rpms
/
selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

deprecate module name as first parameter of optional_policy()

This commit is contained in:
Chris PeBenito 2006-03-24 16:13:54 +00:00
parent 0db866cbf4
commit bb7170f673
178 changed files with 1194 additions and 1179 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
refpolicy/Changelog
View File

@ -1,3 +1,5 @@
- Deprecate module name as first parameter of optional_policy()
now that optionals are allowed everywhere.
- Enable optional blocks in base module and monolithic policy.
This requires checkpolicy 1.30.1.
- Fix vpn module declaration.

10
refpolicy/policy/modules/admin/acct.te
View File

@ -77,8 +77,8 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(acct_t)
')
optional_policy(`cron',`
optional_policy(`authlogin',`
optional_policy(`
optional_policy(`
# for monthly cron job
auth_log_filetrans_login_records(acct_t)
auth_manage_login_records(acct_t)
@ -87,15 +87,15 @@ optional_policy(`cron',`
cron_system_entry(acct_t,acct_exec_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(acct_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(acct_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(acct_t)
')

2
refpolicy/policy/modules/admin/alsa.te
View File

@ -46,6 +46,6 @@ miscfiles_read_localization(alsa_t)
userdom_manage_unpriv_user_semaphores(alsa_t)
userdom_manage_unpriv_user_shared_mem(alsa_t)
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(alsa_t)
')

14
refpolicy/policy/modules/admin/amanda.te
View File

@ -77,7 +77,7 @@ role system_r types amanda_recover_t;
type amanda_recover_dir_t;
files_type(amanda_recover_dir_t)
optional_policy(`prelink',`
optional_policy(`
prelink_object_file(amanda_usr_lib_t)
')
@ -169,19 +169,19 @@ libs_use_shared_libs(amanda_t)
sysnet_read_config(amanda_t)
optional_policy(`authlogin',`
optional_policy(`
auth_read_shadow(amanda_t)
')
optional_policy(`logging',`
optional_policy(`
logging_send_syslog_msg(amanda_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(amanda_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(amanda_t)
')
@ -254,10 +254,10 @@ sysnet_read_config(amanda_recover_t)
userdom_search_sysadm_home_content_dirs(amanda_recover_t)
optional_policy(`mount',`
optional_policy(`
mount_send_nfs_client_request(amanda_recover_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(amanda_recover_t)
')

12
refpolicy/policy/modules/admin/anaconda.te
View File

@ -31,28 +31,28 @@ ifdef(`distro_redhat',`
bootloader_create_runtime_file(anaconda_t)
')
optional_policy(`dmesg',`
optional_policy(`
dmesg_domtrans(anaconda_t)
')
optional_policy(`kudzu',`
optional_policy(`
kudzu_domtrans(anaconda_t)
')
optional_policy(`rpm',`
optional_policy(`
rpm_domtrans(anaconda_t)
')
optional_policy(`udev',`
optional_policy(`
udev_domtrans(anaconda_t)
')
optional_policy(`usermanage',`
optional_policy(`
usermanage_domtrans_admin_passwd(anaconda_t)
')
ifdef(`TODO',`
optional_policy(`ssh',`
optional_policy(`
role system_r types sysadm_ssh_agent_t;
domain_auto_trans(anaconda_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
')

8
refpolicy/policy/modules/admin/apt.te
View File

@ -115,22 +115,22 @@ ifdef(`targeted_policy',`
')
# with boolean, for cron-apt and such?
#optional_policy(`cron',`
#optional_policy(`
# cron_system_entry(apt_t,apt_exec_t)
#')
optional_policy(`dpkg',`
optional_policy(`
# dpkg interaction
dpkg_read_db(apt_t)
dpkg_domtrans(apt_t)
dpkg_lock_db(apt_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(apt_t)
')
optional_policy(`rpm',`
optional_policy(`
rpm_read_db(apt_t)
rpm_domtrans(apt_t)
')

12
refpolicy/policy/modules/admin/bootloader.te
View File

@ -175,18 +175,18 @@ ifdef(`targeted_policy',`
term_use_generic_ptys(bootloader_t)
')
optional_policy(`fstools',`
optional_policy(`
fstools_exec(bootloader_t)
')
optional_policy(`lvm',`
optional_policy(`
dev_rw_lvm_control(bootloader_t)
lvm_domtrans(bootloader_t)
lvm_read_config(bootloader_t)
')
optional_policy(`modutils',`
optional_policy(`
modutils_exec_insmod(bootloader_t)
modutils_read_module_deps(bootloader_t)
modutils_read_module_config(bootloader_t)
@ -195,15 +195,15 @@ optional_policy(`modutils',`
modutils_exec_update_mods(bootloader_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(bootloader_t)
')
optional_policy(`rpm',`
optional_policy(`
rpm_rw_pipes(bootloader_t)
')
optional_policy(`userdomain',`
optional_policy(`
userdom_dontaudit_search_staff_home_dirs(bootloader_t)
userdom_dontaudit_search_sysadm_home_dirs(bootloader_t)
')

2
refpolicy/policy/modules/admin/certwatch.te
View File

@ -29,6 +29,6 @@ miscfiles_read_localization(certwatch_t)
apache_exec_modules(certwatch_t)
optional_policy(`cron',`
optional_policy(`
cron_system_entry(certwatch_t,certwatch_exec_t)
')

24
refpolicy/policy/modules/admin/consoletype.te
View File

@ -67,60 +67,60 @@ ifdef(`distro_redhat',`
fs_rw_tmpfs_chr_files(consoletype_t)
')
optional_policy(`apm',`
optional_policy(`
apm_use_fds(consoletype_t)
apm_write_pipes(consoletype_t)
')
optional_policy(`authlogin', `
optional_policy(`
auth_read_pam_pid(consoletype_t)
')
optional_policy(`cron',`
optional_policy(`
cron_read_pipes(consoletype_t)
cron_use_system_job_fds(consoletype_t)
')
optional_policy(`firstboot',`
optional_policy(`
files_read_etc_files(consoletype_t)
firstboot_use_fds(consoletype_t)
firstboot_write_pipes(consoletype_t)
')
optional_policy(`logrotate',`
optional_policy(`
logrotate_dontaudit_use_fds(consoletype_t)
')
optional_policy(`lpd',`
optional_policy(`
lpd_read_config(consoletype_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(consoletype_t)
')
optional_policy(`rpm',`
optional_policy(`
# Commonly used from postinst scripts
rpm_read_pipes(consoletype_t)
')
optional_policy(`userdomain',`
optional_policy(`
userdom_use_unpriv_users_fds(consoletype_t)
')
ifdef(`TODO',`
optional_policy(`xdm', `
optional_policy(`
allow consoletype_t xdm_tmp_t:file rw_file_perms;
')
# this goes to xdm module
ifdef(`targeted_policy',`
optional_policy(`consoletype',`
optional_policy(`
consoletype_domtrans(xdm_t)
')
')
optional_policy(`lpd', `
optional_policy(`
allow consoletype_t printconf_t:file r_file_perms;
')

4
refpolicy/policy/modules/admin/dmesg.te
View File

@ -64,11 +64,11 @@ ifdef(`strict_policy',`
userdom_use_sysadm_terms(dmesg_t)
userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(dmesg_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(dmesg_t)
')
')

18
refpolicy/policy/modules/admin/dpkg.te
View File

@ -180,15 +180,15 @@ ifdef(`targeted_policy',`
')
# TODO: allow?
#optional_policy(`cron',`
#optional_policy(`
# cron_system_entry(dpkg_t,dpkg_exec_t)
#')
optional_policy(`mount',`
optional_policy(`
mount_send_nfs_client_request(dpkg_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(dpkg_t)
')
@ -204,10 +204,10 @@ modutils_domtrans_insmod(dpkg_t)
seutil_domtrans_loadpolicy(dpkg_t)
seutil_domtrans_restorecon(dpkg_t)
userdom_use_all_users_fds(dpkg_t)
optional_policy(`mta',`
optional_policy(`
mta_send_mail(dpkg_t)
')
optional_policy(`usermanage',`
optional_policy(`
usermanage_domtrans_groupadd(dpkg_t)
usermanage_domtrans_useradd(dpkg_t)
')
@ -325,7 +325,7 @@ ifdef(`distro_redhat',`
ifdef(`targeted_policy',`
unconfined_domain(dpkg_script_t)
',`
optional_policy(`bootloader',`
optional_policy(`
bootloader_domtrans(dpkg_script_t)
')
')
@ -334,15 +334,15 @@ tunable_policy(`allow_execmem',`
allow dpkg_script_t self:process execmem;
')
optional_policy(`mta',`
optional_policy(`
mta_send_mail(dpkg_script_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(dpkg_script_t)
')
optional_policy(`usermanage',`
optional_policy(`
usermanage_domtrans_groupadd(dpkg_script_t)
usermanage_domtrans_useradd(dpkg_script_t)
')

6
refpolicy/policy/modules/admin/firstboot.te
View File

@ -111,15 +111,15 @@ ifdef(`targeted_policy',`
unconfined_domtrans(firstboot_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(firstboot_t)
')
optional_policy(`samba',`
optional_policy(`
samba_rw_config(firstboot_t)
')
optional_policy(`usermanage',`
optional_policy(`
usermanage_domtrans_chfn(firstboot_t)
usermanage_domtrans_groupadd(firstboot_t)
usermanage_domtrans_passwd(firstboot_t)

