From 19b5555f77247b3142b8a38042e3d4279d01ee64 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Oct 24 2005 03:21:26 +0000 Subject: more fixes --- diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in index 4bbbca6..3d8c103 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.te.in +++ b/refpolicy/policy/modules/kernel/corenetwork.te.in @@ -46,9 +46,10 @@ network_port(amavisd_recv, tcp,10024,s0) network_port(amavisd_send, tcp,10025,s0) network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0) network_port(auth, tcp,113,s0) -dnl network_port(biff) # no defined portcon in current strict +type biff_port_t, port_type; dnl network_port(biff) # no defined portcon in current strict network_port(clamd, tcp,3310,s0) network_port(clockspeed, udp,4041,s0) +network_port(comsat, udp,512,s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(dcc, udp,6276,s0, udp,6277,s0) network_port(dbskkd, tcp,1178,s0) @@ -66,7 +67,7 @@ network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8 network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,50000,s0, tcp,50002,s0) -dnl network_port(i18n_input) # no defined portcon in current strict +type i18n_input_t, port_type; dnl network_port(i18n_input) # no defined portcon in current strict network_port(imaze, tcp,5323,s0, udp,5323,s0) network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) network_port(innd, tcp,119,s0) @@ -109,7 +110,7 @@ network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0) network_port(spamd, tcp,783,s0) network_port(ssh, tcp,22,s0) network_port(soundd, tcp,8000,s0, tcp,9433,s0) -dnl network_port(stunnel) # no defined portcon in current strict +type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict network_port(swat, tcp,901,s0) network_port(syslogd, udp,514,s0) network_port(telnetd, tcp,23,s0) diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te index 367b176..70f615d 100644 --- a/refpolicy/policy/modules/kernel/filesystem.te +++ b/refpolicy/policy/modules/kernel/filesystem.te @@ -48,6 +48,10 @@ type capifs_t, filesystem_type; allow capifs_t self:filesystem associate; genfscon capifs / gen_context(system_u:object_r:capifs_t,s0) +type configfs_t, filesystem_type; +allow configfs_t self:filesystem associate; +genfscon configfs / gen_context(system_u:object_r:configfs_t,s0) + type eventpollfs_t, filesystem_type; genfscon eventpollfs / gen_context(system_u:object_r:eventpollfs_t,s0) diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te index 87f988e..e553590 100644 --- a/refpolicy/policy/modules/kernel/kernel.te +++ b/refpolicy/policy/modules/kernel/kernel.te @@ -254,9 +254,9 @@ optional_policy(`rpc.te',` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) - auth_read_all_dirs_except_shadow(kernel_t) - auth_read_all_files_except_shadow(kernel_t) - auth_read_all_symlinks_except_shadow(kernel_t) +# auth_read_all_dirs_except_shadow(kernel_t) +# auth_read_all_files_except_shadow(kernel_t) +# auth_read_all_symlinks_except_shadow(kernel_t) ') tunable_policy(`nfs_export_all_rw',` @@ -264,7 +264,7 @@ optional_policy(`rpc.te',` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) - auth_manage_all_files_except_shadow(kernel_t) +# auth_manage_all_files_except_shadow(kernel_t) ') ') diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te index 5ecf6cd..24ef269 100644 --- a/refpolicy/policy/modules/services/bluetooth.te +++ b/refpolicy/policy/modules/services/bluetooth.te @@ -21,6 +21,9 @@ domain_type(bluetooth_helper_t) domain_entry_file(bluetooth_helper_t,bluetooth_helper_exec_t) role system_r types bluetooth_helper_t; +type