start cleaning up node binding and raw if/node access
parent
165b42d230
commit
b516e80f24
@ -89,10 +89,6 @@ interface(`corenet_raw_send_generic_if',`
|
||||
')
|
||||
|
||||
allow $1 netif_t:netif rawip_send;
|
||||
|
||||
# cjp: comment out until raw access is
|
||||
# is fixed for network users
|
||||
#allow $1 self:capability net_raw;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -213,10 +209,6 @@ interface(`corenet_raw_send_all_if',`
|
||||
')
|
||||
|
||||
allow $1 netif_type:netif rawip_send;
|
||||
|
||||
# cjp: comment out until raw access is
|
||||
# is fixed for network users
|
||||
#allow $1 self:capability net_raw;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -102,10 +102,6 @@ interface(`corenet_raw_send_$1_if',`
|
||||
')
|
||||
|
||||
allow dollarsone $1_$2:netif rawip_send;
|
||||
|
||||
# cjp: comment out until raw access is
|
||||
# is fixed for network users
|
||||
#allow dollarsone self:capability net_raw;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(corenetwork,1.1.7)
|
||||
policy_module(corenetwork,1.1.8)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(arpwatch,1.1.0)
|
||||
policy_module(arpwatch,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -49,6 +49,7 @@ kernel_read_kernel_sysctls(arpwatch_t)
|
||||
kernel_list_proc(arpwatch_t)
|
||||
kernel_read_proc_symlinks(arpwatch_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(arpwatch_t)
|
||||
corenet_tcp_sendrecv_all_if(arpwatch_t)
|
||||
corenet_udp_sendrecv_all_if(arpwatch_t)
|
||||
corenet_raw_sendrecv_all_if(arpwatch_t)
|
||||
@ -57,9 +58,6 @@ corenet_udp_sendrecv_all_nodes(arpwatch_t)
|
||||
corenet_raw_sendrecv_all_nodes(arpwatch_t)
|
||||
corenet_tcp_sendrecv_all_ports(arpwatch_t)
|
||||
corenet_udp_sendrecv_all_ports(arpwatch_t)
|
||||
corenet_non_ipsec_sendrecv(arpwatch_t)
|
||||
corenet_tcp_bind_all_nodes(arpwatch_t)
|
||||
corenet_udp_bind_all_nodes(arpwatch_t)
|
||||
|
||||
dev_read_sysfs(arpwatch_t)
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(asterisk,1.0.0)
|
||||
policy_module(asterisk,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -89,10 +89,8 @@ corecmd_search_sbin(asterisk_t)
|
||||
corenet_non_ipsec_sendrecv(asterisk_t)
|
||||
corenet_tcp_sendrecv_generic_if(asterisk_t)
|
||||
corenet_udp_sendrecv_generic_if(asterisk_t)
|
||||
corenet_raw_sendrecv_generic_if(asterisk_t)
|
||||
corenet_tcp_sendrecv_all_nodes(asterisk_t)
|
||||
corenet_udp_sendrecv_all_nodes(asterisk_t)
|
||||
corenet_raw_sendrecv_all_nodes(asterisk_t)
|
||||
corenet_tcp_sendrecv_all_ports(asterisk_t)
|
||||
corenet_udp_sendrecv_all_ports(asterisk_t)
|
||||
corenet_tcp_bind_all_nodes(asterisk_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(automount,1.2.3)
|
||||
policy_module(automount,1.2.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -72,10 +72,8 @@ corecmd_exec_shell(automount_t)
|
||||
corenet_non_ipsec_sendrecv(automount_t)
|
||||
corenet_tcp_sendrecv_generic_if(automount_t)
|
||||
corenet_udp_sendrecv_generic_if(automount_t)
|
||||
corenet_raw_sendrecv_generic_if(automount_t)
|
||||
corenet_tcp_sendrecv_all_nodes(automount_t)
|
||||
corenet_udp_sendrecv_all_nodes(automount_t)
|
||||
corenet_raw_sendrecv_all_nodes(automount_t)
|
||||
corenet_tcp_sendrecv_all_ports(automount_t)
|
||||
corenet_udp_sendrecv_all_ports(automount_t)
|
||||
corenet_tcp_bind_all_nodes(automount_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(avahi,1.2.1)
|
||||
policy_module(avahi,1.2.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -38,15 +38,13 @@ kernel_list_proc(avahi_t)
|
||||
kernel_read_proc_symlinks(avahi_t)
|
||||
kernel_read_network_state(avahi_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(avahi_t)
|
||||
corenet_tcp_sendrecv_all_if(avahi_t)
|
||||
corenet_raw_sendrecv_all_if(avahi_t)
|
||||
corenet_udp_sendrecv_all_if(avahi_t)
|
||||
corenet_tcp_sendrecv_all_nodes(avahi_t)
|
||||
corenet_raw_sendrecv_all_nodes(avahi_t)
|
||||
corenet_udp_sendrecv_all_nodes(avahi_t)
|
||||
corenet_tcp_sendrecv_all_ports(avahi_t)
|
||||
corenet_udp_sendrecv_all_ports(avahi_t)
|
||||
corenet_non_ipsec_sendrecv(avahi_t)
|
||||
corenet_tcp_bind_all_nodes(avahi_t)
|
||||
corenet_udp_bind_all_nodes(avahi_t)
|
||||
corenet_tcp_bind_howl_port(avahi_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(bind,1.1.2)
|
||||
policy_module(bind,1.1.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -99,15 +99,13 @@ kernel_read_system_state(named_t)
|
||||
kernel_read_network_state(named_t)
|
||||
kernel_tcp_recvfrom(named_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(named_t)
|
||||
corenet_tcp_sendrecv_all_if(named_t)
|
||||
corenet_raw_sendrecv_all_if(named_t)
|
||||
corenet_udp_sendrecv_all_if(named_t)
|
||||
corenet_tcp_sendrecv_all_nodes(named_t)
|
||||
corenet_udp_sendrecv_all_nodes(named_t)
|
||||
corenet_raw_sendrecv_all_nodes(named_t)
|
||||
corenet_tcp_sendrecv_all_ports(named_t)
|
||||
corenet_udp_sendrecv_all_ports(named_t)
|
||||
corenet_non_ipsec_sendrecv(named_t)
|
||||
corenet_tcp_bind_all_nodes(named_t)
|
||||
corenet_udp_bind_all_nodes(named_t)
|
||||
corenet_tcp_bind_dns_port(named_t)
|
||||
@ -238,13 +236,10 @@ allow ndc_t named_zone_t:dir search;
|
||||
kernel_read_kernel_sysctls(ndc_t)
|
||||
kernel_tcp_recvfrom(ndc_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(ndc_t)
|
||||
corenet_raw_sendrecv_all_if(ndc_t)
|
||||
corenet_tcp_sendrecv_all_nodes(ndc_t)
|
||||
corenet_raw_sendrecv_all_nodes(ndc_t)
|
||||
corenet_tcp_sendrecv_all_ports(ndc_t)
|
||||
corenet_non_ipsec_sendrecv(ndc_t)
|
||||
corenet_tcp_bind_all_nodes(ndc_t)
|
||||
corenet_tcp_sendrecv_all_if(ndc_t)
|
||||
corenet_tcp_sendrecv_all_nodes(ndc_t)
|
||||
corenet_tcp_sendrecv_all_ports(ndc_t)
|
||||
corenet_tcp_connect_rndc_port(ndc_t)
|
||||
|
||||
fs_getattr_xattr_fs(ndc_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(canna,1.2.0)
|
||||
policy_module(canna,1.2.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -48,12 +48,10 @@ files_pid_filetrans(canna_t, canna_var_run_t, { file sock_file })
|
||||
kernel_read_kernel_sysctls(canna_t)
|
||||
kernel_read_system_state(canna_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(canna_t)
|
||||
corenet_raw_sendrecv_all_if(canna_t)
|
||||
corenet_tcp_sendrecv_all_nodes(canna_t)
|
||||
corenet_raw_sendrecv_all_nodes(canna_t)
|
||||
corenet_tcp_sendrecv_all_ports(canna_t)
|
||||
corenet_non_ipsec_sendrecv(canna_t)
|
||||
corenet_tcp_sendrecv_all_if(canna_t)
|
||||
corenet_tcp_sendrecv_all_nodes(canna_t)
|
||||
corenet_tcp_sendrecv_all_ports(canna_t)
|
||||
corenet_tcp_bind_all_nodes(canna_t)
|
||||
corenet_tcp_connect_all_ports(canna_t)
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(cipe,1.0.0)
|
||||
policy_module(cipe,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -30,12 +30,10 @@ corecmd_exec_shell(ciped_t)
|
||||
corecmd_exec_bin(ciped_t)
|
||||
corecmd_exec_sbin(ciped_t)
|
||||
|
||||
corenet_udp_sendrecv_generic_if(ciped_t)
|
||||
corenet_raw_sendrecv_generic_if(ciped_t)
|
||||
corenet_udp_sendrecv_all_nodes(ciped_t)
|
||||
corenet_raw_sendrecv_all_nodes(ciped_t)
|
||||
corenet_udp_sendrecv_all_ports(ciped_t)
|
||||
corenet_non_ipsec_sendrecv(ciped_t)
|
||||
corenet_udp_sendrecv_generic_if(ciped_t)
|
||||
corenet_udp_sendrecv_all_nodes(ciped_t)
|
||||
corenet_udp_sendrecv_all_ports(ciped_t)
|
||||
corenet_udp_bind_all_nodes(ciped_t)
|
||||
# cipe uses the afs3-bos port (udp 7007)
|
||||
corenet_udp_bind_afs_bos_port(ciped_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(clamav,1.0.0)
|
||||
policy_module(clamav,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -95,11 +95,11 @@ files_pid_filetrans(clamd_t,clamd_var_run_t,file)
|
||||
|
||||
kernel_dontaudit_list_proc(clamd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(clamd_t)
|
||||
corenet_tcp_sendrecv_all_if(clamd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(clamd_t)
|
||||
corenet_tcp_sendrecv_all_ports(clamd_t)
|
||||
corenet_tcp_sendrecv_clamd_port(clamd_t)
|
||||
corenet_non_ipsec_sendrecv(clamd_t)
|
||||
corenet_tcp_bind_clamd_port(clamd_t)
|
||||
corenet_tcp_bind_all_nodes(clamd_t)
|
||||
|
||||
@ -165,14 +165,12 @@ allow freshclam_t freshclam_var_log_t:dir { rw_dir_perms setattr };
|
||||
allow freshclam_t clamd_var_log_t:dir search;
|
||||
logging_log_filetrans(freshclam_t,freshclam_var_log_t,file)
|
||||
|
||||
corenet_non_ipsec_sendrecv(freshclam_t)
|
||||
corenet_tcp_sendrecv_all_if(freshclam_t)
|
||||
corenet_tcp_sendrecv_all_nodes(freshclam_t)
|
||||
corenet_tcp_sendrecv_all_ports(freshclam_t)
|
||||
corenet_tcp_sendrecv_clamd_port(freshclam_t)
|
||||
corenet_non_ipsec_sendrecv(freshclam_t)
|
||||
corenet_tcp_connect_http_port(freshclam_t)
|
||||
corenet_tcp_bind_all_ports(freshclam_t)
|
||||
corenet_tcp_bind_all_nodes(freshclam_t)
|
||||
|
||||
dev_read_rand(freshclam_t)
|
||||
dev_read_urand(freshclam_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(comsat,1.1.0)
|
||||
policy_module(comsat,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -43,17 +43,12 @@ kernel_read_kernel_sysctls(comsat_t)
|
||||
kernel_read_network_state(comsat_t)
|
||||
kernel_read_system_state(comsat_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(comsat_t)
|
||||
corenet_tcp_sendrecv_all_if(comsat_t)
|
||||
corenet_udp_sendrecv_all_if(comsat_t)
|
||||
corenet_raw_sendrecv_all_if(comsat_t)
|
||||
corenet_tcp_sendrecv_all_nodes(comsat_t)
|
||||
corenet_udp_sendrecv_all_nodes(comsat_t)
|
||||
corenet_raw_sendrecv_all_nodes(comsat_t)
|
||||
corenet_tcp_sendrecv_all_ports(comsat_t)
|
||||
corenet_udp_sendrecv_all_ports(comsat_t)
|
||||
corenet_non_ipsec_sendrecv(comsat_t)
|
||||
corenet_tcp_bind_all_nodes(comsat_t)
|
||||
corenet_udp_bind_all_nodes(comsat_t)
|
||||
|
||||
dev_read_urand(comsat_t)
|
||||
|
||||
@ -91,5 +86,3 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
nscd_socket_use(comsat_t)
|
||||
')
|
||||
|
||||
|
||||
|
@ -49,15 +49,13 @@ template(`courier_domain_template',`
|
||||
|
||||
corecmd_exec_bin(courier_$1_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(courier_$1_t)
|
||||
corenet_tcp_sendrecv_generic_if(courier_$1_t)
|
||||
corenet_udp_sendrecv_generic_if(courier_$1_t)
|
||||
corenet_raw_sendrecv_generic_if(courier_$1_t)
|
||||
corenet_tcp_sendrecv_all_nodes(courier_$1_t)
|
||||
corenet_udp_sendrecv_all_nodes(courier_$1_t)
|
||||
corenet_raw_sendrecv_all_nodes(courier_$1_t)
|
||||
corenet_tcp_sendrecv_all_ports(courier_$1_t)
|
||||
corenet_udp_sendrecv_all_ports(courier_$1_t)
|
||||
corenet_non_ipsec_sendrecv(courier_$1_t)
|
||||
corenet_tcp_bind_all_nodes(courier_$1_t)
|
||||
corenet_udp_bind_all_nodes(courier_$1_t)
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(courier,1.0.0)
|
||||
policy_module(courier,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(cron,1.3.5)
|
||||
policy_module(cron,1.3.6)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
@ -283,17 +283,13 @@ ifdef(`targeted_policy',`
|
||||
|
||||
corecmd_exec_all_executables(system_crond_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(system_crond_t)
|
||||
corenet_tcp_sendrecv_all_if(system_crond_t)
|
||||
corenet_raw_sendrecv_all_if(system_crond_t)
|
||||
corenet_udp_sendrecv_all_if(system_crond_t)
|
||||
corenet_tcp_sendrecv_all_nodes(system_crond_t)
|
||||
corenet_raw_sendrecv_all_nodes(system_crond_t)
|
||||
corenet_udp_sendrecv_all_nodes(system_crond_t)
|
||||
corenet_tcp_sendrecv_all_ports(system_crond_t)
|
||||
corenet_udp_sendrecv_all_ports(system_crond_t)
|
||||
corenet_non_ipsec_sendrecv(system_crond_t)
|
||||
corenet_tcp_bind_all_nodes(system_crond_t)
|
||||
corenet_udp_bind_all_nodes(system_crond_t)
|
||||
|
||||
dev_getattr_all_blk_files(system_crond_t)
|
||||
dev_getattr_all_chr_files(system_crond_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(dovecot,1.2.1)
|
||||
policy_module(dovecot,1.2.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -70,12 +70,10 @@ files_pid_filetrans(dovecot_t,dovecot_var_run_t,file)
|
||||
kernel_read_kernel_sysctls(dovecot_t)
|
||||
kernel_read_system_state(dovecot_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(dovecot_t)
|
||||
corenet_raw_sendrecv_all_if(dovecot_t)
|
||||
corenet_tcp_sendrecv_all_nodes(dovecot_t)
|
||||
corenet_raw_sendrecv_all_nodes(dovecot_t)
|
||||
corenet_tcp_sendrecv_all_ports(dovecot_t)
|
||||
corenet_non_ipsec_sendrecv(dovecot_t)
|
||||
corenet_tcp_sendrecv_all_if(dovecot_t)
|
||||
corenet_tcp_sendrecv_all_nodes(dovecot_t)
|
||||
corenet_tcp_sendrecv_all_ports(dovecot_t)
|
||||
corenet_tcp_bind_all_nodes(dovecot_t)
|
||||
corenet_tcp_bind_pop_port(dovecot_t)
|
||||
corenet_tcp_connect_all_ports(dovecot_t)
|
||||
|
@ -1,10 +1,11 @@
|
||||
|
||||
policy_module(fetchmail,1.1.0)
|
||||
policy_module(fetchmail,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type fetchmail_t;
|
||||
type fetchmail_exec_t;
|
||||
init_daemon_domain(fetchmail_t,fetchmail_exec_t)
|
||||
@ -27,9 +28,9 @@ dontaudit fetchmail_t self:capability sys_tty_config;
|
||||
allow fetchmail_t self:process { signal_perms setrlimit };
|
||||
allow fetchmail_t self:unix_dgram_socket create_socket_perms;
|
||||
allow fetchmail_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow fetchmail_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow fetchmail_t self:tcp_socket create_socket_perms;
|
||||
allow fetchmail_t self:udp_socket create_socket_perms;
|
||||
allow fetchmail_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
allow fetchmail_t fetchmail_etc_t:file r_file_perms;
|
||||
|
||||
@ -49,16 +50,12 @@ kernel_dontaudit_read_system_state(fetchmail_t)
|
||||
corenet_non_ipsec_sendrecv(fetchmail_t)
|
||||
corenet_tcp_sendrecv_generic_if(fetchmail_t)
|
||||
corenet_udp_sendrecv_generic_if(fetchmail_t)
|
||||
corenet_raw_sendrecv_generic_if(fetchmail_t)
|
||||
corenet_tcp_sendrecv_all_nodes(fetchmail_t)
|
||||
corenet_udp_sendrecv_all_nodes(fetchmail_t)
|
||||
corenet_raw_sendrecv_all_nodes(fetchmail_t)
|
||||
corenet_tcp_sendrecv_dns_port(fetchmail_t)
|
||||
corenet_udp_sendrecv_dns_port(fetchmail_t)
|
||||
corenet_tcp_sendrecv_pop_port(fetchmail_t)
|
||||
corenet_tcp_sendrecv_smtp_port(fetchmail_t)
|
||||
corenet_tcp_bind_all_nodes(fetchmail_t)
|
||||
corenet_udp_bind_all_nodes(fetchmail_t)
|
||||
corenet_tcp_connect_all_ports(fetchmail_t)
|
||||
|
||||
dev_read_sysfs(fetchmail_t)
|
||||
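Review bot: `corenet_tcp_connect_all_ports(fetchmail_t)` is left in place at the end of the `@ -49,16 +50,12 @@` block, although the send/receive calls just above it are limited to the dns, pop and smtp ports. As far as the visible calls show, fetchmail_t may open a TCP connection to any port type but exchange data on only three, so the connect rule is broader than the rest of the block can use. Consider narrowing it to the matching per-port calls, e.g. `corenet_tcp_connect_pop_port(fetchmail_t)` and `corenet_tcp_connect_smtp_port(fetchmail_t)`, which follow the naming pattern of the `corenet_tcp_connect_http_port` call used for freshclam_t. Check first which ports fetchmail actually has to reach.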
|
@ -1,10 +1,11 @@
|
||||
|
||||
policy_module(finger,1.1.0)
|
||||
policy_module(finger,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type fingerd_t;
|
||||
type fingerd_exec_t;
|
||||
init_daemon_domain(fingerd_t,fingerd_exec_t)
|
||||
@ -23,6 +24,7 @@ files_pid_file(fingerd_var_run_t)
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow fingerd_t self:capability { setgid setuid };
|
||||
dontaudit fingerd_t self:capability { sys_tty_config fsetid };
|
||||
allow fingerd_t self:process signal_perms;
|
||||
@ -47,17 +49,14 @@ kernel_read_kernel_sysctls(fingerd_t)
|
||||
kernel_read_system_state(fingerd_t)
|
||||
kernel_tcp_recvfrom(fingerd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(fingerd_t)
|
||||
corenet_tcp_sendrecv_all_if(fingerd_t)
|
||||
corenet_udp_sendrecv_all_if(fingerd_t)
|
||||
corenet_raw_sendrecv_all_if(fingerd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(fingerd_t)
|
||||
corenet_udp_sendrecv_all_nodes(fingerd_t)
|
||||
corenet_raw_sendrecv_all_nodes(fingerd_t)
|
||||
corenet_tcp_sendrecv_all_ports(fingerd_t)
|
||||
corenet_udp_sendrecv_all_ports(fingerd_t)
|
||||
corenet_non_ipsec_sendrecv(fingerd_t)
|
||||
corenet_tcp_bind_all_nodes(fingerd_t)
|
||||
corenet_udp_bind_all_nodes(fingerd_t)
|
||||
corenet_tcp_bind_fingerd_port(fingerd_t)
|
||||
|
||||
dev_read_sysfs(fingerd_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ftp,1.2.2)
|
||||
policy_module(ftp,1.2.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -78,17 +78,14 @@ corecmd_exec_sbin(ftpd_t)
|
||||
# also may need rules to allow tar etc...
|
||||
corecmd_exec_ls(ftpd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(ftpd_t)
|
||||
corenet_tcp_sendrecv_all_if(ftpd_t)
|
||||
corenet_udp_sendrecv_all_if(ftpd_t)
|
||||
corenet_raw_sendrecv_all_if(ftpd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(ftpd_t)
|
||||
corenet_udp_sendrecv_all_nodes(ftpd_t)
|
||||
corenet_raw_sendrecv_all_nodes(ftpd_t)
|
||||
corenet_tcp_sendrecv_all_ports(ftpd_t)
|
||||
corenet_udp_sendrecv_all_ports(ftpd_t)
|
||||
corenet_non_ipsec_sendrecv(ftpd_t)
|
||||
corenet_tcp_bind_all_nodes(ftpd_t)
|
||||
corenet_udp_bind_all_nodes(ftpd_t)
|
||||
corenet_tcp_bind_ftp_data_port(ftpd_t)
|
||||
corenet_tcp_bind_generic_port(ftpd_t)
|
||||
corenet_tcp_connect_all_ports(ftpd_t)
|
||||
@ -205,10 +202,6 @@ optional_policy(`
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
mount_send_nfs_client_request(ftpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(ftpd_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(gatekeeper,1.0.0)
|
||||
policy_module(gatekeeper,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -31,7 +31,6 @@ files_pid_file(gatekeeper_var_run_t)
|
||||
dontaudit gatekeeper_t self:capability sys_tty_config;
|
||||
allow gatekeeper_t self:process { setsched signal_perms };
|
||||
allow gatekeeper_t self:fifo_file rw_file_perms;
|
||||
|
||||
allow gatekeeper_t self:tcp_socket create_stream_socket_perms;
|
||||
allow gatekeeper_t self:udp_socket create_socket_perms;
|
||||
|
||||
@ -59,10 +58,8 @@ corecmd_list_sbin(gatekeeper_t)
|
||||
corenet_non_ipsec_sendrecv(gatekeeper_t)
|
||||
corenet_tcp_sendrecv_generic_if(gatekeeper_t)
|
||||
corenet_udp_sendrecv_generic_if(gatekeeper_t)
|
||||
corenet_raw_sendrecv_generic_if(gatekeeper_t)
|
||||
corenet_tcp_sendrecv_all_nodes(gatekeeper_t)
|
||||
corenet_udp_sendrecv_all_nodes(gatekeeper_t)
|
||||
corenet_raw_sendrecv_all_nodes(gatekeeper_t)
|
||||
corenet_tcp_sendrecv_all_ports(gatekeeper_t)
|
||||
corenet_udp_sendrecv_all_ports(gatekeeper_t)
|
||||
corenet_tcp_bind_all_nodes(gatekeeper_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(howl,1.1.0)
|
||||
policy_module(howl,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -35,15 +35,13 @@ kernel_load_module(howl_t)
|
||||
kernel_list_proc(howl_t)
|
||||
kernel_read_proc_symlinks(howl_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(howl_t)
|
||||
corenet_tcp_sendrecv_all_if(howl_t)
|
||||
corenet_udp_sendrecv_all_if(howl_t)
|
||||
corenet_raw_sendrecv_all_if(howl_t)
|
||||
corenet_tcp_sendrecv_all_nodes(howl_t)
|
||||
corenet_udp_sendrecv_all_nodes(howl_t)
|
||||
corenet_raw_sendrecv_all_nodes(howl_t)
|
||||
corenet_tcp_sendrecv_all_ports(howl_t)
|
||||
corenet_udp_sendrecv_all_ports(howl_t)
|
||||
corenet_non_ipsec_sendrecv(howl_t)
|
||||
corenet_tcp_bind_all_nodes(howl_t)
|
||||
corenet_udp_bind_all_nodes(howl_t)
|
||||
corenet_tcp_bind_howl_port(howl_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(i18n_input,1.1.0)
|
||||
policy_module(i18n_input,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -38,17 +38,14 @@ kernel_read_kernel_sysctls(i18n_input_t)
|
||||
kernel_read_system_state(i18n_input_t)
|
||||
kernel_tcp_recvfrom(i18n_input_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(i18n_input_t)
|
||||
corenet_tcp_sendrecv_generic_if(i18n_input_t)
|
||||
corenet_udp_sendrecv_generic_if(i18n_input_t)
|
||||
corenet_raw_sendrecv_generic_if(i18n_input_t)
|
||||
corenet_tcp_sendrecv_all_nodes(i18n_input_t)
|
||||
corenet_udp_sendrecv_all_nodes(i18n_input_t)
|
||||
corenet_raw_sendrecv_all_nodes(i18n_input_t)
|
||||
corenet_tcp_sendrecv_all_ports(i18n_input_t)
|
||||
corenet_udp_sendrecv_all_ports(i18n_input_t)
|
||||
corenet_non_ipsec_sendrecv(i18n_input_t)
|
||||
corenet_tcp_bind_all_nodes(i18n_input_t)
|
||||
corenet_udp_bind_all_nodes(i18n_input_t)
|
||||
corenet_tcp_bind_i18n_input_port(i18n_input_t)
|
||||
corenet_tcp_connect_all_ports(i18n_input_t)
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(imaze,1.0.0)
|
||||
policy_module(imaze,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -56,15 +56,13 @@ kernel_read_kernel_sysctls(imazesrv_t)
|
||||
kernel_list_proc(imazesrv_t)
|
||||
kernel_read_proc_symlinks(imazesrv_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(imazesrv_t)
|
||||
corenet_tcp_sendrecv_generic_if(imazesrv_t)
|
||||
corenet_udp_sendrecv_generic_if(imazesrv_t)
|
||||
corenet_raw_sendrecv_generic_if(imazesrv_t)
|
||||
corenet_tcp_sendrecv_all_nodes(imazesrv_t)
|
||||
corenet_udp_sendrecv_all_nodes(imazesrv_t)
|
||||
corenet_raw_sendrecv_all_nodes(imazesrv_t)
|
||||
corenet_tcp_sendrecv_all_ports(imazesrv_t)
|
||||
corenet_udp_sendrecv_all_ports(imazesrv_t)
|
||||
corenet_non_ipsec_sendrecv(imazesrv_t)
|
||||
corenet_tcp_bind_all_nodes(imazesrv_t)
|
||||
corenet_udp_bind_all_nodes(imazesrv_t)
|
||||
corenet_tcp_bind_imaze_port(imazesrv_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(inetd,1.1.1)
|
||||
policy_module(inetd,1.1.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -40,7 +40,7 @@ dontaudit inetd_t self:capability sys_tty_config;
|
||||
allow inetd_t self:process setsched;
|
||||
allow inetd_t self:fifo_file rw_file_perms;
|
||||
allow inetd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow inetd_t self:udp_socket { connect connected_socket_perms };
|
||||
allow inetd_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow inetd_t inetd_log_t:file create_file_perms;
|
||||
logging_log_filetrans(inetd_t,inetd_log_t,file)
|
||||
@ -58,15 +58,13 @@ kernel_read_proc_symlinks(inetd_t)
|
||||
kernel_tcp_recvfrom(inetd_t)
|
||||
|
||||
# networking:
|
||||
corenet_non_ipsec_sendrecv(inetd_t)
|
||||
corenet_tcp_sendrecv_all_if(inetd_t)
|
||||
corenet_udp_sendrecv_all_if(inetd_t)
|
||||
corenet_raw_sendrecv_all_if(inetd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(inetd_t)
|
||||
corenet_udp_sendrecv_all_nodes(inetd_t)
|
||||
corenet_raw_sendrecv_all_nodes(inetd_t)
|
||||
corenet_tcp_sendrecv_all_ports(inetd_t)
|
||||
corenet_udp_sendrecv_all_ports(inetd_t)
|
||||
corenet_non_ipsec_sendrecv(inetd_t)
|
||||
corenet_tcp_bind_all_nodes(inetd_t)
|
||||
corenet_udp_bind_all_nodes(inetd_t)
|
||||
corenet_tcp_connect_all_ports(inetd_t)
|
||||
@ -185,17 +183,13 @@ kernel_read_kernel_sysctls(inetd_child_t)
|
||||
kernel_read_system_state(inetd_child_t)
|
||||
kernel_read_network_state(inetd_child_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(inetd_child_t)
|
||||
corenet_tcp_sendrecv_all_if(inetd_child_t)
|
||||
corenet_udp_sendrecv_all_if(inetd_child_t)
|
||||
corenet_raw_sendrecv_all_if(inetd_child_t)
|
||||
corenet_tcp_sendrecv_all_nodes(inetd_child_t)
|
||||
corenet_udp_sendrecv_all_nodes(inetd_child_t)
|
||||
corenet_raw_sendrecv_all_nodes(inetd_child_t)
|
||||
corenet_tcp_sendrecv_all_ports(inetd_child_t)
|
||||
corenet_udp_sendrecv_all_ports(inetd_child_t)
|
||||
corenet_non_ipsec_sendrecv(inetd_child_t)
|
||||
corenet_tcp_bind_all_nodes(inetd_child_t)
|
||||
corenet_udp_bind_all_nodes(inetd_child_t)
|
||||
|
||||
dev_read_urand(inetd_child_t)
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(inn,1.1.0)
|
||||
policy_module(inn,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -32,10 +32,10 @@ allow innd_t self:capability { dac_override kill setgid setuid };
|
||||
dontaudit innd_t self:capability sys_tty_config;
|
||||
allow innd_t self:process { setsched signal_perms };
|
||||
allow innd_t self:fifo_file rw_file_perms;
|
||||
allow innd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow innd_t self:udp_socket create_socket_perms;
|
||||
allow innd_t self:unix_dgram_socket { sendto create_socket_perms };
|
||||
allow innd_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
allow innd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow innd_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow innd_t innd_etc_t:file r_file_perms;
|
||||
allow innd_t innd_etc_t:dir r_dir_perms;
|
||||
@ -63,17 +63,14 @@ allow innd_t news_spool_t:lnk_file create_lnk_perms;
|
||||
kernel_read_kernel_sysctls(innd_t)
|
||||
kernel_read_system_state(innd_t)
|
||||
|
||||
corenet_raw_sendrecv_all_if(innd_t)
|
||||
corenet_non_ipsec_sendrecv(innd_t)
|
||||
corenet_tcp_sendrecv_all_if(innd_t)
|
||||
corenet_udp_sendrecv_all_if(innd_t)
|
||||
corenet_raw_sendrecv_all_nodes(innd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(innd_t)
|
||||
corenet_udp_sendrecv_all_nodes(innd_t)
|
||||
corenet_tcp_sendrecv_all_ports(innd_t)
|
||||
corenet_udp_sendrecv_all_ports(innd_t)
|
||||
corenet_non_ipsec_sendrecv(innd_t)
|
||||
corenet_tcp_bind_all_nodes(innd_t)
|
||||
corenet_udp_bind_all_nodes(innd_t)
|
||||
corenet_tcp_bind_innd_port(innd_t)
|
||||
corenet_tcp_connect_all_ports(innd_t)
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ircd,1.0.0)
|
||||
policy_module(ircd,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -54,17 +54,14 @@ kernel_read_kernel_sysctls(ircd_t)
|
||||
|
||||
corecmd_search_sbin(ircd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(ircd_t)
|
||||
corenet_tcp_sendrecv_generic_if(ircd_t)
|
||||
corenet_udp_sendrecv_generic_if(ircd_t)
|
||||
corenet_raw_sendrecv_generic_if(ircd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(ircd_t)
|
||||
corenet_udp_sendrecv_all_nodes(ircd_t)
|
||||
corenet_raw_sendrecv_all_nodes(ircd_t)
|
||||
corenet_tcp_sendrecv_all_ports(ircd_t)
|
||||
corenet_udp_sendrecv_all_ports(ircd_t)
|
||||
corenet_non_ipsec_sendrecv(ircd_t)
|
||||
corenet_tcp_bind_all_nodes(ircd_t)
|
||||
corenet_udp_bind_all_nodes(ircd_t)
|
||||
corenet_tcp_bind_ircd_port(ircd_t)
|
||||
|
||||
dev_read_sysfs(ircd_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(jabber,1.0.0)
|
||||
policy_module(jabber,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -48,17 +48,14 @@ kernel_list_proc(jabberd_t)
|
||||
kernel_read_proc_symlinks(jabberd_t)
|
||||
kernel_tcp_recvfrom(jabberd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(jabberd_t)
|
||||
corenet_tcp_sendrecv_generic_if(jabberd_t)
|
||||
corenet_udp_sendrecv_generic_if(jabberd_t)
|
||||
corenet_raw_sendrecv_generic_if(jabberd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(jabberd_t)
|
||||
corenet_udp_sendrecv_all_nodes(jabberd_t)
|
||||
corenet_raw_sendrecv_all_nodes(jabberd_t)
|
||||
corenet_tcp_sendrecv_all_ports(jabberd_t)
|
||||
corenet_udp_sendrecv_all_ports(jabberd_t)
|
||||
corenet_non_ipsec_sendrecv(jabberd_t)
|
||||
corenet_tcp_bind_all_nodes(jabberd_t)
|
||||
corenet_udp_bind_all_nodes(jabberd_t)
|
||||
corenet_tcp_bind_jabber_client_port(jabberd_t)
|
||||
corenet_tcp_bind_jabber_interserver_port(jabberd_t)
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(kerberos,1.1.0)
|
||||
policy_module(kerberos,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -87,15 +87,13 @@ kernel_read_kernel_sysctls(kadmind_t)
|
||||
kernel_list_proc(kadmind_t)
|
||||
kernel_read_proc_symlinks(kadmind_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(kadmind_t)
|
||||
corenet_tcp_sendrecv_all_if(kadmind_t)
|
||||
corenet_udp_sendrecv_all_if(kadmind_t)
|
||||
corenet_raw_sendrecv_all_if(kadmind_t)
|
||||
corenet_tcp_sendrecv_all_nodes(kadmind_t)
|
||||
corenet_udp_sendrecv_all_nodes(kadmind_t)
|
||||
corenet_raw_sendrecv_all_nodes(kadmind_t)
|
||||
corenet_tcp_sendrecv_all_ports(kadmind_t)
|
||||
corenet_udp_sendrecv_all_ports(kadmind_t)
|
||||
corenet_non_ipsec_sendrecv(kadmind_t)
|
||||
corenet_tcp_bind_all_nodes(kadmind_t)
|
||||
corenet_udp_bind_all_nodes(kadmind_t)
|
||||
corenet_tcp_bind_kerberos_admin_port(kadmind_t)
|
||||
@ -190,15 +188,13 @@ kernel_read_kernel_sysctls(krb5kdc_t)
|
||||
kernel_list_proc(krb5kdc_t)
|
||||
kernel_read_proc_symlinks(krb5kdc_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(krb5kdc_t)
|
||||
corenet_tcp_sendrecv_all_if(krb5kdc_t)
|
||||
corenet_udp_sendrecv_all_if(krb5kdc_t)
|
||||
corenet_raw_sendrecv_all_if(krb5kdc_t)
|
||||
corenet_tcp_sendrecv_all_nodes(krb5kdc_t)
|
||||
corenet_udp_sendrecv_all_nodes(krb5kdc_t)
|
||||
corenet_raw_sendrecv_all_nodes(krb5kdc_t)
|
||||
corenet_tcp_sendrecv_all_ports(krb5kdc_t)
|
||||
corenet_udp_sendrecv_all_ports(krb5kdc_t)
|
||||
corenet_non_ipsec_sendrecv(krb5kdc_t)
|
||||
corenet_tcp_bind_all_nodes(krb5kdc_t)
|
||||
corenet_udp_bind_all_nodes(krb5kdc_t)
|
||||
corenet_tcp_bind_kerberos_port(krb5kdc_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ktalk,1.2.1)
|
||||
policy_module(ktalk,1.2.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -56,17 +56,13 @@ kernel_read_kernel_sysctls(ktalkd_t)
|
||||
kernel_read_system_state(ktalkd_t)
|
||||
kernel_read_network_state(ktalkd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(ktalkd_t)
|
||||
corenet_tcp_sendrecv_all_if(ktalkd_t)
|
||||
corenet_udp_sendrecv_all_if(ktalkd_t)
|
||||
corenet_raw_sendrecv_all_if(ktalkd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(ktalkd_t)
|
||||
corenet_udp_sendrecv_all_nodes(ktalkd_t)
|
||||
corenet_raw_sendrecv_all_nodes(ktalkd_t)
|
||||
corenet_tcp_sendrecv_all_ports(ktalkd_t)
|
||||
corenet_udp_sendrecv_all_ports(ktalkd_t)
|
||||
corenet_non_ipsec_sendrecv(ktalkd_t)
|
||||
corenet_tcp_bind_all_nodes(ktalkd_t)
|
||||
corenet_udp_bind_all_nodes(ktalkd_t)
|
||||
|
||||
dev_read_urand(ktalkd_t)
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ldap,1.2.0)
|
||||
policy_module(ldap,1.2.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -78,6 +78,7 @@ kernel_read_system_state(slapd_t)
|
||||
kernel_read_kernel_sysctls(slapd_t)
|
||||
kernel_tcp_recvfrom(slapd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(slapd_t)
|
||||
corenet_tcp_sendrecv_all_if(slapd_t)
|
||||
corenet_udp_sendrecv_all_if(slapd_t)
|
||||
corenet_raw_sendrecv_all_if(slapd_t)
|
||||
@ -86,9 +87,7 @@ corenet_udp_sendrecv_all_nodes(slapd_t)
|
||||
corenet_raw_sendrecv_all_nodes(slapd_t)
|
||||
corenet_tcp_sendrecv_all_ports(slapd_t)
|
||||
corenet_udp_sendrecv_all_ports(slapd_t)
|
||||
corenet_non_ipsec_sendrecv(slapd_t)
|
||||
corenet_tcp_bind_all_nodes(slapd_t)
|
||||
corenet_udp_bind_all_nodes(slapd_t)
|
||||
corenet_tcp_bind_ldap_port(slapd_t)
|
||||
corenet_tcp_connect_all_ports(slapd_t)
|
||||
|
||||
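Review bot: slapd_t still calls `corenet_raw_sendrecv_all_if(slapd_t)` and `corenet_raw_sendrecv_all_nodes(slapd_t)` after this change; going by the hunk line counts, both sit in the unchanged context of `@ -78,6 +78,7 @@` and `@ -86,9 +87,7 @@`. Most other daemon domains touched in this commit appear to lose their raw interface and node access (arpwatch also keeps it), and nothing on the page says why an LDAP server would need raw IP send/receive. If it is not needed, drop both calls so the cleanup is applied consistently. If it is needed, a one-line comment above them such as `# slapd needs raw IP for <reason>` would record the exception.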
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(lpd,1.2.2)
|
||||
policy_module(lpd,1.2.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -45,8 +45,10 @@ files_type(printconf_t)
|
||||
# This requires that /usr/sbin/checkpc have type checkpc_t.
|
||||
|
||||
allow checkpc_t self:capability { setgid setuid dac_override };
|
||||
allow checkpc_t self:process { fork signal_perms };
|
||||
allow checkpc_t self:process signal_perms;
|
||||
allow checkpc_t self:unix_stream_socket create_socket_perms;
|
||||
allow checkpc_t self:tcp_socket create_socket_perms;
|
||||
allow checkpc_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow checkpc_t checkpc_log_t:file create_file_perms;
|
||||
logging_log_filetrans(checkpc_t,checkpc_log_t,file)
|
||||
@ -63,19 +65,13 @@ allow checkpc_t printconf_t:dir { getattr search read };
|
||||
|
||||
kernel_read_system_state(checkpc_t)
|
||||
|
||||
allow checkpc_t self:tcp_socket create_socket_perms;
|
||||
allow checkpc_t self:udp_socket create_socket_perms;
|
||||
corenet_non_ipsec_sendrecv(checkpc_t)
|
||||
corenet_tcp_sendrecv_all_if(checkpc_t)
|
||||
corenet_udp_sendrecv_all_if(checkpc_t)
|
||||
corenet_raw_sendrecv_all_if(checkpc_t)
|
||||
corenet_tcp_sendrecv_all_nodes(checkpc_t)
|
||||
corenet_udp_sendrecv_all_nodes(checkpc_t)
|
||||
corenet_raw_sendrecv_all_nodes(checkpc_t)
|
||||
corenet_tcp_sendrecv_all_ports(checkpc_t)
|
||||
corenet_udp_sendrecv_all_ports(checkpc_t)
|
||||
corenet_non_ipsec_sendrecv(checkpc_t)
|
||||
corenet_tcp_bind_all_nodes(checkpc_t)
|
||||
corenet_udp_bind_all_nodes(checkpc_t)
|
||||
corenet_tcp_connect_all_ports(checkpc_t)
|
||||
|
||||
dev_append_printer(checkpc_t)
|
||||
@ -127,6 +123,8 @@ allow lpd_t self:process signal_perms;
|
||||
allow lpd_t self:fifo_file rw_file_perms;
|
||||
allow lpd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow lpd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow lpd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow lpd_t self:udp_socket create_stream_socket_perms;
|
||||
|
||||
allow lpd_t lpd_tmp_t:dir create_dir_perms;
|
||||
allow lpd_t lpd_tmp_t:file create_file_perms;
|
||||
@ -159,19 +157,14 @@ kernel_tcp_recvfrom(lpd_t)
|
||||
# bash wants access to /proc/meminfo
|
||||
kernel_read_system_state(lpd_t)
|
||||
|
||||
allow lpd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow lpd_t self:udp_socket create_stream_socket_perms;
|
||||
corenet_non_ipsec_sendrecv(lpd_t)
|
||||
corenet_tcp_sendrecv_all_if(lpd_t)
|
||||
corenet_udp_sendrecv_all_if(lpd_t)
|
||||
corenet_raw_sendrecv_all_if(lpd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(lpd_t)
|
||||
corenet_udp_sendrecv_all_nodes(lpd_t)
|
||||
corenet_raw_sendrecv_all_nodes(lpd_t)
|
||||
corenet_tcp_sendrecv_all_ports(lpd_t)
|
||||
corenet_udp_sendrecv_all_ports(lpd_t)
|
||||
corenet_non_ipsec_sendrecv(lpd_t)
|
||||
corenet_tcp_bind_all_nodes(lpd_t)
|
||||
corenet_udp_bind_all_nodes(lpd_t)
|
||||
corenet_tcp_bind_printer_port(lpd_t)
|
||||
|
||||
dev_read_sysfs(lpd_t)
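Review bot: The `allow lpd_t self:udp_socket create_stream_socket_perms;` rule that lands in the self-rules block of the `@ -127,6 +123,8` hunk gives a datagram socket class the stream permission set, which adds `listen` and `accept` that a UDP socket has no use for. The rule appears to be carried over unchanged from the networking block further down (the +/- markers are lost in this rendering, so the sides are read from the hunk counts). The move is a good moment to narrow it to `allow lpd_t self:udp_socket create_socket_perms;`, matching what checkpc_t gets in the same file. The rest of the lpd_t rules lie outside the hunks shown.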
|
||||
|
@ -486,17 +486,14 @@ interface(`sysnet_dns_name_resolve',`
|
||||
|
||||
allow $1 self:tcp_socket create_socket_perms;
|
||||
allow $1 self:udp_socket create_socket_perms;
|
||||
|
||||
corenet_non_ipsec_sendrecv($1)
|
||||
corenet_tcp_sendrecv_all_if($1)
|
||||
corenet_udp_sendrecv_all_if($1)
|
||||
corenet_raw_sendrecv_all_if($1)
|
||||
corenet_tcp_sendrecv_all_nodes($1)
|
||||
corenet_udp_sendrecv_all_nodes($1)
|
||||
corenet_raw_sendrecv_all_nodes($1)
|
||||
corenet_tcp_sendrecv_dns_port($1)
|
||||
corenet_udp_sendrecv_dns_port($1)
|
||||
corenet_non_ipsec_sendrecv($1)
|
||||
corenet_tcp_bind_all_nodes($1)
|
||||
corenet_udp_bind_all_nodes($1)
|
||||
corenet_tcp_connect_dns_port($1)
|
||||
|
||||
files_search_etc($1)
|
||||
@ -520,13 +517,10 @@ interface(`sysnet_use_ldap',`
|
||||
|
||||
allow $1 self:tcp_socket create_socket_perms;
|
||||
|
||||
corenet_tcp_sendrecv_all_if($1)
|
||||
corenet_raw_sendrecv_all_if($1)
|
||||
corenet_tcp_sendrecv_all_nodes($1)
|
||||
corenet_raw_sendrecv_all_nodes($1)
|
||||
corenet_tcp_sendrecv_ldap_port($1)
|
||||
corenet_non_ipsec_sendrecv($1)
|
||||
corenet_tcp_bind_all_nodes($1)
|
||||
corenet_tcp_sendrecv_all_if($1)
|
||||
corenet_tcp_sendrecv_all_nodes($1)
|
||||
corenet_tcp_sendrecv_ldap_port($1)
|
||||
corenet_tcp_connect_ldap_port($1)
|
||||
|
||||
files_search_etc($1)
|
||||
@ -551,17 +545,13 @@ interface(`sysnet_use_portmap',`
|
||||
allow $1 self:tcp_socket create_socket_perms;
|
||||
allow $1 self:udp_socket create_socket_perms;
|
||||
|
||||
corenet_non_ipsec_sendrecv($1)
|
||||
corenet_tcp_sendrecv_all_if($1)
|
||||
corenet_udp_sendrecv_all_if($1)
|
||||
corenet_raw_sendrecv_all_if($1)
|
||||
corenet_tcp_sendrecv_all_nodes($1)
|
||||
corenet_udp_sendrecv_all_nodes($1)
|
||||
corenet_raw_sendrecv_all_nodes($1)
|
||||
corenet_tcp_sendrecv_portmap_port($1)
|
||||
corenet_udp_sendrecv_portmap_port($1)
|
||||
corenet_non_ipsec_sendrecv($1)
|
||||
corenet_tcp_bind_all_nodes($1)
|
||||
corenet_udp_bind_all_nodes($1)
|
||||
corenet_tcp_connect_portmap_port($1)
|
||||
|
||||
files_search_etc($1)
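Review bot: `sysnet_dns_name_resolve`, `sysnet_use_ldap` and `sysnet_use_portmap` seem to stop granting node binding and raw interface/node access to `$1` (read from the hunk counts, since the +/- markers are lost here), and nothing in the interface bodies records that. Every caller's permissions shrink silently, so a domain that calls bind() explicitly, as RPC clients talking to portmap sometimes do, would start logging `node_bind` denials with no hint in the policy source. A comment above the corenet calls in each interface would make the contract visible, for example `# Node binding is not granted here; callers that bind() must request it themselves.` The interface headers and their `## <summary>` blocks are outside the hunks, so whether they already say this cannot be seen from here.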
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(sysnetwork,1.1.3)
|
||||
policy_module(sysnetwork,1.1.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
|