16
refpolicy/policy/modules/admin/kudzu.te
View File

@ -135,34 +135,34 @@ ifdef(`targeted_policy',`
unconfined_domain(kudzu_t)
')
optional_policy(`gpm',`
optional_policy(`
gpm_getattr_gpmctl(kudzu_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(kudzu_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(kudzu_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(kudzu_t)
')
ifdef(`TODO',`
allow kudzu_t modules_conf_t:file unlink;
optional_policy(`lpd',`
optional_policy(`
allow kudzu_t printconf_t:file { getattr read };
')
optional_policy(`xserver',`
optional_policy(`
allow kudzu_t xserver_exec_t:file getattr;
')
optional_policy(`rhgb',`
optional_policy(`
allow kudzu_t rhgb_t:unix_stream_socket connectto;
')
optional_policy(`userhelper',`
optional_policy(`
role system_r types sysadm_userhelper_t;
domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
')

24
refpolicy/policy/modules/admin/logrotate.te
View File

@ -135,59 +135,59 @@ ifdef(`targeted_policy',`
unconfined_domain(logrotate_t)
')
optional_policy(`acct',`
optional_policy(`
acct_domtrans(logrotate_t)
acct_manage_data(logrotate_t)
acct_exec_data(logrotate_t)
')
optional_policy(`apache',`
optional_policy(`
apache_read_config(logrotate_t)
apache_domtrans(logrotate_t)
apache_signull(logrotate_t)
')
optional_policy(`consoletype',`
optional_policy(`
consoletype_exec(logrotate_t)
')
optional_policy(`cups',`
optional_policy(`
cups_domtrans(logrotate_t)
')
optional_policy(`hostname',`
optional_policy(`
hostname_exec(logrotate_t)
')
optional_policy(`samba',`
optional_policy(`
samba_exec_log(logrotate_t)
')
optional_policy(`mailman',`
optional_policy(`
mailman_exec(logrotate_t)
mailman_search_data(logrotate_t)
mailman_manage_log(logrotate_t)
')
optional_policy(`mysql',`
optional_policy(`
mysql_read_config(logrotate_t)
mysql_search_db(logrotate_t)
mysql_stream_connect(logrotate_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(logrotate_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(logrotate_t)
')
optional_policy(`slrnpull',`
optional_policy(`
slrnpull_manage_spool(logrotate_t)
')
optional_policy(`squid',`
optional_policy(`
# cjp: why?
squid_domtrans(logrotate_t)
')

16
refpolicy/policy/modules/admin/logwatch.te
View File

@ -78,35 +78,35 @@ userdom_dontaudit_getattr_sysadm_home_dirs(logwatch_t)
mta_send_mail(logwatch_t)
optional_policy(`apache',`
optional_policy(`
apache_read_log(logwatch_t)
')
optional_policy(`bind',`
optional_policy(`
bind_read_config(logwatch_t)
bind_read_zone(logwatch_t)
')
optional_policy(`cron',`
optional_policy(`
cron_system_entry(logwatch_t, logwatch_exec_t)
')
optional_policy(`mta',`
optional_policy(`
mta_getattr_spool(logwatch_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(logwatch_t)
')
optional_policy(`ntp',`
optional_policy(`
ntp_domtrans(logwatch_t)
')
optional_policy(`rpc',`
optional_policy(`
rpc_search_nfs_state_data(logwatch_t)
')
optional_policy(`samba',`
optional_policy(`
samba_read_log(logwatch_t)
')

16
refpolicy/policy/modules/admin/mrtg.te
View File

@ -131,36 +131,36 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(mrtg_t)
')
optional_policy(`apache',`
optional_policy(`
apache_manage_sys_content(mrtg_t)
')
optional_policy(`cron',`
optional_policy(`
cron_system_entry(mrtg_t,mrtg_exec_t)
')
optional_policy(`hostname',`
optional_policy(`
hostname_exec(mrtg_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(mrtg_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(mrtg_t)
')
optional_policy(`quota',`
optional_policy(`
quota_dontaudit_getattr_db(mrtg_t)
')
optional_policy(`snmp',`
optional_policy(`
snmp_udp_chat(mrtg_t)
snmp_read_snmp_var_lib_files(mrtg_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(mrtg_t)
')

14
refpolicy/policy/modules/admin/netutils.te
View File

@ -83,7 +83,7 @@ ifdef(`targeted_policy',`
term_use_unallocated_ttys(netutils_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(netutils_t)
')
@ -146,19 +146,19 @@ ifdef(`targeted_policy',`
')
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(ping_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(ping_t)
')
optional_policy(`pcmcia',`
optional_policy(`
pcmcia_use_cardmgr_fds(ping_t)
')
optional_policy(`hotplug',`
optional_policy(`
hotplug_use_fds(ping_t)
')
@ -228,11 +228,11 @@ tunable_policy(`user_ping',`
term_use_all_user_ptys(traceroute_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(traceroute_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(traceroute_t)
')

2
refpolicy/policy/modules/admin/portage.if
View File

@ -201,7 +201,7 @@ template(`portage_compile_domain_template',`
ifdef(`TODO',`
# some gui ebuilds want to interact with X server, like xawtv
optional_policy(`xdm',`
optional_policy(`
allow $1_t xdm_xserver_tmp_t:dir { add_name remove_name write };
allow $1_t xdm_xserver_tmp_t:sock_file { create getattr unlink write };
')

6
refpolicy/policy/modules/admin/portage.te
View File

@ -85,17 +85,17 @@ init_exec(portage_t)
# run setfiles -r
seutil_domtrans_setfiles(portage_t)
optional_policy(`bootloader',`
optional_policy(`
bootloader_domtrans(portage_t)
')
optional_policy(`modutils',`
optional_policy(`
modutils_domtrans_depmod(portage_t)
modutils_domtrans_update_mods(portage_t)
#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
')
optional_policy(`usermanage',`
optional_policy(`
usermanage_domtrans_groupadd(portage_t)
usermanage_domtrans_useradd(portage_t)
')

2
refpolicy/policy/modules/admin/prelink.te
View File

@ -78,6 +78,6 @@ libs_delete_lib_symlinks(prelink_t)
miscfiles_read_localization(prelink_t)
optional_policy(`cron',`
optional_policy(`
cron_system_entry(prelink_t, prelink_exec_t)
')

4
refpolicy/policy/modules/admin/quota.te
View File

@ -67,11 +67,11 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(quota_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(quota_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(quota_t)
')

2
refpolicy/policy/modules/admin/readahead.te
View File

@ -76,6 +76,6 @@ ifdef(`targeted_policy',`
term_dontaudit_use_generic_ptys(readahead_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(readahead_t)
')

26
refpolicy/policy/modules/admin/rpm.te
View File

@ -187,15 +187,15 @@ ifdef(`targeted_policy',`
logging_log_filetrans(rpm_t,rpm_log_t,file)
')
optional_policy(`cron',`
optional_policy(`
cron_system_entry(rpm_t,rpm_exec_t)
')
optional_policy(`mount',`
optional_policy(`
mount_send_nfs_client_request(rpm_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(rpm_t)
')
@ -212,7 +212,7 @@ allow rpm_t mount_t:tcp_socket write;
allow rpm_t rpc_pipefs_t:dir search;
optional_policy(`gnome-pty-helper',`
optional_policy(`
allow rpm_t sysadm_gph_t:fd use;
')
') dnl endif TODO
@ -337,13 +337,13 @@ ifdef(`distro_redhat',`
ifdef(`targeted_policy',`
unconfined_domain(rpm_script_t)
',`
optional_policy(`bootloader',`
optional_policy(`
bootloader_domtrans(rpm_script_t)
')
')
ifdef(`distro_redhat',`
optional_policy(`mta',`
optional_policy(`
mta_send_mail(rpm_script_t)
')
')
@ -352,21 +352,21 @@ tunable_policy(`allow_execmem',`
allow rpm_script_t self:process execmem;
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(rpm_script_t)
')
optional_policy(`usermanage',`
optional_policy(`
usermanage_domtrans_groupadd(rpm_script_t)
usermanage_domtrans_useradd(rpm_script_t)
')
ifdef(`TODO',`
optional_policy(`lpd',`
optional_policy(`
can_exec(rpm_script_t,printconf_t)
')
optional_policy(`cups',`
optional_policy(`
allow cupsd_t rpm_var_lib_t:dir r_dir_perms;
allow cupsd_t rpm_var_lib_t:file r_file_perms;
allow cupsd_t rpb_var_lib_t:lnk_file r_file_perms;
@ -374,16 +374,16 @@ allow cupsd_t initrc_exec_t:file r_file_perms;
domain_auto_trans(rpm_script_t, cupsd_exec_t, cupsd_t)
')
optional_policy(`ssh-agent',`
optional_policy(`
domain_auto_trans(rpm_script_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
')
optional_policy(`prelink',`
optional_policy(`
domain_auto_trans(rpm_t, prelink_exec_t, prelink_t)
')
ifdef(`hide_broken_symptoms', `
optional_policy(`pamconsole',`
optional_policy(`
domain_trans(rpm_t, pam_console_exec_t, rpm_script_t)
')
')

14
refpolicy/policy/modules/admin/su.if
View File

@ -61,15 +61,15 @@ template(`su_restricted_domain_template', `
miscfiles_read_localization($1_su_t)
optional_policy(`cron',`
optional_policy(`
cron_read_pipes($1_su_t)
')
optional_policy(`kerberos',`
optional_policy(`
kerberos_use($1_su_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use($1_su_t)
')
@ -206,20 +206,20 @@ template(`su_per_userdomain_template',`
fs_search_cifs($1_su_t)
')
optional_policy(`cron',`
optional_policy(`
cron_read_pipes($1_su_t)
')
optional_policy(`kerberos',`
optional_policy(`
kerberos_use($1_su_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use($1_su_t)
')
# Modify .Xauthority file (via xauth program).
optional_policy(`xserver',`
optional_policy(`
# file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
# file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
# file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)

