diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te index 0216eb4d..e18dc0b2 100644 --- a/policy/modules/services/cvs.te +++ b/policy/modules/services/cvs.te @@ -35,12 +35,12 @@ files_pid_file(cvs_var_run_t) # Local policy # +allow cvs_t self:capability { setuid setgid }; allow cvs_t self:process signal_perms; allow cvs_t self:fifo_file rw_fifo_file_perms; allow cvs_t self:tcp_socket connected_stream_socket_perms; # for identd; cjp: this should probably only be inetd_child rules? allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -allow cvs_t self:capability { setuid setgid }; manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t) manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t) diff --git a/policy/modules/services/djbdns.te b/policy/modules/services/djbdns.te index 0c6a4736..5fd29a5c 100644 --- a/policy/modules/services/djbdns.te +++ b/policy/modules/services/djbdns.te @@ -23,11 +23,11 @@ djbdns_daemontools_domain_template(tinydns) # Local policy for axfrdns component # +allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot }; + daemontools_ipc_domain(djbdns_axfrdns_t) daemontools_read_svc(djbdns_axfrdns_t) -allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot }; - allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:dir list_dir_perms; allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:file read_file_perms; diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te index ac97ed9d..96e3c804 100644 --- a/policy/modules/services/mailman.te +++ b/policy/modules/services/mailman.te @@ -61,9 +61,9 @@ optional_policy(` # Mailman mail local policy # -allow mailman_mail_t self:unix_dgram_socket create_socket_perms; -allow mailman_mail_t self:process { signal signull }; allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config }; +allow mailman_mail_t self:process { signal signull }; +allow mailman_mail_t self:unix_dgram_socket create_socket_perms; manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te index ac63be99..13c0555e 100644 --- a/policy/modules/services/mysql.te +++ b/policy/modules/services/mysql.te @@ -157,8 +157,8 @@ optional_policy(` allow mysqld_safe_t self:capability { chown dac_override fowner kill }; dontaudit mysqld_safe_t self:capability sys_ptrace; -allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; allow mysqld_safe_t self:process { setsched getsched setrlimit }; +allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te index 4876caec..3bd04d98 100644 --- a/policy/modules/services/nis.te +++ b/policy/modules/services/nis.te @@ -57,8 +57,8 @@ files_pid_file(ypxfr_var_run_t) # ypbind local policy dontaudit ypbind_t self:capability { net_admin sys_tty_config }; -allow ypbind_t self:fifo_file rw_fifo_file_perms; allow ypbind_t self:process signal_perms; +allow ypbind_t self:fifo_file rw_fifo_file_perms; allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms; allow ypbind_t self:netlink_route_socket r_netlink_socket_perms; allow ypbind_t self:tcp_socket create_stream_socket_perms; @@ -142,8 +142,8 @@ optional_policy(` allow yppasswdd_t self:capability dac_override; dontaudit yppasswdd_t self:capability sys_tty_config; -allow yppasswdd_t self:fifo_file rw_fifo_file_perms; allow yppasswdd_t self:process { getsched setfscreate signal_perms }; +allow yppasswdd_t self:fifo_file rw_fifo_file_perms; allow yppasswdd_t self:unix_dgram_socket create_socket_perms; allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms; allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms; @@ -224,8 +224,8 @@ optional_policy(` # dontaudit ypserv_t self:capability sys_tty_config; -allow ypserv_t self:fifo_file rw_fifo_file_perms; allow ypserv_t self:process signal_perms; +allow ypserv_t self:fifo_file rw_fifo_file_perms; allow ypserv_t self:unix_dgram_socket create_socket_perms; allow ypserv_t self:unix_stream_socket create_stream_socket_perms; allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;