Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
This commit is contained in:
Dan Walsh
commit
55bffb7189
@ -222,7 +222,8 @@ ifdef(`distro_gentoo',`
|
||||
/usr/lib(64)?/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/libsexec/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/usr/libexec/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
|
||||
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
|
||||
@ -179,7 +179,7 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow nrpe_t self:capability { setuid setgid };
|
||||
dontaudit nrpe_t self:capability {sys_tty_config sys_resource};
|
||||
dontaudit nrpe_t self:capability { sys_tty_config sys_resource };
|
||||
allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
|
||||
allow nrpe_t self:fifo_file rw_fifo_file_perms;
|
||||
allow nrpe_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
@ -51,7 +51,7 @@ files_tmp_filetrans(ntop_t, ntop_tmp_t, { file dir })
|
||||
|
||||
manage_dirs_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t)
|
||||
manage_files_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t)
|
||||
files_var_lib_filetrans(ntop_t, ntop_var_lib_t, { file dir } )
|
||||
files_var_lib_filetrans(ntop_t, ntop_var_lib_t, { file dir })
|
||||
|
||||
manage_files_pattern(ntop_t, ntop_var_run_t, ntop_var_run_t)
|
||||
files_pid_filetrans(ntop_t, ntop_var_run_t, file)
|
||||
|
||||
@ -39,7 +39,7 @@ allow nx_server_t self:fifo_file rw_fifo_file_perms;
|
||||
allow nx_server_t self:tcp_socket create_socket_perms;
|
||||
allow nx_server_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr };
|
||||
allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
|
||||
term_create_pty(nx_server_t, nx_server_devpts_t)
|
||||
|
||||
manage_dirs_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
|
||||
@ -89,10 +89,10 @@ seutil_dontaudit_search_config(nx_server_t)
|
||||
sysnet_read_config(nx_server_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
# clients already have create permissions; the nxclient wants to also have unlink rights
|
||||
allow userdomain xdm_tmp_t:sock_file unlink;
|
||||
# for a lockfile created by the client process
|
||||
allow nx_server_t user_tmpfile:file getattr;
|
||||
# clients already have create permissions; the nxclient wants to also have unlink rights
|
||||
allow userdomain xdm_tmp_t:sock_file delete_sock_file_perms;
|
||||
# for a lockfile created by the client process
|
||||
allow nx_server_t user_tmpfile:file getattr_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -7,7 +7,6 @@ policy_module(oddjob, 1.7.0)
|
||||
|
||||
type oddjob_t;
|
||||
type oddjob_exec_t;
|
||||
domain_type(oddjob_t)
|
||||
init_daemon_domain(oddjob_t, oddjob_exec_t)
|
||||
domain_obj_id_change_exemption(oddjob_t)
|
||||
domain_role_change_exemption(oddjob_t)
|
||||
@ -15,7 +14,6 @@ domain_subj_id_change_exemption(oddjob_t)
|
||||
|
||||
type oddjob_mkhomedir_t;
|
||||
type oddjob_mkhomedir_exec_t;
|
||||
domain_type(oddjob_mkhomedir_t)
|
||||
domain_obj_id_change_exemption(oddjob_mkhomedir_t)
|
||||
init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
|
||||
oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
|
||||
@ -102,4 +100,3 @@ userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
|
||||
userdom_manage_user_home_dirs(oddjob_mkhomedir_t)
|
||||
userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
|
||||
userdom_manage_user_home_content(oddjob_mkhomedir_t)
|
||||
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
policy_module(oident, 2.1.0)
|
||||
policy_module(oident, 2.1.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -26,10 +26,10 @@ files_config_file(oidentd_config_t)
|
||||
#
|
||||
|
||||
allow oidentd_t self:capability { setuid setgid };
|
||||
allow oidentd_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
|
||||
allow oidentd_t self:netlink_tcpdiag_socket { write read create nlmsg_read };
|
||||
allow oidentd_t self:tcp_socket { setopt read bind create accept write getattr listen };
|
||||
allow oidentd_t self:udp_socket { write read create connect getattr ioctl };
|
||||
allow oidentd_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
allow oidentd_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
|
||||
allow oidentd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow oidentd_t self:udp_socket create_socket_perms;
|
||||
allow oidentd_t self:unix_dgram_socket { create connect };
|
||||
|
||||
allow oidentd_t oidentd_config_t:file read_file_perms;
|
||||
|
||||
@ -6,9 +6,9 @@ policy_module(openvpn, 1.10.0)
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow openvpn to read home directories
