From b516e80f24b7a037683d7d09b3ec6a60faf2f2c9 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: May 17 2006 20:55:12 +0000 Subject: start cleaning up node binding and raw if/node access --- diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in index a458c00..249e5e7 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.if.in +++ b/refpolicy/policy/modules/kernel/corenetwork.if.in @@ -89,10 +89,6 @@ interface(`corenet_raw_send_generic_if',` ') allow $1 netif_t:netif rawip_send; - - # cjp: comment out until raw access is - # is fixed for network users - #allow $1 self:capability net_raw; ') ######################################## @@ -213,10 +209,6 @@ interface(`corenet_raw_send_all_if',` ') allow $1 netif_type:netif rawip_send; - - # cjp: comment out until raw access is - # is fixed for network users - #allow $1 self:capability net_raw; ') ######################################## diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.m4 b/refpolicy/policy/modules/kernel/corenetwork.if.m4 index e540789..0e6608a 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.if.m4 +++ b/refpolicy/policy/modules/kernel/corenetwork.if.m4 @@ -102,10 +102,6 @@ interface(`corenet_raw_send_$1_if',` ') allow dollarsone $1_$2:netif rawip_send; - - # cjp: comment out until raw access is - # is fixed for network users - #allow dollarsone self:capability net_raw; ') ######################################## diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in index 781e884..21094d1 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.te.in +++ b/refpolicy/policy/modules/kernel/corenetwork.te.in @@ -1,5 +1,5 @@ -policy_module(corenetwork,1.1.7) +policy_module(corenetwork,1.1.8) ######################################## # 
diff --git a/refpolicy/policy/modules/services/arpwatch.te b/refpolicy/policy/modules/services/arpwatch.te index f54f5f0..b4173a2 100644 --- a/refpolicy/policy/modules/services/arpwatch.te +++ b/refpolicy/policy/modules/services/arpwatch.te @@ -1,5 +1,5 @@ -policy_module(arpwatch,1.1.0) +policy_module(arpwatch,1.1.1) ######################################## # @@ -49,6 +49,7 @@ kernel_read_kernel_sysctls(arpwatch_t) kernel_list_proc(arpwatch_t) kernel_read_proc_symlinks(arpwatch_t) +corenet_non_ipsec_sendrecv(arpwatch_t) corenet_tcp_sendrecv_all_if(arpwatch_t) corenet_udp_sendrecv_all_if(arpwatch_t) corenet_raw_sendrecv_all_if(arpwatch_t) @@ -57,9 +58,6 @@ corenet_udp_sendrecv_all_nodes(arpwatch_t) corenet_raw_sendrecv_all_nodes(arpwatch_t) corenet_tcp_sendrecv_all_ports(arpwatch_t) corenet_udp_sendrecv_all_ports(arpwatch_t) -corenet_non_ipsec_sendrecv(arpwatch_t) -corenet_tcp_bind_all_nodes(arpwatch_t) -corenet_udp_bind_all_nodes(arpwatch_t) dev_read_sysfs(arpwatch_t) diff --git a/refpolicy/policy/modules/services/asterisk.te b/refpolicy/policy/modules/services/asterisk.te index e49ec12..5f4eaa4 100644 --- a/refpolicy/policy/modules/services/asterisk.te +++ b/refpolicy/policy/modules/services/asterisk.te @@ -1,5 +1,5 @@ -policy_module(asterisk,1.0.0) +policy_module(asterisk,1.0.1) ######################################## # @@ -89,10 +89,8 @@ corecmd_search_sbin(asterisk_t) corenet_non_ipsec_sendrecv(asterisk_t) corenet_tcp_sendrecv_generic_if(asterisk_t) corenet_udp_sendrecv_generic_if(asterisk_t) -corenet_raw_sendrecv_generic_if(asterisk_t) corenet_tcp_sendrecv_all_nodes(asterisk_t) corenet_udp_sendrecv_all_nodes(asterisk_t) -corenet_raw_sendrecv_all_nodes(asterisk_t) corenet_tcp_sendrecv_all_ports(asterisk_t) corenet_udp_sendrecv_all_ports(asterisk_t) corenet_tcp_bind_all_nodes(asterisk_t) diff --git a/refpolicy/policy/modules/services/automount.te b/refpolicy/policy/modules/services/automount.te index 65fc610..eebbb1d 100644 
--- a/refpolicy/policy/modules/services/automount.te +++ b/refpolicy/policy/modules/services/automount.te @@ -1,5 +1,5 @@ -policy_module(automount,1.2.3) +policy_module(automount,1.2.4) ######################################## # @@ -72,10 +72,8 @@ corecmd_exec_shell(automount_t) corenet_non_ipsec_sendrecv(automount_t) corenet_tcp_sendrecv_generic_if(automount_t) corenet_udp_sendrecv_generic_if(automount_t) -corenet_raw_sendrecv_generic_if(automount_t) corenet_tcp_sendrecv_all_nodes(automount_t) corenet_udp_sendrecv_all_nodes(automount_t) -corenet_raw_sendrecv_all_nodes(automount_t) corenet_tcp_sendrecv_all_ports(automount_t) corenet_udp_sendrecv_all_ports(automount_t) corenet_tcp_bind_all_nodes(automount_t) diff --git a/refpolicy/policy/modules/services/avahi.te b/refpolicy/policy/modules/services/avahi.te index 7fc37cb..90aa110 100644 --- a/refpolicy/policy/modules/services/avahi.te +++ b/refpolicy/policy/modules/services/avahi.te @@ -1,5 +1,5 @@ -policy_module(avahi,1.2.1) +policy_module(avahi,1.2.2) ######################################## # @@ -38,15 +38,13 @@ kernel_list_proc(avahi_t) kernel_read_proc_symlinks(avahi_t) kernel_read_network_state(avahi_t) +corenet_non_ipsec_sendrecv(avahi_t) corenet_tcp_sendrecv_all_if(avahi_t) -corenet_raw_sendrecv_all_if(avahi_t) corenet_udp_sendrecv_all_if(avahi_t) corenet_tcp_sendrecv_all_nodes(avahi_t) -corenet_raw_sendrecv_all_nodes(avahi_t) corenet_udp_sendrecv_all_nodes(avahi_t) corenet_tcp_sendrecv_all_ports(avahi_t) corenet_udp_sendrecv_all_ports(avahi_t) -corenet_non_ipsec_sendrecv(avahi_t) corenet_tcp_bind_all_nodes(avahi_t) corenet_udp_bind_all_nodes(avahi_t) corenet_tcp_bind_howl_port(avahi_t) diff --git a/refpolicy/policy/modules/services/bind.te b/refpolicy/policy/modules/services/bind.te index 3543172..ba9721d 100644 --- a/refpolicy/policy/modules/services/bind.te +++ b/refpolicy/policy/modules/services/bind.te 
@@ -1,5 +1,5 @@ -policy_module(bind,1.1.2) +policy_module(bind,1.1.3) ######################################## # @@ -99,15 +99,13 @@ kernel_read_system_state(named_t) kernel_read_network_state(named_t) kernel_tcp_recvfrom(named_t) +corenet_non_ipsec_sendrecv(named_t) corenet_tcp_sendrecv_all_if(named_t) -corenet_raw_sendrecv_all_if(named_t) corenet_udp_sendrecv_all_if(named_t) corenet_tcp_sendrecv_all_nodes(named_t) corenet_udp_sendrecv_all_nodes(named_t) -corenet_raw_sendrecv_all_nodes(named_t) corenet_tcp_sendrecv_all_ports(named_t) corenet_udp_sendrecv_all_ports(named_t) -corenet_non_ipsec_sendrecv(named_t) corenet_tcp_bind_all_nodes(named_t) corenet_udp_bind_all_nodes(named_t) corenet_tcp_bind_dns_port(named_t) @@ -238,13 +236,10 @@ allow ndc_t named_zone_t:dir search; kernel_read_kernel_sysctls(ndc_t) kernel_tcp_recvfrom(ndc_t) +corenet_non_ipsec_sendrecv(ndc_t) corenet_tcp_sendrecv_all_if(ndc_t) -corenet_raw_sendrecv_all_if(ndc_t) corenet_tcp_sendrecv_all_nodes(ndc_t) -corenet_raw_sendrecv_all_nodes(ndc_t) corenet_tcp_sendrecv_all_ports(ndc_t) -corenet_non_ipsec_sendrecv(ndc_t) -corenet_tcp_bind_all_nodes(ndc_t) corenet_tcp_connect_rndc_port(ndc_t) fs_getattr_xattr_fs(ndc_t) diff --git a/refpolicy/policy/modules/services/canna.te b/refpolicy/policy/modules/services/canna.te index 670e3d6..a2dad48 100644 --- a/refpolicy/policy/modules/services/canna.te +++ b/refpolicy/policy/modules/services/canna.te @@ -1,5 +1,5 @@ -policy_module(canna,1.2.0) +policy_module(canna,1.2.1) ######################################## # 
@@ -48,12 +48,10 @@ files_pid_filetrans(canna_t, canna_var_run_t, { file sock_file }) kernel_read_kernel_sysctls(canna_t) kernel_read_system_state(canna_t) +corenet_non_ipsec_sendrecv(canna_t) corenet_tcp_sendrecv_all_if(canna_t) -corenet_raw_sendrecv_all_if(canna_t) corenet_tcp_sendrecv_all_nodes(canna_t) -corenet_raw_sendrecv_all_nodes(canna_t) corenet_tcp_sendrecv_all_ports(canna_t) -corenet_non_ipsec_sendrecv(canna_t) corenet_tcp_bind_all_nodes(canna_t) corenet_tcp_connect_all_ports(canna_t) diff --git a/refpolicy/policy/modules/services/cipe.te b/refpolicy/policy/modules/services/cipe.te index 70fe0ae..697fa66 100644 --- a/refpolicy/policy/modules/services/cipe.te +++ b/refpolicy/policy/modules/services/cipe.te @@ -1,5 +1,5 @@ -policy_module(cipe,1.0.0) +policy_module(cipe,1.0.1) ######################################## # @@ -30,12 +30,10 @@ corecmd_exec_shell(ciped_t) corecmd_exec_bin(ciped_t) corecmd_exec_sbin(ciped_t) +corenet_non_ipsec_sendrecv(ciped_t) corenet_udp_sendrecv_generic_if(ciped_t) -corenet_raw_sendrecv_generic_if(ciped_t) corenet_udp_sendrecv_all_nodes(ciped_t) -corenet_raw_sendrecv_all_nodes(ciped_t) corenet_udp_sendrecv_all_ports(ciped_t) -corenet_non_ipsec_sendrecv(ciped_t) corenet_udp_bind_all_nodes(ciped_t) # cipe uses the afs3-bos port (udp 7007) corenet_udp_bind_afs_bos_port(ciped_t) diff --git a/refpolicy/policy/modules/services/clamav.te b/refpolicy/policy/modules/services/clamav.te index 03a916b..a662e6c 100644 --- a/refpolicy/policy/modules/services/clamav.te +++ b/refpolicy/policy/modules/services/clamav.te @@ -1,5 +1,5 @@ -policy_module(clamav,1.0.0) +policy_module(clamav,1.0.1) ######################################## # 
@@ -95,11 +95,11 @@ files_pid_filetrans(clamd_t,clamd_var_run_t,file) kernel_dontaudit_list_proc(clamd_t) +corenet_non_ipsec_sendrecv(clamd_t) corenet_tcp_sendrecv_all_if(clamd_t) corenet_tcp_sendrecv_all_nodes(clamd_t) corenet_tcp_sendrecv_all_ports(clamd_t) corenet_tcp_sendrecv_clamd_port(clamd_t) -corenet_non_ipsec_sendrecv(clamd_t) corenet_tcp_bind_clamd_port(clamd_t) corenet_tcp_bind_all_nodes(clamd_t) @@ -165,14 +165,12 @@ allow freshclam_t freshclam_var_log_t:dir { rw_dir_perms setattr }; allow freshclam_t clamd_var_log_t:dir search; logging_log_filetrans(freshclam_t,freshclam_var_log_t,file) +corenet_non_ipsec_sendrecv(freshclam_t) corenet_tcp_sendrecv_all_if(freshclam_t) corenet_tcp_sendrecv_all_nodes(freshclam_t) corenet_tcp_sendrecv_all_ports(freshclam_t) corenet_tcp_sendrecv_clamd_port(freshclam_t) -corenet_non_ipsec_sendrecv(freshclam_t) corenet_tcp_connect_http_port(freshclam_t) -corenet_tcp_bind_all_ports(freshclam_t) -corenet_tcp_bind_all_nodes(freshclam_t) dev_read_rand(freshclam_t) dev_read_urand(freshclam_t) diff --git a/refpolicy/policy/modules/services/comsat.te b/refpolicy/policy/modules/services/comsat.te index 1445d07..9e2e9cb 100644 --- a/refpolicy/policy/modules/services/comsat.te +++ b/refpolicy/policy/modules/services/comsat.te @@ -1,5 +1,5 @@ -policy_module(comsat,1.1.0) +policy_module(comsat,1.1.1) ######################################## # 
@@ -43,17 +43,12 @@ kernel_read_kernel_sysctls(comsat_t) kernel_read_network_state(comsat_t) kernel_read_system_state(comsat_t) +corenet_non_ipsec_sendrecv(comsat_t) corenet_tcp_sendrecv_all_if(comsat_t) corenet_udp_sendrecv_all_if(comsat_t) -corenet_raw_sendrecv_all_if(comsat_t) corenet_tcp_sendrecv_all_nodes(comsat_t) corenet_udp_sendrecv_all_nodes(comsat_t) -corenet_raw_sendrecv_all_nodes(comsat_t) -corenet_tcp_sendrecv_all_ports(comsat_t) corenet_udp_sendrecv_all_ports(comsat_t) -corenet_non_ipsec_sendrecv(comsat_t) -corenet_tcp_bind_all_nodes(comsat_t) -corenet_udp_bind_all_nodes(comsat_t) dev_read_urand(comsat_t) @@ -91,5 +86,3 @@ optional_policy(` optional_policy(` nscd_socket_use(comsat_t) ') - - diff --git a/refpolicy/policy/modules/services/courier.if b/refpolicy/policy/modules/services/courier.if index d16c3f8..c69b60a 100644 --- a/refpolicy/policy/modules/services/courier.if +++ b/refpolicy/policy/modules/services/courier.if @@ -49,15 +49,13 @@ template(`courier_domain_template',` corecmd_exec_bin(courier_$1_t) + corenet_non_ipsec_sendrecv(courier_$1_t) corenet_tcp_sendrecv_generic_if(courier_$1_t) corenet_udp_sendrecv_generic_if(courier_$1_t) - corenet_raw_sendrecv_generic_if(courier_$1_t) corenet_tcp_sendrecv_all_nodes(courier_$1_t) corenet_udp_sendrecv_all_nodes(courier_$1_t) - corenet_raw_sendrecv_all_nodes(courier_$1_t) corenet_tcp_sendrecv_all_ports(courier_$1_t) corenet_udp_sendrecv_all_ports(courier_$1_t) - corenet_non_ipsec_sendrecv(courier_$1_t) corenet_tcp_bind_all_nodes(courier_$1_t) corenet_udp_bind_all_nodes(courier_$1_t) diff --git a/refpolicy/policy/modules/services/courier.te b/refpolicy/policy/modules/services/courier.te index 2aa0cc0..9e0b787 100644 --- a/refpolicy/policy/modules/services/courier.te +++ b/refpolicy/policy/modules/services/courier.te @@ -1,5 +1,5 @@ -policy_module(courier,1.0.0) +policy_module(courier,1.0.1) ######################################## # 
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index d4601e5..dca68e0 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -1,5 +1,5 @@ -policy_module(cron,1.3.5) +policy_module(cron,1.3.6) gen_require(` class passwd rootok; @@ -283,17 +283,13 @@ ifdef(`targeted_policy',` corecmd_exec_all_executables(system_crond_t) + corenet_non_ipsec_sendrecv(system_crond_t) corenet_tcp_sendrecv_all_if(system_crond_t) - corenet_raw_sendrecv_all_if(system_crond_t) corenet_udp_sendrecv_all_if(system_crond_t) corenet_tcp_sendrecv_all_nodes(system_crond_t) - corenet_raw_sendrecv_all_nodes(system_crond_t) corenet_udp_sendrecv_all_nodes(system_crond_t) corenet_tcp_sendrecv_all_ports(system_crond_t) corenet_udp_sendrecv_all_ports(system_crond_t) - corenet_non_ipsec_sendrecv(system_crond_t) - corenet_tcp_bind_all_nodes(system_crond_t) - corenet_udp_bind_all_nodes(system_crond_t) dev_getattr_all_blk_files(system_crond_t) dev_getattr_all_chr_files(system_crond_t) diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te index f932ad0..f3b47a6 100644 --- a/refpolicy/policy/modules/services/dovecot.te +++ b/refpolicy/policy/modules/services/dovecot.te @@ -1,5 +1,5 @@ -policy_module(dovecot,1.2.1) +policy_module(dovecot,1.2.2) ######################################## # @@ -70,12 +70,10 @@ files_pid_filetrans(dovecot_t,dovecot_var_run_t,file) kernel_read_kernel_sysctls(dovecot_t) kernel_read_system_state(dovecot_t) +corenet_non_ipsec_sendrecv(dovecot_t) corenet_tcp_sendrecv_all_if(dovecot_t) -corenet_raw_sendrecv_all_if(dovecot_t) corenet_tcp_sendrecv_all_nodes(dovecot_t) -corenet_raw_sendrecv_all_nodes(dovecot_t) corenet_tcp_sendrecv_all_ports(dovecot_t) -corenet_non_ipsec_sendrecv(dovecot_t) corenet_tcp_bind_all_nodes(dovecot_t) corenet_tcp_bind_pop_port(dovecot_t) corenet_tcp_connect_all_ports(dovecot_t) 
diff --git a/refpolicy/policy/modules/services/fetchmail.te b/refpolicy/policy/modules/services/fetchmail.te index b4c2276..2ef238f 100644 --- a/refpolicy/policy/modules/services/fetchmail.te +++ b/refpolicy/policy/modules/services/fetchmail.te @@ -1,10 +1,11 @@ -policy_module(fetchmail,1.1.0) +policy_module(fetchmail,1.1.1) ######################################## # # Declarations # + type fetchmail_t; type fetchmail_exec_t; init_daemon_domain(fetchmail_t,fetchmail_exec_t) @@ -27,9 +28,9 @@ dontaudit fetchmail_t self:capability sys_tty_config; allow fetchmail_t self:process { signal_perms setrlimit }; allow fetchmail_t self:unix_dgram_socket create_socket_perms; allow fetchmail_t self:unix_stream_socket create_stream_socket_perms; +allow fetchmail_t self:netlink_route_socket r_netlink_socket_perms; allow fetchmail_t self:tcp_socket create_socket_perms; allow fetchmail_t self:udp_socket create_socket_perms; -allow fetchmail_t self:netlink_route_socket r_netlink_socket_perms; allow fetchmail_t fetchmail_etc_t:file r_file_perms; @@ -49,16 +50,12 @@ kernel_dontaudit_read_system_state(fetchmail_t) corenet_non_ipsec_sendrecv(fetchmail_t) corenet_tcp_sendrecv_generic_if(fetchmail_t) corenet_udp_sendrecv_generic_if(fetchmail_t) -corenet_raw_sendrecv_generic_if(fetchmail_t) corenet_tcp_sendrecv_all_nodes(fetchmail_t) corenet_udp_sendrecv_all_nodes(fetchmail_t) -corenet_raw_sendrecv_all_nodes(fetchmail_t) corenet_tcp_sendrecv_dns_port(fetchmail_t) corenet_udp_sendrecv_dns_port(fetchmail_t) corenet_tcp_sendrecv_pop_port(fetchmail_t) corenet_tcp_sendrecv_smtp_port(fetchmail_t) -corenet_tcp_bind_all_nodes(fetchmail_t) -corenet_udp_bind_all_nodes(fetchmail_t) corenet_tcp_connect_all_ports(fetchmail_t) dev_read_sysfs(fetchmail_t) diff --git a/refpolicy/policy/modules/services/finger.te b/refpolicy/policy/modules/services/finger.te index b6a591d..1647e64 100644 --- a/refpolicy/policy/modules/services/finger.te +++ b/refpolicy/policy/modules/services/finger.te 
@@ -1,10 +1,11 @@ -policy_module(finger,1.1.0) +policy_module(finger,1.1.1) ######################################## # # Declarations # + type fingerd_t; type fingerd_exec_t; init_daemon_domain(fingerd_t,fingerd_exec_t) @@ -23,6 +24,7 @@ files_pid_file(fingerd_var_run_t) # # Local policy # + allow fingerd_t self:capability { setgid setuid }; dontaudit fingerd_t self:capability { sys_tty_config fsetid }; allow fingerd_t self:process signal_perms; @@ -47,17 +49,14 @@ kernel_read_kernel_sysctls(fingerd_t) kernel_read_system_state(fingerd_t) kernel_tcp_recvfrom(fingerd_t) +corenet_non_ipsec_sendrecv(fingerd_t) corenet_tcp_sendrecv_all_if(fingerd_t) corenet_udp_sendrecv_all_if(fingerd_t) -corenet_raw_sendrecv_all_if(fingerd_t) corenet_tcp_sendrecv_all_nodes(fingerd_t) corenet_udp_sendrecv_all_nodes(fingerd_t) -corenet_raw_sendrecv_all_nodes(fingerd_t) corenet_tcp_sendrecv_all_ports(fingerd_t) corenet_udp_sendrecv_all_ports(fingerd_t) -corenet_non_ipsec_sendrecv(fingerd_t) corenet_tcp_bind_all_nodes(fingerd_t) -corenet_udp_bind_all_nodes(fingerd_t) corenet_tcp_bind_fingerd_port(fingerd_t) dev_read_sysfs(fingerd_t) diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te index fd59766..79044fe 100644 --- a/refpolicy/policy/modules/services/ftp.te +++ b/refpolicy/policy/modules/services/ftp.te @@ -1,5 +1,5 @@ -policy_module(ftp,1.2.2) +policy_module(ftp,1.2.3) ######################################## # 
@@ -78,17 +78,14 @@ corecmd_exec_sbin(ftpd_t) # also may need rules to allow tar etc... corecmd_exec_ls(ftpd_t) +corenet_non_ipsec_sendrecv(ftpd_t) corenet_tcp_sendrecv_all_if(ftpd_t) corenet_udp_sendrecv_all_if(ftpd_t) -corenet_raw_sendrecv_all_if(ftpd_t) corenet_tcp_sendrecv_all_nodes(ftpd_t) corenet_udp_sendrecv_all_nodes(ftpd_t) -corenet_raw_sendrecv_all_nodes(ftpd_t) corenet_tcp_sendrecv_all_ports(ftpd_t) corenet_udp_sendrecv_all_ports(ftpd_t) -corenet_non_ipsec_sendrecv(ftpd_t) corenet_tcp_bind_all_nodes(ftpd_t) -corenet_udp_bind_all_nodes(ftpd_t) corenet_tcp_bind_ftp_data_port(ftpd_t) corenet_tcp_bind_generic_port(ftpd_t) corenet_tcp_connect_all_ports(ftpd_t) @@ -206,10 +203,6 @@ optional_policy(` ') optional_policy(` - mount_send_nfs_client_request(ftpd_t) -') - -optional_policy(` nscd_socket_use(ftpd_t) ') diff --git a/refpolicy/policy/modules/services/gatekeeper.te b/refpolicy/policy/modules/services/gatekeeper.te index 4090032..08cb0d5 100644 --- a/refpolicy/policy/modules/services/gatekeeper.te +++ b/refpolicy/policy/modules/services/gatekeeper.te @@ -1,5 +1,5 @@ -policy_module(gatekeeper,1.0.0) +policy_module(gatekeeper,1.0.1) ######################################## # @@ -31,7 +31,6 @@ files_pid_file(gatekeeper_var_run_t) dontaudit gatekeeper_t self:capability sys_tty_config; allow gatekeeper_t self:process { setsched signal_perms }; allow gatekeeper_t self:fifo_file rw_file_perms; - allow gatekeeper_t self:tcp_socket create_stream_socket_perms; allow gatekeeper_t self:udp_socket create_socket_perms; 
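Review bot: The second ftp.te hunk (`@@ -206,10 +203,6`) drops the whole `optional_policy(` mount_send_nfs_client_request(ftpd_t) ')` block, which is neither node binding nor raw if/node access and is not explained by the subject line. If ftpd serves home directories that live on NFS, this removal is the kind of change that surfaces later as an unexplained denial rather than at review time. Either state the justification in the commit message or split it into its own commit so the cleanup stays reviewable as a pure permission tightening.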
@@ -59,10 +58,8 @@ corecmd_list_sbin(gatekeeper_t) corenet_non_ipsec_sendrecv(gatekeeper_t) corenet_tcp_sendrecv_generic_if(gatekeeper_t) corenet_udp_sendrecv_generic_if(gatekeeper_t) -corenet_raw_sendrecv_generic_if(gatekeeper_t) corenet_tcp_sendrecv_all_nodes(gatekeeper_t) corenet_udp_sendrecv_all_nodes(gatekeeper_t) -corenet_raw_sendrecv_all_nodes(gatekeeper_t) corenet_tcp_sendrecv_all_ports(gatekeeper_t) corenet_udp_sendrecv_all_ports(gatekeeper_t) corenet_tcp_bind_all_nodes(gatekeeper_t) diff --git a/refpolicy/policy/modules/services/howl.te b/refpolicy/policy/modules/services/howl.te index 64e7ec8..c72d602 100644 --- a/refpolicy/policy/modules/services/howl.te +++ b/refpolicy/policy/modules/services/howl.te @@ -1,5 +1,5 @@ -policy_module(howl,1.1.0) +policy_module(howl,1.1.1) ######################################## # @@ -35,15 +35,13 @@ kernel_load_module(howl_t) kernel_list_proc(howl_t) kernel_read_proc_symlinks(howl_t) +corenet_non_ipsec_sendrecv(howl_t) corenet_tcp_sendrecv_all_if(howl_t) corenet_udp_sendrecv_all_if(howl_t) -corenet_raw_sendrecv_all_if(howl_t) corenet_tcp_sendrecv_all_nodes(howl_t) corenet_udp_sendrecv_all_nodes(howl_t) -corenet_raw_sendrecv_all_nodes(howl_t) corenet_tcp_sendrecv_all_ports(howl_t) corenet_udp_sendrecv_all_ports(howl_t) -corenet_non_ipsec_sendrecv(howl_t) corenet_tcp_bind_all_nodes(howl_t) corenet_udp_bind_all_nodes(howl_t) corenet_tcp_bind_howl_port(howl_t) diff --git a/refpolicy/policy/modules/services/i18n_input.te b/refpolicy/policy/modules/services/i18n_input.te index 3be7c8f..20ec0fb 100644 --- a/refpolicy/policy/modules/services/i18n_input.te +++ b/refpolicy/policy/modules/services/i18n_input.te @@ -1,5 +1,5 @@ -policy_module(i18n_input,1.1.0) +policy_module(i18n_input,1.1.1) ######################################## # 
@@ -38,17 +38,14 @@ kernel_read_kernel_sysctls(i18n_input_t) kernel_read_system_state(i18n_input_t) kernel_tcp_recvfrom(i18n_input_t) +corenet_non_ipsec_sendrecv(i18n_input_t) corenet_tcp_sendrecv_generic_if(i18n_input_t) corenet_udp_sendrecv_generic_if(i18n_input_t) -corenet_raw_sendrecv_generic_if(i18n_input_t) corenet_tcp_sendrecv_all_nodes(i18n_input_t) corenet_udp_sendrecv_all_nodes(i18n_input_t) -corenet_raw_sendrecv_all_nodes(i18n_input_t) corenet_tcp_sendrecv_all_ports(i18n_input_t) corenet_udp_sendrecv_all_ports(i18n_input_t) -corenet_non_ipsec_sendrecv(i18n_input_t) corenet_tcp_bind_all_nodes(i18n_input_t) -corenet_udp_bind_all_nodes(i18n_input_t) corenet_tcp_bind_i18n_input_port(i18n_input_t) corenet_tcp_connect_all_ports(i18n_input_t) diff --git a/refpolicy/policy/modules/services/imaze.te b/refpolicy/policy/modules/services/imaze.te index 9612209..6dfe38a 100644 --- a/refpolicy/policy/modules/services/imaze.te +++ b/refpolicy/policy/modules/services/imaze.te @@ -1,5 +1,5 @@ -policy_module(imaze,1.0.0) +policy_module(imaze,1.0.1) ######################################## # @@ -56,15 +56,13 @@ kernel_read_kernel_sysctls(imazesrv_t) kernel_list_proc(imazesrv_t) kernel_read_proc_symlinks(imazesrv_t) +corenet_non_ipsec_sendrecv(imazesrv_t) corenet_tcp_sendrecv_generic_if(imazesrv_t) corenet_udp_sendrecv_generic_if(imazesrv_t) -corenet_raw_sendrecv_generic_if(imazesrv_t) corenet_tcp_sendrecv_all_nodes(imazesrv_t) corenet_udp_sendrecv_all_nodes(imazesrv_t) -corenet_raw_sendrecv_all_nodes(imazesrv_t) corenet_tcp_sendrecv_all_ports(imazesrv_t) corenet_udp_sendrecv_all_ports(imazesrv_t) -corenet_non_ipsec_sendrecv(imazesrv_t) corenet_tcp_bind_all_nodes(imazesrv_t) corenet_udp_bind_all_nodes(imazesrv_t) corenet_tcp_bind_imaze_port(imazesrv_t) diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te index 7c035f5..ea12d39 100644 --- a/refpolicy/policy/modules/services/inetd.te 
+++ b/refpolicy/policy/modules/services/inetd.te @@ -1,5 +1,5 @@ -policy_module(inetd,1.1.1) +policy_module(inetd,1.1.2) ######################################## # @@ -40,7 +40,7 @@ dontaudit inetd_t self:capability sys_tty_config; allow inetd_t self:process setsched; allow inetd_t self:fifo_file rw_file_perms; allow inetd_t self:tcp_socket create_stream_socket_perms; -allow inetd_t self:udp_socket { connect connected_socket_perms }; +allow inetd_t self:udp_socket create_socket_perms; allow inetd_t inetd_log_t:file create_file_perms; logging_log_filetrans(inetd_t,inetd_log_t,file) @@ -58,15 +58,13 @@ kernel_read_proc_symlinks(inetd_t) kernel_tcp_recvfrom(inetd_t) # networking: +corenet_non_ipsec_sendrecv(inetd_t) corenet_tcp_sendrecv_all_if(inetd_t) corenet_udp_sendrecv_all_if(inetd_t) -corenet_raw_sendrecv_all_if(inetd_t) corenet_tcp_sendrecv_all_nodes(inetd_t) corenet_udp_sendrecv_all_nodes(inetd_t) -corenet_raw_sendrecv_all_nodes(inetd_t) corenet_tcp_sendrecv_all_ports(inetd_t) corenet_udp_sendrecv_all_ports(inetd_t) -corenet_non_ipsec_sendrecv(inetd_t) corenet_tcp_bind_all_nodes(inetd_t) corenet_udp_bind_all_nodes(inetd_t) corenet_tcp_connect_all_ports(inetd_t) @@ -185,17 +183,13 @@ kernel_read_kernel_sysctls(inetd_child_t) kernel_read_system_state(inetd_child_t) kernel_read_network_state(inetd_child_t) +corenet_non_ipsec_sendrecv(inetd_child_t) corenet_tcp_sendrecv_all_if(inetd_child_t) corenet_udp_sendrecv_all_if(inetd_child_t) -corenet_raw_sendrecv_all_if(inetd_child_t) corenet_tcp_sendrecv_all_nodes(inetd_child_t) corenet_udp_sendrecv_all_nodes(inetd_child_t) -corenet_raw_sendrecv_all_nodes(inetd_child_t) corenet_tcp_sendrecv_all_ports(inetd_child_t) corenet_udp_sendrecv_all_ports(inetd_child_t) -corenet_non_ipsec_sendrecv(inetd_child_t) -corenet_tcp_bind_all_nodes(inetd_child_t) -corenet_udp_bind_all_nodes(inetd_child_t) dev_read_urand(inetd_child_t) 
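Review bot: The first inetd.te hunk replaces `allow inetd_t self:udp_socket { connect connected_socket_perms };` with `allow inetd_t self:udp_socket create_socket_perms;`, which adds `create` — a widening that the subject line's bind/raw cleanup does not describe and the message does not mention. It is consistent with the next hunk keeping `corenet_udp_bind_all_nodes(inetd_t)`, so presumably it is meant to let inetd open its own UDP listeners for datagram services; a comment above the rule such as `# inetd creates and binds the UDP listeners for datagram services itself` would record that intent. Dropping both `corenet_*_bind_all_nodes(inetd_child_t)` rules in the last hunk looks right, since an inetd child inherits an already-bound socket rather than binding one.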
diff --git a/refpolicy/policy/modules/services/inn.te b/refpolicy/policy/modules/services/inn.te index ec28063..37911ad 100644 --- a/refpolicy/policy/modules/services/inn.te +++ b/refpolicy/policy/modules/services/inn.te @@ -1,5 +1,5 @@ -policy_module(inn,1.1.0) +policy_module(inn,1.1.1) ######################################## # @@ -32,10 +32,10 @@ allow innd_t self:capability { dac_override kill setgid setuid }; dontaudit innd_t self:capability sys_tty_config; allow innd_t self:process { setsched signal_perms }; allow innd_t self:fifo_file rw_file_perms; -allow innd_t self:tcp_socket create_stream_socket_perms; -allow innd_t self:udp_socket create_socket_perms; allow innd_t self:unix_dgram_socket { sendto create_socket_perms }; allow innd_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow innd_t self:tcp_socket create_stream_socket_perms; +allow innd_t self:udp_socket create_socket_perms; allow innd_t innd_etc_t:file r_file_perms; allow innd_t innd_etc_t:dir r_dir_perms; @@ -63,17 +63,14 @@ allow innd_t news_spool_t:lnk_file create_lnk_perms; kernel_read_kernel_sysctls(innd_t) kernel_read_system_state(innd_t) -corenet_raw_sendrecv_all_if(innd_t) +corenet_non_ipsec_sendrecv(innd_t) corenet_tcp_sendrecv_all_if(innd_t) corenet_udp_sendrecv_all_if(innd_t) -corenet_raw_sendrecv_all_nodes(innd_t) corenet_tcp_sendrecv_all_nodes(innd_t) corenet_udp_sendrecv_all_nodes(innd_t) corenet_tcp_sendrecv_all_ports(innd_t) corenet_udp_sendrecv_all_ports(innd_t) -corenet_non_ipsec_sendrecv(innd_t) corenet_tcp_bind_all_nodes(innd_t) -corenet_udp_bind_all_nodes(innd_t) corenet_tcp_bind_innd_port(innd_t) corenet_tcp_connect_all_ports(innd_t) diff --git a/refpolicy/policy/modules/services/ircd.te b/refpolicy/policy/modules/services/ircd.te index cdd2911..5e543b9 100644 --- a/refpolicy/policy/modules/services/ircd.te +++ b/refpolicy/policy/modules/services/ircd.te 
@@ -1,5 +1,5 @@ -policy_module(ircd,1.0.0) +policy_module(ircd,1.0.1) ######################################## # @@ -54,17 +54,14 @@ kernel_read_kernel_sysctls(ircd_t) corecmd_search_sbin(ircd_t) +corenet_non_ipsec_sendrecv(ircd_t) corenet_tcp_sendrecv_generic_if(ircd_t) corenet_udp_sendrecv_generic_if(ircd_t) -corenet_raw_sendrecv_generic_if(ircd_t) corenet_tcp_sendrecv_all_nodes(ircd_t) corenet_udp_sendrecv_all_nodes(ircd_t) -corenet_raw_sendrecv_all_nodes(ircd_t) corenet_tcp_sendrecv_all_ports(ircd_t) corenet_udp_sendrecv_all_ports(ircd_t) -corenet_non_ipsec_sendrecv(ircd_t) corenet_tcp_bind_all_nodes(ircd_t) -corenet_udp_bind_all_nodes(ircd_t) corenet_tcp_bind_ircd_port(ircd_t) dev_read_sysfs(ircd_t) diff --git a/refpolicy/policy/modules/services/jabber.te b/refpolicy/policy/modules/services/jabber.te index a07e1e6..3c5159d 100644 --- a/refpolicy/policy/modules/services/jabber.te +++ b/refpolicy/policy/modules/services/jabber.te @@ -1,5 +1,5 @@ -policy_module(jabber,1.0.0) +policy_module(jabber,1.0.1) ######################################## # @@ -48,17 +48,14 @@ kernel_list_proc(jabberd_t) kernel_read_proc_symlinks(jabberd_t) kernel_tcp_recvfrom(jabberd_t) +corenet_non_ipsec_sendrecv(jabberd_t) corenet_tcp_sendrecv_generic_if(jabberd_t) corenet_udp_sendrecv_generic_if(jabberd_t) -corenet_raw_sendrecv_generic_if(jabberd_t) corenet_tcp_sendrecv_all_nodes(jabberd_t) corenet_udp_sendrecv_all_nodes(jabberd_t) -corenet_raw_sendrecv_all_nodes(jabberd_t) corenet_tcp_sendrecv_all_ports(jabberd_t) corenet_udp_sendrecv_all_ports(jabberd_t) -corenet_non_ipsec_sendrecv(jabberd_t) corenet_tcp_bind_all_nodes(jabberd_t) -corenet_udp_bind_all_nodes(jabberd_t) corenet_tcp_bind_jabber_client_port(jabberd_t) corenet_tcp_bind_jabber_interserver_port(jabberd_t) diff --git a/refpolicy/policy/modules/services/kerberos.te b/refpolicy/policy/modules/services/kerberos.te index 89e3d43..a72532e 100644 --- a/refpolicy/policy/modules/services/kerberos.te 
+++ b/refpolicy/policy/modules/services/kerberos.te @@ -1,5 +1,5 @@ -policy_module(kerberos,1.1.0) +policy_module(kerberos,1.1.1) ######################################## # @@ -87,15 +87,13 @@ kernel_read_kernel_sysctls(kadmind_t) kernel_list_proc(kadmind_t) kernel_read_proc_symlinks(kadmind_t) +corenet_non_ipsec_sendrecv(kadmind_t) corenet_tcp_sendrecv_all_if(kadmind_t) corenet_udp_sendrecv_all_if(kadmind_t) -corenet_raw_sendrecv_all_if(kadmind_t) corenet_tcp_sendrecv_all_nodes(kadmind_t) corenet_udp_sendrecv_all_nodes(kadmind_t) -corenet_raw_sendrecv_all_nodes(kadmind_t) corenet_tcp_sendrecv_all_ports(kadmind_t) corenet_udp_sendrecv_all_ports(kadmind_t) -corenet_non_ipsec_sendrecv(kadmind_t) corenet_tcp_bind_all_nodes(kadmind_t) corenet_udp_bind_all_nodes(kadmind_t) corenet_tcp_bind_kerberos_admin_port(kadmind_t) @@ -190,15 +188,13 @@ kernel_read_kernel_sysctls(krb5kdc_t) kernel_list_proc(krb5kdc_t) kernel_read_proc_symlinks(krb5kdc_t) +corenet_non_ipsec_sendrecv(krb5kdc_t) corenet_tcp_sendrecv_all_if(krb5kdc_t) corenet_udp_sendrecv_all_if(krb5kdc_t) -corenet_raw_sendrecv_all_if(krb5kdc_t) corenet_tcp_sendrecv_all_nodes(krb5kdc_t) corenet_udp_sendrecv_all_nodes(krb5kdc_t) -corenet_raw_sendrecv_all_nodes(krb5kdc_t) corenet_tcp_sendrecv_all_ports(krb5kdc_t) corenet_udp_sendrecv_all_ports(krb5kdc_t) -corenet_non_ipsec_sendrecv(krb5kdc_t) corenet_tcp_bind_all_nodes(krb5kdc_t) corenet_udp_bind_all_nodes(krb5kdc_t) corenet_tcp_bind_kerberos_port(krb5kdc_t) diff --git a/refpolicy/policy/modules/services/ktalk.te b/refpolicy/policy/modules/services/ktalk.te index 9f2cbb8..d4139c9 100644 --- a/refpolicy/policy/modules/services/ktalk.te +++ b/refpolicy/policy/modules/services/ktalk.te @@ -1,5 +1,5 @@ -policy_module(ktalk,1.2.1) +policy_module(ktalk,1.2.2) ######################################## # 
@@ -56,17 +56,13 @@ kernel_read_kernel_sysctls(ktalkd_t) kernel_read_system_state(ktalkd_t) kernel_read_network_state(ktalkd_t) +corenet_non_ipsec_sendrecv(ktalkd_t) corenet_tcp_sendrecv_all_if(ktalkd_t) corenet_udp_sendrecv_all_if(ktalkd_t) -corenet_raw_sendrecv_all_if(ktalkd_t) corenet_tcp_sendrecv_all_nodes(ktalkd_t) corenet_udp_sendrecv_all_nodes(ktalkd_t) -corenet_raw_sendrecv_all_nodes(ktalkd_t) corenet_tcp_sendrecv_all_ports(ktalkd_t) corenet_udp_sendrecv_all_ports(ktalkd_t) -corenet_non_ipsec_sendrecv(ktalkd_t) -corenet_tcp_bind_all_nodes(ktalkd_t) -corenet_udp_bind_all_nodes(ktalkd_t) dev_read_urand(ktalkd_t) diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te index 5cb2797..8d9594a 100644 --- a/refpolicy/policy/modules/services/ldap.te +++ b/refpolicy/policy/modules/services/ldap.te @@ -1,5 +1,5 @@ -policy_module(ldap,1.2.0) +policy_module(ldap,1.2.1) ######################################## # @@ -78,6 +78,7 @@ kernel_read_system_state(slapd_t) kernel_read_kernel_sysctls(slapd_t) kernel_tcp_recvfrom(slapd_t) +corenet_non_ipsec_sendrecv(slapd_t) corenet_tcp_sendrecv_all_if(slapd_t) corenet_udp_sendrecv_all_if(slapd_t) corenet_raw_sendrecv_all_if(slapd_t) @@ -86,9 +87,7 @@ corenet_udp_sendrecv_all_nodes(slapd_t) corenet_raw_sendrecv_all_nodes(slapd_t) corenet_tcp_sendrecv_all_ports(slapd_t) corenet_udp_sendrecv_all_ports(slapd_t) -corenet_non_ipsec_sendrecv(slapd_t) corenet_tcp_bind_all_nodes(slapd_t) -corenet_udp_bind_all_nodes(slapd_t) corenet_tcp_bind_ldap_port(slapd_t) corenet_tcp_connect_all_ports(slapd_t) diff --git a/refpolicy/policy/modules/services/lpd.te b/refpolicy/policy/modules/services/lpd.te index 6139501..9e0071c 100644 --- a/refpolicy/policy/modules/services/lpd.te +++ b/refpolicy/policy/modules/services/lpd.te @@ -1,5 +1,5 @@ -policy_module(lpd,1.2.2) +policy_module(lpd,1.2.3) ######################################## # 
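Review bot: slapd_t still keeps `corenet_raw_sendrecv_all_if(slapd_t)` and `corenet_raw_sendrecv_all_nodes(slapd_t)` as context in the two ldap.te hunks, while this same commit removes the raw if/node rules from every other daemon in the series that has no raw-socket use. Unless slapd has a documented need for raw IP, drop both lines here for consistency with the rest of the cleanup. If it is being kept deliberately, a one-line comment above them stating why would keep the next pass from removing them blindly.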
@@ -45,8 +45,10 @@ files_type(printconf_t)
 # This requires that /usr/sbin/checkpc have type checkpc_t.
 allow checkpc_t self:capability { setgid setuid dac_override };
-allow checkpc_t self:process { fork signal_perms };
+allow checkpc_t self:process signal_perms;
 allow checkpc_t self:unix_stream_socket create_socket_perms;
+allow checkpc_t self:tcp_socket create_socket_perms;
+allow checkpc_t self:udp_socket create_socket_perms;
 allow checkpc_t checkpc_log_t:file create_file_perms;
 logging_log_filetrans(checkpc_t,checkpc_log_t,file)
@@ -63,19 +65,13 @@ allow checkpc_t printconf_t:dir { getattr search read };
 kernel_read_system_state(checkpc_t)
-allow checkpc_t self:tcp_socket create_socket_perms;
-allow checkpc_t self:udp_socket create_socket_perms;
+corenet_non_ipsec_sendrecv(checkpc_t)
 corenet_tcp_sendrecv_all_if(checkpc_t)
 corenet_udp_sendrecv_all_if(checkpc_t)
-corenet_raw_sendrecv_all_if(checkpc_t)
 corenet_tcp_sendrecv_all_nodes(checkpc_t)
 corenet_udp_sendrecv_all_nodes(checkpc_t)
-corenet_raw_sendrecv_all_nodes(checkpc_t)
 corenet_tcp_sendrecv_all_ports(checkpc_t)
 corenet_udp_sendrecv_all_ports(checkpc_t)
-corenet_non_ipsec_sendrecv(checkpc_t)
-corenet_tcp_bind_all_nodes(checkpc_t)
-corenet_udp_bind_all_nodes(checkpc_t)
 corenet_tcp_connect_all_ports(checkpc_t)
 dev_append_printer(checkpc_t)
@@ -127,6 +123,8 @@ allow lpd_t self:process signal_perms;
 allow lpd_t self:fifo_file rw_file_perms;
 allow lpd_t self:unix_stream_socket create_stream_socket_perms;
 allow lpd_t self:unix_dgram_socket create_socket_perms;
+allow lpd_t self:tcp_socket create_stream_socket_perms;
+allow lpd_t self:udp_socket create_stream_socket_perms;
 allow lpd_t lpd_tmp_t:dir create_dir_perms;
 allow lpd_t lpd_tmp_t:file create_file_perms;
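Review bot: The relocated line `+allow lpd_t self:udp_socket create_stream_socket_perms;` in the `@@ -127,6 +123,8 @@` hunk grants the stream-only permissions (listen, accept) on a datagram socket, which UDP cannot use. Since the line is being moved anyway, tightening it to `allow lpd_t self:udp_socket create_socket_perms;` — the form the checkpc_t hunk above already uses for its udp_socket — keeps the grant to what the socket type actually needs. The tcp_socket line can stay as create_stream_socket_perms because lpd_t still binds the printer port in the following hunk. The lpd_t self-permission block starts before this hunk.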
@@ -159,19 +157,14 @@ kernel_tcp_recvfrom(lpd_t)
 # bash wants access to /proc/meminfo
 kernel_read_system_state(lpd_t)
-allow lpd_t self:tcp_socket create_stream_socket_perms;
-allow lpd_t self:udp_socket create_stream_socket_perms;
+corenet_non_ipsec_sendrecv(lpd_t)
 corenet_tcp_sendrecv_all_if(lpd_t)
 corenet_udp_sendrecv_all_if(lpd_t)
-corenet_raw_sendrecv_all_if(lpd_t)
 corenet_tcp_sendrecv_all_nodes(lpd_t)
 corenet_udp_sendrecv_all_nodes(lpd_t)
-corenet_raw_sendrecv_all_nodes(lpd_t)
 corenet_tcp_sendrecv_all_ports(lpd_t)
 corenet_udp_sendrecv_all_ports(lpd_t)
-corenet_non_ipsec_sendrecv(lpd_t)
 corenet_tcp_bind_all_nodes(lpd_t)
-corenet_udp_bind_all_nodes(lpd_t)
 corenet_tcp_bind_printer_port(lpd_t)
 dev_read_sysfs(lpd_t)
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index 91809a5..a4c4fef 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -486,17 +486,14 @@ interface(`sysnet_dns_name_resolve',`
 allow $1 self:tcp_socket create_socket_perms;
 allow $1 self:udp_socket create_socket_perms;
+
+ corenet_non_ipsec_sendrecv($1)
 corenet_tcp_sendrecv_all_if($1)
 corenet_udp_sendrecv_all_if($1)
- corenet_raw_sendrecv_all_if($1)
 corenet_tcp_sendrecv_all_nodes($1)
 corenet_udp_sendrecv_all_nodes($1)
- corenet_raw_sendrecv_all_nodes($1)
 corenet_tcp_sendrecv_dns_port($1)
 corenet_udp_sendrecv_dns_port($1)
- corenet_non_ipsec_sendrecv($1)
- corenet_tcp_bind_all_nodes($1)
- corenet_udp_bind_all_nodes($1)
 corenet_tcp_connect_dns_port($1)
 files_search_etc($1)
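Review bot: Removing `corenet_tcp_bind_all_nodes($1)` and `corenet_udp_bind_all_nodes($1)` from `sysnet_dns_name_resolve` changes what every caller of the interface receives, so a domain that binds a socket and only held node-bind permission transitively through this interface will start to be denied; the same applies to `sysnet_use_ldap` and `sysnet_use_portmap` in the following hunks. The domains touched by this commit that still need to bind keep an explicit `corenet_tcp_bind_all_nodes` call of their own, but these interfaces are presumably called from modules outside the commit, so the remaining callers should be checked for an explicit bind rule. Adding a sentence to each interface's `##` description block stating that node binding is no longer granted here and must be added by the calling module would make the new contract visible to module authors. The interface body starts before and continues after the hunk.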
@@ -520,13 +517,10 @@ interface(`sysnet_use_ldap',`
 allow $1 self:tcp_socket create_socket_perms;
+ corenet_non_ipsec_sendrecv($1)
 corenet_tcp_sendrecv_all_if($1)
- corenet_raw_sendrecv_all_if($1)
 corenet_tcp_sendrecv_all_nodes($1)
- corenet_raw_sendrecv_all_nodes($1)
 corenet_tcp_sendrecv_ldap_port($1)
- corenet_non_ipsec_sendrecv($1)
- corenet_tcp_bind_all_nodes($1)
 corenet_tcp_connect_ldap_port($1)
 files_search_etc($1)
@@ -551,17 +545,13 @@ interface(`sysnet_use_portmap',`
 allow $1 self:tcp_socket create_socket_perms;
 allow $1 self:udp_socket create_socket_perms;
+ corenet_non_ipsec_sendrecv($1)
 corenet_tcp_sendrecv_all_if($1)
 corenet_udp_sendrecv_all_if($1)
- corenet_raw_sendrecv_all_if($1)
 corenet_tcp_sendrecv_all_nodes($1)
 corenet_udp_sendrecv_all_nodes($1)
- corenet_raw_sendrecv_all_nodes($1)
 corenet_tcp_sendrecv_portmap_port($1)
 corenet_udp_sendrecv_portmap_port($1)
- corenet_non_ipsec_sendrecv($1)
- corenet_tcp_bind_all_nodes($1)
- corenet_udp_bind_all_nodes($1)
 corenet_tcp_connect_portmap_port($1)
 files_search_etc($1)
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 4260837..a988732 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -1,5 +1,5 @@
-policy_module(sysnetwork,1.1.3)
+policy_module(sysnetwork,1.1.4)
 ########################################
 #