4
refpolicy/policy/modules/admin/sudo.if
View File

@ -129,11 +129,11 @@ template(`sudo_per_userdomain_template',`
# for some PAM modules and for cwd
userdom_dontaudit_search_all_users_home_content($1_sudo_t)
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind($1_sudo_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use($1_sudo_t)
')

2
refpolicy/policy/modules/admin/tmpreaper.te
View File

@ -44,7 +44,7 @@ miscfiles_delete_man_pages(tmpreaper_t)
cron_system_entry(tmpreaper_t,tmpreaper_exec_t)
optional_policy(`lpd',`
optional_policy(`
lpd_manage_spool(tmpreaper_t)
')

16
refpolicy/policy/modules/admin/updfstab.te
View File

@ -91,40 +91,40 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(updfstab_t)
')
optional_policy(`authlogin',`
optional_policy(`
auth_domtrans_pam_console(updfstab_t)
')
optional_policy(`dbus',`
optional_policy(`
init_dbus_chat_script(updfstab_t)
dbus_system_bus_client_template(updfstab,updfstab_t)
dbus_send_system_bus(updfstab_t)
')
optional_policy(`fstools',`
optional_policy(`
fstools_getattr_swap_files(updfstab_t)
')
optional_policy(`hal',`
optional_policy(`
hal_stream_connect(updfstab_t)
hal_dbus_chat(updfstab_t)
')
optional_policy(`modutils',`
optional_policy(`
modutils_read_module_config(updfstab_t)
modutils_exec_insmod(updfstab_t)
modutils_read_module_deps(updfstab_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(updfstab_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(updfstab_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(updfstab_t)
')

4
refpolicy/policy/modules/admin/usbmodules.te
View File

@ -39,10 +39,10 @@ libs_use_shared_libs(usbmodules_t)
modutils_read_module_deps(usbmodules_t)
optional_policy(`hotplug',`
optional_policy(`
hotplug_read_config(usbmodules_t)
')
optional_policy(`logging',`
optional_policy(`
logging_send_syslog_msg(usbmodules_t)
')

28
refpolicy/policy/modules/admin/usermanage.te
View File

@ -132,11 +132,11 @@ userdom_use_unpriv_users_fds(chfn_t)
# on user home dir
userdom_dontaudit_search_all_users_home_content(chfn_t)
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(chfn_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(chfn_t)
')
@ -178,7 +178,7 @@ logging_send_syslog_msg(crack_t)
userdom_dontaudit_search_sysadm_home_dirs(crack_t)
optional_policy(`cron',`
optional_policy(`
cron_system_entry(crack_t,crack_exec_t)
')
@ -248,20 +248,20 @@ userdom_use_unpriv_users_fds(groupadd_t)
# for when /root is the cwd
userdom_dontaudit_search_sysadm_home_dirs(groupadd_t)
optional_policy(`dpkg',`
optional_policy(`
dpkg_use_fds(groupadd_t)
dpkg_rw_pipes(groupadd_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(groupadd_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(groupadd_t)
')
optional_policy(`rpm',`
optional_policy(`
rpm_use_fds(groupadd_t)
rpm_rw_pipes(groupadd_t)
')
@ -346,11 +346,11 @@ userdom_read_all_users_state(passwd_t)
# on user home dir
userdom_dontaudit_search_all_users_home_content(passwd_t)
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(passwd_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(passwd_t)
')
@ -437,7 +437,7 @@ userdom_use_unpriv_users_fds(sysadm_passwd_t)
# on user home dir
userdom_dontaudit_search_all_users_home_content(sysadm_passwd_t)
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(sysadm_passwd_t)
')
@ -516,20 +516,20 @@ userdom_generic_user_home_dir_filetrans_generic_user_home_content(useradd_t,notd
mta_manage_spool(useradd_t)
optional_policy(`dpkg',`
optional_policy(`
dpkg_use_fds(useradd_t)
dpkg_rw_pipes(useradd_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(useradd_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(useradd_t)
')
optional_policy(`rpm',`
optional_policy(`
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')

2
refpolicy/policy/modules/admin/vbetool.te
View File

@ -30,6 +30,6 @@ libs_use_shared_libs(vbetool_t)
miscfiles_read_localization(vbetool_t)
optional_policy(`hal',`
optional_policy(`
hal_rw_pid_files(vbetool_t)
')

10
refpolicy/policy/modules/admin/vpn.te
View File

@ -106,22 +106,22 @@ sysnet_manage_config(vpnc_t)
userdom_use_all_users_fds(vpnc_t)
userdom_dontaudit_search_all_users_home_content(vpnc_t)
optional_policy(`dbus',`
optional_policy(`
dbus_system_bus_client_template(vpnc,vpnc_t)
dbus_send_system_bus(vpnc_t)
optional_policy(`networkmanager',`
optional_policy(`
networkmanager_dbus_chat(vpnc_t)
')
')
optional_policy(`mount',`
optional_policy(`
mount_send_nfs_client_request(vpnc_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(vpnc_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(vpnc_t)
')

10
refpolicy/policy/modules/apps/calamaris.te
View File

@ -76,22 +76,22 @@ userdom_dontaudit_list_sysadm_home_dirs(calamaris_t)
squid_read_log(calamaris_t)
optional_policy(`apache', `
optional_policy(`
apache_search_sys_content(calamaris_t)
')
optional_policy(`bind', `
optional_policy(`
bind_udp_chat_named(calamaris_t)
')
optional_policy(`cron', `
optional_policy(`
cron_system_entry(calamaris_t,calamaris_exec_t)
')
optional_policy(`mta',`
optional_policy(`
mta_send_mail(calamaris_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(calamaris_t)
')

8
refpolicy/policy/modules/apps/ethereal.if
View File

@ -143,24 +143,24 @@ template(`ethereal_per_userdomain_template',`
fs_manage_cifs_symlinks($1_ethereal_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use($1_ethereal_t)
')
# Manual transition from userhelper
optional_policy(`userhelper', `
optional_policy(`
userhelper_use_user_fd($1,$1_ethereal_t)
userhelper_sigchld_user($1,$1_ethereal_t)
')
optional_policy(`xserver',`
optional_policy(`
xserver_user_client_template($1,$1_ethereal_t,$1_ethereal_tmpfs_t)
xserver_create_xdm_tmp_sockets($1_ethereal_t)
')
ifdef(`TODO',`
# Why does it write this?
optional_policy(`snmpd.te', `
optional_policy(`
dontaudit sysadm_ethereal_t snmpd_var_lib_t:file write;
')
#TODO

2
refpolicy/policy/modules/apps/ethereal.te
View File

@ -52,6 +52,6 @@ seutil_use_newrole_fds(tethereal_t)
sysnet_dns_name_resolve(tethereal_t)
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(tethereal_t)
')

24
refpolicy/policy/modules/apps/evolution.if
View File

@ -376,16 +376,16 @@ template(`evolution_per_userdomain_template',`
#userdom_dontaudit_manage_user_home_subdirs($1,$1_evolution_t)
')
optional_policy(`automount',`
optional_policy(`
automount_read_state($1_evolution_t)
')
# Allow printing the mail
optional_policy(`cups',`
optional_policy(`
cups_read_rw_config($1_evolution_t)
')
optional_policy(`dbus',`
optional_policy(`
dbus_system_bus_client_template($1_evolution,$1_evolution_t)
dbus_send_system_bus($1_evolution_t)
dbus_user_bus_client_template($1,$1_evolution,$1_evolution_t)
@ -393,26 +393,26 @@ template(`evolution_per_userdomain_template',`
')
# Encrypt mail
optional_policy(`gpg',`
optional_policy(`
gpg_domtrans_user_gpg($1,$1_evolution_t)
gpg_signal_user_gpg($1,$1_evolution_t)
')
optional_policy(`lpd',`
optional_policy(`
lpd_domtrans_user_lpr($1,$1_evolution_t)
')
# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind($1_evolution_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use($1_evolution_exchange_t)
')
### Junk mail filtering (start spamd)
optional_policy(`spamassassin',`
optional_policy(`
spamassassin_exec_spamd($1_evolution_t)
spamassassin_domtrans_user_client($1,$1_evolution_t)
spamassassin_domtrans_user_local_client($1,$1_evolution_t)
@ -509,7 +509,7 @@ template(`evolution_per_userdomain_template',`
fs_manage_cifs_files($1_evolution_alarm_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use($1_evolution_alarm_t)
')
@ -590,7 +590,7 @@ template(`evolution_per_userdomain_template',`
fs_manage_cifs_files($1_evolution_exchange_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use($1_evolution_exchange_t)
')
@ -689,7 +689,7 @@ template(`evolution_per_userdomain_template',`
fs_manage_cifs_files($1_evolution_server_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use($1_evolution_server_t)
')
@ -740,7 +740,7 @@ template(`evolution_per_userdomain_template',`
xserver_user_client_template($1,$1_evolution_webcal_t,$1_evolution_webcal_tmpfs_t)
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use($1_evolution_webcal_t)
')

6
refpolicy/policy/modules/apps/games.if
View File

@ -148,11 +148,11 @@ template(`games_per_userdomain_template',`
allow $1_games_t self:process execmem;
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use($1_games_t)
')
optional_policy(`xserver',`
optional_policy(`
xserver_user_client_template($1,$1_games_t,$1_games_tmpfs_t)
xserver_create_xdm_tmp_sockets($1_games_t)
xserver_read_xdm_lib_files($1_games_t)
@ -167,7 +167,7 @@ template(`games_per_userdomain_template',`
allow $1_games_t $1_gnome_settings_t:file create_file_perms;
allow $1_games_t $1_gnome_settings_t:lnk_file create_lnk_perms;
#missing policy
optional_policy(`mozilla', `
optional_policy(`
dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto;
')
')

4
refpolicy/policy/modules/apps/games.te
View File

@ -68,11 +68,11 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_files(games_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(games_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(games_t)
')