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow openvpn to read home directories
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(openvpn_enable_homedirs, false)
|
||||
|
||||
@ -46,7 +46,6 @@ files_pid_file(openvpn_var_run_t)
|
||||
allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
|
||||
allow openvpn_t self:process { signal getsched };
|
||||
allow openvpn_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow openvpn_t self:udp_socket create_socket_perms;
|
||||
@ -129,12 +128,12 @@ tunable_policy(`openvpn_enable_homedirs',`
|
||||
')
|
||||
|
||||
tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
|
||||
fs_read_nfs_files(openvpn_t)
|
||||
')
|
||||
fs_read_nfs_files(openvpn_t)
|
||||
')
|
||||
|
||||
tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
|
||||
fs_read_cifs_files(openvpn_t)
|
||||
')
|
||||
fs_read_cifs_files(openvpn_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
daemontools_service_domain(openvpn_t, openvpn_exec_t)
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
policy_module(pads, 1.0.0)
|
||||
policy_module(pads, 1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -8,7 +8,6 @@ policy_module(pads, 1.0.0)
|
||||
type pads_t;
|
||||
type pads_exec_t;
|
||||
init_daemon_domain(pads_t, pads_exec_t)
|
||||
role system_r types pads_t;
|
||||
|
||||
type pads_initrc_exec_t;
|
||||
init_script_file(pads_initrc_exec_t)
|
||||
@ -25,10 +24,10 @@ files_pid_file(pads_var_run_t)
|
||||
#
|
||||
|
||||
allow pads_t self:capability { dac_override net_raw };
|
||||
allow pads_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
|
||||
allow pads_t self:packet_socket { ioctl setopt getopt read bind create };
|
||||
allow pads_t self:udp_socket { create ioctl };
|
||||
allow pads_t self:unix_dgram_socket { write create connect };
|
||||
allow pads_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
allow pads_t self:packet_socket create_socket_perms;
|
||||
allow pads_t self:udp_socket create_socket_perms;
|
||||
allow pads_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
allow pads_t pads_config_t:file manage_file_perms;
|
||||
files_etc_filetrans(pads_t, pads_config_t, file)
|
||||
|
||||
@ -1,5 +1,4 @@
|
||||
|
||||
policy_module(passanger,1.0.0)
|
||||
policy_module(passanger, 1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -30,7 +29,6 @@ permissive passenger_t;
|
||||
|
||||
allow passenger_t self:capability { dac_override fsetid fowner chown setuid setgid };
|
||||
allow passenger_t self:process signal;
|
||||
|
||||
allow passenger_t self:fifo_file rw_fifo_file_perms;
|
||||
allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
|
||||
|
||||
@ -7,7 +7,6 @@ policy_module(pcscd, 1.6.1)
|
||||
|
||||
type pcscd_t;
|
||||
type pcscd_exec_t;
|
||||
domain_type(pcscd_t)
|
||||
init_daemon_domain(pcscd_t, pcscd_exec_t)
|
||||
|
||||
# pid files
|
||||
|
||||
@ -38,7 +38,7 @@ allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow pegasus_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
|
||||
allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink };
|
||||
allow pegasus_t pegasus_conf_t:file { read_file_perms link delete_file_perms };
|
||||
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
||||
@ -56,7 +56,7 @@ manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
|
||||
manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
|
||||
files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir })
|
||||
|
||||
allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink };
|
||||
allow pegasus_t pegasus_var_run_t:sock_file { create_sock_file_perms setattr_sock_file_perms delete_sock_file_perms };
|
||||
manage_dirs_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
|
||||
manage_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
|
||||
files_pid_filetrans(pegasus_t, pegasus_var_run_t, { file dir })
|
||||
|
||||
@ -27,7 +27,7 @@ files_type(pingd_modules_t)
|
||||
|
||||
allow pingd_t self:capability net_raw;
|
||||
allow pingd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow pingd_t self:rawip_socket { write read create bind };
|
||||
allow pingd_t self:rawip_socket create_socket_perms;
|
||||
|
||||
read_files_pattern(pingd_t, pingd_etc_t, pingd_etc_t)
|
||||
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
policy_module(piranha,1.0.0)
|
||||
policy_module(piranha, 1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -6,9 +6,9 @@ policy_module(piranha,1.0.0)
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow piranha-lvs domain to connect to the network using TCP.
