trunk: whitespace fixes
This commit is contained in:
Chris PeBenito
parent
20272c2b27
commit
3f67f722bb
|
|
@ -97,8 +97,8 @@ allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms;
|
|||
allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
|
||||
allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms;
|
||||
|
||||
manage_dirs_pattern(amanda_t,amanda_var_lib_t,amanda_var_lib_t)
|
||||
manage_files_pattern(amanda_t,amanda_var_lib_t,amanda_var_lib_t)
|
||||
manage_dirs_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t)
|
||||
manage_files_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t)
|
||||
|
||||
manage_files_pattern(amanda_t, amanda_log_t, amanda_log_t)
|
||||
manage_dirs_pattern(amanda_t, amanda_log_t, amanda_log_t)
|
||||
|
|
|
|||
|
|
@ -38,7 +38,7 @@ interface(`dpkg_domtrans_script',`
|
|||
')
|
||||
|
||||
# transition to dpkg script:
|
||||
corecmd_shell_domtrans($1,dpkg_script_t)
|
||||
corecmd_shell_domtrans($1, dpkg_script_t)
|
||||
allow dpkg_script_t $1:fd use;
|
||||
allow dpkg_script_t $1:fifo_file rw_file_perms;
|
||||
allow dpkg_script_t $1:process sigchld;
|
||||
|
|
|
|||
|
|
@ -89,7 +89,7 @@ files_search_var(kudzu_t)
|
|||
files_search_locks(kudzu_t)
|
||||
files_manage_etc_files(kudzu_t)
|
||||
files_manage_etc_runtime_files(kudzu_t)
|
||||
files_etc_filetrans_etc_runtime(kudzu_t,file)
|
||||
files_etc_filetrans_etc_runtime(kudzu_t, file)
|
||||
files_manage_mnt_files(kudzu_t)
|
||||
files_manage_mnt_symlinks(kudzu_t)
|
||||
files_dontaudit_search_src(kudzu_t)
|
||||
|
|
|
|||
|
|
@ -132,7 +132,7 @@ ifdef(`distro_debian', `
|
|||
# for syslogd-listfiles
|
||||
logging_read_syslog_config(logrotate_t)
|
||||
|
||||
# for "test -x /sbin/syslogd"
|
||||
# for "test -x /sbin/syslogd"
|
||||
logging_check_exec_syslog(logrotate_t)
|
||||
')
|
||||
|
||||
|
|
|
|||
|
|
@ -34,7 +34,7 @@ manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
|
|||
manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
|
||||
|
||||
allow logwatch_t logwatch_lock_t:file manage_file_perms;
|
||||
files_lock_filetrans(logwatch_t,logwatch_lock_t,file)
|
||||
files_lock_filetrans(logwatch_t, logwatch_lock_t, file)
|
||||
|
||||
manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
|
||||
manage_files_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
|
||||
|
|
|
|||
|
|
@ -54,7 +54,7 @@ manage_files_pattern(mrtg_t, mrtg_var_lib_t, mrtg_var_lib_t)
|
|||
manage_lnk_files_pattern(mrtg_t, mrtg_var_lib_t, mrtg_var_lib_t)
|
||||
|
||||
allow mrtg_t mrtg_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(mrtg_t,mrtg_var_run_t,file)
|
||||
files_pid_filetrans(mrtg_t, mrtg_var_run_t, file)
|
||||
|
||||
kernel_read_system_state(mrtg_t)
|
||||
kernel_read_network_state(mrtg_t)
|
||||
|
|
|
|||
|
|
@ -99,7 +99,7 @@ interface(`portage_compile_domain',`
|
|||
allow $1 self:dbus send_msg;
|
||||
|
||||
allow $1 portage_devpts_t:chr_file { rw_chr_file_perms setattr };
|
||||
term_create_pty($1,portage_devpts_t)
|
||||
term_create_pty($1, portage_devpts_t)
|
||||
|
||||
# write compile logs
|
||||
allow $1 portage_log_t:dir setattr;
|
||||
|
|
|
|||
|
|
@ -36,7 +36,7 @@ interface(`rpm_domtrans_script',`
|
|||
')
|
||||
|
||||
# transition to rpm script:
|
||||
corecmd_shell_domtrans($1,rpm_script_t)
|
||||
corecmd_shell_domtrans($1, rpm_script_t)
|
||||
allow rpm_script_t $1:fd use;
|
||||
allow rpm_script_t $1:fifo_file rw_file_perms;
|
||||
allow rpm_script_t $1:process sigchld;
|
||||
|
|
|
|||
|
|
@ -166,7 +166,7 @@ template(`su_role_template',`
|
|||
')
|
||||
|
||||
type $1_su_t, su_domain_type;
|
||||
domain_entry_file($1_su_t,su_exec_t)
|
||||
domain_entry_file($1_su_t, su_exec_t)
|
||||
domain_type($1_su_t)
|
||||
domain_interactive_fd($1_su_t)
|
||||
ubac_constrained($1_su_t)
|
||||
|
|
|
|||
|
|
@ -29,7 +29,7 @@ allow sxid_t self:tcp_socket create_stream_socket_perms;
|
|||
allow sxid_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow sxid_t sxid_log_t:file manage_file_perms;
|
||||
logging_log_filetrans(sxid_t,sxid_log_t,file)
|
||||
logging_log_filetrans(sxid_t, sxid_log_t, file)
|
||||
|
||||
manage_dirs_pattern(sxid_t, sxid_tmp_t, sxid_tmp_t)
|
||||
manage_files_pattern(sxid_t, sxid_tmp_t, sxid_tmp_t)
|
||||
|
|
|
|||
|
|
@ -49,7 +49,7 @@ files_tmp_file(sysadm_passwd_tmp_t)
|
|||
type useradd_t;
|
||||
type useradd_exec_t;
|
||||
domain_obj_id_change_exemption(useradd_t)
|
||||
init_system_domain(useradd_t,useradd_exec_t)
|
||||
init_system_domain(useradd_t, useradd_exec_t)
|
||||
role system_r types useradd_t;
|
||||
|
||||
########################################
|
||||
|
|
@ -210,7 +210,7 @@ files_manage_etc_files(groupadd_t)
|
|||
files_relabel_etc_files(groupadd_t)
|
||||
files_read_etc_runtime_files(groupadd_t)
|
||||
|
||||
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
|
||||
# Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}.
|
||||
corecmd_exec_bin(groupadd_t)
|
||||
|
||||
logging_send_audit_msgs(groupadd_t)
|
||||
|
|
|
|||
|
|
@ -480,7 +480,7 @@ userdom_search_user_home_dirs(evolution_exchange_t)
|
|||
# until properly implemented
|
||||
userdom_dontaudit_read_user_home_content_files(evolution_exchange_t)
|
||||
|
||||
xserver_user_x_domain_template(evolution_exchange,evolution_exchange_t, evolution_exchange_tmpfs_t)
|
||||
xserver_user_x_domain_template(evolution_exchange, evolution_exchange_t, evolution_exchange_tmpfs_t)
|
||||
|
||||
# Access evolution home
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
|
|
|
|||
|
|
@ -11,4 +11,4 @@
|
|||
/usr/bin/vlc -- gen_context(system_u:object_r:mplayer_exec_t,s0)
|
||||
/usr/bin/xine -- gen_context(system_u:object_r:mplayer_exec_t,s0)
|
||||
|
||||
HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:mplayer_home_t,s0)
|
||||
HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:mplayer_home_t,s0)
|
||||
|
|
|
|||
|
|
@ -67,12 +67,12 @@ interface(`mplayer_domtrans',`
|
|||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute mplayer in the caller domain.
