remove raw network, make mta optional, and a little cleanup.

Chris PeBenito 2006-06-16 19:54:21 +00:00
parent e586ecc752
commit cc0c00d044


@ -165,10 +165,8 @@ template(`base_user_template',`
corenet_non_ipsec_sendrecv($1_t)
corenet_tcp_sendrecv_all_if($1_t)
corenet_raw_sendrecv_all_if($1_t)
corenet_udp_sendrecv_all_if($1_t)
corenet_tcp_sendrecv_all_nodes($1_t)
corenet_raw_sendrecv_all_nodes($1_t)
corenet_udp_sendrecv_all_nodes($1_t)
corenet_tcp_sendrecv_all_ports($1_t)
corenet_udp_sendrecv_all_ports($1_t)
@ -256,8 +254,6 @@ template(`base_user_template',`
seutil_read_default_contexts($1_t)
seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
mta_rw_spool($1_t)
tunable_policy(`allow_execmem',`
# Allow loading DSOs that require executable stack.
allow $1_t self:process execmem;
@ -384,6 +380,10 @@ template(`base_user_template',`
jabber_tcp_connect($1_t)
')
optional_policy(`
mta_rw_spool($1_t)
')
optional_policy(`
nis_use_ypbind($1_t)
')
@ -643,7 +643,7 @@ template(`unpriv_user_template', `
')
ifdef(`TODO',`
ifdef(`enable_mls',`',`
ifndef(`enable_mls',`
fs_exec_noxattr($1_t)
tunable_policy(`user_rw_noexattrfile',`
@ -654,8 +654,8 @@ template(`unpriv_user_template', `
# cjp: what does this have to do with removable devices?
allow $1_t usbtty_device_t:chr_file write;
',`
fs_read_noxattr_files($1_t)
r_dir_file($1_t, noexattrfile)
r_dir_file($1_t, removable_t)
allow $1_t removable_device_t:blk_file r_file_perms;
')
')
@ -703,14 +703,6 @@ template(`unpriv_user_template', `
dontaudit $1_t sysadm_home_t:file { read append };
ifdef(`syslogd.te', `
# Some programs that are left in $1_t will try to connect
# to syslogd, but we do not want to let them generate log messages.
# Do not audit.
dontaudit $1_t devlog_t:sock_file { read write };
dontaudit $1_t syslogd_t:unix_dgram_socket sendto;
')
allow $1_t initrc_t:fifo_file write;
') dnl end TODO
')
@ -923,12 +915,6 @@ template(`admin_user_template',`
can_pipe_xdm($1_t)
')
# Connect data port to ftpd.
ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')
# Connect second port to rshd.
ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')
# Allow MAKEDEV to work
allow $1_t device_t:dir rw_dir_perms;
allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
@ -960,11 +946,8 @@ template(`admin_user_template',`
allow $1_t usbtty_device_t:chr_file write;
',`
r_dir_file($1_t, noexattrfile)
r_dir_file($1_t, removable_t)
allow $1_t removable_device_t:blk_file r_file_perms;
storage_raw_read_removable_device($1_t)
')
allow $1 removable_t:filesystem getattr;
') dnl endif TODO
')
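Review bot: Dropping corenet_raw_sendrecv_all_if and corenet_raw_sendrecv_all_nodes in the first hunk (@ -165) only withdraws the netif/node side of raw IP traffic; whether base_user_template still carries an `allow $1_t self:rawip_socket` (or packet_socket) rule is outside this section, and if it does, the "remove raw network" intent is only partly met, so that allow should be checked in the same template. The hunk at @ -384 is the one worth a comment: mta_rw_spool was unconditional before and now sits in optional_policy, so a user domain built without the mta module silently loses mail-spool access; a one-line `# mail spool access only when the mta module is present` above the block would record that this is deliberate rather than an oversight. The remaining hunks appear to edit only text inside ifdef(`TODO', ...) blocks (see the `') dnl end TODO` markers), which m4 discards unless TODO is defined, so they should not change the compiled policy. The base_user_template, unpriv_user_template and admin_user_template bodies all start and end outside these hunks.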