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow piranha-lvs domain to connect to the network using TCP.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(piranha_lvs_can_network_connect, false)
|
||||
|
||||
@ -65,7 +65,6 @@ init_domtrans_script(piranha_fos_t)
|
||||
allow piranha_web_t self:capability { setuid sys_nice kill setgid };
|
||||
allow piranha_web_t self:process { getsched setsched signal signull ptrace };
|
||||
allow piranha_web_t self:rawip_socket create_socket_perms;
|
||||
|
||||
allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow piranha_web_t self:sem create_sem_perms;
|
||||
allow piranha_web_t self:shm create_shm_perms;
|
||||
@ -80,7 +79,7 @@ rw_files_pattern(piranha_web_t, piranha_etc_rw_t, piranha_etc_rw_t)
|
||||
|
||||
manage_dirs_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
|
||||
manage_files_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
|
||||
logging_log_filetrans(piranha_web_t, piranha_log_t, { dir file } )
|
||||
logging_log_filetrans(piranha_web_t, piranha_log_t, { dir file })
|
||||
|
||||
can_exec(piranha_web_t, piranha_web_tmp_t)
|
||||
manage_dirs_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)
|
||||
@ -119,7 +118,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
sasl_connect(piranha_web_t)
|
||||
sasl_connect(piranha_web_t)
|
||||
')
|
||||
|
||||
######################################
|
||||
@ -129,9 +128,7 @@ optional_policy(`
|
||||
|
||||
# neede by nanny
|
||||
allow piranha_lvs_t self:capability { net_raw sys_nice };
|
||||
|
||||
allow piranha_lvs_t self:process signal;
|
||||
|
||||
allow piranha_lvs_t self:unix_dgram_socket create_socket_perms;
|
||||
allow piranha_lvs_t self:rawip_socket create_socket_perms;
|
||||
|
||||
@ -145,7 +142,7 @@ sysnet_dns_name_resolve(piranha_lvs_t)
|
||||
|
||||
# needed by nanny
|
||||
tunable_policy(`piranha_lvs_can_network_connect',`
|
||||
corenet_tcp_connect_all_ports(piranha_lvs_t)
|
||||
corenet_tcp_connect_all_ports(piranha_lvs_t)
|
||||
')
|
||||
|
||||
# needed by ipvsadm
|
||||
@ -176,7 +173,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
sysnet_domtrans_ifconfig(piranha_pulse_t)
|
||||
sysnet_domtrans_ifconfig(piranha_pulse_t)
|
||||
')
|
||||
|
||||
####################################
|
||||
@ -210,9 +207,6 @@ files_read_etc_files(piranha_domain)
|
||||
corecmd_exec_bin(piranha_domain)
|
||||
corecmd_exec_shell(piranha_domain)
|
||||
|
||||
libs_use_ld_so(piranha_domain)
|
||||
libs_use_shared_libs(piranha_domain)
|
||||
|
||||
logging_send_syslog_msg(piranha_domain)
|
||||
|
||||
miscfiles_read_localization(piranha_domain)
|
||||
|
||||
@ -92,7 +92,7 @@ sysnet_read_config(plymouth_t)
|
||||
|
||||
plymouthd_stream_connect(plymouth_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
optional_policy(`
|
||||
hal_dontaudit_write_log(plymouth_t)
|
||||
hal_dontaudit_rw_pipes(plymouth_t)
|
||||
|
||||
@ -41,7 +41,6 @@ files_pid_file(policykit_var_run_t)
|
||||
allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_ptrace };
|
||||
allow policykit_t self:process { getsched getattr signal };
|
||||
allow policykit_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
allow policykit_t self:unix_dgram_socket create_socket_perms;
|
||||
allow policykit_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
|
||||
@ -275,4 +274,3 @@ optional_policy(`
|
||||
kernel_search_proc(policykit_resolve_t)
|
||||
hal_read_state(policykit_resolve_t)
|
||||
')
|
||||
|
||||
|
||||
@ -12,7 +12,6 @@ init_daemon_domain(portmap_t, portmap_exec_t)
|
||||
type portmap_helper_t;
|
||||
type portmap_helper_exec_t;
|
||||
init_system_domain(portmap_helper_t, portmap_helper_exec_t)
|
||||
role system_r types portmap_helper_t;
|
||||
|
||||
type portmap_tmp_t;
|
||||
files_tmp_file(portmap_tmp_t)
|
||||
|
||||
@ -6,10 +6,9 @@ policy_module(postfix, 1.12.0)
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow postfix_local domain full write access to mail_spool directories
