The process and capability IPC goes on top of local policy.

The process and capability IPC goes on top of local policy.
This commit is contained in:
Dominick Grift 2010-09-24 09:33:35 +02:00
parent daed45f480
commit 568349bd70
4 changed files with 4 additions and 7 deletions

@ -27,13 +27,12 @@ files_pid_file(rlogind_var_run_t)
# Local policy # Local policy
# #
allow rlogind_t self:capability { fsetid chown fowner sys_tty_config dac_override }; allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
allow rlogind_t self:process signal_perms; allow rlogind_t self:process signal_perms;
allow rlogind_t self:fifo_file rw_fifo_file_perms; allow rlogind_t self:fifo_file rw_fifo_file_perms;
allow rlogind_t self:tcp_socket connected_stream_socket_perms; allow rlogind_t self:tcp_socket connected_stream_socket_perms;
# for identd; cjp: this should probably only be inetd_child rules? # for identd; cjp: this should probably only be inetd_child rules?
allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow rlogind_t self:capability { setuid setgid };
allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr }; allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr };
term_create_pty(rlogind_t, rlogind_devpts_t) term_create_pty(rlogind_t, rlogind_devpts_t)
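Review bot: The merged capability set on the new `allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };` line keeps the permissions in the order they were spliced together, so the next change to any single capability will again show as a rewrite of the whole line rather than a one-token diff. Since a permission set is unordered this is purely cosmetic and grants nothing new, but sorting it, e.g. `allow rlogind_t self:capability { chown dac_override fowner fsetid setgid setuid sys_tty_config };`, keeps each capability grant on this fairly broad self:capability rule (dac_override, chown, setuid/setgid) individually reviewable in later history. The same applies to the telnetd_t capability line in the second file and to both the capability line and the `self:process` line of xdm_t in the fourth, where `getattr getcap setcap` were inserted mid-list. The rlogind_t local policy block continues past the end of this hunk.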

@ -23,14 +23,13 @@ files_pid_file(telnetd_var_run_t)
# Local policy # Local policy
# #
allow telnetd_t self:capability { fsetid chown fowner sys_tty_config dac_override }; allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
allow telnetd_t self:process signal_perms; allow telnetd_t self:process signal_perms;
allow telnetd_t self:fifo_file rw_fifo_file_perms; allow telnetd_t self:fifo_file rw_fifo_file_perms;
allow telnetd_t self:tcp_socket connected_stream_socket_perms; allow telnetd_t self:tcp_socket connected_stream_socket_perms;
allow telnetd_t self:udp_socket create_socket_perms; allow telnetd_t self:udp_socket create_socket_perms;
# for identd; cjp: this should probably only be inetd_child rules? # for identd; cjp: this should probably only be inetd_child rules?
allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow telnetd_t self:capability { setuid setgid };
allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr }; allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr };
term_create_pty(telnetd_t, telnetd_devpts_t) term_create_pty(telnetd_t, telnetd_devpts_t)

@ -32,11 +32,11 @@ files_type(tftpdir_rw_t)
# #
allow tftpd_t self:capability { setgid setuid sys_chroot }; allow tftpd_t self:capability { setgid setuid sys_chroot };
dontaudit tftpd_t self:capability sys_tty_config;
allow tftpd_t self:tcp_socket create_stream_socket_perms; allow tftpd_t self:tcp_socket create_stream_socket_perms;
allow tftpd_t self:udp_socket create_socket_perms; allow tftpd_t self:udp_socket create_socket_perms;
allow tftpd_t self:unix_dgram_socket create_socket_perms; allow tftpd_t self:unix_dgram_socket create_socket_perms;
allow tftpd_t self:unix_stream_socket create_stream_socket_perms; allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
dontaudit tftpd_t self:capability sys_tty_config;
allow tftpd_t tftpdir_t:dir list_dir_perms; allow tftpd_t tftpdir_t:dir list_dir_perms;
allow tftpd_t tftpdir_t:file read_file_perms; allow tftpd_t tftpdir_t:file read_file_perms;

@ -399,8 +399,7 @@ optional_policy(`
# #
allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace }; allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace };
allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate ptrace }; allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched setsched setrlimit signal_perms setkeycreate ptrace };
allow xdm_t self:process { getattr getcap setcap };
allow xdm_t self:fifo_file rw_fifo_file_perms; allow xdm_t self:fifo_file rw_fifo_file_perms;
allow xdm_t self:shm create_shm_perms; allow xdm_t self:shm create_shm_perms;
allow xdm_t self:sem create_sem_perms; allow xdm_t self:sem create_sem_perms;