From d542026b8686799587b652ef525292012cdb4a27 Mon Sep 17 00:00:00 2001
From: Dominick Grift
Date: Sep 22 2010 13:41:45 +0000
Subject: The capability IPC goes on top of the local policy.

The capability IPC goes on top of the local policy.
The capability IPC goes on top of the local policy.
The capability IPC goes on top of the local policy.
The capability IPC goes on top of the local policy.

---
diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te
index 0216eb4..e18dc0b 100644
--- a/policy/modules/services/cvs.te
+++ b/policy/modules/services/cvs.te
@@ -35,12 +35,12 @@ files_pid_file(cvs_var_run_t)
 # Local policy
 #
 
+allow cvs_t self:capability { setuid setgid };
 allow cvs_t self:process signal_perms;
 allow cvs_t self:fifo_file rw_fifo_file_perms;
 allow cvs_t self:tcp_socket connected_stream_socket_perms;
 # for identd; cjp: this should probably only be inetd_child rules?
 allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow cvs_t self:capability { setuid setgid };
 
 manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
 manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
diff --git a/policy/modules/services/djbdns.te b/policy/modules/services/djbdns.te
index 0c6a473..5fd29a5 100644
--- a/policy/modules/services/djbdns.te
+++ b/policy/modules/services/djbdns.te
@@ -23,11 +23,11 @@ djbdns_daemontools_domain_template(tinydns)
 # Local policy for axfrdns component
 #
 
+allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot };
+
 daemontools_ipc_domain(djbdns_axfrdns_t)
 daemontools_read_svc(djbdns_axfrdns_t)
 
-allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot };
-
 allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:dir list_dir_perms;
 allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:file read_file_perms;
 
diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
index ac97ed9..96e3c80 100644
--- a/policy/modules/services/mailman.te
+++ b/policy/modules/services/mailman.te
@@ -61,9 +61,9 @@ optional_policy(`
 # Mailman mail local policy
 #
 
-allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
-allow mailman_mail_t self:process { signal signull };
 allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };
+allow mailman_mail_t self:process { signal signull };
+allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
 
 manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
 manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index ac63be9..13c0555 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -157,8 +157,8 @@ optional_policy(`
 
 allow mysqld_safe_t self:capability { chown dac_override fowner kill };
 dontaudit mysqld_safe_t self:capability sys_ptrace;
-allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
 allow mysqld_safe_t self:process { setsched getsched setrlimit };
+allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
 
 read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
 
diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te
index 4876cae..3bd04d9 100644
--- a/policy/modules/services/nis.te
+++ b/policy/modules/services/nis.te
@@ -57,8 +57,8 @@ files_pid_file(ypxfr_var_run_t)
 # ypbind local policy
 
 dontaudit ypbind_t self:capability { net_admin sys_tty_config };
-allow ypbind_t self:fifo_file rw_fifo_file_perms;
 allow ypbind_t self:process signal_perms;
+allow ypbind_t self:fifo_file rw_fifo_file_perms;
 allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
 allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
 allow ypbind_t self:tcp_socket create_stream_socket_perms;
@@ -142,8 +142,8 @@ optional_policy(`
 
 allow yppasswdd_t self:capability dac_override;
 dontaudit yppasswdd_t self:capability sys_tty_config;
-allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
 allow yppasswdd_t self:process { getsched setfscreate signal_perms };
+allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
 allow yppasswdd_t self:unix_dgram_socket create_socket_perms;
 allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms;
 allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
@@ -224,8 +224,8 @@ optional_policy(`
 #
 
 dontaudit ypserv_t self:capability sys_tty_config;
-allow ypserv_t self:fifo_file rw_fifo_file_perms;
 allow ypserv_t self:process signal_perms;
+allow ypserv_t self:fifo_file rw_fifo_file_perms;
 allow ypserv_t self:unix_dgram_socket create_socket_perms;
 allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
 allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;