|
||||
## Execute mplayer in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
#
|
||||
|
|
|
|||
|
|
@ -35,7 +35,7 @@ interface(`locate_read_lib_files',`
|
|||
type locate_var_lib_t;
|
||||
')
|
||||
|
||||
read_files_pattern($1,locate_var_lib_t,locate_var_lib_t)
|
||||
read_files_pattern($1, locate_var_lib_t, locate_var_lib_t)
|
||||
allow $1 locate_var_lib_t:dir list_dir_perms;
|
||||
files_search_var_lib($1)
|
||||
')
|
||||
|
|
|
|||
|
|
@ -54,7 +54,7 @@ corecmd_search_bin(wireshark_t)
|
|||
manage_dirs_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
|
||||
manage_files_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
|
||||
manage_lnk_files_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
|
||||
userdom_user_home_dir_filetrans(wireshark_t, wireshark_home_t,dir)
|
||||
userdom_user_home_dir_filetrans(wireshark_t, wireshark_home_t, dir)
|
||||
|
||||
# Store temporary files
|
||||
manage_dirs_pattern(wireshark_t, wireshark_tmp_t, wireshark_tmp_t)
|
||||
|
|
|
|||
|
|
@ -74,7 +74,7 @@ ifdef(`distro_redhat',`
|
|||
|
||||
/etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/etc/security/namespace.init -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/security/namespace.init -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
|
@ -218,11 +218,11 @@ ifdef(`distro_gentoo',`
|
|||
/usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
|
@ -241,8 +241,8 @@ ifdef(`distro_redhat', `
|
|||
/usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
|
@ -305,7 +305,7 @@ ifdef(`distro_suse', `
|
|||
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib64/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
|
||||
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
|
||||
/var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/var/qmail/rc -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
|
|
|
|||
|
|
@ -70,7 +70,7 @@ interface(`corecmd_bin_entry_type',`
|
|||
type bin_t;
|
||||
')
|
||||
|
||||
domain_entry_file($1,bin_t)
|
||||
domain_entry_file($1, bin_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
|
|||
|
|
@ -230,7 +230,7 @@ type netif_t, netif_type;
|
|||
sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
|
||||
|
||||
build_option(`enable_mls',`
|
||||
network_interface(lo, lo,s0 - mls_systemhigh)
|
||||
network_interface(lo, lo, s0 - mls_systemhigh)
|
||||
',`
|
||||
typealias netif_t alias { lo_netif_t netif_lo_t };
|
||||
')
|
||||
|
|
|
|||
|
|
@ -68,8 +68,8 @@ interface(`dev_relabel_all_dev_nodes',`
|
|||
relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
|
||||
relabelfrom_fifo_files_pattern($1, device_t, device_node)
|
||||
relabelfrom_sock_files_pattern($1, device_t, device_node)
|
||||
relabel_blk_files_pattern($1,device_t,{ device_t device_node })
|
||||
relabel_chr_files_pattern($1,device_t,{ device_t device_node })
|
||||
relabel_blk_files_pattern($1, device_t,{ device_t device_node })
|
||||
relabel_chr_files_pattern($1, device_t,{ device_t device_node })
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
@ -1247,7 +1247,7 @@ interface(`dev_create_cardmgr_dev',`
|
|||
|
||||
create_chr_files_pattern($1, device_t, cardmgr_dev_t)
|
||||
create_blk_files_pattern($1, device_t, cardmgr_dev_t)
|
||||
filetrans_pattern($1,device_t, cardmgr_dev_t, { chr_file blk_file })
|
||||
filetrans_pattern($1, device_t, cardmgr_dev_t, { chr_file blk_file })
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
@ -1709,11 +1709,11 @@ interface(`dev_read_kvm',`
|
|||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write to kvm devices.
|
||||
## Read and write to kvm devices.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
|
|
|||
|
|
@ -2138,7 +2138,7 @@ interface(`files_create_boot_flag',`
|
|||
')
|
||||
|
||||
allow $1 etc_runtime_t:file manage_file_perms;
|
||||
filetrans_pattern($1,root_t,etc_runtime_t,file)
|
||||
filetrans_pattern($1, root_t, etc_runtime_t, file)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
@ -4662,7 +4662,7 @@ interface(`files_rw_generic_pids',`
|
|||
type var_t, var_run_t;
|
||||
')
|
||||
|
||||
list_dirs_pattern($1,var_t,var_run_t)
|
||||
list_dirs_pattern($1, var_t, var_run_t)
|
||||
rw_files_pattern($1, var_run_t, var_run_t)
|
||||
')
|
||||
|
||||
|
|
|
|||
|
|
@ -103,7 +103,7 @@ interface(`fs_exec_noxattr',`
|
|||
attribute noxattrfs;
|
||||
')
|
||||
|
||||
can_exec($1,noxattrfs)
|
||||
can_exec($1, noxattrfs)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
@ -1455,7 +1455,7 @@ interface(`fs_read_fusefs_files',`
|
|||
type fusefs_t;
|
||||
')
|
||||
|
||||
read_files_pattern($1,fusefs_t,fusefs_t)
|
||||
read_files_pattern($1, fusefs_t, fusefs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
|
|||
|
|
@ -959,7 +959,7 @@ interface(`mls_dbus_send_all_levels',`
|
|||
attribute mlsdbussend;
|
||||
')
|
||||
|
||||
typeattribute $1 mlsdbussend;
|
||||
typeattribute $1 mlsdbussend;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
@ -980,5 +980,5 @@ interface(`mls_dbus_recv_all_levels',`
|
|||
attribute mlsdbusrecv;
|
||||
')
|
||||
|
||||
typeattribute $1 mlsdbusrecv;
|
||||
typeattribute $1 mlsdbusrecv;
|
||||
')
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@
|
|||
## </summary>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access.
|
||||
## Role allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@
|
|||
## </summary>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access.
|
||||
## Role allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@
|
|||
## </summary>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access.
|
||||
## Role allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
|
|
|
|||
|
|
@ -65,7 +65,7 @@ allow afs_bosserver_t self:process { setsched signal_perms };
|
|||
allow afs_bosserver_t self:tcp_socket create_stream_socket_perms;
|
||||
allow afs_bosserver_t self:udp_socket create_socket_perms;
|
||||
|
||||
can_exec(afs_bosserver_t,afs_bosserver_exec_t)
|
||||
can_exec(afs_bosserver_t, afs_bosserver_exec_t)
|
||||
|
||||
manage_dirs_pattern(afs_bosserver_t, afs_config_t, afs_config_t)
|
||||
manage_files_pattern(afs_bosserver_t, afs_config_t, afs_config_t)
|
||||
|
|
@ -236,7 +236,7 @@ allow afs_ptserver_t self:unix_stream_socket create_stream_socket_perms;
|
|||
allow afs_ptserver_t self:tcp_socket create_stream_socket_perms;
|
||||
allow afs_ptserver_t self:udp_socket create_socket_perms;
|
||||
|
||||
read_files_pattern(afs_ptserver_t,afs_config_t,afs_config_t)
|
||||
read_files_pattern(afs_ptserver_t, afs_config_t, afs_config_t)
|
||||
allow afs_ptserver_t afs_config_t:dir list_dir_perms;
|
||||
|
||||
manage_dirs_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
|
||||
|
|
@ -274,14 +274,14 @@ allow afs_vlserver_t self:unix_stream_socket create_stream_socket_perms;
|
|||
allow afs_vlserver_t self:tcp_socket create_stream_socket_perms;
|
||||
allow afs_vlserver_t self:udp_socket create_socket_perms;
|
||||
|
||||
read_files_pattern(afs_vlserver_t,afs_config_t,afs_config_t)
|
||||
read_files_pattern(afs_vlserver_t, afs_config_t, afs_config_t)
|
||||
allow afs_vlserver_t afs_config_t:dir list_dir_perms;
|
||||
|
||||
manage_dirs_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
|
||||
manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
|
||||
|
||||
manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t)
|
||||
filetrans_pattern(afs_vlserver_t, afs_dbdir_t,afs_vl_db_t, file)
|
||||
filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file)
|
||||
|
||||
corenet_all_recvfrom_unlabeled(afs_vlserver_t)
|
||||
corenet_all_recvfrom_netlabel(afs_vlserver_t)
|
||||
|
|
|
|||
|
|
@ -78,7 +78,7 @@ files_search_spool(amavis_t)
|
|||
# tmp files
|
||||
manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
|
||||
allow amavis_t amavis_tmp_t:dir setattr;
|
||||
files_tmp_filetrans(amavis_t,amavis_tmp_t,file)
|
||||
files_tmp_filetrans(amavis_t, amavis_tmp_t, file)
|
||||
|
||||
# var/lib files for amavis
|
||||
manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
|
||||
|
|
|
|||
|
|
@ -79,8 +79,8 @@ template(`apache_content_template',`
|
|||
read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
|
||||
|
||||
allow httpd_$1_script_t httpd_$1_script_ro_t:dir list_dir_perms;
|
||||
read_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
|
||||
read_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
|
||||
read_files_pattern(httpd_$1_script_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
|
||||
read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
|
||||
|
||||
manage_dirs_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
|
||||
manage_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
|
||||
|
|
@ -268,33 +268,33 @@ interface(`apache_role',`
|
|||
|
||||
allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
|
||||
|
||||
manage_dirs_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
|
||||
manage_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
|
||||
manage_lnk_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
|
||||
relabel_dirs_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
|
||||
relabel_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