bluetooth_helper_tmp_t; +files_tmp_file(bluetooth_helper_tmp_t) + type bluetooth_lock_t; files_lock_file(bluetooth_lock_t) @@ -168,9 +171,15 @@ allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms co allow bluetooth_helper_t bluetooth_t:socket { read write }; +allow bluetooth_helper_t bluetooth_helper_tmp_t:dir create_dir_perms; +allow bluetooth_helper_t bluetooth_helper_tmp_t:file create_file_perms; +files_create_tmp_files(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir }) + kernel_read_system_state(bluetooth_helper_t) kernel_read_kernel_sysctl(bluetooth_helper_t) +dev_read_urand(bluetooth_helper_t) + term_dontaudit_use_all_user_ttys(bluetooth_helper_t) corecmd_exec_bin(bluetooth_helper_t) diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index 37feaf2..5ca4305 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -204,214 +204,215 @@ allow crond_t user_home_dir_type:dir r_dir_perms; # # System cron process domain # +ifdef(`targeted_policy',`',` + allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid }; + allow system_crond_t self:process { signal_perms setsched }; + allow system_crond_t self:fifo_file rw_file_perms; + allow system_crond_t self:passwd rootok; + + # The entrypoint interface is not used as this is not + # a regular entrypoint. Since crontab files are + # not directly executed, crond must ensure that + # the crontab file has a type that is appropriate + # for the domain of the user cron job. It + # performs an entrypoint permission check + # for this purpose. + allow system_crond_t system_cron_spool_t:file entrypoint; + + allow system_crond_t system_cron_spool_t:file r_file_perms; + + # Permit a transition from the crond_t domain to this domain. + # The transition is requested explicitly by the modified crond + # via setexeccon. There is no way to set up an automatic + # transition, since crontabs are configuration files, not executables. + allow crond_t system_crond_t:process transition; + dontaudit crond_t system_crond_t:process { noatsecure siginh rlimitinh }; + allow crond_t system_crond_t:fd use; + allow system_crond_t crond_t:fd use; + allow system_crond_t crond_t:fifo_file rw_file_perms; + allow system_crond_t crond_t:process sigchld; + + # Write /var/lock/makewhatis.lock. + allow system_crond_t system_crond_lock_t:file create_file_perms; + files_create_lock(system_crond_t,system_crond_lock_t) + + # write temporary files + allow system_crond_t system_crond_tmp_t:file create_file_perms; + files_create_tmp_files(system_crond_t,system_crond_tmp_t) + + # write temporary files in crond tmp dir: + allow system_crond_t crond_tmp_t:dir rw_dir_perms; + type_transition system_crond_t crond_tmp_t:file system_crond_tmp_t; + + # Read from /var/spool/cron. + allow system_crond_t cron_spool_t:dir r_dir_perms; + allow system_crond_t cron_spool_t:file r_file_perms; + + kernel_read_kernel_sysctl(system_crond_t) + kernel_read_system_state(system_crond_t) + kernel_read_software_raid_state(system_crond_t) + + # ps does not need to access /boot when run from cron + bootloader_dontaudit_search_boot(system_crond_t) + + corenet_tcp_sendrecv_all_if(system_crond_t) + corenet_raw_sendrecv_all_if(system_crond_t) + corenet_udp_sendrecv_all_if(system_crond_t) + corenet_tcp_sendrecv_all_nodes(system_crond_t) + corenet_raw_sendrecv_all_nodes(system_crond_t) + corenet_udp_sendrecv_all_nodes(system_crond_t) + corenet_tcp_sendrecv_all_ports(system_crond_t) + corenet_udp_sendrecv_all_ports(system_crond_t) + corenet_tcp_bind_all_nodes(system_crond_t) + corenet_udp_bind_all_nodes(system_crond_t) + + dev_getattr_all_blk_files(system_crond_t) + dev_getattr_all_chr_files(system_crond_t) + dev_read_urand(system_crond_t) + + fs_getattr_all_fs(system_crond_t) + fs_getattr_all_files(system_crond_t) + fs_getattr_all_symlinks(system_crond_t) + fs_getattr_all_pipes(system_crond_t) + fs_getattr_all_sockets(system_crond_t) + + corecmd_exec_bin(system_crond_t) + corecmd_exec_sbin(system_crond_t) + + domain_exec_all_entry_files(system_crond_t) + # quiet