trunk: 3 patches from dan.
This commit is contained in:
Chris PeBenito
parent
45b975db5b
commit
bb88161284
@ -6,6 +6,7 @@
|
||||
/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
|
||||
|
||||
/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
|
||||
/etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0)
|
||||
|
||||
#
|
||||
# /usr
|
||||
@ -16,20 +17,23 @@
|
||||
/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
|
||||
|
||||
ifdef(`distro_debian', `
|
||||
/usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
|
||||
/usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
|
||||
/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
|
||||
')
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
|
||||
/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
|
||||
')
|
||||
|
||||
#
|
||||
# /var
|
||||
#
|
||||
/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
|
||||
# this is a hard link to /var/lib/dovecot/ssl-parameters.dat
|
||||
/var/run/dovecot/login/ssl-parameters.dat gen_context(system_u:object_r:dovecot_var_lib_t,s0)
|
||||
/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
|
||||
|
||||
/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
|
||||
|
||||
/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0)
|
||||
|
||||
/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
|
||||
|
||||
@ -1,5 +1,42 @@
|
||||
## <summary>Dovecot POP and IMAP mail server</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to dovecot auth unix domain stream socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`dovecot_stream_connect_auth',`
|
||||
gen_require(`
|
||||
type dovecot_auth_t, dovecot_var_run_t;
|
||||
')
|
||||
|
||||
stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute dovecot_deliver in the dovecot_deliver domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`dovecot_domtrans_deliver',`
|
||||
gen_require(`
|
||||
type dovecot_deliver_t, dovecot_deliver_exec_t;
|
||||
')
|
||||
|
||||
domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete the dovecot spool files.
|
||||
@ -36,3 +73,58 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
|
||||
|
||||
dontaudit $1 dovecot_var_lib_t:file unlink;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an dovecot environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the dovecot domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`dovecot_admin',`
|
||||
gen_require(`
|
||||
type dovecot_t, dovecot_etc_t, dovecot_log_t;
|
||||
type dovecot_spool_t, dovecot_var_lib_t;
|
||||
type dovecot_var_run_t;
|
||||
|
||||
type dovecot_cert_t, dovecot_passwd_t;
|
||||
type dovecot_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 dovecot_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, dovecot_t)
|
||||
|
||||
init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 dovecot_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_list_etc($1)
|
||||
admin_pattern($1, dovecot_etc_t)
|
||||
|
||||
logging_list_logs($1)
|
||||
admin_pattern($1, dovecot_log_t)
|
||||
|
||||
files_list_spool($1)
|
||||
admin_pattern($1, dovecot_spool_t)
|
||||
|
||||
files_list_var_lib($1)
|
||||
admin_pattern($1, dovecot_var_lib_t)
|
||||
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, dovecot_var_run_t)
|
||||
|
||||
admin_pattern($1, dovecot_cert_t)
|
||||
|
||||
admin_pattern($1, dovecot_passwd_t)
|
||||
')
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(dovecot, 1.10.2)
|
||||
policy_module(dovecot, 1.10.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -15,12 +15,24 @@ domain_type(dovecot_auth_t)
|
||||
domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
|
||||
role system_r types dovecot_auth_t;
|
||||
|
||||
type dovecot_auth_tmp_t;
|
||||
files_tmp_file(dovecot_auth_tmp_t)
|
||||
|
||||
type dovecot_cert_t;
|
||||
files_type(dovecot_cert_t)
|
||||
|
||||
type dovecot_deliver_t;
|
||||
type dovecot_deliver_exec_t;
|
||||
domain_type(dovecot_deliver_t)
|
||||
domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
|
||||
role system_r types dovecot_deliver_t;
|
||||
|
||||
type dovecot_etc_t;
|
||||
files_config_file(dovecot_etc_t)
|
||||
|
||||