|
||||
relabel_lnk_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
|
||||
manage_dirs_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)
|
||||
manage_files_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)
|
||||
manage_lnk_files_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)
|
||||
relabel_dirs_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)
|
||||
relabel_files_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)
|
||||
relabel_lnk_files_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)
|
||||
|
||||
manage_dirs_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
|
||||
manage_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
|
||||
manage_lnk_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
|
||||
relabel_dirs_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
|
||||
relabel_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
|
||||
relabel_lnk_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
|
||||
manage_dirs_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t)
|
||||
manage_files_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t)
|
||||
manage_lnk_files_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t)
|
||||
relabel_dirs_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t)
|
||||
relabel_files_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t)
|
||||
relabel_lnk_files_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t)
|
||||
|
||||
manage_dirs_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
|
||||
manage_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
|
||||
manage_lnk_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
|
||||
relabel_dirs_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
|
||||
relabel_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
|
||||
relabel_lnk_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
|
||||
manage_dirs_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t)
|
||||
manage_files_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t)
|
||||
manage_lnk_files_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t)
|
||||
relabel_dirs_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t)
|
||||
relabel_files_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t)
|
||||
relabel_lnk_files_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t)
|
||||
|
||||
manage_dirs_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
|
||||
manage_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
|
||||
manage_lnk_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
|
||||
relabel_dirs_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
|
||||
relabel_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
|
||||
relabel_lnk_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
|
||||
manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
|
||||
manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
|
||||
manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
|
||||
relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
|
||||
relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
|
||||
relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
|
||||
|
||||
tunable_policy(`httpd_enable_cgi',`
|
||||
# If a user starts a script by hand it gets the proper context
|
||||
|
|
@ -735,7 +735,7 @@ interface(`apache_exec_modules',`
|
|||
|
||||
allow $1 httpd_modules_t:dir list_dir_perms;
|
||||
allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
|
||||
can_exec($1,httpd_modules_t)
|
||||
can_exec($1, httpd_modules_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
|
|||
|
|
@ -430,7 +430,7 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
|||
')
|
||||
|
||||
tunable_policy(`httpd_ssi_exec',`
|
||||
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
|
||||
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
|
||||
allow httpd_sys_script_t httpd_t:fd use;
|
||||
allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
|
||||
allow httpd_sys_script_t httpd_t:process sigchld;
|
||||
|
|
|
|||
|
|
@ -37,7 +37,7 @@ allow apcupsd_t self:unix_stream_socket create_stream_socket_perms;
|
|||
allow apcupsd_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
allow apcupsd_t apcupsd_lock_t:file manage_file_perms;
|
||||
files_lock_filetrans(apcupsd_t,apcupsd_lock_t,file)
|
||||
files_lock_filetrans(apcupsd_t, apcupsd_lock_t, file)
|
||||
|
||||
allow apcupsd_t apcupsd_log_t:dir setattr;
|
||||
manage_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
|
||||
|
|
@ -47,7 +47,7 @@ manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t)
|
|||
files_tmp_filetrans(apcupsd_t, apcupsd_tmp_t, file)
|
||||
|
||||
manage_files_pattern(apcupsd_t, apcupsd_var_run_t, apcupsd_var_run_t)
|
||||
files_pid_filetrans(apcupsd_t,apcupsd_var_run_t, file)
|
||||
files_pid_filetrans(apcupsd_t, apcupsd_var_run_t, file)
|
||||
|
||||
kernel_read_system_state(apcupsd_t)
|
||||
|
||||
|
|
@ -73,7 +73,7 @@ files_read_etc_files(apcupsd_t)
|
|||
files_search_locks(apcupsd_t)
|
||||
# Creates /etc/nologin
|
||||
files_manage_etc_runtime_files(apcupsd_t)
|
||||
files_etc_filetrans_etc_runtime(apcupsd_t,file)
|
||||
files_etc_filetrans_etc_runtime(apcupsd_t, file)
|
||||
|
||||
# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240805
|
||||
term_use_unallocated_ttys(apcupsd_t)
|
||||
|
|
|
|||
|
|
@ -67,7 +67,7 @@ allow apmd_t self:unix_dgram_socket create_socket_perms;
|
|||
allow apmd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
allow apmd_t apmd_log_t:file manage_file_perms;
|
||||
logging_log_filetrans(apmd_t,apmd_log_t,file)
|
||||
logging_log_filetrans(apmd_t, apmd_log_t, file)
|
||||
|
||||
manage_dirs_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t)
|
||||
manage_files_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t)
|
||||
|
|
@ -139,7 +139,7 @@ userdom_dontaudit_search_user_home_content(apmd_t) # Excessive?
|
|||
|
||||
ifdef(`distro_redhat',`
|
||||
allow apmd_t apmd_lock_t:file manage_file_perms;
|
||||
files_lock_filetrans(apmd_t,apmd_lock_t,file)
|
||||
files_lock_filetrans(apmd_t, apmd_lock_t, file)
|
||||
|
||||
can_exec(apmd_t, apmd_var_run_t)
|
||||
|
||||
|
|
|
|||
|
|
@ -40,7 +40,7 @@ files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file })
|
|||
manage_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
|
||||
manage_sock_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
|
||||
allow avahi_t avahi_var_run_t:dir setattr;
|
||||
files_pid_filetrans(avahi_t,avahi_var_run_t,file)
|
||||
files_pid_filetrans(avahi_t, avahi_var_run_t, file)
|
||||
|
||||
kernel_read_kernel_sysctls(avahi_t)
|
||||
kernel_list_proc(avahi_t)
|
||||
|
|
|
|||
|
|
@ -151,7 +151,7 @@ userdom_dontaudit_search_user_home_dirs(named_t)
|
|||
|
||||
tunable_policy(`named_write_master_zones',`
|
||||
manage_dirs_pattern(named_t, named_zone_t, named_zone_t)
|
||||
manage_files_pattern(named_t, named_zone_t,named_zone_t)
|
||||
manage_files_pattern(named_t, named_zone_t, named_zone_t)
|
||||
manage_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
|
||||
')
|
||||
|
||||
|
|
|
|||
|
|
@ -77,7 +77,7 @@ filetrans_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t, { dir file
|
|||
can_exec(bluetooth_t, bluetooth_helper_exec_t)
|
||||
|
||||
allow bluetooth_t bluetooth_lock_t:file manage_file_perms;
|
||||
files_lock_filetrans(bluetooth_t,bluetooth_lock_t,file)
|
||||
files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file)
|
||||
|
||||
manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
|
||||
manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
|
||||
|
|
|
|||
|
|
@ -16,7 +16,7 @@ interface(`canna_stream_connect',`
|
|||
')
|
||||
|
||||
files_search_pids($1)
|
||||
stream_connect_pattern($1, canna_var_run_t, canna_var_run_t,canna_t)
|
||||
stream_connect_pattern($1, canna_var_run_t, canna_var_run_t, canna_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
/etc/certmaster(/.*)? gen_context(system_u:object_r:certmaster_etc_rw_t,s0)
|
||||
/etc/rc\.d/init\.d/certmaster -- gen_context(system_u:object_r:certmaster_initrc_exec_t,s0)
|
||||
/etc/rc\.d/init\.d/certmaster -- gen_context(system_u:object_r:certmaster_initrc_exec_t,s0)
|
||||
|
||||
/usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0)
|
||||
|
||||
/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0)
|
||||
/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0)
|
||||
/var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0)
|
||||
|
|
|
|||
|
|
@ -20,60 +20,60 @@ interface(`certmaster_domtrans',`
|
|||
|
||||
#######################################
|
||||
## <summary>
|
||||
## read certmaster logs.
|
||||
## read certmaster logs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`certmaster_read_log',`
|
||||
gen_require(`
|
||||
type certmaster_var_log_t;
|
||||
')
|
||||
gen_require(`
|
||||
type certmaster_var_log_t;
|
||||
')
|
||||
|
||||
read_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
|
||||
read_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
|
||||
logging_search_logs($1)
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Append to certmaster logs.
