Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
This commit is contained in:
parent
8b858f2652
commit
aaf8a677ba
@ -6,10 +6,10 @@ policy_module(varnishd, 1.1.0)
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow varnishd to connect to all ports,
|
||||
## not just HTTP.
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow varnishd to connect to all ports,
|
||||
## not just HTTP.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(varnishd_connect_any, false)
|
||||
|
||||
|
@ -4,54 +4,55 @@ policy_module(virt, 1.4.0)
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
attribute virsh_transition_domain;
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow virt to use serial/parallell communication ports
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow virt to use serial/parallell communication ports
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(virt_use_comm, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow virt to read fuse files
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow virt to read fuse files
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(virt_use_fusefs, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow virt to manage nfs files
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow virt to manage nfs files
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(virt_use_nfs, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow virt to manage cifs files
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow virt to manage cifs files
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(virt_use_samba, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow virt to manage device configuration, (pci)
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow virt to manage device configuration, (pci)
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(virt_use_sysfs, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow virtual machine to interact with the xserver
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow virtual machine to interact with the xserver
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(virt_use_xserver, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow virt to use usb devices
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow virt to use usb devices
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(virt_use_usb, true)
|
||||
|
||||
@ -205,7 +206,6 @@ optional_policy(`
|
||||
|
||||
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
|
||||
allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
|
||||
|
||||
allow virtd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow virtd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow virtd_t self:tcp_socket create_stream_socket_perms;
|
||||
@ -577,8 +577,6 @@ typealias virsh_exec_t alias xm_exec_t;
|
||||
|
||||
allow virsh_t self:capability { dac_override ipc_lock sys_tty_config };
|
||||
allow virsh_t self:process { getcap getsched setcap signal };
|
||||
|
||||
# internal communication is often done using fifo and unix sockets.
|
||||
allow virsh_t self:fifo_file rw_fifo_file_perms;
|
||||
allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow virsh_t self:tcp_socket create_stream_socket_perms;
|
||||
@ -646,7 +644,7 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
vhostmd_rw_tmpfs_files(virsh_t)
|
||||
vhostmd_stream_connect(virsh_t)
|
||||
vhostmd_stream_connect(virsh_t)
|
||||
vhostmd_dontaudit_rw_stream_connect(virsh_t)
|
||||
')
|
||||
|
||||
@ -671,4 +669,3 @@ optional_policy(`
|
||||
|
||||
userdom_search_admin_dir(virsh_ssh_t)
|
||||
')
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
policy_module(vnstatd,1.0.0)
|
||||
policy_module(vnstatd, 1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -24,13 +24,12 @@ cron_system_entry(vnstat_t, vnstat_exec_t)
|
||||
# vnstatd local policy
|
||||
#
|
||||
allow vnstatd_t self:process { fork signal };
|
||||
|
||||
allow vnstatd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow vnstatd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
|
||||
manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
|
||||
files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file } )
|
||||
files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file })
|
||||
|
||||
domain_use_interactive_fds(vnstatd_t)
|
||||
|
||||
@ -45,13 +44,12 @@ miscfiles_read_localization(vnstatd_t)
|
||||
# vnstat local policy
|
||||
#
|
||||
allow vnstat_t self:process { signal };
|
||||
|
||||
allow vnstat_t self:fifo_file rw_fifo_file_perms;
|
||||
allow vnstat_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
|
||||
manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
|
||||
files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file } )
|
||||
files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file })
|
||||
|
||||
kernel_read_network_state(vnstat_t)
|
||||
kernel_read_system_state(vnstat_t)
|
||||
@ -65,5 +63,3 @@ fs_getattr_xattr_fs(vnstat_t)
|
||||
logging_send_syslog_msg(vnstat_t)
|
||||
|
||||
miscfiles_read_localization(vnstat_t)
|
||||
|
||||
|
||||
|
@ -26,44 +26,43 @@ gen_require(`
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allows clients to write to the X server shared
