diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index 43060de..91b6f8c 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -26,10 +26,10 @@ define(`cron_per_userdomain_template',`
 #
 allow $1_crond_t self:capability dac_override;
- allow $1_crond_t self:process { sigkill sigstop signull signal setsched };
- allow $1_crond_t self:fifo_file { read getattr write append };
- allow $1_crond_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
- allow $1_crond_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+ allow $1_crond_t self:process signal_perms;
+ allow $1_crond_t self:fifo_file rw_file_perms;
+ allow $1_crond_t self:unix_stream_socket create_socket_perms;
+ allow $1_crond_t self:unix_dgram_socket create_stream_socket_perms;
 # The entrypoint interface is not used as this is not
 # a regular entrypoint. Since crontab files are
@@ -96,7 +96,7 @@ define(`cron_per_userdomain_template',`
 miscfiles_read_localization($1_crond_t)
 tunable_policy(`fcron_crond', `
- allow crond_t $1_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow crond_t $1_cron_spool_t:file create_file_perms;
 ')
 ifdef(`TODO',`
@@ -111,7 +111,7 @@ define(`cron_per_userdomain_template',`
 ifdef(`mta.te', `
 domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t)
- allow $1_crond_t sendmail_exec_t:lnk_file { getattr read };
+ allow $1_crond_t sendmail_exec_t:lnk_file r_file_perms;
 # $1_mail_t should only be reading from the cron fifo not needing to write
 dontaudit $1_mail_t crond_t:fifo_file write;
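Review bot: The two unix socket lines in the first cron.if hunk are crossed: `unix_stream_socket` receives `create_socket_perms` while `unix_dgram_socket` receives `create_stream_socket_perms`, the reverse of the sets being removed, where only the stream line carried `listen accept`. As written, $1_crond_t loses listen/accept on its stream socket and is granted them on the datagram socket, a functional regression on one class and a wider grant than the original on the other. The cron.te hunk in this same commit maps the pair the other way round, which is presumably what was intended here too. Swap the two macros: `+ allow $1_crond_t self:unix_stream_socket create_stream_socket_perms;` and `+ allow $1_crond_t self:unix_dgram_socket create_socket_perms;`. The enclosing cron_per_userdomain_template definition begins and ends outside the hunk.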
@@ -122,7 +122,7 @@ define(`cron_per_userdomain_template',`
 can_ypbind($1_crond_t)
 allow $1_crond_t var_spool_t:dir search;
 allow $1_crond_t var_t:dir r_dir_perms;
- allow $1_crond_t var_t:file { getattr read ioctl };
+ allow $1_crond_t var_t:file r_file_perms;
 # quiet other ps operations
 dontaudit $1_crond_t domain:dir { getattr search };
@@ -137,21 +137,21 @@ define(`cron_per_userdomain_template',`
 allow $1_t $1_crontab_t:process signal;
 # Allow crond to read those crontabs in cron spool.
- allow crond_t $1_cron_spool_t:file { getattr read };
+ allow crond_t $1_cron_spool_t:file r_file_perms;
 # dac_override is to create the file in the directory under /tmp
 allow $1_crontab_t self:capability { setuid setgid chown dac_override };
- allow $1_crontab_t self:process { sigkill sigstop signull signal };
+ allow $1_crontab_t self:process signal_perms;
 # create files in /var/spool/cron
- allow $1_crontab_t $1_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
- allow $1_crontab_t cron_spool_t:dir { getattr search read write add_name remove_name };
+ allow $1_crontab_t $1_cron_spool_t:file create_file_perms;
+ allow $1_crontab_t cron_spool_t:dir rw_dir_perms;
 type_transition $1_crontab_t $1_cron_spool_t:file system_crond_tmp_t;
 # crontab signals crond by updating the mtime on the spooldir
 allow $1_crontab_t cron_spool_t:dir setattr;
- allow $1_crontab_t crond_log_t:file { getattr read append };
+ allow $1_crontab_t crond_log_t:file ra_file_perms;
 fs_get_persistent_fs_attributes($1_crontab_t)
@@ -201,9 +201,9 @@ define(`cron_per_userdomain_template',`
 dontaudit $1_crontab_t $1_home_dir_t:dir write;
 # Access terminals.
- allow $1_crontab_t devpts_t:dir { read search getattr };
- allow $1_crontab_t $1_tty_device_t:chr_file { read write getattr ioctl };
- allow $1_crontab_t $1_devpts_t:chr_file { read write getattr ioctl };
+ allow $1_crontab_t devpts_t:dir r_dir_perms;
+ allow $1_crontab_t $1_tty_device_t:chr_file rw_file_perms;
+ allow $1_crontab_t $1_devpts_t:chr_file rw_file_perms;
 # Inherit and use descriptors from gnome-pty-helper.
 ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;')
@@ -246,7 +246,7 @@ define(`cron_admin_template',`
 define(`cron_modify_log',`
 requires_block_template(`$0'_depend)
- allow $1 crond_log_t:file { getattr read write ioctl lock append };
+ allow $1 crond_log_t:file rw_file_perms;
 ')
 define(`cron_modify_log_depend',`
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 515880f..d1c045e 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -54,29 +54,29 @@ dontaudit crond_t self:capability { sys_resource sys_tty_config };
 allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
 allow crond_t self:process setexec;
 allow crond_t self:fd use;
-allow crond_t self:fifo_file { read getattr lock ioctl write append };
-allow crond_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow crond_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow crond_t self:fifo_file rw_file_perms;
+allow crond_t self:unix_dgram_socket create_socket_perms;
+allow crond_t self:unix_stream_socket create_stream_socket_perms;
 allow crond_t self:unix_dgram_socket sendto;
 allow crond_t self:unix_stream_socket connectto;
-allow crond_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow crond_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow crond_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow crond_t self:shm create_shm_perms;
+allow crond_t self:sem create_sem_perms;
+allow crond_t self:msgq create_msgq_perms;
 allow crond_t self:msg { send receive };
-allow crond_t crond_log_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow crond_t crond_log_t:file create_file_perms;
 allow crond_t crond_var_run_t:file create_file_perms;
 files_create_daemon_runtime_data(crond_t,crond_var_run_t)
-allow crond_t crond_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow crond_t crond_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow crond_t crond_tmp_t:dir create_dir_perms;
+allow crond_t crond_tmp_t:file create_file_perms;
 files_create_private_tmp_data(crond_t, crond_tmp_t, { file dir })
-allow crond_t cron_spool_t:dir { getattr search read };
-allow crond_t cron_spool_t:file { getattr read };
-allow crond_t system_cron_spool_t:dir { getattr search read };
-allow crond_t system_cron_spool_t:file { getattr read };
+allow crond_t cron_spool_t:dir r_dir_perms;
+allow crond_t cron_spool_t:file r_file_perms;
+allow crond_t system_cron_spool_t:dir r_dir_perms;
+allow crond_t system_cron_spool_t:file r_file_perms;
 kernel_read_kernel_sysctl(crond_t)
 kernel_read_hardware_state(crond_t)
@@ -121,7 +121,7 @@ miscfiles_read_localization(crond_t)
 userdomain_use_all_unprivileged_users_file_descriptors(crond_t)
 tunable_policy(`fcron_crond', `
- allow crond_t system_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow crond_t system_cron_spool_t:file create_file_perms;
 ')
 ifdef(`targeted_policy', `
@@ -184,8 +184,8 @@ allow system_crond_t rpm_log_t:file create_file_perms;
 #
 allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
-allow system_crond_t self:process { sigkill sigstop signull signal setsched };
-allow system_crond_t self:fifo_file { read getattr write append };
+allow system_crond_t self:process signal_perms;
+allow system_crond_t self:fifo_file rw_file_perms;
 allow system_crond_t self:passwd rootok;
 # The entrypoint interface is not used as this is not
@@ -197,7 +197,7 @@ allow system_crond_t self:passwd rootok;
 # for this purpose.
 allow system_crond_t system_cron_spool_t:file entrypoint;
-allow system_crond_t system_cron_spool_t:file { getattr read };
+allow system_crond_t system_cron_spool_t:file r_file_perms;
 # Permit a transition from the crond_t domain to this domain.
 # The transition is requested explicitly by the modified crond
@@ -211,23 +211,23 @@ allow system_crond_t crond_t:fifo_file rw_file_perms;
 allow system_crond_t crond_t:process sigchld;
 # Write /var/lock/makewhatis.lock.
-allow system_crond_t system_crond_lock_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow system_crond_t system_crond_lock_t:file create_file_perms;
 files_create_private_lock_file(system_crond_t,system_crond_lock_t)
 # write temporary files
-allow system_crond_t system_crond_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow system_crond_t system_crond_tmp_t:file createfile_perms;
 files_create_private_tmp_data(system_crond_t,system_crond_tmp_t)
 # write temporary files in crond tmp dir:
-allow system_crond_t crond_tmp_t:dir { getattr search read write add_name remove_name };
+allow system_crond_t crond_tmp_t:dir rw_dir_perms;
 type_transition system_crond_t crond_tmp_t:file system_crond_tmp_t;
 # Read from /var/spool/cron.
-allow system_crond_t cron_spool_t:dir { getattr search read };
-allow system_crond_t cron_spool_t:file { getattr read };
+allow system_crond_t cron_spool_t:dir r_dir_perms;
+allow system_crond_t cron_spool_t:file r_file_perms;
 # Access crond log files
-allow system_crond_t crond_log_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow system_crond_t crond_log_t:file create_file_perms;
 logging_create_private_log(system_crond_t,crond_log_t)
 kernel_read_kernel_sysctl(system_crond_t)
@@ -323,7 +323,7 @@ allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
 allow system_crond_t initctl_t:fifo_file write;
 allow system_crond_t var_t:dir r_dir_perms;
-allow system_crond_t var_t:file { getattr read ioctl };
+allow system_crond_t var_t:file r_file_perms;
 # Write to /var/lib/slocate.db.
 allow system_crond_t var_lib_t:dir rw_dir_perms;
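Review bot: `createfile_perms` in `+allow system_crond_t system_crond_tmp_t:file createfile_perms;` is a misspelling of `create_file_perms`, the macro the neighbouring system_crond_lock_t and crond_log_t lines in this same hunk use. An unknown name is presumably passed through m4 unexpanded and then rejected by the policy compiler as an undefined permission, so the module will not build until it is fixed; had it been silently dropped, system_crond_t would lose all access to its own temporary files. The line should read `+allow system_crond_t system_crond_tmp_t:file create_file_perms;`.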
@@ -345,7 +345,7 @@ allow system_crond_su_t crond_t:fifo_file ioctl;
 # Required for webalizer
 #
 ifdef(`apache.te', `
-allow system_crond_t httpd_log_t:file { getattr read };
+allow system_crond_t httpd_log_t:file r_file_perms;
 ')
 ifdef(`distro_redhat', `
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 220ae94..1fb9daf 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -23,21 +23,18 @@ define(`mta_per_userdomain_template',`
 #
 allow $1_mail_t self:capability { setuid setgid chown };
- allow $1_mail_t self:process { sigkill sigstop signull signal setrlimit };
+ allow $1_mail_t self:process { signal_perms setrlimit };
 # tcp networking
- allow $1_mail_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
+ allow $1_mail_t self:tcp_socket create_socket_perms;
 # re-exec itself
- allow $1_mail_t sendmail_exec_t:file { getattr read execute execute_no_trans };
- allow $1_mail_t sendmail_exec_t:lnk_file { getattr read };
+ can_exec($1_mail_t, sendmail_exec_t)
+ allow $1_mail_t sendmail_exec_t:lnk_file r_file_perms;
 # Transition from the user domain to the derived domain.
- allow $1_t sendmail_exec_t:file { getattr read execute execute_no_trans };
- allow $1_t sendmail_exec_t:lnk_file { getattr read };
- allow $1_t $1_mail_t:process transition;
- type_transition $1_t sendmail_exec_t:process $1_mail_t;
- dontaudit $1_t $1_mail_t:process { noatsecure siginh rlimitinh };
+ can_exec($1_t, sendmail_exec_t)
+ domain_auto_trans($1_t, sendmail_exec_t, $1_mail_t)
 allow $1_t $1_mail_t:fd use;
 allow $1_mail_t $1_t:fd use;
@@ -69,7 +66,7 @@ define(`mta_per_userdomain_template',`
 sysnetwork_read_network_config($1_mail_t)
 tunable_policy(`use_dns',`
- allow $1_mail_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+ allow $1_mail_t self:udp_socket create_socket_perms;
 corenetwork_sendrecv_udp_on_all_interfaces($1_mail_t)
 corenetwork_sendrecv_udp_on_all_nodes($1_mail_t)
 corenetwork_bind_udp_on_all_nodes($1_mail_t)
@@ -102,16 +99,16 @@ define(`mta_per_userdomain_template',`
 allow $1_mail_t $1_tmp_t:file write;
 ')
- allow mta_user_agent $1_tmp_t:file { read getattr };
+ allow mta_user_agent $1_tmp_t:file r_file_perms;
 # Write to the user domain tty.
- allow mta_user_agent $1_tty_device_t:chr_file { read write getattr ioctl };
- allow mta_user_agent devpts_t:dir { read search getattr };
- allow mta_user_agent $1_devpts_t:chr_file { read write getattr ioctl };
+ allow mta_user_agent $1_tty_device_t:chr_file rw_file_perms;
+ allow mta_user_agent devpts_t:dir r_dir_perms;
+ allow mta_user_agent $1_devpts_t:chr_file rw_file_perms;
- allow $1_mail_t $1_tty_device_t:chr_file { read write getattr ioctl };
- allow $1_mail_t devpts_t:dir { read search getattr };
- allow $1_mail_t $1_devpts_t:chr_file { read write getattr ioctl };
+ allow $1_mail_t $1_tty_device_t:chr_file rw_file_perms;
+ allow $1_mail_t devpts_t:dir r_dir_perms;
+ allow $1_mail_t $1_devpts_t:chr_file rw_file_perms;
 # Inherit and use descriptors from gnome-pty-helper.
 ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;')
@@ -179,11 +176,8 @@ define(`mta_make_sendmail_mailserver_domain_depend',`
 define(`mta_send_mail',`
 requires_block_template(`$0'_depend)
- allow $1 sendmail_exec_t:lnk_file { getattr read };
- allow $1 sendmail_exec_t:file { getattr read execute };
- allow $1 system_mail_t:process transition;
- type_transition $1 sendmail_exec_t:process system_mail_t;
- dontaudit $1 system_mail_t:process { noatsecure siginh rlimitinh };
+ allow $1 sendmail_exec_t:lnk_file r_file_perms;
+ domain_auto_trans($1, sendmail_exec_t, system_mail_t)
 allow $1 system_mail_t:fd use;
 allow system_mail_t $1:fd use;
@@ -195,7 +189,7 @@ define(`mta_send_mail_depend',`
 type system_mail_t, sendmail_exec_t;
 class file { getattr read execute };
- class lnk_file { getattr read };
+ class lnk_file r_file_perms;
 class process { transition noatsecure siginh rlimitinh sigchld };
 class fd use;
 class fifo_file rw_file_perms;
@@ -208,7 +202,7 @@ define(`mta_send_mail_depend',`
 define(`mta_execute',`
 requires_block_template(`$0'_depend)
- allow $1 sendmail_exec_t:file { getattr read execute execute_no_trans };
+ can_exec($1, sendmail_exec_t)
 ')
 define(`mta_execute_depend',`
@@ -231,13 +225,13 @@ define(`mta_execute_depend',`
 define(`mta_read_mail_aliases',`
 requires_block_template(`$0'_depend)
- allow $1 etc_aliases_t:file { getattr read };
+ allow $1 etc_aliases_t:file r_file_perms;
 ')
 define(`mta_read_mail_aliases_depend',`
 type etc_aliases_t;
- class file { getattr read };
+ class file r_file_perms;
 ')
 #######################################
@@ -247,13 +241,13 @@ define(`mta_read_mail_aliases_depend',`
 define(`mta_modify_mail_aliases',`
 requires_block_template(`$0'_depend)
- allow sendmail_t etc_aliases_t:file { getattr read write append setattr };
+ allow sendmail_t etc_aliases_t:file { rw_file_perms setattr };
 ')
 define(`mta_modify_mail_aliases_depend',`
 type etc_aliases_t;
- class file { getattr read write append setattr };
+ class file { rw_file_perms setattr };
 ')
 #######################################
@@ -285,15 +279,15 @@ define(`mta_modify_mail_spool',`
 requires_block_template(`$0'_depend)
 files_search_system_spool_directory($1)
- allow $1 mail_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
- allow $1 mail_spool_t:file { getattr read write append setattr };
+ allow $1 mail_spool_t:dir rw_dir_perms;
+ allow $1 mail_spool_t:file { rw_file_perms setattr };
 ')
 define(`mta_modify_mail_spool_depend',`
 type mail_spool_t;
- class dir { read getattr lock search ioctl add_name remove_name write };
- class file { create ioctl read getattr lock write setattr append link unlink rename };
+ class dir rw_dir_perms;
+ class file { rw_file_perms setattr };
 ')
 #######################################
@@ -304,15 +298,15 @@ define(`mta_manage_mail_spool',`
 requires_block_template(`$0'_depend)
 files_search_system_spool_directory($1)
- allow $1 mail_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
- allow $1 mail_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow $1 mail_spool_t:dir rw_dir_perms;
+ allow $1 mail_spool_t:file create_file_perms;
 ')
 define(`mta_manage_mail_spool_depend',`
 type mail_spool_t;
- class dir { read getattr lock search ioctl add_name remove_name write };
- class file { create ioctl read getattr lock write setattr append link unlink rename };
+ class dir rw_dir_perms;
+ class file create_file_perms;
 ')
 #######################################
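Review bot: The rewritten line in mta_modify_mail_aliases, `+ allow sendmail_t etc_aliases_t:file { rw_file_perms setattr };`, still names `sendmail_t` as the subject while every other interface touched in this file grants to its `$1` argument, so the interface ignores its caller and always widens sendmail_t instead. This predates the commit, but since the line is being rewritten it is the moment to decide whether `$1` was meant; if so the fix is `+ allow $1 etc_aliases_t:file { rw_file_perms setattr };`, and the depend block already declares only the type and class, so it needs no change. If sendmail_t is intentional, a one-line comment saying so above the allow would stop the next reader from asking the same question.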
@@ -322,15 +316,15 @@ define(`mta_manage_mail_spool_depend',`
 define(`mta_manage_mail_queue',`
 requires_block_template(`$0'_depend)
- allow $1 mqueue_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
- allow $1 mqueue_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow $1 mqueue_spool_t:dir rw_dir_perms;
+ allow $1 mqueue_spool_t:file create_file_perms;
 ')
 define(`mta_manage_mail_queue_depend',`
 type mqueue_spool_t;
- class dir { read getattr lock search ioctl add_name remove_name write };
- class file { create ioctl read getattr lock write setattr append link unlink rename }
+ class dir rw_dir_perms;
+ class file create_file_perms;
 ')
 ##
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 1e7cb0b..bd69aba 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -41,13 +41,13 @@ init_make_system_domain(system_mail_t,sendmail_exec_t)
 #
 allow system_mail_t self:capability { setuid setgid chown };
-allow system_mail_t self:process { sigkill sigstop signull signal setrlimit };
+allow system_mail_t self:process { signal_perms setrlinit };
-allow system_mail_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
+allow system_mail_t self:tcp_socket create_socket_perms;
 # re-exec itself
-allow system_mail_t sendmail_exec_t:file { getattr read execute execute_no_trans };
-allow system_mail_t sendmail_exec_t:lnk_file { getattr read };
+can_exec(system_mail_t, sendmail_exec_t)
+allow system_mail_t sendmail_exec_t:lnk_file r_file_perms;
 kernel_read_kernel_sysctl(system_mail_t)
 kernel_read_system_state(system_mail_t)
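Review bot: `setrlinit` in the mta.te line `+allow system_mail_t self:process { signal_perms setrlinit };` is a typo for `setrlimit`, the permission the removed line granted; the process class has no such permission, so the policy will not compile, and if it were ever corrected to anything other than setrlimit, system_mail_t would silently lose the ability to set its own resource limits. The per-user counterpart in the mta.if hunk of this same commit spells it correctly as `{ signal_perms setrlimit }`. Change the line to `+allow system_mail_t self:process { signal_perms setrlimit };`.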
@@ -83,7 +83,7 @@ miscfiles_read_localization(system_mail_t)
 sysnetwork_read_network_config(system_mail_t)
 tunable_policy(`use_dns',`
- allow system_mail_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+ allow system_mail_t self:udp_socket create_socket_perms;
 corenetwork_sendrecv_udp_on_all_interfaces(system_mail_t)
 corenetwork_sendrecv_udp_on_all_nodes(system_mail_t)
 corenetwork_bind_udp_on_all_nodes(system_mail_t)
@@ -130,8 +130,8 @@ allow privmail sendmail_exec_t:lnk_file { getattr read };
 ifdef(`crond.te', `
 # Read cron temporary files.
-allow system_mail_t system_crond_tmp_t:file { read getattr ioctl };
-allow mta_user_agent system_crond_tmp_t:file { read getattr };
+allow system_mail_t system_crond_tmp_t:file r_file_perms;
+allow mta_user_agent system_crond_tmp_t:file r_file_perms;
 ')
 ifdef(`qmail.te', `
@@ -156,16 +156,16 @@ libraries_execute_library_scripts(system_mail_t)
 allow system_mail_t { var_t var_spool_t }:dir getattr;
-allow system_mail_t mqueue_spool_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow system_mail_t mqueue_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow system_mail_t mqueue_spool_t:lnk_file { create read getattr setattr link unlink rename };
+allow system_mail_t mqueue_spool_t:dir create_dir_perms;
+allow system_mail_t mqueue_spool_t:file create_file_perms;
+allow system_mail_t mqueue_spool_t:lnk_file create_lnk_perms;
-allow system_mail_t mail_spool_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow system_mail_t mail_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow system_mail_t mail_spool_t:lnk_file { create read getattr setattr link unlink rename };
+allow system_mail_t mail_spool_t:dir create_dir_perms;
+allow system_mail_t mail_spool_t:file create_file_perms;
+allow system_mail_t mail_spool_t:lnk_file create_lnk_perms;
 allow system_mail_t mail_spool_t:fifo_file rw_file_perms;
-allow system_mail_t etc_mail_t:file { getattr read };
+allow system_mail_t etc_mail_t:file r_file_perms;
 ', ` dnl if not targeted policy:
 optional_policy(`sendmail.te', `
 # sendmail has an ugly design, the one process parses input from the user and
@@ -209,16 +209,16 @@ ra_dir_create_file(mta_delivery_agent, mail_spool_t)
 can_exec(mta_delivery_agent, shell_exec_t)
 allow mta_delivery_agent bin_t:dir search;
 allow mta_delivery_agent bin_t:lnk_file read;
-allow mta_delivery_agent { etc_runtime_t proc_t }:file { getattr read };
+allow mta_delivery_agent { etc_runtime_t proc_t }:file r_file_perms;
 # Transition from a system domain to the derived domain.
 domain_auto_trans(privmail, sendmail_exec_t, system_mail_t)
-allow privmail sendmail_exec_t:lnk_file { getattr read };
+allow privmail sendmail_exec_t:lnk_file r_file_perms;
 ifdef(`crond.te', `
 # Read cron temporary files.
-allow system_mail_t system_crond_tmp_t:file { read getattr ioctl };
-allow mta_user_agent system_crond_tmp_t:file { read getattr };
+allow system_mail_t system_crond_tmp_t:file r_file_perms;
+allow mta_user_agent system_crond_tmp_t:file r_file_perms;
 ')
 ') dnl end TODO
diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te
index 71979af..c1ba352 100644
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ b/refpolicy/policy/modules/services/remotelogin.te
@@ -27,18 +27,18 @@ allow remote_login_t self:capability { dac_override chown fowner fsetid kill set
 allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
 allow remote_login_t self:process { setrlimit setexec };
 allow remote_login_t self:fd use;
-allow remote_login_t self:fifo_file { read getattr lock ioctl write append };
-allow remote_login_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow remote_login_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow remote_login_t self:fifo_file rw_file_perms;
+allow remote_login_t self:unix_dgram_socket create_socket_perms;
+allow remote_login_t self:unix_stream_socket create_stream_socket_perms;
 allow remote_login_t self:unix_dgram_socket sendto;
 allow remote_login_t self:unix_stream_socket connectto;
-allow remote_login_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow remote_login_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow remote_login_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow remote_login_t self:shm create_shm_perms;
+allow remote_login_t self:sem create_sem_perms;
+allow remote_login_t self:msgq create_msgq_perms;
 allow remote_login_t self:msg { send receive };
-allow remote_login_t remote_login_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow remote_login_t remote_login_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow remote_login_t remote_login_tmp_t:dir create_dir_perms;
+allow remote_login_t remote_login_tmp_t:file create_file_perms;
 files_create_private_tmp_data(remote_login_t, remote_login_tmp_t, { file dir })
 kernel_read_system_state(remote_login_t)
@@ -113,7 +113,7 @@ allow remote_login_t device_t:lnk_file r_file_perms;
 dontaudit remote_login_t sysfs_t:dir search;
-allow remote_login_t autofs_t:dir { search read getattr };
+allow remote_login_t autofs_t:dir r_dir_perms;
 allow remote_login_t mnt_t:dir r_dir_perms;
 if (use_nfs_home_dirs) {
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index d5f9ac4..0af0e48 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -24,16 +24,16 @@ files_make_daemon_runtime_file(sendmail_var_run_t)
 #
 allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config };
-allow sendmail_t self:fifo_file { getattr read write append ioctl lock };
-allow sendmail_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
-allow sendmail_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow sendmail_t self:fifo_file rw_file_perms;
+allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
+allow sendmail_t self:unix_dgram_socket create_socket_perms;
-allow sendmail_t sendmail_log_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow sendmail_t sendmail_log_t:dir { getattr search read lock ioctl add_name remove_name write setattr };
+allow sendmail_t sendmail_log_t:file create_file_perms;
+allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };
 logging_create_private_log(sendmail_t,sendmail_log_t,{ file dir })
-allow sendmail_t sendmail_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow sendmail_t sendmail_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow sendmail_t sendmail_tmp_t:dir create_dir_perms;
+allow sendmail_t sendmail_tmp_t:file create_file_perms;
 files_create_private_tmp_data(sendmail_t, sendmail_tmp_t, { file dir })
 allow sendmail_t sendmail_var_run_t:file { getattr create read write append setattr unlink };