|
||||
## Append to certmaster logs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`certmaster_append_log',`
|
||||
gen_require(`
|
||||
type certmaster_var_log_t;
|
||||
')
|
||||
gen_require(`
|
||||
type certmaster_var_log_t;
|
||||
')
|
||||
|
||||
append_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
|
||||
append_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
|
||||
logging_search_logs($1)
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete
|
||||
## certmaster logs.
|
||||
## Create, read, write, and delete
|
||||
## certmaster logs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`certmaster_manage_log',`
|
||||
gen_require(`
|
||||
type certmaster_var_log_t;
|
||||
')
|
||||
gen_require(`
|
||||
type certmaster_var_log_t;
|
||||
')
|
||||
|
||||
manage_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
|
||||
manage_lnk_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
|
||||
manage_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
|
||||
manage_lnk_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
|
||||
logging_search_logs($1)
|
||||
')
|
||||
|
||||
|
|
|
|||
|
|
@ -120,7 +120,7 @@ cron_rw_pipes(clamd_t)
|
|||
optional_policy(`
|
||||
amavis_read_lib_files(clamd_t)
|
||||
amavis_read_spool_files(clamd_t)
|
||||
amavis_spool_filetrans(clamd_t,clamd_var_run_t,sock_file)
|
||||
amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file)
|
||||
amavis_create_pid_files(clamd_t)
|
||||
')
|
||||
|
||||
|
|
|
|||
|
|
@ -35,7 +35,7 @@ template(`courier_domain_template',`
|
|||
|
||||
can_exec(courier_$1_t, courier_$1_exec_t)
|
||||
|
||||
read_files_pattern(courier_$1_t,courier_etc_t,courier_etc_t)
|
||||
read_files_pattern(courier_$1_t, courier_etc_t, courier_etc_t)
|
||||
allow courier_$1_t courier_etc_t:dir list_dir_perms;
|
||||
|
||||
manage_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
|
||||
|
|
|
|||
|
|
@ -34,7 +34,7 @@ template(`cron_common_crontab_template',`
|
|||
allow $1_t self:process signal_perms;
|
||||
|
||||
allow $1_t $1_tmp_t:file manage_file_perms;
|
||||
files_tmp_filetrans($1_t,$1_tmp_t,file)
|
||||
files_tmp_filetrans($1_t,$1_tmp_t, file)
|
||||
|
||||
# create files in /var/spool/cron
|
||||
# cjp: change this to a role transition
|
||||
|
|
@ -411,7 +411,7 @@ interface(`cron_anacron_domtrans_system_job',`
|
|||
type system_cronjob_t, anacron_exec_t;
|
||||
')
|
||||
|
||||
domtrans_pattern($1,anacron_exec_t,system_cronjob_t)
|
||||
domtrans_pattern($1, anacron_exec_t, system_cronjob_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
|
|||
|
|
@ -90,7 +90,7 @@ type system_cronjob_tmp_t alias system_crond_tmp_t;
|
|||
files_tmp_file(system_cronjob_tmp_t)
|
||||
|
||||
ifdef(`enable_mcs',`
|
||||
init_ranged_daemon_domain(crond_t,crond_exec_t,s0 - mcs_systemhigh)
|
||||
init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
|
||||
')
|
||||
|
||||
type unconfined_cronjob_t;
|
||||
|
|
@ -147,7 +147,7 @@ allow crond_t self:msg { send receive };
|
|||
allow crond_t self:key { search write link };
|
||||
|
||||
allow crond_t crond_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(crond_t,crond_var_run_t,file)
|
||||
files_pid_filetrans(crond_t, crond_var_run_t, file)
|
||||
|
||||
allow crond_t cron_spool_t:dir rw_dir_perms;
|
||||
allow crond_t cron_spool_t:file read_file_perms;
|
||||
|
|
@ -306,7 +306,7 @@ allow system_cronjob_t crond_t:process sigchld;
|
|||
|
||||
# Write /var/lock/makewhatis.lock.
|
||||
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
|
||||
files_lock_filetrans(system_cronjob_t,system_cronjob_lock_t,file)
|
||||
files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file)
|
||||
|
||||
# write temporary files
|
||||
manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
|
||||
|
|
|
|||
|
|
@ -66,11 +66,11 @@ type ptal_var_run_t;
|
|||
files_pid_file(ptal_var_run_t)
|
||||
|
||||
ifdef(`enable_mcs',`
|
||||
init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh)
|
||||
init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, s0 - mcs_systemhigh)
|
||||
')
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,mls_systemhigh)
|
||||
init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
|
|||
|
|
@ -42,7 +42,7 @@ allow ddclient_t self:udp_socket create_socket_perms;
|
|||
allow ddclient_t ddclient_etc_t:file read_file_perms;
|
||||
|
||||
allow ddclient_t ddclient_log_t:file manage_file_perms;
|
||||
logging_log_filetrans(ddclient_t,ddclient_log_t,file)
|
||||
logging_log_filetrans(ddclient_t, ddclient_log_t, file)
|
||||
|
||||
manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
|
||||
manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
|
||||
|
|
|
|||
|
|
@ -36,7 +36,7 @@ allow dnsmasq_t self:rawip_socket create_socket_perms;
|
|||
|
||||
# dhcp leases
|
||||
manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
|
||||
files_var_lib_filetrans(dnsmasq_t,dnsmasq_lease_t,file)
|
||||
files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
|
||||
|
||||
manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
|
||||
files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file)
|
||||
|
|
|
|||
|
|
@ -53,14 +53,14 @@ files_pid_file(exim_var_run_t)
|
|||
# exim local policy
|
||||
#
|
||||
|
||||
allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource };
|
||||
allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource };
|
||||
allow exim_t self:process { setrlimit setpgid };
|
||||
allow exim_t self:fifo_file rw_fifo_file_perms;
|
||||
allow exim_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow exim_t self:tcp_socket create_stream_socket_perms;
|
||||
allow exim_t self:udp_socket create_socket_perms;
|
||||
|
||||
can_exec(exim_t,exim_exec_t)
|
||||
can_exec(exim_t, exim_exec_t)
|
||||
|
||||
manage_files_pattern(exim_t, exim_log_t, exim_log_t)
|
||||
logging_log_filetrans(exim_t, exim_log_t, { file dir })
|
||||
|
|
@ -132,8 +132,8 @@ mta_mailserver_delivery(exim_t)
|
|||
tunable_policy(`exim_can_connect_db',`
|
||||
corenet_tcp_connect_mysqld_port(exim_t)
|
||||
corenet_sendrecv_mysqld_client_packets(exim_t)
|
||||
corenet_tcp_connect_postgresql_port(exim_t)
|
||||
corenet_sendrecv_postgresql_client_packets(exim_t)
|
||||
corenet_tcp_connect_postgresql_port(exim_t)
|
||||
corenet_sendrecv_postgresql_client_packets(exim_t)
|
||||
')
|
||||
|
||||
tunable_policy(`exim_read_user_files',`
|
||||
|
|
|
|||
|
|
@ -246,7 +246,7 @@ optional_policy(`
|
|||
|
||||
files_read_usr_files(ftpd_t)
|
||||
|
||||
cron_system_entry(ftpd_t, ftpd_exec_t)
|
||||
cron_system_entry(ftpd_t, ftpd_exec_t)
|
||||
|
||||
optional_policy(`
|
||||
logrotate_exec(ftpd_t)
|
||||
|
|
|
|||
|
|
@ -39,7 +39,7 @@ manage_files_pattern(gpm_t, gpm_tmp_t, gpm_tmp_t)
|
|||
files_tmp_filetrans(gpm_t, gpm_tmp_t, { file dir })
|
||||
|
||||
allow gpm_t gpm_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(gpm_t,gpm_var_run_t,file)
|
||||
files_pid_filetrans(gpm_t, gpm_var_run_t, file)
|
||||
|
||||
allow gpm_t gpmctl_t:sock_file manage_sock_file_perms;
|
||||
allow gpm_t gpmctl_t:fifo_file manage_fifo_file_perms;
|
||||
|
|
|
|||
|
|
@ -1 +1 @@
|
|||
/usr/sbin/gpsd -- gen_context(system_u:object_r:gpsd_exec_t,s0)
|
||||
/usr/sbin/gpsd -- gen_context(system_u:object_r:gpsd_exec_t,s0)
|
||||
|
|
|
|||
|
|
@ -2,71 +2,71 @@
|
|||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a domain transition to run gpsd.
|
||||
## Execute a domain transition to run gpsd.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`gpsd_domtrans',`
|
||||
gen_require(`
|
||||
type gpsd_t, gpsd_exec_t;
|
||||
')
|
||||
gen_require(`
|
||||
type gpsd_t, gpsd_exec_t;
|
||||
')
|
||||
|
||||
domtrans_pattern($1, gpsd_exec_t, gpsd_t)
|
||||
domtrans_pattern($1, gpsd_exec_t, gpsd_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute gpsd in the gpsd domain, and
|
||||
## allow the specified role the gpsd domain.
|
||||
## Execute gpsd in the gpsd domain, and
|
||||
## allow the specified role the gpsd domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access
|
||||
## </summary>
|
||||
## <summary>
|
||||
## Domain allowed access
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed the gpsd domain.