|
||||
## memory segments.
|
||||
## </p>
|
||||
## <p>
|
||||
## Allows clients to write to the X server shared
|
||||
## memory segments.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(allow_write_xshm, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allows XServer to execute writable memory
|
||||
## </p>
|
||||
## <p>
|
||||
## Allows XServer to execute writable memory
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(allow_xserver_execmem, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow xdm logins as sysadm
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow xdm logins as sysadm
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(xdm_sysadm_login, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Support X userspace object manager
|
||||
## </p>
|
||||
## <p>
|
||||
## Support X userspace object manager
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(xserver_object_manager, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow regular users direct dri device access
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow regular users direct dri device access
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(user_direct_dri, false)
|
||||
|
||||
attribute xdmhomewriter;
|
||||
attribute x_userdomain;
|
||||
|
||||
attribute x_domain;
|
||||
|
||||
# X Events
|
||||
@ -121,12 +120,12 @@ typealias user_input_xevent_t alias { auditadm_input_xevent_t secadm_input_xeven
|
||||
|
||||
type remote_t;
|
||||
xserver_object_types_template(remote)
|
||||
xserver_common_x_domain_template(remote,remote_t)
|
||||
xserver_common_x_domain_template(remote, remote_t)
|
||||
|
||||
type user_fonts_t;
|
||||
typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t };
|
||||
typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t };
|
||||
typealias user_fonts_t alias { xguest_fonts_t unconfined_fonts_t user_fonts_home_t };
|
||||
typealias user_fonts_t alias { xguest_fonts_t unconfined_fonts_t user_fonts_home_t };
|
||||
userdom_user_home_content(user_fonts_t)
|
||||
|
||||
type user_fonts_cache_t;
|
||||
@ -153,7 +152,7 @@ ubac_constrained(iceauth_t)
|
||||
type iceauth_home_t;
|
||||
typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t };
|
||||
typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t };
|
||||
typealias iceauth_home_t alias { xguest_iceauth_home_t };
|
||||
typealias iceauth_home_t alias { xguest_iceauth_home_t };
|
||||
files_poly_member(iceauth_home_t)
|
||||
userdom_user_home_content(iceauth_home_t)
|
||||
|
||||
@ -292,13 +291,13 @@ tunable_policy(`use_samba_home_dirs',`
|
||||
fs_manage_cifs_files(iceauth_t)
|
||||
')
|
||||
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
dev_dontaudit_read_urand(iceauth_t)
|
||||
dev_dontaudit_rw_dri(iceauth_t)
|
||||
dev_dontaudit_rw_generic_dev_nodes(iceauth_t)
|
||||
fs_dontaudit_list_inotifyfs(iceauth_t)
|
||||
fs_dontaudit_rw_anon_inodefs_files(iceauth_t)
|
||||
term_dontaudit_use_unallocated_ttys(iceauth_t)
|
||||
term_dontaudit_use_unallocated_ttys(iceauth_t)
|
||||
|
||||
userdom_dontaudit_read_user_home_content_files(iceauth_t)
|
||||
userdom_dontaudit_write_user_home_content_files(iceauth_t)
|
||||
@ -362,13 +361,13 @@ userdom_use_user_terminals(xauth_t)
|
||||
userdom_read_user_tmp_files(xauth_t)
|
||||
userdom_read_all_users_state(xauth_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
fs_dontaudit_rw_anon_inodefs_files(xauth_t)
|
||||
fs_dontaudit_list_inotifyfs(xauth_t)
|
||||
userdom_manage_user_home_content_files(xauth_t)
|
||||
userdom_manage_user_tmp_files(xauth_t)
|
||||
dev_dontaudit_rw_generic_dev_nodes(xauth_t)
|
||||
miscfiles_read_fonts(xauth_t)
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
fs_dontaudit_rw_anon_inodefs_files(xauth_t)
|
||||
fs_dontaudit_list_inotifyfs(xauth_t)
|
||||
userdom_manage_user_home_content_files(xauth_t)
|
||||
userdom_manage_user_tmp_files(xauth_t)
|
||||
dev_dontaudit_rw_generic_dev_nodes(xauth_t)
|
||||
miscfiles_read_fonts(xauth_t)
|
||||
')
|
||||
|
||||
xserver_rw_xdm_tmp_files(xauth_t)
|
||||
@ -382,8 +381,8 @@ tunable_policy(`use_samba_home_dirs',`
|
||||
fs_manage_cifs_files(xauth_t)
|
||||
')
|
||||
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
term_dontaudit_use_unallocated_ttys(xauth_t)
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
term_dontaudit_use_unallocated_ttys(xauth_t)
|
||||
dev_dontaudit_rw_dri(xauth_t)
|
||||
')
|
||||
|
||||
@ -470,7 +469,7 @@ manage_dirs_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
|
||||
manage_files_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
|
||||
files_spool_filetrans(xdm_t, xdm_spool_t, { file dir })
|
||||
|
||||
manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
|
||||
manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
|
||||
manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
|
||||
manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
|
||||
manage_sock_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
|
||||
@ -728,10 +727,8 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
networkmanager_dbus_chat(xdm_t)
|
||||
')
|
||||
|
||||
')