other ps operations + domain_dontaudit_read_all_domains_state(system_crond_t) + + files_exec_etc_files(system_crond_t) + files_read_etc_files(system_crond_t) + files_read_etc_runtime_files(system_crond_t) + files_list_all_dirs(system_crond_t) + files_getattr_all_dirs(system_crond_t) + files_getattr_all_files(system_crond_t) + files_getattr_all_symlinks(system_crond_t) + files_getattr_all_pipes(system_crond_t) + files_getattr_all_sockets(system_crond_t) + files_read_usr_files(system_crond_t) + files_read_var_files(system_crond_t) + # for nscd: + files_dontaudit_search_pids(system_crond_t) + # Access other spool directories like + # /var/spool/anacron and /var/spool/slrnpull. + files_manage_generic_spools(system_crond_t) + + init_use_fd(system_crond_t) + init_use_script_fd(system_crond_t) + init_use_script_pty(system_crond_t) + init_read_script_pid(system_crond_t) + init_dontaudit_rw_script_pid(system_crond_t) + # prelink tells init to restart it self, we either need to allow or dontaudit + init_write_initctl(system_crond_t) + + libs_use_ld_so(system_crond_t) + libs_use_shared_libs(system_crond_t) + libs_exec_lib_files(system_crond_t) + libs_exec_ld_so(system_crond_t) + + logging_read_generic_logs(system_crond_t) + logging_send_syslog_msg(system_crond_t) + + miscfiles_read_localization(system_crond_t) + miscfiles_manage_man_pages(system_crond_t) + + seutil_read_config(system_crond_t) + + mta_send_mail(system_crond_t) + + ifdef(`distro_redhat', ` + # Run the rpm program in the rpm_t domain. Allow creation of RPM log files + # via redirection of standard out. + optional_policy(`rpm.te', ` + rpm_manage_log(system_crond_t) + ') + ') -allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid }; -allow system_crond_t self:process { signal_perms setsched }; -allow system_crond_t self:fifo_file rw_file_perms; -allow system_crond_t self:passwd rootok; - -# The entrypoint interface is not used as this is not -# a regular entrypoint. Since crontab files are -# not directly executed, crond must ensure that -# the crontab file has a type that is appropriate -# for the domain of the user cron job. It -# performs an entrypoint permission check -# for this purpose. -allow system_crond_t system_cron_spool_t:file entrypoint; - -allow system_crond_t system_cron_spool_t:file r_file_perms; - -# Permit a transition from the crond_t domain to this domain. -# The transition is requested explicitly by the modified crond -# via setexeccon. There is no way to set up an automatic -# transition, since crontabs are configuration files, not executables. -allow crond_t system_crond_t:process transition; -dontaudit crond_t system_crond_t:process { noatsecure siginh rlimitinh }; -allow crond_t system_crond_t:fd use; -allow system_crond_t crond_t:fd use; -allow system_crond_t crond_t:fifo_file rw_file_perms; -allow system_crond_t crond_t:process sigchld; - -# Write /var/lock/makewhatis.lock. -allow system_crond_t system_crond_lock_t:file create_file_perms; -files_create_lock(system_crond_t,system_crond_lock_t) - -# write temporary files -allow system_crond_t system_crond_tmp_t:file