|
||||
## </summary>
|
||||
## <summary>
|
||||
## The role to be allowed the gpsd domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the role's terminal.
|
||||
## </summary>
|
||||
## <summary>
|
||||
## The type of the role's terminal.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`gpsd_run',`
|
||||
gen_require(`
|
||||
type gpsd_t;
|
||||
')
|
||||
gen_require(`
|
||||
type gpsd_t;
|
||||
')
|
||||
|
||||
gpsd_domtrans($1)
|
||||
role $2 types gpsd_t;
|
||||
allow gpsd_t $3:chr_file rw_term_perms;
|
||||
gpsd_domtrans($1)
|
||||
role $2 types gpsd_t;
|
||||
allow gpsd_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write gpsd shared memory.
|
||||
## Read and write gpsd shared memory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`gpsd_rw_shm',`
|
||||
gen_require(`
|
||||
type gpsd_t, gpsd_tmpfs_t;
|
||||
')
|
||||
gen_require(`
|
||||
type gpsd_t, gpsd_tmpfs_t;
|
||||
')
|
||||
|
||||
allow $1 gpsd_t:shm rw_shm_perms;
|
||||
allow $1 gpsd_tmpfs_t:dir list_dir_perms;
|
||||
rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
|
||||
read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
|
||||
fs_search_tmpfs($1)
|
||||
allow $1 gpsd_t:shm rw_shm_perms;
|
||||
allow $1 gpsd_tmpfs_t:dir list_dir_perms;
|
||||
rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
|
||||
read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
|
||||
fs_search_tmpfs($1)
|
||||
')
|
||||
|
|
|
|||
|
|
@ -47,7 +47,7 @@ logging_send_syslog_msg(gpsd_t)
|
|||
miscfiles_read_localization(gpsd_t)
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(gpsd_t)
|
||||
dbus_system_bus_client(gpsd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
/etc/ifplugd(/.*)? gen_context(system_u:object_r:ifplugd_etc_t,s0)
|
||||
/etc/ifplugd(/.*)? gen_context(system_u:object_r:ifplugd_etc_t,s0)
|
||||
|
||||
/etc/rc\.d/init\.d/ifplugd -- gen_context(system_u:object_r:ifplugd_initrc_exec_t,s0)
|
||||
/etc/rc\.d/init\.d/ifplugd -- gen_context(system_u:object_r:ifplugd_initrc_exec_t,s0)
|
||||
|
||||
/usr/sbin/ifplugd -- gen_context(system_u:object_r:ifplugd_exec_t,s0)
|
||||
|
||||
|
|
|
|||
|
|
@ -73,5 +73,5 @@ sysnet_read_dhcpc_pid(ifplugd_t)
|
|||
sysnet_signal_dhcpc(ifplugd_t)
|
||||
|
||||
optional_policy(`
|
||||
consoletype_exec(ifplugd_t)
|
||||
consoletype_exec(ifplugd_t)
|
||||
')
|
||||
|
|
|
|||
|
|
@ -31,7 +31,7 @@ type inetd_child_var_run_t;
|
|||
files_pid_file(inetd_child_var_run_t)
|
||||
|
||||
ifdef(`enable_mcs',`
|
||||
init_ranged_daemon_domain(inetd_t, inetd_exec_t,s0 - mcs_systemhigh)
|
||||
init_ranged_daemon_domain(inetd_t, inetd_exec_t, s0 - mcs_systemhigh)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
|
|||
|
|
@ -281,7 +281,7 @@ interface(`kerberos_connect_524',`
|
|||
tunable_policy(`allow_kerberos',`
|
||||
allow $1 self:udp_socket create_socket_perms;
|
||||
|
||||
corenet_all_recvfrom_unlabeled($1)
|
||||
corenet_all_recvfrom_unlabeled($1)
|
||||
corenet_udp_sendrecv_generic_if($1)
|
||||
corenet_udp_sendrecv_generic_node($1)
|
||||
corenet_udp_sendrecv_kerberos_master_port($1)
|
||||
|
|
|
|||
|
|
@ -84,7 +84,7 @@ allow kadmind_t self:tcp_socket connected_stream_socket_perms;
|
|||
allow kadmind_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow kadmind_t kadmind_log_t:file manage_file_perms;
|
||||
logging_log_filetrans(kadmind_t,kadmind_log_t,file)
|
||||
logging_log_filetrans(kadmind_t, kadmind_log_t, file)
|
||||
|
||||
allow kadmind_t krb5_conf_t:file read_file_perms;
|
||||
dontaudit kadmind_t krb5_conf_t:file write;
|
||||
|
|
|
|||
|
|
@ -61,7 +61,7 @@ manage_lnk_files_pattern(slapd_t, slapd_db_t, slapd_db_t)
|
|||
allow slapd_t slapd_etc_t:file read_file_perms;
|
||||
|
||||
allow slapd_t slapd_lock_t:file manage_file_perms;
|
||||
files_lock_filetrans(slapd_t,slapd_lock_t,file)
|
||||
files_lock_filetrans(slapd_t, slapd_lock_t, file)
|
||||
|
||||
# Allow access to write the replication log (should tighten this)
|
||||
manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
|
||||
|
|
|
|||
|
|
@ -21,39 +21,39 @@ interface(`lircd_domtrans',`
|
|||
|
||||
######################################
|
||||
## <summary>
|
||||
## Connect to lircd over a unix domain
|
||||
## stream socket.
|
||||
## Connect to lircd over a unix domain
|
||||
## stream socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`lircd_stream_connect',`
|
||||
gen_require(`
|
||||
type lircd_sock_t, lircd_t;
|
||||
')
|
||||
gen_require(`
|
||||
type lircd_sock_t, lircd_t;
|
||||
')
|
||||
|
||||
allow $1 lircd_t:unix_stream_socket connectto;
|
||||
allow $1 lircd_sock_t:sock_file write_sock_file_perms;
|
||||
files_search_pids($1)
|
||||
allow $1 lircd_t:unix_stream_socket connectto;
|
||||
allow $1 lircd_sock_t:sock_file write_sock_file_perms;
|
||||
files_search_pids($1)
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Read lircd etc file
|
||||
## Read lircd etc file
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`lircd_read_config',`
|
||||
gen_require(`
|
||||
type lircd_etc_t;
|
||||
')
|
||||
')
|
||||
|
||||
read_files_pattern($1, lircd_etc_t, lircd_etc_t)
|
||||
')
|
||||
|
|
|
|||
|
|
@ -148,7 +148,7 @@ files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir })
|
|||
|
||||
manage_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
|
||||
manage_sock_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
|
||||
files_pid_filetrans(lpd_t, lpd_var_run_t,file)
|
||||
files_pid_filetrans(lpd_t, lpd_var_run_t, file)
|
||||
|
||||
# Write to /var/spool/lpd.
|
||||
manage_files_pattern(lpd_t, print_spool_t, print_spool_t)
|
||||
|
|
@ -304,14 +304,14 @@ tunable_policy(`use_lpd_server',`
|
|||
manage_files_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t)
|
||||
files_tmp_filetrans(lpr_t, lpr_tmp_t, { file dir })
|
||||
|
||||
manage_files_pattern(lpr_t,print_spool_t,print_spool_t)
|
||||
filetrans_pattern(lpr_t,print_spool_t,print_spool_t,file)
|
||||
manage_files_pattern(lpr_t, print_spool_t, print_spool_t)
|
||||
filetrans_pattern(lpr_t, print_spool_t, print_spool_t, file)
|
||||
# Read and write shared files in the spool directory.
|
||||
allow lpr_t print_spool_t:file rw_file_perms;
|
||||
|
||||
allow lpr_t printconf_t:dir list_dir_perms;
|
||||
read_files_pattern(lpr_t,printconf_t,printconf_t)
|
||||
read_lnk_files_pattern(lpr_t,printconf_t,printconf_t)
|
||||
read_files_pattern(lpr_t, printconf_t, printconf_t)
|
||||
read_lnk_files_pattern(lpr_t, printconf_t, printconf_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
|
|
|
|||
|
|
@ -16,7 +16,7 @@ interface(`memcached_domtrans',`
|
|||
type memcached_exec_t;
|
||||
')
|
||||
|
||||
domtrans_pattern($1,memcached_exec_t,memcached_t)
|
||||
domtrans_pattern($1, memcached_exec_t, memcached_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
|
|||
|
|
@ -40,7 +40,7 @@ corenet_udp_bind_memcache_port(memcached_t)
|
|||
|
||||
manage_dirs_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
|
||||
manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
|
||||
files_pid_filetrans(memcached_t,memcached_var_run_t, { file dir })
|
||||
files_pid_filetrans(memcached_t, memcached_var_run_t, { file dir })
|
||||
|
||||
files_read_etc_files(memcached_t)
|
||||
|
||||
|
|
|
|||
|
|
@ -257,7 +257,7 @@ interface(`mta_sendmail_mailserver',`
|
|||
type sendmail_exec_t;
|
||||
')
|
||||
|
||||
init_system_domain($1,sendmail_exec_t)
|
||||
init_system_domain($1, sendmail_exec_t)
|
||||
typeattribute $1 mailserver_domain;
|
||||
')
|
||||
|
||||
|
|
|
|||
|
|
@ -101,7 +101,7 @@ optional_policy(`
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
cron_system_entry(munin_t,munin_exec_t)
|
||||
cron_system_entry(munin_t, munin_exec_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
|
|||
|
|
@ -10,7 +10,7 @@
|
|||
#
|
||||
# /usr
|
||||
#
|
||||
/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
|
||||
/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
|
||||
|
||||
/usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0)
|
||||
|
||||
|
|
|
|||
|
|
@ -142,18 +142,18 @@ interface(`mysql_manage_db_dirs',`
|
|||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Append to the MySQL database directory.
