Remove duplicate/redundant rules, from Russell Coker.
This commit is contained in:
parent
1db1836ab9
commit
bca0cdb86e
@ -1,3 +1,4 @@
|
||||
- Remove duplicate/redundant rules, from Russell Coker.
|
||||
- Increased default number of categories to 1024, from Russell Coker.
|
||||
- Added modules:
|
||||
cgroup (Dominick Grift)
|
||||
|
@ -78,8 +78,6 @@ kernel_read_kernel_sysctls(ethereal_t)
|
||||
kernel_read_system_state(ethereal_t)
|
||||
kernel_read_sysctl(ethereal_t)
|
||||
|
||||
corecmd_search_bin(ethereal_t)
|
||||
|
||||
corenet_tcp_connect_generic_port(ethereal_t)
|
||||
corenet_tcp_sendrecv_generic_if(ethereal_t)
|
||||
|
||||
|
@ -53,7 +53,7 @@ userdom_user_home_dir_filetrans(gift_t, gift_home_t, dir)
|
||||
domtrans_pattern(gift_t, giftd_exec_t, giftd_t)
|
||||
|
||||
# Read /proc/meminfo
|
||||
kernel_read_system_state(giftd_t)
|
||||
kernel_read_system_state(gift_t)
|
||||
|
||||
# Connect to gift daemon
|
||||
corenet_all_recvfrom_unlabeled(gift_t)
|
||||
|
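Review bot: The `# Read /proc/meminfo` comment sits above two adjacent rules, `kernel_read_system_state(giftd_t)` and `kernel_read_system_state(gift_t)`, and the hunk count (-53,7 +53,7) means exactly one line went and one came, so one domain presumably replaced the other as the subject of that comment. If the giftd_t rule is the one dropped, this is the only grant of kernel_read_system_state to giftd_t visible here, so it needs to exist in giftd_t's own section; if gift_t is the retained subject, the comment should name it, e.g. `# Read /proc/meminfo (gift client)`, since the daemon's rules follow the same block. The side of each line is not recoverable from this rendering, so this is inferred.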
@ -82,7 +82,6 @@ dev_read_urand(java_t)
|
||||
dev_read_rand(java_t)
|
||||
dev_dontaudit_append_rand(java_t)
|
||||
|
||||
files_read_etc_files(java_t)
|
||||
files_read_usr_files(java_t)
|
||||
files_search_home(java_t)
|
||||
files_search_var_lib(java_t)
|
||||
@ -144,8 +143,6 @@ optional_policy(`
|
||||
# execheap is needed for itanium/BEA jrocket
|
||||
allow unconfined_java_t self:process { execstack execmem execheap };
|
||||
|
||||
init_dbus_chat_script(unconfined_java_t)
|
||||
|
||||
files_execmod_all_files(unconfined_java_t)
|
||||
|
||||
init_dbus_chat_script(unconfined_java_t)
|
||||
|
@ -71,8 +71,6 @@ kernel_read_kernel_sysctls(wireshark_t)
|
||||
kernel_read_system_state(wireshark_t)
|
||||
kernel_read_sysctl(wireshark_t)
|
||||
|
||||
corecmd_search_bin(wireshark_t)
|
||||
|
||||
corenet_tcp_connect_generic_port(wireshark_t)
|
||||
corenet_tcp_sendrecv_generic_if(wireshark_t)
|
||||
|
||||
|
@ -89,7 +89,6 @@ manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
|
||||
logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file })
|
||||
|
||||
# pid file
|
||||
manage_dirs_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
|
||||
manage_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
|
||||
manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
|
||||
files_pid_filetrans(clamd_t, clamd_var_run_t, { file dir })
|
||||
|
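Review bot: Under `# pid file`, `manage_dirs_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)` names the log type while the rest of the block, including `files_pid_filetrans(clamd_t, clamd_var_run_t, { file dir })`, is about clamd_var_run_t; the count (-89,7 +89,6) says one line was dropped here, presumably that misplaced log rule. If so, no `manage_dirs_pattern` on clamd_var_run_t is visible in this hunk, yet the filetrans names the `dir` class, so check that a dir rule on clamd_var_run_t exists elsewhere in the file; otherwise the transition can never be exercised and the intended line was likely `manage_dirs_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)`. Which line was removed is not recoverable from this rendering.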
@ -48,7 +48,6 @@ allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_fifo_file_perms;
|
||||
allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
|
||||
allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms;
|
||||
allow courier_authdaemon_t courier_tcpd_t:process sigchld;
|
||||
allow courier_authdaemon_t courier_tcpd_t:fd use;
|
||||
allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
|
||||
allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
|
||||
|
||||
|
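Review bot: `allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;` survives next to the `fifo_file rw_fifo_file_perms` rule shown in the hunk's context line, so after one of the two identical `tcp_socket` rules is dropped (-48,7 +48,6 implies exactly one line went) the section still carries two rules on the same class that differ only in the permission macro. If `rw_fifo_file_perms` covers the `rw_file_perms` set on fifo_file, the `rw_file_perms` line is the same kind of redundancy this commit targets; if it does not, fold the two into a single `allow` with the union so the effective permission set is visible in one place rather than split across two macros. The side of each line is not recoverable from this rendering.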
@ -22,8 +22,6 @@ djbdns_daemontools_domain_template(tinydns)
|
||||
# Local policy for axfrdns component
|
||||
#
|
||||
|
||||
files_config_file(djbdns_axfrdns_conf_t)
|
||||
|
||||
daemontools_ipc_domain(djbdns_axfrdns_t)
|
||||
daemontools_read_svc(djbdns_axfrdns_t)
|
||||
|
||||
|
@ -308,14 +308,12 @@ tunable_policy(`use_lpd_server',`
|
||||
')
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
files_list_home(lpr_t)
|
||||
fs_list_auto_mountpoints(lpr_t)
|
||||
fs_read_nfs_files(lpr_t)
|
||||
fs_read_nfs_symlinks(lpr_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
files_list_home(lpr_t)
|
||||
fs_list_auto_mountpoints(lpr_t)
|
||||
fs_read_cifs_files(lpr_t)
|
||||
fs_read_cifs_symlinks(lpr_t)
|
||||
|
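Review bot: Two lines leave the `use_nfs_home_dirs` / `use_samba_home_dirs` blocks (-308,14 +308,12), and `files_list_home(lpr_t)` and `fs_list_auto_mountpoints(lpr_t)` are the only lines the two blocks have in common, so they are the likely candidates. Removing them as duplicates of an unconditional grant changes their scope: access that was conditional on the tunable becomes always-on for lpr_t. That is acceptable if the unconditional rule already existed before this commit, but a one-line comment at the unconditional site, `# also needed under use_nfs_home_dirs / use_samba_home_dirs`, would keep a later reader from re-adding them inside the tunables. The side of each line is not recoverable from this rendering, so this is inferred.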
@ -98,7 +98,6 @@ files_read_etc_files(prelude_t)
|
||||
files_read_etc_runtime_files(prelude_t)
|
||||
files_read_usr_files(prelude_t)
|
||||
files_search_tmp(prelude_t)
|
||||
files_search_tmp(prelude_t)
|
||||
|
||||
fs_rw_anon_inodefs_files(prelude_t)
|
||||
|
||||
|
@ -240,10 +240,6 @@ optional_policy(`
|
||||
oddjob_system_entry(ricci_modcluster_t, ricci_modcluster_exec_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
rgmanager_stream_connect(ricci_modclusterd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
# XXX This has got to go.
|
||||
unconfined_domain(ricci_modcluster_t)
|
||||
|
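Review bot: The `optional_policy` block around `rgmanager_stream_connect(ricci_modclusterd_t)` is the only four-line unit in this hunk, so it is presumably what -240,10 +240,6 removes; its subject is ricci_modclusterd_t, not the ricci_modcluster_t used by the surrounding rules, so it is a duplicate only if the same `rgmanager_stream_connect(ricci_modclusterd_t)` exists in the modclusterd section and not a rule for a different domain that was read as one. The same domain-mismatch pattern appears in the hunk at @ -333,10 +333,6 (`netutils_domtrans(dhcpc_t)` among ifconfig_t rules) and at @ -353,7 +353,6 (`term_use_console(xenconsoled_t)` among xenstored_t rules); each removal should be confirmed against the named domain's own section, because a rule dropped there shows up only as an AVC denial for that domain at runtime. The `# XXX This has got to go.` above `unconfined_domain(ricci_modcluster_t)` is unchanged by this commit.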
@ -200,54 +200,6 @@ optional_policy(`
|
||||
xserver_domtrans_xauth(ssh_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# ssh_keygen local policy
|
||||
#
|
||||
|
||||
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
|
||||
# and by sysadm_t
|
||||
|
||||
dontaudit ssh_keygen_t self:capability sys_tty_config;
|
||||
allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
|
||||
|
||||
allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
allow ssh_keygen_t sshd_key_t:file manage_file_perms;
|
||||
files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
|
||||
|
||||
kernel_read_kernel_sysctls(ssh_keygen_t)
|
||||
|
||||
fs_search_auto_mountpoints(ssh_keygen_t)
|
||||
|
||||
dev_read_sysfs(ssh_keygen_t)
|
||||
dev_read_urand(ssh_keygen_t)
|
||||
|
||||
term_dontaudit_use_console(ssh_keygen_t)
|
||||
|
||||
domain_use_interactive_fds(ssh_keygen_t)
|
||||
|
||||
files_read_etc_files(ssh_keygen_t)
|
||||
|
||||
init_use_fds(ssh_keygen_t)
|
||||
init_use_script_ptys(ssh_keygen_t)
|
||||
|
||||
logging_send_syslog_msg(ssh_keygen_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(ssh_keygen_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(ssh_keygen_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
udev_read_db(ssh_keygen_t)
|
||||
')
|
||||
|
||||
##############################
|
||||
#
|
||||
# ssh_keysign_t local policy
|
||||
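Review bot: This 48-line removal (-200,54 +200,6) takes out the whole first `ssh_keygen local policy` section, and the only lines this commit adds to the surviving copy are the four at @ -400,6 +352,10, whose visible context shows just the `nscd_socket_use` and `seutil_sigchld_newrole` blocks. Every rule in this copy therefore has to be present already in the surviving one, in particular `dev_read_urand(ssh_keygen_t)`, `allow ssh_keygen_t sshd_key_t:file manage_file_perms;` and `files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)`, without which host-key generation fails or the generated keys land in the wrong type, and `udev_read_db(ssh_keygen_t)`, whose optional block lies past the second hunk's view. The surviving section starts and ends outside both hunks, so this cannot be verified from the page.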
@ -400,6 +352,10 @@ logging_send_syslog_msg(ssh_keygen_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(ssh_keygen_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(ssh_keygen_t)
|
||||
')
|
||||
|
@ -168,10 +168,6 @@ optional_policy(`
|
||||
xen_rw_image_files(svirt_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
xen_rw_image_files(svirt_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# virtd local policy
|
||||
|
@ -166,7 +166,6 @@ init_domain(xdm_t, xdm_exec_t)
|
||||
init_daemon_domain(xdm_t, xdm_exec_t)
|
||||
xserver_object_types_template(xdm)
|
||||
xserver_common_x_domain_template(xdm, xdm_t)
|
||||
xserver_unconfined(xdm_t)
|
||||
|
||||
type xdm_lock_t;
|
||||
files_lock_file(xdm_lock_t)
|
||||
@ -832,8 +831,6 @@ init_use_fds(xserver_t)
|
||||
# (xauth?)
|
||||
userdom_read_user_home_content_files(xserver_t)
|
||||
|
||||
xserver_use_user_fonts(xserver_t)
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs(xserver_t)
|
||||
fs_manage_nfs_files(xserver_t)
|
||||
|
@ -126,7 +126,6 @@ domain_kill_all_domains(init_t)
|
||||
domain_signal_all_domains(init_t)
|
||||
domain_signull_all_domains(init_t)
|
||||
domain_sigstop_all_domains(init_t)
|
||||
domain_sigstop_all_domains(init_t)
|
||||
domain_sigchld_all_domains(init_t)
|
||||
|
||||
files_read_etc_files(init_t)
|
||||
@ -299,13 +298,10 @@ dev_delete_generic_symlinks(initrc_t)
|
||||
dev_getattr_all_blk_files(initrc_t)
|
||||
dev_getattr_all_chr_files(initrc_t)
|
||||
|
||||
corecmd_exec_all_executables(initrc_t)
|
||||
|
||||
domain_kill_all_domains(initrc_t)
|
||||
domain_signal_all_domains(initrc_t)
|
||||
domain_signull_all_domains(initrc_t)
|
||||
domain_sigstop_all_domains(initrc_t)
|
||||
domain_sigstop_all_domains(initrc_t)
|
||||
domain_sigchld_all_domains(initrc_t)
|
||||
domain_read_all_domains_state(initrc_t)
|
||||
domain_getattr_all_domains(initrc_t)
|
||||
|
@ -372,9 +372,6 @@ files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
|
||||
manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
|
||||
files_search_var_lib(syslogd_t)
|
||||
|
||||
allow syslogd_t syslogd_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
|
||||
|
||||
# manage pid file
|
||||
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
|
||||
files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
|
||||
|
@ -211,7 +211,6 @@ files_etc_filetrans(lvm_t, lvm_metadata_t, file)
|
||||
files_search_mnt(lvm_t)
|
||||
|
||||
kernel_read_system_state(lvm_t)
|
||||
kernel_read_kernel_sysctls(lvm_t)
|
||||
# Read system variables in /proc/sys
|
||||
kernel_read_kernel_sysctls(lvm_t)
|
||||
# it has no reason to need this
|
||||
|
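Review bot: One of the two `kernel_read_kernel_sysctls(lvm_t)` lines is dropped here (-211,7 +211,6), and which one decides whether `# Read system variables in /proc/sys` still describes the rule below it: if the second, commented copy went, that comment is now orphaned directly above `# it has no reason to need this`, which itself refers to a rule past the end of the hunk. Keep the comment attached to the surviving rule, i.e. `# Read system variables in /proc/sys` immediately followed by `kernel_read_kernel_sysctls(lvm_t)`, or remove it. The side of each line is not recoverable from this rendering.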
@ -333,10 +333,6 @@ optional_policy(`
|
||||
ipsec_write_pid(ifconfig_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
netutils_domtrans(dhcpc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(ifconfig_t)
|
||||
')
|
||||
|
@ -353,7 +353,6 @@ storage_raw_write_fixed_disk(xenstored_t)
|
||||
storage_raw_read_removable_device(xenstored_t)
|
||||
|
||||
term_use_generic_ptys(xenstored_t)
|
||||
term_use_console(xenconsoled_t)
|
||||
|
||||
init_use_fds(xenstored_t)
|
||||
init_use_script_ptys(xenstored_t)
|
||||
|