create_file_perms; -files_create_tmp_files(system_crond_t,system_crond_tmp_t) - -# write temporary files in crond tmp dir: -allow system_crond_t crond_tmp_t:dir rw_dir_perms; -type_transition system_crond_t crond_tmp_t:file system_crond_tmp_t; - -# Read from /var/spool/cron. -allow system_crond_t cron_spool_t:dir r_dir_perms; -allow system_crond_t cron_spool_t:file r_file_perms; - -kernel_read_kernel_sysctl(system_crond_t) -kernel_read_system_state(system_crond_t) -kernel_read_software_raid_state(system_crond_t) - -# ps does not need to access /boot when run from cron -bootloader_dontaudit_search_boot(system_crond_t) - -corenet_tcp_sendrecv_all_if(system_crond_t) -corenet_raw_sendrecv_all_if(system_crond_t) -corenet_udp_sendrecv_all_if(system_crond_t) -corenet_tcp_sendrecv_all_nodes(system_crond_t) -corenet_raw_sendrecv_all_nodes(system_crond_t) -corenet_udp_sendrecv_all_nodes(system_crond_t) -corenet_tcp_sendrecv_all_ports(system_crond_t) -corenet_udp_sendrecv_all_ports(system_crond_t) -corenet_tcp_bind_all_nodes(system_crond_t) -corenet_udp_bind_all_nodes(system_crond_t) - -dev_getattr_all_blk_files(system_crond_t) -dev_getattr_all_chr_files(system_crond_t) -dev_read_urand(system_crond_t) - -fs_getattr_all_fs(system_crond_t) -fs_getattr_all_files(system_crond_t) -fs_getattr_all_symlinks(system_crond_t) -fs_getattr_all_pipes(system_crond_t) -fs_getattr_all_sockets(system_crond_t) - -corecmd_exec_bin(system_crond_t) -corecmd_exec_sbin(system_crond_t) - -domain_exec_all_entry_files(system_crond_t) -# quiet other ps operations -domain_dontaudit_read_all_domains_state(system_crond_t) - -files_exec_etc_files(system_crond_t) -files_read_etc_files(system_crond_t) -files_read_etc_runtime_files(system_crond_t) -files_list_all_dirs(system_crond_t) -files_getattr_all_dirs(system_crond_t) -files_getattr_all_files(system_crond_t) -files_getattr_all_symlinks(system_crond_t) -files_getattr_all_pipes(system_crond_t) -files_getattr_all_sockets(system_crond_t) -files_read_usr_files(system_crond_t) -files_read_var_files(system_crond_t) -# for nscd: -files_dontaudit_search_pids(system_crond_t) -# Access other spool directories like -# /var/spool/anacron and /var/spool/slrnpull. -files_manage_generic_spools(system_crond_t) - -init_use_fd(system_crond_t) -init_use_script_fd(system_crond_t) -init_use_script_pty(system_crond_t) -init_read_script_pid(system_crond_t) -init_dontaudit_rw_script_pid(system_crond_t) -# prelink tells init to restart it self, we either need to allow or dontaudit -init_write_initctl(system_crond_t) - -libs_use_ld_so(system_crond_t) -libs_use_shared_libs(system_crond_t) -libs_exec_lib_files(system_crond_t) -libs_exec_ld_so(system_crond_t) - -logging_read_generic_logs(system_crond_t) -logging_send_syslog_msg(system_crond_t) - -miscfiles_read_localization(system_crond_t) -miscfiles_manage_man_pages(system_crond_t) - -seutil_read_config(system_crond_t) - -mta_send_mail(system_crond_t) + tunable_policy(`cron_can_relabel',` + seutil_domtrans_setfiles(system_crond_t) + ',` + selinux_get_fs_mount(system_crond_t) + selinux_validate_context(system_crond_t) + selinux_compute_access_vector(system_crond_t) + selinux_compute_create_context(system_crond_t) + selinux_compute_relabel_context(system_crond_t) + selinux_compute_user_contexts(system_crond_t) + seutil_read_file_contexts(system_crond_t) + ') -ifdef(`distro_redhat', ` - # Run the rpm program in the rpm_t domain. Allow creation of RPM log files - # via redirection of standard