|
||||
## Append to the MySQL database directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`mysql_append_db_files',`
|
||||
gen_require(`
|
||||
type mysqld_db_t;
|
||||
')
|
||||
gen_require(`
|
||||
type mysqld_db_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
append_files_pattern($1, mysqld_db_t, mysqld_db_t)
|
||||
|
|
@ -161,40 +161,40 @@ interface(`mysql_append_db_files',`
|
|||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Read and write to the MySQL database directory.
|
||||
## Read and write to the MySQL database directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`mysql_rw_db_files',`
|
||||
gen_require(`
|
||||
type mysqld_db_t;
|
||||
')
|
||||
gen_require(`
|
||||
type mysqld_db_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
files_search_var_lib($1)
|
||||
rw_files_pattern($1, mysqld_db_t, mysqld_db_t)
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete MySQL database files.
|
||||
## Create, read, write, and delete MySQL database files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`mysql_manage_db_files',`
|
||||
gen_require(`
|
||||
type mysqld_db_t;
|
||||
')
|
||||
gen_require(`
|
||||
type mysqld_db_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
manage_files_pattern($1, mysqld_db_t, mysqld_db_t)
|
||||
files_search_var_lib($1)
|
||||
manage_files_pattern($1, mysqld_db_t, mysqld_db_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
@ -239,21 +239,21 @@ interface(`mysql_write_log',`
|
|||
|
||||
#####################################
|
||||
## <summary>
|
||||
## Search MySQL PID files.
|
||||
## Search MySQL PID files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
##
|
||||
#
|
||||
interface(`mysql_search_pid_files',`
|
||||
gen_require(`
|
||||
type mysqld_var_run_t;
|
||||
')
|
||||
gen_require(`
|
||||
type mysqld_var_run_t;
|
||||
')
|
||||
|
||||
search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
|
||||
search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
|
|||
|
|
@ -152,7 +152,7 @@ hostname_exec(mysqld_safe_t)
|
|||
|
||||
miscfiles_read_localization(mysqld_safe_t)
|
||||
|
||||
mysql_append_db_files(mysqld_safe_t)
|
||||
mysql_append_db_files(mysqld_safe_t)
|
||||
mysql_read_config(mysqld_safe_t)
|
||||
mysql_search_pid_files(mysqld_safe_t)
|
||||
mysql_write_log(mysqld_safe_t)
|
||||
|
|
|
|||
|
|
@ -57,7 +57,7 @@ files_search_tmp(NetworkManager_t)
|
|||
manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
|
||||
manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
|
||||
manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
|
||||
files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file })
|
||||
files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
|
||||
|
||||
kernel_read_system_state(NetworkManager_t)
|
||||
kernel_read_network_state(NetworkManager_t)
|
||||
|
|
|
|||
|
|
@ -225,7 +225,7 @@ allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
|
|||
allow ypserv_t self:tcp_socket connected_stream_socket_perms;
|
||||
allow ypserv_t self:udp_socket create_socket_perms;
|
||||
|
||||
manage_files_pattern(ypserv_t,var_yp_t,var_yp_t)
|
||||
manage_files_pattern(ypserv_t, var_yp_t, var_yp_t)
|
||||
|
||||
allow ypserv_t ypserv_conf_t:file read_file_perms;
|
||||
|
||||
|
|
|
|||
|
|
@ -1,10 +1,10 @@
|
|||
|
||||
/etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0)
|
||||
/etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0)
|
||||
/etc/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0)
|
||||
/etc/nsd/primary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
|
||||
/etc/nsd/secondary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
|
||||
|
||||
/usr/sbin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0)
|
||||
/usr/sbin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0)
|
||||
/usr/sbin/nsdc -- gen_context(system_u:object_r:nsd_exec_t,s0)
|
||||
/usr/sbin/nsd-notify -- gen_context(system_u:object_r:nsd_exec_t,s0)
|
||||
/usr/sbin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0)
|
||||
|
|
|
|||
|
|
@ -56,24 +56,24 @@ interface(`ntp_domtrans_ntpdate',`
|
|||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write ntpd shared memory.
|
||||
## Read and write ntpd shared memory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`ntpd_rw_shm',`
|
||||
gen_require(`
|
||||
type ntpd_t, ntpd_tmpfs_t;
|
||||
')
|
||||
gen_require(`
|
||||
type ntpd_t, ntpd_tmpfs_t;
|
||||
')
|
||||
|
||||
allow $1 ntpd_t:shm rw_shm_perms;
|
||||
list_dirs_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
|
||||
rw_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
|
||||
read_lnk_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
|
||||
fs_search_tmpfs($1)
|
||||
allow $1 ntpd_t:shm rw_shm_perms;
|
||||
list_dirs_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
|
||||
rw_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
|
||||
read_lnk_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
|
||||
fs_search_tmpfs($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
|
|||
|
|
@ -52,13 +52,13 @@ allow ntpd_t self:udp_socket create_socket_perms;
|
|||
|
||||
manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
|
||||
|
||||
can_exec(ntpd_t,ntpd_exec_t)
|
||||
can_exec(ntpd_t, ntpd_exec_t)
|
||||
|
||||
read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
|
||||
|
||||
allow ntpd_t ntpd_log_t:dir setattr;
|
||||
manage_files_pattern(ntpd_t,ntpd_log_t,ntpd_log_t)
|
||||
logging_log_filetrans(ntpd_t,ntpd_log_t,{ file dir })
|
||||
manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
|
||||
logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })
|
||||
|
||||
# for some reason it creates a file in /tmp
|
||||
manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
|
||||
|
|
|
|||
|
|
@ -35,7 +35,7 @@ allow nx_server_t self:tcp_socket create_socket_perms;
|
|||
allow nx_server_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr };
|
||||
term_create_pty(nx_server_t,nx_server_devpts_t)
|
||||
term_create_pty(nx_server_t, nx_server_devpts_t)
|
||||
|
||||
manage_dirs_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
|
||||
manage_files_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
|
||||
|
|
|
|||
|
|
@ -16,7 +16,7 @@ interface(`openca_domtrans',`
|
|||
type openca_ca_t, openca_ca_exec_t, openca_usr_share_t;
|
||||
')
|
||||
|
||||
domtrans_pattern($1,openca_ca_exec_t,openca_ca_t)
|
||||
domtrans_pattern($1, openca_ca_exec_t, openca_ca_t)
|
||||
allow $1 openca_usr_share_t:dir search_dir_perms;
|
||||
files_search_usr($1)
|
||||
')
|
||||
|
|
|
|||
|
|
@ -5,8 +5,8 @@
|
|||
/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
|
||||
/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
|
||||
|
||||
/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
|
||||
/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
|
||||
|
||||
/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
|
||||
/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
|
||||
|
||||
/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
|
||||
/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
|
||||
|
|
|
|||
|
|
@ -20,78 +20,78 @@ interface(`pingd_domtrans',`
|
|||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Read pingd etc configuration files.
|
||||
## Read pingd etc configuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`pingd_read_config',`
|
||||
gen_require(`
|
||||
type pingd_etc_t;
|
||||
')
|
||||
gen_require(`
|
||||
type pingd_etc_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
read_files_pattern($1, pingd_etc_t, pingd_etc_t)
|
||||
files_search_etc($1)
|
||||
read_files_pattern($1, pingd_etc_t, pingd_etc_t)
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Manage pingd etc configuration files.
