misc fixes
This commit is contained in:
Chris PeBenito
parent
84313262d7
commit
c3812748c3
@ -1,6 +1,6 @@
|
||||
########################################
|
||||
#
|
||||
# Rules and Targets for building monolithic policies
|
||||
# Rules and Targets for building modular policies
|
||||
#
|
||||
|
||||
ALL_MODULES := $(filter $(BASE_MODS) $(MOD_MODS),$(DETECTED_MODS))
|
||||
|
||||
@ -314,6 +314,12 @@ seutil_domtrans_restorecon(rpm_script_t)
|
||||
|
||||
userdom_use_all_user_fd(rpm_script_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
optional_policy(`mta.te',`
|
||||
mta_send_mail(rpm_script_t)
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
unconfined_domain_template(rpm_t)
|
||||
')
|
||||
|
||||
@ -156,6 +156,7 @@ allow kernel_t self:capability *;
|
||||
allow kernel_t unlabeled_t:dir mounton;
|
||||
|
||||
# old general_domain_access()
|
||||
allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow kernel_t self:shm create_shm_perms;
|
||||
allow kernel_t self:sem create_sem_perms;
|
||||
allow kernel_t self:msg { send receive };
|
||||
|
||||
@ -56,6 +56,7 @@ type getty_t;
|
||||
type login_exec_t;
|
||||
type init_exec_t;
|
||||
type initrc_t;
|
||||
type sshd_exec_t;
|
||||
type su_exec_t;
|
||||
type udev_exec_t;
|
||||
type unconfined_t;
|
||||
|
||||
@ -32,7 +32,7 @@ files_pid_file(system_dbusd_var_run_t)
|
||||
# cjp: dac_override should probably go in a distro_debian
|
||||
allow system_dbusd_t self:capability { dac_override setgid setuid };
|
||||
dontaudit system_dbusd_t self:capability sys_tty_config;
|
||||
allow system_dbusd_t self:process getattr;
|
||||
allow system_dbusd_t self:process { getattr signal_perms };
|
||||
allow system_dbusd_t self:fifo_file { read write };
|
||||
allow system_dbusd_t self:dbus { send_msg acquire_svc };
|
||||
allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
|
||||
|
||||
@ -23,6 +23,7 @@ files_pid_file(privoxy_var_run_t)
|
||||
|
||||
allow privoxy_t self:capability { setgid setuid };
|
||||
dontaudit privoxy_t self:capability sys_tty_config;
|
||||
allow privoxy_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
allow privoxy_t privoxy_log_t:file create_file_perms;
|
||||
allow privoxy_t privoxy_log_t:dir rw_dir_perms;
|
||||
@ -41,6 +42,8 @@ corenet_tcp_sendrecv_all_nodes(privoxy_t)
|
||||
corenet_raw_sendrecv_all_nodes(privoxy_t)
|
||||
corenet_tcp_sendrecv_all_ports(privoxy_t)
|
||||
corenet_tcp_bind_http_cache_port(privoxy_t)
|
||||
corenet_tcp_connect_http_port(privoxy_t)
|
||||
corenet_tcp_connect_ftp_port(privoxy_t)
|
||||
|
||||
dev_read_sysfs(privoxy_t)
|
||||
|
||||
|
||||
@ -130,15 +130,6 @@ optional_policy(`rhgb.te', `
|
||||
rhgb_domain(sendmail_t)
|
||||
')
|
||||
|
||||
#
|
||||
# Need this transition to create /etc/aliases.db
|
||||
#
|
||||
ifdef(`distro_redhat', `
|
||||
ifdef(`rpm.te', `
|
||||
domain_auto_trans(rpm_script_t, sendmail_exec_t, system_mail_t)
|
||||
')
|
||||
')
|
||||
|
||||
allow sendmail_t etc_mail_t:dir rw_dir_perms;
|
||||
allow sendmail_t etc_mail_t:file create_file_perms;
|
||||
# for the start script to run make -C /etc/mail
|
||||
|
||||
@ -528,7 +528,7 @@ template(`ssh_server_template', `
|
||||
')
|
||||
|
||||
optional_policy(`nscd.te',`
|
||||
nscd_use_socket(crond_t)
|
||||
nscd_use_socket($1_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
@ -24,7 +24,15 @@ role system_r types ssh_keygen_t;
|
||||
type ssh_keysign_exec_t;
|
||||
files_type(ssh_keysign_exec_t)
|
||||
|
||||
# real declaration moved to mls until
|
||||
# range_transition works in loadable modules
|
||||
gen_require(`
|
||||
type sshd_exec_t;
|
||||
')
|
||||
files_type(sshd_exec_t)
|
||||
|
||||
ssh_server_template(sshd)
|
||||
ssh_server_template(sshd_extern)
|
||||
|
||||
# cjp: commenting this out until typeattribute works in a conditional
|
||||
#optional_policy(`inetd.te',`
|
||||
@ -39,11 +47,6 @@ ssh_server_template(sshd)
|
||||
init_daemon_domain(sshd_t,sshd_exec_t)
|
||||
#')
|
||||
|
||||
type sshd_exec_t;
|
||||
files_type(sshd_exec_t)
|
||||
|
||||
ssh_server_template(sshd_extern)
|
||||
|
||||
type sshd_key_t;
|
||||
files_type(sshd_key_t)
|
||||
|
||||
|
||||
@ -1,6 +1,10 @@
|
||||
|
||||
policy_module(init,1.0)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
@ -569,13 +573,7 @@ optional_policy(`squid.te',`
|
||||
')
|
||||
|
||||
optional_policy(`ssh.te',`
|
||||
optional_policy(`inetd.te',`
|
||||
tunable_policy(`run_ssh_inetd',`',`
|
||||
ssh_dontaudit_read_server_keys(initrc_t)
|
||||
')
|
||||
',`
|
||||
ssh_dontaudit_read_server_keys(initrc_t)
|
||||
')
|
||||
ssh_dontaudit_read_server_keys(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`sysnetwork.te',`
|
||||
|
||||
Loading…
Reference in New Issue
Block a user