|
||||
##
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow postfix_local domain full write access to mail_spool directories
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(allow_postfix_local_write_mail_spool, false)
|
||||
|
||||
@ -21,7 +20,7 @@ attribute postfix_user_domtrans;
|
||||
|
||||
postfix_server_domain_template(bounce)
|
||||
|
||||
type postfix_spool_bounce_t, postfix_spool_type;
|
||||
type postfix_spool_bounce_t, postfix_spool_type;
|
||||
files_type(postfix_spool_bounce_t)
|
||||
|
||||
postfix_server_domain_template(cleanup)
|
||||
@ -35,21 +34,12 @@ application_executable_file(postfix_exec_t)
|
||||
postfix_server_domain_template(local)
|
||||
mta_mailserver_delivery(postfix_local_t)
|
||||
|
||||
# Handle vacation script
|
||||
mta_send_mail(postfix_local_t)
|
||||
|
||||
userdom_read_user_home_content_files(postfix_local_t)
|
||||
|
||||
tunable_policy(`allow_postfix_local_write_mail_spool',`
|
||||
mta_manage_spool(postfix_local_t)
|
||||
')
|
||||
|
||||
# Program for creating database files
|
||||
type postfix_map_t;
|
||||
type postfix_map_exec_t;
|
||||
application_domain(postfix_map_t, postfix_map_exec_t)
|
||||
role system_r types postfix_map_t;
|
||||
|
||||
|
||||
type postfix_map_tmp_t;
|
||||
files_tmp_file(postfix_map_tmp_t)
|
||||
|
||||
@ -116,10 +106,10 @@ mta_mailserver_delivery(postfix_virtual_t)
|
||||
|
||||
# chown is to set the correct ownership of queue dirs
|
||||
allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
|
||||
allow postfix_master_t self:process setrlimit;
|
||||
allow postfix_master_t self:fifo_file rw_fifo_file_perms;
|
||||
allow postfix_master_t self:tcp_socket create_stream_socket_perms;
|
||||
allow postfix_master_t self:udp_socket create_socket_perms;
|
||||
allow postfix_master_t self:process setrlimit;
|
||||
|
||||
allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
|
||||
allow postfix_master_t postfix_etc_t:file rw_file_perms;
|
||||
@ -130,11 +120,11 @@ can_exec(postfix_master_t, postfix_exec_t)
|
||||
allow postfix_master_t postfix_data_t:dir manage_dir_perms;
|
||||
allow postfix_master_t postfix_data_t:file manage_file_perms;
|
||||
|
||||
allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
|
||||
allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms lock };
|
||||
|
||||
allow postfix_master_t postfix_postdrop_exec_t:file getattr;
|
||||
allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms;
|
||||
|
||||
allow postfix_master_t postfix_postqueue_exec_t:file getattr;
|
||||
allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms;
|
||||
|
||||
manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
|
||||
manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
|
||||
@ -154,7 +144,7 @@ manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
|
||||
files_spool_filetrans(postfix_master_t, postfix_spool_t, dir)
|
||||
|
||||
allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
|
||||
allow postfix_master_t postfix_spool_bounce_t:file getattr;
|
||||
allow postfix_master_t postfix_spool_bounce_t:file getattr_file_perms;
|
||||
|
||||
manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
|
||||
manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
|
||||
@ -249,7 +239,7 @@ allow postfix_bounce_t self:capability dac_read_search;
|
||||
allow postfix_bounce_t self:tcp_socket create_socket_perms;
|
||||
|
||||
allow postfix_bounce_t postfix_public_t:sock_file write;
|
||||
allow postfix_bounce_t postfix_public_t:dir search;
|
||||
allow postfix_bounce_t postfix_public_t:dir search_dir_perms;
|
||||
|
||||
manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
|
||||
manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
|
||||
@ -293,8 +283,8 @@ optional_policy(`
|
||||
# Postfix local local policy
|
||||
#
|
||||
|
||||
allow postfix_local_t self:fifo_file rw_fifo_file_perms;
|
||||
allow postfix_local_t self:process { setsched setrlimit };
