From fc0d3d55f80a441c95236e60d287997e97667924 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Sep 21 2010 11:57:06 +0000 Subject: Merge branch 'base' --- diff --git a/policy/modules/services/mpd.if b/policy/modules/services/mpd.if index 733dc77..311aaed 100644 --- a/policy/modules/services/mpd.if +++ b/policy/modules/services/mpd.if @@ -258,7 +258,6 @@ interface(`mpd_admin',` files_list_var_lib($1) admin_pattern($1, mpd_var_lib_t) - mpd_list_lib($1) admin_pattern($1, mpd_data_t) admin_pattern($1, mpd_log_t) diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if index aed3720..7391f7e 100644 --- a/policy/modules/services/postfix.if +++ b/policy/modules/services/postfix.if @@ -710,8 +710,8 @@ interface(`postfix_admin',` allow $1 postfix_smtpd_t:process { ptrace signal_perms }; ps_process_pattern($1, postfix_smtpd_t) - postfix_run_map($1,$2) - postfix_run_postdrop($1,$2) + postfix_run_map($1, $2) + postfix_run_postdrop($1, $2) postfix_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/policy/modules/services/postfixpolicyd.if b/policy/modules/services/postfixpolicyd.if index feae93b..d960d3f 100644 --- a/policy/modules/services/postfixpolicyd.if +++ b/policy/modules/services/postfixpolicyd.if @@ -20,8 +20,7 @@ interface(`postfixpolicyd_admin',` gen_require(` type postfix_policyd_t, postfix_policyd_conf_t; - type postfix_policyd_var_run_t; - type postfix_policyd_initrc_exec_t; + type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t; ') allow $1 postfix_policyd_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if index fd75d3d..4782bdb 100644 --- a/policy/modules/services/postgresql.if +++ b/policy/modules/services/postgresql.if @@ -10,7 +10,7 @@ ## ## ## -## +## ## The type of the user domain. ## ## @@ -45,14 +45,6 @@ interface(`postgresql_role',` # Client local policy # - tunable_policy(`sepgsql_enable_users_ddl',` - allow $2 user_sepgsql_table_t:db_table { create drop setattr }; - allow $2 user_sepgsql_table_t:db_column { create drop setattr }; - - allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete }; - allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr }; - ') - allow $2 user_sepgsql_table_t:db_table { getattr use select update insert delete lock }; allow $2 user_sepgsql_table_t:db_column { getattr use select update insert }; allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete }; @@ -69,6 +61,14 @@ interface(`postgresql_role',` allow $2 sepgsql_trusted_proc_t:process transition; type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; + + tunable_policy(`sepgsql_enable_users_ddl',` + allow $2 user_sepgsql_table_t:db_table { create drop setattr }; + allow $2 user_sepgsql_table_t:db_column { create drop setattr }; + + allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete }; + allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr }; + ') ') ######################################## @@ -195,7 +195,7 @@ interface(`postgresql_search_db',` type postgresql_db_t; ') - allow $1 postgresql_db_t:dir search; + allow $1 postgresql_db_t:dir search_dir_perms; ') ######################################## @@ -207,6 +207,7 @@ interface(`postgresql_search_db',` ## Domain allowed access. ## ## +# interface(`postgresql_manage_db',` gen_require(` type postgresql_db_t; @@ -214,7 +215,7 @@ interface(`postgresql_manage_db',` allow $1 postgresql_db_t:dir rw_dir_perms; allow $1 postgresql_db_t:file rw_file_perms; - allow $1 postgresql_db_t:lnk_file { getattr read }; + allow $1 postgresql_db_t:lnk_file read_lnk_file_perms; ') ######################################## @@ -304,7 +305,6 @@ interface(`postgresql_tcp_connect',` ## Domain allowed access. ## ## -## # interface(`postgresql_stream_connect',` gen_require(` @@ -313,7 +313,7 @@ interface(`postgresql_stream_connect',` files_search_pids($1) files_search_tmp($1) - stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t}, { postgresql_var_run_t postgresql_tmp_t}, postgresql_t) + stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t }, { postgresql_var_run_t postgresql_tmp_t }, postgresql_t) ') ######################################## @@ -359,13 +359,6 @@ interface(`postgresql_unpriv_client',` type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; allow $1 sepgsql_trusted_proc_t:process transition; - tunable_policy(`sepgsql_enable_users_ddl',` - allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr }; - allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr }; - allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete }; - allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr }; - ') - allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock }; allow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert }; allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete }; @@ -379,6 +372,13 @@ interface(`postgresql_unpriv_client',` allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export }; type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t; + + tunable_policy(`sepgsql_enable_users_ddl',` + allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr }; + allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr }; + allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete }; + allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr }; + ') ') ######################################## @@ -418,13 +418,10 @@ interface(`postgresql_unconfined',` # interface(`postgresql_admin',` gen_require(` - attribute sepgsql_admin_type; - attribute sepgsql_client_type; - - type postgresql_t, postgresql_var_run_t; - type postgresql_tmp_t, postgresql_db_t; - type postgresql_etc_t, postgresql_log_t; - type postgresql_initrc_exec_t; + attribute sepgsql_admin_type, sepgsql_client_type; + type postgresql_t, postgresql_var_run_t, postgresql_initrc_exec_t; + type postgresql_tmp_t, postgresql_db_t, postgresql_log_t; + type postgresql_etc_t; ') typeattribute $1 sepgsql_admin_type; @@ -437,6 +434,7 @@ interface(`postgresql_admin',` role_transition $2 postgresql_initrc_exec_t system_r; allow $2 system_r; + files_list_pids($1) admin_pattern($1, postgresql_var_run_t) files_list_var_lib($1) @@ -448,6 +446,7 @@ interface(`postgresql_admin',` logging_list_logs($1) admin_pattern($1, postgresql_log_t) + files_list_tmp($1) admin_pattern($1, postgresql_tmp_t) postgresql_tcp_connect($1) diff --git a/policy/modules/services/postgrey.if b/policy/modules/services/postgrey.if index ad15fde..6f55445 100644 --- a/policy/modules/services/postgrey.if +++ b/policy/modules/services/postgrey.if @@ -15,9 +15,9 @@ interface(`postgrey_stream_connect',` type postgrey_var_run_t, postgrey_t, postgrey_spool_t; ') - stream_connect_pattern($1, postgrey_var_run_t, postgrey_var_run_t, postgrey_t) - stream_connect_pattern($1, postgrey_spool_t, postgrey_spool_t, postgrey_t) + stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t) files_search_pids($1) + files_search_spool($1) ') ######################################## @@ -35,6 +35,7 @@ interface(`postgrey_search_spool',` type postgrey_spool_t; ') + files_search_spool($1) allow $1 postgrey_spool_t:dir search_dir_perms; ') @@ -57,9 +58,8 @@ interface(`postgrey_search_spool',` # interface(`postgrey_admin',` gen_require(` - type postgrey_t, postgrey_etc_t; + type postgrey_t, postgrey_etc_t, postgrey_initrc_exec_t; type postgrey_var_lib_t, postgrey_var_run_t; - type postgrey_initrc_exec_t; ') allow $1 postgrey_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if index f916c76..09699d1 100644 --- a/policy/modules/services/ppp.if +++ b/policy/modules/services/ppp.if @@ -66,7 +66,6 @@ interface(`ppp_sigchld',` ## ## # -# interface(`ppp_kill',` gen_require(` type pppd_t; @@ -180,8 +179,7 @@ interface(`ppp_run',` ') ppp_domtrans($1) - role $2 types pppd_t; - role $2 types pptp_t; + role $2 types { pppd_t pptp_t }; optional_policy(` ddclient_run(pppd_t, $2) @@ -281,6 +279,7 @@ interface(`ppp_read_pid_files',` type pppd_var_run_t; ') + files_search_pids($1) allow $1 pppd_var_run_t:file read_file_perms; ') @@ -299,6 +298,7 @@ interface(`ppp_manage_pid_files',` type pppd_var_run_t; ') + files_search_pids($1) allow $1 pppd_var_run_t:file manage_file_perms; ') @@ -353,16 +353,17 @@ interface(`ppp_initrc_domtrans',` interface(`ppp_admin',` gen_require(` type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t; - type pppd_etc_t, pppd_secret_t; - type pppd_etc_rw_t, pppd_var_run_t; - + type pppd_etc_t, pppd_secret_t, pppd_var_run_t; type pptp_t, pptp_log_t, pptp_var_run_t; - type pppd_initrc_exec_t; + type pppd_initrc_exec_t, pppd_etc_rw_t; ') allow $1 pppd_t:process { ptrace signal_perms }; ps_process_pattern($1, pppd_t) + allow $1 pptp_t:process { ptrace signal_perms }; + ps_process_pattern($1, pptp_t) + ppp_initrc_domtrans($1) domain_system_change_exemption($1) role_transition $2 pppd_initrc_exec_t system_r; @@ -374,6 +375,7 @@ interface(`ppp_admin',` logging_list_logs($1) admin_pattern($1, pppd_log_t) + files_list_locks($1) admin_pattern($1, pppd_lock_t) files_list_etc($1) @@ -386,9 +388,6 @@ interface(`ppp_admin',` files_list_pids($1) admin_pattern($1, pppd_var_run_t) - allow $1 pptp_t:process { ptrace signal_perms }; - ps_process_pattern($1, pptp_t) - admin_pattern($1, pptp_log_t) admin_pattern($1, pptp_var_run_t) diff --git a/policy/modules/services/prelude.if b/policy/modules/services/prelude.if index 1bf96b0..77ef768 100644 --- a/policy/modules/services/prelude.if +++ b/policy/modules/services/prelude.if @@ -5,9 +5,9 @@ ## Execute a domain transition to run prelude. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`prelude_domtrans',` @@ -23,9 +23,9 @@ interface(`prelude_domtrans',` ## Execute a domain transition to run prelude_audisp. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`prelude_domtrans_audisp',` @@ -41,9 +41,9 @@ interface(`prelude_domtrans_audisp',` ## Signal the prelude_audisp domain. ## ## -## +## ## Domain allowed acccess. -## +## ## # interface(`prelude_signal_audisp',` @@ -78,9 +78,9 @@ interface(`prelude_read_spool',` ## Manage to prelude-manager spool files. ## ## -## +## ## Domain allowed access. -## +## ## # interface(`prelude_manage_spool',` @@ -112,13 +112,10 @@ interface(`prelude_manage_spool',` # interface(`prelude_admin',` gen_require(` - type prelude_t, prelude_spool_t; - type prelude_var_run_t, prelude_var_lib_t; - type prelude_audisp_t, prelude_audisp_var_run_t; - type prelude_initrc_exec_t; - - type prelude_lml_t, prelude_lml_tmp_t; - type prelude_lml_var_run_t; + type prelude_t, prelude_spool_t, prelude_initrc_exec_t; + type prelude_var_run_t, prelude_var_lib_t, prelude_lml_var_run_t; + type prelude_audisp_t, prelude_audisp_var_run_t, prelude_lml_tmp_t; + type prelude_lml_t; ') allow $1 prelude_t:process { ptrace signal_perms }; @@ -144,9 +141,8 @@ interface(`prelude_admin',` files_list_pids($1) admin_pattern($1, prelude_var_run_t) admin_pattern($1, prelude_audisp_var_run_t) + admin_pattern($1, prelude_lml_var_run_t) files_list_tmp($1) admin_pattern($1, prelude_lml_tmp_t) - - admin_pattern($1, prelude_lml_var_run_t) ') diff --git a/policy/modules/services/privoxy.if b/policy/modules/services/privoxy.if index c8f6cb5..7221526 100644 --- a/policy/modules/services/privoxy.if +++ b/policy/modules/services/privoxy.if @@ -19,9 +19,8 @@ # interface(`privoxy_admin',` gen_require(` - type privoxy_t, privoxy_log_t; + type privoxy_t, privoxy_log_t, privoxy_initrc_exec_t; type privoxy_etc_rw_t, privoxy_var_run_t; - type privoxy_initrc_exec_t; ') allow $1 privoxy_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/procmail.if b/policy/modules/services/procmail.if index 5bfbd7b..166e9c3 100644 --- a/policy/modules/services/procmail.if +++ b/policy/modules/services/procmail.if @@ -93,7 +93,6 @@ interface(`procmail_read_home_files',` type procmail_home_t; ') - userdom_search_user_home_dirs($1) + userdom_search_user_home_dirs($1) read_files_pattern($1, procmail_home_t, procmail_home_t) ') - diff --git a/policy/modules/services/psad.if b/policy/modules/services/psad.if index 96440db..d1a3745 100644 --- a/policy/modules/services/psad.if +++ b/policy/modules/services/psad.if @@ -91,7 +91,6 @@ interface(`psad_manage_config',` files_search_etc($1) manage_dirs_pattern($1, psad_etc_t, psad_etc_t) manage_files_pattern($1, psad_etc_t, psad_etc_t) - ') ######################################## @@ -115,7 +114,7 @@ interface(`psad_read_pid_files',` ######################################## ## -## Read psad PID files. +## Read and write psad PID files. ## ## ## @@ -253,8 +252,8 @@ interface(`psad_rw_tmp_files',` interface(`psad_admin',` gen_require(` type psad_t, psad_var_run_t, psad_var_log_t; - type psad_initrc_exec_t, psad_var_lib_t; - type psad_tmp_t, psad_etc_t; + type psad_initrc_exec_t, psad_var_lib_t, psad_etc_t; + type psad_tmp_t; ') allow $1 psad_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/puppet.if b/policy/modules/services/puppet.if index 2855a44..0456b11 100644 --- a/policy/modules/services/puppet.if +++ b/policy/modules/services/puppet.if @@ -21,7 +21,7 @@ ## ## # -interface(`puppet_rw_tmp', ` +interface(`puppet_rw_tmp',` gen_require(` type puppet_tmp_t; ') diff --git a/policy/modules/services/pyzor.if b/policy/modules/services/pyzor.if index 6443f30..aa3d0b4 100644 --- a/policy/modules/services/pyzor.if +++ b/policy/modules/services/pyzor.if @@ -14,6 +14,7 @@ ## User domain for the role ## ## +## # interface(`pyzor_role',` gen_require(` @@ -28,7 +29,7 @@ interface(`pyzor_role',` # allow ps to show pyzor and allow the user to kill it ps_process_pattern($2, pyzor_t) - allow $2 pyzor_t:process signal; + allow $2 pyzor_t:process { ptrace signal_perms }; ') ######################################## @@ -109,13 +110,12 @@ interface(`pyzor_exec',` interface(`pyzor_admin',` gen_require(` type pyzord_t, pyzor_tmp_t, pyzord_log_t; - type pyzor_etc_t, pyzor_var_lib_t; - type pyzord_initrc_exec_t; + type pyzor_etc_t, pyzor_var_lib_t, pyzord_initrc_exec_t; ') allow $1 pyzord_t:process { ptrace signal_perms }; ps_process_pattern($1, pyzord_t) - + init_labeled_script_domtrans($1, pyzord_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 pyzord_initrc_exec_t system_r; @@ -133,5 +133,3 @@ interface(`pyzor_admin',` files_list_var_lib($1) admin_pattern($1, pyzor_var_lib_t) ') - - diff --git a/policy/modules/services/qpidd.if b/policy/modules/services/qpidd.if index 5dbca44..c403abc 100644 --- a/policy/modules/services/qpidd.if +++ b/policy/modules/services/qpidd.if @@ -1,4 +1,3 @@ - ## policy for qpidd ######################################## @@ -6,9 +5,9 @@ ## Execute a domain transition to run qpidd. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`qpidd_domtrans',` @@ -19,7 +18,6 @@ interface(`qpidd_domtrans',` domtrans_pattern($1, qpidd_exec_t, qpidd_t) ') - ######################################## ## ## Execute qpidd server in the qpidd domain. @@ -72,12 +70,12 @@ interface(`qpidd_manage_var_run',` type qpidd_var_run_t; ') - manage_dirs_pattern($1, qpidd_var_run_t, qpidd_var_run_t) - manage_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t) - manage_lnk_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t) + files_search_pids($1) + manage_dirs_pattern($1, qpidd_var_run_t, qpidd_var_run_t) + manage_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t) + manage_lnk_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t) ') - ######################################## ## ## Search qpidd lib directories. @@ -113,7 +111,7 @@ interface(`qpidd_read_lib_files',` ') files_search_var_lib($1) - read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) + read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) ') ######################################## @@ -133,7 +131,7 @@ interface(`qpidd_manage_lib_files',` ') files_search_var_lib($1) - manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) + manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) ') ######################################## @@ -151,12 +149,12 @@ interface(`qpidd_manage_var_lib',` type qpidd_var_lib_t; ') - manage_dirs_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) - manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) - manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) + files_search_var_lib($1) + manage_dirs_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) + manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) + manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) ') - ######################################## ## ## All of the rules required to administrate @@ -176,16 +174,11 @@ interface(`qpidd_manage_var_lib',` # interface(`qpidd_admin',` gen_require(` - type qpidd_t; + type qpidd_t, qpidd_initrc_exec_t; ') allow $1 qpidd_t:process { ptrace signal_perms }; ps_process_pattern($1, qpidd_t) - - - gen_require(` - type qpidd_initrc_exec_t; - ') # Allow qpidd_t to restart the apache service qpidd_initrc_domtrans($1) @@ -196,41 +189,40 @@ interface(`qpidd_admin',` qpidd_manage_var_run($1) qpidd_manage_var_lib($1) - ') ##################################### ## -## Allow read and write access to qpidd semaphores. +## Allow read and write access to qpidd semaphores. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # interface(`qpidd_rw_semaphores',` - gen_require(` - type qpidd_t; - ') + gen_require(` + type qpidd_t; + ') - allow $1 qpidd_t:sem rw_sem_perms; + allow $1 qpidd_t:sem rw_sem_perms; ') ######################################## ## -## Read and write to qpidd shared memory. +## Read and write to qpidd shared memory. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # interface(`qpidd_rw_shm',` - gen_require(` - type qpidd_t; - ') + gen_require(` + type qpidd_t; + ') - allow $1 qpidd_t:shm rw_shm_perms; + allow $1 qpidd_t:shm rw_shm_perms; ') diff --git a/policy/modules/services/radvd.if b/policy/modules/services/radvd.if index be05bff..2bd662a 100644 --- a/policy/modules/services/radvd.if +++ b/policy/modules/services/radvd.if @@ -19,8 +19,8 @@ # interface(`radvd_admin',` gen_require(` - type radvd_t, radvd_etc_t; - type radvd_var_run_t, radvd_initrc_exec_t; + type radvd_t, radvd_etc_t, radvd_initrc_exec_t; + type radvd_var_run_t; ') allow $1 radvd_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if index 028e3fd..3203212 100644 --- a/policy/modules/services/razor.if +++ b/policy/modules/services/razor.if @@ -26,6 +26,7 @@ template(`razor_common_domain_template',` gen_require(` type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t; ') + type $1_t; domain_type($1_t) domain_entry_file($1_t, razor_exec_t) @@ -46,7 +47,7 @@ template(`razor_common_domain_template',` # Read system config file allow $1_t razor_etc_t:dir list_dir_perms; allow $1_t razor_etc_t:file read_file_perms; - allow $1_t razor_etc_t:lnk_file { getattr read }; + allow $1_t razor_etc_t:lnk_file read_lnk_file_perms; manage_dirs_pattern($1_t, razor_log_t, razor_log_t) manage_files_pattern($1_t, razor_log_t, razor_log_t) @@ -117,6 +118,7 @@ template(`razor_common_domain_template',` ## User domain for the role ## ## +## # interface(`razor_role',` gen_require(` @@ -130,7 +132,7 @@ interface(`razor_role',` # allow ps to show razor and allow the user to kill it ps_process_pattern($2, razor_t) - allow $2 razor_t:process signal; + allow $2 razor_t:process { ptrace signal_perms }; manage_dirs_pattern($2, razor_home_t, razor_home_t) manage_files_pattern($2, razor_home_t, razor_home_t) @@ -197,4 +199,3 @@ interface(`razor_read_lib_files',` files_search_var_lib($1) read_files_pattern($1, razor_var_lib_t, razor_var_lib_t) ') - diff --git a/policy/modules/services/rgmanager.if b/policy/modules/services/rgmanager.if index 7ef312e..9c2c963 100644 --- a/policy/modules/services/rgmanager.if +++ b/policy/modules/services/rgmanager.if @@ -5,9 +5,9 @@ ## Execute a domain transition to run rgmanager. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`rgmanager_domtrans',` @@ -78,20 +78,20 @@ interface(`rgmanager_manage_tmpfs_files',` ####################################### ## -## Allow read and write access to rgmanager semaphores. +## Allow read and write access to rgmanager semaphores. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # interface(`rgmanager_rw_semaphores',` - gen_require(` - type rgmanager_t; - ') + gen_require(` + type rgmanager_t; + ') - allow $1 rgmanager_t:sem { unix_read unix_write associate read write }; + allow $1 rgmanager_t:sem rw_sem_perms; ') ###################################### @@ -100,9 +100,9 @@ interface(`rgmanager_rw_semaphores',` ## an rgmanager environment ## ## -## +## ## Domain allowed access. -## +## ## ## ## @@ -115,7 +115,7 @@ interface(`rgmanager_admin',` gen_require(` type rgmanager_t, rgmanager_initrc_exec_t, rgmanager_tmp_t; type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t; - ') + ') allow $1 rgmanager_t:process { ptrace signal_perms }; ps_process_pattern($1, rgmanager_t) diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if index d8b97c2..229a3c7 100644 --- a/policy/modules/services/rhcs.if +++ b/policy/modules/services/rhcs.if @@ -13,9 +13,7 @@ # template(`rhcs_domain_template',` gen_require(` - attribute cluster_domain; - attribute cluster_tmpfs; - attribute cluster_pid; + attribute cluster_domain, cluster_tmpfs, cluster_pid; ') ############################## @@ -53,7 +51,6 @@ template(`rhcs_domain_template',` manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t) manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t) files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file }) - ') ###################################### @@ -61,9 +58,9 @@ template(`rhcs_domain_template',` ## Execute a domain transition to run dlm_controld. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`rhcs_domtrans_dlm_controld',` @@ -171,9 +168,8 @@ interface(`rhcs_stream_connect_fenced',` type fenced_var_run_t, fenced_t; ') - allow $1 fenced_t:unix_stream_socket connectto; - allow $1 fenced_var_run_t:sock_file { getattr write }; files_search_pids($1) + stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t) ') ##################################### @@ -349,8 +345,7 @@ interface(`rhcs_rw_groupd_shm',` # interface(`rhcs_rw_cluster_shm',` gen_require(` - attribute cluster_domain; - attribute cluster_tmpfs; + attribute cluster_domain, cluster_tmpfs; ') allow $1 cluster_domain:shm { rw_shm_perms destroy }; @@ -361,41 +356,40 @@ interface(`rhcs_rw_cluster_shm',` #################################### ## -## Read and write access to cluster domains semaphores. +## Read and write access to cluster domains semaphores. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # interface(`rhcs_rw_cluster_semaphores',` - gen_require(` + gen_require(` attribute cluster_domain; - ') + ') - allow $1 cluster_domain:sem { rw_sem_perms destroy }; + allow $1 cluster_domain:sem { rw_sem_perms destroy }; ') #################################### ## -## Connect to cluster domains over a unix domain -## stream socket. +## Connect to cluster domains over a unix domain +## stream socket. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # interface(`rhcs_stream_connect_cluster',` - gen_require(` - attribute cluster_domain; - attribute cluster_pid; - ') + gen_require(` + attribute cluster_domain, cluster_pid; + ') - files_search_pids($1) - stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain) + files_search_pids($1) + stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain) ') ###################################### @@ -432,24 +426,25 @@ interface(`rhcs_read_qdiskd_tmpfs_files',` type qdiskd_tmpfs_t; ') + fs_search_tmpfs($1) allow $1 qdiskd_tmpfs_t:file read_file_perms; ') ###################################### ## -## Allow domain to read cluster lib files +## Allow domain to read cluster lib files ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # interface(`rhcs_read_cluster_lib_files',` - gen_require(` - type cluster_var_lib_t; - ') + gen_require(` + type cluster_var_lib_t; + ') - files_search_var_lib($1) - read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) + files_search_var_lib($1) + read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) ') diff --git a/policy/modules/services/rhgb.if b/policy/modules/services/rhgb.if index 96efae7..793a29f 100644 --- a/policy/modules/services/rhgb.if +++ b/policy/modules/services/rhgb.if @@ -194,5 +194,6 @@ interface(`rhgb_rw_tmpfs_files',` type rhgb_tmpfs_t; ') + fs_search_tmpfs($1) allow $1 rhgb_tmpfs_t:file rw_file_perms; ') diff --git a/policy/modules/services/ricci.if b/policy/modules/services/ricci.if index 8a28c31..3128dd8 100644 --- a/policy/modules/services/ricci.if +++ b/policy/modules/services/ricci.if @@ -5,9 +5,9 @@ ## Execute a domain transition to run ricci. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`ricci_domtrans',` @@ -20,20 +20,20 @@ interface(`ricci_domtrans',` ####################################### ## -## Execute ricci server in the ricci domain. +## Execute ricci server in the ricci domain. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # -interface(`ricci_initrc_domtrans', ` - gen_require(` - type ricci_initrc_exec_t; - ') +interface(`ricci_initrc_domtrans',` + gen_require(` + type ricci_initrc_exec_t; + ') - init_labeled_script_domtrans($1, ricci_initrc_exec_t) + init_labeled_script_domtrans($1, ricci_initrc_exec_t) ') ######################################## @@ -41,9 +41,9 @@ interface(`ricci_initrc_domtrans', ` ## Execute a domain transition to run ricci_modcluster. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`ricci_domtrans_modcluster',` @@ -89,7 +89,7 @@ interface(`ricci_dontaudit_rw_modcluster_pipes',` type ricci_modcluster_t; ') - dontaudit $1 ricci_modcluster_t:fifo_file { read write }; + dontaudit $1 ricci_modcluster_t:fifo_file rw_inherited_fifo_file_perms; ') ######################################## @@ -126,6 +126,7 @@ interface(`ricci_rw_modclusterd_tmpfs_files',` type ricci_modcluserd_tmpfs_t; ') + fs_search_tmpfs($1) allow $1 ricci_modcluserd_tmpfs_t:file rw_file_perms; ') @@ -134,9 +135,9 @@ interface(`ricci_rw_modclusterd_tmpfs_files',` ## Execute a domain transition to run ricci_modlog. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`ricci_domtrans_modlog',` @@ -152,9 +153,9 @@ interface(`ricci_domtrans_modlog',` ## Execute a domain transition to run ricci_modrpm. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`ricci_domtrans_modrpm',` @@ -170,9 +171,9 @@ interface(`ricci_domtrans_modrpm',` ## Execute a domain transition to run ricci_modservice. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`ricci_domtrans_modservice',` @@ -188,9 +189,9 @@ interface(`ricci_domtrans_modservice',` ## Execute a domain transition to run ricci_modstorage. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`ricci_domtrans_modstorage',` @@ -203,22 +204,22 @@ interface(`ricci_domtrans_modstorage',` #################################### ## -## Allow the specified domain to manage ricci's lib files. +## Allow the specified domain to manage ricci's lib files. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # interface(`ricci_manage_lib_files',` - gen_require(` - type ricci_var_lib_t; - ') + gen_require(` + type ricci_var_lib_t; + ') - files_search_var_lib($1) - manage_dirs_pattern($1, ricci_var_lib_t, ricci_var_lib_t) - manage_files_pattern($1, ricci_var_lib_t, ricci_var_lib_t) + files_search_var_lib($1) + manage_dirs_pattern($1, ricci_var_lib_t, ricci_var_lib_t) + manage_files_pattern($1, ricci_var_lib_t, ricci_var_lib_t) ') ######################################## @@ -254,7 +255,7 @@ interface(`ricci_admin',` files_list_tmp($1) admin_pattern($1, ricci_tmp_t) - + files_list_var_lib($1) admin_pattern($1, ricci_var_lib_t) diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if index b65be0c..28e7576 100644 --- a/policy/modules/services/rpc.if +++ b/policy/modules/services/rpc.if @@ -32,7 +32,11 @@ interface(`rpc_stub',` ## ## # -template(`rpc_domain_template', ` +template(`rpc_domain_template',` + gen_require(` + type var_lib_nfs_t; + ') + ######################################## # # Declarations @@ -152,7 +156,7 @@ interface(`rpc_dontaudit_getattr_exports',` type exports_t; ') - dontaudit $1 exports_t:file getattr; + dontaudit $1 exports_t:file getattr_file_perms; ') ######################################## @@ -188,7 +192,7 @@ interface(`rpc_write_exports',` type exports_t; ') - allow $1 exports_t:file write; + allow $1 exports_t:file write_file_perms; ') ######################################## @@ -302,7 +306,7 @@ interface(`rpc_read_nfs_content',` allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms; allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms; - allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file { getattr read }; + allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file read_lnk_file_perms; ') ######################################## @@ -395,7 +399,7 @@ interface(`rpc_search_nfs_state_data',` ') files_search_var_lib($1) - allow $1 var_lib_nfs_t:dir search; + allow $1 var_lib_nfs_t:dir search_dir_perms; ') ######################################## diff --git a/policy/modules/services/rpcbind.if b/policy/modules/services/rpcbind.if index 14173f7..0458ba7 100644 --- a/policy/modules/services/rpcbind.if +++ b/policy/modules/services/rpcbind.if @@ -5,9 +5,9 @@ ## Execute a domain transition to run rpcbind. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`rpcbind_domtrans',` diff --git a/policy/modules/services/rsync.if b/policy/modules/services/rsync.if index eefa329..b28cae5 100644 --- a/policy/modules/services/rsync.if +++ b/policy/modules/services/rsync.if @@ -109,9 +109,9 @@ interface(`rsync_exec',` ## Read rsync config files. ## ## -## +## ## Domain allowed access. -## +## ## # interface(`rsync_read_config',` @@ -128,9 +128,9 @@ interface(`rsync_read_config',` ## Write to rsync config files. ## ## -## +## ## Domain allowed access. -## +## ## # interface(`rsync_write_config',` @@ -147,9 +147,9 @@ interface(`rsync_write_config',` ## Manage rsync config files. ## ## -## -## Domain allowed. -## +## +## Domain allowed access. +## ## # interface(`rsync_manage_config',` diff --git a/policy/modules/services/rtkit.if b/policy/modules/services/rtkit.if index 21079f8..d632bc0 100644 --- a/policy/modules/services/rtkit.if +++ b/policy/modules/services/rtkit.if @@ -5,9 +5,9 @@ ## Execute a domain transition to run rtkit_daemon. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`rtkit_daemon_domtrans',` @@ -46,7 +46,7 @@ interface(`rtkit_daemon_dbus_chat',` ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # @@ -75,6 +75,7 @@ interface(`rtkit_scheduled',` type rtkit_daemon_t; ') + kernel_search_proc($1) ps_process_pattern(rtkit_daemon_t, $1) allow rtkit_daemon_t $1:process { getsched setsched }; rtkit_daemon_dbus_chat($1) diff --git a/policy/modules/services/rwho.if b/policy/modules/services/rwho.if index 71ea0ea..664e68e 100644 --- a/policy/modules/services/rwho.if +++ b/policy/modules/services/rwho.if @@ -5,9 +5,9 @@ ## Execute a domain transition to run rwho. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`rwho_domtrans',` diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if index fd5a17e..9e72970 100644 --- a/policy/modules/services/samba.if +++ b/policy/modules/services/samba.if @@ -83,7 +83,7 @@ interface(`samba_domtrans_net',` ## ## ## -## Domain allowed access. +## Domain allowed to transition. ## ## # @@ -148,7 +148,7 @@ interface(`samba_role_notrans',` ## ## ## -## Domain allowed access. +## Domain allowed to transition. ## ## ## @@ -391,7 +391,6 @@ interface(`samba_search_var',` type samba_var_t; ') - files_search_var($1) files_search_var_lib($1) allow $1 samba_var_t:dir search_dir_perms; ') @@ -412,7 +411,6 @@ interface(`samba_read_var_files',` type samba_var_t; ') - files_search_var($1) files_search_var_lib($1) read_files_pattern($1, samba_var_t, samba_var_t) ') @@ -452,7 +450,6 @@ interface(`samba_rw_var_files',` type samba_var_t; ') - files_search_var($1) files_search_var_lib($1) rw_files_pattern($1, samba_var_t, samba_var_t) ') @@ -473,7 +470,6 @@ interface(`samba_manage_var_files',` type samba_var_t; ') - files_search_var($1) files_search_var_lib($1) manage_files_pattern($1, samba_var_t, samba_var_t) manage_lnk_files_pattern($1, samba_var_t, samba_var_t) @@ -761,9 +757,8 @@ interface(`samba_admin',` type smbd_t, smbd_tmp_t, samba_secrets_t; type samba_initrc_exec_t, samba_log_t, samba_var_t; type samba_etc_t, samba_share_t, winbind_log_t; - type swat_var_run_t, swat_tmp_t; - type winbind_var_run_t, winbind_tmp_t; - type samba_unconfined_script_t, samba_unconfined_script_exec_t; + type swat_var_run_t, swat_tmp_t, samba_unconfined_script_exec_t; + type winbind_var_run_t, winbind_tmp_t, samba_unconfined_script_t; ') allow $1 smbd_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/setroubleshoot.if b/policy/modules/services/setroubleshoot.if index a7fbedc..d9f5dbc 100644 --- a/policy/modules/services/setroubleshoot.if +++ b/policy/modules/services/setroubleshoot.if @@ -136,8 +136,8 @@ interface(`setroubleshoot_fixit_dontaudit_leaks',` # interface(`setroubleshoot_admin',` gen_require(` - type setroubleshootd_t, setroubleshoot_var_log_t; - type setroubleshoot_var_lib_t, setroubleshoot_var_run_t; + type setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_run_t; + type setroubleshoot_var_lib_t; ') allow $1 setroubleshootd_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if index 6aa68d8..bfdf197 100644 --- a/policy/modules/services/snmp.if +++ b/policy/modules/services/snmp.if @@ -125,9 +125,8 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',` # interface(`snmp_admin',` gen_require(` - type snmpd_t, snmpd_log_t; + type snmpd_t, snmpd_log_t, snmpd_initrc_exec_t; type snmpd_var_lib_t, snmpd_var_run_t; - type snmpd_initrc_exec_t; ') allow $1 snmpd_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/soundserver.if b/policy/modules/services/soundserver.if index 93fe7bf..4a15633 100644 --- a/policy/modules/services/soundserver.if +++ b/policy/modules/services/soundserver.if @@ -33,9 +33,8 @@ interface(`soundserver_tcp_connect',` # interface(`soundserver_admin',` gen_require(` - type soundd_t, soundd_etc_t; + type soundd_t, soundd_etc_t, soundd_initrc_exec_t; type soundd_tmp_t, soundd_var_run_t; - type soundd_initrc_exec_t; ') allow $1 soundd_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if index dc4f590..1d0c078 100644 --- a/policy/modules/services/squid.if +++ b/policy/modules/services/squid.if @@ -206,8 +206,7 @@ interface(`squid_use',` interface(`squid_admin',` gen_require(` type squid_t, squid_cache_t, squid_conf_t; - type squid_log_t, squid_var_run_t; - type squid_initrc_exec_t; + type squid_log_t, squid_var_run_t, squid_initrc_exec_t; ') allow $1 squid_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/varnishd.if b/policy/modules/services/varnishd.if index 0f8e213..fe5ce10 100644 --- a/policy/modules/services/varnishd.if +++ b/policy/modules/services/varnishd.if @@ -58,7 +58,7 @@ interface(`varnishd_read_config',` ##################################### ## -## Read varnish lib files. +## Read varnish lib files. ## ## ## @@ -151,8 +151,8 @@ interface(`varnishd_manage_log',` # interface(`varnishd_admin_varnishlog',` gen_require(` - type varnishlog_t, varnishlog_initrc_exec_t; - type varnishlog_var_run_t, varnishlog_log_t; + type varnishlog_t, varnishlog_initrc_exec_t, varnishlog_log_t; + type varnishlog_var_run_t; ') allow $1 varnishlog_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if index e584e21..f98efcb 100644 --- a/policy/modules/services/virt.if +++ b/policy/modules/services/virt.if @@ -596,7 +596,7 @@ interface(`virt_transition_svirt',` ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # diff --git a/policy/modules/services/vnstatd.if b/policy/modules/services/vnstatd.if index 6144fb1..14f8906 100644 --- a/policy/modules/services/vnstatd.if +++ b/policy/modules/services/vnstatd.if @@ -1,15 +1,13 @@ - ## policy for vnstatd - ######################################## ## ## Execute a domain transition to run vnstatd. ## ## -## +## ## Domain allowed access. -## +## ## # interface(`vnstatd_domtrans',` @@ -20,16 +18,14 @@ interface(`vnstatd_domtrans',` domtrans_pattern($1, vnstatd_exec_t, vnstatd_t) ') - - ######################################## ## ## Execute a domain transition to run vnstat. ## ## -## +## ## Domain allowed access. -## +## ## # interface(`vnstatd_domtrans_vnstat',` @@ -75,7 +71,7 @@ interface(`vnstatd_read_lib_files',` ') files_search_var_lib($1) - read_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) + read_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) ') ######################################## @@ -95,7 +91,7 @@ interface(`vnstatd_manage_lib_files',` ') files_search_var_lib($1) - manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) + manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) ') ######################################## @@ -114,7 +110,7 @@ interface(`vnstatd_manage_lib_dirs',` ') files_search_var_lib($1) - manage_dirs_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) + manage_dirs_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) ') @@ -137,8 +133,7 @@ interface(`vnstatd_manage_lib_dirs',` # interface(`vnstatd_admin',` gen_require(` - type vnstatd_t; - type vnstatd_var_lib_t; + type vnstatd_t, vnstatd_var_lib_t; ') allow $1 vnstatd_t:process { ptrace signal_perms }; @@ -146,5 +141,4 @@ interface(`vnstatd_admin',` files_list_var_lib($1) admin_pattern($1, vnstatd_var_lib_t) - ') diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index 9328c63..999066e 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -47,7 +47,7 @@ interface(`xserver_restricted_role',` manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t) - allow $2 xserver_tmp_t:sock_file unlink; + allow $2 xserver_tmp_t:sock_file delete_sock_file_perms; files_search_tmp($2) # Communicate via System V shared memory. @@ -243,7 +243,7 @@ interface(`xserver_rw_session',` type xserver_t, xserver_tmpfs_t; ') - xserver_ro_session($1,$2) + xserver_ro_session($1, $2) allow $1 xserver_t:shm rw_shm_perms; allow $1 xserver_tmpfs_t:file rw_file_perms; ') @@ -271,7 +271,7 @@ interface(`xserver_non_drawing_client',` allow $1 self:x_gc { create setattr }; - allow $1 xdm_var_run_t:dir search; + allow $1 xdm_var_run_t:dir search_dir_perms; allow $1 xserver_t:unix_stream_socket connectto; allow $1 xextension_t:x_extension { query use }; @@ -313,7 +313,7 @@ interface(`xserver_user_client',` # for when /tmp/.X11-unix is created by the system allow $1 xdm_t:fd use; allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms; - allow $1 xdm_tmp_t:dir search; + allow $1 xdm_tmp_t:dir search_dir_perms; allow $1 xdm_tmp_t:sock_file { read write }; dontaudit $1 xdm_t:tcp_socket { read write }; @@ -358,7 +358,7 @@ interface(`xserver_user_client',` # template(`xserver_common_x_domain_template',` gen_require(` - type root_xdrawable_t; + type root_xdrawable_t, xdm_t, xserver_t; type xproperty_t, $1_xproperty_t; type xevent_t, client_xevent_t; type input_xevent_t, $1_input_xevent_t; @@ -375,7 +375,6 @@ template(`xserver_common_x_domain_template',` class x_screen { saver_setattr saver_hide saver_show }; class x_pointer { get_property set_property manage }; class x_keyboard { read manage }; - type xdm_t, xserver_t; ') ############################## @@ -474,8 +473,8 @@ template(`xserver_object_types_template',` # template(`xserver_user_x_domain_template',` gen_require(` - type xdm_t, xdm_tmp_t; - type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t; + type xdm_t, xdm_tmp_t, xserver_tmpfs_t; + type xauth_home_t, iceauth_home_t, xserver_t; ') allow $2 self:shm create_shm_perms; @@ -787,8 +786,7 @@ interface(`xserver_stream_connect_xdm',` files_search_tmp($1) files_search_pids($1) - stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t) - stream_connect_pattern($1, xdm_var_run_t, xdm_var_run_t, xdm_t) + stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, xdm_t) ') ######################################## diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if index 78fc104..4f2dde8 100644 --- a/policy/modules/services/zarafa.if +++ b/policy/modules/services/zarafa.if @@ -98,5 +98,5 @@ interface(`zarafa_stream_connect_server',` ') files_search_var_lib($1) - stream_connect_pattern($1, zarafa_server_t, zarafa_server_var_run_t, zarafa_server_t) + stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t) ') diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if index 5860687..347f754 100644 --- a/policy/modules/services/zebra.if +++ b/policy/modules/services/zebra.if @@ -61,8 +61,7 @@ interface(`zebra_stream_connect',` interface(`zebra_admin',` gen_require(` type zebra_t, zebra_tmp_t, zebra_log_t; - type zebra_conf_t, zebra_var_run_t; - type zebra_initrc_exec_t; + type zebra_conf_t, zebra_var_run_t, zebra_initrc_exec_t; ') allow $1 zebra_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/zosremote.if b/policy/modules/services/zosremote.if index 1d24e1e..13f0eef 100644 --- a/policy/modules/services/zosremote.if +++ b/policy/modules/services/zosremote.if @@ -34,6 +34,7 @@ interface(`zosremote_domtrans',` ## Role allowed access. ## ## +## # interface(`zosremote_run',` gen_require(` diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 447aaec..666a58f 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1207,12 +1207,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) - read_files_pattern($1, initrc_t, initrc_t) - read_lnk_files_pattern($1, initrc_t, initrc_t) - list_dirs_pattern($1, initrc_t, initrc_t) - - # should move this to separate interface - allow $1 initrc_t:process getattr; + ps_process_pattern($1, initrc_t) ') ########################################