add packets for apps
parent
35a4b349f0
commit
c0d8c41e37
@ -42,17 +42,13 @@ kernel_read_system_state(calamaris_t)
|
||||
|
||||
corecmd_exec_bin(calamaris_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(calamaris_t)
|
||||
corenet_tcp_sendrecv_generic_if(calamaris_t)
|
||||
corenet_udp_sendrecv_generic_if(calamaris_t)
|
||||
corenet_raw_sendrecv_generic_if(calamaris_t)
|
||||
corenet_tcp_sendrecv_all_nodes(calamaris_t)
|
||||
corenet_udp_sendrecv_all_nodes(calamaris_t)
|
||||
corenet_raw_sendrecv_all_nodes(calamaris_t)
|
||||
corenet_tcp_sendrecv_all_ports(calamaris_t)
|
||||
corenet_udp_sendrecv_all_ports(calamaris_t)
|
||||
corenet_non_ipsec_sendrecv(calamaris_t)
|
||||
corenet_tcp_bind_all_nodes(calamaris_t)
|
||||
corenet_udp_bind_all_nodes(calamaris_t)
|
||||
|
||||
dev_read_urand(calamaris_t)
|
||||
|
||||
|
@ -188,31 +188,34 @@ template(`evolution_per_userdomain_template',`
|
||||
corecmd_exec_bin($1_evolution_t)
|
||||
corecmd_exec_sbin($1_evolution_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv($1_evolution_t)
|
||||
corenet_tcp_sendrecv_generic_if($1_evolution_t)
|
||||
corenet_udp_sendrecv_generic_if($1_evolution_t)
|
||||
corenet_raw_sendrecv_generic_if($1_evolution_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_evolution_t)
|
||||
corenet_udp_sendrecv_all_nodes($1_evolution_t)
|
||||
corenet_raw_sendrecv_all_nodes($1_evolution_t)
|
||||
corenet_tcp_sendrecv_pop_port($1_evolution_t)
|
||||
corenet_tcp_sendrecv_smtp_port($1_evolution_t)
|
||||
corenet_tcp_sendrecv_innd_port($1_evolution_t)
|
||||
corenet_tcp_sendrecv_ldap_port($1_evolution_t)
|
||||
###corenet_tcp_sendrecv_ipp($1_evolution_t)
|
||||
corenet_udp_sendrecv_pop_port($1_evolution_t)
|
||||
corenet_tcp_sendrecv_smtp_port($1_evolution_t)
|
||||
corenet_udp_sendrecv_smtp_port($1_evolution_t)
|
||||
corenet_tcp_sendrecv_innd_port($1_evolution_t)
|
||||
corenet_udp_sendrecv_innd_port($1_evolution_t)
|
||||
corenet_tcp_sendrecv_ldap_port($1_evolution_t)
|
||||
corenet_udp_sendrecv_ldap_port($1_evolution_t)
|
||||
###corenet_udp_sendrecv_ipp($1_evolution_t)
|
||||
corenet_non_ipsec_sendrecv($1_evolution_t)
|
||||
corenet_tcp_bind_all_nodes($1_evolution_t)
|
||||
corenet_udp_bind_all_nodes($1_evolution_t)
|
||||
corenet_tcp_sendrecv_ipp_port($1_evolution_t)
|
||||
corenet_udp_sendrecv_ipp_port($1_evolution_t)
|
||||
corenet_tcp_connect_pop_port($1_evolution_t)
|
||||
corenet_tcp_connect_smtp_port($1_evolution_t)
|
||||
corenet_tcp_connect_innd_port($1_evolution_t)
|
||||
corenet_tcp_connect_ldap_port($1_evolution_t)
|
||||
###corenet_tcp_connect_ipp_port($1_evolution_t)
|
||||
corenet_tcp_connect_ipp_port($1_evolution_t)
|
||||
corenet_sendrecv_pop_client_packets($1_evolution_t)
|
||||
corenet_sendrecv_smtp_client_packets($1_evolution_t)
|
||||
corenet_sendrecv_innd_client_packets($1_evolution_t)
|
||||
corenet_sendrecv_ldap_client_packets($1_evolution_t)
|
||||
corenet_sendrecv_ipp_client_packets($1_evolution_t)
|
||||
# not sure about this bind
|
||||
corenet_udp_bind_all_nodes($1_evolution_t)
|
||||
corenet_udp_bind_generic_port($1_evolution_t)
|
||||
|
||||
dev_read_urand($1_evolution_t)
|
||||
@ -635,25 +638,15 @@ template(`evolution_per_userdomain_template',`
|
||||
corecmd_exec_shell($1_evolution_server_t)
|
||||
|
||||
# Obtain weather data via http (read server name from xml file in /usr)
|
||||
corenet_non_ipsec_sendrecv($1_evolution_server_t)
|
||||
corenet_tcp_sendrecv_generic_if($1_evolution_server_t)
|
||||
corenet_raw_sendrecv_generic_if($1_evolution_server_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_evolution_server_t)
|
||||
corenet_raw_sendrecv_all_nodes($1_evolution_server_t)
|
||||
corenet_tcp_sendrecv_http_port($1_evolution_server_t)
|
||||
corenet_tcp_sendrecv_http_cache_port($1_evolution_server_t)
|
||||
corenet_non_ipsec_sendrecv($1_evolution_server_t)
|
||||
corenet_tcp_bind_all_nodes($1_evolution_server_t)
|
||||
corenet_tcp_connect_http_cache_port($1_evolution_server_t)
|
||||
corenet_tcp_connect_http_port($1_evolution_server_t)
|
||||
# Talk to ldap (address book)
|
||||
corenet_tcp_sendrecv_generic_if($1_evolution_server_t)
|
||||
corenet_raw_sendrecv_generic_if($1_evolution_server_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_evolution_server_t)
|
||||
corenet_raw_sendrecv_all_nodes($1_evolution_server_t)
|
||||
corenet_tcp_sendrecv_ldap_port($1_evolution_server_t)
|
||||
corenet_non_ipsec_sendrecv($1_evolution_server_t)
|
||||
corenet_tcp_bind_all_nodes($1_evolution_server_t)
|
||||
corenet_tcp_connect_ldap_port($1_evolution_server_t)
|
||||
corenet_sendrecv_http_client_packets($1_evolution_server_t)
|
||||
corenet_sendrecv_http_cache_client_packets($1_evolution_server_t)
|
||||
|
||||
files_read_etc_files($1_evolution_server_t)
|
||||
# Obtain weather data via http (read server name from xml file in /usr)
|
||||
@ -668,9 +661,9 @@ template(`evolution_per_userdomain_template',`
|
||||
miscfiles_read_certs($1_evolution_server_t)
|
||||
|
||||
# Talk to ldap (address book)
|
||||
# Obtain weather data via http (read server name from xml file in /usr)
|
||||
sysnet_read_config($1_evolution_server_t)
|
||||
sysnet_dns_name_resolve($1_evolution_server_t)
|
||||
sysnet_use_ldap($1_evolution_server_t)
|
||||
|
||||
# Access evolution home
|
||||
userdom_search_user_home_dirs($1,$1_evolution_server_t)
|
||||
@ -720,16 +713,17 @@ template(`evolution_per_userdomain_template',`
|
||||
# Transition from user type
|
||||
domain_auto_trans($2, evolution_webcal_exec_t, $1_evolution_webcal_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv($1_evolution_webcal_t)
|
||||
corenet_tcp_sendrecv_generic_if($1_evolution_webcal_t)
|
||||
corenet_raw_sendrecv_generic_if($1_evolution_webcal_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_evolution_webcal_t)
|
||||
corenet_raw_sendrecv_all_nodes($1_evolution_webcal_t)
|
||||
corenet_tcp_sendrecv_http_port($1_evolution_webcal_t)
|
||||
corenet_tcp_sendrecv_http_cache_port($1_evolution_webcal_t)
|
||||
corenet_non_ipsec_sendrecv($1_evolution_webcal_t)
|
||||
corenet_tcp_bind_all_nodes($1_evolution_webcal_t)
|
||||
corenet_tcp_connect_http_cache_port($1_evolution_webcal_t)
|
||||
corenet_tcp_connect_http_port($1_evolution_webcal_t)
|
||||
corenet_sendrecv_http_client_packets($1_evolution_webcal_t)
|
||||
corenet_sendrecv_http_cache_client_packets($1_evolution_webcal_t)
|
||||
|
||||
# Networking capability - connect to website and handle ics link
|
||||
sysnet_read_config($1_evolution_webcal_t)
|
||||
|
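Review bot: `corenet_udp_bind_generic_port($1_evolution_t)` in the first hunk of `evolution_per_userdomain_template` sits under the comment `# not sure about this bind`, so the template carries a bind permission its author could not justify. The +/- column is lost in this rendering; that the comment and the two bind lines are new is inferred from their position after the `*_client_packets` lines. Either leave the pair out until a logged denial shows it is needed, or replace the comment with the reason, e.g. `# <feature> binds an unreserved UDP port for <purpose>`. The template body continues outside the hunk.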
@ -94,19 +94,18 @@ template(`games_per_userdomain_template',`
|
||||
corecmd_exec_bin($1_games_t)
|
||||
corecmd_exec_sbin($1_games_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv($1_games_t)
|
||||
corenet_tcp_sendrecv_generic_if($1_games_t)
|
||||
corenet_udp_sendrecv_generic_if($1_games_t)
|
||||
corenet_raw_sendrecv_generic_if($1_games_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_games_t)
|
||||
corenet_udp_sendrecv_all_nodes($1_games_t)
|
||||
corenet_raw_sendrecv_all_nodes($1_games_t)
|
||||
corenet_tcp_sendrecv_all_ports($1_games_t)
|
||||
corenet_udp_sendrecv_all_ports($1_games_t)
|
||||
corenet_non_ipsec_sendrecv($1_games_t)
|
||||
corenet_tcp_bind_all_nodes($1_games_t)
|
||||
corenet_udp_bind_all_nodes($1_games_t)
|
||||
corenet_tcp_bind_generic_port($1_games_t)
|
||||
corenet_tcp_connect_generic_port($1_games_t)
|
||||
corenet_sendrecv_generic_client_packets($1_games_t)
|
||||
corenet_sendrecv_generic_server_packets($1_games_t)
|
||||
|
||||
dev_read_sound($1_games_t)
|
||||
dev_write_sound($1_games_t)
|
||||
|
@ -104,12 +104,10 @@ template(`gift_per_userdomain_template',`
|
||||
# Connect to gift daemon
|
||||
corenet_non_ipsec_sendrecv($1_gift_t)
|
||||
corenet_tcp_sendrecv_generic_if($1_gift_t)
|
||||
corenet_raw_sendrecv_generic_if($1_gift_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_gift_t)
|
||||
corenet_raw_sendrecv_all_nodes($1_gift_t)
|
||||
corenet_tcp_sendrecv_giftd_port($1_gift_t)
|
||||
corenet_tcp_bind_all_nodes($1_gift_t)
|
||||
corenet_tcp_connect_giftd_port($1_gift_t)
|
||||
corenet_sendrecv_giftd_client_packets($1_gift_t)
|
||||
|
||||
fs_search_auto_mountpoints($1_gift_t)
|
||||
|
||||
@ -169,10 +167,8 @@ template(`gift_per_userdomain_template',`
|
||||
corenet_non_ipsec_sendrecv($1_giftd_t)
|
||||
corenet_tcp_sendrecv_generic_if($1_giftd_t)
|
||||
corenet_udp_sendrecv_generic_if($1_giftd_t)
|
||||
corenet_raw_sendrecv_generic_if($1_giftd_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_giftd_t)
|
||||
corenet_udp_sendrecv_all_nodes($1_giftd_t)
|
||||
corenet_raw_sendrecv_all_nodes($1_giftd_t)
|
||||
corenet_tcp_sendrecv_all_ports($1_giftd_t)
|
||||
corenet_udp_sendrecv_all_ports($1_giftd_t)
|
||||
corenet_tcp_bind_all_nodes($1_giftd_t)
|
||||
@ -180,6 +176,7 @@ template(`gift_per_userdomain_template',`
|
||||
corenet_tcp_bind_all_ports($1_giftd_t)
|
||||
corenet_udp_bind_all_ports($1_giftd_t)
|
||||
corenet_tcp_connect_all_ports($1_giftd_t)
|
||||
corenet_sendrecv_all_client_packets($1_giftd_t)
|
||||
|
||||
files_read_usr_files($1_giftd_t)
|
||||
# Read /etc/mtab
|
||||
|
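Review bot: `$1_giftd_t` receives only `corenet_sendrecv_all_client_packets` in the last hunk of this section, although the lines directly above it let the daemon bind every TCP and UDP port. If the packet interfaces are meant to mirror the socket permissions, as the games hunk does with both `corenet_sendrecv_generic_client_packets` and `corenet_sendrecv_generic_server_packets`, then traffic arriving on the bound ports needs the server-side counterpart as well. That is presumably `corenet_sendrecv_all_server_packets($1_giftd_t)`; confirm the interface name against the corenetwork module before adding it. The template body continues outside the hunk.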
@ -96,18 +96,15 @@ template(`gpg_per_userdomain_template',`
|
||||
allow $1_gpg_t $1_gpg_secret_t:file create_file_perms;
|
||||
allow $1_gpg_t $1_gpg_secret_t:lnk_file create_lnk_perms;
|
||||
|
||||
corenet_non_ipsec_sendrecv($1_gpg_t)
|
||||
corenet_tcp_sendrecv_all_if($1_gpg_t)
|
||||
corenet_raw_sendrecv_all_if($1_gpg_t)
|
||||
corenet_udp_sendrecv_all_if($1_gpg_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_gpg_t)
|
||||
corenet_raw_sendrecv_all_nodes($1_gpg_t)
|
||||
corenet_udp_sendrecv_all_nodes($1_gpg_t)
|
||||
corenet_tcp_sendrecv_all_ports($1_gpg_t)
|
||||
corenet_udp_sendrecv_all_ports($1_gpg_t)
|
||||
corenet_non_ipsec_sendrecv($1_gpg_t)
|
||||
corenet_tcp_bind_all_nodes($1_gpg_t)
|
||||
corenet_udp_bind_all_nodes($1_gpg_t)
|
||||
corenet_tcp_connect_all_ports($1_gpg_t)
|
||||
corenet_sendrecv_all_client_packets($1_gpg_t)
|
||||
|
||||
dev_read_rand($1_gpg_t)
|
||||
dev_read_urand($1_gpg_t)
|
||||
|
@ -107,16 +107,14 @@ template(`irc_per_userdomain_template',`
|
||||
corenet_non_ipsec_sendrecv($1_irc_t)
|
||||
corenet_tcp_sendrecv_generic_if($1_irc_t)
|
||||
corenet_udp_sendrecv_generic_if($1_irc_t)
|
||||
corenet_raw_sendrecv_generic_if($1_irc_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_irc_t)
|
||||
corenet_udp_sendrecv_all_nodes($1_irc_t)
|
||||
corenet_raw_sendrecv_all_nodes($1_irc_t)
|
||||
corenet_tcp_sendrecv_all_ports($1_irc_t)
|
||||
corenet_udp_sendrecv_all_ports($1_irc_t)
|
||||
corenet_tcp_bind_all_nodes($1_irc_t)
|
||||
corenet_udp_bind_all_nodes($1_irc_t)
|
||||
corenet_sendrecv_ircd_client_packets($1_irc_t)
|
||||
# cjp: this seems excessive:
|
||||
corenet_tcp_connect_all_ports($1_irc_t)
|
||||
corenet_sendrecv_all_client_packets($1_irc_t)
|
||||
|
||||
domain_use_interactive_fds($1_irc_t)
|
||||
|
||||
|
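Review bot: `corenet_sendrecv_all_client_packets($1_irc_t)` extends to the packet layer the grant that the comment `# cjp: this seems excessive:` already questions, and it makes `corenet_sendrecv_ircd_client_packets($1_irc_t)` two lines earlier redundant. Keeping only the ircd-specific packet rule here would stop the packet checks from inheriting the over-broad `corenet_tcp_connect_all_ports` by default. If the all-ports pair has to stay, say in the comment which client feature needs it so it can be narrowed later. Which lines are new is inferred from the commit title and the line counts, since the +/- column is lost in this rendering.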
@ -103,15 +103,12 @@ template(`java_per_userdomain_template',`
|
||||
corenet_non_ipsec_sendrecv($1_javaplugin_t)
|
||||
corenet_tcp_sendrecv_generic_if($1_javaplugin_t)
|
||||
corenet_udp_sendrecv_generic_if($1_javaplugin_t)
|
||||
corenet_raw_sendrecv_generic_if($1_javaplugin_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_javaplugin_t)
|
||||
corenet_udp_sendrecv_all_nodes($1_javaplugin_t)
|
||||
corenet_raw_sendrecv_all_nodes($1_javaplugin_t)
|
||||
corenet_tcp_sendrecv_all_ports($1_javaplugin_t)
|
||||
corenet_udp_sendrecv_all_ports($1_javaplugin_t)
|
||||
corenet_tcp_bind_all_nodes($1_javaplugin_t)
|
||||
corenet_udp_bind_all_nodes($1_javaplugin_t)
|
||||
corenet_tcp_connect_all_ports($1_javaplugin_t)
|
||||
corenet_sendrecv_all_client_packets($1_javaplugin_t)
|
||||
|
||||
dev_read_sound($1_javaplugin_t)
|
||||
dev_write_sound($1_javaplugin_t)
|
||||
|
@ -128,6 +128,7 @@ template(`mozilla_per_userdomain_template',`
|
||||
corecmd_exec_bin($1_mozilla_t)
|
||||
|
||||
# Browse the web, connect to printer
|
||||
corenet_non_ipsec_sendrecv($1_mozilla_t)
|
||||
corenet_tcp_sendrecv_generic_if($1_mozilla_t)
|
||||
corenet_raw_sendrecv_generic_if($1_mozilla_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_mozilla_t)
|
||||
@ -136,13 +137,16 @@ template(`mozilla_per_userdomain_template',`
|
||||
corenet_tcp_sendrecv_http_cache_port($1_mozilla_t)
|
||||
corenet_tcp_sendrecv_ftp_port($1_mozilla_t)
|
||||
corenet_tcp_sendrecv_ipp_port($1_mozilla_t)
|
||||
corenet_non_ipsec_sendrecv($1_mozilla_t)
|
||||
corenet_tcp_bind_all_nodes($1_mozilla_t)
|
||||
corenet_tcp_connect_http_port($1_mozilla_t)
|
||||
corenet_tcp_connect_http_cache_port($1_mozilla_t)
|
||||
corenet_tcp_connect_ftp_port($1_mozilla_t)
|
||||
corenet_tcp_connect_ipp_port($1_mozilla_t)
|
||||
corenet_tcp_connect_generic_port($1_mozilla_t)
|
||||
corenet_sendrecv_http_client_packets($1_mozilla_t)
|
||||
corenet_sendrecv_http_cache_client_packets($1_mozilla_t)
|
||||
corenet_sendrecv_ftp_client_packets($1_mozilla_t)
|
||||
corenet_sendrecv_ipp_client_packets($1_mozilla_t)
|
||||
corenet_sendrecv_generic_client_packets($1_mozilla_t)
|
||||
# Should not need other ports
|
||||
corenet_dontaudit_tcp_sendrecv_generic_port($1_mozilla_t)
|
||||
corenet_dontaudit_tcp_bind_generic_port($1_mozilla_t)
|
||||
|
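Review bot: `corenet_sendrecv_generic_client_packets($1_mozilla_t)` is added directly above `# Should not need other ports` and the two `corenet_dontaudit_*_generic_port` lines, so the block both allows generic-port client traffic and silences denials on generic ports without saying which is intended. The new line mirrors `corenet_tcp_connect_generic_port($1_mozilla_t)`, which the 13→16 line counts suggest was already present. A comment on the generic pair, e.g. `# generic ports: <what the browser needs them for>`, would make the intent auditable, since the dontaudit rules otherwise hide the denials a reviewer would use to check it. The template body continues outside the hunk.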
@ -116,16 +116,13 @@ template(`screen_per_userdomain_template',`
|
||||
corecmd_shell_domtrans($1_screen_t,$2)
|
||||
corecmd_bin_domtrans($1_screen_t,$2)
|
||||
|
||||
corenet_non_ipsec_sendrecv($1_screen_t)
|
||||
corenet_tcp_sendrecv_generic_if($1_screen_t)
|
||||
corenet_udp_sendrecv_generic_if($1_screen_t)
|
||||
corenet_raw_sendrecv_generic_if($1_screen_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_screen_t)
|
||||
corenet_udp_sendrecv_all_nodes($1_screen_t)
|
||||
corenet_raw_sendrecv_all_nodes($1_screen_t)
|
||||
corenet_tcp_sendrecv_all_ports($1_screen_t)
|
||||
corenet_udp_sendrecv_all_ports($1_screen_t)
|
||||
corenet_tcp_bind_all_nodes($1_screen_t)
|
||||
corenet_udp_bind_all_nodes($1_screen_t)
|
||||
corenet_tcp_connect_all_ports($1_screen_t)
|
||||
|
||||
dev_dontaudit_getattr_all_chr_files($1_screen_t)
|
||||
|
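Review bot: `corenet_tcp_connect_all_ports($1_screen_t)` remains in this hunk without a matching `corenet_sendrecv_all_client_packets($1_screen_t)`, while gpg, irc, javaplugin, uml and vmware_host get that line next to the same connect rule in this commit. If the omission is deliberate, a one-line comment above the connect rule saying why would prevent a later "fix". Otherwise add `corenet_sendrecv_all_client_packets($1_screen_t)` after it. It is also worth confirming that the screen domain needs to connect to every TCP port at all. The template body continues outside the hunk.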
@ -106,24 +106,27 @@ template(`thunderbird_per_userdomain_template',`
|
||||
# Startup shellscript
|
||||
corecmd_exec_bin($1_thunderbird_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv($1_thunderbird_t)
|
||||
corenet_tcp_sendrecv_generic_if($1_thunderbird_t)
|
||||
corenet_raw_sendrecv_generic_if($1_thunderbird_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_thunderbird_t)
|
||||
corenet_tcp_sendrecv_ipp_port($1_thunderbird_t)
|
||||
corenet_tcp_sendrecv_ldap_port($1_thunderbird_t)
|
||||
corenet_tcp_sendrecv_innd_port($1_thunderbird_t)
|
||||
corenet_tcp_sendrecv_smtp_port($1_thunderbird_t)
|
||||
corenet_tcp_sendrecv_pop_port($1_thunderbird_t)
|
||||
corenet_tcp_sendrecv_http_port($1_thunderbird_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_thunderbird_t)
|
||||
corenet_raw_sendrecv_all_nodes($1_thunderbird_t)
|
||||
corenet_non_ipsec_sendrecv($1_thunderbird_t)
|
||||
corenet_tcp_bind_all_nodes($1_thunderbird_t)
|
||||
corenet_tcp_connect_ipp_port($1_thunderbird_t)
|
||||
corenet_tcp_connect_ldap_port($1_thunderbird_t)
|
||||
corenet_tcp_connect_innd_port($1_thunderbird_t)
|
||||
corenet_tcp_connect_smtp_port($1_thunderbird_t)
|
||||
corenet_tcp_connect_pop_port($1_thunderbird_t)
|
||||
corenet_tcp_connect_http_port($1_thunderbird_t)
|
||||
corenet_sendrecv_ipp_client_packets($1_thunderbird_t)
|
||||
corenet_sendrecv_ldap_client_packets($1_thunderbird_t)
|
||||
corenet_sendrecv_innd_client_packets($1_thunderbird_t)
|
||||
corenet_sendrecv_smtp_client_packets($1_thunderbird_t)
|
||||
corenet_sendrecv_pop_client_packets($1_thunderbird_t)
|
||||
corenet_sendrecv_http_client_packets($1_thunderbird_t)
|
||||
|
||||
files_list_tmp($1_thunderbird_t)
|
||||
files_read_usr_files($1_thunderbird_t)
|
||||
|
@ -65,7 +65,7 @@ template(`uml_per_userdomain_template',`
|
||||
# Local policy
|
||||
#
|
||||
allow $1_uml_t self:fifo_file rw_file_perms;
|
||||
allow $1_uml_t self:process { fork signal_perms ptrace };
|
||||
allow $1_uml_t self:process { signal_perms ptrace };
|
||||
allow $1_uml_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow $1_uml_t self:unix_dgram_socket create_socket_perms;
|
||||
# Use the network.
|
||||
@ -147,18 +147,15 @@ template(`uml_per_userdomain_template',`
|
||||
corecmd_exec_bin($1_uml_t)
|
||||
corecmd_exec_sbin($1_uml_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv($1_uml_t)
|
||||
corenet_tcp_sendrecv_generic_if($1_uml_t)
|
||||
corenet_udp_sendrecv_generic_if($1_uml_t)
|
||||
corenet_raw_sendrecv_generic_if($1_uml_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_uml_t)
|
||||
corenet_udp_sendrecv_all_nodes($1_uml_t)
|
||||
corenet_raw_sendrecv_all_nodes($1_uml_t)
|
||||
corenet_tcp_sendrecv_all_ports($1_uml_t)
|
||||
corenet_udp_sendrecv_all_ports($1_uml_t)
|
||||
corenet_non_ipsec_sendrecv($1_uml_t)
|
||||
corenet_tcp_bind_all_nodes($1_uml_t)
|
||||
corenet_udp_bind_all_nodes($1_uml_t)
|
||||
corenet_tcp_connect_all_ports($1_uml_t)
|
||||
corenet_sendrecv_all_client_packets($1_uml_t)
|
||||
corenet_rw_tun_tap_dev($1_uml_t)
|
||||
|
||||
domain_use_interactive_fds($1_uml_t)
|
||||
|
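Review bot: The first hunk of `uml_per_userdomain_template` changes the `allow $1_uml_t self:process` rule between `{ fork signal_perms ptrace }` and `{ signal_perms ptrace }`, which is unrelated to packet interfaces and not covered by the commit title. The rendering no longer shows which of the two lines is the new one, so the direction needs confirming against the raw diff. Because this alters process permissions for a domain that keeps `ptrace`, it should be mentioned in the commit message or split into its own commit. If `fork` is the permission being dropped, a comment such as `# fork is granted by <interface>` would tell the reader where it now comes from.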
@ -51,6 +51,9 @@ corenet_non_ipsec_sendrecv(vmware_host_t)
|
||||
corenet_raw_sendrecv_generic_if(vmware_host_t)
|
||||
corenet_raw_sendrecv_all_nodes(vmware_host_t)
|
||||
corenet_raw_bind_all_nodes(vmware_host_t)
|
||||
corenet_tcp_sendrecv_all_ports(vmware_host_t)
|
||||
corenet_tcp_connect_all_ports(vmware_host_t)
|
||||
corenet_sendrecv_all_client_packets(vmware_host_t)
|
||||
|
||||
dev_read_sysfs(vmware_host_t)
|
||||
dev_rw_vmware(vmware_host_t)
|
||||
|
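Review bot: The three lines this hunk adds for `vmware_host_t` (the 6→9 counts leave room for nothing else) include `corenet_tcp_sendrecv_all_ports` and `corenet_tcp_connect_all_ports`, which is a new outbound TCP grant to every port rather than only the packet rule the commit title describes. The surrounding lines show only raw interface and node rules, so the matching TCP interface and node rules are either outside the hunk or missing. Consider narrowing the connect rule to the ports the host service needs, or add a comment above it naming the reason, e.g. `# <component> connects to <service>`. The block continues outside the hunk.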
@ -44,7 +44,6 @@ allow webalizer_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow webalizer_t self:unix_dgram_socket sendto;
|
||||
allow webalizer_t self:unix_stream_socket connectto;
|
||||
allow webalizer_t self:tcp_socket connected_stream_socket_perms;
|
||||
allow webalizer_t self:udp_socket { connect connected_socket_perms };
|
||||
|
||||
allow webalizer_t webalizer_etc_t:file { getattr read };
|
||||
|
||||
@ -59,17 +58,10 @@ files_var_lib_filetrans(webalizer_t,webalizer_var_lib_t,file)
|
||||
kernel_read_kernel_sysctls(webalizer_t)
|
||||
kernel_read_system_state(webalizer_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(webalizer_t)
|
||||
corenet_udp_sendrecv_all_if(webalizer_t)
|
||||
corenet_raw_sendrecv_all_if(webalizer_t)
|
||||
corenet_udp_sendrecv_all_nodes(webalizer_t)
|
||||
corenet_tcp_sendrecv_all_nodes(webalizer_t)
|
||||
corenet_raw_sendrecv_all_nodes(webalizer_t)
|
||||
corenet_tcp_sendrecv_all_ports(webalizer_t)
|
||||
corenet_udp_sendrecv_all_ports(webalizer_t)
|
||||
corenet_non_ipsec_sendrecv(webalizer_t)
|
||||
corenet_tcp_bind_all_nodes(webalizer_t)
|
||||
corenet_udp_bind_all_nodes(webalizer_t)
|
||||
corenet_tcp_sendrecv_all_if(webalizer_t)
|
||||
corenet_tcp_sendrecv_all_nodes(webalizer_t)
|
||||
corenet_tcp_sendrecv_all_ports(webalizer_t)
|
||||
|
||||
fs_search_auto_mountpoints(webalizer_t)
|
||||
|
||||
@ -84,6 +76,7 @@ logging_send_syslog_msg(webalizer_t)
|
||||
|
||||
miscfiles_read_localization(webalizer_t)
|
||||
|
||||
sysnet_dns_name_resolve(webalizer_t)
|
||||
sysnet_read_config(webalizer_t)
|
||||
|
||||
userdom_use_unpriv_users_fds(webalizer_t)
|
||||
|
@ -37,7 +37,6 @@ allow yam_t self:sem create_sem_perms;
|
||||
allow yam_t self:msgq create_msgq_perms;
|
||||
allow yam_t self:msg { send receive };
|
||||
allow yam_t self:tcp_socket create_socket_perms;
|
||||
allow yam_t self:udp_socket create_socket_perms;
|
||||
|
||||
# Update the content being managed by yam.
|
||||
allow yam_t yam_content_t:dir create_dir_perms;
|
||||
@ -61,19 +60,14 @@ corecmd_exec_bin(yam_t)
|
||||
|
||||
# Rsync and lftp need to network. They also set files attributes to
|
||||
# match whats on the remote server.
|
||||
corenet_tcp_sendrecv_generic_if(yam_t)
|
||||
corenet_udp_sendrecv_generic_if(yam_t)
|
||||
corenet_raw_sendrecv_generic_if(yam_t)
|
||||
corenet_tcp_sendrecv_all_nodes(yam_t)
|
||||
corenet_udp_sendrecv_all_nodes(yam_t)
|
||||
corenet_raw_sendrecv_all_nodes(yam_t)
|
||||
corenet_tcp_sendrecv_all_ports(yam_t)
|
||||
corenet_udp_sendrecv_all_ports(yam_t)
|
||||
corenet_non_ipsec_sendrecv(yam_t)
|
||||
corenet_tcp_bind_all_nodes(yam_t)
|
||||
corenet_udp_bind_all_nodes(yam_t)
|
||||
corenet_tcp_sendrecv_generic_if(yam_t)
|
||||
corenet_tcp_sendrecv_all_nodes(yam_t)
|
||||
corenet_tcp_sendrecv_all_ports(yam_t)
|
||||
corenet_tcp_connect_http_port(yam_t)
|
||||
corenet_tcp_connect_rsync_port(yam_t)
|
||||
corenet_sendrecv_http_client_packets(yam_t)
|
||||
corenet_sendrecv_rsync_client_packets(yam_t)
|
||||
|
||||
# mktemp
|
||||
dev_read_urand(yam_t)
|
||||
@ -101,6 +95,7 @@ miscfiles_read_localization(yam_t)
|
||||
|
||||
seutil_read_config(yam_t)
|
||||
|
||||
sysnet_dns_name_resolve(yam_t)
|
||||
sysnet_read_config(yam_t)
|
||||
|
||||
userdom_use_unpriv_users_fds(yam_t)
|
||||
|