|
||||
allow postfix_local_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
# connect to master process
|
||||
stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
|
||||
@ -302,6 +292,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
|
||||
# for .forward - maybe we need a new type for it?
|
||||
rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
|
||||
|
||||
domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
|
||||
|
||||
allow postfix_local_t postfix_spool_t:file rw_file_perms;
|
||||
|
||||
corecmd_exec_shell(postfix_local_t)
|
||||
@ -315,10 +307,14 @@ mta_read_aliases(postfix_local_t)
|
||||
mta_delete_spool(postfix_local_t)
|
||||
# For reading spamassasin
|
||||
mta_read_config(postfix_local_t)
|
||||
# Handle vacation script
|
||||
mta_send_mail(postfix_local_t)
|
||||
|
||||
domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
|
||||
# Might be a leak, but I need a postfix expert to explain
|
||||
allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
|
||||
userdom_read_user_home_content_files(postfix_local_t)
|
||||
|
||||
tunable_policy(`allow_postfix_local_write_mail_spool',`
|
||||
mta_manage_spool(postfix_local_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
clamav_search_lib(postfix_local_t)
|
||||
@ -427,8 +423,8 @@ delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_m
|
||||
# Postfix pipe local policy
|
||||
#
|
||||
|
||||
allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
|
||||
allow postfix_pipe_t self:process setrlimit;
|
||||
allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
|
||||
|
||||
@ -476,6 +472,9 @@ allow postfix_postdrop_t self:capability sys_resource;
|
||||
allow postfix_postdrop_t self:tcp_socket create;
|
||||
allow postfix_postdrop_t self:udp_socket create_socket_perms;
|
||||
|
||||
# Might be a leak, but I need a postfix expert to explain
|
||||
allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
|
||||
|
||||
rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
|
||||
|
||||
postfix_list_spool(postfix_postdrop_t)
|
||||
@ -559,7 +558,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
|
||||
|
||||
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
|
||||
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
|
||||
allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };
|
||||
allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
corecmd_exec_bin(postfix_qmgr_t)
|
||||
|
||||
@ -579,7 +578,7 @@ postfix_list_spool(postfix_showq_t)
|
||||
|
||||
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
|
||||
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
|
||||
allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read };
|
||||
allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
# to write the mailq output, it really should not need read access!
|
||||
term_use_all_ptys(postfix_showq_t)
|
||||
@ -656,8 +655,8 @@ optional_policy(`
|
||||
# Postfix virtual local policy
|
||||
#
|
||||
|
||||
allow postfix_virtual_t self:fifo_file rw_fifo_file_perms;
|
||||
allow postfix_virtual_t self:process { setsched setrlimit };
|
||||
allow postfix_virtual_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
|
||||
|
||||
|
||||
@ -23,14 +23,14 @@ files_pid_file(postfix_policyd_var_run_t)
|
||||
# Local Policy
|
||||
#
|
||||
|
||||
allow postfix_policyd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow postfix_policyd_t self:capability { sys_resource sys_chroot setgid setuid };
|
||||
allow postfix_policyd_t self:process setrlimit;
|
||||
allow postfix_policyd_t self:unix_dgram_socket { connect create write};
|
||||
allow postfix_policyd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow postfix_policyd_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms;
|
||||
allow postfix_policyd_t postfix_policyd_conf_t:file read_file_perms;
|
||||
allow postfix_policyd_t postfix_policyd_conf_t:lnk_file { getattr read };
|
||||
allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
|
||||
files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
|
||||
|
||||
@ -15,16 +15,16 @@ gen_require(`
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow unprived users to execute DDL statement
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow unprived users to execute DDL statement
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(sepgsql_enable_users_ddl, true)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow database admins to execute DML statement
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow database admins to execute DML statement
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(sepgsql_unconfined_dbadm, true)
|
||||
|
||||
@ -185,7 +185,7 @@ allow postgresql_t postgresql_etc_t:dir list_dir_perms;
|
||||
read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
