Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
This commit is contained in:
parent
0bdd855157
commit
68ac47d8c5
@ -100,7 +100,7 @@ allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;
# Allow access to cache superstructure
allow cachefilesd_t cachefiles_var_t:dir { rw_dir_perms delete_dir_perms };
allow cachefilesd_t cachefiles_var_t:file { rename delete_file_perms};
allow cachefilesd_t cachefiles_var_t:file { rename delete_file_perms };
# Permit statfs on the backing filesystem
fs_getattr_xattr_fs(cachefilesd_t)
@ -107,7 +107,7 @@ sysnet_dns_name_resolve(ccs_t)
userdom_manage_unpriv_user_shared_mem(ccs_t)
userdom_manage_unpriv_user_semaphores(ccs_t)
ifdef(`hide_broken_symptoms', `
ifdef(`hide_broken_symptoms',`
corecmd_dontaudit_write_bin_dirs(ccs_t)
files_manage_isid_type_files(ccs_t)
')
@ -43,12 +43,12 @@ files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir })
# log files
manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t)
logging_log_filetrans(certmaster_t, certmaster_var_log_t, file )
logging_log_filetrans(certmaster_t, certmaster_var_log_t, file)
# pid file
manage_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
manage_sock_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
files_pid_filetrans(certmaster_t ,certmaster_var_run_t, { file sock_file })
files_pid_filetrans(certmaster_t, certmaster_var_run_t, { file sock_file })
# read meminfo
kernel_read_system_state(certmaster_t)
@ -32,7 +32,7 @@ allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir } )
files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir })
manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
@ -150,7 +150,7 @@ optional_policy(`
tunable_policy(`clamd_use_jit',`
allow clamd_t self:process execmem;
allow clamscan_t self:process execmem;
', `
',`
dontaudit clamd_t self:process execmem;
dontaudit clamscan_t self:process execmem;
')
@ -226,7 +226,7 @@ optional_policy(`
tunable_policy(`clamd_use_jit',`
allow freshclam_t self:process execmem;
', `
',`
dontaudit freshclam_t self:process execmem;
')
@ -23,7 +23,6 @@ files_pid_file(clogd_var_run_t)
allow clogd_t self:capability { net_admin mknod };
allow clogd_t self:process signal;
allow clogd_t self:sem create_sem_perms;
allow clogd_t self:shm create_shm_perms;
allow clogd_t self:netlink_socket create_socket_perms;
@ -1,4 +1,4 @@
policy_module(cmirrord,1.0.0)
policy_module(cmirrord, 1.0.0)
########################################
#
@ -26,9 +26,7 @@ files_pid_file(cmirrord_var_run_t)
allow cmirrord_t self:capability { net_admin kill };
dontaudit cmirrord_t self:capability sys_tty_config;
allow cmirrord_t self:process signal;
allow cmirrord_t self:fifo_file rw_fifo_file_perms;
allow cmirrord_t self:sem create_sem_perms;
allow cmirrord_t self:shm create_shm_perms;
allow cmirrord_t self:netlink_socket create_socket_perms;
@ -138,7 +138,7 @@ selinux_compute_create_context(admin_crontab_t)
selinux_compute_relabel_context(admin_crontab_t)
selinux_compute_user_contexts(admin_crontab_t)
tunable_policy(`fcron_crond', `
tunable_policy(`fcron_crond',`
# fcron wants an instant update of a crontab change for the administrator
# also crontab does a security check for crontab -u
allow admin_crontab_t self:process setfscreate;
@ -251,7 +251,7 @@ ifdef(`distro_debian',`
')
')
ifdef(`distro_redhat', `
ifdef(`distro_redhat',`
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
optional_policy(`
@ -287,7 +287,7 @@ optional_policy(`
mono_domtrans(crond_t)
')
tunable_policy(`fcron_crond', `
tunable_policy(`fcron_crond',`
allow crond_t system_cron_spool_t:file manage_file_perms;
')
@ -472,7 +472,7 @@ miscfiles_manage_man_pages(system_cronjob_t)
seutil_read_config(system_cronjob_t)
ifdef(`distro_redhat', `
ifdef(`distro_redhat',`
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
allow crond_t system_cron_spool_t:file manage_file_perms;
@ -687,7 +687,7 @@ read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
allow crond_t user_cron_spool_t:file manage_lnk_file_perms;
tunable_policy(`fcron_crond', `
tunable_policy(`fcron_crond',`