out. - optional_policy(`rpm.te', ` - rpm_manage_log(system_crond_t) + optional_policy(`ftp.te',` + ftp_read_log(system_crond_t) ') -') -tunable_policy(`cron_can_relabel',` - seutil_domtrans_setfiles(system_crond_t) -',` - selinux_get_fs_mount(system_crond_t) - selinux_validate_context(system_crond_t) - selinux_compute_access_vector(system_crond_t) - selinux_compute_create_context(system_crond_t) - selinux_compute_relabel_context(system_crond_t) - selinux_compute_user_contexts(system_crond_t) - seutil_read_file_contexts(system_crond_t) -') + optional_policy(`mysql.te',` + mysql_read_config(system_crond_t) + ') -optional_policy(`ftp.te',` - ftp_read_log(system_crond_t) -') + optional_policy(`nis.te',` + nis_use_ypbind(system_crond_t) + ') -optional_policy(`mysql.te',` - mysql_read_config(system_crond_t) -') + optional_policy(`nscd.te',` + nscd_use_socket(system_crond_t) + ') -optional_policy(`nis.te',` - nis_use_ypbind(system_crond_t) -') + optional_policy(`samba.te',` + samba_read_config(system_crond_t) + samba_read_log(system_crond_t) + #samba_read_secrets(system_crond_t) + ') -optional_policy(`nscd.te',` - nscd_use_socket(system_crond_t) -') + optional_policy(`squid.te',` + # cjp: why? + squid_domtrans(system_crond_t) + ') -optional_policy(`samba.te',` - samba_read_config(system_crond_t) - samba_read_log(system_crond_t) - #samba_read_secrets(system_crond_t) -') + ifdef(`TODO',` + dontaudit userdomain system_crond_t:fd use; -optional_policy(`squid.te',` - # cjp: why? - squid_domtrans(system_crond_t) -') + # Do not audit attempts to search unlabeled directories (e.g. slocate). + dontaudit system_crond_t unlabeled_t:dir r_dir_perms; + dontaudit system_crond_t unlabeled_t:file r_file_perms; -ifdef(`TODO',` -dontaudit userdomain system_crond_t:fd use; + allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr; -# Do not audit attempts to search unlabeled directories (e.g. slocate). -dontaudit system_crond_t unlabeled_t:dir r_dir_perms; -dontaudit system_crond_t unlabeled_t:file r_file_perms; + # Write to /var/lib/slocate.db. + allow system_crond_t var_lib_t:dir rw_dir_perms; + allow system_crond_t var_lib_t:file create_file_perms; -allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr; + # for if /var/mail is a symlink + allow system_crond_t mail_spool_t:lnk_file read; -# Write to /var/lib/slocate.db. -allow system_crond_t var_lib_t:dir rw_dir_perms; -allow system_crond_t var_lib_t:file create_file_perms; + # + # These rules are here to allow system cron jobs to su + # + ifdef(`su.te', ` + su_restricted_domain(system_crond,system) + role system_r types system_crond_su_t; + allow system_crond_su_t crond_t:fifo_file ioctl; + ') -# for if /var/mail is a symlink -allow system_crond_t mail_spool_t:lnk_file read; + # + # Required for webalizer + # + ifdef(`apache.te', ` + allow system_crond_t { httpd_log_t httpd_config_t }:file r_file_perms; + ') -# -# These rules are here to allow system cron jobs to su -# -ifdef(`su.te', ` -su_restricted_domain(system_crond,system) -role system_r types system_crond_su_t; -allow system_crond_su_t crond_t:fifo_file ioctl; -') + ifdef(`mta.te', ` + mta_send_mail_transition(system_crond_t) -# -# Required for webalizer -# -ifdef(`apache.te', ` -allow system_crond_t { httpd_log_t httpd_config_t }:file r_file_perms; -') + # system_mail_t should only be reading from the cron fifo not needing to write + dontaudit system_mail_t crond_t:fifo_file write; + allow mta_user_agent system_crond_t:fd use; + r_dir_file(system_mail_t, crond_tmp_t) + ') -ifdef(`mta.te', ` -mta_send_mail_transition(system_crond_t) + # for daemon re-start + allow system_crond_t