2
refpolicy/policy/modules/apps/gpg.if
View File

@ -131,7 +131,7 @@ template(`gpg_per_userdomain_template',`
userdom_use_user_terminals($1,$1_gpg_t)
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind($1_gpg_t)
')

4
refpolicy/policy/modules/apps/irc.if
View File

@ -160,12 +160,12 @@ template(`irc_per_userdomain_template',`
fs_manage_cifs_symlinks($1_irc_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind($1_irc_t)
')
ifdef(`TODO',`
optional_policy(`ircd.te', `
optional_policy(`
allow $1_irc_t ircd_t:tcp_socket { connectto recvfrom };
allow ircd_t $1_irc_t:tcp_socket { acceptfrom recvfrom };
kernel_tcp_recvfrom($1_irc_t)

6
refpolicy/policy/modules/apps/java.if
View File

@ -161,15 +161,15 @@ template(`java_per_userdomain_template',`
miscfiles_legacy_read_localization($1_javaplugin_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind($1_javaplugin_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use($1_javaplugin_t)
')
optional_policy(`xserver',`
optional_policy(`
xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t)
')
')

2
refpolicy/policy/modules/apps/lockdev.if
View File

@ -81,7 +81,7 @@ template(`lockdev_per_userdomain_template',`
userdom_use_user_terminals($1, $1_lockdev_t)
optional_policy(`logging',`
optional_policy(`
logging_send_syslog_msg($1_t)
')
')

20
refpolicy/policy/modules/apps/mozilla.if
View File

@ -331,40 +331,40 @@ template(`mozilla_per_userdomain_template',`
')
optional_policy(`apache',`
optional_policy(`
apache_read_user_scripts($1,$1_mozilla_t)
apache_read_user_content($1,$1_mozilla_t)
')
optional_policy(`cups',`
optional_policy(`
cups_read_rw_config($1_mozilla_t)
')
optional_policy(`dbus', `
optional_policy(`
dbus_system_bus_client_template($1_mozilla,$1_mozilla_t)
dbus_send_system_bus($1_mozilla_t)
ifdef(`TODO',`
optional_policy(`cups', `
optional_policy(`
allow cupsd_t $1_mozilla_t:dbus send_msg;
')
')
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use($1_mozilla_t)
')
optional_policy(`squid',`
optional_policy(`
squid_use($1_mozilla_t)
')
optional_policy(`lpd',`
optional_policy(`
lpd_domtrans_user_lpr($1,$1_mozilla_t)
')
ifdef(`TODO',`
# Java plugin
optional_policy(`java',`
optional_policy(`
#reh, these are hacked in types due to the use of the java_per_userdomain_template
type $1_mozilla_tmp_t;
files_tmp_file($1_mozilla_tmp_t)
@ -381,7 +381,7 @@ template(`mozilla_per_userdomain_template',`
')
######### Launch mplayer
optional_policy(`mplayer',`
optional_policy(`
domain_auto_trans($1_mozilla_t, mplayer_exec_t, $1_mplayer_t)
dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };
dontaudit $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write };
@ -404,7 +404,7 @@ template(`mozilla_per_userdomain_template',`
# support (is this possible?).
# GNOME integration
optional_policy(`gnome',`
optional_policy(`
gnome_application($1_mozilla, $1)
gnome_file_dialog($1_mozilla, $1)
')

4
refpolicy/policy/modules/apps/mplayer.if
View File

@ -448,11 +448,11 @@ template(`mplayer_per_userdomain_template',`
userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_mplayer_t)
')
optional_policy(`alsa',`
optional_policy(`
alsa_read_rw_config($1_mplayer_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use($1_mplayer_t)
')
')

6
refpolicy/policy/modules/apps/screen.if
View File

@ -186,17 +186,17 @@ template(`screen_per_userdomain_template',`
fs_read_nfs_symlinks($1_screen_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind($1_screen_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use($1_screen_t)
')
ifdef(`TODO',`
# Inherit and use descriptors from gnome-pty-helper.
optional_policy(`gnome-pty-helper.te',`
optional_policy(`
allow $1_screen_t $1_gph_t:fd use;
')
') dnl TODO

2
refpolicy/policy/modules/apps/slocate.te
View File

@ -51,6 +51,6 @@ libs_use_ld_so(locate_t)
miscfiles_read_localization(locate_t)
optional_policy(`cron',`
optional_policy(`
cron_system_entry(locate_t, locate_exec_t)
')

12
refpolicy/policy/modules/apps/thunderbird.if
View File

@ -301,26 +301,26 @@ template(`thunderbird_per_userdomain_template',`
userdom_dontaudit_manage_user_home_content_dirs($1,$1_thunderbird_t)
')
optional_policy(`dbus', `
optional_policy(`
dbus_system_bus_client_template($1_thunderbird,$1_thunderbird_t)
dbus_user_bus_client_template($1,$1_thunderbird,$1_thunderbird_t)
dbus_send_system_bus($1_thunderbird_t)
dbus_send_user_bus($1,$1_thunderbird_t)
')
optional_policy(`lpr',`
optional_policy(`
lpd_domtrans_user_lpr($1,$1_thunderbird_t)
')
optional_policy(`cups',`
optional_policy(`
cups_read_rw_config($1_thunderbird_t)
')
optional_policy(`gpg', `
optional_policy(`
gpg_domtrans_user_gpg($1,$1_thunderbird_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind($1_thunderbird_t)
')
@ -343,7 +343,7 @@ template(`thunderbird_per_userdomain_template',`
')
# GNOME support
optional_policy(`gnome', `
optional_policy(`
gnome_application($1_thunderbird, $1)
gnome_file_dialog($1_thunderbird, $1)
allow $1_thunderbird_t $1_gnome_settings_t:file { read write };

2
refpolicy/policy/modules/apps/tvtime.if
View File

@ -142,7 +142,7 @@ template(`tvtime_per_userdomain_template',`
fs_manage_cifs_symlinks($1_tvtime_t)
')
optional_policy(`xserver',`
optional_policy(`
xserver_user_client_template($1,$1_tvtime_t,$1_tvtime_tmpfs_t)
')
')

14
refpolicy/policy/modules/apps/uml.if
View File

@ -187,24 +187,24 @@ template(`uml_per_userdomain_template',`
userdom_use_user_terminals($1,$1_uml_t)
optional_policy(`mount',`
optional_policy(`
mount_send_nfs_client_request($1_uml_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind($1_uml_t)
')
optional_policy(`ssh',`
optional_policy(`
ssh_tcp_connect($1_uml_t)
')
ifdef(`TODO',`
# for X
optional_policy(`startx',`
optional_policy(`
ifelse($1, sysadm,`
',`
optional_policy(`xdm',`
optional_policy(`
allow $1_uml_t xdm_xserver_tmp_t:dir search;
')
allow $1_uml_t $1_xserver_tmp_t:sock_file write;
@ -212,7 +212,7 @@ template(`uml_per_userdomain_template',`
')
')
optional_policy(`uml_net.te',`
optional_policy(`
# for uml_net
domain_auto_trans($1_uml_t, uml_net_exec_t, uml_net_t)
allow uml_net_t $1_uml_t:unix_stream_socket { read write };
@ -222,7 +222,7 @@ template(`uml_per_userdomain_template',`
dontaudit uml_net_t $1_uml_rw_t:dir { getattr search };
')
#TODO
optional_policy(`xauth',`
optional_policy(`
allow $1_uml_t $1_xauth_home_t:file { getattr read };
')
')

4
refpolicy/policy/modules/apps/uml.te
View File

@ -67,10 +67,10 @@ ifdef(`targeted_policy',`
term_dontaudit_use_generic_ptys(uml_switch_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(uml_switch_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(uml_switch_t)
')

16
refpolicy/policy/modules/apps/userhelper.if
View File

@ -161,7 +161,7 @@ template(`userhelper_per_userdomain_template',`
userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t)
ifdef(`distro_redhat',`
optional_policy(`rpm',`
optional_policy(`
# Allow transitioning to rpm_t, for up2date
rpm_domtrans($1_userhelper_t)
')
@ -174,19 +174,19 @@ template(`userhelper_per_userdomain_template',`
userdom_entry_spec_domtrans_sysadm($1_userhelper_t)
')
optional_policy(`ethereal',`
optional_policy(`
ethereal_domtrans_user_ethereal($1,$1_userhelper_t)
')
optional_policy(`logging',`
optional_policy(`
logging_send_syslog_msg($1_userhelper_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind($1_userhelper_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use($1_userhelper_t)
')
@ -195,14 +195,14 @@ template(`userhelper_per_userdomain_template',`
allow $1_userhelper_t xdm_var_run_t:dir search;
allow $1_userhelper_t xdm_t:fifo_file { getattr read write ioctl };
optional_policy(`gnome-pty-helper.te',`
optional_policy(`
allow $1_userhelper_t gphdomain:fd use;
')
optional_policy(`xauth', `
optional_policy(`
domain_auto_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t)
allow $1_userhelper_t $1_xauth_home_t:file { getattr read };
')
optional_policy(`mozilla', `
optional_policy(`
domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
')
# for when the network connection is killed

6
refpolicy/policy/modules/apps/usernetctl.if
View File

@ -60,15 +60,15 @@ interface(`usernetctl_run',`
sysnet_run_ifconfig(usernetctl_t,$2,$3)
sysnet_run_dhcpc(usernetctl_t,$2,$3)
optional_policy(`consoletype',`
optional_policy(`
consoletype_run(usernetctl_t,$2,$3)
')
optional_policy(`iptables',`
optional_policy(`
iptables_run(usernetctl_t,$2,$3)
')
optional_policy(`modutils',`
optional_policy(`
modutils_run_insmod(usernetctl_t,$2,$3)
')
')