type dovecot_initrc_exec_t;
|
||||
init_script_file(dovecot_initrc_exec_t)
|
||||
|
||||
type dovecot_passwd_t;
|
||||
files_type(dovecot_passwd_t)
|
||||
|
||||
@ -31,6 +43,9 @@ files_type(dovecot_spool_t)
|
||||
type dovecot_var_lib_t;
|
||||
files_type(dovecot_var_lib_t)
|
||||
|
||||
type dovecot_var_log_t;
|
||||
logging_log_file(dovecot_var_log_t)
|
||||
|
||||
type dovecot_var_run_t;
|
||||
files_pid_file(dovecot_var_run_t)
|
||||
|
||||
@ -58,6 +73,9 @@ files_search_etc(dovecot_t)
|
||||
|
||||
can_exec(dovecot_t, dovecot_exec_t)
|
||||
|
||||
manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
|
||||
logging_log_filetrans(dovecot_t, dovecot_var_log_t, file)
|
||||
|
||||
manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
|
||||
manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
|
||||
manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
|
||||
@ -98,7 +116,7 @@ files_search_tmp(dovecot_t)
|
||||
files_dontaudit_list_default(dovecot_t)
|
||||
# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
|
||||
files_read_etc_runtime_files(dovecot_t)
|
||||
files_getattr_all_mountpoints(dovecot_t)
|
||||
files_search_all_mountpoints(dovecot_t)
|
||||
|
||||
init_getattr_utmp(dovecot_t)
|
||||
|
||||
@ -120,7 +138,7 @@ userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file
|
||||
mta_manage_spool(dovecot_t)
|
||||
|
||||
optional_policy(`
|
||||
kerberos_use(dovecot_t)
|
||||
kerberos_keytab_template(dovecot, dovecot_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -140,25 +158,35 @@ optional_policy(`
|
||||
# dovecot auth local policy
|
||||
#
|
||||
|
||||
allow dovecot_auth_t self:capability { setgid setuid };
|
||||
allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
|
||||
allow dovecot_auth_t self:process signal_perms;
|
||||
allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
|
||||
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
|
||||
allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
|
||||
allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
|
||||
|
||||
allow dovecot_auth_t dovecot_passwd_t:file read_file_perms;
|
||||
read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
|
||||
|
||||
manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
|
||||
manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
|
||||
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
|
||||
|
||||
# Allow dovecot to create and read SSL parameters file
|
||||
manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
|
||||
files_search_var_lib(dovecot_t)
|
||||
files_read_var_symlinks(dovecot_t)
|
||||
|
||||
allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
|
||||
manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
|
||||
dovecot_stream_connect_auth(dovecot_auth_t)
|
||||
|
||||
kernel_read_all_sysctls(dovecot_auth_t)
|
||||
kernel_read_system_state(dovecot_auth_t)
|
||||
|
||||
logging_send_audit_msgs(dovecot_auth_t)
|
||||
logging_send_syslog_msg(dovecot_auth_t)
|
||||
|
||||
dev_read_urand(dovecot_auth_t)
|
||||
|
||||
auth_domtrans_chk_passwd(dovecot_auth_t)
|
||||
@ -167,6 +195,7 @@ auth_use_nsswitch(dovecot_auth_t)
|
||||
files_read_etc_files(dovecot_auth_t)
|
||||
files_read_etc_runtime_files(dovecot_auth_t)
|
||||
files_search_pids(dovecot_auth_t)
|
||||
files_read_usr_files(dovecot_auth_t)
|
||||
files_read_usr_symlinks(dovecot_auth_t)
|
||||
files_search_tmp(dovecot_auth_t)
|
||||
files_read_var_lib_files(dovecot_t)
|
||||
@ -182,5 +211,52 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
logging_send_syslog_msg(dovecot_auth_t)
|
||||
mysql_search_db(dovecot_auth_t)
|
||||
mysql_stream_connect(dovecot_auth_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_authenticate(dovecot_auth_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
postfix_search_spool(dovecot_auth_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# dovecot deliver local policy
|
||||
#
|
||||
allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
|
||||
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
|
||||
|
||||
kernel_read_all_sysctls(dovecot_deliver_t)
|
||||
kernel_read_system_state(dovecot_deliver_t)
|
||||
|
||||