syslogd_t:lnk_file read; -# system_mail_t should only be reading from the cron fifo not needing to write -dontaudit system_mail_t crond_t:fifo_file write; -allow mta_user_agent system_crond_t:fd use; -r_dir_file(system_mail_t, crond_tmp_t) + ') dnl end TODO ') - -# for daemon re-start -allow system_crond_t syslogd_t:lnk_file read; - -') dnl end TODO diff --git a/refpolicy/policy/modules/services/rpc.fc b/refpolicy/policy/modules/services/rpc.fc index ac3475e..2c54b0f 100644 --- a/refpolicy/policy/modules/services/rpc.fc +++ b/refpolicy/policy/modules/services/rpc.fc @@ -6,13 +6,13 @@ # # /sbin # -/sbin/rpc\..* -- gen_context(system_u:object_r:rpc_exec_t,s0) +/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) # # /usr # /usr/sbin/exportfs -- gen_context(system_u:object_r:nfsd_exec_t,s0) -/usr/sbin/rpc.idmapd -- gen_context(system_u:object_r:rpc_exec_t,s0) +/usr/sbin/rpc.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0) /usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0) /usr/sbin/rpc\.mountd -- gen_context(system_u:object_r:nfsd_exec_t,s0) /usr/sbin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0) @@ -21,5 +21,5 @@ # # /var # -/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpc_var_run_t,s0) -/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpc_var_run_t,s0) +/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0) +/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) diff --git a/refpolicy/policy/modules/services/rpc.te b/refpolicy/policy/modules/services/rpc.te index 19e8aab..6b20ad5 100644 --- a/refpolicy/policy/modules/services/rpc.te +++ b/refpolicy/policy/modules/services/rpc.te @@ -14,12 +14,12 @@ rpc_domain_template(gssd) type gssd_tmp_t; files_tmp_file(gssd_tmp_t) -type rpc_var_run_t; -files_pid_file(rpc_var_run_t) +type rpcd_var_run_t; +files_pid_file(rpcd_var_run_t) -# rpc_t is the domain of rpc daemons. +# rpcd_t is the domain of rpc daemons. # rpc_exec_t is the type of rpc daemon programs. -rpc_domain_template(rpc) +rpc_domain_template(rpcd) rpc_domain_template(nfsd) @@ -37,32 +37,32 @@ files_type(var_lib_nfs_t) # RPC local policy # -allow rpc_t self:fifo_file rw_file_perms; -allow rpc_t self:file { getattr read }; +allow rpcd_t self:fifo_file rw_file_perms; +allow rpcd_t self:file { getattr read }; dontaudit userdomain exports_t:file getattr; -allow rpc_t rpc_var_run_t:file create_file_perms; -allow rpc_t rpc_var_run_t:dir create_dir_perms; -allow rpc_t rpc_var_run_t:dir setattr; -files_create_pid(rpc_t,rpc_var_run_t) +allow rpcd_t rpcd_var_run_t:file create_file_perms; +allow rpcd_t rpcd_var_run_t:dir create_dir_perms; +allow rpcd_t rpcd_var_run_t:dir setattr; +files_create_pid(rpcd_t,rpcd_var_run_t) -kernel_search_network_state(rpc_t) +kernel_search_network_state(rpcd_t) # for rpc.rquotad -kernel_read_sysctl(rpc_t) +kernel_read_sysctl(rpcd_t) -fs_read_rpc_dirs(rpc_t) -fs_read_rpc_files(rpc_t) -fs_read_rpc_symlinks(rpc_t) -fs_read_rpc_sockets(rpc_t) -term_use_controlling_term(rpc_t) +fs_read_rpc_dirs(rpcd_t) +fs_read_rpc_files(rpcd_t) +fs_read_rpc_symlinks(rpcd_t) +fs_read_rpc_sockets(rpcd_t) +term_use_controlling_term(rpcd_t) -seutil_dontaudit_search_config(rpc_t) +seutil_dontaudit_search_config(rpcd_t) -# rpc_t needs to talk to the portmap_t domain -portmap_udp_sendrecv(rpc_t) +# rpcd_t needs to talk to the portmap_t domain +portmap_udp_sendrecv(rpcd_t) ifdef(`distro_redhat', ` - allow rpc_t self:capability { chown dac_override setgid setuid }; + allow rpcd_t self:capability { chown dac_override setgid setuid }; ') ########################################