4
refpolicy/policy/modules/apps/usernetctl.te
View File

@ -61,10 +61,10 @@ seutil_read_config(usernetctl_t)
sysnet_read_config(usernetctl_t)
optional_policy(`hostname',`
optional_policy(`
hostname_exec(usernetctl_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(usernetctl_t)
')

8
refpolicy/policy/modules/apps/webalizer.te
View File

@ -97,18 +97,18 @@ ifdef(`targeted_policy',`
term_use_unallocated_ttys(webalizer_t)
')
optional_policy(`ftp',`
optional_policy(`
ftp_read_log(webalizer_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(webalizer_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(webalizer_t)
')
optional_policy(`cron',`
optional_policy(`
cron_system_entry(webalizer_t,webalizer_exec_t)
')

10
refpolicy/policy/modules/kernel/domain.if
View File

@ -51,7 +51,7 @@ interface(`domain_type',`
')
# send init a sigchld and signull
optional_policy(`init',`
optional_policy(`
init_sigchld($1)
init_signull($1)
')
@ -59,20 +59,20 @@ interface(`domain_type',`
# these seem questionable:
# allow any domain to connect to the LDAP server
optional_policy(`ldap',`
optional_policy(`
ldap_use($1)
')
optional_policy(`rpm',`
optional_policy(`
rpm_use_fds($1)
rpm_read_pipes($1)
')
optional_policy(`selinux',`
optional_policy(`
selinux_dontaudit_read_fs($1)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_dontaudit_read_config($1)
')
')

2
refpolicy/policy/modules/kernel/files.if
View File

@ -411,7 +411,7 @@ interface(`files_read_all_files',`
allow $1 file_type:dir search;
allow $1 file_type:file r_file_perms;
optional_policy(`authlogin',`
optional_policy(`
auth_read_shadow($1)
')
')

18
refpolicy/policy/modules/kernel/kernel.te
View File

@ -247,32 +247,32 @@ tunable_policy(`read_default_t',`
files_read_default_pipes(kernel_t)
')
optional_policy(`hotplug',`
optional_policy(`
hotplug_search_config(kernel_t)
')
optional_policy(`init',`
optional_policy(`
init_sigchld(kernel_t)
')
optional_policy(`libraries',`
optional_policy(`
libs_use_ld_so(kernel_t)
libs_use_shared_libs(kernel_t)
')
optional_policy(`logging',`
optional_policy(`
logging_send_syslog_msg(kernel_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(kernel_t)
')
optional_policy(`portmap',`
optional_policy(`
portmap_udp_send(kernel_t)
')
optional_policy(`rpc',`
optional_policy(`
# nfs kernel server needs kernel UDP access. It is less risky and painful
# to just give it everything.
allow kernel_t self:tcp_socket create_stream_socket_perms;
@ -317,7 +317,7 @@ optional_policy(`rpc',`
')
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_read_config(kernel_t)
seutil_read_bin_policy(kernel_t)
')
@ -331,7 +331,7 @@ ifdef(`targeted_policy',`
allow unlabeled_t self:filesystem associate;
')
optional_policy(`init',`
optional_policy(`
# If you load a new policy that removes active domains, processes can
# get stuck if you do not allow unlabeled processes to signal init.
# If you load an incompatible policy, you should probably reboot,

6
refpolicy/policy/modules/services/amavis.te
View File

@ -134,15 +134,15 @@ cron_rw_pipes(amavis_t)
mta_read_config(amavis_t)
optional_policy(`clamav',`
optional_policy(`
clamav_stream_connect(amavis_t)
')
optional_policy(`ldap',`
optional_policy(`
ldap_use(amavis_t)
')
optional_policy(`spamassassin',`
optional_policy(`
spamassassin_exec(amavis_t)
spamassassin_exec_client(amavis_t)
')

8
refpolicy/policy/modules/services/apache.if
View File

@ -217,24 +217,24 @@ template(`apache_content_template',`
sysnet_read_config(httpd_$1_script_t)
')
optional_policy(`mount',`
optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
mount_send_nfs_client_request(httpd_$1_script_t)
')
')
optional_policy(`mta',`
optional_policy(`
mta_send_mail(httpd_$1_script_t)
')
optional_policy(`nis',`
optional_policy(`
tunable_policy(`httpd_enable_cgi && allow_ypbind',`
nis_use_ypbind_uncond(httpd_$1_script_t)
')
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(httpd_$1_script_t)
')
')

40
refpolicy/policy/modules/services/apache.te
View File

@ -122,7 +122,7 @@ ifdef(`targeted_policy',`
typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
')
optional_policy(`prelink',`
optional_policy(`
prelink_object_file(httpd_modules_t)
')
@ -396,19 +396,19 @@ tunable_policy(`httpd_tty_comm',`
userdom_dontaudit_use_sysadm_terms(httpd_t)
')
optional_policy(`calamaris',`
optional_policy(`
calamaris_read_www_files(httpd_t)
')
optional_policy(`daemontools',`
optional_policy(`
daemontools_service_domain(httpd_t, httpd_exec_t)
')
optional_policy(`kerberos',`
optional_policy(`
kerberos_use(httpd_t)
')
optional_policy(`mailman',`
optional_policy(`
mailman_signal_cgi(httpd_t)
mailman_domtrans_cgi(httpd_t)
# should have separate types for public and private archives
@ -416,25 +416,25 @@ optional_policy(`mailman',`
mailman_read_archive(httpd_t)
')
optional_policy(`mysql',`
optional_policy(`
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(httpd_t)
')
optional_policy(`postgresql',`
optional_policy(`
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(httpd_t)
')
optional_policy(`udev', `
optional_policy(`
udev_read_db(httpd_t)
')
@ -509,11 +509,11 @@ libs_use_shared_libs(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
optional_policy(`mysql',`
optional_policy(`
mysql_stream_connect(httpd_php_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(httpd_php_t)
')
@ -632,28 +632,28 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_exec_cifs_files(httpd_suexec_t)
')
optional_policy(`mailman',`
optional_policy(`
mailman_domtrans_cgi(httpd_suexec_t)
')
optional_policy(`mount',`
optional_policy(`
tunable_policy(`httpd_can_network_connect',`
mount_send_nfs_client_request(httpd_suexec_t)
')
')
optional_policy(`mta',`
optional_policy(`
mta_stub(httpd_suexec_t)
# apache should set close-on-exec
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(httpd_suexec_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(httpd_suexec_t)
')
@ -687,7 +687,7 @@ ifdef(`targeted_policy',`
')
')
optional_policy(`mysql',`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
')
@ -699,10 +699,10 @@ optional_policy(`mysql',`
unconfined_domain(httpd_unconfined_script_t)
optional_policy(`cron',`
optional_policy(`
cron_system_entry(httpd_t, httpd_exec_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(httpd_unconfined_script_t)
')

30
refpolicy/policy/modules/services/apm.te
View File

@ -156,15 +156,15 @@ ifdef(`distro_redhat',`
can_exec(apmd_t, apmd_var_run_t)
# ifconfig_exec_t needs to be run in its own domain for Red Hat
optional_policy(`sysnetwork',`
optional_policy(`
sysnet_domtrans_ifconfig(apmd_t)
')
optional_policy(`iptables',`
optional_policy(`
iptables_domtrans(apmd_t)
')
optional_policy(`netutils',`
optional_policy(`
netutils_domtrans(apmd_t)
')
@ -186,50 +186,50 @@ ifdef(`targeted_policy',`
unconfined_domain(apmd_t)
')
optional_policy(`automount',`
optional_policy(`
automount_domtrans(apmd_t)
')
optional_policy(`clock',`
optional_policy(`
clock_domtrans(apmd_t)
clock_rw_adjtime(apmd_t)
')
optional_policy(`cron',`
optional_policy(`
cron_system_entry(apmd_t, apmd_exec_t)
cron_anacron_domtrans_system_job(apmd_t)
')
optional_policy(`dbus',`
optional_policy(`
dbus_stub(apmd_t)
optional_policy(`networkmanager',`
optional_policy(`
networkmanager_dbus_chat(apmd_t)
')
')
optional_policy(`logrotate',`
optional_policy(`
logrotate_use_fds(apmd_t)
')
optional_policy(`mta',`
optional_policy(`
mta_send_mail(apmd_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(apmd_t)
')
optional_policy(`pcmcia',`
optional_policy(`
pcmcia_domtrans_cardmgr(apmd_t)
pcmcia_domtrans_cardctl(apmd_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(apmd_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(apmd_t)
udev_read_state(apmd_t) #necessary?
')
@ -237,7 +237,7 @@ optional_policy(`udev',`
ifdef(`TODO',`
allow apmd_t proc_t:file write;
allow apmd_t user_tty_type:chr_file { ioctl read getattr lock write append };
optional_policy(`cron',`
optional_policy(`
allow apmd_t crond_t:fifo_file { getattr read write ioctl };
')
')

8
refpolicy/policy/modules/services/arpwatch.te
View File

@ -99,19 +99,19 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(arpwatch_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(arpwatch_t)
')
optional_policy(`qmail',`
optional_policy(`
corecmd_search_bin(arpwatch_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(arpwatch_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(arpwatch_t)
')

4
refpolicy/policy/modules/services/audioentropy.te
View File

@ -62,11 +62,11 @@ ifdef(`targeted_policy', `
term_dontaudit_use_generic_ptys(entropyd_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(entropyd_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(entropyd_t)
')