files_read_etc_files(dovecot_deliver_t)
|
||||
files_read_etc_runtime_files(dovecot_deliver_t)
|
||||
|
||||
auth_use_nsswitch(dovecot_deliver_t)
|
||||
|
||||
logging_send_syslog_msg(dovecot_deliver_t)
|
||||
|
||||
miscfiles_read_localization(dovecot_deliver_t)
|
||||
|
||||
dovecot_stream_connect_auth(dovecot_deliver_t)
|
||||
|
||||
files_search_tmp(dovecot_deliver_t)
|
||||
|
||||
fs_getattr_all_fs(dovecot_deliver_t)
|
||||
|
||||
userdom_manage_user_home_content_dirs(dovecot_deliver_t)
|
||||
userdom_manage_user_home_content_files(dovecot_deliver_t)
|
||||
userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
|
||||
userdom_manage_user_home_content_pipes(dovecot_deliver_t)
|
||||
userdom_manage_user_home_content_sockets(dovecot_deliver_t)
|
||||
userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
|
||||
|
||||
optional_policy(`
|
||||
mta_manage_spool(dovecot_deliver_t)
|
||||
')
|
||||
|
||||
@ -61,6 +61,25 @@ interface(`kerneloops_dontaudit_dbus_chat',`
|
||||
dontaudit kerneloops_t $1:dbus send_msg;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow domain to manage kerneloops tmp files
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`kerneloops_manage_tmp_files',`
|
||||
gen_require(`
|
||||
type kerneloops_tmp_t;
|
||||
')
|
||||
|
||||
manage_files_pattern($1, kerneloops_tmp_t, kerneloops_tmp_t)
|
||||
files_search_tmp($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
@ -81,6 +100,7 @@ interface(`kerneloops_dontaudit_dbus_chat',`
|
||||
interface(`kerneloops_admin',`
|
||||
gen_require(`
|
||||
type kerneloops_t, kerneloops_initrc_exec_t;
|
||||
type kerneloops_tmp_t;
|
||||
')
|
||||
|
||||
allow $1 kerneloops_t:process { ptrace signal_perms };
|
||||
@ -90,4 +110,6 @@ interface(`kerneloops_admin',`
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 kerneloops_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
admin_pattern($1, kerneloops_tmp_t)
|
||||
')
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(kerneloops, 1.2.2)
|
||||
policy_module(kerneloops, 1.2.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -13,6 +13,9 @@ init_daemon_domain(kerneloops_t, kerneloops_exec_t)
|
||||
type kerneloops_initrc_exec_t;
|
||||
init_script_file(kerneloops_initrc_exec_t)
|
||||
|
||||
type kerneloops_tmp_t;
|
||||
files_tmp_file(kerneloops_tmp_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# kerneloops local policy
|
||||
@ -21,7 +24,9 @@ init_script_file(kerneloops_initrc_exec_t)
|
||||
allow kerneloops_t self:capability sys_nice;
|
||||
allow kerneloops_t self:process { setsched getsched signal };
|
||||
allow kerneloops_t self:fifo_file rw_file_perms;
|
||||
allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t)
|
||||
files_tmp_filetrans(kerneloops_t, kerneloops_tmp_t, file)
|
||||
|
||||
kernel_read_ring_buffer(kerneloops_t)
|
||||
|
||||
@ -38,13 +43,13 @@ corenet_tcp_connect_http_port(kerneloops_t)
|
||||
|
||||
files_read_etc_files(kerneloops_t)
|
||||
|
||||
auth_use_nsswitch(kerneloops_t)
|
||||
|
||||
logging_send_syslog_msg(kerneloops_t)
|
||||
logging_read_generic_logs(kerneloops_t)
|
||||
|
||||
miscfiles_read_localization(kerneloops_t)
|
||||
|
||||
sysnet_dns_name_resolve(kerneloops_t)
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(kerneloops_t)
|
||||
dbus_connect_system_bus(kerneloops_t)
|
||||
|
||||
@ -1,3 +1,4 @@
|
||||
/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0)
|
||||
|
||||
/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
|
||||
|
||||
|
||||
@ -18,6 +18,42 @@ interface(`nscd_signal',`
|
||||
allow $1 nscd_t:process signal;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send NSCD the kill signal.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`nscd_kill',`
|
||||
gen_require(`
|
||||
type nscd_t;
|
||||
')
|
||||
|
||||
allow $1 nscd_t:process sigkill;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send signulls to NSCD.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`nscd_signull',`
|
||||
gen_require(`
|
||||
type nscd_t;
|
||||
')
|
||||
|
||||
allow $1 nscd_t:process signull;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute NSCD in the nscd domain.
