misc fixes

This commit is contained in:
Chris PeBenito 2005-10-18 15:07:11 +00:00
parent 84313262d7
commit c3812748c3
10 changed files with 27 additions and 24 deletions

View File

@ -1,6 +1,6 @@
######################################## ########################################
# #
# Rules and Targets for building monolithic policies # Rules and Targets for building modular policies
# #
ALL_MODULES := $(filter $(BASE_MODS) $(MOD_MODS),$(DETECTED_MODS)) ALL_MODULES := $(filter $(BASE_MODS) $(MOD_MODS),$(DETECTED_MODS))

View File

@ -314,6 +314,12 @@ seutil_domtrans_restorecon(rpm_script_t)
userdom_use_all_user_fd(rpm_script_t) userdom_use_all_user_fd(rpm_script_t)
ifdef(`distro_redhat',`
optional_policy(`mta.te',`
mta_send_mail(rpm_script_t)
')
')
ifdef(`targeted_policy',` ifdef(`targeted_policy',`
unconfined_domain_template(rpm_t) unconfined_domain_template(rpm_t)
') ')

View File

@ -156,6 +156,7 @@ allow kernel_t self:capability *;
allow kernel_t unlabeled_t:dir mounton; allow kernel_t unlabeled_t:dir mounton;
# old general_domain_access() # old general_domain_access()
allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow kernel_t self:shm create_shm_perms; allow kernel_t self:shm create_shm_perms;
allow kernel_t self:sem create_sem_perms; allow kernel_t self:sem create_sem_perms;
allow kernel_t self:msg { send receive }; allow kernel_t self:msg { send receive };

View File

@ -56,6 +56,7 @@ type getty_t;
type login_exec_t; type login_exec_t;
type init_exec_t; type init_exec_t;
type initrc_t; type initrc_t;
type sshd_exec_t;
type su_exec_t; type su_exec_t;
type udev_exec_t; type udev_exec_t;
type unconfined_t; type unconfined_t;

View File

@ -32,7 +32,7 @@ files_pid_file(system_dbusd_var_run_t)
# cjp: dac_override should probably go in a distro_debian # cjp: dac_override should probably go in a distro_debian
allow system_dbusd_t self:capability { dac_override setgid setuid }; allow system_dbusd_t self:capability { dac_override setgid setuid };
dontaudit system_dbusd_t self:capability sys_tty_config; dontaudit system_dbusd_t self:capability sys_tty_config;
allow system_dbusd_t self:process getattr; allow system_dbusd_t self:process { getattr signal_perms };
allow system_dbusd_t self:fifo_file { read write }; allow system_dbusd_t self:fifo_file { read write };
allow system_dbusd_t self:dbus { send_msg acquire_svc }; allow system_dbusd_t self:dbus { send_msg acquire_svc };
allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto }; allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };

View File

@ -23,6 +23,7 @@ files_pid_file(privoxy_var_run_t)
allow privoxy_t self:capability { setgid setuid }; allow privoxy_t self:capability { setgid setuid };
dontaudit privoxy_t self:capability sys_tty_config; dontaudit privoxy_t self:capability sys_tty_config;
allow privoxy_t self:tcp_socket create_stream_socket_perms;
allow privoxy_t privoxy_log_t:file create_file_perms; allow privoxy_t privoxy_log_t:file create_file_perms;
allow privoxy_t privoxy_log_t:dir rw_dir_perms; allow privoxy_t privoxy_log_t:dir rw_dir_perms;
@ -41,6 +42,8 @@ corenet_tcp_sendrecv_all_nodes(privoxy_t)
corenet_raw_sendrecv_all_nodes(privoxy_t) corenet_raw_sendrecv_all_nodes(privoxy_t)
corenet_tcp_sendrecv_all_ports(privoxy_t) corenet_tcp_sendrecv_all_ports(privoxy_t)
corenet_tcp_bind_http_cache_port(privoxy_t) corenet_tcp_bind_http_cache_port(privoxy_t)
corenet_tcp_connect_http_port(privoxy_t)
corenet_tcp_connect_ftp_port(privoxy_t)
dev_read_sysfs(privoxy_t) dev_read_sysfs(privoxy_t)

View File

@ -130,15 +130,6 @@ optional_policy(`rhgb.te', `
rhgb_domain(sendmail_t) rhgb_domain(sendmail_t)
') ')
#
# Need this transition to create /etc/aliases.db
#
ifdef(`distro_redhat', `
ifdef(`rpm.te', `
domain_auto_trans(rpm_script_t, sendmail_exec_t, system_mail_t)
')
')
allow sendmail_t etc_mail_t:dir rw_dir_perms; allow sendmail_t etc_mail_t:dir rw_dir_perms;
allow sendmail_t etc_mail_t:file create_file_perms; allow sendmail_t etc_mail_t:file create_file_perms;
# for the start script to run make -C /etc/mail # for the start script to run make -C /etc/mail

View File

@ -528,7 +528,7 @@ template(`ssh_server_template', `
') ')
optional_policy(`nscd.te',` optional_policy(`nscd.te',`
nscd_use_socket(crond_t) nscd_use_socket($1_t)
') ')
ifdef(`TODO',` ifdef(`TODO',`

View File

@ -24,7 +24,15 @@ role system_r types ssh_keygen_t;
type ssh_keysign_exec_t; type ssh_keysign_exec_t;
files_type(ssh_keysign_exec_t) files_type(ssh_keysign_exec_t)
# real declaration moved to mls until
# range_transition works in loadable modules
gen_require(`
type sshd_exec_t;
')
files_type(sshd_exec_t)
ssh_server_template(sshd) ssh_server_template(sshd)
ssh_server_template(sshd_extern)
# cjp: commenting this out until typeattribute works in a conditional # cjp: commenting this out until typeattribute works in a conditional
#optional_policy(`inetd.te',` #optional_policy(`inetd.te',`
@ -39,11 +47,6 @@ ssh_server_template(sshd)
init_daemon_domain(sshd_t,sshd_exec_t) init_daemon_domain(sshd_t,sshd_exec_t)
#') #')
type sshd_exec_t;
files_type(sshd_exec_t)
ssh_server_template(sshd_extern)
type sshd_key_t; type sshd_key_t;
files_type(sshd_key_t) files_type(sshd_key_t)

View File

@ -1,6 +1,10 @@
policy_module(init,1.0) policy_module(init,1.0)
gen_require(`
class passwd rootok;
')
######################################## ########################################
# #
# Declarations # Declarations
@ -569,13 +573,7 @@ optional_policy(`squid.te',`
') ')
optional_policy(`ssh.te',` optional_policy(`ssh.te',`
optional_policy(`inetd.te',`
tunable_policy(`run_ssh_inetd',`',`
ssh_dontaudit_read_server_keys(initrc_t) ssh_dontaudit_read_server_keys(initrc_t)
')
',`
ssh_dontaudit_read_server_keys(initrc_t)
')
') ')
optional_policy(`sysnetwork.te',` optional_policy(`sysnetwork.te',`