14
refpolicy/policy/modules/services/automount.te
View File

@ -140,30 +140,30 @@ ifdef(`targeted_policy', `
term_dontaudit_use_generic_ptys(automount_t)
')
optional_policy(`apm',`
optional_policy(`
corecmd_exec_bin(automount_t)
')
optional_policy(`bind',`
optional_policy(`
bind_search_cache(automount_t)
')
optional_policy(`fstools',`
optional_policy(`
fstools_domtrans(automount_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(automount_t)
')
optional_policy(`rpc',`
optional_policy(`
rpc_search_nfs_state_data(automount_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(automount_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(automount_t)
')

8
refpolicy/policy/modules/services/avahi.te
View File

@ -88,20 +88,20 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(avahi_t)
')
optional_policy(`dbus',`
optional_policy(`
dbus_system_bus_client_template(avahi,avahi_t)
dbus_connect_system_bus(avahi_t)
dbus_send_system_bus(avahi_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(avahi_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(avahi_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(avahi_t)
')

22
refpolicy/policy/modules/services/bind.te
View File

@ -157,7 +157,7 @@ tunable_policy(`named_write_master_zones',`
allow named_t named_zone_t:lnk_file create_lnk_perms;
')
optional_policy(`dbus',`
optional_policy(`
gen_require(`
class dbus send_msg;
')
@ -172,16 +172,16 @@ optional_policy(`dbus',`
dbus_connect_system_bus(named_t)
dbus_send_system_bus(named_t)
optional_policy(`networkmanager',`
optional_policy(`
networkmanager_dbus_chat(named_t)
')
')
optional_policy(`mount',`
optional_policy(`
mount_send_nfs_client_request(named_t)
')
optional_policy(`networkmanager',`
optional_policy(`
# this seems like fds that arent being
# closed. these should probably be
# dontaudits instead.
@ -190,19 +190,19 @@ optional_policy(`networkmanager',`
networkmanager_rw_routing_sockets(named_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(named_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(named_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(named_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(named_t)
')
@ -280,14 +280,14 @@ ifdef(`targeted_policy',`
term_use_generic_ptys(ndc_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(ndc_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(ndc_t)
')
optional_policy(`ppp',`
optional_policy(`
ppp_dontaudit_use_fds(ndc_t)
')

16
refpolicy/policy/modules/services/bluetooth.te
View File

@ -144,21 +144,21 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(bluetooth_t)
')
optional_policy(`dbus',`
optional_policy(`
dbus_system_bus_client_template(bluetooth,bluetooth_t)
dbus_connect_system_bus(bluetooth_t)
dbus_send_system_bus(bluetooth_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(bluetooth_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(bluetooth_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(bluetooth_t)
')
@ -205,17 +205,17 @@ logging_send_syslog_msg(bluetooth_helper_t)
miscfiles_read_localization(bluetooth_helper_t)
miscfiles_read_fonts(bluetooth_helper_t)
optional_policy(`dbus',`
optional_policy(`
dbus_system_bus_client_template(bluetooth_helper,bluetooth_helper_t)
dbus_connect_system_bus(bluetooth_helper_t)
dbus_send_system_bus(bluetooth_helper_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(bluetooth_helper_t)
')
optional_policy(`xserver',`
optional_policy(`
xserver_stream_connect_xdm(bluetooth_helper_t)
')
@ -235,7 +235,7 @@ ifdef(`targeted_policy',`
allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto;
userdom_read_all_users_home_content_files(bluetooth_helper_t)
optional_policy(`xserver',`
optional_policy(`
xserver_stream_connect_xdm(bluetooth_helper_t)
')
')

6
refpolicy/policy/modules/services/canna.te
View File

@ -93,14 +93,14 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(canna_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(canna_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(canna_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(canna_t)
')

2
refpolicy/policy/modules/services/clamav.te
View File

@ -121,7 +121,7 @@ cron_use_fds(clamd_t)
cron_use_system_job_fds(clamd_t)
cron_rw_pipes(clamd_t)
optional_policy(`amavis',`
optional_policy(`
amavis_read_lib_files(clamd_t)
')

6
refpolicy/policy/modules/services/comsat.te
View File

@ -80,15 +80,15 @@ userdom_dontaudit_getattr_sysadm_ttys(comsat_t)
mta_getattr_spool(comsat_t)
optional_policy(`kerberos',`
optional_policy(`
kerberos_use(comsat_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(comsat_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(comsat_t)
')

12
refpolicy/policy/modules/services/cpucontrol.te
View File

@ -61,15 +61,15 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(cpucontrol_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(cpucontrol_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(cpucontrol_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(cpucontrol_t)
')
@ -115,14 +115,14 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(cpuspeed_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(cpuspeed_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(cpuspeed_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(cpuspeed_t)
')

4
refpolicy/policy/modules/services/cron.if
View File

@ -154,12 +154,12 @@ template(`cron_per_userdomain_template',`
allow crond_t $1_cron_spool_t:file create_file_perms;
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind($1_crond_t)
')
ifdef(`TODO',`
optional_policy(`apache',`
optional_policy(`
create_dir_file($1_crond_t, httpd_$1_content_t)
')
allow $1_crond_t tmp_t:dir rw_dir_perms;

48
refpolicy/policy/modules/services/cron.te
View File

@ -141,7 +141,7 @@ userdom_list_all_users_home_dirs(crond_t)
ifdef(`distro_redhat', `
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
optional_policy(`rpm',`
optional_policy(`
rpm_manage_log(crond_t)
')
')
@ -167,7 +167,7 @@ ifdef(`targeted_policy',`
allow crond_t unconfined_t:dbus send_msg;
allow crond_t initrc_t:dbus send_msg;
optional_policy(`mono',`
optional_policy(`
mono_domtrans(crond_t)
')
',`
@ -182,33 +182,33 @@ tunable_policy(`fcron_crond', `
allow crond_t system_cron_spool_t:file create_file_perms;
')
optional_policy(`amavis',`
optional_policy(`
amavis_search_lib(crond_t)
')
optional_policy(`hal',`
optional_policy(`
hal_dbus_send(crond_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(crond_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(crond_t)
')
optional_policy(`rpm',`
optional_policy(`
# Commonly used from postinst scripts
rpm_read_pipes(crond_t)
')
optional_policy(`postgresql',`
optional_policy(`
# allow crond to find /usr/lib/postgresql/bin/do.maintenance
postgresql_search_db(crond_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(crond_t)
')
@ -217,7 +217,7 @@ optional_policy(`udev',`
# System cron process domain
#
optional_policy(`squid',`
optional_policy(`
# cjp: why?
squid_domtrans(system_crond_t)
')
@ -348,7 +348,7 @@ ifdef(`targeted_policy',`
ifdef(`distro_redhat', `
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
optional_policy(`rpm',`
optional_policy(`
rpm_manage_log(system_crond_t)
')
')
@ -365,7 +365,7 @@ ifdef(`targeted_policy',`
seutil_read_file_contexts(system_crond_t)
')
optional_policy(`apache',`
optional_policy(`
# Needed for certwatch
apache_exec_modules(system_crond_t)
apache_read_config(system_crond_t)
@ -373,57 +373,57 @@ ifdef(`targeted_policy',`
apache_read_sys_content(system_crond_t)
')
optional_policy(`cyrus',`
optional_policy(`
cyrus_manage_data(system_crond_t)
')
optional_policy(`ftp',`
optional_policy(`
ftp_read_log(system_crond_t)
')
optional_policy(`inn',`
optional_policy(`
inn_manage_log(system_crond_t)
inn_manage_pid(system_crond_t)
inn_read_config(system_crond_t)
')
optional_policy(`mrtg',`
optional_policy(`
mrtg_append_create_logs(system_crond_t)
')
optional_policy(`mysql',`
optional_policy(`
mysql_read_config(system_crond_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(system_crond_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(system_crond_t)
')
optional_policy(`postfix',`
optional_policy(`
postfix_read_config(system_crond_t)
')
optional_policy(`prelink',`
optional_policy(`
prelink_read_cache(system_crond_t)
prelink_manage_log(system_crond_t)
prelink_delete_cache(system_crond_t)
')
optional_policy(`samba',`
optional_policy(`
samba_read_config(system_crond_t)
samba_read_log(system_crond_t)
#samba_read_secrets(system_crond_t)
')
optional_policy(`slocate',`
optional_policy(`
slocate_create_append_log(system_crond_t)
')
optional_policy(`sysstat',`
optional_policy(`
sysstat_manage_log(system_crond_t)
')