allow crond_t user_cron_spool_t:file manage_file_perms;
')
@ -163,7 +163,7 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
allow cupsd_t hplip_var_run_t:file read_file_perms;
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
allow cupsd_t ptal_var_run_t : sock_file setattr_sock_file_perms;
allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
kernel_read_system_state(cupsd_t)
kernel_read_network_state(cupsd_t)
@ -657,7 +657,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file)
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
@ -309,4 +309,3 @@ optional_policy(`
optional_policy(`
vbetool_domtrans(devicekit_power_t)
')
@ -181,7 +181,7 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} )
files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
# proftpd requires the client side to bind a socket so that
# it can stat the socket to perform access control decisions,
@ -291,7 +291,7 @@ tunable_policy(`ftp_home_dir',`
userdom_manage_user_home_content(ftpd_t)
userdom_manage_user_tmp_files(ftpd_t)
userdom_tmp_filetrans_user_tmp(ftpd_t, file)
', `
',`
# Needed for permissive mode, to make sure everything gets labeled correctly
userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file })
files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
@ -400,6 +400,7 @@ userdom_use_user_terminals(ftpdctl_t)
#
# sftpd local policy
#
files_read_etc_files(sftpd_t)
# allow read access to /home by default
@ -424,7 +425,7 @@ tunable_policy(`sftpd_enable_homedirs',`
files_list_home(sftpd_t)
userdom_read_user_home_content_files(sftpd_t)
userdom_manage_user_home_content(sftpd_t)
', `
',`
# Needed for permissive mode, to make sure everything gets labeled correctly
userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
')
@ -119,26 +119,26 @@ list_dirs_pattern(git_system_t, git_content, git_content)
read_files_pattern(git_system_t, git_content, git_content)
files_search_var_lib(git_system_t)
tunable_policy(`git_system_enable_homedirs', `
tunable_policy(`git_system_enable_homedirs',`
userdom_search_user_home_dirs(git_system_t)
')
tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs', `
tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
fs_list_nfs(git_system_t)
fs_read_nfs_files(git_system_t)
')
tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs', `
tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',`
fs_list_cifs(git_system_t)
fs_read_cifs_files(git_system_t)
')
tunable_policy(`git_system_use_cifs', `
tunable_policy(`git_system_use_cifs',`
fs_list_cifs(git_system_t)
fs_read_cifs_files(git_system_t)
')
tunable_policy(`git_system_use_nfs', `
tunable_policy(`git_system_use_nfs',`
fs_list_nfs(git_system_t)
fs_read_nfs_files(git_system_t)
')
@ -156,17 +156,17 @@ userdom_search_user_home_dirs(git_session_t)
userdom_use_user_terminals(git_session_t)
tunable_policy(`git_session_bind_all_unreserved_ports', `
tunable_policy(`git_session_bind_all_unreserved_ports',`
corenet_tcp_bind_all_unreserved_ports(git_session_t)
corenet_sendrecv_generic_server_packets(git_session_t)
')
tunable_policy(`use_nfs_home_dirs', `
tunable_policy(`use_nfs_home_dirs',`
fs_list_nfs(git_session_t)
fs_read_nfs_files(git_session_t)
')
tunable_policy(`use_samba_home_dirs', `
tunable_policy(`use_samba_home_dirs',`
fs_list_cifs(git_session_t)
fs_read_cifs_files(git_session_t)
')
@ -189,4 +189,3 @@ optional_policy(`
git_role_template(git_shell)
gen_user(git_shell_u, user, git_shell_r, s0, s0)
@ -46,4 +46,3 @@ storage_raw_read_fixed_disk(hddtemp_t)
logging_send_syslog_msg(hddtemp_t)
miscfiles_read_localization(hddtemp_t)
@ -39,7 +39,7 @@ allow icecast_t self:tcp_socket create_stream_socket_perms;
manage_dirs_pattern(icecast_t, icecast_log_t, icecast_log_t)
manage_files_pattern(icecast_t, icecast_log_t, icecast_log_t)
logging_log_filetrans(icecast_t, icecast_log_t, { file dir } )
logging_log_filetrans(icecast_t, icecast_log_t, { file dir })
manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
@ -4,6 +4,7 @@ policy_module(inn, 1.9.0)
#
# Declarations
#
type innd_t;
type innd_exec_t;
init_daemon_domain(innd_t, innd_exec_t)
