misc fixes
parent
84313262d7
commit
c3812748c3
@ -1,6 +1,6 @@
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Rules and Targets for building monolithic policies
|
# Rules and Targets for building modular policies
|
||||||
#
|
#
|
||||||
|
|
||||||
ALL_MODULES := $(filter $(BASE_MODS) $(MOD_MODS),$(DETECTED_MODS))
|
ALL_MODULES := $(filter $(BASE_MODS) $(MOD_MODS),$(DETECTED_MODS))
|
||||||
|
@ -314,6 +314,12 @@ seutil_domtrans_restorecon(rpm_script_t)
|
|||||||
|
|
||||||
userdom_use_all_user_fd(rpm_script_t)
|
userdom_use_all_user_fd(rpm_script_t)
|
||||||
|
|
||||||
|
ifdef(`distro_redhat',`
|
||||||
|
optional_policy(`mta.te',`
|
||||||
|
mta_send_mail(rpm_script_t)
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
ifdef(`targeted_policy',`
|
ifdef(`targeted_policy',`
|
||||||
unconfined_domain_template(rpm_t)
|
unconfined_domain_template(rpm_t)
|
||||||
')
|
')
|
||||||
|
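Review bot: The new `mta_send_mail(rpm_script_t)` block carries no comment recording why rpm scripts need to send mail, while the block it replaces in sendmail.te (the `domain_auto_trans(rpm_script_t, sendmail_exec_t, system_mail_t)` removed in this same commit) had `# Need this transition to create /etc/aliases.db` above it. Carry that rationale over so the reason survives the move, e.g. `# rpm scripts run newaliases to create /etc/aliases.db (moved from sendmail.te)`. Whether mta_send_mail() grants exactly the old transition or something broader cannot be seen from this hunk; if it is broader, that widening deserves a line in the commit message.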
@ -156,6 +156,7 @@ allow kernel_t self:capability *;
|
|||||||
allow kernel_t unlabeled_t:dir mounton;
|
allow kernel_t unlabeled_t:dir mounton;
|
||||||
|
|
||||||
# old general_domain_access()
|
# old general_domain_access()
|
||||||
|
allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||||
allow kernel_t self:shm create_shm_perms;
|
allow kernel_t self:shm create_shm_perms;
|
||||||
allow kernel_t self:sem create_sem_perms;
|
allow kernel_t self:sem create_sem_perms;
|
||||||
allow kernel_t self:msg { send receive };
|
allow kernel_t self:msg { send receive };
|
||||||
|
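Review bot: The added `allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` uses a complemented permission set, so any permission later added to the process class is granted to kernel_t without anyone revisiting this rule. Listing the intended permissions positively keeps the grant explicit and reviewable; if the complement form is deliberate (the hunk header shows kernel_t already holds `self:capability *`), a comment saying so, e.g. `# complement is intentional: kernel_t is treated as effectively unconfined`, would stop the next reader from tightening it blindly. The exclusion list does keep ptrace and the exec* memory permissions out, which is the part most worth preserving either way.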
@ -56,6 +56,7 @@ type getty_t;
|
|||||||
type login_exec_t;
|
type login_exec_t;
|
||||||
type init_exec_t;
|
type init_exec_t;
|
||||||
type initrc_t;
|
type initrc_t;
|
||||||
|
type sshd_exec_t;
|
||||||
type su_exec_t;
|
type su_exec_t;
|
||||||
type udev_exec_t;
|
type udev_exec_t;
|
||||||
type unconfined_t;
|
type unconfined_t;
|
||||||
|
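Review bot: The added `type sshd_exec_t;` declaration has no comment explaining why an ssh type is declared in this file rather than in ssh.te; the ssh.te hunk in this commit only says `# real declaration moved to mls until range_transition works in loadable modules` on the require side. Mirror that here, e.g. `# sshd_exec_t: declared here, not in ssh.te, until range_transition works in loadable modules`, so the two halves can be found and reverted together later. The file name is not visible in this rendering, so I am assuming this is the mls file the ssh.te comment refers to.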
@ -32,7 +32,7 @@ files_pid_file(system_dbusd_var_run_t)
|
|||||||
# cjp: dac_override should probably go in a distro_debian
|
# cjp: dac_override should probably go in a distro_debian
|
||||||
allow system_dbusd_t self:capability { dac_override setgid setuid };
|
allow system_dbusd_t self:capability { dac_override setgid setuid };
|
||||||
dontaudit system_dbusd_t self:capability sys_tty_config;
|
dontaudit system_dbusd_t self:capability sys_tty_config;
|
||||||
allow system_dbusd_t self:process getattr;
|
allow system_dbusd_t self:process { getattr signal_perms };
|
||||||
allow system_dbusd_t self:fifo_file { read write };
|
allow system_dbusd_t self:fifo_file { read write };
|
||||||
allow system_dbusd_t self:dbus { send_msg acquire_svc };
|
allow system_dbusd_t self:dbus { send_msg acquire_svc };
|
||||||
allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
|
allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
|
||||||
|
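Review bot: The rule two lines below the change, `allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };`, lists `connectto` twice; the duplicate is harmless to the compiler but reads as if a different permission was meant, and a "misc fixes" commit is the natural place to drop the second occurrence. The change itself, widening `self:process getattr` to `{ getattr signal_perms }`, looks reasonable, but nothing in the hunk shows what triggered it; a short why-comment above the rule, e.g. `# signal_perms: <denial or feature that needed it -- fill in>`, would help the next reader.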
@ -23,6 +23,7 @@ files_pid_file(privoxy_var_run_t)
|
|||||||
|
|
||||||
allow privoxy_t self:capability { setgid setuid };
|
allow privoxy_t self:capability { setgid setuid };
|
||||||
dontaudit privoxy_t self:capability sys_tty_config;
|
dontaudit privoxy_t self:capability sys_tty_config;
|
||||||
|
allow privoxy_t self:tcp_socket create_stream_socket_perms;
|
||||||
|
|
||||||
allow privoxy_t privoxy_log_t:file create_file_perms;
|
allow privoxy_t privoxy_log_t:file create_file_perms;
|
||||||
allow privoxy_t privoxy_log_t:dir rw_dir_perms;
|
allow privoxy_t privoxy_log_t:dir rw_dir_perms;
|
||||||
@ -41,6 +42,8 @@ corenet_tcp_sendrecv_all_nodes(privoxy_t)
|
|||||||
corenet_raw_sendrecv_all_nodes(privoxy_t)
|
corenet_raw_sendrecv_all_nodes(privoxy_t)
|
||||||
corenet_tcp_sendrecv_all_ports(privoxy_t)
|
corenet_tcp_sendrecv_all_ports(privoxy_t)
|
||||||
corenet_tcp_bind_http_cache_port(privoxy_t)
|
corenet_tcp_bind_http_cache_port(privoxy_t)
|
||||||
|
corenet_tcp_connect_http_port(privoxy_t)
|
||||||
|
corenet_tcp_connect_ftp_port(privoxy_t)
|
||||||
|
|
||||||
dev_read_sysfs(privoxy_t)
|
dev_read_sysfs(privoxy_t)
|
||||||
|
|
||||||
|
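Review bot: The new outbound rules `corenet_tcp_connect_http_port(privoxy_t)` and `corenet_tcp_connect_ftp_port(privoxy_t)` in the second hunk have no comment saying why a web proxy needs the ftp port, and neither does the `allow privoxy_t self:tcp_socket create_stream_socket_perms;` line in the first hunk. A one-line comment above the pair, e.g. `# forward client requests to upstream http/ftp servers`, would document the intended reach; if the ftp port turns out not to be needed for upstream forwarding, leaving it out keeps the proxy's outbound surface to what it actually uses. The module already carries `corenet_tcp_sendrecv_all_ports(privoxy_t)`, so connect is the only thing being widened here.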
@ -130,15 +130,6 @@ optional_policy(`rhgb.te', `
|
|||||||
rhgb_domain(sendmail_t)
|
rhgb_domain(sendmail_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
#
|
|
||||||
# Need this transition to create /etc/aliases.db
|
|
||||||
#
|
|
||||||
ifdef(`distro_redhat', `
|
|
||||||
ifdef(`rpm.te', `
|
|
||||||
domain_auto_trans(rpm_script_t, sendmail_exec_t, system_mail_t)
|
|
||||||
')
|
|
||||||
')
|
|
||||||
|
|
||||||
allow sendmail_t etc_mail_t:dir rw_dir_perms;
|
allow sendmail_t etc_mail_t:dir rw_dir_perms;
|
||||||
allow sendmail_t etc_mail_t:file create_file_perms;
|
allow sendmail_t etc_mail_t:file create_file_perms;
|
||||||
# for the start script to run make -C /etc/mail
|
# for the start script to run make -C /etc/mail
|
||||||
|
@ -528,7 +528,7 @@ template(`ssh_server_template', `
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`nscd.te',`
|
optional_policy(`nscd.te',`
|
||||||
nscd_use_socket(crond_t)
|
nscd_use_socket($1_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
@ -24,7 +24,15 @@ role system_r types ssh_keygen_t;
|
|||||||
type ssh_keysign_exec_t;
|
type ssh_keysign_exec_t;
|
||||||
files_type(ssh_keysign_exec_t)
|
files_type(ssh_keysign_exec_t)
|
||||||
|
|
||||||
|
# real declaration moved to mls until
|
||||||
|
# range_transition works in loadable modules
|
||||||
|
gen_require(`
|
||||||
|
type sshd_exec_t;
|
||||||
|
')
|
||||||
|
files_type(sshd_exec_t)
|
||||||
|
|
||||||
ssh_server_template(sshd)
|
ssh_server_template(sshd)
|
||||||
|
ssh_server_template(sshd_extern)
|
||||||
|
|
||||||
# cjp: commenting this out until typeattribute works in a conditional
|
# cjp: commenting this out until typeattribute works in a conditional
|
||||||
#optional_policy(`inetd.te',`
|
#optional_policy(`inetd.te',`
|
||||||
@ -39,11 +47,6 @@ ssh_server_template(sshd)
|
|||||||
init_daemon_domain(sshd_t,sshd_exec_t)
|
init_daemon_domain(sshd_t,sshd_exec_t)
|
||||||
#')
|
#')
|
||||||
|
|
||||||
type sshd_exec_t;
|
|
||||||
files_type(sshd_exec_t)
|
|
||||||
|
|
||||||
ssh_server_template(sshd_extern)
|
|
||||||
|
|
||||||
type sshd_key_t;
|
type sshd_key_t;
|
||||||
files_type(sshd_key_t)
|
files_type(sshd_key_t)
|
||||||
|
|
||||||
|
@ -1,6 +1,10 @@
|
|||||||
|
|
||||||
policy_module(init,1.0)
|
policy_module(init,1.0)
|
||||||
|
|
||||||
|
gen_require(`
|
||||||
|
class passwd rootok;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
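Review bot: The new `gen_require(` block requiring `class passwd rootok;` gives no hint of which rule in init.te uses it, and the other init.te hunk in this commit (the ssh optional_policy simplification) does not use that class either. A comment naming the consumer, e.g. `# passwd:rootok is needed by <the rule below that uses it -- fill in>`, would keep the require from being deleted as unused later. If no rule in the file uses it yet, the require is premature and should travel with the rule that needs it.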
@ -569,13 +573,7 @@ optional_policy(`squid.te',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`ssh.te',`
|
optional_policy(`ssh.te',`
|
||||||
optional_policy(`inetd.te',`
|
|
||||||
tunable_policy(`run_ssh_inetd',`',`
|
|
||||||
ssh_dontaudit_read_server_keys(initrc_t)
|
ssh_dontaudit_read_server_keys(initrc_t)
|
||||||
')
|
|
||||||
',`
|
|
||||||
ssh_dontaudit_read_server_keys(initrc_t)
|
|
||||||
')
|
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`sysnetwork.te',`
|
optional_policy(`sysnetwork.te',`
|
||||||
|
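Review bot: The simplified `optional_policy(`ssh.te',` block now calls `ssh_dontaudit_read_server_keys(initrc_t)` unconditionally, whereas the removed code kept those key reads audited when inetd.te was present and `run_ssh_inetd` was on, and only silenced them otherwise. That is a behavior change hidden under a cleanup: in the inetd configuration, initrc_t reading sshd's server keys no longer shows up in the audit log. If the tunable structure was removed because conditional blocks were causing build problems, say so in a comment above the call, e.g. `# unconditional on purpose: run_ssh_inetd tunable dropped, key reads by initrc are never audited`; otherwise keeping the tunable preserves the audit signal in the inetd case.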