|
||||
|
||||
|
||||
optional_policy(`
|
||||
# Talk to the console mouse server.
|
||||
gpm_stream_connect(xdm_t)
|
||||
@ -763,7 +760,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
policykit_dbus_chat(xdm_t)
|
||||
policykit_dbus_chat(xdm_t)
|
||||
policykit_domtrans_auth(xdm_t)
|
||||
policykit_read_lib(xdm_t)
|
||||
policykit_read_reload(xdm_t)
|
||||
@ -822,13 +819,13 @@ optional_policy(`
|
||||
unconfined_signal(xdm_t)
|
||||
')
|
||||
|
||||
ifndef(`distro_redhat',`
|
||||
allow xdm_t self:process { execheap execmem };
|
||||
')
|
||||
ifndef(`distro_redhat',`
|
||||
allow xdm_t self:process { execheap execmem };
|
||||
')
|
||||
|
||||
ifdef(`distro_rhel4',`
|
||||
allow xdm_t self:process { execheap execmem };
|
||||
')
|
||||
ifdef(`distro_rhel4',`
|
||||
allow xdm_t self:process { execheap execmem };
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
userhelper_dontaudit_search_config(xdm_t)
|
||||
@ -912,11 +909,11 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||
files_search_var_lib(xserver_t)
|
||||
|
||||
manage_dirs_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)
|
||||
manage_dirs_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)
|
||||
manage_files_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)
|
||||
files_var_lib_filetrans(xserver_t, xserver_var_lib_t, dir)
|
||||
|
||||
manage_dirs_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)
|
||||
manage_dirs_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)
|
||||
manage_files_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)
|
||||
manage_sock_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
|
||||
files_pid_filetrans(xserver_t, xserver_var_run_t, { file dir })
|
||||
|
@ -47,7 +47,7 @@ files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir })
|
||||
# zarafa_server local policy
|
||||
#
|
||||
|
||||
allow zarafa_server_t self:capability { chown kill net_bind_service};
|
||||
allow zarafa_server_t self:capability { chown kill net_bind_service };
|
||||
allow zarafa_server_t self:process { setrlimit signal };
|
||||
|
||||
corenet_tcp_bind_zarafa_port(zarafa_server_t)
|
||||
@ -73,7 +73,7 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow zarafa_spooler_t self:capability { chown kill };
|
||||
allow zarafa_spooler_t self:process { signal };
|
||||
allow zarafa_spooler_t self:process { signal };
|
||||
|
||||
corenet_tcp_connect_smtp_port(zarafa_spooler_t)
|
||||
|
||||
@ -110,7 +110,6 @@ allow zarafa_monitor_t self:capability chown;
|
||||
|
||||
# bad permission on /etc/zarafa
|
||||
allow zarafa_domain self:capability { dac_override setgid setuid };
|
||||
|
||||
allow zarafa_domain self:fifo_file rw_fifo_file_perms;
|
||||
allow zarafa_domain self:tcp_socket create_stream_socket_perms;
|
||||
allow zarafa_domain self:unix_stream_socket create_stream_socket_perms;
|
||||
|
@ -6,9 +6,9 @@ policy_module(zebra, 1.11.1)
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow zebra daemon to write it configuration files
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow zebra daemon to write it configuration files
|
||||
## </p>
|
||||
## </desc>
|
||||
#
|
||||
gen_tunable(allow_zebra_write_config, false)
|
||||
|