@ -30,6 +31,7 @@ files_mountpoint(news_spool_t)
#
# Local policy
#
allow innd_t self:capability { dac_override kill setgid setuid };
dontaudit innd_t self:capability sys_tty_config;
allow innd_t self:process { setsched signal_perms };
@ -1,4 +1,3 @@
policy_module(jabber, 1.8.0)
########################################
@ -49,4 +49,3 @@ mls_file_read_to_clearance(ksmtuned_t)
term_use_all_terms(ksmtuned_t)
miscfiles_read_localization(ksmtuned_t)
@ -82,7 +82,7 @@ manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
manage_files_pattern(slapd_t, slapd_tmpfs_t, slapd_tmpfs_t)
fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t,file)
fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t, file)
manage_dirs_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
@ -33,7 +33,6 @@ files_type(spamass_milter_state_t)
#
allow dkim_milter_t self:capability { kill setgid setuid };
allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
@ -27,6 +27,7 @@ files_type(mock_var_lib_t)
#
# mock local policy
#
allow mock_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner };
allow mock_t self:process { siginh noatsecure signull transition rlimitinh setsched setpgid sigkill };
dontaudit mock_t self:process { siginh noatsecure rlimitinh };
@ -40,14 +41,14 @@ files_var_filetrans(mock_t, mock_cache_t, { dir file } )
manage_dirs_pattern(mock_t, mock_tmp_t, mock_tmp_t)
manage_files_pattern(mock_t, mock_tmp_t, mock_tmp_t)
files_tmp_filetrans(mock_t, mock_tmp_t, { dir file } )
files_tmp_filetrans(mock_t, mock_tmp_t, { dir file })
can_exec(mock_t, mock_tmp_t)
manage_dirs_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
manage_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
manage_lnk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
manage_chr_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file } )
files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file })
can_exec(mock_t, mock_var_lib_t)
allow mock_t mock_var_lib_t:dir mounton;
@ -1,4 +1,4 @@
policy_module(mpd,1.0.0)
policy_module(mpd, 1.0.0)
########################################
#
@ -41,7 +41,6 @@ files_type(mpd_var_lib_t)
#cjp: dac_override bug in mpd relating to mpd.log file
allow mpd_t self:capability { dac_override kill setgid setuid };
allow mpd_t self:process { getsched setsched setrlimit signal signull };
allow mpd_t self:fifo_file rw_fifo_file_perms;
allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow mpd_t self:tcp_socket create_stream_socket_perms;
@ -93,7 +93,7 @@ optional_policy(`
optional_policy(`
arpwatch_manage_tmp_files(system_mail_t)
ifdef(`hide_broken_symptoms', `
ifdef(`hide_broken_symptoms',`
arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
')
')
@ -194,7 +194,7 @@ optional_policy(`
arpwatch_search_data(mailserver_delivery)
arpwatch_manage_tmp_files(mta_user_agent)
ifdef(`hide_broken_symptoms', `
ifdef(`hide_broken_symptoms',`
arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
')
@ -314,8 +314,6 @@ kernel_read_system_state(user_mail_domain)
kernel_read_network_state(user_mail_domain)
kernel_request_load_module(user_mail_domain)
optional_policy(`
# postfix needs this for newaliases
files_getattr_tmp_dirs(user_mail_domain)
@ -141,6 +141,7 @@ optional_policy(`
#
# Nagios CGI local policy
#
optional_policy(`
apache_content_template(nagios)
typealias httpd_nagios_script_t alias nagios_cgi_t;
@ -268,7 +269,6 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
#
allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms;
allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms;
allow nagios_mail_plugin_t self:udp_socket create_socket_perms;
@ -321,7 +321,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
allow nagios_services_plugin_t self:capability { net_bind_service net_raw };
allow nagios_services_plugin_t self:process { signal sigkill };
allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
allow nagios_services_plugin_t self:udp_socket create_socket_perms;
@ -146,6 +146,7 @@ optional_policy(`
samba_append_log(nscd_t)
samba_dontaudit_use_fds(nscd_t)
')
samba_read_config(nscd_t)
samba_read_var_files(nscd_t)
')