64
refpolicy/policy/modules/services/cups.te
View File

@ -203,51 +203,51 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(cupsd_t)
')
optional_policy(`cron',`
optional_policy(`
cron_system_entry(cupsd_t, cupsd_exec_t)
')
optional_policy(`dbus',`
optional_policy(`
dbus_system_bus_client_template(cupsd,cupsd_t)
dbus_send_system_bus(cupsd_t)
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`hal',`
optional_policy(`
hal_dbus_chat(cupsd_t)
')
')
optional_policy(`hostname',`
optional_policy(`
hostname_exec(cupsd_t)
')
optional_policy(`inetd',`
optional_policy(`
inetd_core_service_domain(cupsd_t,cupsd_exec_t,cupsd_t)
')
optional_policy(`mount',`
optional_policy(`
mount_send_nfs_client_request(cupsd_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(cupsd_t)
')
optional_policy(`portmap',`
optional_policy(`
portmap_udp_chat(cupsd_t)
')
optional_policy(`samba',`
optional_policy(`
samba_rw_var_files(cupsd_t)
# cjp: rw_dir_perms was here, but doesnt make sense
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(cupsd_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(cupsd_t)
')
@ -355,11 +355,11 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_files(ptal_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(ptal_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(ptal_t)
')
@ -456,15 +456,15 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_files(hplip_t)
')
optional_policy(`mount',`
optional_policy(`
mount_send_nfs_client_request(hplip_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(hplip_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(hplip_t)
')
@ -572,7 +572,7 @@ userdom_dontaudit_search_sysadm_home_dirs(cupsd_config_t)
ifdef(`distro_redhat',`
init_getattr_script_files(cupsd_config_t)
optional_policy(`rpm',`
optional_policy(`
rpm_read_db(cupsd_config_t)
')
')
@ -583,49 +583,49 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_files(cupsd_config_t)
')
optional_policy(`cron',`
optional_policy(`
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
')
optional_policy(`dbus',`
optional_policy(`
dbus_system_bus_client_template(cupsd_config,cupsd_config_t)
dbus_connect_system_bus(cupsd_config_t)
dbus_send_system_bus(cupsd_config_t)
optional_policy(`hal',`
optional_policy(`
hal_dbus_chat(cupsd_config_t)
')
')
optional_policy(`hal',`
optional_policy(`
hal_domtrans(cupsd_config_t)
')
optional_policy(`hostname',`
optional_policy(`
hostname_exec(cupsd_config_t)
')
optional_policy(`logrotate',`
optional_policy(`
logrotate_use_fds(cupsd_config_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(cupsd_config_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(cupsd_config_t)
')
optional_policy(`rpm',`
optional_policy(`
rpm_read_db(cupsd_config_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(cupsd_config_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(cupsd_config_t)
')
@ -641,7 +641,7 @@ ifdef(`targeted_policy', `
unconfined_read_pipes(cupsd_t)
optional_policy(`dbus',`
optional_policy(`
init_dbus_chat_script(cupsd_t)
unconfined_dbus_send(cupsd_t)
@ -671,7 +671,7 @@ allow cupsd_lpd_t self:udp_socket create_socket_perms;
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cupsd_lpd_t self:capability { setuid setgid };
files_search_home(cupsd_lpd_t)
optional_policy(`kerberos',`
optional_policy(`
kerberos_use(cupsd_lpd_t)
')
#end for identd
@ -724,10 +724,10 @@ miscfiles_read_localization(cupsd_lpd_t)
sysnet_read_config(cupsd_lpd_t)
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(cupsd_lpd_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(cupsd_lpd_t)
')

6
refpolicy/policy/modules/services/cvs.te
View File

@ -92,17 +92,17 @@ tunable_policy(`allow_cvs_read_shadow',`
auth_tunable_read_shadow(cvs_t)
')
optional_policy(`kerberos',`
optional_policy(`
kerberos_use(cvs_t)
kerberos_read_keytab(cvs_t)
kerberos_read_config(cvs_t)
kerberos_dontaudit_write_config(cvs_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(cvs_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(cvs_t)
')

12
refpolicy/policy/modules/services/cyrus.te
View File

@ -118,26 +118,26 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(cyrus_t)
')
optional_policy(`cron',`
optional_policy(`
cron_system_entry(cyrus_t,cyrus_exec_t)
')
optional_policy(`mount',`
optional_policy(`
mount_send_nfs_client_request(cyrus_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(cyrus_t)
')
optional_policy(`sasl',`
optional_policy(`
sasl_connect(cyrus_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(cyrus_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(cyrus_t)
')

6
refpolicy/policy/modules/services/dbskk.te
View File

@ -32,7 +32,7 @@ allow dbskkd_t self:udp_socket create_socket_perms;
allow dbskkd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow dbskkd_t self:capability { setuid setgid };
files_search_home(dbskkd_t)
optional_policy(`kerberos',`
optional_policy(`
kerberos_use(dbskkd_t)
')
#end for identd
@ -76,10 +76,10 @@ miscfiles_read_localization(dbskkd_t)
sysnet_read_config(dbskkd_t)
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(dbskkd_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(dbskkd_t)
')

4
refpolicy/policy/modules/services/dbus.if
View File

@ -164,11 +164,11 @@ template(`dbus_per_userdomain_template',`
files_read_default_pipes($1_dbusd_t)
')
optional_policy(`authlogin',`
optional_policy(`
auth_read_pam_console_data($1_dbusd_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use($1_dbusd_t)
')

8
refpolicy/policy/modules/services/dbus.te
View File

@ -124,18 +124,18 @@ tunable_policy(`read_default_t',`
files_read_default_pipes(system_dbusd_t)
')
optional_policy(`bind',`
optional_policy(`
bind_domtrans(system_dbusd_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(system_dbusd_t)
')
optional_policy(`sysnetwork',`
optional_policy(`
sysnet_domtrans_dhcpc(system_dbusd_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(system_dbusd_t)
')

12
refpolicy/policy/modules/services/dhcp.te
View File

@ -115,27 +115,27 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(dhcpd_t)
')
optional_policy(`bind',`
optional_policy(`
# used for dynamic DNS
bind_read_dnssec_keys(dhcpd_t)
')
optional_policy(`mount',`
optional_policy(`
mount_send_nfs_client_request(dhcpd_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(dhcpd_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(dhcpd_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(dhcpd_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(dhcpd_t)
')

8
refpolicy/policy/modules/services/dictd.te
View File

@ -87,18 +87,18 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(dictd_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(dictd_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(dictd_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(dictd_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(dictd_t)
')

6
refpolicy/policy/modules/services/distcc.te
View File

@ -95,14 +95,14 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(distccd_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(distccd_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(distccd_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(distccd_t)
')

16
refpolicy/policy/modules/services/dovecot.te
View File

@ -124,19 +124,19 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(dovecot_t)
')
optional_policy(`kerberos',`
optional_policy(`
kerberos_use(dovecot_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(dovecot_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(dovecot_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(dovecot_t)
')
@ -180,18 +180,18 @@ seutil_dontaudit_search_config(dovecot_auth_t)
sysnet_dns_name_resolve(dovecot_auth_t)
optional_policy(`kerberos',`
optional_policy(`
kerberos_use(dovecot_auth_t)
')
optional_policy(`logging',`
optional_policy(`
logging_send_syslog_msg(dovecot_auth_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(dovecot_auth_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(dovecot_auth_t)
')

4
refpolicy/policy/modules/services/fetchmail.te
View File

@ -98,10 +98,10 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(fetchmail_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(fetchmail_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(fetchmail_t)
')

12
refpolicy/policy/modules/services/finger.te
View File

@ -110,26 +110,26 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(fingerd_t)
')
optional_policy(`cron',`
optional_policy(`
cron_system_entry(fingerd_t,fingerd_exec_t)
')
optional_policy(`logrotate',`
optional_policy(`
logrotate_exec(fingerd_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(fingerd_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(fingerd_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(fingerd_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(fingerd_t)
')

20
refpolicy/policy/modules/services/ftp.te
View File

@ -135,7 +135,7 @@ ifdef(`targeted_policy',`
term_dontaudit_use_generic_ptys(ftpd_t)
term_dontaudit_use_unallocated_ttys(ftpd_t)
optional_policy(`ftp',`
optional_policy(`
tunable_policy(`ftpd_is_daemon',`
userdom_manage_generic_user_home_content_files(ftpd_t)
userdom_manage_generic_user_home_content_symlinks(ftpd_t)
@ -180,23 +180,23 @@ tunable_policy(`use_samba_home_dirs && ftp_home_dir',`
fs_read_cifs_symlinks(ftpd_t)
')
optional_policy(`cron',`
optional_policy(`
corecmd_exec_shell(ftpd_t)
files_read_usr_files(ftpd_t)
cron_system_entry(ftpd_t, ftpd_exec_t)
optional_policy(`logrotate',`
optional_policy(`
logrotate_exec(ftpd_t)
')
')
optional_policy(`daemontools',`
optional_policy(`
daemontools_service_domain(ftpd_t, ftpd_exec_t)
')
optional_policy(`inetd',`
optional_policy(`
#reh: typeattributes not allowed in conditionals yet.
#tunable_policy(`! ftpd_is_daemon',`
# inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
@ -204,25 +204,25 @@ optional_policy(`inetd',`
inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
optional_policy(`tcpd',`
optional_policy(`
tunable_policy(`! ftpd_is_daemon',`
tcpd_domtrans(tcpd_t)
')
')
')
optional_policy(`mount',`
optional_policy(`
mount_send_nfs_client_request(ftpd_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(ftpd_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(ftpd_t)
')
optional_policy(`udev', `
optional_policy(`
udev_read_db(ftpd_t)
')

4
refpolicy/policy/modules/services/gpm.te
View File

@ -84,11 +84,11 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_files(gpm_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(gpm_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(gpm_t)
')

38
refpolicy/policy/modules/services/hal.te
View File

@ -153,30 +153,30 @@ ifdef(`targeted_policy', `
files_dontaudit_getattr_home_dir(hald_t)
')
optional_policy(`apm',`
optional_policy(`
# For /usr/libexec/hald-addon-acpi
# writes to /var/run/acpid.socket
apm_stream_connect(hald_t)
')
optional_policy(`automount', `
optional_policy(`
automount_dontaudit_getattr_tmp_dirs(hald_t)
')
optional_policy(`bind',`
optional_policy(`
bind_search_cache(hald_t)
')
optional_policy(`clock',`
optional_policy(`
clock_domtrans(hald_t)
')
optional_policy(`cups',`
optional_policy(`
cups_domtrans_config(hald_t)
cups_signal_config(hald_t)
')
optional_policy(`dbus',`
optional_policy(`
dbus_system_bus_client_template(hald,hald_t)
dbus_send_system_bus(hald_t)
dbus_connect_system_bus(hald_t)
@ -184,58 +184,58 @@ optional_policy(`dbus',`
init_dbus_chat_script(hald_t)
optional_policy(`networkmanager',`
optional_policy(`
networkmanager_dbus_chat(hald_t)
')
')
optional_policy(`dmidecode',`
optional_policy(`
# For /usr/libexec/hald-probe-smbios
dmidecode_domtrans(hald_t)
')
optional_policy(`hotplug',`
optional_policy(`
hotplug_read_config(hald_t)
')
optional_policy(`lvm', `
optional_policy(`
lvm_domtrans(hald_t)
')
optional_policy(`mount',`
optional_policy(`
mount_domtrans(hald_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(hald_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(hald_t)
')
optional_policy(`pcmcia',`
optional_policy(`
pcmcia_manage_pid(hald_t)
pcmcia_manage_pid_chr_files(hald_t)
')
optional_policy(`rpc',`
optional_policy(`
rpc_search_nfs_state_data(hald_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(hald_t)
')
optional_policy(`udev', `
optional_policy(`
udev_domtrans(hald_t)
udev_read_db(hald_t)
')
optional_policy(`updfstab',`
optional_policy(`
updfstab_domtrans(hald_t)
')
optional_policy(`vbetool',`
optional_policy(`
vbetool_domtrans(hald_t)
')