|
||||
read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
|
||||
|
||||
allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
|
||||
allow postgresql_t postgresql_exec_t:lnk_file read_lnk_file_perms;
|
||||
can_exec(postgresql_t, postgresql_exec_t )
|
||||
|
||||
allow postgresql_t postgresql_lock_t:file manage_file_perms;
|
||||
|
||||
@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0)
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow pppd to load kernel modules for certain modems
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow pppd to load kernel modules for certain modems
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(pppd_can_insmod, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow pppd to be run for a regular user
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow pppd to be run for a regular user
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(pppd_for_user, false)
|
||||
|
||||
@ -84,11 +84,11 @@ allow pppd_t self:packet_socket create_socket_perms;
|
||||
|
||||
domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
|
||||
|
||||
allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr };
|
||||
allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
|
||||
|
||||
allow pppd_t pppd_etc_t:dir rw_dir_perms;
|
||||
allow pppd_t pppd_etc_t:file read_file_perms;
|
||||
allow pppd_t pppd_etc_t:lnk_file { getattr read };
|
||||
allow pppd_t pppd_etc_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t)
|
||||
# Automatically label newly created files under /etc/ppp with this type
|
||||
|
||||
@ -35,7 +35,6 @@ files_pid_file(prelude_audisp_var_run_t)
|
||||
type prelude_correlator_t;
|
||||
type prelude_correlator_exec_t;
|
||||
init_daemon_domain(prelude_correlator_t, prelude_correlator_exec_t)
|
||||
role system_r types prelude_correlator_t;
|
||||
|
||||
type prelude_correlator_config_t;
|
||||
files_config_file(prelude_correlator_config_t)
|
||||
@ -210,8 +209,8 @@ prelude_manage_spool(prelude_correlator_t)
|
||||
#
|
||||
|
||||
allow prelude_lml_t self:capability dac_override;
|
||||
allow prelude_lml_t self:tcp_socket { write getattr setopt read create connect };
|
||||
allow prelude_lml_t self:unix_dgram_socket { write create connect };
|
||||
allow prelude_lml_t self:tcp_socket { setopt create_socket_perms };
|
||||
allow prelude_lml_t self:unix_dgram_socket create_socket_perms;
|
||||
allow prelude_lml_t self:fifo_file rw_fifo_file_perms;
|
||||
allow prelude_lml_t self:unix_stream_socket connectto;
|
||||
|
||||
|
||||
@ -6,10 +6,10 @@ policy_module(privoxy, 1.10.0)
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow privoxy to connect to all ports, not just
|
||||
## HTTP, FTP, and Gopher ports.
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow privoxy to connect to all ports, not just
|
||||
## HTTP, FTP, and Gopher ports.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(privoxy_connect_any, false)
|
||||
|
||||
|
||||
@ -35,7 +35,7 @@ allow procmail_t self:udp_socket create_socket_perms;
|
||||
can_exec(procmail_t, procmail_exec_t)
|
||||
|
||||
# Write log to /var/log/procmail.log or /var/log/procmail/.*
|
||||
allow procmail_t procmail_log_t:dir setattr;
|
||||
allow procmail_t procmail_log_t:dir setattr_dir_perms;
|
||||
create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
|
||||
append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
|
||||
read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
|
||||
|
||||
@ -6,10 +6,10 @@ policy_module(puppet, 1.0.0)
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow Puppet client to manage all file
|
||||
## types.
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow Puppet client to manage all file
|
||||
## types.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(puppet_manage_all_files, false)
|
||||
|
||||
@ -176,8 +176,8 @@ allow puppetmaster_t self:udp_socket create_socket_perms;
|
||||
list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
|
||||
read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
|
||||
|
||||
allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr };
|
||||
allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr };
|
||||
allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr_dir_perms };
|
||||
allow puppetmaster_t puppet_log_t:file { rw_file_perms create_file_perms setattr_file_perms };
|
||||
logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
|
||||
allow puppetmaster_t puppet_log_t:file relabel_file_perms;
|
||||
|
||||
|
||||
@ -5,21 +5,12 @@ policy_module(pyzor, 2.1.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
|
||||
gen_require(`
|
||||
type spamc_t;
|
||||
type spamc_exec_t;
|
||||
type spamd_t;
|
||||
type spamd_initrc_exec_t;
|
||||
type spamd_exec_t;
