connect($2)
|
||||
cups_stream_connect($1_lpr_t)
|
||||
')
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(lpd,1.2.5)
|
||||
policy_module(lpd,1.2.6)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -154,7 +154,6 @@ allow lpd_t printer_t:unix_stream_socket name_bind;
|
||||
allow lpd_t printer_t:unix_dgram_socket name_bind;
|
||||
|
||||
kernel_read_kernel_sysctls(lpd_t)
|
||||
kernel_tcp_recvfrom(lpd_t)
|
||||
# bash wants access to /proc/meminfo
|
||||
kernel_read_system_state(lpd_t)
|
||||
|
||||
@ -220,11 +219,6 @@ ifdef(`targeted_policy',`
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(lpd_t)
|
||||
nis_tcp_connect_ypbind(lpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
portmap_udp_send(lpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(mailman,1.1.6)
|
||||
policy_module(mailman,1.1.7)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -44,14 +44,11 @@ optional_policy(`
|
||||
allow mailman_cgi_t mailman_archive_t:lnk_file create_lnk_perms;
|
||||
allow mailman_cgi_t mailman_archive_t:file create_file_perms;
|
||||
|
||||
kernel_tcp_recvfrom(mailman_cgi_t)
|
||||
|
||||
term_use_controlling_term(mailman_cgi_t)
|
||||
|
||||
files_search_spool(mailman_cgi_t)
|
||||
|
||||
mta_tcp_connect_all_mailservers(mailman_cgi_t)
|
||||
|
||||
apache_sigchld(mailman_cgi_t)
|
||||
apache_use_fds(mailman_cgi_t)
|
||||
apache_dontaudit_append_log(mailman_cgi_t)
|
||||
@ -95,7 +92,6 @@ allow mailman_queue_t mailman_archive_t:file create_file_perms;
|
||||
allow mailman_queue_t mailman_archive_t:lnk_file create_lnk_perms;
|
||||
|
||||
kernel_read_proc_symlinks(mailman_queue_t)
|
||||
kernel_tcp_recvfrom(mailman_queue_t)
|
||||
|
||||
auth_domtrans_chk_passwd(mailman_queue_t)
|
||||
|
||||
@ -109,8 +105,6 @@ seutil_dontaudit_search_config(mailman_queue_t)
|
||||
userdom_search_sysadm_home_dirs(mailman_queue_t)
|
||||
userdom_getattr_sysadm_home_dirs(mailman_queue_t)
|
||||
|
||||
mta_tcp_connect_all_mailservers(mailman_queue_t)
|
||||
|
||||
su_exec(mailman_queue_t)
|
||||
|
||||
optional_policy(`
|
||||
|
@ -199,11 +199,6 @@ template(`mta_per_userdomain_template',`
|
||||
allow $1_mail_t $2:fifo_file rw_file_perms;
|
||||
allow $1_mail_t $2:process sigchld;
|
||||
|
||||
# For when the user wants to send mail via port 25 localhost
|
||||
kernel_tcp_recvfrom($2)
|
||||
allow $2 mailserver_domain:tcp_socket { connectto recvfrom };
|
||||
allow mailserver_domain $2:tcp_socket { acceptfrom recvfrom };
|
||||
|
||||
domain_use_interactive_fds($1_mail_t)
|
||||
|
||||
userdom_use_user_terminals($1,$1_mail_t)
|
||||
@ -313,9 +308,6 @@ interface(`mta_mailserver',`
|
||||
attribute mailserver_domain;
|
||||
')
|
||||
|
||||
# For when the user wants to send mail via port 25 localhost
|
||||
kernel_tcp_recvfrom($1)
|
||||
|
||||
init_daemon_domain($1,$2)
|
||||
typeattribute $1 mailserver_domain;
|
||||
')
|
||||
@ -355,9 +347,6 @@ interface(`mta_sendmail_mailserver',`
|
||||
type sendmail_exec_t;
|
||||
')
|
||||
|
||||
# For when the user wants to send mail via port 25 localhost
|
||||
kernel_tcp_recvfrom($1)
|
||||
|
||||
init_system_domain($1,sendmail_exec_t)
|
||||
typeattribute $1 mailserver_domain;
|
||||
')
|
||||
@ -624,7 +613,7 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Connect to all mail servers over TCP.
|
||||
## Connect to all mail servers over TCP. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -633,13 +622,7 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
|
||||
## </param>
|
||||
#
|
||||
interface(`mta_tcp_connect_all_mailservers',`
|
||||
gen_require(`
|
||||
attribute mailserver_domain;
|
||||
')
|
||||
|
||||
allow $1 mailserver_domain:tcp_socket { connectto recvfrom };
|
||||
allow mailserver_domain $1:tcp_socket { acceptfrom recvfrom };
|
||||
kernel_tcp_recvfrom($1)
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
||||
#######################################
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(mta,1.3.7)
|
||||
policy_module(mta,1.3.8)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -2,7 +2,7 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to nessus over a TCP socket
|
||||
## Connect to nessus over a TCP socket (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -11,11 +11,5 @@
|
||||
## </param>
|
||||
#
|
||||
interface(`nessus_tcp_connect',`
|
||||
gen_require(`
|
||||
type nessusd_t;
|
||||
')
|
||||
|
||||
allow $1 nessusd_t:tcp_socket { connectto recvfrom };
|
||||
allow nessusd_t $1:tcp_socket { acceptfrom recvfrom };
|
||||
kernel_tcp_recvfrom($1)
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(nessus,1.0.1)
|
||||
policy_module(nessus,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -55,7 +55,6 @@ files_pid_filetrans(nessusd_t,nessusd_var_run_t,file)
|
||||
|
||||
kernel_read_system_state(nessusd_t)
|
||||
kernel_read_kernel_sysctls(nessusd_t)
|
||||
kernel_tcp_recvfrom(nessusd_t)
|
||||
|
||||
# for nmap etc
|
||||
corecmd_exec_bin(nessusd_t)
|
||||
|
@ -148,7 +148,7 @@ interface(`nis_list_var_yp',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send UDP network traffic to NIS clients.
|
||||
## Send UDP network traffic to NIS clients. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -157,17 +157,12 @@ interface(`nis_list_var_yp',`
|
||||
## </param>
|
||||
#
|
||||
interface(`nis_udp_send_ypbind',`
|
||||
gen_require(`
|
||||
type ypbind_t;
|
||||
')
|
||||
|
||||
allow $1 ypbind_t:udp_socket sendto;
|
||||
allow ypbind_t $1:udp_socket recvfrom;
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to ypbind over TCP.
|
||||
## Connect to ypbind over TCP. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -176,13 +171,7 @@ interface(`nis_udp_send_ypbind',`
|
||||
## </param>
|
||||
#
|
||||
interface(`nis_tcp_connect_ypbind',`
|
||||
gen_require(`
|
||||
type ypbind_t;
|
||||
')
|
||||
|
||||
allow $1 ypbind_t:tcp_socket { connectto recvfrom };
|
||||
allow ypbind_t $1:tcp_socket { acceptfrom recvfrom };
|
||||
kernel_tcp_recvfrom($1)
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(nis,1.1.6)
|
||||
policy_module(nis,1.1.7)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -70,7 +70,6 @@ allow ypbind_t var_yp_t:file create_file_perms;
|
||||
kernel_read_kernel_sysctls(ypbind_t)
|
||||
kernel_list_proc(ypbind_t)
|
||||
kernel_read_proc_symlinks(ypbind_t)
|
||||
kernel_tcp_recvfrom(ypbind_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(ypbind_t)
|
||||
corenet_tcp_sendrecv_all_if(ypbind_t)
|
||||
@ -107,7 +106,6 @@ files_list_var(ypbind_t)
|
||||
|
||||
init_use_fds(ypbind_t)
|
||||
init_use_script_ptys(ypbind_t)
|
||||
init_udp_send_script(ypbind_t)
|
||||
|
||||
libs_use_ld_so(ypbind_t)
|
||||
libs_use_shared_libs(ypbind_t)
|
||||
@ -121,7 +119,6 @@ sysnet_read_config(ypbind_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(ypbind_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(ypbind_t)
|
||||
|
||||
portmap_udp_send(ypbind_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
term_dontaudit_use_unallocated_ttys(ypbind_t)
|
||||
@ -204,7 +201,6 @@ files_relabel_etc_files(yppasswdd_t)
|
||||
|
||||
init_use_fds(yppasswdd_t)
|
||||
init_use_script_ptys(yppasswdd_t)
|
||||
init_udp_send_script(yppasswdd_t)
|
||||
|
||||
libs_use_ld_so(yppasswdd_t)
|
||||
libs_use_shared_libs(yppasswdd_t)
|
||||
@ -218,7 +214,6 @@ sysnet_read_config(yppasswdd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(yppasswdd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(yppasswdd_t)
|
||||
|
||||
portmap_udp_send(yppasswdd_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_ttys(yppasswdd_t)
|
||||
@ -299,7 +294,6 @@ files_read_var_files(ypserv_t)
|
||||
|
||||
init_use_fds(ypserv_t)
|
||||
init_use_script_ptys(ypserv_t)
|
||||
init_udp_send_script(ypserv_t)
|
||||
|
||||
libs_use_ld_so(ypserv_t)
|
||||
libs_use_shared_libs(ypserv_t)
|
||||
@ -315,7 +309,6 @@ sysnet_read_config(ypserv_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(ypserv_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(ypserv_t)
|
||||
|
||||
portmap_udp_send(ypserv_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_ttys(ypserv_t)
|
||||
|
@ -2,7 +2,7 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive datagrams from NSD.
|
||||
## Send and receive datagrams from NSD. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -11,16 +11,12 @@
|
||||
## </param>
|
||||
#
|
||||
interface(`nsd_udp_chat',`
|
||||
gen_require(`
|
||||
type nsd_t;
|
||||
')
|
||||
allow $1 nsd_t:udp_socket sendto;
|
||||
allow nsd_t $1:udp_socket recvfrom;
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to NSD over a TCP socket
|
||||
## Connect to NSD over a TCP socket (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -29,11 +25,5 @@ interface(`nsd_udp_chat',`
|
||||
## </param>
|
||||
#
|
||||
interface(`nsd_tcp_connect',`
|
||||
gen_require(`
|
||||
type nsd_t;
|
||||
')
|
||||
|
||||
allow $1 nsd_t:tcp_socket { connectto recvfrom };
|
||||
allow nsd_t $1:tcp_socket { acceptfrom recvfrom };
|
||||
kernel_tcp_recvfrom($1)
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(nsd,1.0.1)
|
||||
policy_module(nsd,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ntp,1.1.4)
|
||||
policy_module(ntp,1.1.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -40,7 +40,7 @@ allow ntpd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow ntpd_t self:unix_stream_socket create_socket_perms;
|
||||
allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow ntpd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow ntpd_t self:udp_socket { create_socket_perms sendto recvfrom };
|
||||
allow ntpd_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow ntpd_t ntp_drift_t:dir rw_dir_perms;
|
||||
allow ntpd_t ntp_drift_t:file create_file_perms;
|
||||
|
@ -2,7 +2,7 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to perdition over a TCP socket
|
||||
## Connect to perdition over a TCP socket (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -11,11 +11,5 @@
|
||||
## </param>
|
||||
#
|
||||
interface(`perdition_tcp_connect',`
|
||||
gen_require(`
|
||||
type perdition_t;
|
||||
')
|
||||
|
||||
allow $1 perdition_t:tcp_socket { connectto recvfrom };
|
||||
allow perdition_t $1:tcp_socket { acceptfrom recvfrom };
|
||||
kernel_tcp_recvfrom($1)
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(perdition,1.0.1)
|
||||
policy_module(perdition,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -37,7 +37,6 @@ files_pid_filetrans(perdition_t,perdition_var_run_t,file)
|
||||
kernel_read_kernel_sysctls(perdition_t)
|
||||
kernel_list_proc(perdition_t)
|
||||
kernel_read_proc_symlinks(perdition_t)
|
||||
kernel_tcp_recvfrom(perdition_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(perdition_t)
|
||||
corenet_tcp_sendrecv_generic_if(perdition_t)
|
||||
|
@ -54,19 +54,11 @@ interface(`portmap_run_helper',`
|
||||
portmap_domtrans_helper($1)
|
||||
role $2 types portmap_helper_t;
|
||||
allow portmap_helper_t $3:chr_file { getattr read write ioctl };
|
||||
|
||||
# send to portmap
|
||||
allow $1 portmap_t:udp_socket sendto;
|
||||
allow portmap_t $1:udp_socket recvfrom;
|
||||
|
||||
# receive from portmap
|
||||
allow portmap_t $1:udp_socket sendto;
|
||||
allow $1 portmap_t:udp_socket recvfrom;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send UDP network traffic to portmap.
|
||||
## Send UDP network traffic to portmap. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -75,17 +67,12 @@ interface(`portmap_run_helper',`
|
||||
## </param>
|
||||
#
|
||||
interface(`portmap_udp_send',`
|
||||
gen_require(`
|
||||
type portmap_t;
|
||||
')
|
||||
|
||||
allow $1 portmap_t:udp_socket sendto;
|
||||
allow portmap_t $1:udp_socket recvfrom;
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive UDP network traffic from portmap.
|
||||
## Send and receive UDP network traffic from portmap. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -94,19 +81,12 @@ interface(`portmap_udp_send',`
|
||||
## </param>
|
||||
#
|
||||
interface(`portmap_udp_chat',`
|
||||
gen_require(`
|
||||
type portmap_t;
|
||||
')
|
||||
|
||||
allow $1 portmap_t:udp_socket sendto;
|
||||
allow portmap_t $1:udp_socket recvfrom;
|
||||
allow portmap_t $1:udp_socket sendto;
|
||||
allow $1 portmap_t:udp_socket recvfrom;
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to portmap over a TCP socket
|
||||
## Connect to portmap over a TCP socket (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -115,11 +95,5 @@ interface(`portmap_udp_chat',`
|
||||
## </param>
|
||||
#
|
||||
interface(`portmap_tcp_connect',`
|
||||
gen_require(`
|
||||
type portmap_t;
|
||||
')
|
||||
|
||||
allow $1 portmap_t:tcp_socket { connectto recvfrom };
|
||||
allow portmap_t $1:tcp_socket { acceptfrom recvfrom };
|
||||
kernel_tcp_recvfrom($1)
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(portmap,1.2.4)
|
||||
policy_module(portmap,1.2.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -45,7 +45,6 @@ files_pid_filetrans(portmap_t,portmap_var_run_t,file)
|
||||
kernel_read_kernel_sysctls(portmap_t)
|
||||
kernel_list_proc(portmap_t)
|
||||
kernel_read_proc_symlinks(portmap_t)
|
||||
kernel_tcp_recvfrom(portmap_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(portmap_t)
|
||||
corenet_tcp_sendrecv_all_if(portmap_t)
|
||||
@ -82,8 +81,6 @@ files_read_etc_files(portmap_t)
|
||||
|
||||
init_use_fds(portmap_t)
|
||||
init_use_script_ptys(portmap_t)
|
||||
init_udp_send(portmap_t)
|
||||
init_udp_send_script(portmap_t)
|
||||
|
||||
libs_use_ld_so(portmap_t)
|
||||
libs_use_shared_libs(portmap_t)
|
||||
@ -103,23 +100,14 @@ ifdef(`targeted_policy', `
|
||||
files_dontaudit_read_root_files(portmap_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
inetd_udp_send(portmap_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(portmap_t)
|
||||
nis_udp_send_ypbind(portmap_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(portmap_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
rpc_udp_send_nfs(portmap_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(portmap_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(portslave,1.0.1)
|
||||
policy_module(portslave,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -127,10 +127,6 @@ optional_policy(`
|
||||
nis_use_ypbind(portslave_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
radius_use(portslave_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(portslave_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(postfix,1.2.10)
|
||||
policy_module(postfix,1.2.11)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -563,14 +563,6 @@ allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write;
|
||||
|
||||
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
|
||||
|
||||
kernel_tcp_recvfrom(postfix_smtp_t)
|
||||
|
||||
# if you have two different mail servers on the same host let them talk via
|
||||
# SMTP, also if one mail server wants to talk to itself then allow it and let
|
||||
# the SMTP protocol sort it out (SE Linux is not to prevent mail server
|
||||
# misconfiguration)
|
||||
mta_tcp_connect_all_mailservers(postfix_smtp_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Postfix smtpd local policy
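Review bot: The four-line rationale about two mail servers on one host talking over SMTP is dropped together with the mta_tcp_connect_all_mailservers call, so the new side no longer records whether local smtp-to-smtp traffic is still meant to work or where it is now permitted. If the netfilter_contexts work mentioned in the changelog covers that case, a one-line comment such as `# SMTP between two local MTAs is no longer granted via socket peer rules` would preserve the intent; if nothing covers it, this is a behavioural change for hosts running two MTAs that deserves a changelog line. The postfix_smtp_t block continues outside the hunk.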
|
||||
|
@ -83,7 +83,7 @@ interface(`postgresql_read_config',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to connect to postgresql with a tcp socket.
|
||||
## Allow the specified domain to connect to postgresql with a tcp socket. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -92,13 +92,7 @@ interface(`postgresql_read_config',`
|
||||
## </param>
|
||||
#
|
||||
interface(`postgresql_tcp_connect',`
|
||||
gen_require(`
|
||||
type postgresql_t;
|
||||
')
|
||||
|
||||
kernel_tcp_recvfrom($1)
|
||||
allow $1 postgresql_t:tcp_socket { connectto recvfrom };
|
||||
allow postgresql_t $1:tcp_socket { acceptfrom recvfrom };
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(postgresql,1.1.2)
|
||||
policy_module(postgresql,1.1.3)
|
||||
|
||||
#################################
|
||||
#
|
||||
@ -83,7 +83,6 @@ kernel_read_system_state(postgresql_t)
|
||||
kernel_list_proc(postgresql_t)
|
||||
kernel_read_all_sysctls(postgresql_t)
|
||||
kernel_read_proc_symlinks(postgresql_t)
|
||||
kernel_tcp_recvfrom(postgresql_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(postgresql_t)
|
||||
corenet_tcp_sendrecv_all_if(postgresql_t)
|
||||
|
@ -2,7 +2,7 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Use radius over a UDP connection.
|
||||
## Use radius over a UDP connection. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -11,13 +11,5 @@
|
||||
## </param>
|
||||
#
|
||||
interface(`radius_use',`
|
||||
gen_require(`
|
||||
type radiusd_t;
|
||||
')
|
||||
|
||||
allow $1 radiusd_t:udp_socket sendto;
|
||||
allow radiusd_t $1:udp_socket recvfrom;
|
||||
|
||||
allow radiusd_t $1:udp_socket sendto;
|
||||
allow $1 radiusd_t:udp_socket recvfrom;
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(radius,1.1.2)
|
||||
policy_module(radius,1.1.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -133,10 +133,6 @@ optional_policy(`
|
||||
seutil_sigchld_newrole(radiusd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
snmp_tcp_connect(radiusd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
udev_read_db(radiusd_t)
|
||||
')
|
||||
|
@ -118,7 +118,7 @@ template(`rpc_domain_template', `
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send UDP network traffic to rpc and recieve UDP traffic from rpc.
|
||||
## Send UDP network traffic to rpc and recieve UDP traffic from rpc. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -127,12 +127,7 @@ template(`rpc_domain_template', `
|
||||
## </param>
|
||||
#
|
||||
interface(`rpc_udp_send',`
|
||||
gen_require(`
|
||||
type rpc_t;
|
||||
')
|
||||
|
||||
allow $1 rpc_t:udp_socket sendto;
|
||||
allow rpc_t $1:udp_socket recvfrom;
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -289,12 +284,11 @@ interface(`rpc_udp_rw_nfs_sockets',`
|
||||
')
|
||||
|
||||
allow $1 nfsd_t:udp_socket rw_socket_perms;
|
||||
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send UDP traffic to NFSd.
|
||||
## Send UDP traffic to NFSd. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -303,12 +297,7 @@ interface(`rpc_udp_rw_nfs_sockets',`
|
||||
## </param>
|
||||
#
|
||||
interface(`rpc_udp_send_nfs',`
|
||||
gen_require(`
|
||||
type nfsd_t;
|
||||
')
|
||||
|
||||
allow $1 nfsd_t:udp_socket sendto;
|
||||
allow nfsd_t $1:udp_socket recvfrom;
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(rpc,1.2.9)
|
||||
policy_module(rpc,1.2.10)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -64,7 +64,6 @@ miscfiles_read_certs(rpcd_t)
|
||||
|
||||
seutil_dontaudit_search_config(rpcd_t)
|
||||
|
||||
portmap_udp_chat(rpcd_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
allow rpcd_t self:capability { chown dac_override setgid setuid };
|
||||
@ -87,8 +86,6 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms;
|
||||
# for /proc/fs/nfs/exports - should we have a new type?
|
||||
kernel_read_system_state(nfsd_t)
|
||||
kernel_read_network_state(nfsd_t)
|
||||
kernel_udp_send(nfsd_t)
|
||||
kernel_tcp_recvfrom(nfsd_t)
|
||||
|
||||
fs_mount_nfsd_fs(nfsd_t)
|
||||
fs_search_nfsd_fs(nfsd_t)
|
||||
@ -107,9 +104,6 @@ files_manage_mounttab(rpcd_t)
|
||||
# Read access to public_content_t and public_content_rw_t
|
||||
miscfiles_read_public_files(nfsd_t)
|
||||
|
||||
portmap_tcp_connect(nfsd_t)
|
||||
portmap_udp_chat(nfsd_t)
|
||||
|
||||
# Write access to public_content_t and public_content_rw_t
|
||||
tunable_policy(`allow_nfsd_anon_write',`
|
||||
miscfiles_manage_public_files(nfsd_t)
|
||||
|
@ -2,7 +2,7 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Use snmp over a TCP connection.
|
||||
## Use snmp over a TCP connection. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -11,18 +11,12 @@
|
||||
## </param>
|
||||
#
|
||||
interface(`snmp_tcp_connect',`
|
||||
gen_require(`
|
||||
type snmpd_t;
|
||||
')
|
||||
|
||||
allow $1 snmpd_t:tcp_socket { connectto recvfrom };
|
||||
allow snmpd_t $1:tcp_socket { acceptfrom recvfrom };
|
||||
kernel_tcp_recvfrom($1)
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive UDP traffic to SNMP
|
||||
## Send and receive UDP traffic to SNMP (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -31,12 +25,7 @@ interface(`snmp_tcp_connect',`
|
||||
## </param>
|
||||
#
|
||||
interface(`snmp_udp_chat',`
|
||||
gen_require(`
|
||||
type snmpd_t;
|
||||
')
|
||||
|
||||
allow $1 snmpd_t:udp_socket { sendto recvfrom };
|
||||
allow snmpd_t $1:udp_socket { sendto recvfrom };
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(snmp,1.1.2)
|
||||
policy_module(snmp,1.1.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -55,7 +55,6 @@ kernel_read_net_sysctls(snmpd_t)
|
||||
kernel_read_proc_symlinks(snmpd_t)
|
||||
kernel_read_system_state(snmpd_t)
|
||||
kernel_read_network_state(snmpd_t)
|
||||
kernel_tcp_recvfrom(snmpd_t)
|
||||
|
||||
corecmd_exec_bin(snmpd_t)
|
||||
corecmd_exec_sbin(snmpd_t)
|
||||
|
@ -2,7 +2,7 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to the sound server over a TCP socket
|
||||
## Connect to the sound server over a TCP socket (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -11,11 +11,5 @@
|
||||
## </param>
|
||||
#
|
||||
interface(`soundserver_tcp_connect',`
|
||||
gen_require(`
|
||||
type soundd_t;
|
||||
')
|
||||
|
||||
allow $1 soundd_t:tcp_socket { connectto recvfrom };
|
||||
allow soundd_t $1:tcp_socket { acceptfrom recvfrom };
|
||||
kernel_tcp_recvfrom($1)
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(soundserver,1.0.1)
|
||||
policy_module(soundserver,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -64,7 +64,6 @@ files_pid_filetrans(soundd_t,soundd_var_run_t,file)
|
||||
kernel_read_kernel_sysctls(soundd_t)
|
||||
kernel_list_proc(soundd_t)
|
||||
kernel_read_proc_symlinks(soundd_t)
|
||||
kernel_tcp_recvfrom(soundd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(soundd_t)
|
||||
corenet_tcp_sendrecv_generic_if(soundd_t)
|
||||
|
@ -85,8 +85,6 @@ template(`spamassassin_per_userdomain_template',`
|
||||
files_tmp_filetrans($1_spamc_t, $1_spamc_tmp_t, { file dir })
|
||||
|
||||
# Allow connecting to a local spamd
|
||||
allow $1_spamc_t spamd_t:tcp_socket { connectto recvfrom };
|
||||
allow spamd_t $1_spamc_t:tcp_socket { acceptfrom recvfrom };
|
||||
allow $1_spamc_t spamd_t:unix_stream_socket connectto;
|
||||
allow $1_spamc_t spamd_tmp_t:sock_file rw_file_perms;
|
||||
|
||||
@ -97,7 +95,6 @@ template(`spamassassin_per_userdomain_template',`
|
||||
allow $1_spamc_t $2:process sigchld;
|
||||
|
||||
kernel_read_kernel_sysctls($1_spamc_t)
|
||||
kernel_tcp_recvfrom($1_spamc_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv($1_spamc_t)
|
||||
corenet_tcp_sendrecv_generic_if($1_spamc_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(spamassassin,1.3.9)
|
||||
policy_module(spamassassin,1.3.10)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -66,7 +66,6 @@ files_pid_filetrans(spamd_t,spamd_var_run_t,file)
|
||||
|
||||
kernel_read_all_sysctls(spamd_t)
|
||||
kernel_read_system_state(spamd_t)
|
||||
kernel_tcp_recvfrom(spamd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(spamd_t)
|
||||
corenet_tcp_sendrecv_all_if(spamd_t)
|
||||
|
@ -106,7 +106,7 @@ interface(`squid_manage_logs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Use squid services by connecting over TCP.
|
||||
## Use squid services by connecting over TCP. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -115,11 +115,5 @@ interface(`squid_manage_logs',`
|
||||
## </param>
|
||||
#
|
||||
interface(`squid_use',`
|
||||
gen_require(`
|
||||
type squid_t;
|
||||
')
|
||||
|
||||
allow $1 squid_t:tcp_socket { connectto recvfrom };
|
||||
allow squid_t $1:tcp_socket { acceptfrom recvfrom };
|
||||
kernel_tcp_recvfrom($1)
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(squid,1.1.4)
|
||||
policy_module(squid,1.1.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -66,7 +66,6 @@ files_pid_filetrans(squid_t,squid_var_run_t,file)
|
||||
|
||||
kernel_read_kernel_sysctls(squid_t)
|
||||
kernel_read_system_state(squid_t)
|
||||
kernel_tcp_recvfrom(squid_t)
|
||||
|
||||
files_dontaudit_getattr_boot_dirs(squid_t)
|
||||
|
||||
|
@ -663,7 +663,7 @@ interface(`ssh_dontaudit_rw_tcp_sockets',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to SSH daemons over TCP sockets.
|
||||
## Connect to SSH daemons over TCP sockets. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -672,13 +672,7 @@ interface(`ssh_dontaudit_rw_tcp_sockets',`
|
||||
## </param>
|
||||
#
|
||||
interface(`ssh_tcp_connect',`
|
||||
gen_require(`
|
||||
type sshd_t;
|
||||
')
|
||||
|
||||
allow $1 sshd_t:tcp_socket { connectto recvfrom };
|
||||
allow sshd_t $1:tcp_socket { acceptfrom recvfrom };
|
||||
kernel_tcp_recvfrom($1)
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ssh,1.3.8)
|
||||
policy_module(ssh,1.3.9)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -72,7 +72,6 @@ ifdef(`targeted_policy',`
|
||||
|
||||
ifdef(`strict_policy',`
|
||||
# so a tunnel can point to another ssh tunnel
|
||||
allow sshd_t self:tcp_socket { acceptfrom connectto recvfrom };
|
||||
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
allow sshd_t sshd_tmp_t:dir create_dir_perms;
|
||||
@ -186,12 +185,6 @@ ifdef(`strict_policy',`
|
||||
domain_auto_trans(sysadm_t, sshd_exec_t, sshd_t)
|
||||
role_transition sysadm_r sshd_exec_t system_r;
|
||||
')
|
||||
|
||||
# for port forwarding
|
||||
allow userdomain sshd_t:tcp_socket { connectto recvfrom };
|
||||
allow sshd_t userdomain:tcp_socket { acceptfrom recvfrom };
|
||||
allow userdomain kernel_t:tcp_socket recvfrom;
|
||||
allow sshd_t kernel_t:tcp_socket recvfrom;
|
||||
') dnl endif TODO
|
||||
')
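Review bot: The hunk at @ -72,7 +72,6 removes a single line from the strict_policy block, and by the line counts that is the `allow sshd_t self:tcp_socket { acceptfrom connectto recvfrom };` rule, which leaves the comment `# so a tunnel can point to another ssh tunnel` sitting directly above the netlink_route_socket rule and describing the wrong line. Either drop the comment together with the rule, or restate what the surviving netlink rule is for. The enclosing ifdef(`strict_policy') block continues outside the hunk.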
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(tcpd,1.0.3)
|
||||
policy_module(tcpd,1.0.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -61,10 +61,6 @@ optional_policy(`
|
||||
nagios_domtrans_nrpe(tcpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
portmap_udp_send(tcpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
rlogin_domtrans(tcpd_t)
|
||||
')
|
||||
|
@ -564,12 +564,6 @@ template(`xserver_user_client_template',`
|
||||
allow $2 $1_xserver_t:shm rw_shm_perms;
|
||||
allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
# for X over a ssh tunnel
|
||||
optional_policy(`
|
||||
kernel_tcp_recvfrom($2)
|
||||
ssh_tcp_connect($2)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(xserver,1.1.12)
|
||||
policy_module(xserver,1.1.13)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(zebra,1.2.3)
|
||||
policy_module(zebra,1.2.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -58,7 +58,6 @@ files_pid_filetrans(zebra_t,zebra_var_run_t, { file sock_file })
|
||||
|
||||
kernel_read_system_state(zebra_t)
|
||||
kernel_read_kernel_sysctls(zebra_t)
|
||||
kernel_tcp_recvfrom(zebra_t)
|
||||
kernel_rw_net_sysctls(zebra_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(zebra_t)
|
||||
@ -123,10 +122,6 @@ tunable_policy(`allow_zebra_write_config',`
|
||||
allow zebra_t zebra_conf_t:file write;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
ldap_use(zebra_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(zebra_t)
|
||||
')
|
||||
|
@ -317,7 +317,7 @@ interface(`init_dontaudit_use_fds',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send UDP network traffic to init.
|
||||
## Send UDP network traffic to init. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -326,15 +326,7 @@ interface(`init_dontaudit_use_fds',`
|
||||
## </param>
|
||||
#
|
||||
interface(`init_udp_send',`
|
||||
gen_require(`
|
||||
type init_t;
|
||||
|
||||
# cjp: remove this when init_t decl is moved back to this module
|
||||
attribute direct_run_init;
|
||||
')
|
||||
|
||||
allow $1 init_t:udp_socket sendto;
|
||||
allow init_t $1:udp_socket recvfrom;
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -751,7 +743,7 @@ interface(`init_rw_script_pipes',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send UDP network traffic to init scripts.
|
||||
## Send UDP network traffic to init scripts. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -760,12 +752,7 @@ interface(`init_rw_script_pipes',`
|
||||
## </param>
|
||||
#
|
||||
interface(`init_udp_send_script',`
|
||||
gen_require(`
|
||||
type initrc_t;
|
||||
')
|
||||
|
||||
allow $1 initrc_t:udp_socket sendto;
|
||||
allow initrc_t $1:udp_socket recvfrom;
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(init,1.3.18)
|
||||
policy_module(init,1.3.19)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
@ -190,10 +190,6 @@ optional_policy(`
|
||||
nscd_socket_use(init_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
portmap_udp_send(init_t)
|
||||
')
|
||||
|
||||
# Run the shell in the sysadm_t domain for single-user mode.
|
||||
optional_policy(`
|
||||
userdom_shell_domtrans_sysadm(init_t)
|
||||
@ -635,7 +631,6 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(initrc_t)
|
||||
nis_udp_send_ypbind(initrc_t)
|
||||
nis_list_var_yp(initrc_t)
|
||||
')
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(mount,1.3.8)
|
||||
policy_module(mount,1.3.9)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -140,8 +140,6 @@ optional_policy(`
|
||||
|
||||
fs_search_rpc(mount_t)
|
||||
|
||||
portmap_udp_chat(mount_t)
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(mount_t)
|
||||
')
|
||||
|
@ -97,7 +97,7 @@ template(`base_user_template',`
|
||||
allow $1_t self:msg { send receive };
|
||||
dontaudit $1_t self:socket create;
|
||||
allow $1_t self:tcp_socket create_stream_socket_perms;
|
||||
allow $1_t self:udp_socket { create_socket_perms sendto recvfrom };
|
||||
allow $1_t self:udp_socket create_socket_perms;
|
||||
|
||||
# evolution and gnome-session try to create a netlink socket
|
||||
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
||||
@ -346,26 +346,6 @@ template(`base_user_template',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
dictd_tcp_connect($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
tunable_policy(`ftpd_is_daemon',`
|
||||
ftp_tcp_connect($1_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
finger_tcp_connect($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
i18n_use($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
inetd_tcp_connect($1_t)
|
||||
inetd_udp_send($1_t)
|
||||
inetd_use_fds($1_t)
|
||||
inetd_rw_tcp_sockets($1_t)
|
||||
')
|
||||
@ -376,10 +356,6 @@ template(`base_user_template',`
|
||||
inn_read_news_spool($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
jabber_tcp_connect($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
mta_rw_spool($1_t)
|
||||
')
|
||||
@ -396,10 +372,6 @@ template(`base_user_template',`
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nessus_tcp_connect($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use($1_t)
|
||||
')
|
||||
@ -409,14 +381,6 @@ template(`base_user_template',`
|
||||
pcmcia_read_pid($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
perdition_tcp_connect($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
portmap_tcp_connect($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
quota_dontaudit_getattr_db($1_t)
|
||||
')
|
||||
@ -445,14 +409,6 @@ template(`base_user_template',`
|
||||
slrnpull_search_spool($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
soundserver_tcp_connect($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
squid_use($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
|
||||
usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
|
||||
@ -778,9 +734,6 @@ template(`admin_user_template',`
|
||||
# Manipulate other users crontab.
|
||||
allow $1_t self:passwd crontab;
|
||||
|
||||
# for the administrator to run TCP servers directly
|
||||
allow $1_t self:tcp_socket { acceptfrom connectto recvfrom };
|
||||
|
||||
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
|
||||
|
||||
allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
|
||||
@ -802,8 +755,6 @@ template(`admin_user_template',`
|
||||
kernel_sigstop_unlabeled($1_t)
|
||||
kernel_signull_unlabeled($1_t)
|
||||
kernel_sigchld_unlabeled($1_t)
|
||||
# for the administrator to run TCP servers directly
|
||||
kernel_tcp_recvfrom($1_t)
|
||||
|
||||
corenet_tcp_bind_generic_port($1_t)
|
||||
# allow setting up tunnels
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(userdomain,1.3.29)
|
||||
policy_module(userdomain,1.3.30)
|
||||
|
||||
gen_require(`
|
||||
role sysadm_r, staff_r, user_r;
|
||||
@ -416,10 +416,6 @@ ifdef(`targeted_policy',`
|
||||
quota_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
radius_use(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
rpm_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|