|
||||
## Manage pingd etc configuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`pingd_manage_config',`
|
||||
gen_require(`
|
||||
type pingd_etc_t;
|
||||
')
|
||||
gen_require(`
|
||||
type pingd_etc_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t)
|
||||
manage_files_pattern($1, pingd_etc_t, pingd_etc_t)
|
||||
files_search_etc($1)
|
||||
manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t)
|
||||
manage_files_pattern($1, pingd_etc_t, pingd_etc_t)
|
||||
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an pingd environment
|
||||
## All of the rules required to administrate
|
||||
## an pingd environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the pingd domain.
|
||||
## </summary>
|
||||
## <summary>
|
||||
## The role to be allowed to manage the pingd domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`pingd_admin',`
|
||||
gen_require(`
|
||||
type pingd_t, pingd_etc_t;
|
||||
type pingd_initrc_exec_t, pingd_modules_t;
|
||||
')
|
||||
gen_require(`
|
||||
type pingd_t, pingd_etc_t;
|
||||
type pingd_initrc_exec_t, pingd_modules_t;
|
||||
')
|
||||
|
||||
allow $1 pingd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, pingd_t)
|
||||
allow $1 pingd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, pingd_t)
|
||||
|
||||
init_labeled_script_domtrans($1, pingd_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 pingd_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
init_labeled_script_domtrans($1, pingd_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 pingd_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_list_etc($1)
|
||||
admin_pattern($1, pingd_etc_t)
|
||||
files_list_etc($1)
|
||||
admin_pattern($1, pingd_etc_t)
|
||||
|
||||
files_list_usr($1)
|
||||
admin_pattern($1, pingd_modules_t)
|
||||
admin_pattern($1, pingd_modules_t)
|
||||
')
|
||||
|
|
|
|||
|
|
@ -365,7 +365,7 @@ interface(`postfix_exec_master',`
|
|||
type postfix_master_exec_t;
|
||||
')
|
||||
|
||||
can_exec($1,postfix_master_exec_t)
|
||||
can_exec($1, postfix_master_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
|
|||
|
|
@ -106,7 +106,7 @@ allow postfix_master_t self:udp_socket create_socket_perms;
|
|||
|
||||
allow postfix_master_t postfix_etc_t:file rw_file_perms;
|
||||
|
||||
can_exec(postfix_master_t,postfix_exec_t)
|
||||
can_exec(postfix_master_t, postfix_exec_t)
|
||||
|
||||
allow postfix_master_t postfix_data_t:dir manage_dir_perms;
|
||||
allow postfix_master_t postfix_data_t:file manage_file_perms;
|
||||
|
|
@ -363,7 +363,7 @@ optional_policy(`
|
|||
|
||||
allow postfix_pickup_t self:tcp_socket create_socket_perms;
|
||||
|
||||
stream_connect_pattern(postfix_pickup_t,postfix_private_t,postfix_private_t,postfix_master_t)
|
||||
stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
|
||||
|
||||
rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
|
||||
rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
|
||||
|
|
@ -445,7 +445,7 @@ allow postfix_postqueue_t self:tcp_socket create;
|
|||
allow postfix_postqueue_t self:udp_socket { create ioctl };
|
||||
|
||||
# wants to write to /var/spool/postfix/public/showq
|
||||
stream_connect_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t,postfix_master_t)
|
||||
stream_connect_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t, postfix_master_t)
|
||||
|
||||
# write to /var/spool/postfix/public/qmgr
|
||||
write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t)
|
||||
|
|
|
|||
|
|
@ -53,7 +53,7 @@ interface(`postgresql_role',`
|
|||
allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
|
||||
')
|
||||
|
||||
allow $2 user_sepgsql_table_t:db_table { getattr use select update insert delete lock };
|
||||
allow $2 user_sepgsql_table_t:db_table { getattr use select update insert delete lock };
|
||||
allow $2 user_sepgsql_table_t:db_column { getattr use select update insert };
|
||||
allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete };
|
||||
type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t;
|
||||
|
|
|
|||
|
|
@ -178,7 +178,7 @@ allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
|
|||
can_exec(postgresql_t, postgresql_exec_t )
|
||||
|
||||
allow postgresql_t postgresql_lock_t:file manage_file_perms;
|
||||
files_lock_filetrans(postgresql_t,postgresql_lock_t,file)
|
||||
files_lock_filetrans(postgresql_t, postgresql_lock_t, file)
|
||||
|
||||
manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t)
|
||||
logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir })
|
||||
|
|
@ -268,7 +268,7 @@ optional_policy(`
|
|||
|
||||
optional_policy(`
|
||||
cron_search_spool(postgresql_t)
|
||||
cron_system_entry(postgresql_t,postgresql_exec_t)
|
||||
cron_system_entry(postgresql_t, postgresql_exec_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
|
|||
|
|
@ -30,7 +30,7 @@ allow procmail_t self:unix_dgram_socket create_socket_perms;
|
|||
allow procmail_t self:tcp_socket create_stream_socket_perms;
|
||||
allow procmail_t self:udp_socket create_socket_perms;
|
||||
|
||||
can_exec(procmail_t,procmail_exec_t)
|
||||
can_exec(procmail_t, procmail_exec_t)
|
||||
|
||||
# Write log to /var/log/procmail.log or /var/log/procmail/.*
|
||||
allow procmail_t procmail_log_t:dir setattr;
|
||||
|
|
|
|||
|
|
@ -84,13 +84,13 @@ interface(`psad_read_config',`
|
|||
## </param>
|
||||
#
|
||||
interface(`psad_manage_config',`
|
||||
gen_require(`
|
||||
type psad_etc_t;
|
||||
')
|
||||
gen_require(`
|
||||
type psad_etc_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
manage_dirs_pattern($1, psad_etc_t, psad_etc_t)
|
||||
manage_files_pattern($1, psad_etc_t, psad_etc_t)
|
||||
manage_files_pattern($1, psad_etc_t, psad_etc_t)
|
||||
|
||||
')
|
||||
|
||||
|
|
|
|||
|
|
@ -102,6 +102,6 @@ miscfiles_read_localization(psad_t)
|
|||
sysnet_exec_ifconfig(psad_t)
|
||||
|
||||
optional_policy(`
|
||||
mta_send_mail(psad_t)
|
||||
mta_send_mail(psad_t)
|
||||
mta_read_queue(psad_t)
|
||||
')
|
||||
|
|
|
|||
|
|
@ -36,7 +36,7 @@ ubac_constrained(pyzor_var_lib_t)
|
|||
|
||||
type pyzord_t;
|
||||
type pyzord_exec_t;
|
||||
init_daemon_domain(pyzord_t,pyzord_exec_t)
|
||||
init_daemon_domain(pyzord_t, pyzord_exec_t)
|
||||
|
||||
type pyzord_log_t;
|
||||
logging_log_file(pyzord_log_t)
|
||||
|
|
@ -54,14 +54,14 @@ manage_lnk_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
|
|||
userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, { dir file lnk_file })
|
||||
|
||||
allow pyzor_t pyzor_var_lib_t:dir list_dir_perms;
|
||||
read_files_pattern(pyzor_t,pyzor_var_lib_t,pyzor_var_lib_t)
|
||||
read_files_pattern(pyzor_t, pyzor_var_lib_t, pyzor_var_lib_t)
|
||||
files_search_var_lib(pyzor_t)
|
||||
|
||||
manage_files_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t)
|
||||
manage_dirs_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t)
|
||||
files_tmp_filetrans(pyzor_t, pyzor_tmp_t, { file dir })
|
||||
|
||||
kernel_read_kernel_sysctls(pyzor_t)
|
||||
kernel_read_kernel_sysctls(pyzor_t)
|
||||
kernel_read_system_state(pyzor_t)
|
||||
|
||||
corecmd_list_bin(pyzor_t)
|
||||
|
|
|
|||
|
|
@ -147,5 +147,5 @@ interface(`qmail_smtpd_service_domain',`
|
|||
type qmail_smtpd_t;
|
||||
')
|
||||
|
||||
domtrans_pattern(qmail_smtpd_t, $2, $1)
|
||||
domtrans_pattern(qmail_smtpd_t, $2, $1)
|
||||
')
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
/etc/cron\.(daily|weekly|monthly)/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
|
||||
/etc/rc\.d/init\.d/radiusd -- gen_context(system_u:object_r:radiusd_initrc_exec_t,s0)
|
||||
|
||||
/etc/raddb(/.*)? gen_context(system_u:object_r:radiusd_etc_t,s0)
|
||||
/etc/raddb(/.*)? gen_context(system_u:object_r:radiusd_etc_t,s0)
|
||||
/etc/raddb/db\.daily -- gen_context(system_u:object_r:radiusd_etc_rw_t,s0)
|
||||
|
||||
/usr/sbin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
|
||||
|
|
|
|||
|
|
@ -32,7 +32,7 @@ allow rhgb_t self:udp_socket create_socket_perms;
|
|||
allow rhgb_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr };
|
||||
term_create_pty(rhgb_t,rhgb_devpts_t)
|
||||
term_create_pty(rhgb_t, rhgb_devpts_t)
|
||||
|
||||
manage_dirs_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
|
||||
manage_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
|
||||
|
|
|
|||
|
|
@ -71,7 +71,7 @@ interface(`ricci_dontaudit_rw_modcluster_pipes',`
|
|||
type ricci_modcluster_t;
|
||||
')
|
||||
|
||||
dontaudit $1 ricci_modcluster_t:fifo_file { read write };
|
||||
dontaudit $1 ricci_modcluster_t:fifo_file { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
|
|||
|
|
@ -206,11 +206,11 @@ interface(`rpc_domtrans_nfsd',`
|
|||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute domain in nfsd domain.