|
||||
type spamc_tmp_t;
|
||||
type spamd_log_t;
|
||||
type spamd_var_lib_t;
|
||||
type spamd_etc_t;
|
||||
type spamc_tmp_t;
|
||||
type spamc_home_t;
|
||||
type spamc_t, spamc_exec_t, spamd_t;
|
||||
type spamd_initrc_exec_t, spamd_exec_t, spamc_tmp_t;
|
||||
type spamd_log_t, spamd_var_lib_t, spamd_etc_t;
|
||||
type spamc_tmp_t, spamc_home_t;
|
||||
')
|
||||
|
||||
typealias spamc_t alias pyzor_t;
|
||||
@ -34,43 +25,41 @@ ifdef(`distro_redhat',`
|
||||
typealias spamd_etc_t alias pyzor_etc_t;
|
||||
typealias spamc_home_t alias pyzor_home_t;
|
||||
typealias spamc_home_t alias user_pyzor_home_t;
|
||||
|
||||
',`
|
||||
type pyzor_t;
|
||||
type pyzor_exec_t;
|
||||
typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t };
|
||||
typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t };
|
||||
application_domain(pyzor_t, pyzor_exec_t)
|
||||
ubac_constrained(pyzor_t)
|
||||
role system_r types pyzor_t;
|
||||
|
||||
type pyzor_t;
|
||||
type pyzor_exec_t;
|
||||
typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t };
|
||||
typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t };
|
||||
application_domain(pyzor_t, pyzor_exec_t)
|
||||
ubac_constrained(pyzor_t)
|
||||
role system_r types pyzor_t;
|
||||
type pyzor_etc_t;
|
||||
files_type(pyzor_etc_t)
|
||||
|
||||
type pyzor_etc_t;
|
||||
files_type(pyzor_etc_t)
|
||||
type pyzor_home_t;
|
||||
typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t };
|
||||
typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t };
|
||||
userdom_user_home_content(pyzor_home_t)
|
||||
|
||||
type pyzor_home_t;
|
||||
typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t };
|
||||
typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t };
|
||||
userdom_user_home_content(pyzor_home_t)
|
||||
type pyzor_tmp_t;
|
||||
typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t };
|
||||
typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t };
|
||||
files_tmp_file(pyzor_tmp_t)
|
||||
ubac_constrained(pyzor_tmp_t)
|
||||
|
||||
type pyzor_tmp_t;
|
||||
typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t };
|
||||
typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t };
|
||||
files_tmp_file(pyzor_tmp_t)
|
||||
ubac_constrained(pyzor_tmp_t)
|
||||
type pyzor_var_lib_t;
|
||||
typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t };
|
||||
typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t };
|
||||
files_type(pyzor_var_lib_t)
|
||||
ubac_constrained(pyzor_var_lib_t)
|
||||
|
||||
type pyzor_var_lib_t;
|
||||
typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t };
|
||||
typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t };
|
||||
files_type(pyzor_var_lib_t)
|
||||
ubac_constrained(pyzor_var_lib_t)
|
||||
type pyzord_t;
|
||||
type pyzord_exec_t;
|
||||
init_daemon_domain(pyzord_t, pyzord_exec_t)
|
||||
|
||||
type pyzord_t;
|
||||
type pyzord_exec_t;
|
||||
init_daemon_domain(pyzord_t, pyzord_exec_t)
|
||||
|
||||
type pyzord_log_t;
|
||||
logging_log_file(pyzord_log_t)
|
||||
type pyzord_log_t;
|
||||
logging_log_file(pyzord_log_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -148,8 +137,8 @@ allow pyzord_t pyzor_etc_t:dir list_dir_perms;
|
||||
can_exec(pyzord_t, pyzor_exec_t)
|
||||
|
||||
manage_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
|
||||
allow pyzord_t pyzord_log_t:dir setattr;
|
||||
logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir } )
|
||||
allow pyzord_t pyzord_log_t:dir setattr_dir_perms;
|
||||
logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir })
|
||||
|
||||
kernel_read_kernel_sysctls(pyzord_t)
|
||||
kernel_read_system_state(pyzord_t)
|
||||
|
||||
@ -60,7 +60,7 @@ application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
|
||||
########################################
|
||||
#
|
||||
# qmail-clean local policy
|
||||
# this component cleans up the queue directory
|
||||
# this component cleans up the queue directory
|
||||
#
|
||||
|
||||
read_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
|
||||
@ -69,11 +69,11 @@ delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
|
||||
########################################
|
||||
#
|
||||
# qmail-inject local policy
|
||||
# this component preprocesses mail from stdin and invokes qmail-queue
|
||||
# this component preprocesses mail from stdin and invokes qmail-queue
|
||||
#
|
||||
|
||||
allow qmail_inject_t self:fifo_file write_fifo_file_perms;
|
||||
allow qmail_inject_t self:process signal_perms;
|
||||
allow qmail_inject_t self:fifo_file write_fifo_file_perms;
|
||||
|
||||
allow qmail_inject_t qmail_queue_exec_t:file read_file_perms;
|
||||
|
||||
@ -88,11 +88,11 @@ qmail_read_config(qmail_inject_t)
|
||||
########################################
|
||||
#
|
