From 6ec59cc63d807919e69103f7ac009827b048cfc3 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Mon, 20 Sep 2010 19:34:45 +0200 Subject: [PATCH 01/18] Redundant: This is already allowed by included admin_pattern for mpd_var_lib_t. --- policy/modules/services/mpd.if | 1 - 1 file changed, 1 deletion(-) diff --git a/policy/modules/services/mpd.if b/policy/modules/services/mpd.if index 733dc776..311aaed7 100644 --- a/policy/modules/services/mpd.if +++ b/policy/modules/services/mpd.if @@ -258,7 +258,6 @@ interface(`mpd_admin',` files_list_var_lib($1) admin_pattern($1, mpd_var_lib_t) - mpd_list_lib($1) admin_pattern($1, mpd_data_t) admin_pattern($1, mpd_log_t) From 30bbb6a533ed5fbf8b1781355a99f2692ef5de8a Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Mon, 20 Sep 2010 19:51:34 +0200 Subject: [PATCH 02/18] This is not a role capability. --- policy/modules/services/postgresql.if | 1 - 1 file changed, 1 deletion(-) diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if index fd75d3d2..f8924b61 100644 --- a/policy/modules/services/postgresql.if +++ b/policy/modules/services/postgresql.if @@ -304,7 +304,6 @@ interface(`postgresql_tcp_connect',` ## Domain allowed access. ## ## -## # interface(`postgresql_stream_connect',` gen_require(` From b46b3ad67f5649a4394fce79de900d08f46b603a Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Mon, 20 Sep 2010 19:50:51 +0200 Subject: [PATCH 03/18] Tunable, optional and if(n)def blocks go below. Tunable, optional and if(n)def blocks go below. --- policy/modules/services/postgresql.if | 30 +++++++++++++-------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if index f8924b61..ac2d3e73 100644 --- a/policy/modules/services/postgresql.if +++ b/policy/modules/services/postgresql.if 
@@ -45,14 +45,6 @@ interface(`postgresql_role',` # Client local policy # - tunable_policy(`sepgsql_enable_users_ddl',` - allow $2 user_sepgsql_table_t:db_table { create drop setattr }; - allow $2 user_sepgsql_table_t:db_column { create drop setattr }; - - allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete }; - allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr }; - ') - allow $2 user_sepgsql_table_t:db_table { getattr use select update insert delete lock }; allow $2 user_sepgsql_table_t:db_column { getattr use select update insert }; allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete }; @@ -69,6 +61,14 @@ interface(`postgresql_role',` allow $2 sepgsql_trusted_proc_t:process transition; type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; + + tunable_policy(`sepgsql_enable_users_ddl',` + allow $2 user_sepgsql_table_t:db_table { create drop setattr }; + allow $2 user_sepgsql_table_t:db_column { create drop setattr }; + + allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete }; + allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr }; + ') ') ######################################## @@ -358,13 +358,6 @@ interface(`postgresql_unpriv_client',` type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; allow $1 sepgsql_trusted_proc_t:process transition; - tunable_policy(`sepgsql_enable_users_ddl',` - allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr }; - allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr }; - allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete }; - allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr }; - ') - allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock }; allow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert }; allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete }; 
@@ -378,6 +371,13 @@ interface(`postgresql_unpriv_client',` allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export }; type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t; + + tunable_policy(`sepgsql_enable_users_ddl',` + allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr }; + allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr }; + allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete }; + allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr }; + ') ') ######################################## From 2528a2d701d35e8d074a720dc45142c3dcf958e8 Mon Sep 17 00:00:00 2001 
From: Dominick Grift Date: Mon, 20 Sep 2010 19:44:58 +0200 Subject: [PATCH 04/18] Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. --- policy/modules/services/postfixpolicyd.if | 3 +-- policy/modules/services/postgresql.if | 11 ++++------- policy/modules/services/postgrey.if | 3 +-- policy/modules/services/ppp.if | 6 ++---- policy/modules/services/prelude.if | 11 ++++------- policy/modules/services/privoxy.if | 3 +-- policy/modules/services/psad.if | 4 ++-- policy/modules/services/pyzor.if | 3 +-- policy/modules/services/qpidd.if | 6 +----- policy/modules/services/radvd.if | 4 ++-- policy/modules/services/rhcs.if | 10 +++------- policy/modules/services/samba.if | 5 ++--- policy/modules/services/setroubleshoot.if | 4 ++-- policy/modules/services/snmp.if | 3 +-- policy/modules/services/soundserver.if | 3 +-- policy/modules/services/xserver.if | 7 +++---- policy/modules/services/zebra.if | 3 +-- 17 files changed, 32 insertions(+), 57 deletions(-) 
diff --git a/policy/modules/services/postfixpolicyd.if b/policy/modules/services/postfixpolicyd.if index feae93b0..d960d3f2 100644 --- a/policy/modules/services/postfixpolicyd.if +++ b/policy/modules/services/postfixpolicyd.if @@ -20,8 +20,7 @@ interface(`postfixpolicyd_admin',` gen_require(` type postfix_policyd_t, postfix_policyd_conf_t; - type postfix_policyd_var_run_t; - type postfix_policyd_initrc_exec_t; + type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t; ') allow $1 postfix_policyd_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if index ac2d3e73..d78db2cc 100644 --- a/policy/modules/services/postgresql.if +++ b/policy/modules/services/postgresql.if @@ -417,13 +417,10 @@ interface(`postgresql_unconfined',` # interface(`postgresql_admin',` gen_require(` - attribute sepgsql_admin_type; - attribute sepgsql_client_type; - - type postgresql_t, postgresql_var_run_t; - type postgresql_tmp_t, postgresql_db_t; - type postgresql_etc_t, postgresql_log_t; - type postgresql_initrc_exec_t; + attribute sepgsql_admin_type, sepgsql_client_type; + type postgresql_t, postgresql_var_run_t, postgresql_initrc_exec_t; + type postgresql_tmp_t, postgresql_db_t, postgresql_log_t; + type postgresql_etc_t; ') typeattribute $1 sepgsql_admin_type; diff --git a/policy/modules/services/postgrey.if b/policy/modules/services/postgrey.if index ad15fde7..70f97681 100644 --- a/policy/modules/services/postgrey.if +++ b/policy/modules/services/postgrey.if @@ -57,9 +57,8 @@ interface(`postgrey_search_spool',` # interface(`postgrey_admin',` gen_require(` - type postgrey_t, postgrey_etc_t; + type postgrey_t, postgrey_etc_t, postgrey_initrc_exec_t; type postgrey_var_lib_t, postgrey_var_run_t; - type postgrey_initrc_exec_t; ') allow $1 postgrey_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if index f916c76b..f66b8f2f 100644 
--- a/policy/modules/services/ppp.if +++ b/policy/modules/services/ppp.if @@ -353,11 +353,9 @@ interface(`ppp_initrc_domtrans',` interface(`ppp_admin',` gen_require(` type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t; - type pppd_etc_t, pppd_secret_t; - type pppd_etc_rw_t, pppd_var_run_t; - + type pppd_etc_t, pppd_secret_t, pppd_var_run_t; type pptp_t, pptp_log_t, pptp_var_run_t; - type pppd_initrc_exec_t; + type pppd_initrc_exec_t, pppd_etc_rw_t; ') allow $1 pppd_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/prelude.if b/policy/modules/services/prelude.if index 1bf96b08..9638805e 100644 --- a/policy/modules/services/prelude.if +++ b/policy/modules/services/prelude.if @@ -112,13 +112,10 @@ interface(`prelude_manage_spool',` # interface(`prelude_admin',` gen_require(` - type prelude_t, prelude_spool_t; - type prelude_var_run_t, prelude_var_lib_t; - type prelude_audisp_t, prelude_audisp_var_run_t; - type prelude_initrc_exec_t; - - type prelude_lml_t, prelude_lml_tmp_t; - type prelude_lml_var_run_t; + type prelude_t, prelude_spool_t, prelude_initrc_exec_t; + type prelude_var_run_t, prelude_var_lib_t, prelude_lml_var_run_t; + type prelude_audisp_t, prelude_audisp_var_run_t, prelude_lml_tmp_t; + type prelude_lml_t; ') allow $1 prelude_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/privoxy.if b/policy/modules/services/privoxy.if index c8f6cb52..72215262 100644 --- a/policy/modules/services/privoxy.if +++ b/policy/modules/services/privoxy.if @@ -19,9 +19,8 @@ # interface(`privoxy_admin',` gen_require(` - type privoxy_t, privoxy_log_t; + type privoxy_t, privoxy_log_t, privoxy_initrc_exec_t; type privoxy_etc_rw_t, privoxy_var_run_t; - type privoxy_initrc_exec_t; ') allow $1 privoxy_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/psad.if b/policy/modules/services/psad.if index 96440db9..3fc51637 100644 --- a/policy/modules/services/psad.if +++ b/policy/modules/services/psad.if 
@@ -253,8 +253,8 @@ interface(`psad_rw_tmp_files',` interface(`psad_admin',` gen_require(` type psad_t, psad_var_run_t, psad_var_log_t; - type psad_initrc_exec_t, psad_var_lib_t; - type psad_tmp_t, psad_etc_t; + type psad_initrc_exec_t, psad_var_lib_t, psad_etc_t; + type psad_tmp_t; ') allow $1 psad_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/pyzor.if b/policy/modules/services/pyzor.if index 6443f306..748e7d33 100644 --- a/policy/modules/services/pyzor.if +++ b/policy/modules/services/pyzor.if @@ -109,8 +109,7 @@ interface(`pyzor_exec',` interface(`pyzor_admin',` gen_require(` type pyzord_t, pyzor_tmp_t, pyzord_log_t; - type pyzor_etc_t, pyzor_var_lib_t; - type pyzord_initrc_exec_t; + type pyzor_etc_t, pyzor_var_lib_t, pyzord_initrc_exec_t; ') allow $1 pyzord_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/qpidd.if b/policy/modules/services/qpidd.if index 5dbca44f..f97e16cf 100644 --- a/policy/modules/services/qpidd.if +++ b/policy/modules/services/qpidd.if @@ -176,17 +176,13 @@ interface(`qpidd_manage_var_lib',` # interface(`qpidd_admin',` gen_require(` - type qpidd_t; + type qpidd_t, qpidd_initrc_exec_t; ') allow $1 qpidd_t:process { ptrace signal_perms }; ps_process_pattern($1, qpidd_t) - gen_require(` - type qpidd_initrc_exec_t; - ') - # Allow qpidd_t to restart the apache service qpidd_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/policy/modules/services/radvd.if b/policy/modules/services/radvd.if index be05bff5..2bd662a9 100644 --- a/policy/modules/services/radvd.if +++ b/policy/modules/services/radvd.if @@ -19,8 +19,8 @@ # interface(`radvd_admin',` gen_require(` - type radvd_t, radvd_etc_t; - type radvd_var_run_t, radvd_initrc_exec_t; + type radvd_t, radvd_etc_t, radvd_initrc_exec_t; + type radvd_var_run_t; ') allow $1 radvd_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if index d8b97c2b..30c9aff9 100644 
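Review bot: The psad_admin require block in this hunk does not do what the commit message says: it only moves `psad_etc_t` from the second `type` line onto the first and leaves `psad_tmp_t` alone on a line of its own, so the statement count is unchanged and the diff churns two lines for no effect (the radvd hunk further down shows the same pattern). Either leave the original two lines untouched or fold them into one, `type psad_initrc_exec_t, psad_var_lib_t, psad_tmp_t, psad_etc_t;`, so the rewrite actually removes a statement. The rest of psad_admin lies outside the hunk.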
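Review bot: The context comment `# Allow qpidd_t to restart the apache service` kept in qpidd_admin is misleading on both counts: the call below it, `qpidd_initrc_domtrans($1)`, grants the caller's domain `$1` (the admin domain), not qpidd_t, a transition through the qpidd init script, and the service involved is qpidd, not apache — the text looks copied from an apache admin interface. Since this hunk already rewrites the require block a few lines above, it is the natural place to correct it to `# Allow the admin domain to run the qpidd init script`. Left as is, a maintainer auditing what qpidd_t may execute could read it as evidence of init-script access that the policy does not actually grant. The remainder of qpidd_admin continues past the end of the hunk.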
--- a/policy/modules/services/rhcs.if +++ b/policy/modules/services/rhcs.if @@ -13,9 +13,7 @@ # template(`rhcs_domain_template',` gen_require(` - attribute cluster_domain; - attribute cluster_tmpfs; - attribute cluster_pid; + attribute cluster_domain, cluster_tmpfs, cluster_pid; ') ############################## @@ -349,8 +347,7 @@ interface(`rhcs_rw_groupd_shm',` # interface(`rhcs_rw_cluster_shm',` gen_require(` - attribute cluster_domain; - attribute cluster_tmpfs; + attribute cluster_domain, cluster_tmpfs; ') allow $1 cluster_domain:shm { rw_shm_perms destroy }; @@ -390,8 +387,7 @@ interface(`rhcs_rw_cluster_semaphores',` # interface(`rhcs_stream_connect_cluster',` gen_require(` - attribute cluster_domain; - attribute cluster_pid; + attribute cluster_domain, cluster_pid; ') files_search_pids($1) diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if index 84732e51..aace2766 100644 --- a/policy/modules/services/samba.if +++ b/policy/modules/services/samba.if @@ -761,9 +761,8 @@ interface(`samba_admin',` type smbd_t, smbd_tmp_t, samba_secrets_t; type samba_initrc_exec_t, samba_log_t, samba_var_t; type samba_etc_t, samba_share_t, winbind_log_t; - type swat_var_run_t, swat_tmp_t; - type winbind_var_run_t, winbind_tmp_t; - type samba_unconfined_script_t, samba_unconfined_script_exec_t; + type swat_var_run_t, swat_tmp_t, samba_unconfined_script_exec_t; + type winbind_var_run_t, winbind_tmp_t, samba_unconfined_script_t; ') allow $1 smbd_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/setroubleshoot.if b/policy/modules/services/setroubleshoot.if index a7fbedc2..d9f5dbc2 100644 --- a/policy/modules/services/setroubleshoot.if +++ b/policy/modules/services/setroubleshoot.if 
@@ -136,8 +136,8 @@ interface(`setroubleshoot_fixit_dontaudit_leaks',` # interface(`setroubleshoot_admin',` gen_require(` - type setroubleshootd_t, setroubleshoot_var_log_t; - type setroubleshoot_var_lib_t, setroubleshoot_var_run_t; + type setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_run_t; + type setroubleshoot_var_lib_t; ') allow $1 setroubleshootd_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if index 6aa68d80..bfdf1973 100644 --- a/policy/modules/services/snmp.if +++ b/policy/modules/services/snmp.if @@ -125,9 +125,8 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',` # interface(`snmp_admin',` gen_require(` - type snmpd_t, snmpd_log_t; + type snmpd_t, snmpd_log_t, snmpd_initrc_exec_t; type snmpd_var_lib_t, snmpd_var_run_t; - type snmpd_initrc_exec_t; ') allow $1 snmpd_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/soundserver.if b/policy/modules/services/soundserver.if index 93fe7bf8..4a156336 100644 --- a/policy/modules/services/soundserver.if +++ b/policy/modules/services/soundserver.if @@ -33,9 +33,8 @@ interface(`soundserver_tcp_connect',` # interface(`soundserver_admin',` gen_require(` - type soundd_t, soundd_etc_t; + type soundd_t, soundd_etc_t, soundd_initrc_exec_t; type soundd_tmp_t, soundd_var_run_t; - type soundd_initrc_exec_t; ') allow $1 soundd_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index f34a53f2..88b6040c 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -358,7 +358,7 @@ interface(`xserver_user_client',` # template(`xserver_common_x_domain_template',` gen_require(` - type root_xdrawable_t; + type root_xdrawable_t, xdm_t, xserver_t; type xproperty_t, $1_xproperty_t; type xevent_t, client_xevent_t; type input_xevent_t, $1_input_xevent_t; 
@@ -375,7 +375,6 @@ template(`xserver_common_x_domain_template',` class x_screen { saver_setattr saver_hide saver_show }; class x_pointer { get_property set_property manage }; class x_keyboard { read manage }; - type xdm_t, xserver_t; ') ############################## @@ -474,8 +473,8 @@ template(`xserver_object_types_template',` # template(`xserver_user_x_domain_template',` gen_require(` - type xdm_t, xdm_tmp_t; - type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t; + type xdm_t, xdm_tmp_t, xserver_tmpfs_t; + type xauth_home_t, iceauth_home_t, xserver_t; ') allow $2 self:shm create_shm_perms; diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if index 5860687f..347f754a 100644 --- a/policy/modules/services/zebra.if +++ b/policy/modules/services/zebra.if @@ -61,8 +61,7 @@ interface(`zebra_stream_connect',` interface(`zebra_admin',` gen_require(` type zebra_t, zebra_tmp_t, zebra_log_t; - type zebra_conf_t, zebra_var_run_t; - type zebra_initrc_exec_t; + type zebra_conf_t, zebra_var_run_t, zebra_initrc_exec_t; ') allow $1 zebra_t:process { ptrace signal_perms }; From 3507be9506b105caede851e1873ec6ba66c4bb0e Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Mon, 20 Sep 2010 20:09:46 +0200 Subject: [PATCH 05/18] Move this to were the other is and where it should be. Move this to were the other is and where it should be. --- policy/modules/services/ppp.if | 6 +++--- policy/modules/services/prelude.if | 3 +-- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if index f66b8f2f..0cb9b4e7 100644 --- a/policy/modules/services/ppp.if +++ b/policy/modules/services/ppp.if 
@@ -361,6 +361,9 @@ interface(`ppp_admin',` allow $1 pppd_t:process { ptrace signal_perms }; ps_process_pattern($1, pppd_t) + allow $1 pptp_t:process { ptrace signal_perms }; + ps_process_pattern($1, pptp_t) + ppp_initrc_domtrans($1) domain_system_change_exemption($1) role_transition $2 pppd_initrc_exec_t system_r; @@ -384,9 +387,6 @@ interface(`ppp_admin',` files_list_pids($1) admin_pattern($1, pppd_var_run_t) - allow $1 pptp_t:process { ptrace signal_perms }; - ps_process_pattern($1, pptp_t) - admin_pattern($1, pptp_log_t) admin_pattern($1, pptp_var_run_t) diff --git a/policy/modules/services/prelude.if b/policy/modules/services/prelude.if index 9638805e..737aa106 100644 --- a/policy/modules/services/prelude.if +++ b/policy/modules/services/prelude.if @@ -141,9 +141,8 @@ interface(`prelude_admin',` files_list_pids($1) admin_pattern($1, prelude_var_run_t) admin_pattern($1, prelude_audisp_var_run_t) + admin_pattern($1, prelude_lml_var_run_t) files_list_tmp($1) admin_pattern($1, prelude_lml_tmp_t) - - admin_pattern($1, prelude_lml_var_run_t) ') From 2a724571c9bfcc2b7af682f067ed4d1b03a4bfdc Mon Sep 17 00:00:00 2001 
From: Dominick Grift Date: Mon, 20 Sep 2010 19:40:18 +0200 Subject: [PATCH 06/18] Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. --- policy/modules/services/postfix.if | 4 +- policy/modules/services/postgresql.if | 4 +- policy/modules/services/ppp.if | 2 +- policy/modules/services/prelude.if | 16 +++---- policy/modules/services/procmail.if | 3 +- policy/modules/services/psad.if | 1 - policy/modules/services/puppet.if | 2 +- policy/modules/services/pyzor.if | 4 +- policy/modules/services/qpidd.if | 58 +++++++++++------------- policy/modules/services/razor.if | 2 +- policy/modules/services/rgmanager.if | 26 +++++------ policy/modules/services/rhcs.if | 57 ++++++++++++------------ policy/modules/services/ricci.if | 64 +++++++++++++-------------- policy/modules/services/rpc.if | 2 +- policy/modules/services/rpcbind.if | 4 +- policy/modules/services/rsync.if | 12 ++--- policy/modules/services/rtkit.if | 4 +- policy/modules/services/rwho.if | 4 +- policy/modules/services/varnishd.if | 2 +- policy/modules/services/vnstatd.if | 21 ++++----- policy/modules/services/xserver.if | 2 +- 21 files changed, 139 insertions(+), 155 deletions(-) diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if index aed37207..7391f7ed 100644 --- a/policy/modules/services/postfix.if 
+++ b/policy/modules/services/postfix.if @@ -710,8 +710,8 @@ interface(`postfix_admin',` allow $1 postfix_smtpd_t:process { ptrace signal_perms }; ps_process_pattern($1, postfix_smtpd_t) - postfix_run_map($1,$2) - postfix_run_postdrop($1,$2) + postfix_run_map($1, $2) + postfix_run_postdrop($1, $2) postfix_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if index d78db2cc..9284534b 100644 --- a/policy/modules/services/postgresql.if +++ b/policy/modules/services/postgresql.if @@ -10,7 +10,7 @@ ## ## ## -## +## ## The type of the user domain. ## ## @@ -312,7 +312,7 @@ interface(`postgresql_stream_connect',` files_search_pids($1) files_search_tmp($1) - stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t}, { postgresql_var_run_t postgresql_tmp_t}, postgresql_t) + stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t }, { postgresql_var_run_t postgresql_tmp_t }, postgresql_t) ') ######################################## diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if index 0cb9b4e7..19d9b593 100644 --- a/policy/modules/services/ppp.if +++ b/policy/modules/services/ppp.if @@ -355,7 +355,7 @@ interface(`ppp_admin',` type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t; type pppd_etc_t, pppd_secret_t, pppd_var_run_t; type pptp_t, pptp_log_t, pptp_var_run_t; - type pppd_initrc_exec_t, pppd_etc_rw_t; + type pppd_initrc_exec_t, pppd_etc_rw_t; ') allow $1 pppd_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/prelude.if b/policy/modules/services/prelude.if index 737aa106..77ef7686 100644 --- a/policy/modules/services/prelude.if +++ b/policy/modules/services/prelude.if @@ -5,9 +5,9 @@ ## Execute a domain transition to run prelude. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`prelude_domtrans',` 
@@ -23,9 +23,9 @@ interface(`prelude_domtrans',` ## Execute a domain transition to run prelude_audisp. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`prelude_domtrans_audisp',` @@ -41,9 +41,9 @@ interface(`prelude_domtrans_audisp',` ## Signal the prelude_audisp domain. ## ## -## +## ## Domain allowed acccess. -## +## ## # interface(`prelude_signal_audisp',` @@ -78,9 +78,9 @@ interface(`prelude_read_spool',` ## Manage to prelude-manager spool files. ## ## -## +## ## Domain allowed access. -## +## ## # interface(`prelude_manage_spool',` diff --git a/policy/modules/services/procmail.if b/policy/modules/services/procmail.if index 5bfbd7b6..166e9c33 100644 --- a/policy/modules/services/procmail.if +++ b/policy/modules/services/procmail.if @@ -93,7 +93,6 @@ interface(`procmail_read_home_files',` type procmail_home_t; ') - userdom_search_user_home_dirs($1) + userdom_search_user_home_dirs($1) read_files_pattern($1, procmail_home_t, procmail_home_t) ') - diff --git a/policy/modules/services/psad.if b/policy/modules/services/psad.if index 3fc51637..a45fc223 100644 --- a/policy/modules/services/psad.if +++ b/policy/modules/services/psad.if @@ -91,7 +91,6 @@ interface(`psad_manage_config',` files_search_etc($1) manage_dirs_pattern($1, psad_etc_t, psad_etc_t) manage_files_pattern($1, psad_etc_t, psad_etc_t) - ') ######################################## diff --git a/policy/modules/services/puppet.if b/policy/modules/services/puppet.if index 2855a443..0456b110 100644 --- a/policy/modules/services/puppet.if +++ b/policy/modules/services/puppet.if @@ -21,7 +21,7 @@ ## ## # -interface(`puppet_rw_tmp', ` +interface(`puppet_rw_tmp',` gen_require(` type puppet_tmp_t; ') diff --git a/policy/modules/services/pyzor.if b/policy/modules/services/pyzor.if index 748e7d33..0059cc7d 100644 --- a/policy/modules/services/pyzor.if +++ b/policy/modules/services/pyzor.if 
@@ -114,7 +114,7 @@ interface(`pyzor_admin',` allow $1 pyzord_t:process { ptrace signal_perms }; ps_process_pattern($1, pyzord_t) - + init_labeled_script_domtrans($1, pyzord_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 pyzord_initrc_exec_t system_r; @@ -132,5 +132,3 @@ interface(`pyzor_admin',` files_list_var_lib($1) admin_pattern($1, pyzor_var_lib_t) ') - - diff --git a/policy/modules/services/qpidd.if b/policy/modules/services/qpidd.if index f97e16cf..3102e242 100644 --- a/policy/modules/services/qpidd.if +++ b/policy/modules/services/qpidd.if @@ -1,4 +1,3 @@ - ## policy for qpidd ######################################## @@ -6,9 +5,9 @@ ## Execute a domain transition to run qpidd. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`qpidd_domtrans',` @@ -19,7 +18,6 @@ interface(`qpidd_domtrans',` domtrans_pattern($1, qpidd_exec_t, qpidd_t) ') - ######################################## ## ## Execute qpidd server in the qpidd domain. @@ -72,12 +70,11 @@ interface(`qpidd_manage_var_run',` type qpidd_var_run_t; ') - manage_dirs_pattern($1, qpidd_var_run_t, qpidd_var_run_t) - manage_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t) - manage_lnk_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t) + manage_dirs_pattern($1, qpidd_var_run_t, qpidd_var_run_t) + manage_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t) + manage_lnk_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t) ') - ######################################## ## ## Search qpidd lib directories. @@ -113,7 +110,7 @@ interface(`qpidd_read_lib_files',` ') files_search_var_lib($1) - read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) + read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) ') ######################################## 
@@ -133,7 +130,7 @@ interface(`qpidd_manage_lib_files',` ') files_search_var_lib($1) - manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) + manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) ') ######################################## @@ -151,12 +148,11 @@ interface(`qpidd_manage_var_lib',` type qpidd_var_lib_t; ') - manage_dirs_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) - manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) - manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) + manage_dirs_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) + manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) + manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) ') - ######################################## ## ## All of the rules required to administrate @@ -181,7 +177,6 @@ interface(`qpidd_admin',` allow $1 qpidd_t:process { ptrace signal_perms }; ps_process_pattern($1, qpidd_t) - # Allow qpidd_t to restart the apache service qpidd_initrc_domtrans($1) @@ -192,41 +187,40 @@ interface(`qpidd_admin',` qpidd_manage_var_run($1) qpidd_manage_var_lib($1) - ') ##################################### ## -## Allow read and write access to qpidd semaphores. +## Allow read and write access to qpidd semaphores. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # interface(`qpidd_rw_semaphores',` - gen_require(` - type qpidd_t; - ') + gen_require(` + type qpidd_t; + ') - allow $1 qpidd_t:sem rw_sem_perms; + allow $1 qpidd_t:sem rw_sem_perms; ') ######################################## ## -## Read and write to qpidd shared memory. +## Read and write to qpidd shared memory. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # interface(`qpidd_rw_shm',` - gen_require(` - type qpidd_t; - ') + gen_require(` + type qpidd_t; + ') - allow $1 qpidd_t:shm rw_shm_perms; + allow $1 qpidd_t:shm rw_shm_perms; ') 
diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if index 13ad2fe0..353bcae9 100644 --- a/policy/modules/services/razor.if +++ b/policy/modules/services/razor.if @@ -26,6 +26,7 @@ template(`razor_common_domain_template',` gen_require(` type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t; ') + type $1_t; domain_type($1_t) domain_entry_file($1_t, razor_exec_t) @@ -197,4 +198,3 @@ interface(`razor_read_lib_files',` files_search_var_lib($1) read_files_pattern($1, razor_var_lib_t, razor_var_lib_t) ') - diff --git a/policy/modules/services/rgmanager.if b/policy/modules/services/rgmanager.if index 7ef312ea..c8b7eec1 100644 --- a/policy/modules/services/rgmanager.if +++ b/policy/modules/services/rgmanager.if @@ -5,9 +5,9 @@ ## Execute a domain transition to run rgmanager. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`rgmanager_domtrans',` @@ -78,20 +78,20 @@ interface(`rgmanager_manage_tmpfs_files',` ####################################### ## -## Allow read and write access to rgmanager semaphores. +## Allow read and write access to rgmanager semaphores. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # interface(`rgmanager_rw_semaphores',` - gen_require(` - type rgmanager_t; - ') + gen_require(` + type rgmanager_t; + ') - allow $1 rgmanager_t:sem { unix_read unix_write associate read write }; + allow $1 rgmanager_t:sem { unix_read unix_write associate read write }; ') ###################################### @@ -100,9 +100,9 @@ interface(`rgmanager_rw_semaphores',` ## an rgmanager environment ## ## -## +## ## Domain allowed access. -## +## ## ## ## @@ -115,7 +115,7 @@ interface(`rgmanager_admin',` gen_require(` type rgmanager_t, rgmanager_initrc_exec_t, rgmanager_tmp_t; type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t; - ') + ') allow $1 rgmanager_t:process { ptrace signal_perms }; ps_process_pattern($1, rgmanager_t) 
diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if index 30c9aff9..fc1a9457 100644 --- a/policy/modules/services/rhcs.if +++ b/policy/modules/services/rhcs.if @@ -51,7 +51,6 @@ template(`rhcs_domain_template',` manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t) manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t) files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file }) - ') ###################################### @@ -59,9 +58,9 @@ template(`rhcs_domain_template',` ## Execute a domain transition to run dlm_controld. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`rhcs_domtrans_dlm_controld',` @@ -358,40 +357,40 @@ interface(`rhcs_rw_cluster_shm',` #################################### ## -## Read and write access to cluster domains semaphores. +## Read and write access to cluster domains semaphores. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # interface(`rhcs_rw_cluster_semaphores',` - gen_require(` + gen_require(` attribute cluster_domain; - ') + ') - allow $1 cluster_domain:sem { rw_sem_perms destroy }; + allow $1 cluster_domain:sem { rw_sem_perms destroy }; ') #################################### ## -## Connect to cluster domains over a unix domain -## stream socket. +## Connect to cluster domains over a unix domain +## stream socket. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # interface(`rhcs_stream_connect_cluster',` - gen_require(` - attribute cluster_domain, cluster_pid; - ') + gen_require(` + attribute cluster_domain, cluster_pid; + ') - files_search_pids($1) - stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain) + files_search_pids($1) + stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain) ') ###################################### 
@@ -433,19 +432,19 @@ interface(`rhcs_read_qdiskd_tmpfs_files',` ###################################### ## -## Allow domain to read cluster lib files +## Allow domain to read cluster lib files ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # interface(`rhcs_read_cluster_lib_files',` - gen_require(` - type cluster_var_lib_t; - ') + gen_require(` + type cluster_var_lib_t; + ') - files_search_var_lib($1) - read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) + files_search_var_lib($1) + read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) ') diff --git a/policy/modules/services/ricci.if b/policy/modules/services/ricci.if index 8a28c318..236fd6d3 100644 --- a/policy/modules/services/ricci.if +++ b/policy/modules/services/ricci.if @@ -5,9 +5,9 @@ ## Execute a domain transition to run ricci. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`ricci_domtrans',` @@ -20,20 +20,20 @@ interface(`ricci_domtrans',` ####################################### ## -## Execute ricci server in the ricci domain. +## Execute ricci server in the ricci domain. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # -interface(`ricci_initrc_domtrans', ` - gen_require(` - type ricci_initrc_exec_t; - ') +interface(`ricci_initrc_domtrans',` + gen_require(` + type ricci_initrc_exec_t; + ') - init_labeled_script_domtrans($1, ricci_initrc_exec_t) + init_labeled_script_domtrans($1, ricci_initrc_exec_t) ') ######################################## @@ -41,9 +41,9 @@ interface(`ricci_initrc_domtrans', ` ## Execute a domain transition to run ricci_modcluster. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`ricci_domtrans_modcluster',` @@ -134,9 +134,9 @@ interface(`ricci_rw_modclusterd_tmpfs_files',` ## Execute a domain transition to run ricci_modlog. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`ricci_domtrans_modlog',` 
@@ -152,9 +152,9 @@ interface(`ricci_domtrans_modlog',` ## Execute a domain transition to run ricci_modrpm. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`ricci_domtrans_modrpm',` @@ -170,9 +170,9 @@ interface(`ricci_domtrans_modrpm',` ## Execute a domain transition to run ricci_modservice. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`ricci_domtrans_modservice',` @@ -188,9 +188,9 @@ interface(`ricci_domtrans_modservice',` ## Execute a domain transition to run ricci_modstorage. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`ricci_domtrans_modstorage',` @@ -203,22 +203,22 @@ interface(`ricci_domtrans_modstorage',` #################################### ## -## Allow the specified domain to manage ricci's lib files. +## Allow the specified domain to manage ricci's lib files. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # interface(`ricci_manage_lib_files',` - gen_require(` - type ricci_var_lib_t; - ') + gen_require(` + type ricci_var_lib_t; + ') - files_search_var_lib($1) - manage_dirs_pattern($1, ricci_var_lib_t, ricci_var_lib_t) - manage_files_pattern($1, ricci_var_lib_t, ricci_var_lib_t) + files_search_var_lib($1) + manage_dirs_pattern($1, ricci_var_lib_t, ricci_var_lib_t) + manage_files_pattern($1, ricci_var_lib_t, ricci_var_lib_t) ') ######################################## @@ -254,7 +254,7 @@ interface(`ricci_admin',` files_list_tmp($1) admin_pattern($1, ricci_tmp_t) - + files_list_var_lib($1) admin_pattern($1, ricci_var_lib_t) diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if index b65be0cc..1de66f7e 100644 --- a/policy/modules/services/rpc.if +++ b/policy/modules/services/rpc.if @@ -32,7 +32,7 @@ interface(`rpc_stub',` ## ## # -template(`rpc_domain_template', ` +template(`rpc_domain_template',` ######################################## # # Declarations 
diff --git a/policy/modules/services/rpcbind.if b/policy/modules/services/rpcbind.if index 14173f7e..0458ba73 100644 --- a/policy/modules/services/rpcbind.if +++ b/policy/modules/services/rpcbind.if @@ -5,9 +5,9 @@ ## Execute a domain transition to run rpcbind. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`rpcbind_domtrans',` diff --git a/policy/modules/services/rsync.if b/policy/modules/services/rsync.if index eefa3298..a4fddce4 100644 --- a/policy/modules/services/rsync.if +++ b/policy/modules/services/rsync.if @@ -109,9 +109,9 @@ interface(`rsync_exec',` ## Read rsync config files. ## ## -## +## ## Domain allowed access. -## +## ## # interface(`rsync_read_config',` @@ -128,9 +128,9 @@ interface(`rsync_read_config',` ## Write to rsync config files. ## ## -## +## ## Domain allowed access. -## +## ## # interface(`rsync_write_config',` @@ -147,9 +147,9 @@ interface(`rsync_write_config',` ## Manage rsync config files. ## ## -## +## ## Domain allowed. -## +## ## # interface(`rsync_manage_config',` diff --git a/policy/modules/services/rtkit.if b/policy/modules/services/rtkit.if index 21079f8f..62d2628b 100644 --- a/policy/modules/services/rtkit.if +++ b/policy/modules/services/rtkit.if @@ -5,9 +5,9 @@ ## Execute a domain transition to run rtkit_daemon. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`rtkit_daemon_domtrans',` diff --git a/policy/modules/services/rwho.if b/policy/modules/services/rwho.if index 71ea0eab..664e68e7 100644 --- a/policy/modules/services/rwho.if +++ b/policy/modules/services/rwho.if @@ -5,9 +5,9 @@ ## Execute a domain transition to run rwho. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`rwho_domtrans',` diff --git a/policy/modules/services/varnishd.if b/policy/modules/services/varnishd.if index 0f8e2138..b6121a6e 100644 --- a/policy/modules/services/varnishd.if +++ b/policy/modules/services/varnishd.if 
@@ -58,7 +58,7 @@ interface(`varnishd_read_config',` ##################################### ## -## Read varnish lib files. +## Read varnish lib files. ## ## ## diff --git a/policy/modules/services/vnstatd.if b/policy/modules/services/vnstatd.if index 6144fb1f..8780a8ac 100644 --- a/policy/modules/services/vnstatd.if +++ b/policy/modules/services/vnstatd.if @@ -1,15 +1,13 @@ - ## policy for vnstatd - ######################################## ## ## Execute a domain transition to run vnstatd. ## ## -## +## ## Domain allowed access. -## +## ## # interface(`vnstatd_domtrans',` @@ -20,16 +18,14 @@ interface(`vnstatd_domtrans',` domtrans_pattern($1, vnstatd_exec_t, vnstatd_t) ') - - ######################################## ## ## Execute a domain transition to run vnstat. ## ## -## +## ## Domain allowed access. -## +## ## # interface(`vnstatd_domtrans_vnstat',` @@ -75,7 +71,7 @@ interface(`vnstatd_read_lib_files',` ') files_search_var_lib($1) - read_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) + read_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) ') ######################################## @@ -95,7 +91,7 @@ interface(`vnstatd_manage_lib_files',` ') files_search_var_lib($1) - manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) + manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) ') ######################################## @@ -114,7 +110,7 @@ interface(`vnstatd_manage_lib_dirs',` ') files_search_var_lib($1) - manage_dirs_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) + manage_dirs_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) ') @@ -138,7 +134,7 @@ interface(`vnstatd_manage_lib_dirs',` interface(`vnstatd_admin',` gen_require(` type vnstatd_t; - type vnstatd_var_lib_t; + type vnstatd_var_lib_t; ') allow $1 vnstatd_t:process { ptrace signal_perms }; @@ -146,5 +142,4 @@ interface(`vnstatd_admin',` files_list_var_lib($1) admin_pattern($1, vnstatd_var_lib_t) - ') 
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 88b6040c..cd2798a9 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -243,7 +243,7 @@ interface(`xserver_rw_session',`
 type xserver_t, xserver_tmpfs_t;
 ')
- xserver_ro_session($1,$2)
+ xserver_ro_session($1, $2)
 allow $1 xserver_t:shm rw_shm_perms;
 allow $1 xserver_tmpfs_t:file rw_file_perms;
 ')
From 6cd6ed35bd76307bd12e7f8c6e802ac2b807550f Mon Sep 17 00:00:00 2001
From: Dominick Grift
Date: Mon, 20 Sep 2010 21:07:33 +0200
Subject: [PATCH 07/18] Use ps_process_pattern to read state.
---
 policy/modules/system/init.if | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 447aaec3..666a58f3 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1207,12 +1207,7 @@ interface(`init_read_script_state',`
 ')
 kernel_search_proc($1)
- read_files_pattern($1, initrc_t, initrc_t)
- read_lnk_files_pattern($1, initrc_t, initrc_t)
- list_dirs_pattern($1, initrc_t, initrc_t)
-
- # should move this to separate interface
- allow $1 initrc_t:process getattr;
+ ps_process_pattern($1, initrc_t)
 ')
 ########################################
@@ -28,7 +28,7 @@ interface(`pyzor_role',`
 # allow ps to show pyzor and allow the user to kill it
 ps_process_pattern($2, pyzor_t)
- allow $2 pyzor_t:process signal;
+ allow $2 pyzor_t:process { ptrace signal_perms };
 ')
 ########################################
diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if
index 353bcae9..c4e778f0 100644
--- a/policy/modules/services/razor.if
+++ b/policy/modules/services/razor.if
@@ -131,7 +131,7 @@ interface(`razor_role',`
 # allow ps to show razor and allow the user to kill it
 ps_process_pattern($2, razor_t)
- allow $2 razor_t:process signal;
+ allow $2 razor_t:process { ptrace signal_perms };
 manage_dirs_pattern($2, razor_home_t, razor_home_t)
 manage_files_pattern($2, razor_home_t, razor_home_t)
From d696185c234eedab440c2a48bf60959a87d31ac8 Mon Sep 17 00:00:00 2001
From: Dominick Grift
Date: Tue, 21 Sep 2010 11:47:34 +0200
Subject: [PATCH 09/18] Use stream connect pattern.
---
 policy/modules/services/rhcs.if | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if
index fc1a9457..b506c5b0 100644
--- a/policy/modules/services/rhcs.if
+++ b/policy/modules/services/rhcs.if
@@ -168,9 +168,8 @@ interface(`rhcs_stream_connect_fenced',`
 type fenced_var_run_t, fenced_t;
 ')
- allow $1 fenced_t:unix_stream_socket connectto;
- allow $1 fenced_var_run_t:sock_file { getattr write };
 files_search_pids($1)
+ stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t)
 ')
 #####################################
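Review bot: The comment above the changed line, `# allow ps to show pyzor and allow the user to kill it`, is now stale: the new rule grants ptrace and the full signal_perms set, not just signal, so the user domain can read and modify the agent's memory as well as kill it. Since that is a deliberate widening from the role to its own agent, the comment should say so, e.g. `# allow ps to show pyzor and allow the user to ptrace and signal it`. The razor_role hunk below carries the identical comment and needs the same update.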
+++ b/policy/modules/services/rpc.if
@@ -33,6 +33,10 @@ interface(`rpc_stub',`
 ##
 #
 template(`rpc_domain_template',`
+ gen_require(`
+ type var_lib_nfs_t;
+ ')
+
 ########################################
 #
 # Declarations
From ddbd71a506260384a083bcfdd84993907c6e33ba Mon Sep 17 00:00:00 2001
From: Dominick Grift
Date: Mon, 20 Sep 2010 19:48:08 +0200
Subject: [PATCH 11/18] Search parent directory to be able to interact with targets content. Search parent directory to be able to interact with targets content. Search parent directory to be able to interact with targets content. Search parent directory to be able to interact with targets content. Search parent directory to be able to interact with targets content. Search parent directory to be able to interact with targets content. Search parent directory to be able to interact with targets content. Search parent directory to be able to interact with targets content.
---
 policy/modules/services/postgresql.if | 2 ++
 policy/modules/services/postgrey.if | 5 +++--
 policy/modules/services/ppp.if | 3 +++
 policy/modules/services/qpidd.if | 2 ++
 policy/modules/services/rhcs.if | 1 +
 policy/modules/services/rhgb.if | 1 +
 policy/modules/services/ricci.if | 1 +
 policy/modules/services/rtkit.if | 1 +
 8 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index 9284534b..846518b8 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -433,6 +433,7 @@ interface(`postgresql_admin',`
 role_transition $2 postgresql_initrc_exec_t system_r;
 allow $2 system_r;
+ files_list_pids($1)
 admin_pattern($1, postgresql_var_run_t)
 files_list_var_lib($1)
@@ -444,6 +445,7 @@ interface(`postgresql_admin',`
 logging_list_logs($1)
 admin_pattern($1, postgresql_log_t)
+ files_list_tmp($1)
 admin_pattern($1, postgresql_tmp_t)
 postgresql_tcp_connect($1)
diff --git a/policy/modules/services/postgrey.if b/policy/modules/services/postgrey.if
index 70f97681..6f554454 100644
--- a/policy/modules/services/postgrey.if
+++ b/policy/modules/services/postgrey.if
@@ -15,9 +15,9 @@ interface(`postgrey_stream_connect',`
 type postgrey_var_run_t, postgrey_t, postgrey_spool_t;
 ')
- stream_connect_pattern($1, postgrey_var_run_t, postgrey_var_run_t, postgrey_t)
- stream_connect_pattern($1, postgrey_spool_t, postgrey_spool_t, postgrey_t)
+ stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t)
 files_search_pids($1)
+ files_search_spool($1)
 ')
 ########################################
@@ -35,6 +35,7 @@ interface(`postgrey_search_spool',`
 type postgrey_spool_t;
 ')
+ files_search_spool($1)
 allow $1 postgrey_spool_t:dir search_dir_perms;
 ')
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
index 19d9b593..f88387ab 100644
--- a/policy/modules/services/ppp.if
+++ b/policy/modules/services/ppp.if
@@ -281,6 +281,7 @@ interface(`ppp_read_pid_files',`
 type pppd_var_run_t;
 ')
+ files_search_pids($1)
 allow $1 pppd_var_run_t:file read_file_perms;
 ')
@@ -299,6 +300,7 @@ interface(`ppp_manage_pid_files',`
 type pppd_var_run_t;
 ')
+ files_search_pids($1)
 allow $1 pppd_var_run_t:file manage_file_perms;
 ')
@@ -375,6 +377,7 @@ interface(`ppp_admin',`
 logging_list_logs($1)
 admin_pattern($1, pppd_log_t)
+ files_list_locks($1)
 admin_pattern($1, pppd_lock_t)
 files_list_etc($1)
diff --git a/policy/modules/services/qpidd.if b/policy/modules/services/qpidd.if
index 3102e242..c403abc1 100644
--- a/policy/modules/services/qpidd.if
+++ b/policy/modules/services/qpidd.if
@@ -70,6 +70,7 @@ interface(`qpidd_manage_var_run',`
 type qpidd_var_run_t;
 ')
+ files_search_pids($1)
 manage_dirs_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
 manage_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
 manage_lnk_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
@@ -148,6 +149,7 @@ interface(`qpidd_manage_var_lib',`
 type qpidd_var_lib_t;
 ')
+ files_search_var_lib($1)
 manage_dirs_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
 manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
 manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if
index b506c5b0..229a3c74 100644
--- a/policy/modules/services/rhcs.if
+++ b/policy/modules/services/rhcs.if
@@ -426,6 +426,7 @@ interface(`rhcs_read_qdiskd_tmpfs_files',`
 type qdiskd_tmpfs_t;
 ')
+ fs_search_tmpfs($1)
 allow $1 qdiskd_tmpfs_t:file read_file_perms;
 ')
diff --git a/policy/modules/services/rhgb.if b/policy/modules/services/rhgb.if
index 96efae7f..793a29f8 100644
--- a/policy/modules/services/rhgb.if
+++ b/policy/modules/services/rhgb.if
@@ -194,5 +194,6 @@ interface(`rhgb_rw_tmpfs_files',`
 type rhgb_tmpfs_t;
 ')
+ fs_search_tmpfs($1)
 allow $1 rhgb_tmpfs_t:file rw_file_perms;
 ')
diff --git a/policy/modules/services/ricci.if b/policy/modules/services/ricci.if
index 236fd6d3..53e3ac12 100644
--- a/policy/modules/services/ricci.if
+++ b/policy/modules/services/ricci.if
@@ -126,6 +126,7 @@ interface(`ricci_rw_modclusterd_tmpfs_files',`
 type ricci_modcluserd_tmpfs_t;
 ')
+ fs_search_tmpfs($1)
 allow $1 ricci_modcluserd_tmpfs_t:file rw_file_perms;
 ')
diff --git a/policy/modules/services/rtkit.if b/policy/modules/services/rtkit.if
index 62d2628b..f59cac52 100644
--- a/policy/modules/services/rtkit.if
+++ b/policy/modules/services/rtkit.if
@@ -75,6 +75,7 @@ interface(`rtkit_scheduled',`
 type rtkit_daemon_t;
 ')
+ kernel_search_proc($1)
 ps_process_pattern(rtkit_daemon_t, $1)
 allow rtkit_daemon_t $1:process { getsched setsched };
 rtkit_daemon_dbus_chat($1)
From 7bc4e83ea90e256c8f1d673c6e460280bee75e80 Mon Sep 17 00:00:00 2001
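Review bot: In the rtkit_scheduled hunk the added `kernel_search_proc($1)` has the wrong subject: the rule it is meant to support, `ps_process_pattern(rtkit_daemon_t, $1)`, has rtkit_daemon_t reading $1's process state, so the parent-directory search belongs to the daemon, `kernel_search_proc(rtkit_daemon_t)`, not to the caller. As written the line hands every caller of this interface a proc_t search it does not need for this interface's purpose, and it does nothing for the daemon. If rtkit.te already grants the daemon proc search (likely, since it reads process state, but not visible here) the added line is merely redundant and can be dropped instead of corrected.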
From: Dominick Grift Date: Tue, 21 Sep 2010 12:22:50 +0200 Subject: [PATCH 12/18] Redundant: Included files_search_var_lib already permits access to list generic var directories. --- policy/modules/services/samba.if | 4 ---- 1 file changed, 4 deletions(-) diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if index aace2766..24d46afa 100644 --- a/policy/modules/services/samba.if +++ b/policy/modules/services/samba.if @@ -391,7 +391,6 @@ interface(`samba_search_var',` type samba_var_t; ') - files_search_var($1) files_search_var_lib($1) allow $1 samba_var_t:dir search_dir_perms; ') @@ -412,7 +411,6 @@ interface(`samba_read_var_files',` type samba_var_t; ') - files_search_var($1) files_search_var_lib($1) read_files_pattern($1, samba_var_t, samba_var_t) ') @@ -452,7 +450,6 @@ interface(`samba_rw_var_files',` type samba_var_t; ') - files_search_var($1) files_search_var_lib($1) rw_files_pattern($1, samba_var_t, samba_var_t) ') @@ -473,7 +470,6 @@ interface(`samba_manage_var_files',` type samba_var_t; ') - files_search_var($1) files_search_var_lib($1) manage_files_pattern($1, samba_var_t, samba_var_t) manage_lnk_files_pattern($1, samba_var_t, samba_var_t) From e130679fa0ef7ee85e54ea28dda6c3171f18b3cb Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Mon, 20 Sep 2010 20:22:28 +0200 Subject: [PATCH 13/18] This is a role capability. This is a role capability. This is a role capability. --- policy/modules/services/pyzor.if | 1 + policy/modules/services/razor.if | 1 + policy/modules/services/zosremote.if | 1 + 3 files changed, 3 insertions(+) diff --git a/policy/modules/services/pyzor.if b/policy/modules/services/pyzor.if index 7135cbea..aa3d0b4c 100644 --- a/policy/modules/services/pyzor.if +++ b/policy/modules/services/pyzor.if @@ -14,6 +14,7 @@ ## User domain for the role ## ## +## # interface(`pyzor_role',` gen_require(` diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if index c4e778f0..58504492 100644 
--- a/policy/modules/services/razor.if
+++ b/policy/modules/services/razor.if
@@ -118,6 +118,7 @@ template(`razor_common_domain_template',`
 ## User domain for the role
 ##
 ##
+##
 #
 interface(`razor_role',`
 gen_require(`
diff --git a/policy/modules/services/zosremote.if b/policy/modules/services/zosremote.if
index 1d24e1ed..13f0eef1 100644
--- a/policy/modules/services/zosremote.if
+++ b/policy/modules/services/zosremote.if
@@ -34,6 +34,7 @@ interface(`zosremote_domtrans',`
 ## Role allowed access.
 ##
 ##
+##
 #
 interface(`zosremote_run',`
 gen_require(`
From 5ce19e398002f0eeff2de66e9681643568c9de28 Mon Sep 17 00:00:00 2001
From: Dominick Grift
Date: Tue, 21 Sep 2010 12:36:50 +0200
Subject: [PATCH 14/18] Type zarafa_server_t is not a file type.
---
 policy/modules/services/zarafa.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if
index 78fc1043..4f2dde84 100644
--- a/policy/modules/services/zarafa.if
+++ b/policy/modules/services/zarafa.if
@@ -98,5 +98,5 @@ interface(`zarafa_stream_connect_server',`
 ')
 files_search_var_lib($1)
- stream_connect_pattern($1, zarafa_server_t, zarafa_server_var_run_t, zarafa_server_t)
+ stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
 ')
From 69d1431276125ac650ed7139869be8ad322b3d81 Mon Sep 17 00:00:00 2001
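Review bot: The zarafa_stream_connect_server fix names the right sock_file type, but the context line `files_search_var_lib($1)` just above it still does not match a `_var_run_t` type: if zarafa_server_var_run_t is a pid-file type living under /var/run, as its suffix suggests, callers need `files_search_pids($1)` to reach the socket directory, and the var_lib search is either superfluous or belongs to a different interface. Patch 11 of this series adds exactly this kind of parent search elsewhere, so it would fit here as well. The interface's gen_require block is outside the hunk, so I cannot confirm how the type is declared.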
From: Dominick Grift Date: Mon, 20 Sep 2010 19:53:44 +0200 Subject: [PATCH 15/18] Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. --- policy/modules/services/postgresql.if | 4 ++-- policy/modules/services/razor.if | 2 +- policy/modules/services/rgmanager.if | 2 +- policy/modules/services/ricci.if | 2 +- policy/modules/services/rpc.if | 8 ++++---- policy/modules/services/xserver.if | 6 +++--- 6 files changed, 12 insertions(+), 12 deletions(-) diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if index 846518b8..f824074f 100644 --- a/policy/modules/services/postgresql.if +++ b/policy/modules/services/postgresql.if @@ -195,7 +195,7 @@ interface(`postgresql_search_db',` type postgresql_db_t; ') - allow $1 postgresql_db_t:dir search; + allow $1 postgresql_db_t:dir search_dir_perms; ') ######################################## @@ -214,7 +214,7 @@ interface(`postgresql_manage_db',` allow $1 postgresql_db_t:dir rw_dir_perms; allow $1 postgresql_db_t:file rw_file_perms; - allow $1 postgresql_db_t:lnk_file { getattr read }; + allow $1 postgresql_db_t:lnk_file read_lnk_file_perms; ') ######################################## diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if index 58504492..6be90123 100644 --- a/policy/modules/services/razor.if +++ b/policy/modules/services/razor.if @@ -47,7 +47,7 @@ template(`razor_common_domain_template',` # Read system config file allow $1_t razor_etc_t:dir list_dir_perms; allow $1_t razor_etc_t:file read_file_perms; - allow $1_t razor_etc_t:lnk_file { getattr read }; + allow $1_t razor_etc_t:lnk_file read_lnk_file_perms; manage_dirs_pattern($1_t, razor_log_t, razor_log_t) manage_files_pattern($1_t, razor_log_t, razor_log_t) 
diff --git a/policy/modules/services/rgmanager.if b/policy/modules/services/rgmanager.if
index c8b7eec1..9c2c9635 100644
--- a/policy/modules/services/rgmanager.if
+++ b/policy/modules/services/rgmanager.if
@@ -91,7 +91,7 @@ interface(`rgmanager_rw_semaphores',`
 type rgmanager_t;
 ')
- allow $1 rgmanager_t:sem { unix_read unix_write associate read write };
+ allow $1 rgmanager_t:sem rw_sem_perms;
 ')
 ######################################
diff --git a/policy/modules/services/ricci.if b/policy/modules/services/ricci.if
index 53e3ac12..3128dd8d 100644
--- a/policy/modules/services/ricci.if
+++ b/policy/modules/services/ricci.if
@@ -89,7 +89,7 @@ interface(`ricci_dontaudit_rw_modcluster_pipes',`
 type ricci_modcluster_t;
 ')
- dontaudit $1 ricci_modcluster_t:fifo_file { read write };
+ dontaudit $1 ricci_modcluster_t:fifo_file rw_inherited_fifo_file_perms;
 ')
 ########################################
diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
index a324444e..28e75762 100644
--- a/policy/modules/services/rpc.if
+++ b/policy/modules/services/rpc.if
@@ -156,7 +156,7 @@ interface(`rpc_dontaudit_getattr_exports',`
 type exports_t;
 ')
- dontaudit $1 exports_t:file getattr;
+ dontaudit $1 exports_t:file getattr_file_perms;
 ')
 ########################################
@@ -192,7 +192,7 @@ interface(`rpc_write_exports',`
 type exports_t;
 ')
- allow $1 exports_t:file write;
+ allow $1 exports_t:file write_file_perms;
 ')
 ########################################
@@ -306,7 +306,7 @@ interface(`rpc_read_nfs_content',`
 allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms;
 allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms;
- allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file { getattr read };
+ allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file read_lnk_file_perms;
 ')
 ########################################
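Review bot: In rpc_write_exports the switch from a bare `write` to `write_file_perms` on exports_t is not a pure cleanup: the set adds at least getattr, append, lock and ioctl, and if this tree's write_file_perms already carries open, every caller can now open the exports file for writing instead of only writing a descriptor it inherited. Since exports_t is what decides which paths nfsd exports, that widening deserves either a sentence in the commit message or a check that the callers of rpc_write_exports actually need to open the file. The other replacements in this commit (dontaudit sets, rw_sem_perms, read_lnk_file_perms) are harmless or strictly descriptive, so this is the one to call out.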
@@ -399,7 +399,7 @@ interface(`rpc_search_nfs_state_data',` ') files_search_var_lib($1) - allow $1 var_lib_nfs_t:dir search; + allow $1 var_lib_nfs_t:dir search_dir_perms; ') ######################################## diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index cd2798a9..1cc3a1e2 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -47,7 +47,7 @@ interface(`xserver_restricted_role',` manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t) - allow $2 xserver_tmp_t:sock_file unlink; + allow $2 xserver_tmp_t:sock_file delete_sock_file_perms; files_search_tmp($2) # Communicate via System V shared memory. @@ -271,7 +271,7 @@ interface(`xserver_non_drawing_client',` allow $1 self:x_gc { create setattr }; - allow $1 xdm_var_run_t:dir search; + allow $1 xdm_var_run_t:dir search_dir_perms; allow $1 xserver_t:unix_stream_socket connectto; allow $1 xextension_t:x_extension { query use }; @@ -313,7 +313,7 @@ interface(`xserver_user_client',` # for when /tmp/.X11-unix is created by the system allow $1 xdm_t:fd use; allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms; - allow $1 xdm_tmp_t:dir search; + allow $1 xdm_tmp_t:dir search_dir_perms; allow $1 xdm_tmp_t:sock_file { read write }; dontaudit $1 xdm_t:tcp_socket { read write }; From 0eef2ca0f7dfeca57b7dfd5bfaeb736a15095fbd Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Mon, 20 Sep 2010 20:03:48 +0200 Subject: [PATCH 16/18] Use brace extension where possible. Use brace extension where possible. --- policy/modules/services/ppp.if | 3 +-- policy/modules/services/xserver.if | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if index f88387ab..fbb6d26a 100644 --- a/policy/modules/services/ppp.if +++ b/policy/modules/services/ppp.if 
@@ -180,8 +180,7 @@ interface(`ppp_run',`
 ')
 ppp_domtrans($1)
- role $2 types pppd_t;
- role $2 types pptp_t;
+ role $2 types { pppd_t pptp_t };
 optional_policy(`
 ddclient_run(pppd_t, $2)
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 1cc3a1e2..6d2425d2 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -786,8 +786,7 @@ interface(`xserver_stream_connect_xdm',`
 files_search_tmp($1)
 files_search_pids($1)
- stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
- stream_connect_pattern($1, xdm_var_run_t, xdm_var_run_t, xdm_t)
+ stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, xdm_t)
 ')
 ########################################
From 612346475ba9b7f81d791628e7e636ed6d30805e Mon Sep 17 00:00:00 2001
From: Dominick Grift
Date: Mon, 20 Sep 2010 19:54:05 +0200
Subject: [PATCH 17/18] XML summary fixes. XML summary fixes. XML summary fixes. XML summary fixes. XML summary fixes. XML summary fixes. XML summary fixes.
---
 policy/modules/services/postgresql.if | 1 +
 policy/modules/services/ppp.if | 1 -
 policy/modules/services/psad.if | 2 +-
 policy/modules/services/rsync.if | 2 +-
 policy/modules/services/rtkit.if | 2 +-
 policy/modules/services/samba.if | 4 ++--
 policy/modules/services/virt.if | 2 +-
 7 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index f824074f..4782bdbe 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -207,6 +207,7 @@ interface(`postgresql_search_db',`
 ## Domain allowed access.
 ##
 ##
+#
 interface(`postgresql_manage_db',`
 gen_require(`
 type postgresql_db_t;
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
index fbb6d26a..09699d12 100644
--- a/policy/modules/services/ppp.if
+++ b/policy/modules/services/ppp.if
@@ -66,7 +66,6 @@ interface(`ppp_sigchld',` ## ## # -# interface(`ppp_kill',` gen_require(` type pppd_t; diff --git a/policy/modules/services/psad.if b/policy/modules/services/psad.if index a45fc223..d1a3745d 100644 --- a/policy/modules/services/psad.if +++ b/policy/modules/services/psad.if @@ -114,7 +114,7 @@ interface(`psad_read_pid_files',` ######################################## ## -## Read psad PID files. +## Read and write psad PID files. ## ## ## diff --git a/policy/modules/services/rsync.if b/policy/modules/services/rsync.if index a4fddce4..b28cae51 100644 --- a/policy/modules/services/rsync.if +++ b/policy/modules/services/rsync.if @@ -148,7 +148,7 @@ interface(`rsync_write_config',` ## ## ## -## Domain allowed. +## Domain allowed access. ## ## # diff --git a/policy/modules/services/rtkit.if b/policy/modules/services/rtkit.if index f59cac52..d632bc0b 100644 --- a/policy/modules/services/rtkit.if +++ b/policy/modules/services/rtkit.if @@ -46,7 +46,7 @@ interface(`rtkit_daemon_dbus_chat',` ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if index 24d46afa..645da613 100644 --- a/policy/modules/services/samba.if +++ b/policy/modules/services/samba.if @@ -83,7 +83,7 @@ interface(`samba_domtrans_net',` ## ## ## -## Domain allowed access. +## Domain allowed to transition. ## ## # @@ -148,7 +148,7 @@ template(`samba_role_notrans',` ## ## ## -## Domain allowed access. +## Domain allowed to transition. ## ## ## diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if index e584e21c..f98efcbc 100644 --- a/policy/modules/services/virt.if +++ b/policy/modules/services/virt.if @@ -596,7 +596,7 @@ interface(`virt_transition_svirt',` ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # From f262674898d6494062d0309279cd4966b3bdd998 Mon Sep 17 00:00:00 2001 
From: Dominick Grift
Date: Tue, 21 Sep 2010 13:02:21 +0200
Subject: [PATCH 18/18] Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible.
---
 policy/modules/services/squid.if | 3 +--
 policy/modules/services/varnishd.if | 4 ++--
 policy/modules/services/vnstatd.if | 3 +--
 3 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if
index dc4f590c..1d0c078e 100644
--- a/policy/modules/services/squid.if
+++ b/policy/modules/services/squid.if
@@ -206,8 +206,7 @@ interface(`squid_use',`
 interface(`squid_admin',`
 gen_require(`
 type squid_t, squid_cache_t, squid_conf_t;
- type squid_log_t, squid_var_run_t;
- type squid_initrc_exec_t;
+ type squid_log_t, squid_var_run_t, squid_initrc_exec_t;
 ')
 allow $1 squid_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/varnishd.if b/policy/modules/services/varnishd.if
index b6121a6e..fe5ce10a 100644
--- a/policy/modules/services/varnishd.if
+++ b/policy/modules/services/varnishd.if
@@ -151,8 +151,8 @@ interface(`varnishd_manage_log',`
 #
 interface(`varnishd_admin_varnishlog',`
 gen_require(`
- type varnishlog_t, varnishlog_initrc_exec_t;
- type varnishlog_var_run_t, varnishlog_log_t;
+ type varnishlog_t, varnishlog_initrc_exec_t, varnishlog_log_t;
+ type varnishlog_var_run_t;
 ')
 allow $1 varnishlog_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/vnstatd.if b/policy/modules/services/vnstatd.if
index 8780a8ac..14f89062 100644
--- a/policy/modules/services/vnstatd.if
+++ b/policy/modules/services/vnstatd.if
@@ -133,8 +133,7 @@ interface(`vnstatd_manage_lib_dirs',`
 #
 interface(`vnstatd_admin',`
 gen_require(`
- type vnstatd_t;
- type vnstatd_var_lib_t;
+ type vnstatd_t, vnstatd_var_lib_t;
 ')
 allow $1 vnstatd_t:process { ptrace signal_perms };
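Review bot: The varnishd_admin_varnishlog hunk only reshuffles the four required types across two `type` statements, which does not match the subject of the commit and leaves a one-type line behind. The squid and vnstatd hunks in the same commit collapse their requirements onto a single statement, and the same fits here: `type varnishlog_t, varnishlog_initrc_exec_t, varnishlog_log_t, varnishlog_var_run_t;`. Keeping the declaration style uniform across the three files makes later greps for a type's requirers more reliable.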