|
||||
## Execute domain in nfsd domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
|
@ -362,7 +362,7 @@ interface(`rpc_read_nfs_state_data',`
|
|||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
|
||||
/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)
|
||||
|
||||
/var/log/rsync\.log -- gen_context(system_u:object_r:rsync_log_t,s0)
|
||||
/var/log/rsync\.log -- gen_context(system_u:object_r:rsync_log_t,s0)
|
||||
|
||||
/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0)
|
||||
/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0)
|
||||
|
|
|
|||
|
|
@ -111,7 +111,7 @@ interface(`rwho_manage_spool_files',`
|
|||
type rwho_spool_t;
|
||||
')
|
||||
|
||||
manage_files_pattern($1,rwho_spool_t,rwho_spool_t)
|
||||
manage_files_pattern($1, rwho_spool_t, rwho_spool_t)
|
||||
files_search_spool($1)
|
||||
')
|
||||
|
||||
|
|
|
|||
|
|
@ -537,7 +537,7 @@ corecmd_list_bin(smbmount_t)
|
|||
files_list_mnt(smbmount_t)
|
||||
files_mounton_mnt(smbmount_t)
|
||||
files_manage_etc_runtime_files(smbmount_t)
|
||||
files_etc_filetrans_etc_runtime(smbmount_t,file)
|
||||
files_etc_filetrans_etc_runtime(smbmount_t, file)
|
||||
files_read_etc_files(smbmount_t)
|
||||
|
||||
auth_use_nsswitch(smbmount_t)
|
||||
|
|
@ -672,7 +672,7 @@ files_list_var_lib(winbind_t)
|
|||
rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
|
||||
|
||||
allow winbind_t winbind_log_t:file manage_file_perms;
|
||||
logging_log_filetrans(winbind_t,winbind_log_t,file)
|
||||
logging_log_filetrans(winbind_t, winbind_log_t, file)
|
||||
|
||||
manage_dirs_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
|
||||
manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
|
||||
|
|
|
|||
|
|
@ -48,7 +48,7 @@ logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir })
|
|||
# pid file
|
||||
manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
|
||||
manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
|
||||
files_pid_filetrans(setroubleshootd_t,setroubleshoot_var_run_t, { file sock_file })
|
||||
files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file })
|
||||
|
||||
kernel_read_kernel_sysctls(setroubleshootd_t)
|
||||
kernel_read_system_state(setroubleshootd_t)
|
||||
|
|
|
|||
|
|
@ -35,7 +35,7 @@ allow snmpd_t self:tcp_socket create_stream_socket_perms;
|
|||
allow snmpd_t self:udp_socket connected_stream_socket_perms;
|
||||
|
||||
allow snmpd_t snmpd_log_t:file manage_file_perms;
|
||||
logging_log_filetrans(snmpd_t,snmpd_log_t,file)
|
||||
logging_log_filetrans(snmpd_t, snmpd_log_t, file)
|
||||
|
||||
manage_dirs_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
|
||||
manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
|
||||
|
|
|
|||
|
|
@ -42,7 +42,7 @@ files_tmp_file(sshd_tmp_t)
|
|||
files_poly_parent(sshd_tmp_t)
|
||||
|
||||
ifdef(`enable_mcs',`
|
||||
init_ranged_daemon_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh)
|
||||
init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
|
||||
')
|
||||
|
||||
type ssh_t;
|
||||
|
|
@ -112,8 +112,8 @@ manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
|
|||
manage_sock_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
|
||||
fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
manage_dirs_pattern(ssh_t,home_ssh_t,home_ssh_t)
|
||||
manage_sock_files_pattern(ssh_t,home_ssh_t,home_ssh_t)
|
||||
manage_dirs_pattern(ssh_t, home_ssh_t, home_ssh_t)
|
||||
manage_sock_files_pattern(ssh_t, home_ssh_t, home_ssh_t)
|
||||
userdom_user_home_dir_filetrans(ssh_t, home_ssh_t, { dir sock_file })
|
||||
|
||||
# Allow the ssh program to communicate with ssh-agent.
|
||||
|
|
@ -122,13 +122,13 @@ stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
|
|||
allow ssh_t sshd_t:unix_stream_socket connectto;
|
||||
|
||||
# ssh client can manage the keys and config
|
||||
manage_files_pattern(ssh_t,home_ssh_t,home_ssh_t)
|
||||
read_lnk_files_pattern(ssh_t,home_ssh_t,home_ssh_t)
|
||||
manage_files_pattern(ssh_t, home_ssh_t, home_ssh_t)
|
||||
read_lnk_files_pattern(ssh_t, home_ssh_t, home_ssh_t)
|
||||
|
||||
# ssh servers can read the user keys and config
|
||||
allow ssh_server home_ssh_t:dir list_dir_perms;
|
||||
read_files_pattern(ssh_server,home_ssh_t,home_ssh_t)
|
||||
read_lnk_files_pattern(ssh_server,home_ssh_t,home_ssh_t)
|
||||
read_files_pattern(ssh_server, home_ssh_t, home_ssh_t)
|
||||
read_lnk_files_pattern(ssh_server, home_ssh_t, home_ssh_t)
|
||||
|
||||
kernel_read_kernel_sysctls(ssh_t)
|
||||
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
/etc/stunnel(/.*)? gen_context(system_u:object_r:stunnel_etc_t,s0)
|
||||
/etc/stunnel(/.*)? gen_context(system_u:object_r:stunnel_etc_t,s0)
|
||||
|
||||
/usr/bin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0)
|
||||
|
||||
|
|
|
|||
|
|
@ -16,6 +16,6 @@ interface(`sysstat_manage_log',`
|
|||
type sysstat_log_t;
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
logging_search_logs($1)
|
||||
manage_files_pattern($1, sysstat_log_t, sysstat_log_t)
|
||||
')
|
||||
|
|
|
|||
|
|
@ -89,6 +89,6 @@ files_read_etc_files(ucspitcp_t)
|
|||
sysnet_read_config(ucspitcp_t)
|
||||
|
||||
optional_policy(`
|
||||
daemontools_service_domain(ucspitcp_t,ucspitcp_exec_t)
|
||||
daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t)
|
||||
daemontools_read_svc(ucspitcp_t)
|
||||
')
|
||||
|
|
|
|||
|
|
@ -62,21 +62,21 @@ interface(`ulogd_read_log',`
|
|||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Allow the specified domain to search ulogd's log files.
|
||||
## Allow the specified domain to search ulogd's log files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`ulogd_search_log',`
|
||||
gen_require(`
|
||||
type ulogd_var_log_t;
|
||||
')
|
||||
gen_require(`
|
||||
type ulogd_var_log_t;
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
allow $1 ulogd_var_log_t:dir search_dir_perms;
|
||||
logging_search_logs($1)
|
||||
allow $1 ulogd_var_log_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
|
|||
|
|
@ -3,4 +3,4 @@
|
|||
|
||||
/usr/sbin/uptimed -- gen_context(system_u:object_r:uptimed_exec_t,s0)
|
||||
|
||||
/var/spool/uptimed(/.*)? gen_context(system_u:object_r:uptimed_spool_t,s0)
|
||||
/var/spool/uptimed(/.*)? gen_context(system_u:object_r:uptimed_spool_t,s0)
|
||||
|
|
|
|||
|
|
@ -135,7 +135,7 @@ interface(`virt_manage_pid_files',`
|
|||
type virt_var_run_t;
|
||||
')
|
||||
|
||||
manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
|
||||
manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
|
|||
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue