six patches from dan

Chris PeBenito 2007-04-10 13:10:58 +00:00
parent f4e2b1983a
commit 9af48eef6e
10 changed files with 131 additions and 11 deletions


@ -124,3 +124,21 @@ interface(`firstboot_rw_pipes',`
allow $1 firstboot_t:fifo_file { read write };
')
########################################
## <summary>
## Do not audit attemps to read and write to a firstboot unnamed pipe.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`firstboot_dontaudit_rw_pipes',`
gen_require(`
type firstboot_t;
')
dontaudit $1 firstboot_t:fifo_file { read write };
')
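Review bot: The summary of the new `firstboot_dontaudit_rw_pipes` interface misspells "attempts"; the line should read `## Do not audit attempts to read and write to a firstboot unnamed pipe.`. This text is what the interface documentation is generated from, so the typo propagates beyond the source file. The body itself mirrors `firstboot_rw_pipes` with `dontaudit` in place of `allow` on the same `fifo_file { read write }` permissions, which is the expected shape for a dontaudit companion.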


@ -1,5 +1,5 @@
policy_module(firstboot,1.3.0)
policy_module(firstboot,1.3.1)
gen_require(`
class passwd rootok;


@ -1,5 +1,5 @@
policy_module(kudzu,1.3.1)
policy_module(kudzu,1.3.2)
########################################
#
@ -22,7 +22,7 @@ files_pid_file(kudzu_var_run_t)
#
allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
dontaudit kudzu_t self:capability sys_tty_config;
dontaudit kudzu_t self:capability { sys_ptrace sys_tty_config };
allow kudzu_t self:process { signal_perms execmem };
allow kudzu_t self:fifo_file rw_fifo_file_perms;
allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
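Review bot: The widened `dontaudit kudzu_t self:capability { sys_ptrace sys_tty_config };` silences sys_ptrace denials without recording what raises the check, so a later reader cannot tell whether the suppression is covering an incidental capability probe or a real need that should be granted. A comment above the rule naming the cause, e.g. `# <operation that triggers the denial> checks sys_ptrace but does not need it; silence rather than grant` with the placeholder replaced by the actual trigger, keeps the dontaudit reviewable. The enclosing capability block continues outside the hunk.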


@ -1,5 +1,5 @@
policy_module(logwatch,1.3.1)
policy_module(logwatch,1.3.2)
#################################
#
@ -30,6 +30,7 @@ allow logwatch_t self:capability { dac_override dac_read_search setgid };
allow logwatch_t self:process signal;
allow logwatch_t self:fifo_file rw_file_perms;
allow logwatch_t self:unix_stream_socket create_stream_socket_perms;
allow logwatch_t self:netlink_route_socket r_netlink_socket_perms;
manage_dirs_pattern(logwatch_t,logwatch_cache_t,logwatch_cache_t)
manage_files_pattern(logwatch_t,logwatch_cache_t,logwatch_cache_t)
@ -76,6 +77,7 @@ libs_use_shared_libs(logwatch_t)
libs_read_lib_files(logwatch_t)
logging_read_all_logs(logwatch_t)
logging_send_syslog_msg(logwatch_t)
miscfiles_read_localization(logwatch_t)
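Review bot: The new `allow logwatch_t self:netlink_route_socket r_netlink_socket_perms;` and `logging_send_syslog_msg(logwatch_t)` extend what the domain can reach (routing-table reads and syslog writes) with no comment recording the denial or feature that needs them. A comment above the netlink line such as `# netlink route socket: <operation that triggered the denial>`, with the placeholder filled in, would let the next reviewer judge whether read-only `r_netlink_socket_perms` remains the right scope. Both rules land inside existing allow groups, so the hunk context alone does not show their trigger.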


@ -3,6 +3,90 @@
## Contains the initial SIDs for network objects.
## </required>
########################################
## <summary>
## Define type to be a network port type
## </summary>
## <desc>
## <p>
## Define type to be a network port type
## </p>
## <p>
## This is a template to support third party modules
## and its use is not allowed in upstream reference
## policy.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Type to be used for network ports.
## </summary>
## </param>
#
interface(`corenet_port',`
gen_require(`
attribute port_type;
')
typeattribute $1 port_type;
')
########################################
## <summary>
## Define network type to be a reserved port (lt 1024)
## </summary>
## <desc>
## <p>
## Define network type to be a reserved port (lt 1024)
## </p>
## <p>
## This is a template to support third party modules
## and its use is not allowed in upstream reference
## policy.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Type to be used for network ports.
## </summary>
## </param>
#
interface(`corenet_reserved_port',`
gen_require(`
attribute reserved_port_type;
')
typeattribute $1 reserved_port_type;
')
########################################
## <summary>
## Define network type to be a rpc port ( 512 lt PORT lt 1024)
## </summary>
## <desc>
## <p>
## Define network type to be a rpc port ( 512 lt PORT lt 1024)
## </p>
## <p>
## This is a template to support third party modules
## and its use is not allowed in upstream reference
## policy.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Type to be used for network ports.
## </summary>
## </param>
#
interface(`corenet_rpc_port',`
gen_require(`
attribute rpc_port_type;
')
typeattribute $1 rpc_port_type;
')
########################################
## <summary>
## Send and receive TCP network traffic on the generic interfaces.
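Review bot: All three new interfaces (`corenet_port`, `corenet_reserved_port`, `corenet_rpc_port`) document their argument as `<param name="domain">` although the param summary says it is a type to be used for network ports and the body applies `typeattribute $1 ...` to it; rename it to `<param name="type">` in each so the generated documentation matches what callers pass. The `<desc>` of each also calls it a template while it is declared with `interface(`; `This is an interface to support third party modules` is the accurate wording. Since these let an arbitrary caller-supplied type be marked as a port type, and for `corenet_reserved_port` and `corenet_rpc_port` as a privileged-range port, the statement that they are not for upstream use should stay in the description as written.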


@ -1,5 +1,5 @@
policy_module(corenetwork,1.2.4)
policy_module(corenetwork,1.2.5)
########################################
#


@ -1,5 +1,5 @@
policy_module(ccs,1.0.3)
policy_module(ccs,1.0.4)
########################################
#
@ -10,10 +10,14 @@ type ccs_t;
type ccs_exec_t;
init_daemon_domain(ccs_t, ccs_exec_t)
# pid files
# conf files
type cluster_conf_t;
files_type(cluster_conf_t)
# tmp files
type ccs_tmp_t;
files_tmp_file(ccs_tmp_t)
# log files
type ccs_var_log_t;
logging_log_file(ccs_var_log_t)
@ -45,6 +49,12 @@ allow ccs_t self:socket create_socket_perms;
manage_files_pattern(ccs_t,cluster_conf_t,cluster_conf_t)
# tmp file
allow ccs_t ccs_tmp_t:dir manage_dir_perms;
manage_dirs_pattern(ccs_t,ccs_tmp_t,ccs_tmp_t)
manage_files_pattern(ccs_t,ccs_tmp_t,ccs_tmp_t)
files_tmp_filetrans(ccs_t, ccs_tmp_t, { file dir })
# log files
manage_files_pattern(ccs_t,ccs_var_log_t,ccs_var_log_t)
manage_sock_files_pattern(ccs_t,ccs_var_log_t,ccs_var_log_t)
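Review bot: `allow ccs_t ccs_tmp_t:dir manage_dir_perms;` duplicates what `manage_dirs_pattern(ccs_t,ccs_tmp_t,ccs_tmp_t)` on the next line already grants on `ccs_tmp_t:dir`, so the explicit allow can be dropped. The section comment `# tmp file` also differs from the `# tmp files` used in the type-declaration hunk above; the plural matches `# conf files` and `# log files` in the same file. The replacement of `# pid files` by `# conf files` above `cluster_conf_t` in the earlier hunk is correct.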


@ -1,5 +1,5 @@
policy_module(cyrus,1.2.1)
policy_module(cyrus,1.2.2)
########################################
#
@ -111,6 +111,7 @@ userdom_use_unpriv_users_fds(cyrus_t)
userdom_use_sysadm_ptys(cyrus_t)
mta_manage_spool(cyrus_t)
mta_send_mail(cyrus_t)
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(cyrus_t)
@ -122,6 +123,10 @@ optional_policy(`
cron_system_entry(cyrus_t,cyrus_exec_t)
')
optional_policy(`
kerberos_use(cyrus_t)
')
optional_policy(`
ldap_stream_connect(cyrus_t)
')


@ -1,5 +1,5 @@
policy_module(networkmanager,1.5.3)
policy_module(networkmanager,1.5.4)
########################################
#
@ -22,7 +22,7 @@ files_pid_file(NetworkManager_var_run_t)
# and it receives a unexpected signal (rh bug #204161)
allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
allow NetworkManager_t self:process { ptrace setcap getsched signal_perms };
allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;


@ -1,5 +1,5 @@
policy_module(ntp,1.2.1)
policy_module(ntp,1.2.2)
########################################
#
@ -129,6 +129,7 @@ optional_policy(`
optional_policy(`
firstboot_dontaudit_use_fds(ntpd_t)
firstboot_dontaudit_rw_pipes(ntpd_t)
')
optional_policy(`