6
refpolicy/policy/modules/services/howl.te
View File

@ -82,14 +82,14 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_files(howl_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(howl_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(howl_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(howl_t)
')

10
refpolicy/policy/modules/services/i18n_input.te
View File

@ -102,22 +102,22 @@ tunable_policy(`use_samba_home_dirs',`
fs_read_cifs_symlinks(i18n_input_t)
')
optional_policy(`canna',`
optional_policy(`
canna_stream_connect(i18n_input_t)
')
optional_policy(`mount',`
optional_policy(`
mount_send_nfs_client_request(i18n_input_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(i18n_input_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(i18n_input_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(i18n_input_t)
')

20
refpolicy/policy/modules/services/inetd.te
View File

@ -127,31 +127,31 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_files(inetd_t)
')
optional_policy(`amanda',`
optional_policy(`
amanda_search_lib(inetd_t)
')
optional_policy(`mount',`
optional_policy(`
mount_send_nfs_client_request(inetd_t)
')
# Communicate with the portmapper.
optional_policy(`portmap',`
optional_policy(`
portmap_udp_send(inetd_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(inetd_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(inetd_t)
')
ifdef(`targeted_policy',`
unconfined_domain(inetd_t)
',`
optional_policy(`unconfined',`
optional_policy(`
unconfined_domtrans(inetd_t)
')
')
@ -216,21 +216,21 @@ tunable_policy(`run_ssh_inetd',`
corenet_tcp_bind_ssh_port(inetd_t)
')
optional_policy(`ftp',`
optional_policy(`
tunable_policy(`ftpd_is_daemon',`
# Allows it to check exec privs on daemon
ftp_check_exec(inetd_t)
')
')
optional_policy(`kerberos',`
optional_policy(`
kerberos_use(inetd_child_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(inetd_child_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(inetd_child_t)
')

12
refpolicy/policy/modules/services/inn.te
View File

@ -122,26 +122,26 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(innd_t)
')
optional_policy(`cron',`
optional_policy(`
cron_system_entry(innd_t, innd_exec_t)
')
optional_policy(`hostname',`
optional_policy(`
hostname_exec(innd_t)
')
optional_policy(`mount',`
optional_policy(`
mount_send_nfs_client_request(innd_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(innd_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(innd_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(innd_t)
')

4
refpolicy/policy/modules/services/irqbalance.te
View File

@ -60,10 +60,10 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(irqbalance_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(irqbalance_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(irqbalance_t)
')

12
refpolicy/policy/modules/services/kerberos.te
View File

@ -137,15 +137,15 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_files(kadmind_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(kadmind_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(kadmind_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(kadmind_t)
')
@ -237,14 +237,14 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_files(krb5kdc_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(krb5kdc_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(krb5kdc_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(krb5kdc_t)
')

6
refpolicy/policy/modules/services/ktalk.te
View File

@ -36,7 +36,7 @@ allow ktalkd_t self:capability { setuid setgid };
allow ktalkd_t self:dir search;
allow ktalkd_t self:{ lnk_file file } { getattr read };
files_search_home(ktalkd_t)
optional_policy(`kerberos',`
optional_policy(`
kerberos_use(ktalkd_t)
')
#end for identd
@ -84,10 +84,10 @@ miscfiles_read_localization(ktalkd_t)
sysnet_read_config(ktalkd_t)
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(ktalkd_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(ktalkd_t)
')

8
refpolicy/policy/modules/services/ldap.te
View File

@ -138,18 +138,18 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(slapd_t)
')
optional_policy(`kerberos',`
optional_policy(`
kerberos_use(slapd_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(slapd_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(slapd_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(slapd_t)
')

10
refpolicy/policy/modules/services/lpd.if
View File

@ -184,27 +184,27 @@ template(`lpd_per_userdomain_template',`
fs_read_cifs_symlinks($1_lpr_t)
')
optional_policy(`cups',`
optional_policy(`
cups_read_config($1_lpr_t)
cups_tcp_connect($1_lpr_t)
cups_read_config($2)
cups_tcp_connect($2)
')
optional_policy(`logging',`
optional_policy(`
logging_send_syslog_msg($1_lpr_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use($1_lpr_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind($1_lpr_t)
')
ifdef(`TODO',`
optional_policy(`xdm', `
optional_policy(`
allow $1_lpr_t xdm_t:fd use;
allow $1_lpr_t xdm_var_run_t:dir search;
allow $1_lpr_t xdm_t:fifo_file { getattr read write ioctl };

14
refpolicy/policy/modules/services/lpd.te
View File

@ -104,15 +104,15 @@ ifdef(`targeted_policy',`
term_use_unallocated_ttys(checkpc_t)
')
optional_policy(`cron',`
optional_policy(`
cron_system_entry(checkpc_t,checkpc_exec_t)
')
optional_policy(`logging',`
optional_policy(`
logging_send_syslog_msg(checkpc_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(checkpc_t)
')
@ -223,19 +223,19 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(lpd_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(lpd_t)
nis_tcp_connect_ypbind(lpd_t)
')
optional_policy(`portmap',`
optional_policy(`
portmap_udp_send(lpd_t)
')
optional_policy(`selinuxutil',`
optional_policy(`
seutil_sigchld_newrole(lpd_t)
')
optional_policy(`udev',`
optional_policy(`
udev_read_db(lpd_t)
')

4
refpolicy/policy/modules/services/mailman.if
View File

@ -88,11 +88,11 @@ template(`mailman_domain_template', `
sysnet_read_config(mailman_$1_t)
optional_policy(`mount',`
optional_policy(`
mount_send_nfs_client_request(mailman_$1_t)
')
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind(mailman_$1_t)
')
')

8
refpolicy/policy/modules/services/mailman.te
View File

@ -35,7 +35,7 @@ mailman_domain_template(queue)
# optionals for file contexts yet, so it is promoted
# to global scope until such facilities exist.
optional_policy(`apache',`
optional_policy(`
allow mailman_cgi_t mailman_archive_t:dir create_dir_perms;
allow mailman_cgi_t mailman_archive_t:lnk_file create_lnk_perms;
allow mailman_cgi_t mailman_archive_t:file create_file_perms;
@ -64,7 +64,7 @@ allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
ifdef(`TODO',`
optional_policy(`qmail',`
optional_policy(`
allow mailman_mail_t qmail_spool_t:file { read ioctl getattr };
# do we really need this?
allow mailman_mail_t qmail_lspawn_t:fifo_file write;
@ -105,10 +105,10 @@ mta_tcp_connect_all_mailservers(mailman_queue_t)
su_exec(mailman_queue_t)
optional_policy(`cron',`
optional_policy(`
cron_system_entry(mailman_queue_t,mailman_queue_exec_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use(mailman_queue_t)
')

20
refpolicy/policy/modules/services/mta.if
View File

@ -95,23 +95,23 @@ template(`mta_base_mail_template',`
sysnet_read_config($1_mail_t)
sysnet_dns_name_resolve($1_mail_t)
optional_policy(`nis',`
optional_policy(`
nis_use_ypbind($1_mail_t)
')
optional_policy(`nscd',`
optional_policy(`
nscd_socket_use($1_mail_t)
')
optional_policy(`postfix',`
optional_policy(`
postfix_domtrans_user_mail_handler($1_mail_t)
')
optional_policy(`procmail',`
optional_policy(`
procmail_exec($1_mail_t)
')
optional_policy(`sendmail',`
optional_policy(`
gen_require(`
type etc_mail_t, mail_spool_t, mqueue_spool_t;
')
@ -236,7 +236,7 @@ template(`mta_per_userdomain_template',`
fs_manage_cifs_symlinks($1_mail_t)
')
optional_policy(`postfix',`
optional_policy(`
allow $1_mail_t self:capability dac_override;
# Read user temporary files.
@ -282,7 +282,7 @@ template(`mta_admin_template',`
userdom_read_unpriv_users_home_content_files($1_mail_t)
')
optional_policy(`postfix',`
optional_policy(`
gen_require(`
attribute mta_user_agent;
type etc_aliases_t;
@ -409,11 +409,11 @@ interface(`mta_mailserver_delivery',`
allow $1 mail_spool_t:file { create ioctl read getattr lock append };
allow $1 mail_spool_t:lnk_file { create read getattr };
optional_policy(`dovecot',`
optional_policy(`
dovecot_manage_spool($1)
')
optional_policy(`mailman',`
optional_policy(`
# so MTA can access /var/lib/mailman/mail/wrapper
files_search_var_lib($1)
@ -441,7 +441,7 @@ interface(`mta_mailserver_user_agent',`
typeattribute $1 mta_user_agent;
optional_policy(`apache',`
optional_policy(`
# apache should set close-on-exec
apache_dontaudit_rw_stream_sockets($1)
apache_dontaudit_rw_sys_script_stream_sockets($1)

Some files were not shown because too many files have changed in this diff Show More