||||
# qmail-local local policy
|
||||
# this component delivers a mail message
|
||||
# this component delivers a mail message
|
||||
#
|
||||
|
||||
allow qmail_local_t self:fifo_file write_file_perms;
|
||||
allow qmail_local_t self:process signal_perms;
|
||||
allow qmail_local_t self:fifo_file write_file_perms;
|
||||
allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
|
||||
@ -131,7 +131,7 @@ optional_policy(`
|
||||
########################################
|
||||
#
|
||||
# qmail-lspawn local policy
|
||||
# this component schedules local deliveries
|
||||
# this component schedules local deliveries
|
||||
#
|
||||
|
||||
allow qmail_lspawn_t self:capability { setuid setgid };
|
||||
@ -154,15 +154,15 @@ files_search_tmp(qmail_lspawn_t)
|
||||
########################################
|
||||
#
|
||||
# qmail-queue local policy
|
||||
# this component places a mail in a delivery queue, later to be processed by qmail-send
|
||||
# this component places a mail in a delivery queue, later to be processed by qmail-send
|
||||
#
|
||||
|
||||
allow qmail_queue_t qmail_lspawn_t:fd use;
|
||||
allow qmail_queue_t qmail_lspawn_t:fifo_file write_fifo_file_perms;
|
||||
|
||||
allow qmail_queue_t qmail_smtpd_t:process sigchld;
|
||||
allow qmail_queue_t qmail_smtpd_t:fd use;
|
||||
allow qmail_queue_t qmail_smtpd_t:fifo_file read_fifo_file_perms;
|
||||
allow qmail_queue_t qmail_smtpd_t:process sigchld;
|
||||
|
||||
manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
|
||||
manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
|
||||
@ -179,7 +179,7 @@ optional_policy(`
|
||||
########################################
|
||||
#
|
||||
# qmail-remote local policy
|
||||
# this component sends mail via SMTP
|
||||
# this component sends mail via SMTP
|
||||
#
|
||||
|
||||
allow qmail_remote_t self:tcp_socket create_socket_perms;
|
||||
@ -206,7 +206,7 @@ sysnet_read_config(qmail_remote_t)
|
||||
########################################
|
||||
#
|
||||
# qmail-rspawn local policy
|
||||
# this component scedules remote deliveries
|
||||
# this component scedules remote deliveries
|
||||
#
|
||||
|
||||
allow qmail_rspawn_t self:process signal_perms;
|
||||
@ -221,7 +221,7 @@ corecmd_search_bin(qmail_rspawn_t)
|
||||
########################################
|
||||
#
|
||||
# qmail-send local policy
|
||||
# this component delivers mail messages from the queue
|
||||
# this component delivers mail messages from the queue
|
||||
#
|
||||
|
||||
allow qmail_send_t self:process signal_perms;
|
||||
@ -240,7 +240,7 @@ optional_policy(`
|
||||
########################################
|
||||
#
|
||||
# qmail-smtpd local policy
|
||||
# this component receives mails via SMTP
|
||||
# this component receives mails via SMTP
|
||||
#
|
||||
|
||||
allow qmail_smtpd_t self:process signal_perms;
|
||||
@ -269,7 +269,7 @@ optional_policy(`
|
||||
########################################
|
||||
#
|
||||
# splogger local policy
|
||||
# this component creates entries in syslog
|
||||
# this component creates entries in syslog
|
||||
#
|
||||
|
||||
allow qmail_splogger_t self:unix_dgram_socket create_socket_perms;
|
||||
@ -283,13 +283,13 @@ miscfiles_read_localization(qmail_splogger_t)
|
||||
########################################
|
||||
#
|
||||
# qmail-start local policy
|
||||
# this component starts up the mail delivery component
|
||||
# this component starts up the mail delivery component
|
||||
#
|
||||
|
||||
allow qmail_start_t self:capability { setgid setuid };
|
||||
dontaudit qmail_start_t self:capability sys_tty_config;
|
||||
allow qmail_start_t self:fifo_file rw_fifo_file_perms;
|
||||
allow qmail_start_t self:process signal_perms;
|
||||
allow qmail_start_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
can_exec(qmail_start_t, qmail_start_exec_t)
|
||||
|
||||
@ -307,7 +307,7 @@ optional_policy(`
|
||||
########################################
|
||||
#
|
||||
# tcp-env local policy
|
||||
# this component sets up TCP-related environment variables
|
||||
# this component sets up TCP-related environment variables
|
||||
#
|
||||
|
||||
allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms;
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
policy_module(qpidd,1.0.0)
|
||||
policy_module(qpidd, 1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -32,7 +32,7 @@ allow qpidd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
|
||||
manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
|
||||
files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir } )
|
||||
files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir })
|
||||
|
||||
manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
|
||||
manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user