|
||||
@ -70,15 +106,14 @@ interface(`nscd_exec',`
|
||||
interface(`nscd_socket_use',`
|
||||
gen_require(`
|
||||
type nscd_t, nscd_var_run_t;
|
||||
class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
|
||||
class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv };
|
||||
')
|
||||
|
||||
allow $1 self:unix_stream_socket create_socket_perms;
|
||||
|
||||
allow $1 nscd_t:nscd { getpwd getgrp gethost };
|
||||
dontaudit $1 nscd_t:fd use;
|
||||
dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
|
||||
|
||||
dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
|
||||
files_search_pids($1)
|
||||
stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
|
||||
dontaudit $1 nscd_var_run_t:file { getattr read };
|
||||
@ -198,3 +233,41 @@ interface(`nscd_run',`
|
||||
nscd_domtrans($1)
|
||||
role $2 types nscd_t;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an nscd environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the nscd domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`nscd_admin',`
|
||||
gen_require(`
|
||||
type nscd_t, nscd_log_t, nscd_var_run_t;
|
||||
type nscd_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 nscd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, nscd_t)
|
||||
|
||||
init_labeled_script_domtrans($1, nscd_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 nscd_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
logging_list_logs($1)
|
||||
admin_pattern($1, nscd_log_t)
|
||||
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, nscd_var_run_t)
|
||||
')
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(nscd, 1.8.2)
|
||||
policy_module(nscd, 1.8.3)
|
||||
|
||||
gen_require(`
|
||||
class nscd all_nscd_perms;
|
||||
@ -20,6 +20,9 @@ type nscd_t;
|
||||
type nscd_exec_t;
|
||||
init_daemon_domain(nscd_t, nscd_exec_t)
|
||||
|
||||
type nscd_initrc_exec_t;
|
||||
init_script_file(nscd_initrc_exec_t)
|
||||
|
||||
type nscd_log_t;
|
||||
logging_log_file(nscd_log_t)
|
||||
|
||||
@ -28,14 +31,13 @@ logging_log_file(nscd_log_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow nscd_t self:capability { kill setgid setuid audit_write };
|
||||
allow nscd_t self:capability { kill setgid setuid };
|
||||
dontaudit nscd_t self:capability sys_tty_config;
|
||||
allow nscd_t self:process { getattr setsched signal_perms };
|
||||
allow nscd_t self:process { getattr getcap setcap setsched signal_perms };
|
||||
allow nscd_t self:fifo_file read_fifo_file_perms;
|
||||
allow nscd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow nscd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow nscd_t self:netlink_selinux_socket create_socket_perms;
|
||||
allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||
allow nscd_t self:tcp_socket create_socket_perms;
|
||||
allow nscd_t self:udp_socket create_socket_perms;
|
||||
|
||||
@ -50,6 +52,9 @@ manage_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
|
||||
manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
|
||||
files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file })
|
||||
|
||||
corecmd_search_bin(nscd_t)
|
||||
can_exec(nscd_t, nscd_exec_t)
|
||||
|
||||
kernel_read_kernel_sysctls(nscd_t)
|
||||
kernel_list_proc(nscd_t)
|
||||
kernel_read_proc_symlinks(nscd_t)
|
||||
@ -73,6 +78,7 @@ corenet_tcp_sendrecv_generic_node(nscd_t)
|
||||
corenet_udp_sendrecv_generic_node(nscd_t)
|
||||
corenet_tcp_sendrecv_all_ports(nscd_t)
|
||||
corenet_udp_sendrecv_all_ports(nscd_t)
|
||||
corenet_udp_bind_generic_node(nscd_t)
|
||||
corenet_tcp_connect_all_ports(nscd_t)
|
||||
corenet_sendrecv_all_client_packets(nscd_t)
|
||||
corenet_rw_tun_tap_dev(nscd_t)
|
||||
@ -90,6 +96,7 @@ files_read_generic_tmp_symlinks(nscd_t)
|
||||
# Needed to read files created by firstboot "/etc/hesiod.conf"
|
||||
files_read_etc_runtime_files(nscd_t)
|
||||
|
||||
logging_send_audit_msgs(nscd_t)
|
||||
logging_send_syslog_msg(nscd_t)
|
||||
|
||||
miscfiles_read_localization(nscd_t)
|
||||
@ -104,6 +111,14 @@ userdom_dontaudit_use_user_terminals(nscd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(nscd_t)
|
||||
userdom_dontaudit_search_user_home_dirs(nscd_t)
|
||||
|
||||
optional_policy(`
|
||||
cron_read_system_job_tmp_files(nscd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
kerberos_use(nscd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
udev_read_db(nscd_t)
|
||||
')
|
||||
|
||||
Loading…
Reference in New Issue
Block a user