From bb7170f673f337c9d427114b4fe82e89dc6e508f Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mar 24 2006 16:13:54 +0000
Subject: deprecate module name as first parameter of optional_policy()
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 8ad2aef..2aa3642 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,5 @@
+- Deprecate module name as first parameter of optional_policy()
+ now that optionals are allowed everywhere.
 - Enable optional blocks in base module and monolithic policy.
 This requires checkpolicy 1.30.1.
 - Fix vpn module declaration.
diff --git a/refpolicy/policy/modules/admin/acct.te b/refpolicy/policy/modules/admin/acct.te
index 8716138..7d06f6b 100644
--- a/refpolicy/policy/modules/admin/acct.te
+++ b/refpolicy/policy/modules/admin/acct.te
@@ -77,8 +77,8 @@ ifdef(`targeted_policy',`
 files_dontaudit_read_root_files(acct_t)
 ')
-optional_policy(`cron',`
- optional_policy(`authlogin',`
+optional_policy(`
+ optional_policy(`
 # for monthly cron job
 auth_log_filetrans_login_records(acct_t)
 auth_manage_login_records(acct_t)
@@ -87,15 +87,15 @@ optional_policy(`cron',`
 cron_system_entry(acct_t,acct_exec_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(acct_t)
 ')
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(acct_t)
 ')
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(acct_t)
 ')
diff --git a/refpolicy/policy/modules/admin/alsa.te b/refpolicy/policy/modules/admin/alsa.te
index 32f2f8e..e93af95 100644
--- a/refpolicy/policy/modules/admin/alsa.te
+++ b/refpolicy/policy/modules/admin/alsa.te
@@ -46,6 +46,6 @@ miscfiles_read_localization(alsa_t)
 userdom_manage_unpriv_user_semaphores(alsa_t)
 userdom_manage_unpriv_user_shared_mem(alsa_t)
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(alsa_t)
 ')
diff --git a/refpolicy/policy/modules/admin/amanda.te b/refpolicy/policy/modules/admin/amanda.te
index ac48efa..dab8194 100644
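Review bot: The nested pair at the top of acct.te no longer records which modules it depends on; with the first argument gone, the outer block's dependency is only recoverable from `cron_system_entry` in the next hunk and the inner one from the `auth_*` prefix. A short comment on the outer block's opening line, e.g. `# cron + authlogin: monthly accounting job`, would keep the nesting readable, and the same applies to the dbus/networkmanager pair in vpn.te. If the macro now takes a single argument, any two-argument call this sweep missed would bind the module name as the block body and silently drop its rules; the macro definition is not in this part of the diff, so that is inferred, but a grep across the policy tree for optional_policy calls whose first argument is still a quoted module name would confirm the conversion is complete. The outer block opened in this hunk closes in the following hunk.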
--- a/refpolicy/policy/modules/admin/amanda.te
+++ b/refpolicy/policy/modules/admin/amanda.te
@@ -77,7 +77,7 @@ role system_r types amanda_recover_t;
 type amanda_recover_dir_t;
 files_type(amanda_recover_dir_t)
-optional_policy(`prelink',`
+optional_policy(`
 prelink_object_file(amanda_usr_lib_t)
 ')
@@ -169,19 +169,19 @@ libs_use_shared_libs(amanda_t)
 sysnet_read_config(amanda_t)
-optional_policy(`authlogin',`
+optional_policy(`
 auth_read_shadow(amanda_t)
 ')
-optional_policy(`logging',`
+optional_policy(`
 logging_send_syslog_msg(amanda_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(amanda_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(amanda_t)
 ')
@@ -254,10 +254,10 @@ sysnet_read_config(amanda_recover_t)
 userdom_search_sysadm_home_content_dirs(amanda_recover_t)
-optional_policy(`mount',`
+optional_policy(`
 mount_send_nfs_client_request(amanda_recover_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(amanda_recover_t)
 ')
diff --git a/refpolicy/policy/modules/admin/anaconda.te b/refpolicy/policy/modules/admin/anaconda.te
index 0e963bb..9ec5e44 100644
--- a/refpolicy/policy/modules/admin/anaconda.te
+++ b/refpolicy/policy/modules/admin/anaconda.te
@@ -31,28 +31,28 @@ ifdef(`distro_redhat',`
 bootloader_create_runtime_file(anaconda_t)
 ')
-optional_policy(`dmesg',`
+optional_policy(`
 dmesg_domtrans(anaconda_t)
 ')
-optional_policy(`kudzu',`
+optional_policy(`
 kudzu_domtrans(anaconda_t)
 ')
-optional_policy(`rpm',`
+optional_policy(`
 rpm_domtrans(anaconda_t)
 ')
-optional_policy(`udev',`
+optional_policy(`
 udev_domtrans(anaconda_t)
 ')
-optional_policy(`usermanage',`
+optional_policy(`
 usermanage_domtrans_admin_passwd(anaconda_t)
 ')
 ifdef(`TODO',`
-optional_policy(`ssh',`
+optional_policy(`
 role system_r types sysadm_ssh_agent_t;
 domain_auto_trans(anaconda_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
 ')
diff --git a/refpolicy/policy/modules/admin/apt.te b/refpolicy/policy/modules/admin/apt.te
index 3a659b6..8797036 100644
--- a/refpolicy/policy/modules/admin/apt.te
+++ b/refpolicy/policy/modules/admin/apt.te
@@ -115,22 +115,22 @@ ifdef(`targeted_policy',`
 ')
 # with boolean, for cron-apt and such?
-#optional_policy(`cron',`
+#optional_policy(`
 # cron_system_entry(apt_t,apt_exec_t)
 #')
-optional_policy(`dpkg',`
+optional_policy(`
 # dpkg interaction
 dpkg_read_db(apt_t)
 dpkg_domtrans(apt_t)
 dpkg_lock_db(apt_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(apt_t)
 ')
-optional_policy(`rpm',`
+optional_policy(`
 rpm_read_db(apt_t)
 rpm_domtrans(apt_t)
 ')
diff --git a/refpolicy/policy/modules/admin/bootloader.te b/refpolicy/policy/modules/admin/bootloader.te
index b13756c..304a39a 100644
--- a/refpolicy/policy/modules/admin/bootloader.te
+++ b/refpolicy/policy/modules/admin/bootloader.te
@@ -175,18 +175,18 @@ ifdef(`targeted_policy',`
 term_use_generic_ptys(bootloader_t)
 ')
-optional_policy(`fstools',`
+optional_policy(`
 fstools_exec(bootloader_t)
 ')
-optional_policy(`lvm',`
+optional_policy(`
 dev_rw_lvm_control(bootloader_t)
 lvm_domtrans(bootloader_t)
 lvm_read_config(bootloader_t)
 ')
-optional_policy(`modutils',`
+optional_policy(`
 modutils_exec_insmod(bootloader_t)
 modutils_read_module_deps(bootloader_t)
 modutils_read_module_config(bootloader_t)
@@ -195,15 +195,15 @@ optional_policy(`modutils',`
 modutils_exec_update_mods(bootloader_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(bootloader_t)
 ')
-optional_policy(`rpm',`
+optional_policy(`
 rpm_rw_pipes(bootloader_t)
 ')
-optional_policy(`userdomain',`
+optional_policy(`
 userdom_dontaudit_search_staff_home_dirs(bootloader_t)
 userdom_dontaudit_search_sysadm_home_dirs(bootloader_t)
 ')
diff --git a/refpolicy/policy/modules/admin/certwatch.te b/refpolicy/policy/modules/admin/certwatch.te
index 8087765..daca9e1 100644
--- a/refpolicy/policy/modules/admin/certwatch.te
+++ b/refpolicy/policy/modules/admin/certwatch.te
@@ -29,6 +29,6 @@ miscfiles_read_localization(certwatch_t)
 apache_exec_modules(certwatch_t)
-optional_policy(`cron',`
+optional_policy(`
 cron_system_entry(certwatch_t,certwatch_exec_t)
 ')
diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index 7157fb4..e5df4c6 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -67,60 +67,60 @@ ifdef(`distro_redhat',`
 fs_rw_tmpfs_chr_files(consoletype_t)
 ')
-optional_policy(`apm',`
+optional_policy(`
 apm_use_fds(consoletype_t)
 apm_write_pipes(consoletype_t)
 ')
-optional_policy(`authlogin', `
+optional_policy(`
 auth_read_pam_pid(consoletype_t)
 ')
-optional_policy(`cron',`
+optional_policy(`
 cron_read_pipes(consoletype_t)
 cron_use_system_job_fds(consoletype_t)
 ')
-optional_policy(`firstboot',`
+optional_policy(`
 files_read_etc_files(consoletype_t)
 firstboot_use_fds(consoletype_t)
 firstboot_write_pipes(consoletype_t)
 ')
-optional_policy(`logrotate',`
+optional_policy(`
 logrotate_dontaudit_use_fds(consoletype_t)
 ')
-optional_policy(`lpd',`
+optional_policy(`
 lpd_read_config(consoletype_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(consoletype_t)
 ')
-optional_policy(`rpm',`
+optional_policy(`
 # Commonly used from postinst scripts
 rpm_read_pipes(consoletype_t)
 ')
-optional_policy(`userdomain',`
+optional_policy(`
 userdom_use_unpriv_users_fds(consoletype_t)
 ')
 ifdef(`TODO',`
-optional_policy(`xdm', `
+optional_policy(`
 allow consoletype_t xdm_tmp_t:file rw_file_perms;
 ')
 # this goes to xdm module
 ifdef(`targeted_policy',`
- optional_policy(`consoletype',`
+ optional_policy(`
 consoletype_domtrans(xdm_t)
 ')
 ')
-optional_policy(`lpd', `
+optional_policy(`
 allow consoletype_t printconf_t:file r_file_perms;
 ')
diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te
index 52413bd..150feec 100644
--- a/refpolicy/policy/modules/admin/dmesg.te
+++ b/refpolicy/policy/modules/admin/dmesg.te
@@ -64,11 +64,11 @@ ifdef(`strict_policy',`
 userdom_use_sysadm_terms(dmesg_t)
 userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
- optional_policy(`selinuxutil',`
+ optional_policy(`
 seutil_sigchld_newrole(dmesg_t)
 ')
- optional_policy(`udev',`
+ optional_policy(`
 udev_read_db(dmesg_t)
 ')
 ')
diff --git a/refpolicy/policy/modules/admin/dpkg.te b/refpolicy/policy/modules/admin/dpkg.te
index 14cc4be..220ed1c 100644
--- a/refpolicy/policy/modules/admin/dpkg.te
+++ b/refpolicy/policy/modules/admin/dpkg.te
@@ -180,15 +180,15 @@ ifdef(`targeted_policy',`
 ')
 # TODO: allow?
-#optional_policy(`cron',`
+#optional_policy(`
 # cron_system_entry(dpkg_t,dpkg_exec_t)
 #')
-optional_policy(`mount',`
+optional_policy(`
 mount_send_nfs_client_request(dpkg_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(dpkg_t)
 ')
@@ -204,10 +204,10 @@ modutils_domtrans_insmod(dpkg_t)
 seutil_domtrans_loadpolicy(dpkg_t)
 seutil_domtrans_restorecon(dpkg_t)
 userdom_use_all_users_fds(dpkg_t)
-optional_policy(`mta',`
+optional_policy(`
 mta_send_mail(dpkg_t)
 ')
-optional_policy(`usermanage',`
+optional_policy(`
 usermanage_domtrans_groupadd(dpkg_t)
 usermanage_domtrans_useradd(dpkg_t)
 ')
@@ -325,7 +325,7 @@ ifdef(`distro_redhat',`
 ifdef(`targeted_policy',`
 unconfined_domain(dpkg_script_t)
 ',`
- optional_policy(`bootloader',`
+ optional_policy(`
 bootloader_domtrans(dpkg_script_t)
 ')
 ')
@@ -334,15 +334,15 @@ tunable_policy(`allow_execmem',`
 allow dpkg_script_t self:process execmem;
 ')
-optional_policy(`mta',`
+optional_policy(`
 mta_send_mail(dpkg_script_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(dpkg_script_t)
 ')
-optional_policy(`usermanage',`
+optional_policy(`
 usermanage_domtrans_groupadd(dpkg_script_t)
 usermanage_domtrans_useradd(dpkg_script_t)
 ')
diff --git a/refpolicy/policy/modules/admin/firstboot.te b/refpolicy/policy/modules/admin/firstboot.te
index 85984d5..e8b10b1 100644
--- a/refpolicy/policy/modules/admin/firstboot.te
+++ b/refpolicy/policy/modules/admin/firstboot.te
@@ -111,15 +111,15 @@ ifdef(`targeted_policy',`
 unconfined_domtrans(firstboot_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(firstboot_t)
 ')
-optional_policy(`samba',`
+optional_policy(`
 samba_rw_config(firstboot_t)
 ')
-optional_policy(`usermanage',`
+optional_policy(`
 usermanage_domtrans_chfn(firstboot_t)
 usermanage_domtrans_groupadd(firstboot_t)
 usermanage_domtrans_passwd(firstboot_t)
diff --git a/refpolicy/policy/modules/admin/kudzu.te b/refpolicy/policy/modules/admin/kudzu.te
index 78589cd..303d6d1 100644
--- a/refpolicy/policy/modules/admin/kudzu.te
+++ b/refpolicy/policy/modules/admin/kudzu.te
@@ -135,34 +135,34 @@ ifdef(`targeted_policy',`
 unconfined_domain(kudzu_t)
 ')
-optional_policy(`gpm',`
+optional_policy(`
 gpm_getattr_gpmctl(kudzu_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(kudzu_t)
 ')
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(kudzu_t)
 ')
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(kudzu_t)
 ')
 ifdef(`TODO',`
 allow kudzu_t modules_conf_t:file unlink;
-optional_policy(`lpd',`
+optional_policy(`
 allow kudzu_t printconf_t:file { getattr read };
 ')
-optional_policy(`xserver',`
+optional_policy(`
 allow kudzu_t xserver_exec_t:file getattr;
 ')
-optional_policy(`rhgb',`
+optional_policy(`
 allow kudzu_t rhgb_t:unix_stream_socket connectto;
 ')
-optional_policy(`userhelper',`
+optional_policy(`
 role system_r types sysadm_userhelper_t;
 domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
 ')
diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te
index 61040ce..b312f66 100644
--- a/refpolicy/policy/modules/admin/logrotate.te
+++ b/refpolicy/policy/modules/admin/logrotate.te
@@ -135,59 +135,59 @@ ifdef(`targeted_policy',`
 unconfined_domain(logrotate_t)
 ')
-optional_policy(`acct',`
+optional_policy(`
 acct_domtrans(logrotate_t)
 acct_manage_data(logrotate_t)
 acct_exec_data(logrotate_t)
 ')
-optional_policy(`apache',`
+optional_policy(`
 apache_read_config(logrotate_t)
 apache_domtrans(logrotate_t)
 apache_signull(logrotate_t)
 ')
-optional_policy(`consoletype',`
+optional_policy(`
 consoletype_exec(logrotate_t)
 ')
-optional_policy(`cups',`
+optional_policy(`
 cups_domtrans(logrotate_t)
 ')
-optional_policy(`hostname',`
+optional_policy(`
 hostname_exec(logrotate_t)
 ')
-optional_policy(`samba',`
+optional_policy(`
 samba_exec_log(logrotate_t)
 ')
-optional_policy(`mailman',`
+optional_policy(`
 mailman_exec(logrotate_t)
 mailman_search_data(logrotate_t)
 mailman_manage_log(logrotate_t)
 ')
-optional_policy(`mysql',`
+optional_policy(`
 mysql_read_config(logrotate_t)
 mysql_search_db(logrotate_t)
 mysql_stream_connect(logrotate_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(logrotate_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(logrotate_t)
 ')
-optional_policy(`slrnpull',`
+optional_policy(`
 slrnpull_manage_spool(logrotate_t)
 ')
-optional_policy(`squid',`
+optional_policy(`
 # cjp: why?
 squid_domtrans(logrotate_t)
 ')
diff --git a/refpolicy/policy/modules/admin/logwatch.te b/refpolicy/policy/modules/admin/logwatch.te
index ad4bf1e..669df86 100644
--- a/refpolicy/policy/modules/admin/logwatch.te
+++ b/refpolicy/policy/modules/admin/logwatch.te
@@ -78,35 +78,35 @@ userdom_dontaudit_getattr_sysadm_home_dirs(logwatch_t)
 mta_send_mail(logwatch_t)
-optional_policy(`apache',`
+optional_policy(`
 apache_read_log(logwatch_t)
 ')
-optional_policy(`bind',`
+optional_policy(`
 bind_read_config(logwatch_t)
 bind_read_zone(logwatch_t)
 ')
-optional_policy(`cron',`
+optional_policy(`
 cron_system_entry(logwatch_t, logwatch_exec_t)
 ')
-optional_policy(`mta',`
+optional_policy(`
 mta_getattr_spool(logwatch_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(logwatch_t)
 ')
-optional_policy(`ntp',`
+optional_policy(`
 ntp_domtrans(logwatch_t)
 ')
-optional_policy(`rpc',`
+optional_policy(`
 rpc_search_nfs_state_data(logwatch_t)
 ')
-optional_policy(`samba',`
+optional_policy(`
 samba_read_log(logwatch_t)
 ')
diff --git a/refpolicy/policy/modules/admin/mrtg.te b/refpolicy/policy/modules/admin/mrtg.te
index dcf042b..ad531e1 100644
--- a/refpolicy/policy/modules/admin/mrtg.te
+++ b/refpolicy/policy/modules/admin/mrtg.te
@@ -131,36 +131,36 @@ ifdef(`targeted_policy',`
 files_dontaudit_read_root_files(mrtg_t)
 ')
-optional_policy(`apache',`
+optional_policy(`
 apache_manage_sys_content(mrtg_t)
 ')
-optional_policy(`cron',`
+optional_policy(`
 cron_system_entry(mrtg_t,mrtg_exec_t)
 ')
-optional_policy(`hostname',`
+optional_policy(`
 hostname_exec(mrtg_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(mrtg_t)
 ')
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(mrtg_t)
 ')
-optional_policy(`quota',`
+optional_policy(`
 quota_dontaudit_getattr_db(mrtg_t)
 ')
-optional_policy(`snmp',`
+optional_policy(`
 snmp_udp_chat(mrtg_t)
 snmp_read_snmp_var_lib_files(mrtg_t)
 ')
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(mrtg_t)
 ')
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index aa1edd9..07d4544 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -83,7 +83,7 @@ ifdef(`targeted_policy',`
 term_use_unallocated_ttys(netutils_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(netutils_t)
 ')
@@ -146,19 +146,19 @@ ifdef(`targeted_policy',`
 ')
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(ping_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(ping_t)
 ')
-optional_policy(`pcmcia',`
+optional_policy(`
 pcmcia_use_cardmgr_fds(ping_t)
 ')
-optional_policy(`hotplug',`
+optional_policy(`
 hotplug_use_fds(ping_t)
 ')
@@ -228,11 +228,11 @@ tunable_policy(`user_ping',`
 term_use_all_user_ptys(traceroute_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(traceroute_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(traceroute_t)
 ')
diff --git a/refpolicy/policy/modules/admin/portage.if b/refpolicy/policy/modules/admin/portage.if
index 7b4229f..86f8567 100644
--- a/refpolicy/policy/modules/admin/portage.if
+++ b/refpolicy/policy/modules/admin/portage.if
@@ -201,7 +201,7 @@ template(`portage_compile_domain_template',`
 ifdef(`TODO',`
 # some gui ebuilds want to interact with X server, like xawtv
- optional_policy(`xdm',`
+ optional_policy(`
 allow $1_t xdm_xserver_tmp_t:dir { add_name remove_name write };
 allow $1_t xdm_xserver_tmp_t:sock_file { create getattr unlink write };
 ')
diff --git a/refpolicy/policy/modules/admin/portage.te b/refpolicy/policy/modules/admin/portage.te
index e83d18d..4f6adbc 100644
--- a/refpolicy/policy/modules/admin/portage.te
+++ b/refpolicy/policy/modules/admin/portage.te
@@ -85,17 +85,17 @@ init_exec(portage_t)
 # run setfiles -r
 seutil_domtrans_setfiles(portage_t)
-optional_policy(`bootloader',`
+optional_policy(`
 bootloader_domtrans(portage_t)
 ')
-optional_policy(`modutils',`
+optional_policy(`
 modutils_domtrans_depmod(portage_t)
 modutils_domtrans_update_mods(portage_t)
 #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
 ')
-optional_policy(`usermanage',`
+optional_policy(`
 usermanage_domtrans_groupadd(portage_t)
 usermanage_domtrans_useradd(portage_t)
 ')
diff --git a/refpolicy/policy/modules/admin/prelink.te b/refpolicy/policy/modules/admin/prelink.te
index d50a943..267813e 100644
--- a/refpolicy/policy/modules/admin/prelink.te
+++ b/refpolicy/policy/modules/admin/prelink.te
@@ -78,6 +78,6 @@ libs_delete_lib_symlinks(prelink_t)
 miscfiles_read_localization(prelink_t)
-optional_policy(`cron',`
+optional_policy(`
 cron_system_entry(prelink_t, prelink_exec_t)
 ')
diff --git a/refpolicy/policy/modules/admin/quota.te b/refpolicy/policy/modules/admin/quota.te
index dcc02b2..4f188d2 100644
--- a/refpolicy/policy/modules/admin/quota.te
+++ b/refpolicy/policy/modules/admin/quota.te
@@ -67,11 +67,11 @@ ifdef(`targeted_policy',`
 files_dontaudit_read_root_files(quota_t)
 ')
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(quota_t)
 ')
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(quota_t)
 ')
diff --git a/refpolicy/policy/modules/admin/readahead.te b/refpolicy/policy/modules/admin/readahead.te
index 1bbcff8..7f91460 100644
--- a/refpolicy/policy/modules/admin/readahead.te
+++ b/refpolicy/policy/modules/admin/readahead.te
@@ -76,6 +76,6 @@ ifdef(`targeted_policy',`
 term_dontaudit_use_generic_ptys(readahead_t)
 ')
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(readahead_t)
 ')
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index c83a0a9..502e1ed 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -187,15 +187,15 @@ ifdef(`targeted_policy',`
 logging_log_filetrans(rpm_t,rpm_log_t,file)
 ')
-optional_policy(`cron',`
+optional_policy(`
 cron_system_entry(rpm_t,rpm_exec_t)
 ')
-optional_policy(`mount',`
+optional_policy(`
 mount_send_nfs_client_request(rpm_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(rpm_t)
 ')
@@ -212,7 +212,7 @@ allow rpm_t mount_t:tcp_socket write;
 allow rpm_t rpc_pipefs_t:dir search;
-optional_policy(`gnome-pty-helper',`
+optional_policy(`
 allow rpm_t sysadm_gph_t:fd use;
 ')
 ') dnl endif TODO
@@ -337,13 +337,13 @@ ifdef(`distro_redhat',`
 ifdef(`targeted_policy',`
 unconfined_domain(rpm_script_t)
 ',`
- optional_policy(`bootloader',`
+ optional_policy(`
 bootloader_domtrans(rpm_script_t)
 ')
 ')
 ifdef(`distro_redhat',`
- optional_policy(`mta',`
+ optional_policy(`
 mta_send_mail(rpm_script_t)
 ')
 ')
@@ -352,21 +352,21 @@ tunable_policy(`allow_execmem',`
 allow rpm_script_t self:process execmem;
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(rpm_script_t)
 ')
-optional_policy(`usermanage',`
+optional_policy(`
 usermanage_domtrans_groupadd(rpm_script_t)
 usermanage_domtrans_useradd(rpm_script_t)
 ')
 ifdef(`TODO',`
-optional_policy(`lpd',`
+optional_policy(`
 can_exec(rpm_script_t,printconf_t)
 ')
-optional_policy(`cups',`
+optional_policy(`
 allow cupsd_t rpm_var_lib_t:dir r_dir_perms;
 allow cupsd_t rpm_var_lib_t:file r_file_perms;
 allow cupsd_t rpb_var_lib_t:lnk_file r_file_perms;
@@ -374,16 +374,16 @@ allow cupsd_t initrc_exec_t:file r_file_perms;
 domain_auto_trans(rpm_script_t, cupsd_exec_t, cupsd_t)
 ')
-optional_policy(`ssh-agent',`
+optional_policy(`
 domain_auto_trans(rpm_script_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
 ')
-optional_policy(`prelink',`
+optional_policy(`
 domain_auto_trans(rpm_t, prelink_exec_t, prelink_t)
 ')
 ifdef(`hide_broken_symptoms', `
- optional_policy(`pamconsole',`
+ optional_policy(`
 domain_trans(rpm_t, pam_console_exec_t, rpm_script_t)
 ')
 ')
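Review bot: The cups block in the -352 hunk of rpm.te references `rpb_var_lib_t`, which looks like a typo for the `rpm_var_lib_t` used on the two lines directly above it; the block sits inside the TODO ifdef so it is currently dead, but if that block is ever enabled the unknown type would fail the policy build. Since the commit is already touching this block, the line could be corrected to `allow cupsd_t rpm_var_lib_t:lnk_file r_file_perms;` in the same sweep. The TODO ifdef opened in this hunk continues outside it.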
diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index 80f4d81..b248a9a 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -61,15 +61,15 @@ template(`su_restricted_domain_template', `
 miscfiles_read_localization($1_su_t)
- optional_policy(`cron',`
+ optional_policy(`
 cron_read_pipes($1_su_t)
 ')
- optional_policy(`kerberos',`
+ optional_policy(`
 kerberos_use($1_su_t)
 ')
- optional_policy(`nscd',`
+ optional_policy(`
 nscd_socket_use($1_su_t)
 ')
@@ -206,20 +206,20 @@ template(`su_per_userdomain_template',`
 fs_search_cifs($1_su_t)
 ')
- optional_policy(`cron',`
+ optional_policy(`
 cron_read_pipes($1_su_t)
 ')
- optional_policy(`kerberos',`
+ optional_policy(`
 kerberos_use($1_su_t)
 ')
- optional_policy(`nscd',`
+ optional_policy(`
 nscd_socket_use($1_su_t)
 ')
 # Modify .Xauthority file (via xauth program).
- optional_policy(`xserver',`
+ optional_policy(`
 # file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
 # file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
 # file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
diff --git a/refpolicy/policy/modules/admin/sudo.if b/refpolicy/policy/modules/admin/sudo.if
index 73fa50e..0cf001e 100644
--- a/refpolicy/policy/modules/admin/sudo.if
+++ b/refpolicy/policy/modules/admin/sudo.if
@@ -129,11 +129,11 @@ template(`sudo_per_userdomain_template',`
 # for some PAM modules and for cwd
 userdom_dontaudit_search_all_users_home_content($1_sudo_t)
- optional_policy(`nis',`
+ optional_policy(`
 nis_use_ypbind($1_sudo_t)
 ')
- optional_policy(`nscd',`
+ optional_policy(`
 nscd_socket_use($1_sudo_t)
 ')
diff --git a/refpolicy/policy/modules/admin/tmpreaper.te b/refpolicy/policy/modules/admin/tmpreaper.te
index 480aa04..ca46e5c 100644
--- a/refpolicy/policy/modules/admin/tmpreaper.te
+++ b/refpolicy/policy/modules/admin/tmpreaper.te
@@ -44,7 +44,7 @@ miscfiles_delete_man_pages(tmpreaper_t)
 cron_system_entry(tmpreaper_t,tmpreaper_exec_t)
-optional_policy(`lpd',`
+optional_policy(`
 lpd_manage_spool(tmpreaper_t)
 ')
diff --git a/refpolicy/policy/modules/admin/updfstab.te b/refpolicy/policy/modules/admin/updfstab.te
index 7a9fdc7..9bc2278 100644
--- a/refpolicy/policy/modules/admin/updfstab.te
+++ b/refpolicy/policy/modules/admin/updfstab.te
@@ -91,40 +91,40 @@ ifdef(`targeted_policy',`
 files_dontaudit_read_root_files(updfstab_t)
 ')
-optional_policy(`authlogin',`
+optional_policy(`
 auth_domtrans_pam_console(updfstab_t)
 ')
-optional_policy(`dbus',`
+optional_policy(`
 init_dbus_chat_script(updfstab_t)
 dbus_system_bus_client_template(updfstab,updfstab_t)
 dbus_send_system_bus(updfstab_t)
 ')
-optional_policy(`fstools',`
+optional_policy(`
 fstools_getattr_swap_files(updfstab_t)
 ')
-optional_policy(`hal',`
+optional_policy(`
 hal_stream_connect(updfstab_t)
 hal_dbus_chat(updfstab_t)
 ')
-optional_policy(`modutils',`
+optional_policy(`
 modutils_read_module_config(updfstab_t)
 modutils_exec_insmod(updfstab_t)
 modutils_read_module_deps(updfstab_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(updfstab_t)
 ')
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(updfstab_t)
 ')
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(updfstab_t)
 ')
diff --git a/refpolicy/policy/modules/admin/usbmodules.te b/refpolicy/policy/modules/admin/usbmodules.te
index 50a298d..76d5c5b 100644
--- a/refpolicy/policy/modules/admin/usbmodules.te
+++ b/refpolicy/policy/modules/admin/usbmodules.te
@@ -39,10 +39,10 @@ libs_use_shared_libs(usbmodules_t)
 modutils_read_module_deps(usbmodules_t)
-optional_policy(`hotplug',`
+optional_policy(`
 hotplug_read_config(usbmodules_t)
 ')
-optional_policy(`logging',`
+optional_policy(`
 logging_send_syslog_msg(usbmodules_t)
 ')
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 6d90b56..c66e420 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -132,11 +132,11 @@ userdom_use_unpriv_users_fds(chfn_t)
 # on user home dir
 userdom_dontaudit_search_all_users_home_content(chfn_t)
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(chfn_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(chfn_t)
 ')
@@ -178,7 +178,7 @@ logging_send_syslog_msg(crack_t)
 userdom_dontaudit_search_sysadm_home_dirs(crack_t)
-optional_policy(`cron',`
+optional_policy(`
 cron_system_entry(crack_t,crack_exec_t)
 ')
@@ -248,20 +248,20 @@ userdom_use_unpriv_users_fds(groupadd_t)
 # for when /root is the cwd
 userdom_dontaudit_search_sysadm_home_dirs(groupadd_t)
-optional_policy(`dpkg',`
+optional_policy(`
 dpkg_use_fds(groupadd_t)
 dpkg_rw_pipes(groupadd_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(groupadd_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(groupadd_t)
 ')
-optional_policy(`rpm',`
+optional_policy(`
 rpm_use_fds(groupadd_t)
 rpm_rw_pipes(groupadd_t)
 ')
@@ -346,11 +346,11 @@ userdom_read_all_users_state(passwd_t)
 # on user home dir
 userdom_dontaudit_search_all_users_home_content(passwd_t)
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(passwd_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(passwd_t)
 ')
@@ -437,7 +437,7 @@ userdom_use_unpriv_users_fds(sysadm_passwd_t)
 # on user home dir
 userdom_dontaudit_search_all_users_home_content(sysadm_passwd_t)
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(sysadm_passwd_t)
 ')
@@ -516,20 +516,20 @@ userdom_generic_user_home_dir_filetrans_generic_user_home_content(useradd_t,notd
 mta_manage_spool(useradd_t)
-optional_policy(`dpkg',`
+optional_policy(`
 dpkg_use_fds(useradd_t)
 dpkg_rw_pipes(useradd_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(useradd_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(useradd_t)
 ')
-optional_policy(`rpm',`
+optional_policy(`
 rpm_use_fds(useradd_t)
 rpm_rw_pipes(useradd_t)
 ')
diff --git a/refpolicy/policy/modules/admin/vbetool.te b/refpolicy/policy/modules/admin/vbetool.te
index 88456a7..bdeef88 100644
--- a/refpolicy/policy/modules/admin/vbetool.te
+++ b/refpolicy/policy/modules/admin/vbetool.te
@@ -30,6 +30,6 @@ libs_use_shared_libs(vbetool_t)
 miscfiles_read_localization(vbetool_t)
-optional_policy(`hal',`
+optional_policy(`
 hal_rw_pid_files(vbetool_t)
 ')
diff --git a/refpolicy/policy/modules/admin/vpn.te b/refpolicy/policy/modules/admin/vpn.te
index b82662a..865b0b2 100644
--- a/refpolicy/policy/modules/admin/vpn.te
+++ b/refpolicy/policy/modules/admin/vpn.te
@@ -106,22 +106,22 @@ sysnet_manage_config(vpnc_t)
 userdom_use_all_users_fds(vpnc_t)
 userdom_dontaudit_search_all_users_home_content(vpnc_t)
-optional_policy(`dbus',`
+optional_policy(`
 dbus_system_bus_client_template(vpnc,vpnc_t)
 dbus_send_system_bus(vpnc_t)
- optional_policy(`networkmanager',`
+ optional_policy(`
 networkmanager_dbus_chat(vpnc_t)
 ')
 ')
-optional_policy(`mount',`
+optional_policy(`
 mount_send_nfs_client_request(vpnc_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(vpnc_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(vpnc_t)
 ')
diff --git a/refpolicy/policy/modules/apps/calamaris.te b/refpolicy/policy/modules/apps/calamaris.te
index ab87bf2..b73221e 100644
--- a/refpolicy/policy/modules/apps/calamaris.te
+++ b/refpolicy/policy/modules/apps/calamaris.te
@@ -76,22 +76,22 @@ userdom_dontaudit_list_sysadm_home_dirs(calamaris_t)
 squid_read_log(calamaris_t)
-optional_policy(`apache', `
+optional_policy(`
 apache_search_sys_content(calamaris_t)
 ')
-optional_policy(`bind', `
+optional_policy(`
 bind_udp_chat_named(calamaris_t)
 ')
-optional_policy(`cron', `
+optional_policy(`
 cron_system_entry(calamaris_t,calamaris_exec_t)
 ')
-optional_policy(`mta',`
+optional_policy(`
 mta_send_mail(calamaris_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(calamaris_t)
 ')
diff --git a/refpolicy/policy/modules/apps/ethereal.if b/refpolicy/policy/modules/apps/ethereal.if
index 1d06a9b..6215059 100644
--- a/refpolicy/policy/modules/apps/ethereal.if
+++ b/refpolicy/policy/modules/apps/ethereal.if
@@ -143,24 +143,24 @@ template(`ethereal_per_userdomain_template',`
 fs_manage_cifs_symlinks($1_ethereal_t)
 ')
- optional_policy(`nscd',`
+ optional_policy(`
 nscd_socket_use($1_ethereal_t)
 ')
 # Manual transition from userhelper
- optional_policy(`userhelper', `
+ optional_policy(`
 userhelper_use_user_fd($1,$1_ethereal_t)
 userhelper_sigchld_user($1,$1_ethereal_t)
 ')
- optional_policy(`xserver',`
+ optional_policy(`
 xserver_user_client_template($1,$1_ethereal_t,$1_ethereal_tmpfs_t)
 xserver_create_xdm_tmp_sockets($1_ethereal_t)
 ')
 ifdef(`TODO',`
 # Why does it write this?
- optional_policy(`snmpd.te', `
+ optional_policy(`
 dontaudit sysadm_ethereal_t snmpd_var_lib_t:file write;
 ')
 #TODO
diff --git a/refpolicy/policy/modules/apps/ethereal.te b/refpolicy/policy/modules/apps/ethereal.te
index 5d9c713..8451069 100644
--- a/refpolicy/policy/modules/apps/ethereal.te
+++ b/refpolicy/policy/modules/apps/ethereal.te
@@ -52,6 +52,6 @@ seutil_use_newrole_fds(tethereal_t)
 sysnet_dns_name_resolve(tethereal_t)
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(tethereal_t)
 ')
diff --git a/refpolicy/policy/modules/apps/evolution.if b/refpolicy/policy/modules/apps/evolution.if
index 44d1418..497deb0 100644
--- a/refpolicy/policy/modules/apps/evolution.if
+++ b/refpolicy/policy/modules/apps/evolution.if
@@ -376,16 +376,16 @@ template(`evolution_per_userdomain_template',`
 #userdom_dontaudit_manage_user_home_subdirs($1,$1_evolution_t)
 ')
- optional_policy(`automount',`
+ optional_policy(`
 automount_read_state($1_evolution_t)
 ')
 # Allow printing the mail
- optional_policy(`cups',`
+ optional_policy(`
 cups_read_rw_config($1_evolution_t)
 ')
- optional_policy(`dbus',`
+ optional_policy(`
 dbus_system_bus_client_template($1_evolution,$1_evolution_t)
 dbus_send_system_bus($1_evolution_t)
 dbus_user_bus_client_template($1,$1_evolution,$1_evolution_t)
@@ -393,26 +393,26 @@ template(`evolution_per_userdomain_template',`
 ')
 # Encrypt mail
- optional_policy(`gpg',`
+ optional_policy(`
 gpg_domtrans_user_gpg($1,$1_evolution_t)
 gpg_signal_user_gpg($1,$1_evolution_t)
 ')
- optional_policy(`lpd',`
+ optional_policy(`
 lpd_domtrans_user_lpr($1,$1_evolution_t)
 ')
 # Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
- optional_policy(`nis',`
+ optional_policy(`
 nis_use_ypbind($1_evolution_t)
 ')
- optional_policy(`nscd',`
+ optional_policy(`
 nscd_socket_use($1_evolution_exchange_t)
 ')
 ### Junk mail filtering (start spamd)
- optional_policy(`spamassassin',`
+ optional_policy(`
 spamassassin_exec_spamd($1_evolution_t)
 spamassassin_domtrans_user_client($1,$1_evolution_t)
 spamassassin_domtrans_user_local_client($1,$1_evolution_t)
@@ -509,7 +509,7 @@ template(`evolution_per_userdomain_template',`
 fs_manage_cifs_files($1_evolution_alarm_t)
 ')
- optional_policy(`nscd',`
+ optional_policy(`
 nscd_socket_use($1_evolution_alarm_t)
 ')
@@ -590,7 +590,7 @@ template(`evolution_per_userdomain_template',`
 fs_manage_cifs_files($1_evolution_exchange_t)
 ')
- optional_policy(`nscd',`
+ optional_policy(`
 nscd_socket_use($1_evolution_exchange_t)
 ')
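Review bot: In the -393 hunk of evolution.if the nscd block sits among the `$1_evolution_t` rules but calls `nscd_socket_use($1_evolution_exchange_t)`, while the -590 hunk later grants the same call for the exchange domain again; the first looks like a copy-paste slip and was presumably meant to be `nscd_socket_use($1_evolution_t)`, without which the main evolution domain would appear to have no nscd access at all. It is a context line the commit leaves as is, so it is worth a separate fix, or at least a comment if the exchange domain really is intended in that position. The enclosing template starts and ends outside the hunk.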
@@ -689,7 +689,7 @@ template(`evolution_per_userdomain_template',`
 fs_manage_cifs_files($1_evolution_server_t)
 ')
- optional_policy(`nscd',`
+ optional_policy(`
 nscd_socket_use($1_evolution_server_t)
 ')
@@ -740,7 +740,7 @@ template(`evolution_per_userdomain_template',`
 xserver_user_client_template($1,$1_evolution_webcal_t,$1_evolution_webcal_tmpfs_t)
- optional_policy(`nscd',`
+ optional_policy(`
 nscd_socket_use($1_evolution_webcal_t)
 ')
diff --git a/refpolicy/policy/modules/apps/games.if b/refpolicy/policy/modules/apps/games.if
index 03310d0..1e88bbd 100644
--- a/refpolicy/policy/modules/apps/games.if
+++ b/refpolicy/policy/modules/apps/games.if
@@ -148,11 +148,11 @@ template(`games_per_userdomain_template',`
 allow $1_games_t self:process execmem;
 ')
- optional_policy(`nscd',`
+ optional_policy(`
 nscd_socket_use($1_games_t)
 ')
- optional_policy(`xserver',`
+ optional_policy(`
 xserver_user_client_template($1,$1_games_t,$1_games_tmpfs_t)
 xserver_create_xdm_tmp_sockets($1_games_t)
 xserver_read_xdm_lib_files($1_games_t)
@@ -167,7 +167,7 @@ template(`games_per_userdomain_template',`
 allow $1_games_t $1_gnome_settings_t:file create_file_perms;
 allow $1_games_t $1_gnome_settings_t:lnk_file create_lnk_perms;
 #missing policy
- optional_policy(`mozilla', `
+ optional_policy(`
 dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto;
 ')
 ')
diff --git a/refpolicy/policy/modules/apps/games.te b/refpolicy/policy/modules/apps/games.te
index d1a8a34..786c5d1 100644
--- a/refpolicy/policy/modules/apps/games.te
+++ b/refpolicy/policy/modules/apps/games.te
@@ -68,11 +68,11 @@ ifdef(`targeted_policy', `
 files_dontaudit_read_root_files(games_t)
 ')
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(games_t)
 ')
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(games_t)
 ')
diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if
index 0d9786b..7732182 100644
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@@ -131,7 +131,7 @@ template(`gpg_per_userdomain_template',`
 userdom_use_user_terminals($1,$1_gpg_t)
- optional_policy(`nis',`
+ optional_policy(`
 nis_use_ypbind($1_gpg_t)
 ')
diff --git a/refpolicy/policy/modules/apps/irc.if b/refpolicy/policy/modules/apps/irc.if
index 6dda6fd..67ab3ba 100644
--- a/refpolicy/policy/modules/apps/irc.if
+++ b/refpolicy/policy/modules/apps/irc.if
@@ -160,12 +160,12 @@ template(`irc_per_userdomain_template',`
 fs_manage_cifs_symlinks($1_irc_t)
 ')
- optional_policy(`nis',`
+ optional_policy(`
 nis_use_ypbind($1_irc_t)
 ')
 ifdef(`TODO',`
- optional_policy(`ircd.te', `
+ optional_policy(`
 allow $1_irc_t ircd_t:tcp_socket { connectto recvfrom };
 allow ircd_t $1_irc_t:tcp_socket { acceptfrom recvfrom };
 kernel_tcp_recvfrom($1_irc_t)
diff --git a/refpolicy/policy/modules/apps/java.if b/refpolicy/policy/modules/apps/java.if
index 015f28d..0c950ec 100644
--- a/refpolicy/policy/modules/apps/java.if
+++ b/refpolicy/policy/modules/apps/java.if
@@ -161,15 +161,15 @@ template(`java_per_userdomain_template',`
 miscfiles_legacy_read_localization($1_javaplugin_t)
 ')
- optional_policy(`nis',`
+ optional_policy(`
 nis_use_ypbind($1_javaplugin_t)
 ')
- optional_policy(`nscd',`
+ optional_policy(`
 nscd_socket_use($1_javaplugin_t)
 ')
- optional_policy(`xserver',`
+ optional_policy(`
 xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t)
 ')
 ')
diff --git a/refpolicy/policy/modules/apps/lockdev.if b/refpolicy/policy/modules/apps/lockdev.if
index d0c4e73..ddf08c4 100644
--- a/refpolicy/policy/modules/apps/lockdev.if
+++ b/refpolicy/policy/modules/apps/lockdev.if
@@ -81,7 +81,7 @@ template(`lockdev_per_userdomain_template',`
 userdom_use_user_terminals($1, $1_lockdev_t)
- optional_policy(`logging',`
+ optional_policy(`
 logging_send_syslog_msg($1_t)
 ')
 ')
diff --git a/refpolicy/policy/modules/apps/mozilla.if b/refpolicy/policy/modules/apps/mozilla.if
index 70f04e4..3fc2844 100644
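Review bot: In the lockdev.if hunk the optional block grants `logging_send_syslog_msg($1_t)`, i.e. to the calling user domain, while every other rule in the template targets `$1_lockdev_t`; this is pre-existing context, but it presumably should read `logging_send_syslog_msg($1_lockdev_t)` so the syslog access lands on the lockdev domain rather than widening the user domain. Worth confirming the intent before leaving it as is. The enclosing template starts outside the hunk.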
--- a/refpolicy/policy/modules/apps/mozilla.if
+++ b/refpolicy/policy/modules/apps/mozilla.if
@@ -331,40 +331,40 @@ template(`mozilla_per_userdomain_template',`
 ')
- optional_policy(`apache',`
+ optional_policy(`
 apache_read_user_scripts($1,$1_mozilla_t)
 apache_read_user_content($1,$1_mozilla_t)
 ')
- optional_policy(`cups',`
+ optional_policy(`
 cups_read_rw_config($1_mozilla_t)
 ')
- optional_policy(`dbus', `
+ optional_policy(`
 dbus_system_bus_client_template($1_mozilla,$1_mozilla_t)
 dbus_send_system_bus($1_mozilla_t)
 ifdef(`TODO',`
- optional_policy(`cups', `
+ optional_policy(`
 allow cupsd_t $1_mozilla_t:dbus send_msg;
 ')
 ')
 ')
- optional_policy(`nscd',`
+ optional_policy(`
 nscd_socket_use($1_mozilla_t)
 ')
- optional_policy(`squid',`
+ optional_policy(`
 squid_use($1_mozilla_t)
 ')
- optional_policy(`lpd',`
+ optional_policy(`
 lpd_domtrans_user_lpr($1,$1_mozilla_t)
 ')
 ifdef(`TODO',`
 # Java plugin
- optional_policy(`java',`
+ optional_policy(`
 #reh, these are hacked in types due to the use of the java_per_userdomain_template
 type $1_mozilla_tmp_t;
 files_tmp_file($1_mozilla_tmp_t)
@@ -381,7 +381,7 @@ template(`mozilla_per_userdomain_template',`
 ')
 ######### Launch mplayer
- optional_policy(`mplayer',`
+ optional_policy(`
 domain_auto_trans($1_mozilla_t, mplayer_exec_t, $1_mplayer_t)
 dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };
 dontaudit $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write };
@@ -404,7 +404,7 @@ template(`mozilla_per_userdomain_template',`
 # support (is this possible?).
 # GNOME integration
- optional_policy(`gnome',`
+ optional_policy(`
 gnome_application($1_mozilla, $1)
 gnome_file_dialog($1_mozilla, $1)
 ')
diff --git a/refpolicy/policy/modules/apps/mplayer.if b/refpolicy/policy/modules/apps/mplayer.if
index 6a41c55..5ebf68f 100644
--- a/refpolicy/policy/modules/apps/mplayer.if
+++ b/refpolicy/policy/modules/apps/mplayer.if
@@ -448,11 +448,11 @@ template(`mplayer_per_userdomain_template',`
 userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_mplayer_t)
 ')
- optional_policy(`alsa',`
+ optional_policy(`
 alsa_read_rw_config($1_mplayer_t)
 ')
- optional_policy(`nscd',`
+ optional_policy(`
 nscd_socket_use($1_mplayer_t)
 ')
 ')
diff --git a/refpolicy/policy/modules/apps/screen.if b/refpolicy/policy/modules/apps/screen.if
index 4478c4d..111b585 100644
--- a/refpolicy/policy/modules/apps/screen.if
+++ b/refpolicy/policy/modules/apps/screen.if
@@ -186,17 +186,17 @@ template(`screen_per_userdomain_template',`
 fs_read_nfs_symlinks($1_screen_t)
 ')
- optional_policy(`nis',`
+ optional_policy(`
 nis_use_ypbind($1_screen_t)
 ')
- optional_policy(`nscd',`
+ optional_policy(`
 nscd_socket_use($1_screen_t)
 ')
 ifdef(`TODO',`
 # Inherit and use descriptors from gnome-pty-helper.
- optional_policy(`gnome-pty-helper.te',`
+ optional_policy(`
 allow $1_screen_t $1_gph_t:fd use;
 ')
 ') dnl TODO
diff --git a/refpolicy/policy/modules/apps/slocate.te b/refpolicy/policy/modules/apps/slocate.te
index 54894bd..f5f337d 100644
--- a/refpolicy/policy/modules/apps/slocate.te
+++ b/refpolicy/policy/modules/apps/slocate.te
@@ -51,6 +51,6 @@ libs_use_ld_so(locate_t)
 miscfiles_read_localization(locate_t)
-optional_policy(`cron',`
+optional_policy(`
 cron_system_entry(locate_t, locate_exec_t)
 ')
diff --git a/refpolicy/policy/modules/apps/thunderbird.if b/refpolicy/policy/modules/apps/thunderbird.if
index b11bc8d..2d2080c 100644
--- a/refpolicy/policy/modules/apps/thunderbird.if
+++ b/refpolicy/policy/modules/apps/thunderbird.if
@@ -301,26 +301,26 @@ template(`thunderbird_per_userdomain_template',`
 userdom_dontaudit_manage_user_home_content_dirs($1,$1_thunderbird_t)
 ')
- optional_policy(`dbus', `
+ optional_policy(`
 dbus_system_bus_client_template($1_thunderbird,$1_thunderbird_t)
 dbus_user_bus_client_template($1,$1_thunderbird,$1_thunderbird_t)
 dbus_send_system_bus($1_thunderbird_t)
 dbus_send_user_bus($1,$1_thunderbird_t)
 ')
- optional_policy(`lpr',`
+ optional_policy(`
 lpd_domtrans_user_lpr($1,$1_thunderbird_t)
 ')
- optional_policy(`cups',`
+ optional_policy(`
 cups_read_rw_config($1_thunderbird_t)
 ')
- optional_policy(`gpg', `
+ optional_policy(`
 gpg_domtrans_user_gpg($1,$1_thunderbird_t)
 ')
- optional_policy(`nis',`
+ optional_policy(`
 nis_use_ypbind($1_thunderbird_t)
 ')
@@ -343,7 +343,7 @@ template(`thunderbird_per_userdomain_template',`
 ')
 # GNOME support
- optional_policy(`gnome', `
+ optional_policy(`
 gnome_application($1_thunderbird, $1)
 gnome_file_dialog($1_thunderbird, $1)
 allow $1_thunderbird_t $1_gnome_settings_t:file { read write };
diff --git a/refpolicy/policy/modules/apps/tvtime.if b/refpolicy/policy/modules/apps/tvtime.if
index 1bf5022..4a6899b 100644
--- a/refpolicy/policy/modules/apps/tvtime.if
+++ b/refpolicy/policy/modules/apps/tvtime.if
@@ -142,7 +142,7 @@ template(`tvtime_per_userdomain_template',`
 fs_manage_cifs_symlinks($1_tvtime_t)
 ')
- optional_policy(`xserver',`
+ optional_policy(`
 xserver_user_client_template($1,$1_tvtime_t,$1_tvtime_tmpfs_t)
 ')
 ')
diff --git a/refpolicy/policy/modules/apps/uml.if b/refpolicy/policy/modules/apps/uml.if
index 3e2fbc1..caf26dd 100644
--- a/refpolicy/policy/modules/apps/uml.if
+++ b/refpolicy/policy/modules/apps/uml.if
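Review bot: In the thunderbird.if `@@ -301,26` hunk the removed name `lpr` did not match the module that provides `lpd_domtrans_user_lpr` (evolution.if and mozilla.if wrap the same call in `lpd`), so if the old name-keyed form gated the block on a module of that name, this block was presumably never enabled and dropping the name now turns the lpr transition on for thunderbird without the commit saying so. The same silent enablement applies to arpwatch.te's `qmail` block around `corecmd_search_bin(arpwatch_t)` and automount.te's `apm` block around `corecmd_exec_bin(automount_t)`, where the wrapped interface belongs to a base module and the block becomes effectively unconditional. Since the name also served as documentation of the intended dependency, I would keep that in a comment where the body does not make it obvious, e.g. `# lpd: print mail` here, and for the arpwatch/automount cases either move the rule out of the optional or comment why it was tied to an unrelated module. The enclosing template starts outside the hunk.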
@@ -187,24 +187,24 @@ template(`uml_per_userdomain_template',`
 userdom_use_user_terminals($1,$1_uml_t)
- optional_policy(`mount',`
+ optional_policy(`
 mount_send_nfs_client_request($1_uml_t)
 ')
- optional_policy(`nis',`
+ optional_policy(`
 nis_use_ypbind($1_uml_t)
 ')
- optional_policy(`ssh',`
+ optional_policy(`
 ssh_tcp_connect($1_uml_t)
 ')
 ifdef(`TODO',`
 # for X
- optional_policy(`startx',`
+ optional_policy(`
 ifelse($1, sysadm,` ',`
- optional_policy(`xdm',`
+ optional_policy(`
 allow $1_uml_t xdm_xserver_tmp_t:dir search;
 ')
 allow $1_uml_t $1_xserver_tmp_t:sock_file write;
@@ -212,7 +212,7 @@ template(`uml_per_userdomain_template',`
 ')
 ')
- optional_policy(`uml_net.te',`
+ optional_policy(`
 # for uml_net
 domain_auto_trans($1_uml_t, uml_net_exec_t, uml_net_t)
 allow uml_net_t $1_uml_t:unix_stream_socket { read write };
@@ -222,7 +222,7 @@ template(`uml_per_userdomain_template',`
 dontaudit uml_net_t $1_uml_rw_t:dir { getattr search };
 ')
 #TODO
- optional_policy(`xauth',`
+ optional_policy(`
 allow $1_uml_t $1_xauth_home_t:file { getattr read };
 ')
 ')
diff --git a/refpolicy/policy/modules/apps/uml.te b/refpolicy/policy/modules/apps/uml.te
index bd99059..e04c6b1 100644
--- a/refpolicy/policy/modules/apps/uml.te
+++ b/refpolicy/policy/modules/apps/uml.te
@@ -67,10 +67,10 @@ ifdef(`targeted_policy',`
 term_dontaudit_use_generic_ptys(uml_switch_t)
 ')
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(uml_switch_t)
 ')
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(uml_switch_t)
 ')
diff --git a/refpolicy/policy/modules/apps/userhelper.if b/refpolicy/policy/modules/apps/userhelper.if
index a8bda8c..7447019 100644
--- a/refpolicy/policy/modules/apps/userhelper.if
+++ b/refpolicy/policy/modules/apps/userhelper.if
@@ -161,7 +161,7 @@ template(`userhelper_per_userdomain_template',`
 userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t)
 ifdef(`distro_redhat',`
- optional_policy(`rpm',`
+ optional_policy(`
 # Allow transitioning to rpm_t, for up2date
 rpm_domtrans($1_userhelper_t)
 ')
@@ -174,19 +174,19 @@ template(`userhelper_per_userdomain_template',`
 userdom_entry_spec_domtrans_sysadm($1_userhelper_t)
 ')
- optional_policy(`ethereal',`
+ optional_policy(`
 ethereal_domtrans_user_ethereal($1,$1_userhelper_t)
 ')
- optional_policy(`logging',`
+ optional_policy(`
 logging_send_syslog_msg($1_userhelper_t)
 ')
- optional_policy(`nis',`
+ optional_policy(`
 nis_use_ypbind($1_userhelper_t)
 ')
- optional_policy(`nscd',`
+ optional_policy(`
 nscd_socket_use($1_userhelper_t)
 ')
@@ -195,14 +195,14 @@ template(`userhelper_per_userdomain_template',`
 allow $1_userhelper_t xdm_var_run_t:dir search;
 allow $1_userhelper_t xdm_t:fifo_file { getattr read write ioctl };
- optional_policy(`gnome-pty-helper.te',`
+ optional_policy(`
 allow $1_userhelper_t gphdomain:fd use;
 ')
- optional_policy(`xauth', `
+ optional_policy(`
 domain_auto_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t)
 allow $1_userhelper_t $1_xauth_home_t:file { getattr read };
 ')
- optional_policy(`mozilla', `
+ optional_policy(`
 domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
 ')
 # for when the network connection is killed
diff --git a/refpolicy/policy/modules/apps/usernetctl.if b/refpolicy/policy/modules/apps/usernetctl.if
index dc2ebb9..06d73e3 100644
--- a/refpolicy/policy/modules/apps/usernetctl.if
+++ b/refpolicy/policy/modules/apps/usernetctl.if
@@ -60,15 +60,15 @@ interface(`usernetctl_run',`
 sysnet_run_ifconfig(usernetctl_t,$2,$3)
 sysnet_run_dhcpc(usernetctl_t,$2,$3)
- optional_policy(`consoletype',`
+ optional_policy(`
 consoletype_run(usernetctl_t,$2,$3)
 ')
- optional_policy(`iptables',`
+ optional_policy(`
 iptables_run(usernetctl_t,$2,$3)
 ')
- optional_policy(`modutils',`
+ optional_policy(`
 modutils_run_insmod(usernetctl_t,$2,$3)
 ')
 ')
diff --git a/refpolicy/policy/modules/apps/usernetctl.te b/refpolicy/policy/modules/apps/usernetctl.te
index 6eb5ad7..8a51e3f 100644
--- a/refpolicy/policy/modules/apps/usernetctl.te
+++ b/refpolicy/policy/modules/apps/usernetctl.te
@@ -61,10 +61,10 @@ seutil_read_config(usernetctl_t)
 sysnet_read_config(usernetctl_t)
-optional_policy(`hostname',`
+optional_policy(`
 hostname_exec(usernetctl_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(usernetctl_t)
 ')
diff --git a/refpolicy/policy/modules/apps/webalizer.te b/refpolicy/policy/modules/apps/webalizer.te
index a0aab80..0800b1a 100644
--- a/refpolicy/policy/modules/apps/webalizer.te
+++ b/refpolicy/policy/modules/apps/webalizer.te
@@ -97,18 +97,18 @@ ifdef(`targeted_policy',`
 term_use_unallocated_ttys(webalizer_t)
 ')
-optional_policy(`ftp',`
+optional_policy(`
 ftp_read_log(webalizer_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(webalizer_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(webalizer_t)
 ')
-optional_policy(`cron',`
+optional_policy(`
 cron_system_entry(webalizer_t,webalizer_exec_t)
 ')
diff --git a/refpolicy/policy/modules/kernel/domain.if b/refpolicy/policy/modules/kernel/domain.if
index e67dd9d..da70fa0 100644
--- a/refpolicy/policy/modules/kernel/domain.if
+++ b/refpolicy/policy/modules/kernel/domain.if
@@ -51,7 +51,7 @@ interface(`domain_type',`
 ')
 # send init a sigchld and signull
- optional_policy(`init',`
+ optional_policy(`
 init_sigchld($1)
 init_signull($1)
 ')
@@ -59,20 +59,20 @@ interface(`domain_type',`
 # these seem questionable:
 # allow any domain to connect to the LDAP server
- optional_policy(`ldap',`
+ optional_policy(`
 ldap_use($1)
 ')
- optional_policy(`rpm',`
+ optional_policy(`
 rpm_use_fds($1)
 rpm_read_pipes($1)
 ')
- optional_policy(`selinux',`
+ optional_policy(`
 selinux_dontaudit_read_fs($1)
 ')
- optional_policy(`selinuxutil',`
+ optional_policy(`
 seutil_dontaudit_read_config($1)
 ')
 ')
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index eb63505..9474c11 100644
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -411,7 +411,7 @@ interface(`files_read_all_files',`
 allow $1 file_type:dir search;
 allow $1 file_type:file r_file_perms;
- optional_policy(`authlogin',`
+ optional_policy(`
 auth_read_shadow($1)
 ')
 ')
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 58780de..5d9124f 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -247,32 +247,32 @@ tunable_policy(`read_default_t',`
 files_read_default_pipes(kernel_t)
 ')
-optional_policy(`hotplug',`
+optional_policy(`
 hotplug_search_config(kernel_t)
 ')
-optional_policy(`init',`
+optional_policy(`
 init_sigchld(kernel_t)
 ')
-optional_policy(`libraries',`
+optional_policy(`
 libs_use_ld_so(kernel_t)
 libs_use_shared_libs(kernel_t)
 ')
-optional_policy(`logging',`
+optional_policy(`
 logging_send_syslog_msg(kernel_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(kernel_t)
 ')
-optional_policy(`portmap',`
+optional_policy(`
 portmap_udp_send(kernel_t)
 ')
-optional_policy(`rpc',`
+optional_policy(`
 # nfs kernel server needs kernel UDP access. It is less risky and painful
 # to just give it everything.
 allow kernel_t self:tcp_socket create_stream_socket_perms;
@@ -317,7 +317,7 @@ optional_policy(`rpc',`
 ')
 ')
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_read_config(kernel_t)
 seutil_read_bin_policy(kernel_t)
 ')
@@ -331,7 +331,7 @@ ifdef(`targeted_policy',`
 allow unlabeled_t self:filesystem associate;
 ')
-optional_policy(`init',`
+optional_policy(`
 # If you load a new policy that removes active domains, processes can
 # get stuck if you do not allow unlabeled processes to signal init.
 # If you load an incompatible policy, you should probably reboot,
diff --git a/refpolicy/policy/modules/services/amavis.te b/refpolicy/policy/modules/services/amavis.te
index 6455fd6..c084736 100644
--- a/refpolicy/policy/modules/services/amavis.te
+++ b/refpolicy/policy/modules/services/amavis.te
@@ -134,15 +134,15 @@ cron_rw_pipes(amavis_t)
 mta_read_config(amavis_t)
-optional_policy(`clamav',`
+optional_policy(`
 clamav_stream_connect(amavis_t)
 ')
-optional_policy(`ldap',`
+optional_policy(`
 ldap_use(amavis_t)
 ')
-optional_policy(`spamassassin',`
+optional_policy(`
 spamassassin_exec(amavis_t)
 spamassassin_exec_client(amavis_t)
 ')
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index 8d07704..4fb4c86 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -217,24 +217,24 @@ template(`apache_content_template',`
 sysnet_read_config(httpd_$1_script_t)
 ')
- optional_policy(`mount',`
+ optional_policy(`
 tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
 mount_send_nfs_client_request(httpd_$1_script_t)
 ')
 ')
- optional_policy(`mta',`
+ optional_policy(`
 mta_send_mail(httpd_$1_script_t)
 ')
- optional_policy(`nis',`
+ optional_policy(`
 tunable_policy(`httpd_enable_cgi && allow_ypbind',`
 nis_use_ypbind_uncond(httpd_$1_script_t)
 ')
 ')
- optional_policy(`nscd',`
+ optional_policy(`
 nscd_socket_use(httpd_$1_script_t)
 ')
 ')
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index 1309042..d7b1cce 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -122,7 +122,7 @@ ifdef(`targeted_policy',`
 typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
 ')
-optional_policy(`prelink',`
+optional_policy(`
 prelink_object_file(httpd_modules_t)
 ')
@@ -396,19 +396,19 @@ tunable_policy(`httpd_tty_comm',`
 userdom_dontaudit_use_sysadm_terms(httpd_t)
 ')
-optional_policy(`calamaris',`
+optional_policy(`
 calamaris_read_www_files(httpd_t)
 ')
-optional_policy(`daemontools',`
+optional_policy(`
 daemontools_service_domain(httpd_t, httpd_exec_t)
 ')
-optional_policy(`kerberos',`
+optional_policy(`
 kerberos_use(httpd_t)
 ')
-optional_policy(`mailman',`
+optional_policy(`
 mailman_signal_cgi(httpd_t)
 mailman_domtrans_cgi(httpd_t)
 # should have separate types for public and private archives
@@ -416,25 +416,25 @@ optional_policy(`mailman',`
 mailman_read_archive(httpd_t)
 ')
-optional_policy(`mysql',`
+optional_policy(`
 mysql_stream_connect(httpd_t)
 mysql_rw_db_sockets(httpd_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(httpd_t)
 ')
-optional_policy(`postgresql',`
+optional_policy(`
 # Allow httpd to work with postgresql
 postgresql_stream_connect(httpd_t)
 ')
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(httpd_t)
 ')
-optional_policy(`udev', `
+optional_policy(`
 udev_read_db(httpd_t)
 ')
@@ -509,11 +509,11 @@ libs_use_shared_libs(httpd_php_t)
 userdom_use_unpriv_users_fds(httpd_php_t)
-optional_policy(`mysql',`
+optional_policy(`
 mysql_stream_connect(httpd_php_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(httpd_php_t)
 ')
@@ -632,28 +632,28 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 fs_exec_cifs_files(httpd_suexec_t)
 ')
-optional_policy(`mailman',`
+optional_policy(`
 mailman_domtrans_cgi(httpd_suexec_t)
 ')
-optional_policy(`mount',`
+optional_policy(`
 tunable_policy(`httpd_can_network_connect',`
 mount_send_nfs_client_request(httpd_suexec_t)
 ')
 ')
-optional_policy(`mta',`
+optional_policy(`
 mta_stub(httpd_suexec_t)
 # apache should set close-on-exec
 dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(httpd_suexec_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(httpd_suexec_t)
 ')
@@ -687,7 +687,7 @@ ifdef(`targeted_policy',`
 ')
 ')
-optional_policy(`mysql',`
+optional_policy(`
 mysql_stream_connect(httpd_sys_script_t)
 mysql_rw_db_sockets(httpd_sys_script_t)
 ')
@@ -699,10 +699,10 @@ optional_policy(`mysql',`
 unconfined_domain(httpd_unconfined_script_t)
-optional_policy(`cron',`
+optional_policy(`
 cron_system_entry(httpd_t, httpd_exec_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(httpd_unconfined_script_t)
 ')
diff --git a/refpolicy/policy/modules/services/apm.te b/refpolicy/policy/modules/services/apm.te
index 48761d2..c01e916 100644
--- a/refpolicy/policy/modules/services/apm.te
+++ b/refpolicy/policy/modules/services/apm.te
@@ -156,15 +156,15 @@ ifdef(`distro_redhat',`
 can_exec(apmd_t, apmd_var_run_t)
 # ifconfig_exec_t needs to be run in its own domain for Red Hat
- optional_policy(`sysnetwork',`
+ optional_policy(`
 sysnet_domtrans_ifconfig(apmd_t)
 ')
- optional_policy(`iptables',`
+ optional_policy(`
 iptables_domtrans(apmd_t)
 ')
- optional_policy(`netutils',`
+ optional_policy(`
 netutils_domtrans(apmd_t)
 ')
@@ -186,50 +186,50 @@ ifdef(`targeted_policy',`
 unconfined_domain(apmd_t)
 ')
-optional_policy(`automount',`
+optional_policy(`
 automount_domtrans(apmd_t)
 ')
-optional_policy(`clock',`
+optional_policy(`
 clock_domtrans(apmd_t)
 clock_rw_adjtime(apmd_t)
 ')
-optional_policy(`cron',`
+optional_policy(`
 cron_system_entry(apmd_t, apmd_exec_t)
 cron_anacron_domtrans_system_job(apmd_t)
 ')
-optional_policy(`dbus',`
+optional_policy(`
 dbus_stub(apmd_t)
- optional_policy(`networkmanager',`
+ optional_policy(`
 networkmanager_dbus_chat(apmd_t)
 ')
 ')
-optional_policy(`logrotate',`
+optional_policy(`
 logrotate_use_fds(apmd_t)
 ')
-optional_policy(`mta',`
+optional_policy(`
 mta_send_mail(apmd_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(apmd_t)
 ')
-optional_policy(`pcmcia',`
+optional_policy(`
 pcmcia_domtrans_cardmgr(apmd_t)
 pcmcia_domtrans_cardctl(apmd_t)
 ')
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(apmd_t)
 ')
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(apmd_t)
 udev_read_state(apmd_t) #necessary?
 ')
@@ -237,7 +237,7 @@ optional_policy(`udev',`
 ifdef(`TODO',`
 allow apmd_t proc_t:file write;
 allow apmd_t user_tty_type:chr_file { ioctl read getattr lock write append };
-optional_policy(`cron',`
+optional_policy(`
 allow apmd_t crond_t:fifo_file { getattr read write ioctl };
 ')
 ')
diff --git a/refpolicy/policy/modules/services/arpwatch.te b/refpolicy/policy/modules/services/arpwatch.te
index a53702c..f54f5f0 100644
--- a/refpolicy/policy/modules/services/arpwatch.te
+++ b/refpolicy/policy/modules/services/arpwatch.te
@@ -99,19 +99,19 @@ ifdef(`targeted_policy',`
 files_dontaudit_read_root_files(arpwatch_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(arpwatch_t)
 ')
-optional_policy(`qmail',`
+optional_policy(`
 corecmd_search_bin(arpwatch_t)
 ')
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(arpwatch_t)
 ')
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(arpwatch_t)
 ')
diff --git a/refpolicy/policy/modules/services/audioentropy.te b/refpolicy/policy/modules/services/audioentropy.te
index c01456c..17e3572 100644
--- a/refpolicy/policy/modules/services/audioentropy.te
+++ b/refpolicy/policy/modules/services/audioentropy.te
@@ -62,11 +62,11 @@ ifdef(`targeted_policy', `
 term_dontaudit_use_generic_ptys(entropyd_t)
 ')
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(entropyd_t)
 ')
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(entropyd_t)
 ')
diff --git a/refpolicy/policy/modules/services/automount.te b/refpolicy/policy/modules/services/automount.te
index 990cd01..c0dd711 100644
--- a/refpolicy/policy/modules/services/automount.te
+++ b/refpolicy/policy/modules/services/automount.te
@@ -140,30 +140,30 @@ ifdef(`targeted_policy', `
 term_dontaudit_use_generic_ptys(automount_t)
 ')
-optional_policy(`apm',`
+optional_policy(`
 corecmd_exec_bin(automount_t)
 ')
-optional_policy(`bind',`
+optional_policy(`
 bind_search_cache(automount_t)
 ')
-optional_policy(`fstools',`
+optional_policy(`
 fstools_domtrans(automount_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(automount_t)
 ')
-optional_policy(`rpc',`
+optional_policy(`
 rpc_search_nfs_state_data(automount_t)
 ')
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(automount_t)
 ')
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(automount_t)
 ')
diff --git a/refpolicy/policy/modules/services/avahi.te b/refpolicy/policy/modules/services/avahi.te
index 63623d4..876e499 100644
--- a/refpolicy/policy/modules/services/avahi.te
+++ b/refpolicy/policy/modules/services/avahi.te
@@ -88,20 +88,20 @@ ifdef(`targeted_policy',`
 files_dontaudit_read_root_files(avahi_t)
 ')
-optional_policy(`dbus',`
+optional_policy(`
 dbus_system_bus_client_template(avahi,avahi_t)
 dbus_connect_system_bus(avahi_t)
 dbus_send_system_bus(avahi_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(avahi_t)
 ')
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(avahi_t)
 ')
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(avahi_t)
 ')
diff --git a/refpolicy/policy/modules/services/bind.te b/refpolicy/policy/modules/services/bind.te
index c660545..2e26d01 100644
--- a/refpolicy/policy/modules/services/bind.te
+++ b/refpolicy/policy/modules/services/bind.te
@@ -157,7 +157,7 @@ tunable_policy(`named_write_master_zones',`
 allow named_t named_zone_t:lnk_file create_lnk_perms;
 ')
-optional_policy(`dbus',`
+optional_policy(`
 gen_require(`
 class dbus send_msg;
 ')
@@ -172,16 +172,16 @@ optional_policy(`dbus',`
 dbus_connect_system_bus(named_t)
 dbus_send_system_bus(named_t)
- optional_policy(`networkmanager',`
+ optional_policy(`
 networkmanager_dbus_chat(named_t)
 ')
 ')
-optional_policy(`mount',`
+optional_policy(`
 mount_send_nfs_client_request(named_t)
 ')
-optional_policy(`networkmanager',`
+optional_policy(`
 # this seems like fds that arent being
 # closed. these should probably be
 # dontaudits instead.
@@ -190,19 +190,19 @@ optional_policy(`networkmanager',`
 networkmanager_rw_routing_sockets(named_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(named_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(named_t)
 ')
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(named_t)
 ')
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(named_t)
 ')
@@ -280,14 +280,14 @@ ifdef(`targeted_policy',`
 term_use_generic_ptys(ndc_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(ndc_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(ndc_t)
 ')
-optional_policy(`ppp',`
+optional_policy(`
 ppp_dontaudit_use_fds(ndc_t)
 ')
diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te
index 225b82a..6576760 100644
--- a/refpolicy/policy/modules/services/bluetooth.te
+++ b/refpolicy/policy/modules/services/bluetooth.te
@@ -144,21 +144,21 @@ ifdef(`targeted_policy',`
 files_dontaudit_read_root_files(bluetooth_t)
 ')
-optional_policy(`dbus',`
+optional_policy(`
 dbus_system_bus_client_template(bluetooth,bluetooth_t)
 dbus_connect_system_bus(bluetooth_t)
 dbus_send_system_bus(bluetooth_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(bluetooth_t)
 ')
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(bluetooth_t)
 ')
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(bluetooth_t)
 ')
@@ -205,17 +205,17 @@ logging_send_syslog_msg(bluetooth_helper_t)
 miscfiles_read_localization(bluetooth_helper_t)
 miscfiles_read_fonts(bluetooth_helper_t)
-optional_policy(`dbus',`
+optional_policy(`
 dbus_system_bus_client_template(bluetooth_helper,bluetooth_helper_t)
 dbus_connect_system_bus(bluetooth_helper_t)
 dbus_send_system_bus(bluetooth_helper_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(bluetooth_helper_t)
 ')
-optional_policy(`xserver',`
+optional_policy(`
 xserver_stream_connect_xdm(bluetooth_helper_t)
 ')
@@ -235,7 +235,7 @@ ifdef(`targeted_policy',`
 allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto;
 userdom_read_all_users_home_content_files(bluetooth_helper_t)
- optional_policy(`xserver',`
+ optional_policy(`
 xserver_stream_connect_xdm(bluetooth_helper_t)
 ')
 ')
diff --git a/refpolicy/policy/modules/services/canna.te b/refpolicy/policy/modules/services/canna.te
index acac47b..670e3d6 100644
--- a/refpolicy/policy/modules/services/canna.te
+++ b/refpolicy/policy/modules/services/canna.te
@@ -93,14 +93,14 @@ ifdef(`targeted_policy',`
 files_dontaudit_read_root_files(canna_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(canna_t)
 ')
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(canna_t)
 ')
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(canna_t)
 ')
diff --git a/refpolicy/policy/modules/services/clamav.te b/refpolicy/policy/modules/services/clamav.te
index b02af07..3c68646 100644
--- a/refpolicy/policy/modules/services/clamav.te
+++ b/refpolicy/policy/modules/services/clamav.te
@@ -121,7 +121,7 @@ cron_use_fds(clamd_t)
 cron_use_system_job_fds(clamd_t)
 cron_rw_pipes(clamd_t)
-optional_policy(`amavis',`
+optional_policy(`
 amavis_read_lib_files(clamd_t)
 ')
diff --git a/refpolicy/policy/modules/services/comsat.te b/refpolicy/policy/modules/services/comsat.te
index 77512c8..1445d07 100644
--- a/refpolicy/policy/modules/services/comsat.te
+++ b/refpolicy/policy/modules/services/comsat.te
@@ -80,15 +80,15 @@ userdom_dontaudit_getattr_sysadm_ttys(comsat_t)
 mta_getattr_spool(comsat_t)
-optional_policy(`kerberos',`
+optional_policy(`
 kerberos_use(comsat_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(comsat_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(comsat_t)
 ')
diff --git a/refpolicy/policy/modules/services/cpucontrol.te b/refpolicy/policy/modules/services/cpucontrol.te
index adf69e3..d2891df 100644
--- a/refpolicy/policy/modules/services/cpucontrol.te
+++ b/refpolicy/policy/modules/services/cpucontrol.te
@@ -61,15 +61,15 @@ ifdef(`targeted_policy',`
 files_dontaudit_read_root_files(cpucontrol_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(cpucontrol_t)
 ')
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(cpucontrol_t)
 ')
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(cpucontrol_t)
 ')
@@ -115,14 +115,14 @@ ifdef(`targeted_policy',`
 files_dontaudit_read_root_files(cpuspeed_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(cpuspeed_t)
 ')
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(cpuspeed_t)
 ')
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(cpuspeed_t)
 ')
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index dd65944..e5825e0 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -154,12 +154,12 @@ template(`cron_per_userdomain_template',`
 allow crond_t $1_cron_spool_t:file create_file_perms;
 ')
- optional_policy(`nis',`
+ optional_policy(`
 nis_use_ypbind($1_crond_t)
 ')
 ifdef(`TODO',`
- optional_policy(`apache',`
+ optional_policy(`
 create_dir_file($1_crond_t, httpd_$1_content_t)
 ')
 allow $1_crond_t tmp_t:dir rw_dir_perms;
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index f5d0c40..78acdb5 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -141,7 +141,7 @@ userdom_list_all_users_home_dirs(crond_t)
 ifdef(`distro_redhat', `
 # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
 # via redirection of standard out.
- optional_policy(`rpm',`
+ optional_policy(`
 rpm_manage_log(crond_t)
 ')
 ')
@@ -167,7 +167,7 @@ ifdef(`targeted_policy',`
 allow crond_t unconfined_t:dbus send_msg;
 allow crond_t initrc_t:dbus send_msg;
- optional_policy(`mono',`
+ optional_policy(`
 mono_domtrans(crond_t)
 ')
 ',`
@@ -182,33 +182,33 @@ tunable_policy(`fcron_crond', `
 allow crond_t system_cron_spool_t:file create_file_perms;
 ')
 
-optional_policy(`amavis',`
+optional_policy(`
 amavis_search_lib(crond_t)
 ')
 
-optional_policy(`hal',`
+optional_policy(`
 hal_dbus_send(crond_t)
 ')
 
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(crond_t)
 ')
 
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(crond_t)
 ')
 
-optional_policy(`rpm',`
+optional_policy(`
 # Commonly used from postinst scripts
 rpm_read_pipes(crond_t)
 ')
 
-optional_policy(`postgresql',`
+optional_policy(`
 # allow crond to find /usr/lib/postgresql/bin/do.maintenance
 postgresql_search_db(crond_t)
 ')
 
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(crond_t)
 ')
 
@@ -217,7 +217,7 @@ optional_policy(`udev',`
 # System cron process domain
 #
 
-optional_policy(`squid',`
+optional_policy(`
 # cjp: why?
 squid_domtrans(system_crond_t)
 ')
@@ -348,7 +348,7 @@ ifdef(`targeted_policy',`
 ifdef(`distro_redhat', `
 # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
 # via redirection of standard out.
- optional_policy(`rpm',`
+ optional_policy(`
 rpm_manage_log(system_crond_t)
 ')
 ')
@@ -365,7 +365,7 @@ ifdef(`targeted_policy',`
 seutil_read_file_contexts(system_crond_t)
 ')
 
- optional_policy(`apache',`
+ optional_policy(`
 # Needed for certwatch
 apache_exec_modules(system_crond_t)
 apache_read_config(system_crond_t)
@@ -373,57 +373,57 @@ ifdef(`targeted_policy',`
 apache_read_sys_content(system_crond_t)
 ')
 
- optional_policy(`cyrus',`
+ optional_policy(`
 cyrus_manage_data(system_crond_t)
 ')
 
- optional_policy(`ftp',`
+ optional_policy(`
 ftp_read_log(system_crond_t)
 ')
 
- optional_policy(`inn',`
+ optional_policy(`
 inn_manage_log(system_crond_t)
 inn_manage_pid(system_crond_t)
 inn_read_config(system_crond_t)
 ')
 
- optional_policy(`mrtg',`
+ optional_policy(`
 mrtg_append_create_logs(system_crond_t)
 ')
 
- optional_policy(`mysql',`
+ optional_policy(`
 mysql_read_config(system_crond_t)
 ')
 
- optional_policy(`nis',`
+ optional_policy(`
 nis_use_ypbind(system_crond_t)
 ')
 
- optional_policy(`nscd',`
+ optional_policy(`
 nscd_socket_use(system_crond_t)
 ')
 
- optional_policy(`postfix',`
+ optional_policy(`
 postfix_read_config(system_crond_t)
 ')
 
- optional_policy(`prelink',`
+ optional_policy(`
 prelink_read_cache(system_crond_t)
 prelink_manage_log(system_crond_t)
 prelink_delete_cache(system_crond_t)
 ')
 
- optional_policy(`samba',`
+ optional_policy(`
 samba_read_config(system_crond_t)
 samba_read_log(system_crond_t)
 #samba_read_secrets(system_crond_t)
 ')
 
- optional_policy(`slocate',`
+ optional_policy(`
 slocate_create_append_log(system_crond_t)
 ')
 
- optional_policy(`sysstat',`
+ optional_policy(`
 sysstat_manage_log(system_crond_t)
 ')
 
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index 3b130c9..cc38a0c 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -203,51 +203,51 @@ ifdef(`targeted_policy',`
 files_dontaudit_read_root_files(cupsd_t)
 ')
 
-optional_policy(`cron',`
+optional_policy(`
 cron_system_entry(cupsd_t, cupsd_exec_t)
 ')
 
-optional_policy(`dbus',`
+optional_policy(`
 dbus_system_bus_client_template(cupsd,cupsd_t)
 dbus_send_system_bus(cupsd_t)
 
 userdom_dbus_send_all_users(cupsd_t)
 
- optional_policy(`hal',`
+ optional_policy(`
 hal_dbus_chat(cupsd_t)
 ')
 ')
 
-optional_policy(`hostname',`
+optional_policy(`
 hostname_exec(cupsd_t)
 ')
 
-optional_policy(`inetd',`
+optional_policy(`
 inetd_core_service_domain(cupsd_t,cupsd_exec_t,cupsd_t)
 ')
 
-optional_policy(`mount',`
+optional_policy(`
 mount_send_nfs_client_request(cupsd_t)
 ')
 
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(cupsd_t)
 ')
 
-optional_policy(`portmap',`
+optional_policy(`
 portmap_udp_chat(cupsd_t)
 ')
 
-optional_policy(`samba',`
+optional_policy(`
 samba_rw_var_files(cupsd_t)
 # cjp: rw_dir_perms was here, but doesnt make sense
 ')
 
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(cupsd_t)
 ')
 
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(cupsd_t)
 ')
 
@@ -355,11 +355,11 @@ ifdef(`targeted_policy', `
 files_dontaudit_read_root_files(ptal_t)
 ')
 
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(ptal_t)
 ')
 
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(ptal_t)
 ')
 
@@ -456,15 +456,15 @@ ifdef(`targeted_policy', `
 files_dontaudit_read_root_files(hplip_t)
 ')
 
-optional_policy(`mount',`
+optional_policy(`
 mount_send_nfs_client_request(hplip_t)
 ')
 
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(hplip_t)
 ')
 
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(hplip_t)
 ')
 
@@ -572,7 +572,7 @@ userdom_dontaudit_search_sysadm_home_dirs(cupsd_config_t)
 ifdef(`distro_redhat',`
 init_getattr_script_files(cupsd_config_t)
 
- optional_policy(`rpm',`
+ optional_policy(`
 rpm_read_db(cupsd_config_t)
 ')
 ')
@@ -583,49 +583,49 @@ ifdef(`targeted_policy', `
 files_dontaudit_read_root_files(cupsd_config_t)
 ')
 
-optional_policy(`cron',`
+optional_policy(`
 cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
 ')
 
-optional_policy(`dbus',`
+optional_policy(`
 dbus_system_bus_client_template(cupsd_config,cupsd_config_t)
 dbus_connect_system_bus(cupsd_config_t)
 dbus_send_system_bus(cupsd_config_t)
 
- optional_policy(`hal',`
+ optional_policy(`
 hal_dbus_chat(cupsd_config_t)
 ')
 ')
 
-optional_policy(`hal',`
+optional_policy(`
 hal_domtrans(cupsd_config_t)
 ')
 
-optional_policy(`hostname',`
+optional_policy(`
 hostname_exec(cupsd_config_t)
 ')
 
-optional_policy(`logrotate',`
+optional_policy(`
 logrotate_use_fds(cupsd_config_t)
 ')
 
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(cupsd_config_t)
 ')
 
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(cupsd_config_t)
 ')
 
-optional_policy(`rpm',`
+optional_policy(`
 rpm_read_db(cupsd_config_t)
 ')
 
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(cupsd_config_t)
 ')
 
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(cupsd_config_t)
 ')
 
@@ -641,7 +641,7 @@ ifdef(`targeted_policy', `
 
 unconfined_read_pipes(cupsd_t)
 
- optional_policy(`dbus',`
+ optional_policy(`
 init_dbus_chat_script(cupsd_t)
 unconfined_dbus_send(cupsd_t)
 
@@ -671,7 +671,7 @@ allow cupsd_lpd_t self:udp_socket create_socket_perms;
 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 allow cupsd_lpd_t self:capability { setuid setgid };
 files_search_home(cupsd_lpd_t)
-optional_policy(`kerberos',`
+optional_policy(`
 kerberos_use(cupsd_lpd_t)
 ')
 #end for identd
@@ -724,10 +724,10 @@ miscfiles_read_localization(cupsd_lpd_t)
 
 sysnet_read_config(cupsd_lpd_t)
 
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(cupsd_lpd_t)
 ')
 
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(cupsd_lpd_t)
 ')
diff --git a/refpolicy/policy/modules/services/cvs.te b/refpolicy/policy/modules/services/cvs.te
index 2519663..ef87fb9 100644
--- a/refpolicy/policy/modules/services/cvs.te
+++ b/refpolicy/policy/modules/services/cvs.te
@@ -92,17 +92,17 @@ tunable_policy(`allow_cvs_read_shadow',`
 auth_tunable_read_shadow(cvs_t)
 ')
 
-optional_policy(`kerberos',`
+optional_policy(`
 kerberos_use(cvs_t)
 kerberos_read_keytab(cvs_t)
 kerberos_read_config(cvs_t)
 kerberos_dontaudit_write_config(cvs_t)
 ')
 
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(cvs_t)
 ')
 
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(cvs_t)
 ')
diff --git a/refpolicy/policy/modules/services/cyrus.te b/refpolicy/policy/modules/services/cyrus.te
index 171a7e7..08ff84e 100644
--- a/refpolicy/policy/modules/services/cyrus.te
+++ b/refpolicy/policy/modules/services/cyrus.te
@@ -118,26 +118,26 @@ ifdef(`targeted_policy',`
 files_dontaudit_read_root_files(cyrus_t)
 ')
 
-optional_policy(`cron',`
+optional_policy(`
 cron_system_entry(cyrus_t,cyrus_exec_t)
 ')
 
-optional_policy(`mount',`
+optional_policy(`
 mount_send_nfs_client_request(cyrus_t)
 ')
 
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(cyrus_t)
 ')
 
-optional_policy(`sasl',`
+optional_policy(`
 sasl_connect(cyrus_t)
 ')
 
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(cyrus_t)
 ')
 
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(cyrus_t)
 ')
diff --git a/refpolicy/policy/modules/services/dbskk.te b/refpolicy/policy/modules/services/dbskk.te
index 090a661..bb54982 100644
--- a/refpolicy/policy/modules/services/dbskk.te
+++ b/refpolicy/policy/modules/services/dbskk.te
@@ -32,7 +32,7 @@ allow dbskkd_t self:udp_socket create_socket_perms;
 allow dbskkd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 allow dbskkd_t self:capability { setuid setgid };
 files_search_home(dbskkd_t)
-optional_policy(`kerberos',`
+optional_policy(`
 kerberos_use(dbskkd_t)
 ')
 #end for identd
@@ -76,10 +76,10 @@ miscfiles_read_localization(dbskkd_t)
 
 sysnet_read_config(dbskkd_t)
 
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(dbskkd_t)
 ')
 
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(dbskkd_t)
 ')
diff --git a/refpolicy/policy/modules/services/dbus.if b/refpolicy/policy/modules/services/dbus.if
index e376365..a0f6b56 100644
--- a/refpolicy/policy/modules/services/dbus.if
+++ b/refpolicy/policy/modules/services/dbus.if
@@ -164,11 +164,11 @@ template(`dbus_per_userdomain_template',`
 files_read_default_pipes($1_dbusd_t)
 ')
 
- optional_policy(`authlogin',`
+ optional_policy(`
 auth_read_pam_console_data($1_dbusd_t)
 ')
 
- optional_policy(`nscd',`
+ optional_policy(`
 nscd_socket_use($1_dbusd_t)
 ')
 
diff --git a/refpolicy/policy/modules/services/dbus.te b/refpolicy/policy/modules/services/dbus.te
index 2d35030..07bd6fc 100644
--- a/refpolicy/policy/modules/services/dbus.te
+++ b/refpolicy/policy/modules/services/dbus.te
@@ -124,18 +124,18 @@ tunable_policy(`read_default_t',`
 files_read_default_pipes(system_dbusd_t)
 ')
 
-optional_policy(`bind',`
+optional_policy(`
 bind_domtrans(system_dbusd_t)
 ')
 
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(system_dbusd_t)
 ')
 
-optional_policy(`sysnetwork',`
+optional_policy(`
 sysnet_domtrans_dhcpc(system_dbusd_t)
 ')
 
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(system_dbusd_t)
 ')
diff --git a/refpolicy/policy/modules/services/dhcp.te b/refpolicy/policy/modules/services/dhcp.te
index d9e0cb9..72af5a9 100644
--- a/refpolicy/policy/modules/services/dhcp.te
+++ b/refpolicy/policy/modules/services/dhcp.te
@@ -115,27 +115,27 @@ ifdef(`targeted_policy',`
 files_dontaudit_read_root_files(dhcpd_t)
 ')
 
-optional_policy(`bind',`
+optional_policy(`
 # used for dynamic DNS
 bind_read_dnssec_keys(dhcpd_t)
 ')
 
-optional_policy(`mount',`
+optional_policy(`
 mount_send_nfs_client_request(dhcpd_t)
 ')
 
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(dhcpd_t)
 ')
 
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(dhcpd_t)
 ')
 
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(dhcpd_t)
 ')
 
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(dhcpd_t)
 ')
diff --git a/refpolicy/policy/modules/services/dictd.te b/refpolicy/policy/modules/services/dictd.te
index f00e31d..362b4ba 100644
--- a/refpolicy/policy/modules/services/dictd.te
+++ b/refpolicy/policy/modules/services/dictd.te
@@ -87,18 +87,18 @@ ifdef(`targeted_policy',`
 files_dontaudit_read_root_files(dictd_t)
 ')
 
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(dictd_t)
 ')
 
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(dictd_t)
 ')
 
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(dictd_t)
 ')
 
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(dictd_t)
 ')
diff --git a/refpolicy/policy/modules/services/distcc.te b/refpolicy/policy/modules/services/distcc.te
index 2a491e4..ec0a754 100644
--- a/refpolicy/policy/modules/services/distcc.te
+++ b/refpolicy/policy/modules/services/distcc.te
@@ -95,14 +95,14 @@ ifdef(`targeted_policy',`
 files_dontaudit_read_root_files(distccd_t)
 ')
 
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(distccd_t)
 ')
 
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(distccd_t)
 ')
 
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(distccd_t)
 ')
diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te
index 3eff293..b84404a 100644
--- a/refpolicy/policy/modules/services/dovecot.te
+++ b/refpolicy/policy/modules/services/dovecot.te
@@ -124,19 +124,19 @@ ifdef(`targeted_policy',`
 files_dontaudit_read_root_files(dovecot_t)
 ')
 
-optional_policy(`kerberos',`
+optional_policy(`
 kerberos_use(dovecot_t)
 ')
 
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(dovecot_t)
 ')
 
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(dovecot_t)
 ')
 
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(dovecot_t)
 ')
 
@@ -180,18 +180,18 @@ seutil_dontaudit_search_config(dovecot_auth_t)
 
 sysnet_dns_name_resolve(dovecot_auth_t)
 
-optional_policy(`kerberos',`
+optional_policy(`
 kerberos_use(dovecot_auth_t)
 ')
 
-optional_policy(`logging',`
+optional_policy(`
 logging_send_syslog_msg(dovecot_auth_t)
 ')
 
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(dovecot_auth_t)
 ')
 
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(dovecot_auth_t)
 ')
diff --git a/refpolicy/policy/modules/services/fetchmail.te b/refpolicy/policy/modules/services/fetchmail.te
index cd16606..b4c2276 100644
--- a/refpolicy/policy/modules/services/fetchmail.te
+++ b/refpolicy/policy/modules/services/fetchmail.te
@@ -98,10 +98,10 @@ ifdef(`targeted_policy',`
 files_dontaudit_read_root_files(fetchmail_t)
 ')
 
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(fetchmail_t)
 ')
 
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(fetchmail_t)
 ')
diff --git a/refpolicy/policy/modules/services/finger.te b/refpolicy/policy/modules/services/finger.te
index fad79af..b6a591d 100644
--- a/refpolicy/policy/modules/services/finger.te
+++ b/refpolicy/policy/modules/services/finger.te
@@ -110,26 +110,26 @@ ifdef(`targeted_policy',`
 files_dontaudit_read_root_files(fingerd_t)
 ')
 
-optional_policy(`cron',`
+optional_policy(`
 cron_system_entry(fingerd_t,fingerd_exec_t)
 ')
 
-optional_policy(`logrotate',`
+optional_policy(`
 logrotate_exec(fingerd_t)
 ')
 
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(fingerd_t)
 ')
 
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(fingerd_t)
 ')
 
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(fingerd_t)
 ')
 
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(fingerd_t)
 ')
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te
index 252024e..169e8da 100644
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@@ -135,7 +135,7 @@ ifdef(`targeted_policy',`
 term_dontaudit_use_generic_ptys(ftpd_t)
 term_dontaudit_use_unallocated_ttys(ftpd_t)
 
- optional_policy(`ftp',`
+ optional_policy(`
 tunable_policy(`ftpd_is_daemon',`
 userdom_manage_generic_user_home_content_files(ftpd_t)
 userdom_manage_generic_user_home_content_symlinks(ftpd_t)
@@ -180,23 +180,23 @@ tunable_policy(`use_samba_home_dirs && ftp_home_dir',`
 fs_read_cifs_symlinks(ftpd_t)
 ')
 
-optional_policy(`cron',`
+optional_policy(`
 corecmd_exec_shell(ftpd_t)
 
 files_read_usr_files(ftpd_t)
 
 cron_system_entry(ftpd_t, ftpd_exec_t)
 
- optional_policy(`logrotate',`
+ optional_policy(`
 logrotate_exec(ftpd_t)
 ')
 ')
 
-optional_policy(`daemontools',`
+optional_policy(`
 daemontools_service_domain(ftpd_t, ftpd_exec_t)
 ')
 
-optional_policy(`inetd',`
+optional_policy(`
 #reh: typeattributes not allowed in conditionals yet.
 #tunable_policy(`! ftpd_is_daemon',`
 # inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
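Review bot: The `optional_policy(`ftp',`` → `optional_policy(`` change at ftp.te:138 sits inside ftp.te itself, so that block was never guarding a dependency on another module, and with the name gone nothing is left to say why it is optional at all: its visible body is a `tunable_policy(`ftpd_is_daemon',`` around userdom_ calls, which look like base-module interfaces rather than optional ones. If the wrapper only existed to satisfy the old name-based form, dropping it and letting the tunable_policy stand on its own would be clearer; if it is deliberately optional, a comment naming the dependency it actually guards, e.g. `# optional: needs <module — TODO name it> to be present`, would keep the intent readable. The tunable_policy body and the enclosing ifdef(`targeted_policy') block both continue past the hunk.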
@@ -204,25 +204,25 @@ optional_policy(`inetd',`
 
 inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
 
- optional_policy(`tcpd',`
+ optional_policy(`
 tunable_policy(`! ftpd_is_daemon',`
 tcpd_domtrans(tcpd_t)
 ')
 ')
 ')
 
-optional_policy(`mount',`
+optional_policy(`
 mount_send_nfs_client_request(ftpd_t)
 ')
 
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(ftpd_t)
 ')
 
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(ftpd_t)
 ')
 
-optional_policy(`udev', `
+optional_policy(`
 udev_read_db(ftpd_t)
 ')
diff --git a/refpolicy/policy/modules/services/gpm.te b/refpolicy/policy/modules/services/gpm.te
index 4fae74d..faf01f4 100644
--- a/refpolicy/policy/modules/services/gpm.te
+++ b/refpolicy/policy/modules/services/gpm.te
@@ -84,11 +84,11 @@ ifdef(`targeted_policy', `
 files_dontaudit_read_root_files(gpm_t)
 ')
 
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(gpm_t)
 ')
 
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(gpm_t)
 ')
 
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 8ef18ef..827f414 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -153,30 +153,30 @@ ifdef(`targeted_policy', `
 files_dontaudit_getattr_home_dir(hald_t)
 ')
 
-optional_policy(`apm',`
+optional_policy(`
 # For /usr/libexec/hald-addon-acpi
 # writes to /var/run/acpid.socket
 apm_stream_connect(hald_t)
 ')
 
-optional_policy(`automount', `
+optional_policy(`
 automount_dontaudit_getattr_tmp_dirs(hald_t)
 ')
 
-optional_policy(`bind',`
+optional_policy(`
 bind_search_cache(hald_t)
 ')
 
-optional_policy(`clock',`
+optional_policy(`
 clock_domtrans(hald_t)
 ')
 
-optional_policy(`cups',`
+optional_policy(`
 cups_domtrans_config(hald_t)
 cups_signal_config(hald_t)
 ')
 
-optional_policy(`dbus',`
+optional_policy(`
 dbus_system_bus_client_template(hald,hald_t)
 dbus_send_system_bus(hald_t)
 dbus_connect_system_bus(hald_t)
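Review bot: `tcpd_domtrans(tcpd_t)` at ftp.te:209, the only rule inside the nested `optional_policy(`` being rewritten here, names tcpd_t as its own source domain, so as written it is a self-transition and grants nothing to ftpd_t; the surrounding `tunable_policy(`! ftpd_is_daemon',`` and the `inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)` line above suggest a different source domain was intended, which is worth confirming while this wrapper is being touched. With the module name removed, the block also no longer records that it is the tcpd hook for the inetd-spawned case; a one-line comment such as `# tcpd wraps ftpd when it is started from inetd` would keep that readable. The enclosing `optional_policy(`inetd',`` block starts before this hunk.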
@@ -184,58 +184,58 @@ optional_policy(`dbus',`
 
 init_dbus_chat_script(hald_t)
 
- optional_policy(`networkmanager',`
+ optional_policy(`
 networkmanager_dbus_chat(hald_t)
 ')
 ')
 
-optional_policy(`dmidecode',`
+optional_policy(`
 # For /usr/libexec/hald-probe-smbios
 dmidecode_domtrans(hald_t)
 ')
 
-optional_policy(`hotplug',`
+optional_policy(`
 hotplug_read_config(hald_t)
 ')
 
-optional_policy(`lvm', `
+optional_policy(`
 lvm_domtrans(hald_t)
 ')
 
-optional_policy(`mount',`
+optional_policy(`
 mount_domtrans(hald_t)
 ')
 
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(hald_t)
 ')
 
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(hald_t)
 ')
 
-optional_policy(`pcmcia',`
+optional_policy(`
 pcmcia_manage_pid(hald_t)
 pcmcia_manage_pid_chr_files(hald_t)
 ')
 
-optional_policy(`rpc',`
+optional_policy(`
 rpc_search_nfs_state_data(hald_t)
 ')
 
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(hald_t)
 ')
 
-optional_policy(`udev', `
+optional_policy(`
 udev_domtrans(hald_t)
 udev_read_db(hald_t)
 ')
 
-optional_policy(`updfstab',`
+optional_policy(`
 updfstab_domtrans(hald_t)
 ')
 
-optional_policy(`vbetool',`
+optional_policy(`
 vbetool_domtrans(hald_t)
 ')
diff --git a/refpolicy/policy/modules/services/howl.te b/refpolicy/policy/modules/services/howl.te
index c174c49..64e7ec8 100644
--- a/refpolicy/policy/modules/services/howl.te
+++ b/refpolicy/policy/modules/services/howl.te
@@ -82,14 +82,14 @@ ifdef(`targeted_policy', `
 files_dontaudit_read_root_files(howl_t)
 ')
 
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(howl_t)
 ')
 
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(howl_t)
 ')
 
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(howl_t)
 ')
diff --git a/refpolicy/policy/modules/services/i18n_input.te b/refpolicy/policy/modules/services/i18n_input.te
index 76b204d..3be7c8f 100644
--- a/refpolicy/policy/modules/services/i18n_input.te
+++ b/refpolicy/policy/modules/services/i18n_input.te
@@ -102,22 +102,22 @@ tunable_policy(`use_samba_home_dirs',`
 fs_read_cifs_symlinks(i18n_input_t)
 ')
 
-optional_policy(`canna',`
+optional_policy(`
 canna_stream_connect(i18n_input_t)
 ')
 
-optional_policy(`mount',`
+optional_policy(`
 mount_send_nfs_client_request(i18n_input_t)
 ')
 
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(i18n_input_t)
 ')
 
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(i18n_input_t)
 ')
 
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(i18n_input_t)
 ')
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index 2df83f3..d92c91d 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@@ -127,31 +127,31 @@ ifdef(`targeted_policy', `
 files_dontaudit_read_root_files(inetd_t)
 ')
 
-optional_policy(`amanda',`
+optional_policy(`
 amanda_search_lib(inetd_t)
 ')
 
-optional_policy(`mount',`
+optional_policy(`
 mount_send_nfs_client_request(inetd_t)
 ')
 
 # Communicate with the portmapper.
-optional_policy(`portmap',`
+optional_policy(`
 portmap_udp_send(inetd_t)
 ')
 
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(inetd_t)
 ')
 
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(inetd_t)
 ')
 
 ifdef(`targeted_policy',`
 unconfined_domain(inetd_t)
 ',`
- optional_policy(`unconfined',`
+ optional_policy(`
 unconfined_domtrans(inetd_t)
 ')
 ')
@@ -216,21 +216,21 @@ tunable_policy(`run_ssh_inetd',`
 corenet_tcp_bind_ssh_port(inetd_t)
 ')
 
-optional_policy(`ftp',`
+optional_policy(`
 tunable_policy(`ftpd_is_daemon',`
 # Allows it to check exec privs on daemon
 ftp_check_exec(inetd_t)
 ')
 ')
 
-optional_policy(`kerberos',`
+optional_policy(`
 kerberos_use(inetd_child_t)
 ')
 
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(inetd_child_t)
 ')
 
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(inetd_child_t)
 ')
diff --git a/refpolicy/policy/modules/services/inn.te b/refpolicy/policy/modules/services/inn.te
index a83d9d2..ec28063 100644
--- a/refpolicy/policy/modules/services/inn.te
+++ b/refpolicy/policy/modules/services/inn.te
@@ -122,26 +122,26 @@ ifdef(`targeted_policy',`
 files_dontaudit_read_root_files(innd_t)
 ')
 
-optional_policy(`cron',`
+optional_policy(`
 cron_system_entry(innd_t, innd_exec_t)
 ')
 
-optional_policy(`hostname',`
+optional_policy(`
 hostname_exec(innd_t)
 ')
 
-optional_policy(`mount',`
+optional_policy(`
 mount_send_nfs_client_request(innd_t)
 ')
 
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(innd_t)
 ')
 
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(innd_t)
 ')
 
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(innd_t)
 ')
diff --git a/refpolicy/policy/modules/services/irqbalance.te b/refpolicy/policy/modules/services/irqbalance.te
index f470ec4..25368c0 100644
--- a/refpolicy/policy/modules/services/irqbalance.te
+++ b/refpolicy/policy/modules/services/irqbalance.te
@@ -60,10 +60,10 @@ ifdef(`targeted_policy',`
 files_dontaudit_read_root_files(irqbalance_t)
 ')
 
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(irqbalance_t)
 ')
 
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(irqbalance_t)
 ')
diff --git a/refpolicy/policy/modules/services/kerberos.te b/refpolicy/policy/modules/services/kerberos.te
index 2374b88..89e3d43 100644
--- a/refpolicy/policy/modules/services/kerberos.te
+++ b/refpolicy/policy/modules/services/kerberos.te
@@ -137,15 +137,15 @@ ifdef(`targeted_policy', `
 files_dontaudit_read_root_files(kadmind_t)
 ')
 
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(kadmind_t)
 ')
 
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(kadmind_t)
 ')
 
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(kadmind_t)
 ')
 
@@ -237,14 +237,14 @@ ifdef(`targeted_policy', `
 files_dontaudit_read_root_files(krb5kdc_t)
 ')
 
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(krb5kdc_t)
 ')
 
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(krb5kdc_t)
 ')
 
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(krb5kdc_t)
 ')
diff --git a/refpolicy/policy/modules/services/ktalk.te b/refpolicy/policy/modules/services/ktalk.te
index d00edae..9f2cbb8 100644
--- a/refpolicy/policy/modules/services/ktalk.te
+++ b/refpolicy/policy/modules/services/ktalk.te
@@ -36,7 +36,7 @@ allow ktalkd_t self:capability { setuid setgid };
 allow ktalkd_t self:dir search;
 allow ktalkd_t self:{ lnk_file file } { getattr read };
 files_search_home(ktalkd_t)
-optional_policy(`kerberos',`
+optional_policy(`
 kerberos_use(ktalkd_t)
 ')
 #end for identd
@@ -84,10 +84,10 @@ miscfiles_read_localization(ktalkd_t)
 
 sysnet_read_config(ktalkd_t)
 
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(ktalkd_t)
 ')
 
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(ktalkd_t)
 ')
diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te
index 290da67..5cb2797 100644
--- a/refpolicy/policy/modules/services/ldap.te
+++ b/refpolicy/policy/modules/services/ldap.te
@@ -138,18 +138,18 @@ ifdef(`targeted_policy',`
 files_dontaudit_read_root_files(slapd_t)
 ')
 
-optional_policy(`kerberos',`
+optional_policy(`
 kerberos_use(slapd_t)
 ')
 
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(slapd_t)
 ')
 
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(slapd_t)
 ')
 
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(slapd_t)
 ')
diff --git a/refpolicy/policy/modules/services/lpd.if b/refpolicy/policy/modules/services/lpd.if
index 3873992..b981547 100644
--- a/refpolicy/policy/modules/services/lpd.if
+++ b/refpolicy/policy/modules/services/lpd.if
@@ -184,27 +184,27 @@ template(`lpd_per_userdomain_template',`
 fs_read_cifs_symlinks($1_lpr_t)
 ')
 
- optional_policy(`cups',`
+ optional_policy(`
 cups_read_config($1_lpr_t)
 cups_tcp_connect($1_lpr_t)
 cups_read_config($2)
 cups_tcp_connect($2)
 ')
 
- optional_policy(`logging',`
+ optional_policy(`
 logging_send_syslog_msg($1_lpr_t)
 ')
 
- optional_policy(`nscd',`
+ optional_policy(`
 nscd_socket_use($1_lpr_t)
 ')
 
- optional_policy(`nis',`
+ optional_policy(`
 nis_use_ypbind($1_lpr_t)
 ')
 
 ifdef(`TODO',`
- optional_policy(`xdm', `
+ optional_policy(`
 allow $1_lpr_t xdm_t:fd use;
 allow $1_lpr_t xdm_var_run_t:dir search;
 allow $1_lpr_t xdm_t:fifo_file { getattr read write ioctl };
diff --git a/refpolicy/policy/modules/services/lpd.te b/refpolicy/policy/modules/services/lpd.te
index f3e7514..e9516cb 100644
--- a/refpolicy/policy/modules/services/lpd.te
+++ b/refpolicy/policy/modules/services/lpd.te
@@ -104,15 +104,15 @@ ifdef(`targeted_policy',`
 term_use_unallocated_ttys(checkpc_t)
 ')
 
-optional_policy(`cron',`
+optional_policy(`
 cron_system_entry(checkpc_t,checkpc_exec_t)
 ')
 
-optional_policy(`logging',`
+optional_policy(`
 logging_send_syslog_msg(checkpc_t)
 ')
 
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(checkpc_t)
 ')
 
@@ -223,19 +223,19 @@ ifdef(`targeted_policy',`
 files_dontaudit_read_root_files(lpd_t)
 ')
 
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(lpd_t)
 nis_tcp_connect_ypbind(lpd_t)
 ')
 
-optional_policy(`portmap',`
+optional_policy(`
 portmap_udp_send(lpd_t)
 ')
 
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(lpd_t)
 ')
 
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(lpd_t)
 ')
diff --git a/refpolicy/policy/modules/services/mailman.if b/refpolicy/policy/modules/services/mailman.if
index b398141..91e99dc 100644
--- a/refpolicy/policy/modules/services/mailman.if
+++ b/refpolicy/policy/modules/services/mailman.if
@@ -88,11 +88,11 @@ template(`mailman_domain_template', `
 
 sysnet_read_config(mailman_$1_t)
 
- optional_policy(`mount',`
+ optional_policy(`
 mount_send_nfs_client_request(mailman_$1_t)
 ')
 
- optional_policy(`nis',`
+ optional_policy(`
 nis_use_ypbind(mailman_$1_t)
 ')
 ')
diff --git a/refpolicy/policy/modules/services/mailman.te b/refpolicy/policy/modules/services/mailman.te
index 03228c9..742b23f 100644
--- a/refpolicy/policy/modules/services/mailman.te
+++ b/refpolicy/policy/modules/services/mailman.te
@@ -35,7 +35,7 @@ mailman_domain_template(queue) # optionals for file contexts yet, so it is promoted # to global scope until such facilities exist. -optional_policy(`apache',` +optional_policy(` allow mailman_cgi_t mailman_archive_t:dir create_dir_perms; allow mailman_cgi_t mailman_archive_t:lnk_file create_lnk_perms; allow mailman_cgi_t mailman_archive_t:file create_file_perms;
@@ -64,7 +64,7 @@ allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
 mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
 
 ifdef(`TODO',`
-optional_policy(`qmail',`
+optional_policy(`
 allow mailman_mail_t qmail_spool_t:file { read ioctl getattr };
 # do we really need this?
 allow mailman_mail_t qmail_lspawn_t:fifo_file write;
@@ -105,10 +105,10 @@ mta_tcp_connect_all_mailservers(mailman_queue_t)
 
 su_exec(mailman_queue_t)
 
-optional_policy(`cron',`
+optional_policy(`
 cron_system_entry(mailman_queue_t,mailman_queue_exec_t)
 ')
 
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(mailman_queue_t)
 ')
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index ec6a483..3f76942 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -95,23 +95,23 @@ template(`mta_base_mail_template',`
 sysnet_read_config($1_mail_t)
 sysnet_dns_name_resolve($1_mail_t)
 
- optional_policy(`nis',`
+ optional_policy(`
 nis_use_ypbind($1_mail_t)
 ')
 
- optional_policy(`nscd',`
+ optional_policy(`
 nscd_socket_use($1_mail_t)
 ')
 
- optional_policy(`postfix',`
+ optional_policy(`
 postfix_domtrans_user_mail_handler($1_mail_t)
 ')
 
- optional_policy(`procmail',`
+ optional_policy(`
 procmail_exec($1_mail_t)
 ')
 
- optional_policy(`sendmail',`
+ optional_policy(`
 gen_require(`
 type etc_mail_t, mail_spool_t, mqueue_spool_t;
 ')
@@ -236,7 +236,7 @@ template(`mta_per_userdomain_template',`
 fs_manage_cifs_symlinks($1_mail_t)
 ')
 
- optional_policy(`postfix',`
+ optional_policy(`
 allow $1_mail_t self:capability dac_override;
 
 # Read user temporary files.
@@ -282,7 +282,7 @@ template(`mta_admin_template',`
 userdom_read_unpriv_users_home_content_files($1_mail_t)
 ')
 
- optional_policy(`postfix',`
+ optional_policy(`
 gen_require(`
 attribute mta_user_agent;
 type etc_aliases_t;
@@ -409,11 +409,11 @@ interface(`mta_mailserver_delivery',`
 allow $1 mail_spool_t:file { create ioctl read getattr lock append };
 allow $1 mail_spool_t:lnk_file { create read getattr };
 
- optional_policy(`dovecot',`
+ optional_policy(`
 dovecot_manage_spool($1)
 ')
 
- optional_policy(`mailman',`
+ optional_policy(`
 # so MTA can access /var/lib/mailman/mail/wrapper
 files_search_var_lib($1)
 
@@ -441,7 +441,7 @@ interface(`mta_mailserver_user_agent',`
 
 typeattribute $1 mta_user_agent;
 
- optional_policy(`apache',`
+ optional_policy(`
 # apache should set close-on-exec
 apache_dontaudit_rw_stream_sockets($1)
 apache_dontaudit_rw_sys_script_stream_sockets($1)
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index c2fe2fc..534bddc 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -34,7 +34,7 @@ role system_r types system_mail_t;
 # cjp: need to resolve this, but require{}
 # does not work in the else part of the optional
 #ifdef(`strict_policy',`
-# optional_policy(`sendmail',`',`
+# optional_policy(`',`
 # init_system_domain(system_mail_t,sendmail_exec_t)
 # ')
 #')
@@ -85,7 +85,7 @@ ifdef(`targeted_policy',`
 userdom_generic_user_home_dir_filetrans_generic_user_home_content(mailserver_delivery,{ dir file lnk_file sock_file fifo_file })
 
 # cjp: another require-in-else to resolve
-# optional_policy(`postfix',`',`
+# optional_policy(`',`
 corecmd_exec_bin(system_mail_t)
 corecmd_exec_sbin(system_mail_t)
 
@@ -98,7 +98,7 @@ ifdef(`targeted_policy',`
 # ')
 ')
 
-optional_policy(`apache',`
+optional_policy(`
 apache_read_squirrelmail_data(system_mail_t)
 apache_append_squirrelmail_data(system_mail_t)
 
@@ -109,7 +109,7 @@ optional_policy(`apache',`
 apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
 ')
 
-optional_policy(`arpwatch',`
+optional_policy(`
 arpwatch_manage_tmp_files(system_mail_t)
 
 ifdef(`hide_broken_symptoms', `
@@ -117,24 +117,24 @@ optional_policy(`arpwatch',`
 ')
 ')
 
-optional_policy(`cron',`
+optional_policy(`
 cron_read_system_job_tmp_files(system_mail_t)
 cron_dontaudit_write_pipes(system_mail_t)
 ')
 
-optional_policy(`cvs',`
+optional_policy(`
 cvs_read_data(system_mail_t)
 ')
 
-optional_policy(`logrotate',`
+optional_policy(`
 logrotate_read_tmp_files(system_mail_t)
 ')
 
-optional_policy(`logwatch',`
+optional_policy(`
 logwatch_read_tmp_files(system_mail_t)
 ')
 
-optional_policy(`postfix',`
+optional_policy(`
 allow system_mail_t etc_aliases_t:dir create_dir_perms;
 allow system_mail_t etc_aliases_t:file create_file_perms;
 allow system_mail_t etc_aliases_t:lnk_file create_lnk_perms;
@@ -156,33 +156,33 @@ optional_policy(`postfix',` postfix_config_filetrans(system_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file }) ') - optional_policy(`cron',` + optional_policy(` cron_rw_tcp_sockets(system_mail_t) ') ') -optional_policy(`sendmail',` +optional_policy(` userdom_dontaudit_use_unpriv_users_ptys(system_mail_t) - optional_policy(`cron',` + optional_policy(` cron_dontaudit_append_system_job_tmp_files(system_mail_t) ') ') -optional_policy(`smartmon',` +optional_policy(` smartmon_read_tmp_files(system_mail_t) ') # should break this up among sections: -optional_policy(`arpwatch',` +optional_policy(` # why is mail delivered to a directory of type arpwatch_data_t? arpwatch_search_data(mailserver_delivery) arpwatch_manage_tmp_files(mta_user_agent) ifdef(`hide_broken_symptoms', ` arpwatch_dontaudit_rw_packet_sockets(mta_user_agent) ') - optional_policy(`cron',` + optional_policy(` cron_read_system_job_tmp_files(mta_user_agent) ') ') diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te index af86f54..d4a30c2 100644 --- a/refpolicy/policy/modules/services/mysql.te +++ b/refpolicy/policy/modules/services/mysql.te @@ -121,26 +121,26 @@ ifdef(`targeted_policy',` files_dontaudit_read_root_files(mysqld_t) ') -optional_policy(`daemontools',` +optional_policy(` daemontools_service_domain(mysqld_t, mysqld_exec_t) ') -optional_policy(`mount',` +optional_policy(` mount_send_nfs_client_request(mysqld_t) ') -optional_policy(`nis',` +optional_policy(` nis_use_ypbind(mysqld_t) ') -optional_policy(`nscd',` +optional_policy(` nscd_socket_use(mysqld_t) ') -optional_policy(`selinuxutil',` +optional_policy(` seutil_sigchld_newrole(mysqld_t) ') -optional_policy(`udev',` +optional_policy(` udev_read_db(mysqld_t) ') diff --git a/refpolicy/policy/modules/services/networkmanager.te b/refpolicy/policy/modules/services/networkmanager.te index 7cd261a..8112eb5 100644 --- a/refpolicy/policy/modules/services/networkmanager.te 
+++ b/refpolicy/policy/modules/services/networkmanager.te @@ -115,21 +115,21 @@ ifdef(`targeted_policy', ` files_dontaudit_read_root_files(NetworkManager_t) ') -optional_policy(`bind',` +optional_policy(` bind_domtrans(NetworkManager_t) bind_manage_cache(NetworkManager_t) bind_signal(NetworkManager_t) ') -optional_policy(`bluetooth',` +optional_policy(` bluetooth_dontaudit_read_helper_files(NetworkManager_t) ') -optional_policy(`consoletype',` +optional_policy(` consoletype_exec(NetworkManager_t) ') -optional_policy(`dbus',` +optional_policy(` gen_require(` class dbus send_msg; ') @@ -141,31 +141,31 @@ optional_policy(`dbus',` dbus_send_system_bus(NetworkManager_t) ') -optional_policy(`howl',` +optional_policy(` howl_signal(NetworkManager_t) ') -optional_policy(`mount',` +optional_policy(` mount_send_nfs_client_request(NetworkManager_t) ') -optional_policy(`nis',` +optional_policy(` nis_use_ypbind(NetworkManager_t) ') -optional_policy(`nscd',` +optional_policy(` nscd_socket_use(NetworkManager_t) ') -optional_policy(`selinuxutil',` +optional_policy(` seutil_sigchld_newrole(NetworkManager_t) ') -optional_policy(`udev',` +optional_policy(` udev_read_db(NetworkManager_t) ') -optional_policy(`vpn',` +optional_policy(` vpn_domtrans(NetworkManager_t) vpn_signal(NetworkManager_t) ') diff --git a/refpolicy/policy/modules/services/nis.if b/refpolicy/policy/modules/services/nis.if index f5b10e8..bae0653 100644 --- a/refpolicy/policy/modules/services/nis.if +++ b/refpolicy/policy/modules/services/nis.if @@ -114,7 +114,7 @@ interface(`nis_use_ypbind',` dontaudit $1 var_yp_t:dir search; ') - optional_policy(`mount',` + optional_policy(` tunable_policy(`allow_ypbind',` mount_send_nfs_client_request($1) ') diff --git a/refpolicy/policy/modules/services/nis.te b/refpolicy/policy/modules/services/nis.te index b11a6cb..137b5f1 100644 --- a/refpolicy/policy/modules/services/nis.te +++ b/refpolicy/policy/modules/services/nis.te 
@@ -127,15 +127,15 @@ ifdef(`targeted_policy', ` files_dontaudit_read_root_files(ypbind_t) ') -optional_policy(`mount',` +optional_policy(` mount_send_nfs_client_request(ypbind_t) ') -optional_policy(`selinuxutil',` +optional_policy(` seutil_sigchld_newrole(ypbind_t) ') -optional_policy(`udev',` +optional_policy(` udev_read_db(ypbind_t) ') @@ -228,15 +228,15 @@ ifdef(`targeted_policy',` files_dontaudit_read_root_files(yppasswdd_t) ') -optional_policy(`hostname',` +optional_policy(` hostname_exec(yppasswdd_t) ') -optional_policy(`selinuxutil',` +optional_policy(` seutil_sigchld_newrole(yppasswdd_t) ') -optional_policy(`udev',` +optional_policy(` udev_read_db(yppasswdd_t) ') @@ -326,11 +326,11 @@ ifdef(`targeted_policy',` files_dontaudit_read_root_files(ypserv_t) ') -optional_policy(`selinuxutil',` +optional_policy(` seutil_sigchld_newrole(ypserv_t) ') -optional_policy(`udev',` +optional_policy(` udev_read_db(ypserv_t) ') diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te index e4ae3dc..37802b0 100644 --- a/refpolicy/policy/modules/services/nscd.te +++ b/refpolicy/policy/modules/services/nscd.te @@ -122,14 +122,14 @@ ifdef(`targeted_policy',` files_dontaudit_read_root_files(nscd_t) ') -optional_policy(`nis',` +optional_policy(` nis_use_ypbind(nscd_t) ') -optional_policy(`samba',` +optional_policy(` samba_stream_connect_winbind(nscd_t) ') -optional_policy(`udev',` +optional_policy(` udev_read_db(nscd_t) ') diff --git a/refpolicy/policy/modules/services/ntp.te b/refpolicy/policy/modules/services/ntp.te index 7492501..39f0b90 100644 --- a/refpolicy/policy/modules/services/ntp.te +++ b/refpolicy/policy/modules/services/ntp.te 
@@ -122,40 +122,40 @@ ifdef(`targeted_policy', ` files_dontaudit_read_root_files(ntpd_t) ') -optional_policy(`cron',` +optional_policy(` # for cron jobs cron_system_entry(ntpd_t,ntpdate_exec_t) ') -optional_policy(`firstboot',` +optional_policy(` firstboot_dontaudit_use_fds(ntpd_t) ') -optional_policy(`logrotate',` +optional_policy(` logrotate_exec(ntpd_t) ') -optional_policy(`mount',` +optional_policy(` mount_send_nfs_client_request(ntpd_t) ') -optional_policy(`nis',` +optional_policy(` nis_use_ypbind(ntpd_t) ') -optional_policy(`nscd',` +optional_policy(` nscd_socket_use(ntpd_t) ') -optional_policy(`samba',` +optional_policy(` samba_stream_connect_winbind(ntpd_t) ') -optional_policy(`selinuxutil',` +optional_policy(` seutil_sigchld_newrole(ntpd_t) ') -optional_policy(`udev',` +optional_policy(` udev_read_db(ntpd_t) ') diff --git a/refpolicy/policy/modules/services/openct.te b/refpolicy/policy/modules/services/openct.te index b6ccdd8..3e55f55 100644 --- a/refpolicy/policy/modules/services/openct.te +++ b/refpolicy/policy/modules/services/openct.te @@ -62,10 +62,10 @@ ifdef(`targeted_policy',` files_dontaudit_read_root_files(openct_t) ') -optional_policy(`selinuxutil',` +optional_policy(` seutil_sigchld_newrole(openct_t) ') -optional_policy(`udev',` +optional_policy(` udev_read_db(openct_t) ') diff --git a/refpolicy/policy/modules/services/pegasus.te b/refpolicy/policy/modules/services/pegasus.te index 6c44a03..55a5075 100644 --- a/refpolicy/policy/modules/services/pegasus.te +++ b/refpolicy/policy/modules/services/pegasus.te 
@@ -117,19 +117,19 @@ ifdef(`targeted_policy', ` files_dontaudit_read_root_files(pegasus_t) ') -optional_policy(`logging',` +optional_policy(` logging_send_syslog_msg(pegasus_t) ') -optional_policy(`nscd',` +optional_policy(` nscd_socket_use(pegasus_t) ') -optional_policy(`selinuxutil',` +optional_policy(` seutil_sigchld_newrole(pegasus_t) seutil_dontaudit_read_config(pegasus_t) ') -optional_policy(`udev',` +optional_policy(` udev_read_db(pegasus_t) ') diff --git a/refpolicy/policy/modules/services/portmap.te b/refpolicy/policy/modules/services/portmap.te index a76f2f2..113f921 100644 --- a/refpolicy/policy/modules/services/portmap.te +++ b/refpolicy/policy/modules/services/portmap.te @@ -103,32 +103,32 @@ ifdef(`targeted_policy', ` files_dontaudit_read_root_files(portmap_t) ') -optional_policy(`inetd',` +optional_policy(` inetd_udp_send(portmap_t) ') -optional_policy(`mount',` +optional_policy(` mount_send_nfs_client_request(portmap_t) ') -optional_policy(`nis',` +optional_policy(` nis_use_ypbind(portmap_t) nis_udp_send_ypbind(portmap_t) ') -optional_policy(`nscd',` +optional_policy(` nscd_socket_use(portmap_t) ') -optional_policy(`rpc',` +optional_policy(` rpc_udp_send_nfs(portmap_t) ') -optional_policy(`selinuxutil',` +optional_policy(` seutil_sigchld_newrole(portmap_t) ') -optional_policy(`udev',` +optional_policy(` udev_read_db(portmap_t) ') @@ -202,10 +202,10 @@ ifdef(`targeted_policy', ` term_dontaudit_use_generic_ptys(portmap_helper_t) ') -optional_policy(`mount',` +optional_policy(` mount_send_nfs_client_request(portmap_helper_t) ') -optional_policy(`nis',` +optional_policy(` nis_use_ypbind(portmap_helper_t) ') diff --git a/refpolicy/policy/modules/services/postfix.if b/refpolicy/policy/modules/services/postfix.if index 2202fc7..adde578 100644 --- a/refpolicy/policy/modules/services/postfix.if +++ b/refpolicy/policy/modules/services/postfix.if 
@@ -91,11 +91,11 @@ template(`postfix_domain_template',` files_dontaudit_read_root_files(postfix_$1_t) ') - optional_policy(`nscd',` + optional_policy(` nscd_socket_use(postfix_$1_t) ') - optional_policy(`udev',` + optional_policy(` udev_read_db(postfix_$1_t) ') ') @@ -129,7 +129,7 @@ template(`postfix_server_domain_template',` sysnet_read_config(postfix_$1_t) - optional_policy(`nis',` + optional_policy(` nis_use_ypbind(postfix_$1_t) ') ') diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te index 37e7cf7..cd496b0 100644 --- a/refpolicy/policy/modules/services/postfix.te +++ b/refpolicy/policy/modules/services/postfix.te @@ -174,11 +174,11 @@ sysnet_read_config(postfix_master_t) mta_rw_aliases(postfix_master_t) mta_read_sendmail_bin(postfix_master_t) -optional_policy(`mount',` +optional_policy(` mount_send_nfs_client_request(postfix_master_t) ') -optional_policy(`nis',` +optional_policy(` nis_use_ypbind(postfix_master_t) ') @@ -280,7 +280,7 @@ mta_delete_spool(postfix_local_t) # For reading spamassasin mta_read_config(postfix_local_t) -optional_policy(`procmail',` +optional_policy(` procmail_domtrans(postfix_local_t) ') @@ -360,7 +360,7 @@ tunable_policy(`read_default_t',` files_read_default_pipes(postfix_map_t) ') -optional_policy(`locallogin',` +optional_policy(` locallogin_dontaudit_use_fds(postfix_map_t) ') @@ -402,11 +402,11 @@ allow postfix_pipe_t postfix_public_t:fifo_file { getattr write }; allow postfix_pipe_t postfix_spool_t:dir search; allow postfix_pipe_t postfix_spool_t:file rw_file_perms; -optional_policy(`procmail',` +optional_policy(` procmail_domtrans(postfix_pipe_t) ') -optional_policy(`mailman',` +optional_policy(` mailman_domtrans_queue(postfix_pipe_t) ') 
@@ -441,14 +441,14 @@ ifdef(`targeted_policy', ` term_use_generic_ptys(postfix_postdrop_t) ') -optional_policy(`crond',` +optional_policy(` cron_use_fds(postfix_postdrop_t) cron_rw_pipes(postfix_postdrop_t) cron_use_system_job_fds(postfix_postdrop_t) cron_rw_system_job_pipes(postfix_postdrop_t) ') -optional_policy(`ppp',` +optional_policy(` ppp_use_fds(postfix_postqueue_t) ppp_sigchld(postfix_postqueue_t) ') @@ -491,7 +491,7 @@ init_use_script_fds(postfix_postqueue_t) sysnet_dontaudit_read_config(postfix_postqueue_t) ifdef(`TODO',` -optional_policy(`gnome-pty-helper', `allow postfix_postqueue_t user_gph_t:fd use;') +optional_policy(`allow postfix_postqueue_t user_gph_t:fd use;') ') ######################################## @@ -584,6 +584,6 @@ allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms; files_read_usr_files(postfix_smtpd_t) mta_read_aliases(postfix_smtpd_t) -optional_policy(`sasl',` +optional_policy(` sasl_connect(postfix_smtpd_t) ') diff --git a/refpolicy/policy/modules/services/postgresql.te b/refpolicy/policy/modules/services/postgresql.te index faf817a..d602f4d 100644 --- a/refpolicy/policy/modules/services/postgresql.te +++ b/refpolicy/policy/modules/services/postgresql.te 
@@ -152,36 +152,36 @@ tunable_policy(`allow_execmem',` allow postgresql_t self:process execmem; ') -optional_policy(`consoletype',` +optional_policy(` consoletype_exec(postgresql_t) ') -optional_policy(`cron',` +optional_policy(` cron_search_spool(postgresql_t) cron_system_entry(postgresql_t,postgresql_exec_t) ') -optional_policy(`hostname',` +optional_policy(` hostname_exec(postgresql_t) ') -optional_policy(`kerberos',` +optional_policy(` kerberos_use(postgresql_t) ') -optional_policy(`mount',` +optional_policy(` mount_send_nfs_client_request(postgresql_t) ') -optional_policy(`nis',` +optional_policy(` nis_use_ypbind(postgresql_t) ') -optional_policy(`selinuxutil',` +optional_policy(` seutil_sigchld_newrole(postgresql_t) ') -optional_policy(`udev',` +optional_policy(` udev_read_db(postgresql_t) ') diff --git a/refpolicy/policy/modules/services/ppp.te b/refpolicy/policy/modules/services/ppp.te index 62f156d..6ec1539 100644 --- a/refpolicy/policy/modules/services/ppp.te +++ b/refpolicy/policy/modules/services/ppp.te @@ -181,7 +181,7 @@ ifdef(`targeted_policy', ` term_dontaudit_use_generic_ptys(pppd_t) files_dontaudit_read_root_files(pppd_t) - optional_policy(`postfix',` + optional_policy(` gen_require(` bool postfix_disable_trans; ') @@ -191,34 +191,34 @@ ifdef(`targeted_policy', ` } ') ',` - optional_policy(`postfix',` + optional_policy(` postfix_domtrans_master(pppd_t) ') ') -optional_policy(`modutils',` +optional_policy(` tunable_policy(`pppd_can_insmod && ! secure_mode_insmod',` modutils_domtrans_insmod_uncond(pppd_t) ') ') -optional_policy(`mta',` +optional_policy(` mta_send_mail(pppd_t) ') -optional_policy(`nis',` +optional_policy(` nis_use_ypbind(pppd_t) ') -optional_policy(`nscd',` +optional_policy(` nscd_socket_use(pppd_t) ') -optional_policy(`selinuxutil',` +optional_policy(` seutil_sigchld_newrole(pppd_t) ') -optional_policy(`udev',` +optional_policy(` udev_read_db(pppd_t) ') 
@@ -302,23 +302,23 @@ ifdef(`targeted_policy',` files_dontaudit_read_root_files(pptp_t) ') -optional_policy(`hostname',` +optional_policy(` hostname_exec(pptp_t) ') -optional_policy(`nscd',` +optional_policy(` nscd_socket_use(pptp_t) ') -optional_policy(`selinuxutil',` +optional_policy(` seutil_sigchld_newrole(pptp_t) ') -optional_policy(`udev',` +optional_policy(` udev_read_db(pptp_t) ') -optional_policy(`postfix',` +optional_policy(` postfix_read_config(pppd_t) ') diff --git a/refpolicy/policy/modules/services/privoxy.te b/refpolicy/policy/modules/services/privoxy.te index 8146e06..b4ba164 100644 --- a/refpolicy/policy/modules/services/privoxy.te +++ b/refpolicy/policy/modules/services/privoxy.te @@ -86,18 +86,18 @@ ifdef(`targeted_policy',` files_dontaudit_read_root_files(privoxy_t) ') -optional_policy(`mount',` +optional_policy(` mount_send_nfs_client_request(privoxy_t) ') -optional_policy(`nis',` +optional_policy(` nis_use_ypbind(privoxy_t) ') -optional_policy(`selinuxutil',` +optional_policy(` seutil_sigchld_newrole(privoxy_t) ') -optional_policy(`udev',` +optional_policy(` udev_read_db(privoxy_t) ') diff --git a/refpolicy/policy/modules/services/procmail.te b/refpolicy/policy/modules/services/procmail.te index a8366b0..e3a8433 100644 --- a/refpolicy/policy/modules/services/procmail.te +++ b/refpolicy/policy/modules/services/procmail.te 
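Review bot: The last block of this hunk, `optional_policy(` followed by `postfix_read_config(pppd_t)`, grants to pppd_t while every other rule in the hunk targets pptp_t, and now that the `postfix` label is gone nothing signals that it is out of place. It would read better moved next to the other postfix optionals for pppd_t in the `@@ -191,34 +191,34 @@` hunk of this file; if it must stay here, a comment such as `# NOTE: applies to pppd_t, not pptp_t` above the block would keep a reader from assuming it belongs to the pptp section.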
@@ -79,27 +79,27 @@ ifdef(`targeted_policy', ` files_getattr_tmp_dirs(procmail_t) ') -optional_policy(`logging',` +optional_policy(` logging_send_syslog_msg(procmail_t) ') -optional_policy(`nscd',` +optional_policy(` nscd_socket_use(procmail_t) ') -optional_policy(`postfix',` +optional_policy(` # for a bug in the postfix local program postfix_dontaudit_rw_local_tcp_sockets(procmail_t) postfix_dontaudit_use_fds(procmail_t) ') -optional_policy(`sendmail',` +optional_policy(` mta_read_config(procmail_t) sendmail_rw_tcp_sockets(procmail_t) sendmail_rw_unix_stream_sockets(procmail_t) ') -optional_policy(`spamassassin',` +optional_policy(` corenet_udp_bind_generic_port(procmail_t) corenet_tcp_connect_spamd_port(procmail_t) diff --git a/refpolicy/policy/modules/services/publicfile.te b/refpolicy/policy/modules/services/publicfile.te index ceab2ae..7b91ac9 100644 --- a/refpolicy/policy/modules/services/publicfile.te +++ b/refpolicy/policy/modules/services/publicfile.te @@ -28,11 +28,11 @@ files_search_var(publicfile_t) libs_use_ld_so(publicfile_t) libs_use_shared_libs(publicfile_t) -optional_policy(`daemontools',` +optional_policy(` daemontools_ipc_domain(publicfile_t) ') -optional_policy(`ucspitcp',` +optional_policy(` ucspitcp_service_domain(publicfile_t, publicfile_exec_t) ') diff --git a/refpolicy/policy/modules/services/radius.te b/refpolicy/policy/modules/services/radius.te index 5955b4d..9335bc9 100644 --- a/refpolicy/policy/modules/services/radius.te +++ b/refpolicy/policy/modules/services/radius.te 
@@ -109,26 +109,26 @@ ifdef(`targeted_policy', ` files_dontaudit_read_root_files(radiusd_t) ') -optional_policy(`cron',` +optional_policy(` cron_system_entry(radiusd_t,radiusd_exec_t) ') -optional_policy(`logrotate',` +optional_policy(` logrotate_exec(radiusd_t) ') -optional_policy(`nis',` +optional_policy(` nis_use_ypbind(radiusd_t) ') -optional_policy(`selinuxutil',` +optional_policy(` seutil_sigchld_newrole(radiusd_t) ') -optional_policy(`snmp',` +optional_policy(` snmp_tcp_connect(radiusd_t) ') -optional_policy(`udev',` +optional_policy(` udev_read_db(radiusd_t) ') diff --git a/refpolicy/policy/modules/services/radvd.te b/refpolicy/policy/modules/services/radvd.te index ab311e8..5e2fb65 100644 --- a/refpolicy/policy/modules/services/radvd.te +++ b/refpolicy/policy/modules/services/radvd.te @@ -84,14 +84,14 @@ ifdef(`targeted_policy',` files_dontaudit_read_root_files(radvd_t) ') -optional_policy(`nis',` +optional_policy(` nis_use_ypbind(radvd_t) ') -optional_policy(`selinuxutil',` +optional_policy(` seutil_sigchld_newrole(radvd_t) ') -optional_policy(`udev',` +optional_policy(` udev_read_db(radvd_t) ') diff --git a/refpolicy/policy/modules/services/rdisc.te b/refpolicy/policy/modules/services/rdisc.te index 1a734f7..2226c7d 100644 --- a/refpolicy/policy/modules/services/rdisc.te +++ b/refpolicy/policy/modules/services/rdisc.te @@ -62,10 +62,10 @@ ifdef(`targeted_policy',` files_dontaudit_read_root_files(rdisc_t) ') -optional_policy(`selinuxutil',` +optional_policy(` seutil_sigchld_newrole(rdisc_t) ') -optional_policy(`udev',` +optional_policy(` udev_read_db(rdisc_t) ') diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te index 8e96e51..18d90dc 100644 --- a/refpolicy/policy/modules/services/remotelogin.te +++ b/refpolicy/policy/modules/services/remotelogin.te 
@@ -153,18 +153,18 @@ tunable_policy(`use_samba_home_dirs',` fs_read_cifs_symlinks(remote_login_t) ') -optional_policy(`alsa',` +optional_policy(` alsa_domtrans(remote_login_t) ') -optional_policy(`nis',` +optional_policy(` nis_use_ypbind(remote_login_t) ') -optional_policy(`nscd',` +optional_policy(` nscd_socket_use(remote_login_t) ') -optional_policy(`usermanage',` +optional_policy(` usermanage_read_crack_db(remote_login_t) ') diff --git a/refpolicy/policy/modules/services/rhgb.te b/refpolicy/policy/modules/services/rhgb.te index 99acd6b..a02aeb7 100644 --- a/refpolicy/policy/modules/services/rhgb.te +++ b/refpolicy/policy/modules/services/rhgb.te @@ -112,19 +112,19 @@ ifdef(`targeted_policy',` files_dontaudit_read_root_files(rhgb_t) ') -optional_policy(`firstboot',` +optional_policy(` firstboot_read_rw_files(rhgb_t) ') -optional_policy(`nis',` +optional_policy(` nis_use_ypbind(rhgb_t) ') -optional_policy(`selinuxutil',` +optional_policy(` seutil_sigchld_newrole(rhgb_t) ') -optional_policy(`udev',` +optional_policy(` udev_read_db(rhgb_t) ') diff --git a/refpolicy/policy/modules/services/rlogin.te b/refpolicy/policy/modules/services/rlogin.te index 3c93e1a..028e5be 100644 --- a/refpolicy/policy/modules/services/rlogin.te +++ b/refpolicy/policy/modules/services/rlogin.te @@ -94,18 +94,18 @@ userdom_read_all_users_home_content_files(rlogind_t) remotelogin_domtrans(rlogind_t) -optional_policy(`kerberos',` +optional_policy(` kerberos_read_keytab(rlogind_t) # for identd; cjp: this should probably only be inetd_child rules? kerberos_use(rlogind_t) ') -optional_policy(`nis',` +optional_policy(` nis_use_ypbind(rlogind_t) ') -optional_policy(`nscd',` +optional_policy(` nscd_socket_use(rlogind_t) ') diff --git a/refpolicy/policy/modules/services/roundup.te b/refpolicy/policy/modules/services/roundup.te index d1ab3af..609ac11 100644 --- a/refpolicy/policy/modules/services/roundup.te +++ b/refpolicy/policy/modules/services/roundup.te 
@@ -94,19 +94,19 @@ ifdef(`targeted_policy',` term_dontaudit_use_generic_ptys(roundup_t) ') -optional_policy(`mount',` +optional_policy(` mount_send_nfs_client_request(roundup_t) ') -optional_policy(`mysql',` +optional_policy(` mysql_stream_connect(roundup_t) mysql_search_db(roundup_t) ') -optional_policy(`selinuxutil',` +optional_policy(` seutil_sigchld_newrole(roundup_t) ') -optional_policy(`udev',` +optional_policy(` udev_read_db(roundup_t) ') diff --git a/refpolicy/policy/modules/services/rpc.if b/refpolicy/policy/modules/services/rpc.if index 6083364..bd069ad 100644 --- a/refpolicy/policy/modules/services/rpc.if +++ b/refpolicy/policy/modules/services/rpc.if @@ -101,19 +101,19 @@ template(`rpc_domain_template', ` files_dontaudit_read_root_files($1_t) ') - optional_policy(`mount',` + optional_policy(` mount_send_nfs_client_request($1_t) ') - optional_policy(`nis',` + optional_policy(` nis_use_ypbind($1_t) ') - optional_policy(`selinuxutil',` + optional_policy(` seutil_sigchld_newrole($1_t) ') - optional_policy(`udev',` + optional_policy(` udev_read_db($1_t) ') ') diff --git a/refpolicy/policy/modules/services/rpc.te b/refpolicy/policy/modules/services/rpc.te index abb9a7c..62e52cf 100644 --- a/refpolicy/policy/modules/services/rpc.te +++ b/refpolicy/policy/modules/services/rpc.te @@ -69,7 +69,7 @@ ifdef(`distro_redhat',` allow rpcd_t self:capability { chown dac_override setgid setuid }; ') -optional_policy(`nis',` +optional_policy(` nis_read_ypserv_config(rpcd_t) ') @@ -153,7 +153,7 @@ tunable_policy(`allow_gssd_read_tmp',` userdom_read_unpriv_users_tmp_symlinks(gssd_t) ') -optional_policy(`kerberos',` +optional_policy(` kerberos_use(gssd_t) kerberos_read_keytab(gssd_t) ') diff --git a/refpolicy/policy/modules/services/rshd.te b/refpolicy/policy/modules/services/rshd.te index 0d78310..f432bb4 100644 --- a/refpolicy/policy/modules/services/rshd.te +++ b/refpolicy/policy/modules/services/rshd.te 
@@ -82,16 +82,16 @@ tunable_policy(`use_samba_home_dirs',` fs_read_cifs_symlinks(rshd_t) ') -optional_policy(`kerberos',` +optional_policy(` kerberos_use(rshd_t) ') -optional_policy(`nscd',` +optional_policy(` nscd_socket_use(rshd_t) ') ifdef(`TODO',` -optional_policy(`rlogind',` +optional_policy(` allow rshd_t rlogind_tmp_t:file rw_file_perms; ') ') diff --git a/refpolicy/policy/modules/services/rsync.te b/refpolicy/policy/modules/services/rsync.te index 240ce5b..ae35a20 100644 --- a/refpolicy/policy/modules/services/rsync.te +++ b/refpolicy/policy/modules/services/rsync.te @@ -87,22 +87,22 @@ tunable_policy(`allow_rsync_anon_write',` miscfiles_manage_public_files(rsync_t) ') -optional_policy(`daemontools',` +optional_policy(` daemontools_service_domain(rsync_t, rsync_exec_t) ') -optional_policy(`kerberos',` +optional_policy(` kerberos_use(rsync_t) ') -optional_policy(`inetd',` +optional_policy(` inetd_service_domain(rsync_t,rsync_exec_t) ') -optional_policy(`nis',` +optional_policy(` nis_use_ypbind(rsync_t) ') -optional_policy(`nscd',` +optional_policy(` nscd_socket_use(rsync_t) ') diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te index b04994e..ef4fa9e 100644 --- a/refpolicy/policy/modules/services/samba.te +++ b/refpolicy/policy/modules/services/samba.te @@ -146,11 +146,11 @@ ifdef(`targeted_policy',` term_use_unallocated_ttys(samba_net_t) ') -optional_policy(`kerberos',` +optional_policy(` kerberos_use(samba_net_t) ') -optional_policy(`ldap',` +optional_policy(` allow samba_net_t self:tcp_socket create_socket_perms; corenet_tcp_sendrecv_all_if(samba_net_t) corenet_raw_sendrecv_all_if(samba_net_t) @@ -162,7 +162,7 @@ optional_policy(`ldap',` sysnet_read_config(samba_net_t) ') -optional_policy(`nscd',` +optional_policy(` nscd_socket_use(samba_net_t) ') 
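Review bot: In the samba.te hunk at `@@ -146,11 +146,11 @@`, the block that used to be labelled `ldap` contains only `allow samba_net_t self:tcp_socket create_socket_perms;`, `corenet_*` calls and, in the following hunk, `sysnet_read_config(samba_net_t)`; none of the visible lines calls an ldap interface, and lines 152-161 of the block are outside the hunk. Once the label is dropped an optional block is enabled whenever its own requirements resolve, so if the hidden lines also reference nothing from ldap, these network permissions for samba_net_t are satisfied by base modules alone and become unconditional rather than tied to ldap being built. Worth confirming; if no ldap interface is called there, either call one so the dependency is real or add `# effectively unconditional: no ldap interface is referenced here` so the grant is not mistaken for an optional one.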
@@ -298,27 +298,27 @@ tunable_policy(`allow_smbd_anon_write',` miscfiles_manage_public_files(smbd_t) ') -optional_policy(`cups',` +optional_policy(` cups_read_rw_config(smbd_t) ') -optional_policy(`kerberos',` +optional_policy(` kerberos_use(smbd_t) ') -optional_policy(`nis',` +optional_policy(` nis_use_ypbind(smbd_t) ') -optional_policy(`nscd',` +optional_policy(` nscd_socket_use(smbd_t) ') -optional_policy(`selinuxutil',` +optional_policy(` seutil_sigchld_newrole(smbd_t) ') -optional_policy(`udev', ` +optional_policy(` udev_read_db(smbd_t) ') @@ -425,15 +425,15 @@ ifdef(`targeted_policy', ` term_dontaudit_use_unallocated_ttys(nmbd_t) ') -optional_policy(`nis',` +optional_policy(` nis_use_ypbind(nmbd_t) ') -optional_policy(`selinuxutil',` +optional_policy(` seutil_sigchld_newrole(nmbd_t) ') -optional_policy(`udev',` +optional_policy(` udev_read_db(nmbd_t) ') @@ -515,11 +515,11 @@ sysnet_read_config(smbmount_t) userdom_use_all_users_fds(smbmount_t) userdom_use_sysadm_ttys(smbmount_t) -optional_policy(`nis',` +optional_policy(` nis_use_ypbind(smbmount_t) ') -optional_policy(`nscd',` +optional_policy(` nscd_socket_use(smbmount_t) ') @@ -605,19 +605,19 @@ miscfiles_read_localization(swat_t) sysnet_read_config(swat_t) -optional_policy(`cups',` +optional_policy(` cups_read_rw_config(swat_t) ') -optional_policy(`kerberos',` +optional_policy(` kerberos_use(swat_t) ') -optional_policy(`nis',` +optional_policy(` nis_use_ypbind(swat_t) ') -optional_policy(`nscd',` +optional_policy(` nscd_socket_use(swat_t) ') 
@@ -717,23 +717,23 @@ ifdef(`targeted_policy', ` files_dontaudit_read_root_files(winbind_t) ') -optional_policy(`kerberos',` +optional_policy(` kerberos_use(winbind_t) ') -optional_policy(`mount',` +optional_policy(` mount_send_nfs_client_request(winbind_t) ') -optional_policy(`nscd',` +optional_policy(` nscd_socket_use(winbind_t) ') -optional_policy(`selinuxutil',` +optional_policy(` seutil_sigchld_newrole(winbind_t) ') -optional_policy(`udev',` +optional_policy(` udev_read_db(winbind_t) ') @@ -771,11 +771,11 @@ ifdef(`targeted_policy',` term_use_unallocated_ttys(winbind_helper_t) ') -optional_policy(`nscd',` +optional_policy(` nscd_socket_use(winbind_helper_t) ') -optional_policy(`squid',` +optional_policy(` squid_read_log(winbind_helper_t) squid_append_log(winbind_helper_t) ') diff --git a/refpolicy/policy/modules/services/sasl.te b/refpolicy/policy/modules/services/sasl.te index 44719ba..5d0e609 100644 --- a/refpolicy/policy/modules/services/sasl.te +++ b/refpolicy/policy/modules/services/sasl.te @@ -93,15 +93,15 @@ tunable_policy(`allow_saslauthd_read_shadow',` auth_tunable_read_shadow(saslauthd_t) ') -optional_policy(`mysql',` +optional_policy(` mysql_search_db(saslauthd_t) mysql_stream_connect(saslauthd_t) ') -optional_policy(`selinuxutil',` +optional_policy(` seutil_sigchld_newrole(saslauthd_t) ') -optional_policy(`udev',` +optional_policy(` udev_read_db(saslauthd_t) ') diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te index 3ce5d74..1139497 100644 --- a/refpolicy/policy/modules/services/sendmail.te +++ b/refpolicy/policy/modules/services/sendmail.te 
@@ -116,29 +116,29 @@ ifdef(`targeted_policy',` files_pid_filetrans(sendmail_t,sendmail_var_run_t,file) ') -optional_policy(`nis',` +optional_policy(` nis_use_ypbind(sendmail_t) ') -optional_policy(`nscd',` +optional_policy(` nscd_socket_use(sendmail_t) ') -optional_policy(`postfix',` +optional_policy(` postfix_exec_master(sendmail_t) postfix_read_config(sendmail_t) postfix_search_spool(sendmail_t) ') -optional_policy(`procmail',` +optional_policy(` procmail_domtrans(sendmail_t) ') -optional_policy(`selinuxutil',` +optional_policy(` seutil_sigchld_newrole(sendmail_t) ') -optional_policy(`udev',` +optional_policy(` udev_read_db(sendmail_t) ') diff --git a/refpolicy/policy/modules/services/slrnpull.te b/refpolicy/policy/modules/services/slrnpull.te index e25afb6..c7de93a 100644 --- a/refpolicy/policy/modules/services/slrnpull.te +++ b/refpolicy/policy/modules/services/slrnpull.te @@ -74,14 +74,14 @@ ifdef(`targeted_policy',` term_dontaudit_use_generic_ptys(slrnpull_t) ') -optional_policy(`cron',` +optional_policy(` cron_system_entry(slrnpull_t,slrnpull_exec_t) ') -optional_policy(`selinuxutil',` +optional_policy(` seutil_sigchld_newrole(slrnpull_t) ') -optional_policy(`udev',` +optional_policy(` udev_read_db(slrnpull_t) ') diff --git a/refpolicy/policy/modules/services/smartmon.te b/refpolicy/policy/modules/services/smartmon.te index 5791d1e..876d839 100644 --- a/refpolicy/policy/modules/services/smartmon.te +++ b/refpolicy/policy/modules/services/smartmon.te @@ -94,14 +94,14 @@ ifdef(`targeted_policy',` files_dontaudit_read_root_files(fsdaemon_t) ') -optional_policy(`mta',` +optional_policy(` mta_send_mail(fsdaemon_t) ') -optional_policy(`selinuxutil',` +optional_policy(` seutil_sigchld_newrole(fsdaemon_t) ') -optional_policy(`udev',` +optional_policy(` udev_read_db(fsdaemon_t) ') diff --git a/refpolicy/policy/modules/services/snmp.te b/refpolicy/policy/modules/services/snmp.te index d547023..df50f2f 100644 --- a/refpolicy/policy/modules/services/snmp.te 
+++ b/refpolicy/policy/modules/services/snmp.te @@ -117,7 +117,7 @@ userdom_dontaudit_use_unpriv_user_fds(snmpd_t) userdom_dontaudit_search_sysadm_home_dirs(snmpd_t) ifdef(`distro_redhat', ` - optional_policy(`rpm',` + optional_policy(` rpm_read_db(snmpd_t) rpm_dontaudit_manage_db(snmpd_t) ') @@ -129,31 +129,31 @@ ifdef(`targeted_policy', ` files_dontaudit_read_root_files(snmpd_t) ') -optional_policy(`amanda',` +optional_policy(` amanda_dontaudit_read_dumpdates(snmpd_t) ') -optional_policy(`cups',` +optional_policy(` cups_read_rw_config(snmpd_t) ') -optional_policy(`nis',` +optional_policy(` nis_use_ypbind(snmpd_t) ') -optional_policy(`nscd',` +optional_policy(` nscd_socket_use(snmpd_t) ') -optional_policy(`rpc',` +optional_policy(` rpc_search_nfs_state_data(snmpd_t) ') -optional_policy(`selinuxutil',` +optional_policy(` seutil_sigchld_newrole(snmpd_t) ') -optional_policy(`udev',` +optional_policy(` udev_read_db(snmpd_t) ') diff --git a/refpolicy/policy/modules/services/spamassassin.if b/refpolicy/policy/modules/services/spamassassin.if index 060b714..f57fdca 100644 --- a/refpolicy/policy/modules/services/spamassassin.if +++ b/refpolicy/policy/modules/services/spamassassin.if @@ -161,24 +161,24 @@ template(`spamassassin_per_userdomain_template',` files_read_default_pipes($1_spamc_t) ') - optional_policy(`evolution',` + optional_policy(` # Allow connection to spamd socket above evolution_stream_connect($1,$1_spamc_t) ') - optional_policy(`mount',` + optional_policy(` mount_send_nfs_client_request($1_spamc_t) ') - optional_policy(`nis',` + optional_policy(` nis_use_ypbind($1_spamc_t) ') - optional_policy(`nscd',` + optional_policy(` nscd_socket_use($1_spamc_t) ') - optional_policy(`sendmail',` + optional_policy(` mta_read_config($1_spamc_t) sendmail_stub($1_spamc_t) ') 
@@ -315,12 +315,12 @@ template(`spamassassin_per_userdomain_template',` fs_manage_cifs_symlinks($1_spamassassin_t) ') - optional_policy(`evolution',` + optional_policy(` # Write pid file and socket in ~/.evolution/cache/tmp evolution_home_filetrans($1,spamd_t,spamd_tmp_t,{ file sock_file }) ') - optional_policy(`nis',` + optional_policy(` # cjp: clearly some redundancy here nis_use_ypbind($1_spamassassin_t) @@ -330,7 +330,7 @@ template(`spamassassin_per_userdomain_template',` ') ') - optional_policy(`sendmail',` + optional_policy(` mta_read_config($1_spamassassin_t) sendmail_stub($1_spamassassin_t) ') diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te index 31167a0..ed2062a 100644 --- a/refpolicy/policy/modules/services/spamassassin.te +++ b/refpolicy/policy/modules/services/spamassassin.te @@ -138,37 +138,37 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(spamd_t) ') -optional_policy(`cron',` +optional_policy(` cron_system_entry(spamd_t,spamd_exec_t) ') -optional_policy(`amavis',` +optional_policy(` amavis_manage_lib_files(spamd_t) ') -optional_policy(`daemontools',` +optional_policy(` daemontools_service_domain(spamd_t,spamd_exec_t) ') -optional_policy(`nis',` +optional_policy(` nis_use_ypbind(spamd_t) ') -optional_policy(`selinuxutil',` +optional_policy(` seutil_sigchld_newrole(spamd_t) ') -optional_policy(`sendmail',` +optional_policy(` sendmail_stub(spamd_t) mta_read_config(spamd_t) ') -optional_policy(`udev',` +optional_policy(` udev_read_db(spamd_t) ') ifdef(`TODO',` -optional_policy(`amavis', ` +optional_policy(` # for bayes tokens allow spamd_t var_lib_t:dir { getattr search }; allow spamd_t amavisd_lib_t:dir rw_dir_perms; diff --git a/refpolicy/policy/modules/services/squid.te b/refpolicy/policy/modules/services/squid.te index 8037fc7..808b1fe 100644 --- a/refpolicy/policy/modules/services/squid.te +++ b/refpolicy/policy/modules/services/squid.te 
@@ -145,7 +145,7 @@ tunable_policy(`squid_connect_any',`
 corenet_tcp_connect_all_ports(squid_t)
 ')
-optional_policy(`logrotate',`
+optional_policy(`
 allow squid_t self:capability kill;
 cron_use_fds(squid_t)
 cron_use_system_job_fds(squid_t)
@@ -153,27 +153,27 @@ optional_policy(`logrotate',`
 cron_write_system_job_pipes(squid_t)
 ')
-optional_policy(`mount',`
+optional_policy(`
 mount_send_nfs_client_request(squid_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(squid_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(squid_t)
 ')
-optional_policy(`samba',`
+optional_policy(`
 samba_domtrans_winbind_helper(squid_t)
 ')
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(squid_t)
 ')
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(squid_t)
 ')
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index a89a355..8d7a188 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -208,19 +208,19 @@ template(`ssh_per_userdomain_template',`
 corenet_tcp_bind_ssh_port($1_ssh_t)
 ')
- optional_policy(`kerberos',`
+ optional_policy(`
 kerberos_use($1_ssh_t)
 ')
- optional_policy(`nis',`
+ optional_policy(`
 nis_use_ypbind($1_ssh_t)
 ')
- optional_policy(`nscd',`
+ optional_policy(`
 nscd_socket_use($1_ssh_t)
 ')
- optional_policy(`xserver',`
+ optional_policy(`
 xserver_user_client_template($1,$1_ssh_t,$1_ssh_tmpfs_t)
 xserver_domtrans_user_xauth($1,$1_ssh_t)
 ')
@@ -348,11 +348,11 @@ template(`ssh_per_userdomain_template',`
 fs_cifs_domtrans($1_ssh_agent_t, $1_t)
 ')
- optional_policy(`nis',`
+ optional_policy(`
 nis_use_ypbind($1_ssh_agent_t)
 ')
-# optional_policy(`xdm',`
+# optional_policy(`
 # # KDM:
 # xdm_sigchld($1_ssh_agent_t)
 # ')
@@ -394,7 +394,7 @@ template(`ssh_per_userdomain_template',`
 # $1_ssh_keysign_t local policy
 #
- optional_policy(`nscd',`
+ optional_policy(`
 nscd_socket_use($1_ssh_keysign_t)
 ')
 ')
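Review bot: `allow squid_t self:capability kill;` now sits in an optional block whose only interface calls are `cron_use_fds`/`cron_use_system_job_fds` (and `cron_write_system_job_pipes` in the next hunk), so once the `logrotate` label is gone nothing in the block names the module it was written for, and if an optional's dependency is derived from its calls the capability is gated on cron rather than logrotate. The page's own `sendmail_stub`/`rhgb_stub` convention (spamassassin.if above, fstools.te further down) is the way to pin such a dependency explicitly; failing that, a one-line comment such as `# for logrotate's cron job signalling squid` should be kept above the `allow`. The same loss of recorded intent applies to init.te's former `apm` block at @@ -483, which now contains only `dev_rw_apm_bios(initrc_t)` with no `apm_*` call (compare `cpucontrol_stub(initrc_t)` a few lines below it), and to mount.te's former `portmap` block at @@ -92, whose `corenet_*` rules are tied to portmap only through `portmap_udp_chat` in the following hunk. The squid optional block closes in the next hunk (@@ -153).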
@@ -530,7 +530,7 @@ template(`ssh_server_template', `
 # cjp: commenting out until typeattribute works in conditional
 # and require block in optional else is resolved
- #optional_policy(`inetd',`
+ #optional_policy(`
 # tunable_policy(`run_ssh_inetd',`
 # allow $1_t self:process signal;
 # files_list_pids($1_t)
@@ -547,15 +547,15 @@ template(`ssh_server_template', `
 init_use_script_ptys($1_t)
 #')
- optional_policy(`kerberos',`
+ optional_policy(`
 kerberos_use($1_t)
 ')
- optional_policy(`mount',`
+ optional_policy(`
 mount_send_nfs_client_request($1_t)
 ')
- optional_policy(`nscd',`
+ optional_policy(`
 nscd_socket_use($1_t)
 ')
 ')
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index a320fca..546f8d7 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -52,7 +52,7 @@ ifdef(`targeted_policy',`
 ssh_server_template(sshd_extern)
 # cjp: commenting this out until typeattribute works in a conditional
-# optional_policy(`inetd',`
+# optional_policy(`
 # tunable_policy(`run_ssh_inetd',`
 # inetd_tcp_service_domain(sshd_t,sshd_exec_t)
 # ',`
@@ -117,11 +117,11 @@ ifdef(`targeted_policy',`',`
 userdom_use_unpriv_users_ptys(sshd_t)
 ')
- optional_policy(`daemontools',`
+ optional_policy(`
 daemontools_service_domain(sshd_t, sshd_exec_t)
 ')
- optional_policy(`rpm',`
+ optional_policy(`
 rpm_use_script_fds(sshd_t)
 ')
@@ -133,11 +133,11 @@ ifdef(`targeted_policy',`',`
 # some versions of sshd on the new SE Linux require setattr
 allow sshd_t ptyfile:chr_file relabelto;
- optional_policy(`xauth',`
+ optional_policy(`
 domain_trans(sshd_t, xauth_exec_t, userdomain)
 ')
 ',`
- optional_policy(`xauth',`
+ optional_policy(`
 domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
 ')
 # Relabel and access ptys created by sshd
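Review bot: The two blocks at ssh.te @@ -133 now contain only a raw `domain_trans(sshd_t, xauth_exec_t, userdomain)` / `domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)` with no interface call, so after the `xauth` label is dropped nothing records that they depend on the xserver module, which is where `xserver_domtrans_user_xauth` (called in ssh.if @@ -208 on the previous line) lives; the old label named no module of that name, so the dependency was already only implicit. If the build derives an optional's requirements from the interfaces it calls, a bare `domain_trans` on a foreign type may leave the block without the `require` it needs — worth confirming. Calling the xserver interface instead, or at least adding `# xserver: transition to xauth_exec_t` above each `domain_trans`, would keep the dependency visible. The same pattern recurs in ssh.te @@ -176 (next line), where the former `inetd` block holds `domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)` and no `inetd_*` call.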
@@ -176,7 +176,7 @@ ifdef(`targeted_policy',`',`
 # is allocated
 allow user_mini_domain sshd_extern_t:unix_stream_socket rw_stream_socket_perms;
- optional_policy(`inetd',`
+ optional_policy(`
 tunable_policy(`run_ssh_inetd',`
 domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)
 ',`
@@ -258,11 +258,11 @@ ifdef(`targeted_policy',`',`
 files_dontaudit_read_root_files(ssh_keygen_t)
 ')
- optional_policy(`selinuxutil',`
+ optional_policy(`
 seutil_sigchld_newrole(ssh_keygen_t)
 ')
- optional_policy(`udev',`
+ optional_policy(`
 udev_read_db(ssh_keygen_t)
 ')
 ')
diff --git a/refpolicy/policy/modules/services/stunnel.te b/refpolicy/policy/modules/services/stunnel.te
index 14e6a0f..88bda4a 100644
--- a/refpolicy/policy/modules/services/stunnel.te
+++ b/refpolicy/policy/modules/services/stunnel.te
@@ -103,19 +103,19 @@ ifdef(`distro_gentoo', `
 files_dontaudit_read_root_files(stunnel_t)
 ')
- optional_policy(`daemontools',`
+ optional_policy(`
 daemontools_service_domain(stunnel_t, stunnel_exec_t)
 ')
- optional_policy(`mount',`
+ optional_policy(`
 mount_send_nfs_client_request(stunnel_t)
 ')
- optional_policy(`selinuxutil',`
+ optional_policy(`
 seutil_sigchld_newrole(stunnel_t)
 ')
- optional_policy(`udev',`
+ optional_policy(`
 udev_read_db(stunnel_t)
 ')
 ',`
@@ -126,15 +126,15 @@ ifdef(`distro_gentoo', `
 files_read_etc_files(stunnel_t)
 files_search_home(stunnel_t)
- optional_policy(`kerberos',`
+ optional_policy(`
 kerberos_use(stunnel_t)
 ')
- optional_policy(`nis',`
+ optional_policy(`
 nis_use_ypbind(stunnel_t)
 ')
- optional_policy(`nscd',`
+ optional_policy(`
 nscd_socket_use(stunnel_t)
 ')
 ')
diff --git a/refpolicy/policy/modules/services/sysstat.te b/refpolicy/policy/modules/services/sysstat.te
index 620c380..21ac35a 100644
--- a/refpolicy/policy/modules/services/sysstat.te
+++ b/refpolicy/policy/modules/services/sysstat.te
@@ -61,10 +61,10 @@ miscfiles_read_localization(sysstat_t)
 userdom_dontaudit_list_sysadm_home_dirs(sysstat_t)
-optional_policy(`cron',`
+optional_policy(`
 cron_system_entry(sysstat_t,sysstat_exec_t)
 ')
-optional_policy(`logging',`
+optional_policy(`
 logging_send_syslog_msg(sysstat_t)
 ')
diff --git a/refpolicy/policy/modules/services/tcpd.te b/refpolicy/policy/modules/services/tcpd.te
index dc6ec20..f80f307 100644
--- a/refpolicy/policy/modules/services/tcpd.te
+++ b/refpolicy/policy/modules/services/tcpd.te
@@ -52,22 +52,22 @@ sysnet_read_config(tcpd_t)
 inetd_domtrans_child(tcpd_t)
-optional_policy(`finger',`
+optional_policy(`
 finger_domtrans(tcpd_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(tcpd_t)
 ')
-optional_policy(`portmap',`
+optional_policy(`
 portmap_udp_send(tcpd_t)
 ')
-optional_policy(`rlogin',`
+optional_policy(`
 rlogin_domtrans(tcpd_t)
 ')
-optional_policy(`rshd',`
+optional_policy(`
 rshd_domtrans(tcpd_t)
 ')
diff --git a/refpolicy/policy/modules/services/telnet.te b/refpolicy/policy/modules/services/telnet.te
index a36dfc7..3d4a2df 100644
--- a/refpolicy/policy/modules/services/telnet.te
+++ b/refpolicy/policy/modules/services/telnet.te
@@ -90,15 +90,15 @@ sysnet_read_config(telnetd_t)
 remotelogin_domtrans(telnetd_t)
 # for identd; cjp: this should probably only be inetd_child rules?
-optional_policy(`kerberos',`
+optional_policy(`
 kerberos_use(telnetd_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(telnetd_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(telnetd_t)
 ')
diff --git a/refpolicy/policy/modules/services/tftp.te b/refpolicy/policy/modules/services/tftp.te
index 3e1f202..9f3097c 100644
--- a/refpolicy/policy/modules/services/tftp.te
+++ b/refpolicy/policy/modules/services/tftp.te
@@ -90,18 +90,18 @@ ifdef(`targeted_policy', `
 files_dontaudit_read_root_files(tftpd_t)
 ')
-optional_policy(`mount',`
+optional_policy(`
 mount_send_nfs_client_request(tftpd_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(tftpd_t)
 ')
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(tftpd_t)
 ')
-optional_policy(`udev', `
+optional_policy(`
 udev_read_db(tftpd_t)
 ')
diff --git a/refpolicy/policy/modules/services/timidity.te b/refpolicy/policy/modules/services/timidity.te
index 50d4a38..cea6beb 100644
--- a/refpolicy/policy/modules/services/timidity.te
+++ b/refpolicy/policy/modules/services/timidity.te
@@ -91,10 +91,10 @@ ifdef(`targeted_policy',`
 files_dontaudit_read_root_files(timidity_t)
 ')
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(timidity_t)
 ')
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(timidity_t)
 ')
diff --git a/refpolicy/policy/modules/services/tor.te b/refpolicy/policy/modules/services/tor.te
index 705272c..901cd08 100644
--- a/refpolicy/policy/modules/services/tor.te
+++ b/refpolicy/policy/modules/services/tor.te
@@ -92,6 +92,6 @@ miscfiles_read_localization(tor_t)
 sysnet_dns_name_resolve(tor_t)
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(tor_t)
 ')
diff --git a/refpolicy/policy/modules/services/ucspitcp.te b/refpolicy/policy/modules/services/ucspitcp.te
index cdaa0fb..81ee26c 100644
--- a/refpolicy/policy/modules/services/ucspitcp.te
+++ b/refpolicy/policy/modules/services/ucspitcp.te
@@ -43,7 +43,7 @@ files_search_var(rblsmtpd_t)
 libs_use_ld_so(rblsmtpd_t)
 libs_use_shared_libs(rblsmtpd_t)
-optional_policy(`daemontools',`
+optional_policy(`
 daemontools_ipc_domain(rblsmtpd_t)
 ')
@@ -84,7 +84,7 @@ libs_use_shared_libs(ucspitcp_t)
 sysnet_read_config(ucspitcp_t)
-optional_policy(`daemontools',`
+optional_policy(`
 daemontools_service_domain(ucspitcp_t,ucspitcp_exec_t)
 daemontools_read_svc(ucspitcp_t)
 ')
diff --git a/refpolicy/policy/modules/services/uucp.te b/refpolicy/policy/modules/services/uucp.te
index 20d12d9..bd62422 100644
--- a/refpolicy/policy/modules/services/uucp.te
+++ b/refpolicy/policy/modules/services/uucp.te
@@ -98,14 +98,14 @@ miscfiles_read_localization(uucpd_t)
 sysnet_read_config(uucpd_t)
-optional_policy(`kerberos',`
+optional_policy(`
 kerberos_use(uucpd_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(uucpd_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(uucpd_t)
 ')
diff --git a/refpolicy/policy/modules/services/xfs.te b/refpolicy/policy/modules/services/xfs.te
index d52a3ff..9cd8f96 100644
--- a/refpolicy/policy/modules/services/xfs.te
+++ b/refpolicy/policy/modules/services/xfs.te
@@ -79,14 +79,14 @@ ifdef(`targeted_policy',`
 files_dontaudit_read_root_files(xfs_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(xfs_t)
 ')
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(xfs_t)
 ')
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(xfs_t)
 ')
diff --git a/refpolicy/policy/modules/services/xserver.if b/refpolicy/policy/modules/services/xserver.if
index 6cf46cb..c928d83 100644
--- a/refpolicy/policy/modules/services/xserver.if
+++ b/refpolicy/policy/modules/services/xserver.if
@@ -159,19 +159,19 @@ template(`xserver_common_domain_template',`
 sysnet_read_config($1_xserver_t)
- optional_policy(`authlogin',`
+ optional_policy(`
 auth_search_pam_console_data($1_xserver_t)
 ')
- optional_policy(`nis',`
+ optional_policy(`
 nis_use_ypbind($1_xserver_t)
 ')
- optional_policy(`nscd',`
+ optional_policy(`
 nscd_socket_use($1_xserver_t)
 ')
- optional_policy(`xfs',`
+ optional_policy(`
 xfs_stream_connect($1_xserver_t)
 ')
@@ -288,7 +288,7 @@ template(`xserver_per_userdomain_template',`
 userdom_setattr_user_ttys($1,$1_xserver_t)
 userdom_rw_user_tmpfs_files($1,$1_xserver_t)
- optional_policy(`userhelper',`
+ optional_policy(`
 userhelper_search_config($1_xserver_t)
 ')
@@ -371,11 +371,11 @@ template(`xserver_per_userdomain_template',`
 fs_manage_cifs_files($1_xauth_t)
 ')
- optional_policy(`nis',`
+ optional_policy(`
 nis_use_ypbind($1_xauth_t)
 ')
- optional_policy(`ssh',`
+ optional_policy(`
 ssh_sigchld($1_xauth_t)
 ssh_read_pipes($1_xauth_t)
 ssh_dontaudit_rw_tcp_sockets($1_xauth_t)
@@ -567,7 +567,7 @@ template(`xserver_user_client_template',`
 ')
 # for X over a ssh tunnel
- optional_policy(`ssh',`
+ optional_policy(`
 kernel_tcp_recvfrom($2)
 ssh_tcp_connect($2)
 ')
diff --git a/refpolicy/policy/modules/services/xserver.te b/refpolicy/policy/modules/services/xserver.te
index d362fda..ae96e2e 100644
--- a/refpolicy/policy/modules/services/xserver.te
+++ b/refpolicy/policy/modules/services/xserver.te
@@ -60,7 +60,7 @@ logging_log_file(xserver_log_t)
 xserver_common_domain_template(xdm)
 init_system_domain(xdm_xserver_t,xserver_exec_t)
-optional_policy(`prelink',`
+optional_policy(`
 prelink_object_file(xkb_var_lib_t)
 ')
@@ -290,7 +290,7 @@ ifdef(`strict_policy',`
 # allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms;
 ')
- optional_policy(`alsa',`
+ optional_policy(`
 alsa_domtrans(xdm_t)
 ')
 ')
@@ -315,50 +315,50 @@ tunable_policy(`use_samba_home_dirs',`
 fs_exec_cifs_files(xdm_t)
 ')
-optional_policy(`gpm',`
+optional_policy(`
 # Talk to the console mouse server.
 gpm_stream_connect(xdm_t)
 gpm_setattr_gpmctl(xdm_t)
 ')
-optional_policy(`hostname',`
+optional_policy(`
 hostname_exec(xdm_t)
 ')
-optional_policy(`loadkeys',`
+optional_policy(`
 loadkeys_exec(xdm_t)
 ')
-optional_policy(`locallogin',`
+optional_policy(`
 locallogin_signull(xdm_t)
 ')
-optional_policy(`mta',`
+optional_policy(`
 # Do not audit attempts to check whether user root has email
 mta_dontaudit_getattr_spool_files(xdm_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(xdm_t)
 ')
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(xdm_t)
 ')
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(xdm_t)
 ')
-optional_policy(`userhelper',`
+optional_policy(`
 userhelper_dontaudit_search_config(xdm_t)
 ')
-optional_policy(`usermanage',`
+optional_policy(`
 usermanage_read_crack_db(xdm_t)
 ')
-optional_policy(`xfs',`
+optional_policy(`
 xfs_stream_connect(xdm_t)
 ')
@@ -429,7 +429,7 @@ ifdef(`targeted_policy',`
 unconfined_domtrans(xdm_xserver_t)
 ')
-optional_policy(`rhgb',`
+optional_policy(`
 rhgb_rw_shm(xdm_xserver_t)
 rhgb_rw_tmpfs_files(xdm_xserver_t)
 ')
diff --git a/refpolicy/policy/modules/services/zebra.te b/refpolicy/policy/modules/services/zebra.te
index 7002ab4..7124720 100644
--- a/refpolicy/policy/modules/services/zebra.te
+++ b/refpolicy/policy/modules/services/zebra.te
@@ -114,22 +114,22 @@ ifdef(`targeted_policy', `
 unconfined_sigchld(zebra_t)
 ')
-optional_policy(`ldap',`
+optional_policy(`
 ldap_use(zebra_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(zebra_t)
 ')
-optional_policy(`zebra',`
+optional_policy(`
 rpm_read_pipes(zebra_t)
 ')
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(zebra_t)
 ')
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(zebra_t)
 ')
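Review bot: The `zebra` label removed at zebra.te @@ -114 was the module's own name on a block that calls `rpm_read_pipes(zebra_t)`, so if the first argument used to decide when the block is built, this block previously followed zebra itself and now follows rpm — a behaviour change rather than a no-op rewrite. ipsec.te @@ -130 (further down the page) is the same case with the misspelled `selinuxutils` label on `seutil_sigchld_newrole(ipsec_t)`, where every other file on the page spells it `selinuxutil`. Both are improvements, but the Changelog entry describes the change as a pure deprecation; a sentence noting that previously mislabelled blocks now take effect would help anyone diffing the built policy.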
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 9e864a3..dddd366 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -58,19 +58,19 @@ template(`authlogin_common_auth_domain_template',`
 sysnet_dns_name_resolve($1_chkpwd_t)
 sysnet_use_ldap($1_chkpwd_t)
- optional_policy(`kerberos',`
+ optional_policy(`
 kerberos_use($1_chkpwd_t)
 ')
- optional_policy(`nis',`
+ optional_policy(`
 nis_use_ypbind($1_chkpwd_t)
 ')
- optional_policy(`nscd',`
+ optional_policy(`
 nscd_socket_use($1_chkpwd_t)
 ')
- optional_policy(`samba',`
+ optional_policy(`
 samba_stream_connect_winbind($1_chkpwd_t)
 ')
 ')
@@ -275,15 +275,15 @@ interface(`auth_domtrans_chk_passwd',`
 sysnet_dns_name_resolve($1)
 sysnet_use_ldap($1)
- optional_policy(`kerberos',`
+ optional_policy(`
 kerberos_use($1)
 ')
- optional_policy(`nis',`
+ optional_policy(`
 nis_use_ypbind($1)
 ')
- optional_policy(`samba',`
+ optional_policy(`
 samba_stream_connect_winbind($1)
 ')
 ')
@@ -1154,11 +1154,11 @@ interface(`auth_use_nsswitch',`
 sysnet_dns_name_resolve($1)
 sysnet_use_ldap($1)
- optional_policy(`nis',`
+ optional_policy(`
 nis_use_ypbind($1)
 ')
- optional_policy(`samba',`
+ optional_policy(`
 samba_stream_connect_winbind($1)
 ')
 ')
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index fbb4652..11dddec 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -117,15 +117,15 @@ logging_send_syslog_msg(pam_t)
 userdom_use_unpriv_users_fds(pam_t)
-optional_policy(`locallogin',`
+optional_policy(`
 locallogin_use_fds(pam_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(pam_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(pam_t)
 ')
@@ -223,25 +223,25 @@ ifdef(`targeted_policy', `
 files_dontaudit_read_root_files(pam_console_t)
 ')
-optional_policy(`gpm',`
+optional_policy(`
 gpm_getattr_gpmctl(pam_console_t)
 gpm_setattr_gpmctl(pam_console_t)
 ')
-optional_policy(`hotplug',`
+optional_policy(`
 hotplug_use_fds(pam_console_t)
 hotplug_dontaudit_search_config(pam_console_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(pam_console_t)
 ')
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(pam_console_t)
 ')
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(pam_console_t)
 ')
@@ -301,12 +301,12 @@ logging_search_logs(utempter_t)
 # Allow utemper to write to /tmp/.xses-*
 userdom_write_unpriv_users_tmp_files(utempter_t)
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(utempter_t)
 ')
 ifdef(`TODO',`
-optional_policy(`xdm',`
+optional_policy(`
 can_pipe_xdm(utempter_t)
 ')
 ')
diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te
index eae12da..fa90fde 100644
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@@ -67,23 +67,23 @@ ifdef(`targeted_policy',`
 files_dontaudit_read_root_files(hwclock_t)
 ')
-optional_policy(`apm',`
+optional_policy(`
 apm_append_log(hwclock_t)
 apm_rw_stream_sockets(hwclock_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(hwclock_t)
 ')
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(hwclock_t)
 ')
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(hwclock_t)
 ')
-optional_policy(`userdomain',`
+optional_policy(`
 userdom_dontaudit_use_unpriv_user_fds(hwclock_t)
 ')
diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te
index cb4a266..ac64ff6 100644
--- a/refpolicy/policy/modules/system/fstools.te
+++ b/refpolicy/policy/modules/system/fstools.te
@@ -157,21 +157,21 @@ tunable_policy(`read_default_t',`
 files_read_default_pipes(fsadm_t)
 ')
-optional_policy(`amanda',`
+optional_policy(`
 amanda_rw_dumpdates_files(fsadm_t)
 amanda_append_log_files(fsadm_t)
 ')
-optional_policy(`cron',`
+optional_policy(`
 # for smartctl cron jobs
 cron_system_entry(fsadm_t,fsadm_exec_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(fsadm_t)
 ')
-optional_policy(`rhgb',`
+optional_policy(`
 fs_dontaudit_write_ramfs_pipes(fsadm_t)
 rhgb_stub(fsadm_t)
 ')
diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te
index 456e3b5..cea7642 100644
--- a/refpolicy/policy/modules/system/getty.te
+++ b/refpolicy/policy/modules/system/getty.te
@@ -107,14 +107,14 @@ ifdef(`targeted_policy',`
 term_dontaudit_use_generic_ptys(getty_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(getty_t)
 ')
-optional_policy(`ppp',`
+optional_policy(`
 ppp_domtrans(getty_t)
 ')
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(getty_t)
 ')
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index e039a86..a71dfa6 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -126,7 +126,7 @@ userdom_dontaudit_use_unpriv_user_fds(hotplug_t)
 userdom_dontaudit_search_sysadm_home_dirs(hotplug_t)
 ifdef(`distro_redhat', `
- optional_policy(`netutils',`
+ optional_policy(`
 # for arping used for static IP addresses on PCMCIA ethernet
 netutils_domtrans(hotplug_t)
 fs_rw_tmpfs_chr_files(hotplug_t)
@@ -138,52 +138,52 @@ ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_ttys(hotplug_t)
 term_dontaudit_use_generic_ptys(hotplug_t)
- optional_policy(`consoletype',`
+ optional_policy(`
 consoletype_domtrans(hotplug_t)
 ')
 ')
-optional_policy(`dbus',`
+optional_policy(`
 dbus_system_bus_client_template(hotplug,hotplug_t)
 ')
-optional_policy(`fstools',`
+optional_policy(`
 fstools_domtrans(hotplug_t)
 ')
-optional_policy(`hal',`
+optional_policy(`
 hal_dgram_send(hotplug_t)
 ')
-optional_policy(`hostname',`
+optional_policy(`
 hostname_exec(hotplug_t)
 ')
-optional_policy(`iptables',`
+optional_policy(`
 iptables_domtrans(hotplug_t)
 ')
-optional_policy(`mount',`
+optional_policy(`
 mount_domtrans(hotplug_t)
 ')
-optional_policy(`mta',`
+optional_policy(`
 mta_send_mail(hotplug_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(hotplug_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(hotplug_t)
 ')
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(hotplug_t)
 ')
-optional_policy(`sysnetwork',`
+optional_policy(`
 sysnet_domtrans_dhcpc(hotplug_t)
 sysnet_signal_dhcpc(hotplug_t)
 sysnet_kill_dhcpc(hotplug_t)
@@ -195,16 +195,16 @@ optional_policy(`sysnetwork',`
 sysnet_domtrans_ifconfig(hotplug_t)
 ')
-optional_policy(`udev',`
+optional_policy(`
 udev_domtrans(hotplug_t)
 udev_helper_domtrans(hotplug_t)
 udev_read_db(hotplug_t)
 ')
-optional_policy(`updfstab',`
+optional_policy(`
 updfstab_domtrans(hotplug_t)
 ')
-optional_policy(`usbmodules',`
+optional_policy(`
 usbmodules_domtrans(hotplug_t)
 ')
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index dad3d96..819ff14 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -109,7 +109,7 @@ interface(`init_daemon_domain',`
 allow $1 $2:file { rx_file_perms entrypoint };
 ')
- optional_policy(`nscd',`
+ optional_policy(`
 nscd_socket_use($1)
 ')
 ')
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index ab16f6b..9ab09cc 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -174,20 +174,20 @@ ifdef(`targeted_policy',`
 unconfined_domain(init_t)
 ')
-optional_policy(`authlogin',`
+optional_policy(`
 auth_rw_login_records(init_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(init_t)
 ')
-optional_policy(`portmap',`
+optional_policy(`
 portmap_udp_send(init_t)
 ')
 # Run the shell in the sysadm_t domain for single-user mode.
-optional_policy(`userdomain',`
+optional_policy(`
 userdom_shell_domtrans_sysadm(init_t)
 ')
@@ -402,11 +402,11 @@ ifdef(`distro_debian',`
 ')
 ifdef(`distro_gentoo',`
- optional_policy(`arpwatch',`
+ optional_policy(`
 arpwatch_manage_data_files(initrc_t)
 ')
- optional_policy(`dhcp',`
+ optional_policy(`
 dhcpd_setattr_state_files(initrc_t)
 ')
 ')
@@ -453,27 +453,27 @@ ifdef(`distro_redhat',`
 miscfiles_read_fonts(initrc_t)
 miscfiles_read_hwdata(initrc_t)
- optional_policy(`bind',`
+ optional_policy(`
 bind_manage_config_dirs(initrc_t)
 bind_write_config(initrc_t)
 ')
- optional_policy(`rpc',`
+ optional_policy(`
 #for /etc/rc.d/init.d/nfs to create /etc/exports
 rpc_write_exports(initrc_t)
 ')
- optional_policy(`sysnetwork',`
+ optional_policy(`
 sysnet_rw_dhcp_config(initrc_t)
 ')
- optional_policy(`xserver',`
+ optional_policy(`
 xserver_delete_log(initrc_t)
 ')
 ')
 ifdef(`distro_suse',`
- optional_policy(`xserver',`
+ optional_policy(`
 # set permissions on /tmp/.X11-unix
 xserver_setattr_xdm_tmp_dirs(initrc_t)
 ')
@@ -483,85 +483,85 @@ ifdef(`targeted_policy',`
 domain_subj_id_change_exemption(initrc_t)
 unconfined_domain(initrc_t)
- optional_policy(`mono',`
+ optional_policy(`
 mono_domtrans(initrc_t)
 ')
 ',`
 # cjp: require doesnt work in optionals :\
 # this also would result in a type transition
 # conflict if sendmail is enabled
-# optional_policy(`sendmail',`',`
+# optional_policy(`',`
 # mta_send_mail(initrc_t)
 # ')
 ')
-optional_policy(`amavis',`
+optional_policy(`
 amavis_search_lib(initrc_t)
 amavis_setattr_pid_files(initrc_t)
 ')
-optional_policy(`apm',`
+optional_policy(`
 dev_rw_apm_bios(initrc_t)
 ')
-optional_policy(`apache',`
+optional_policy(`
 apache_read_config(initrc_t)
 apache_list_modules(initrc_t)
 ')
-optional_policy(`automount',`
+optional_policy(`
 automount_exec_config(initrc_t)
 ')
-optional_policy(`bind',`
+optional_policy(`
 bind_read_config(initrc_t)
 # for chmod in start script
 bind_setattr_pid_dirs(initrc_t)
 ')
-optional_policy(`bluetooth',`
+optional_policy(`
 dev_read_usbfs(initrc_t)
 bluetooth_read_config(initrc_t)
 ')
-optional_policy(`clamav',`
+optional_policy(`
 clamav_read_config(initrc_t)
 ')
-optional_policy(`cpucontrol',`
+optional_policy(`
 cpucontrol_stub(initrc_t)
 dev_getattr_cpu_dev(initrc_t)
 ')
-optional_policy(`cups',`
+optional_policy(`
 cups_read_log(initrc_t)
 ')
-optional_policy(`daemontools',`
+optional_policy(`
 daemontools_manage_svc(initrc_t)
 ')
-optional_policy(`dbus',`
+optional_policy(`
 dbus_connect_system_bus(initrc_t)
 dbus_send_system_bus(initrc_t)
 dbus_system_bus_client_template(initrc,initrc_t)
 dbus_read_config(initrc_t)
- optional_policy(`networkmanager',`
+ optional_policy(`
 networkmanager_dbus_chat(initrc_t)
 ')
 ')
-optional_policy(`ftp',`
+optional_policy(`
 ftp_read_config(initrc_t)
 ')
-optional_policy(`gpm',`
+optional_policy(`
 gpm_setattr_gpmctl(initrc_t)
 ')
-optional_policy(`hotplug',`
+optional_policy(`
 dev_read_usbfs(initrc_t)
 # init scripts run /etc/hotplug/usb.rc
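Review bot: The rewritten commented-out line `# optional_policy(`',`` at init.te @@ -483 keeps an empty quoted first argument followed by the else branch, which under the new two-argument form is a legal "no rules when sendmail is present, `mta_send_mail` otherwise" block but reads like a half-finished mechanical rewrite. Since the surrounding comment only explains why the block is disabled, adding `# (empty if-present branch; the else branch below applies when sendmail is absent)` above it would make the intended shape unambiguous if it is ever re-enabled. The same hunk's former `apm` block, now just `dev_rw_apm_bios(initrc_t)`, is discussed in the squid.te note above.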
@@ -570,29 +570,29 @@ optional_policy(`hotplug',`
 modutils_read_module_deps(initrc_t)
 ')
-optional_policy(`inn',`
+optional_policy(`
 inn_exec_config(initrc_t)
 ')
-optional_policy(`ipsec',`
+optional_policy(`
 ipsec_read_config(initrc_t)
 ipsec_manage_pid(initrc_t)
 ')
-optional_policy(`kerberos',`
+optional_policy(`
 kerberos_use(initrc_t)
 ')
-optional_policy(`ldap',`
+optional_policy(`
 ldap_read_config(initrc_t)
 ldap_list_db(initrc_t)
 ')
-optional_policy(`loadkeys',`
+optional_policy(`
 loadkeys_exec(initrc_t)
 ')
-optional_policy(`lpd',`
+optional_policy(`
 # This is needed to permit chown to read /var/spool/lpd/lp.
 # This is opens up security more than necessary; this means that ANYTHING
 # running in the initrc_t domain can read the printer spool directory.
@@ -603,7 +603,7 @@ optional_policy(`lpd',`
 lpd_read_config(initrc_t)
 ')
-optional_policy(`lvm',`
+optional_policy(`
 #allow initrc_t lvm_control_t:chr_file unlink;
 dev_read_lvm_control(initrc_t)
@@ -612,17 +612,17 @@ optional_policy(`lvm',`
 lvm_read_config(initrc_t)
 ')
-optional_policy(`mailman',`
+optional_policy(`
 mailman_list_data(initrc_t)
 mailman_read_data_symlinks(initrc_t)
 ')
-optional_policy(`mta',`
+optional_policy(`
 mta_read_config(initrc_t)
 mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
-optional_policy(`mysql',`
+optional_policy(`
 ifdef(`distro_redhat',`
 mysql_manage_db_dirs(initrc_t)
 ')
@@ -631,38 +631,38 @@ optional_policy(`mysql',`
 mysql_write_log(initrc_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(initrc_t)
 nis_udp_send_ypbind(initrc_t)
 nis_list_var_yp(initrc_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(initrc_t)
 ')
-optional_policy(`raid',`
+optional_policy(`
 raid_manage_mdadm_pid(initrc_t)
 ')
-optional_policy(`rpc',`
+optional_policy(`
 rpc_read_exports(initrc_t)
 ')
-optional_policy(`postgresql',`
+optional_policy(`
 postgresql_manage_db(initrc_t)
 postgresql_read_config(initrc_t)
 ')
-optional_policy(`postfix',`
+optional_policy(`
 postfix_list_spool(initrc_t)
 ')
-optional_policy(`quota',`
+optional_policy(`
 quota_manage_flags(initrc_t)
 ')
-optional_policy(`rhgb',`
+optional_policy(`
 corecmd_shell_entry_type(initrc_t)
 fs_write_ramfs_sockets(initrc_t)
 fs_search_ramfs(initrc_t)
@@ -671,7 +671,7 @@ optional_policy(`rhgb',`
 rhgb_stream_connect(initrc_t)
 ')
-optional_policy(`rpm',`
+optional_policy(`
 # bash tries to access a block device in the initrd
 kernel_dontaudit_getattr_unlabeled_blk_files(initrc_t)
@@ -685,46 +685,46 @@ optional_policy(`rpm',`
 rpm_manage_db(initrc_t)
 ')
-optional_policy(`samba',`
+optional_policy(`
 samba_rw_config(initrc_t)
 samba_read_winbind_pid(initrc_t)
 ')
-optional_policy(`squid',`
+optional_policy(`
 squid_read_config(initrc_t)
 squid_manage_logs(initrc_t)
 ')
-optional_policy(`ssh',`
+optional_policy(`
 ssh_dontaudit_read_server_keys(initrc_t)
 ')
 # allow init scripts to su
-optional_policy(`su',`
+optional_policy(`
 su_restricted_domain_template(initrc,initrc_t,system_r)
 ')
-optional_policy(`sysnetwork',`
+optional_policy(`
 sysnet_read_dhcpc_state(initrc_t)
 ')
-optional_policy(`uml',`
+optional_policy(`
 uml_setattr_util_sockets(initrc_t)
 ')
-optional_policy(`xfs',`
+optional_policy(`
 miscfiles_manage_fonts(initrc_t)
 # cjp: is this really needed?
 xfs_read_sockets(initrc_t)
 ')
-optional_policy(`xserver',`
+optional_policy(`
 # init s cript wants to check if it needs to update windowmanagerlist
 xserver_read_xdm_rw_config(initrc_t)
 ')
-optional_policy(`zebra',`
+optional_policy(`
 zebra_read_config(initrc_t)
 ')
diff --git a/refpolicy/policy/modules/system/ipsec.te b/refpolicy/policy/modules/system/ipsec.te
index dd4ee28..4b618ef 100644
--- a/refpolicy/policy/modules/system/ipsec.te
+++ b/refpolicy/policy/modules/system/ipsec.te
@@ -130,15 +130,15 @@ ifdef(`targeted_policy', `
 files_dontaudit_read_root_files(ipsec_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(ipsec_t)
 ')
-optional_policy(`selinuxutils',`
+optional_policy(`
 seutil_sigchld_newrole(ipsec_t)
 ')
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(ipsec_t)
 ')
@@ -255,11 +255,11 @@ sysnet_domtrans_ifconfig(ipsec_mgmt_t)
 userdom_use_sysadm_terms(ipsec_mgmt_t)
-optional_policy(`consoletype',`
+optional_policy(`
 consoletype_exec(ipsec_mgmt_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(ipsec_mgmt_t)
 ')
diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te
index d81e6f1..5098c76 100644
--- a/refpolicy/policy/modules/system/iptables.te
+++ b/refpolicy/policy/modules/system/iptables.te
@@ -81,24 +81,24 @@ ifdef(`targeted_policy', `
 files_dontaudit_read_root_files(iptables_t)
 ')
-optional_policy(`firstboot',`
+optional_policy(`
 firstboot_use_fds(iptables_t)
 firstboot_write_pipes(iptables_t)
 ')
-optional_policy(`modutils',`
+optional_policy(`
 modutils_domtrans_insmod(iptables_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 # for iptables -L
 nis_use_ypbind(iptables_t)
 ')
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(iptables_t)
 ')
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(iptables_t)
 ')
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
index 8a2b5e0..8ed52a3 100644
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@@ -82,7 +82,7 @@ logging_send_syslog_msg(ldconfig_t)
 userdom_use_all_users_fds(ldconfig_t)
 ifdef(`hide_broken_symptoms',`
- optional_policy(`unconfined',`
+ optional_policy(`
 unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
 ')
 ')
@@ -92,7 +92,7 @@ ifdef(`targeted_policy',`
 unconfined_domain(ldconfig_t)
 ')
-optional_policy(`apache',`
+optional_policy(`
 # dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
 apache_dontaudit_search_modules(ldconfig_t)
 ')
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index f9be092..62e6690 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -196,24 +196,24 @@ tunable_policy(`use_samba_home_dirs',`
 fs_read_cifs_symlinks(local_login_t)
 ')
-optional_policy(`gpm',`
+optional_policy(`
 gpm_getattr_gpmctl(local_login_t)
 gpm_setattr_gpmctl(local_login_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(local_login_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(local_login_t)
 ')
-optional_policy(`usermanage',`
+optional_policy(`
 usermanage_read_crack_db(local_login_t)
 ')
-optional_policy(`alsa',`
+optional_policy(`
 alsa_domtrans(local_login_t)
 ')
@@ -278,10 +278,10 @@ ifdef(`sulogin_no_pam', `
 selinux_compute_user_contexts(sulogin_t)
 ')
-optional_policy(`nis',`
+optional_policy(`
 nis_use_ypbind(sulogin_t)
 ')
-optional_policy(`nscd',`
+optional_policy(`
 nscd_socket_use(sulogin_t)
 ')
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 80e2252..2268747 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -180,11 +180,11 @@ ifdef(`targeted_policy',`
 unconfined_dontaudit_read_pipes(auditd_t)
 ')
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(auditd_t)
 ')
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(auditd_t)
 ')
@@ -242,7 +242,7 @@ mls_file_read_up(klogd_t)
 userdom_dontaudit_search_sysadm_home_dirs(klogd_t)
-optional_policy(`udev',`
+optional_policy(`
 udev_read_db(klogd_t)
 ')
@@ -251,7 +251,7 @@ ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_ttys(klogd_t)
 ')
-optional_policy(`selinuxutil',`
+optional_policy(`
 seutil_sigchld_newrole(klogd_t)
 ')
@@ -364,23 +364,23 @@ ifdef(`targeted_policy',` files_dontaudit_read_root_files(syslogd_t) ') -optional_policy(`inn',` +optional_policy(` inn_manage_log(syslogd_t) ') -optional_policy(`nis',` +optional_policy(` nis_use_ypbind(syslogd_t) ') -optional_policy(`nscd',` +optional_policy(` nscd_socket_use(syslogd_t) ') -optional_policy(`selinuxutil',` +optional_policy(` seutil_sigchld_newrole(syslogd_t) ') -optional_policy(`udev',` +optional_policy(` udev_read_db(syslogd_t) ') diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te index 1f9d055..1628962 100644 --- a/refpolicy/policy/modules/system/lvm.te +++ b/refpolicy/policy/modules/system/lvm.te @@ -110,15 +110,15 @@ ifdef(`targeted_policy', ` files_dontaudit_read_root_files(clvmd_t) ') -optional_policy(`mount',` +optional_policy(` mount_send_nfs_client_request(clvmd_t) ') -optional_policy(`nis',` +optional_policy(` nis_use_ypbind(clvmd_t) ') -optional_policy(`udev',` +optional_policy(` udev_read_db(clvmd_t) ') @@ -258,14 +258,14 @@ ifdef(`targeted_policy', ` files_dontaudit_read_root_files(lvm_t) ') -optional_policy(`bootloader',` +optional_policy(` bootloader_rw_tmp_files(lvm_t) ') -optional_policy(`gpm',` +optional_policy(` gpm_dontaudit_getattr_gpmctl(lvm_t) ') -optional_policy(`udev',` +optional_policy(` udev_read_db(lvm_t) ') diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te index 6d863ab..415ad30 100644 --- a/refpolicy/policy/modules/system/modutils.te +++ b/refpolicy/policy/modules/system/modutils.te 
@@ -127,23 +127,23 @@ ifdef(`targeted_policy',` unconfined_domain(insmod_t) ') -optional_policy(`hotplug',` +optional_policy(` hotplug_search_config(insmod_t) ') -optional_policy(`mount',` +optional_policy(` mount_domtrans(insmod_t) ') -optional_policy(`nis',` +optional_policy(` nis_use_ypbind(insmod_t) ') -optional_policy(`nscd',` +optional_policy(` nscd_socket_use(insmod_t) ') -optional_policy(`rhgb',` +optional_policy(` fs_manage_ramfs_files(insmod_t) rhgb_use_fds(insmod_t) @@ -153,13 +153,13 @@ optional_policy(`rhgb',` ') ') -optional_policy(`rpm',` +optional_policy(` rpm_rw_pipes(insmod_t) ') ifdef(`TODO',` allow insmod_t proc_t:file rw_file_perms; -optional_policy(`xserver',` +optional_policy(` xserver_getattr_log(insmod_t) allow insmod_t xserver_misc_device_t:chr_file { read write }; ') @@ -214,7 +214,7 @@ ifdef(`targeted_policy', ` term_use_generic_ptys(depmod_t) ') -optional_policy(`rpm',` +optional_policy(` rpm_rw_pipes(depmod_t) ') diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te index 9161405..08a5c9c 100644 --- a/refpolicy/policy/modules/system/mount.te +++ b/refpolicy/policy/modules/system/mount.te @@ -92,14 +92,14 @@ sysnet_use_portmap(mount_t) userdom_use_all_users_fds(mount_t) ifdef(`distro_redhat',` - optional_policy(`authlogin',` + optional_policy(` auth_read_pam_console_data(mount_t) # mount config by default sets fscontext=removable_t fs_relabelfrom_dos_fs(mount_t) ') ') -optional_policy(`portmap',` +optional_policy(` # for nfs corenet_non_ipsec_sendrecv(mount_t) corenet_tcp_sendrecv_all_if(mount_t) @@ -122,16 +122,16 @@ optional_policy(`portmap',` portmap_udp_chat(mount_t) - optional_policy(`nis',` + optional_policy(` nis_use_ypbind(mount_t) ') ') -optional_policy(`apm',` +optional_policy(` apm_use_fds(mount_t) ') -optional_policy(`rhgb',` +optional_policy(` ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) 
@@ -140,11 +140,11 @@ optional_policy(`rhgb',` ') # for kernel package installation -optional_policy(`rpm',` +optional_policy(` rpm_rw_pipes(mount_t) ') -optional_policy(`samba',` +optional_policy(` samba_domtrans_smbmount(mount_t) ') diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te index df17b40..e857127 100644 --- a/refpolicy/policy/modules/system/pcmcia.te +++ b/refpolicy/policy/modules/system/pcmcia.te @@ -128,12 +128,12 @@ ifdef(`targeted_policy',` files_dontaudit_read_root_files(cardmgr_t) ') -optional_policy(`selinuxutil',` +optional_policy(` seutil_dontaudit_read_config(cardmgr_t) seutil_sigchld_newrole(cardmgr_t) ') -optional_policy(`sysnetwork',` +optional_policy(` sysnet_domtrans_dhcpc(cardmgr_t) sysnet_read_dhcpc_pid(cardmgr_t) @@ -145,7 +145,7 @@ optional_policy(`sysnetwork',` sysnet_sigstop_dhcpc(cardmgr_t) ') -optional_policy(`udev',` +optional_policy(` udev_read_db(cardmgr_t) ') diff --git a/refpolicy/policy/modules/system/raid.te b/refpolicy/policy/modules/system/raid.te index f6ad01f..e34eb6c 100644 --- a/refpolicy/policy/modules/system/raid.te +++ b/refpolicy/policy/modules/system/raid.te @@ -75,11 +75,11 @@ ifdef(`targeted_policy',` files_dontaudit_read_root_files(mdadm_t) ') -optional_policy(`selinux',` +optional_policy(` seutil_sigchld_newrole(mdadm_t) ') -optional_policy(`udev',` +optional_policy(` udev_read_db(mdadm_t) ') diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index 9b7f564..54a4013 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -208,7 +208,7 @@ userdom_use_all_users_fds(load_policy_t) ifdef(`hide_broken_symptoms',` # cjp: cover up stray file descriptors. dontaudit load_policy_t selinux_config_t:file write; - optional_policy(`unconfined',` + optional_policy(` unconfined_dontaudit_read_pipes(load_policy_t) ') ') 
@@ -314,11 +314,11 @@ ifdef(`targeted_policy',` } ') -optional_policy(`nis',` +optional_policy(` nis_use_ypbind(newrole_t) ') -optional_policy(`nscd',` +optional_policy(` nscd_socket_use(newrole_t) ') @@ -398,7 +398,7 @@ ifdef(`hide_broken_symptoms',` udev_dontaudit_rw_dgram_sockets(restorecon_t) ') -optional_policy(`hotplug',` +optional_policy(` hotplug_use_fds(restorecon_t) ') @@ -474,11 +474,11 @@ ifdef(`targeted_policy',`',` logging_send_syslog_msg(run_init_t) - optional_policy(`daemontools',` + optional_policy(` daemontools_domtrans_start(run_init_t) ') - optional_policy(`nscd',` + optional_policy(` nscd_socket_use(run_init_t) ') @@ -527,7 +527,7 @@ seutil_manage_module_store(semanage_t) seutil_get_semanage_trans_lock(semanage_t) seutil_get_semanage_read_lock(semanage_t) -optional_policy(`nscd',` +optional_policy(` nscd_socket_use(semanage_t) ') diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te index 50e4d0f..34c1841 100644 --- a/refpolicy/policy/modules/system/sysnetwork.te +++ b/refpolicy/policy/modules/system/sysnetwork.te @@ -157,11 +157,11 @@ ifdef(`targeted_policy', ` files_dontaudit_read_root_files(dhcpc_t) ') -optional_policy(`consoletype',` +optional_policy(` consoletype_domtrans(dhcpc_t) ') -optional_policy(`dbus',` +optional_policy(` gen_require(` class dbus send_msg; ') @@ -174,7 +174,7 @@ optional_policy(`dbus',` dbus_connect_system_bus(dhcpc_t) dbus_send_system_bus(dhcpc_t) - optional_policy(`networkmanager',` + optional_policy(` networkmanager_dbus_chat(dhcpc_t) ') @@ -184,11 +184,11 @@ optional_policy(`dbus',` ') ') -optional_policy(`hostname',` +optional_policy(` hostname_domtrans(dhcpc_t) ') -optional_policy(`hotplug',` +optional_policy(` hotplug_getattr_config_dirs(dhcpc_t) hotplug_search_config(dhcpc_t) 
@@ -198,7 +198,7 @@ optional_policy(`hotplug',` ') # for the dhcp client to run ping to check IP addresses -optional_policy(`netutils',` +optional_policy(` netutils_domtrans_ping(dhcpc_t) netutils_domtrans(dhcpc_t) ',` @@ -206,7 +206,7 @@ optional_policy(`netutils',` allow dhcpc_t self:rawip_socket create_socket_perms; ') -optional_policy(`nis',` +optional_policy(` nis_use_ypbind(dhcpc_t) nis_signal_ypbind(dhcpc_t) nis_read_ypbind_pid(dhcpc_t) @@ -217,36 +217,36 @@ optional_policy(`nis',` nis_domtrans_ypbind(dhcpc_t) ') -optional_policy(`nscd',` +optional_policy(` nscd_domtrans(dhcpc_t) nscd_read_pid(dhcpc_t) ') -optional_policy(`ntp',` +optional_policy(` # dhclient sometimes starts ntpd init_exec_script_files(dhcpc_t) ntp_domtrans(dhcpc_t) ') -optional_policy(`pcmcia',` +optional_policy(` pcmcia_stub(dhcpc_t) dev_rw_cardmgr(dhcpc_t) ') -optional_policy(`selinuxutil',` +optional_policy(` seutil_sigchld_newrole(dhcpc_t) seutil_dontaudit_search_config(dhcpc_t) ') -optional_policy(`udev',` +optional_policy(` udev_read_db(dhcpc_t) ') -optional_policy(`userdomain',` +optional_policy(` userdom_use_all_users_fds(dhcpc_t) ') -optional_policy(`xen',` +optional_policy(` xen_append_log(dhcpc_t) ') @@ -318,11 +318,11 @@ seutil_use_runinit_fds(ifconfig_t) userdom_use_all_users_fds(ifconfig_t) ifdef(`hide_broken_symptoms',` - optional_policy(`pcmcia',` + optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') - optional_policy(`udev',` + optional_policy(` udev_dontaudit_rw_dgram_sockets(ifconfig_t) ') ') @@ -332,18 +332,18 @@ ifdef(`targeted_policy',` term_use_unallocated_ttys(ifconfig_t) ') -optional_policy(`netutils',` +optional_policy(` netutils_domtrans(dhcpc_t) ') -optional_policy(`nis',` +optional_policy(` nis_use_ypbind(ifconfig_t) ') -optional_policy(`ppp',` +optional_policy(` ppp_use_fds(ifconfig_t) ') -optional_policy(`xen',` +optional_policy(` xen_append_log(ifconfig_t) ') 
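Review bot: In the ifconfig_t hunk (`@@ -332`) the netutils block still reads `netutils_domtrans(dhcpc_t)` while every neighbouring rule targets `ifconfig_t`, so it grants ifconfig_t nothing and merely repeats the dhcpc_t rule from the `@@ -198` hunk above; this looks like a pre-existing copy-paste slip that the sweep leaves in place. If ifconfig was meant to transition to the netutils domain the line should be `netutils_domtrans(ifconfig_t)`, otherwise the block is dead and could be removed; the intent cannot be confirmed from the diff alone.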
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te index b5c67a4..7c32ad7 100644 --- a/refpolicy/policy/modules/system/udev.te +++ b/refpolicy/policy/modules/system/udev.te @@ -166,40 +166,40 @@ ifdef(`targeted_policy',` unconfined_domain(udev_t) ') -optional_policy(`authlogin',` +optional_policy(` auth_read_pam_console_data(udev_t) auth_domtrans_pam_console(udev_t) ') -optional_policy(`consoletype',` +optional_policy(` consoletype_exec(udev_t) ') -optional_policy(`dbus',` +optional_policy(` dbus_system_bus_client_template(udev,udev_t) ') -optional_policy(`hal',` +optional_policy(` hal_dgram_send(udev_t) ') -optional_policy(`hotplug',` +optional_policy(` hotplug_read_config(udev_t) ') -optional_policy(`nis',` +optional_policy(` nis_use_ypbind(udev_t) ') -optional_policy(`nscd',` +optional_policy(` nscd_socket_use(udev_t) ') -optional_policy(`sysnetwork',` +optional_policy(` sysnet_domtrans_dhcpc(udev_t) ') -#optional_policy(`xdm',` +#optional_policy(` # xdm_read_pid(udev_t) #') diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if index 68a09fd..79d3af0 100644 --- a/refpolicy/policy/modules/system/unconfined.if +++ b/refpolicy/policy/modules/system/unconfined.if @@ -63,29 +63,29 @@ interface(`unconfined_domain_noaudit',` ') - optional_policy(`authlogin',` + optional_policy(` auth_unconfined($1) ') - optional_policy(`dbus',` + optional_policy(` # Communicate via dbusd. dbus_system_bus_unconfined($1) ') - optional_policy(`libraries',` + optional_policy(` libs_use_shared_libs($1) ') - optional_policy(`nscd',` + optional_policy(` nscd_unconfined($1) ') - optional_policy(`selinuxutil',` + optional_policy(` seutil_create_bin_policy($1) seutil_relabelto_bin_policy($1) ') - optional_policy(`storage',` + optional_policy(` storage_unconfined($1) ') 
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te index 1d76b1c..d6da5b4 100644 --- a/refpolicy/policy/modules/system/unconfined.te +++ b/refpolicy/policy/modules/system/unconfined.te 
@@ -41,123 +41,123 @@ ifdef(`targeted_policy',` userdom_unconfined(unconfined_t) userdom_priveleged_home_dir_manager(unconfined_t) - optional_policy(`amanda',` + optional_policy(` amanda_domtrans_recover(unconfined_t) ') - optional_policy(`apache',` + optional_policy(` apache_domtrans_helper(unconfined_t) ') - optional_policy(`bind',` + optional_policy(` bind_domtrans_ndc(unconfined_t) ') - optional_policy(`bluetooth',` + optional_policy(` bluetooth_domtrans_helper(unconfined_t) ') - optional_policy(`dbus',` + optional_policy(` dbus_stub(unconfined_t) - optional_policy(`avahi',` + optional_policy(` avahi_dbus_chat(unconfined_t) ') - optional_policy(`bluetooth',` + optional_policy(` bluetooth_dbus_chat(unconfined_t) ') - optional_policy(`cups',` + optional_policy(` cups_dbus_chat_config(unconfined_t) ') - optional_policy(`hal',` + optional_policy(` hal_dbus_chat(unconfined_t) ') - optional_policy(`networkmanager',` + optional_policy(` networkmanager_dbus_chat(unconfined_t) ') ') - optional_policy(`dmidecode',` + optional_policy(` dmidecode_domtrans(unconfined_t) ') - optional_policy(`firstboot',` + optional_policy(` firstboot_domtrans(unconfined_t) ') - optional_policy(`java',` + optional_policy(` java_domtrans(unconfined_t) ') - optional_policy(`lpd',` + optional_policy(` lpd_domtrans_checkpc(unconfined_t) ') - optional_policy(`modutils',` + optional_policy(` modutils_domtrans_update_mods(unconfined_t) ') - optional_policy(`mono',` + optional_policy(` mono_domtrans(unconfined_t) ') - optional_policy(`netutils',` + optional_policy(` netutils_domtrans_ping(unconfined_t) ') - optional_policy(`portmap',` + optional_policy(` portmap_domtrans_helper(unconfined_t) ') - optional_policy(`postfix',` + optional_policy(` postfix_domtrans_map(unconfined_t) # cjp: this should probably be removed: postfix_domtrans_master(unconfined_t) ') - optional_policy(`rpc',` + optional_policy(` # cjp: this should probably be removed: rpc_domtrans_nfsd(unconfined_t) ') - 
optional_policy(`rpm',` + optional_policy(` rpm_domtrans(unconfined_t) ') - optional_policy(`samba',` + optional_policy(` samba_domtrans_net(unconfined_t) samba_domtrans_winbind_helper(unconfined_t) ') - optional_policy(`sendmail',` + optional_policy(` sendmail_domtrans(unconfined_t) ') - optional_policy(`sysnetwork',` + optional_policy(` sysnet_domtrans_dhcpc(unconfined_t) ') - optional_policy(`usermanage',` + optional_policy(` usermanage_domtrans_admin_passwd(unconfined_t) ') - optional_policy(`vpn',` + optional_policy(` vpn_domtrans(unconfined_t) ') - optional_policy(`webalizer',` + optional_policy(` webalizer_domtrans(unconfined_t) ') - optional_policy(`wine',` + optional_policy(` wine_domtrans(unconfined_t) ') - optional_policy(`xserver',` + optional_policy(` xserver_domtrans_xdm_xserver(unconfined_t) ') ') diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 8bda242..eb07854 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if 
@@ -318,71 +318,71 @@ template(`base_user_template',` term_getattr_all_user_ttys($1_t) ') - optional_policy(`apm',` + optional_policy(` # Allow graphical boot to check battery lifespan apm_stream_connect($1_t) ') - optional_policy(`canna',` + optional_policy(` canna_stream_connect($1_t) ') - optional_policy(`cups',` + optional_policy(` cups_stream_connect_ptal($1_t) ') - optional_policy(`dbus',` + optional_policy(` dbus_system_bus_client_template($1,$1_t) - optional_policy(`cups',` + optional_policy(` cups_dbus_chat_config($1_t) ') - optional_policy(`hal',` + optional_policy(` hal_dbus_chat($1_t) ') - optional_policy(`networkmanager',` + optional_policy(` networkmanager_dbus_chat($1_t) ') ') - optional_policy(`dictd',` + optional_policy(` dictd_tcp_connect($1_t) ') - optional_policy(`ftp',` + optional_policy(` tunable_policy(`ftpd_is_daemon',` ftp_tcp_connect($1_t) ') ') - optional_policy(`finger',` + optional_policy(` finger_tcp_connect($1_t) ') - optional_policy(`i18n_input',` + optional_policy(` i18n_use($1_t) ') - optional_policy(`inetd',` + optional_policy(` inetd_tcp_connect($1_t) inetd_udp_send($1_t) inetd_use_fds($1_t) inetd_rw_tcp_sockets($1_t) ') - optional_policy(`inn',` + optional_policy(` inn_read_config($1_t) inn_read_news_lib($1_t) inn_read_news_spool($1_t) ') - optional_policy(`nis',` + optional_policy(` nis_use_ypbind($1_t) ') - optional_policy(`mysql',` + optional_policy(` ifdef(`strict_policy',` tunable_policy(`allow_user_mysql_connect',` mysql_stream_connect($1_t) 
@@ -390,57 +390,57 @@ template(`base_user_template',` ') ') - optional_policy(`nscd',` + optional_policy(` nscd_socket_use($1_t) ') - optional_policy(`pcmcia',` + optional_policy(` # to allow monitoring of pcmcia status pcmcia_read_pid($1_t) ') - optional_policy(`portmap',` + optional_policy(` portmap_tcp_connect($1_t) ') - optional_policy(`quota',` + optional_policy(` quota_dontaudit_getattr_db($1_t) ') - optional_policy(`rpc',` + optional_policy(` rpc_dontaudit_getattr_exports($1_t) rpc_manage_nfs_rw_content($1_t) ') - optional_policy(`rpm',` + optional_policy(` files_getattr_var_lib_dirs($1_t) files_search_var_lib($1_t) rpm_read_db($1_t) rpm_dontaudit_manage_db($1_t) ') - optional_policy(`samba',` + optional_policy(` samba_stream_connect_winbind($1_t) ') - optional_policy(`slrnpull',` + optional_policy(` slrnpull_search_spool($1_t) ') - optional_policy(`squid',` + optional_policy(` squid_use($1_t) ') - optional_policy(`usermanage',` + optional_policy(` usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) ') - optional_policy(`usernetctl',` + optional_policy(` usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) ') - optional_policy(`xserver',` + optional_policy(` dev_rw_xserver_misc($1_t) xserver_user_client_template($1,$1_t,$1_tmpfs_t) xserver_xsession_entry_type($1_t) 
@@ -609,44 +609,44 @@ template(`unpriv_user_template', ` corenet_tcp_bind_generic_port($1_t) ') - optional_policy(`dbus',` + optional_policy(` dbus_stub($1_t) - optional_policy(`bluetooth',` + optional_policy(` bluetooth_dbus_chat($1_t) ') ') - optional_policy(`kerberos',` + optional_policy(` kerberos_use($1_t) ') - optional_policy(`loadkeys',` + optional_policy(` loadkeys_run($1_t,$1_r,$1_tty_device_t) ') # for running depmod as part of the kernel packaging process - optional_policy(`modutils',` + optional_policy(` modutils_read_module_config($1_t) ') - optional_policy(`netutils',` + optional_policy(` netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) ') # Run pppd in pppd_t by default for user - optional_policy(`ppp', ` + optional_policy(` ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) ') - optional_policy(`selinuxutil',` + optional_policy(` # for when the network connection is killed seutil_dontaudit_signal_newrole($1_t) ') # Need the following rule to allow users to run vpnc - optional_policy(`xserver', ` + optional_policy(` corenet_tcp_bind_xserver_port($1_t) ') @@ -890,19 +890,19 @@ template(`admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) - optional_policy(`cron',` + optional_policy(` cron_admin_template($1,$1_t,$1_r) ') - optional_policy(`ethereal',` + optional_policy(` ethereal_admin_template($1,$1_t,$1_r) ') - optional_policy(`lpd',` + optional_policy(` lpr_admin_template($1,$1_t,$1_r) ') - optional_policy(`mta',` + optional_policy(` mta_admin_template($1,$1_t,$1_r) ') diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index d43a2a4..c28ad16 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te 
@@ -110,7 +110,7 @@ ifdef(`targeted_policy',` allow staff_r secadm_r; ') - optional_policy(`samba',` + optional_policy(` samba_per_userdomain_template(user) ') ',` @@ -160,12 +160,12 @@ ifdef(`targeted_policy',` init_exec(sysadm_t) ifdef(`direct_sysadm_daemon',` - optional_policy(`init',` + optional_policy(` init_run_daemon(sysadm_t,sysadm_r,admin_terminal) ') ',` ifdef(`distro_gentoo',` - optional_policy(`selinuxutil',` + optional_policy(` seutil_init_script_run_runinit(sysadm_t,sysadm_r,admin_terminal) ') ') @@ -190,46 +190,46 @@ ifdef(`targeted_policy',` domain_ptrace_all_domains(sysadm_t) ') - optional_policy(`amanda',` + optional_policy(` amanda_run_recover(sysadm_t,sysadm_r,admin_terminal) ') - optional_policy(`apache',` + optional_policy(` apache_run_helper(sysadm_t,sysadm_r,admin_terminal) #apache_run_all_scripts(sysadm_t,sysadm_r) #apache_domtrans_sys_script(sysadm_t) ') - optional_policy(`apm',` + optional_policy(` # cjp: why is this not apm_run_client apm_domtrans_client(sysadm_t) ') - optional_policy(`apt',` + optional_policy(` apt_run(sysadm_t,sysadm_r,admin_terminal) ') - optional_policy(`bootloader',` + optional_policy(` bootloader_run(sysadm_t,sysadm_r,admin_terminal) ') - optional_policy(`bind',` + optional_policy(` bind_run_ndc(sysadm_t,sysadm_r,admin_terminal) ') - optional_policy(`bluetooth',` + optional_policy(` bluetooth_run_helper(sysadm_t,sysadm_r,admin_terminal) ') - optional_policy(`clock',` + optional_policy(` clock_run(sysadm_t,sysadm_r,admin_terminal) ') - optional_policy(`certwatch',` + optional_policy(` certwatach_run(sysadm_t,sysadm_r,admin_terminal) ') - optional_policy(`consoletype',` + optional_policy(` consoletype_exec(sysadm_t) ifdef(`enable_mls',` @@ -237,11 +237,11 @@ ifdef(`targeted_policy',` ') ') - optional_policy(`ddcprobe',` + optional_policy(` ddcprobe_run(sysadm_t,sysadm_r,admin_terminal) ') - optional_policy(`dmesg',` + optional_policy(` dmesg_exec(sysadm_t) ifdef(`enable_mls',` 
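Review bot: `certwatach_run(sysadm_t,sysadm_r,admin_terminal)` in the `@@ -190` hunk looks misspelled — the module is named certwatch everywhere else, including the first argument this change removes. If the interface in certwatch.if is declared as `certwatch_run`, the call would presumably pass through m4 as literal text and reach checkpolicy as a syntax error rather than being skipped as an optional block; if the .if file carries the same spelling the pair is consistent but worth correcting together. The line is unchanged context, so this commit does not introduce it; `userdom_priveleged_home_dir_manager(unconfined_t)` in the unconfined.te hunk deserves the same check.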
@@ -249,31 +249,31 @@ ifdef(`targeted_policy',` ') ') - optional_policy(`dmidecode',` + optional_policy(` dmidecode_run(sysadm_t,sysadm_r,admin_terminal) ') - optional_policy(`dpkg',` + optional_policy(` dpkg_run(sysadm_t,sysadm_r,admin_terminal) ') - optional_policy(`ethereal',` + optional_policy(` ethereal_run_tethereal(sysadm_t,sysadm_r,admin_terminal) ') - optional_policy(`firstboot',` + optional_policy(` firstboot_run(sysadm_t,sysadm_r,sysadm_tty_device_t) ') - optional_policy(`fstools',` + optional_policy(` fstools_run(sysadm_t,sysadm_r,admin_terminal) ') - optional_policy(`hostname',` + optional_policy(` hostname_run(sysadm_t,sysadm_r,admin_terminal) ') - optional_policy(`ipsec',` + optional_policy(` # allow system administrator to use the ipsec script to look # at things (e.g., ipsec auto --status) # probably should create an ipsec_admin role for this kind of thing 
@@ -283,89 +283,89 @@ ifdef(`targeted_policy',` ipsec_getattr_key_sockets(sysadm_t) ') - optional_policy(`iptables',` + optional_policy(` iptables_run(sysadm_t,sysadm_r,admin_terminal) ') - optional_policy(`libraries',` + optional_policy(` libs_run_ldconfig(sysadm_t,sysadm_r,admin_terminal) ') - optional_policy(`lvm',` + optional_policy(` lvm_run(sysadm_t,sysadm_r,admin_terminal) ') - optional_policy(`logrotate',` + optional_policy(` logrotate_run(sysadm_t,sysadm_r,admin_terminal) ') - optional_policy(`lpd',` + optional_policy(` lpd_run_checkpc(sysadm_t,sysadm_r,admin_terminal) ') - optional_policy(`kudzu',` + optional_policy(` kudzu_run(sysadm_t,sysadm_r,admin_terminal) ') - optional_policy(`modutils',` + optional_policy(` modutils_run_depmod(sysadm_t,sysadm_r,admin_terminal) modutils_run_insmod(sysadm_t,sysadm_r,admin_terminal) modutils_run_update_mods(sysadm_t,sysadm_r,admin_terminal) ') - optional_policy(`mount',` + optional_policy(` mount_run(sysadm_t,sysadm_r,admin_terminal) ') - optional_policy(`mysql',` + optional_policy(` mysql_stream_connect(sysadm_t) ') - optional_policy(`netutils',` + optional_policy(` netutils_run(sysadm_t,sysadm_r,admin_terminal) netutils_run_ping(sysadm_t,sysadm_r,admin_terminal) netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal) ') - optional_policy(`rpc',` + optional_policy(` rpc_domtrans_nfsd(sysadm_t) ') - optional_policy(`ntp',` + optional_policy(` ntp_stub() corenet_udp_bind_ntp_port(sysadm_t) ') - optional_policy(`pcmcia',` + optional_policy(` pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal) ') - optional_policy(`portage',` + optional_policy(` portage_run(sysadm_t,sysadm_r,admin_terminal) ') - optional_policy(`portmap',` + optional_policy(` portmap_run_helper(sysadm_t,sysadm_r,admin_terminal) ') - optional_policy(`quota',` + optional_policy(` quota_run(sysadm_t,sysadm_r,admin_terminal) ') - optional_policy(`radius',` + optional_policy(` radius_use(sysadm_t,sysadm_r,admin_terminal) ') - optional_policy(`rpm',` + 
optional_policy(` rpm_run(sysadm_t,sysadm_r,admin_terminal) ') - optional_policy(`samba',` + optional_policy(` samba_run_net(sysadm_t,sysadm_r,admin_terminal) samba_run_winbind_helper(sysadm_t,sysadm_r,admin_terminal) ') - optional_policy(`selinuxutil',` + optional_policy(` seutil_run_restorecon(sysadm_t,sysadm_r,admin_terminal) seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal) @@ -393,30 +393,30 @@ ifdef(`targeted_policy',` ') ') - optional_policy(`sysnetwork',` + optional_policy(` sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal) sysnet_run_dhcpc(sysadm_t,sysadm_r,admin_terminal) ') - optional_policy(`unconfined',` + optional_policy(` unconfined_domtrans(sysadm_t,sysadm_r,admin_terminal) ') - optional_policy(`usbmodules',` + optional_policy(` usbmodules_run(sysadm_t,sysadm_r,admin_terminal) ') - optional_policy(`usermanage',` + optional_policy(` usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal) usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal) usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal) ') - optional_policy(`vpn',` + optional_policy(` vpn_run(sysadm_t,sysadm_r,admin_terminal) ') - optional_policy(`webalizer',` + optional_policy(` webalizer_run(sysadm_t,sysadm_r,admin_terminal) ') ') diff --git a/refpolicy/policy/support/loadable_module.spt b/refpolicy/policy/support/loadable_module.spt index 93b726a..efc9f6d 100644 --- a/refpolicy/policy/support/loadable_module.spt +++ b/refpolicy/policy/support/loadable_module.spt 
@@ -92,15 +92,28 @@ define(`policy_call_depth',0)
 # Optional policy handling
 #
 define(`optional_policy',`
- optional {
- pushdef(`__in_optional_policy') dnl
- $2
- popdef(`__in_optional_policy') dnl
- ifelse(`$3',`',`',`
- } else {
- $3
+ ifelse(regexp(`$1',`\W'),`-1',`
+ errprint(__file__:__line__`: deprecated use of module name ($1) as first parameter of optional_policy() block.' __endline__)
+ optional {
+ pushdef(`__in_optional_policy') dnl
+ $2
+ popdef(`__in_optional_policy') dnl
+ ifelse(`$3',`',`',`
+ } else {
+ $3
+ ')
+ }
+ ',`
+ optional {
+ pushdef(`__in_optional_policy') dnl
+ $1
+ popdef(`__in_optional_policy') dnl
+ ifelse(`$2',`',`',`
+ } else {
+ $2
+ ')
+ }
 ')
- }
 ')
 
 ##############################
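Review bot: The regexp test on `$1` at the top of the new macro body encodes an undocumented heuristic — a first argument made only of word characters is taken to be a legacy module name, so `$2`/`$3` then hold the bodies — and nothing in the hunk says so; a one-line comment above that ifelse stating exactly that rule would spare the next reader re-deriving it from the `\W` pattern. The heuristic also assumes the build's m4 understands `\W` (GNU regex syntax); on an m4 where that escape does not match, a genuine policy body would be classified as a module name and its rules silently left out of the output, with the `errprint` message as the only trace. Since `errprint` never aborts the build, consider escalating the legacy branch to a hard error with `m4exit(1)` once the transition period ends, or at least when `$2` is empty there, which can only be a call that supplied a module name and no body.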