diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index f423376..5c1c23b 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -200,6 +200,8 @@ template(`apache_content_template',`
 corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
 corenet_tcp_connect_postgresql_port(httpd_$1_script_t)
 corenet_tcp_connect_mysqld_port(httpd_$1_script_t)
+ corenet_sendrecv_postgresql_client_packets(httpd_$1_script_t)
+ corenet_sendrecv_mysqld_client_packets(httpd_$1_script_t)
 sysnet_read_config(httpd_$1_script_t)
 ')
@@ -216,6 +218,7 @@ template(`apache_content_template',`
 corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
 corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
 corenet_tcp_connect_all_ports(httpd_$1_script_t)
+ corenet_sendrecv_all_client_packets(httpd_$1_script_t)
 sysnet_read_config(httpd_$1_script_t)
 ')
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index d4ecc88..138d4bd 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
-policy_module(apache,1.3.11)
+policy_module(apache,1.3.12)
 #
 # NOTES:
@@ -301,6 +301,8 @@ tunable_policy(`httpd_can_network_connect_db',`
 # allow httpd to connect to mysql/posgresql
 corenet_tcp_connect_postgresql_port(httpd_t)
 corenet_tcp_connect_mysqld_port(httpd_t)
+ corenet_sendrecv_postgresql_client_packets(httpd_t)
+ corenet_sendrecv_mysqld_client_packets(httpd_t)
 ')
 tunable_policy(`httpd_can_network_relay',`
@@ -309,6 +311,10 @@ tunable_policy(`httpd_can_network_relay',`
 corenet_tcp_connect_ftp_port(httpd_t)
 corenet_tcp_connect_http_port(httpd_t)
 corenet_tcp_connect_http_cache_port(httpd_t)
+ corenet_sendrecv_gopher_client_packets(httpd_t)
+ corenet_sendrecv_ftp_client_packets(httpd_t)
+ corenet_sendrecv_http_client_packets(httpd_t)
+ corenet_sendrecv_http_cache_client_packets(httpd_t)
 ')
 tunable_policy(`httpd_enable_cgi',`
@@ -573,6 +579,7 @@ tunable_policy(`httpd_can_network_connect',`
 corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
 corenet_udp_sendrecv_all_ports(httpd_suexec_t)
 corenet_tcp_connect_all_ports(httpd_suexec_t)
+ corenet_sendrecv_all_client_packets(httpd_suexec_t)
 sysnet_read_config(httpd_suexec_t)
 ')
diff --git a/refpolicy/policy/modules/services/asterisk.te b/refpolicy/policy/modules/services/asterisk.te
index 5f4eaa4..7c32504 100644
--- a/refpolicy/policy/modules/services/asterisk.te
+++ b/refpolicy/policy/modules/services/asterisk.te
@@ -1,5 +1,5 @@
-policy_module(asterisk,1.0.1)
+policy_module(asterisk,1.0.2)
 ########################################
 #
@@ -97,9 +97,11 @@ corenet_tcp_bind_all_nodes(asterisk_t)
 corenet_udp_bind_all_nodes(asterisk_t)
 corenet_tcp_bind_asterisk_port(asterisk_t)
 corenet_udp_bind_asterisk_port(asterisk_t)
+corenet_sendrecv_asterisk_server_packets(asterisk_t)
 # for VOIP voice channels.
 corenet_tcp_bind_generic_port(asterisk_t)
 corenet_udp_bind_generic_port(asterisk_t)
+corenet_sendrecv_generic_server_packets(asterisk_t)
 dev_read_sysfs(asterisk_t)
 dev_read_sound(asterisk_t)
diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te
index 1950541..d2f4750 100644
--- a/refpolicy/policy/modules/services/bluetooth.te
+++ b/refpolicy/policy/modules/services/bluetooth.te
@@ -1,5 +1,5 @@
-policy_module(bluetooth,1.2.5)
+policy_module(bluetooth,1.2.6)
 ########################################
 #
@@ -87,6 +87,7 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
 kernel_read_kernel_sysctls(bluetooth_t)
 kernel_read_system_state(bluetooth_t)
+corenet_non_ipsec_sendrecv(bluetooth_t)
 corenet_tcp_sendrecv_all_if(bluetooth_t)
 corenet_udp_sendrecv_all_if(bluetooth_t)
 corenet_raw_sendrecv_all_if(bluetooth_t)
@@ -95,9 +96,6 @@ corenet_udp_sendrecv_all_nodes(bluetooth_t)
 corenet_raw_sendrecv_all_nodes(bluetooth_t)
 corenet_tcp_sendrecv_all_ports(bluetooth_t)
 corenet_udp_sendrecv_all_ports(bluetooth_t)
-corenet_non_ipsec_sendrecv(bluetooth_t)
-corenet_tcp_bind_all_nodes(bluetooth_t)
-corenet_udp_bind_all_nodes(bluetooth_t)
 dev_read_sysfs(bluetooth_t)
 dev_rw_usbfs(bluetooth_t)
diff --git a/refpolicy/policy/modules/services/canna.te b/refpolicy/policy/modules/services/canna.te
index a2dad48..a7724ca 100644
--- a/refpolicy/policy/modules/services/canna.te
+++ b/refpolicy/policy/modules/services/canna.te
@@ -1,5 +1,5 @@
-policy_module(canna,1.2.1)
+policy_module(canna,1.2.2)
 ########################################
 #
@@ -52,8 +52,8 @@ corenet_non_ipsec_sendrecv(canna_t)
 corenet_tcp_sendrecv_all_if(canna_t)
 corenet_tcp_sendrecv_all_nodes(canna_t)
 corenet_tcp_sendrecv_all_ports(canna_t)
-corenet_tcp_bind_all_nodes(canna_t)
 corenet_tcp_connect_all_ports(canna_t)
+corenet_sendrecv_all_client_packets(canna_t)
 dev_read_sysfs(canna_t)
diff --git a/refpolicy/policy/modules/services/cipe.te b/refpolicy/policy/modules/services/cipe.te
index 697fa66..4c43de5 100644
--- a/refpolicy/policy/modules/services/cipe.te
+++ b/refpolicy/policy/modules/services/cipe.te
@@ -1,5 +1,5 @@
-policy_module(cipe,1.0.1)
+policy_module(cipe,1.0.2)
 ########################################
 #
@@ -37,6 +37,7 @@ corenet_udp_sendrecv_all_ports(ciped_t)
 corenet_udp_bind_all_nodes(ciped_t)
 # cipe uses the afs3-bos port (udp 7007)
 corenet_udp_bind_afs_bos_port(ciped_t)
+corenet_sendrecv_afs_bos_server_packets(ciped_t)
 dev_read_sysfs(ciped_t)
 dev_read_rand(ciped_t)
diff --git a/refpolicy/policy/modules/services/clamav.te b/refpolicy/policy/modules/services/clamav.te
index a662e6c..1f5dee6 100644
--- a/refpolicy/policy/modules/services/clamav.te
+++ b/refpolicy/policy/modules/services/clamav.te
@@ -1,5 +1,5 @@
-policy_module(clamav,1.0.1)
+policy_module(clamav,1.0.2)
 ########################################
 #
@@ -100,8 +100,9 @@ corenet_tcp_sendrecv_all_if(clamd_t)
 corenet_tcp_sendrecv_all_nodes(clamd_t)
 corenet_tcp_sendrecv_all_ports(clamd_t)
 corenet_tcp_sendrecv_clamd_port(clamd_t)
-corenet_tcp_bind_clamd_port(clamd_t)
 corenet_tcp_bind_all_nodes(clamd_t)
+corenet_tcp_bind_clamd_port(clamd_t)
+corenet_sendrecv_clamd_server_packets(clamd_t)
 dev_read_rand(clamd_t)
 dev_read_urand(clamd_t)
@@ -171,6 +172,7 @@ corenet_tcp_sendrecv_all_nodes(freshclam_t)
 corenet_tcp_sendrecv_all_ports(freshclam_t)
 corenet_tcp_sendrecv_clamd_port(freshclam_t)
 corenet_tcp_connect_http_port(freshclam_t)
+corenet_sendrecv_http_client_packets(freshclam_t)
 dev_read_rand(freshclam_t)
 dev_read_urand(freshclam_t)
diff --git a/refpolicy/policy/modules/services/clockspeed.te b/refpolicy/policy/modules/services/clockspeed.te
index b06c5ea..7866470 100644
--- a/refpolicy/policy/modules/services/clockspeed.te
+++ b/refpolicy/policy/modules/services/clockspeed.te
@@ -1,5 +1,5 @@
-policy_module(clockspeed,1.0.0)
+policy_module(clockspeed,1.0.1)
 ########################################
 #
@@ -32,6 +32,7 @@ corenet_non_ipsec_sendrecv(clockspeed_cli_t)
 corenet_udp_sendrecv_generic_if(clockspeed_cli_t)
 corenet_udp_sendrecv_generic_node(clockspeed_cli_t)
 corenet_udp_sendrecv_ntp_port(clockspeed_cli_t)
+corenet_sendrecv_ntp_client_packets(clockspeed_cli_t)
 files_list_var_lib(clockspeed_cli_t)
 files_read_etc_files(clockspeed_cli_t)
@@ -59,8 +60,9 @@ corenet_non_ipsec_sendrecv(clockspeed_srv_t)
 corenet_udp_sendrecv_generic_if(clockspeed_srv_t)
 corenet_udp_sendrecv_generic_node(clockspeed_srv_t)
 corenet_udp_sendrecv_ntp_port(clockspeed_srv_t)
-corenet_udp_bind_inaddr_any_node(clockspeed_srv_t)
+corenet_udp_bind_all_nodes(clockspeed_srv_t)
 corenet_udp_bind_clockspeed_port(clockspeed_srv_t)
+corenet_sendrecv_clockspeed_server_packets(clockspeed_srv_t)
 files_read_etc_files(clockspeed_srv_t)
 files_list_var_lib(clockspeed_srv_t)
diff --git a/refpolicy/policy/modules/services/courier.if b/refpolicy/policy/modules/services/courier.if
index c69b60a..d5866bb 100644
--- a/refpolicy/policy/modules/services/courier.if
+++ b/refpolicy/policy/modules/services/courier.if
@@ -56,8 +56,6 @@ template(`courier_domain_template',`
 corenet_udp_sendrecv_all_nodes(courier_$1_t)
 corenet_tcp_sendrecv_all_ports(courier_$1_t)
 corenet_udp_sendrecv_all_ports(courier_$1_t)
- corenet_tcp_bind_all_nodes(courier_$1_t)
- corenet_udp_bind_all_nodes(courier_$1_t)
 dev_read_sysfs(courier_$1_t)
diff --git a/refpolicy/policy/modules/services/courier.te b/refpolicy/policy/modules/services/courier.te
index 9e0b787..0c41a0f 100644
--- a/refpolicy/policy/modules/services/courier.te
+++ b/refpolicy/policy/modules/services/courier.te
@@ -1,5 +1,5 @@
-policy_module(courier,1.0.1)
+policy_module(courier,1.0.2)
 ########################################
 #
@@ -119,7 +119,9 @@ files_search_var_lib(courier_tcpd_t)
 corecmd_search_sbin(courier_tcpd_t)
+corenet_tcp_bind_all_nodes(courier_tcpd_t)
 corenet_tcp_bind_pop_port(courier_tcpd_t)
+corenet_sendrecv_pop_server_packets(courier_tcpd_t)
 # for TLS
 dev_read_rand(courier_tcpd_t)
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index 406af37..fb6b883 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
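Review bot: Replacing `corenet_udp_bind_inaddr_any_node(clockspeed_srv_t)` with `corenet_udp_bind_all_nodes(clockspeed_srv_t)` widens the UDP node bind from the INADDR_ANY node type to every node type, which is a permission change rather than the packet-labeling the rest of this commit adds. If the inaddr_any interface is being retired in corenetwork, the commit message should say so; otherwise keep the narrower bind and add only `corenet_sendrecv_clockspeed_server_packets(clockspeed_srv_t)`. Either way a one-line comment above the bind, such as `# listens on every local address (was inaddr_any only)`, would record why a single-purpose time daemon needs the broader rule.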
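Review bot: The courier.if hunk removes `corenet_tcp_bind_all_nodes(courier_$1_t)` and `corenet_udp_bind_all_nodes(courier_$1_t)` from every domain built by `courier_domain_template`, but courier.te restores only the TCP node bind, and only for courier_tcpd_t. Any other domain instantiated from this template that listens on a socket (the instantiations are not visible from here) will now fail node_bind, so either confirm that none of them bind or re-add the bind beside that domain's port bind as was done for courier_tcpd_t. The template's own header comment should state that listeners must add their node bind in the .te file, since the template no longer grants it.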
@@ -91,18 +91,15 @@ template(`cron_per_userdomain_template',`
 # ps does not need to access /boot when run from cron
 files_dontaudit_search_boot($1_crond_t)
+ corenet_non_ipsec_sendrecv($1_crond_t)
 corenet_tcp_sendrecv_all_if($1_crond_t)
- corenet_raw_sendrecv_all_if($1_crond_t)
 corenet_udp_sendrecv_all_if($1_crond_t)
 corenet_tcp_sendrecv_all_nodes($1_crond_t)
- corenet_raw_sendrecv_all_nodes($1_crond_t)
 corenet_udp_sendrecv_all_nodes($1_crond_t)
 corenet_tcp_sendrecv_all_ports($1_crond_t)
 corenet_udp_sendrecv_all_ports($1_crond_t)
- corenet_non_ipsec_sendrecv($1_crond_t)
- corenet_tcp_bind_all_nodes($1_crond_t)
- corenet_udp_bind_all_nodes($1_crond_t)
 corenet_tcp_connect_all_ports($1_crond_t)
+ corenet_sendrecv_all_client_packets($1_crond_t)
 dev_read_urand($1_crond_t)
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index dca68e0..ba99a7b 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -1,5 +1,5 @@
-policy_module(cron,1.3.6)
+policy_module(cron,1.3.7)
 gen_require(`
 class passwd rootok;
diff --git a/refpolicy/policy/modules/services/cvs.te b/refpolicy/policy/modules/services/cvs.te
index ef87fb9..fe2e4b0 100644
--- a/refpolicy/policy/modules/services/cvs.te
+++ b/refpolicy/policy/modules/services/cvs.te
@@ -1,5 +1,5 @@
-policy_module(cvs,1.2.0)
+policy_module(cvs,1.2.1)
 ########################################
 #
@@ -48,17 +48,13 @@ kernel_read_kernel_sysctls(cvs_t)
 kernel_read_system_state(cvs_t)
 kernel_read_network_state(cvs_t)
+corenet_non_ipsec_sendrecv(cvs_t)
 corenet_tcp_sendrecv_all_if(cvs_t)
 corenet_udp_sendrecv_all_if(cvs_t)
-corenet_raw_sendrecv_all_if(cvs_t)
 corenet_tcp_sendrecv_all_nodes(cvs_t)
 corenet_udp_sendrecv_all_nodes(cvs_t)
-corenet_raw_sendrecv_all_nodes(cvs_t)
 corenet_tcp_sendrecv_all_ports(cvs_t)
 corenet_udp_sendrecv_all_ports(cvs_t)
-corenet_non_ipsec_sendrecv(cvs_t)
-corenet_tcp_bind_all_nodes(cvs_t)
-corenet_udp_bind_all_nodes(cvs_t)
 dev_read_urand(cvs_t)
diff --git a/refpolicy/policy/modules/services/cyrus.te b/refpolicy/policy/modules/services/cyrus.te
index bf2924b..65d5551 100644
--- a/refpolicy/policy/modules/services/cyrus.te
+++ b/refpolicy/policy/modules/services/cyrus.te
@@ -1,5 +1,5 @@
-policy_module(cyrus,1.1.1)
+policy_module(cyrus,1.1.2)
 ########################################
 #
@@ -59,20 +59,20 @@ kernel_read_kernel_sysctls(cyrus_t)
 kernel_read_system_state(cyrus_t)
 kernel_read_all_sysctls(cyrus_t)
+corenet_non_ipsec_sendrecv(cyrus_t)
 corenet_tcp_sendrecv_all_if(cyrus_t)
 corenet_udp_sendrecv_all_if(cyrus_t)
-corenet_raw_sendrecv_all_if(cyrus_t)
 corenet_tcp_sendrecv_all_nodes(cyrus_t)
 corenet_udp_sendrecv_all_nodes(cyrus_t)
-corenet_raw_sendrecv_all_nodes(cyrus_t)
 corenet_tcp_sendrecv_all_ports(cyrus_t)
 corenet_udp_sendrecv_all_ports(cyrus_t)
-corenet_non_ipsec_sendrecv(cyrus_t)
 corenet_tcp_bind_all_nodes(cyrus_t)
-corenet_udp_bind_all_nodes(cyrus_t)
 corenet_tcp_bind_mail_port(cyrus_t)
 corenet_tcp_bind_pop_port(cyrus_t)
 corenet_tcp_connect_all_ports(cyrus_t)
+corenet_sendrecv_mail_server_packets(cyrus_t)
+corenet_sendrecv_pop_server_packets(cyrus_t)
+corenet_sendrecv_all_client_packets(cyrus_t)
 dev_read_rand(cyrus_t)
 dev_read_urand(cyrus_t)
diff --git a/refpolicy/policy/modules/services/dante.te b/refpolicy/policy/modules/services/dante.te
index 5b32250..149677d 100644
--- a/refpolicy/policy/modules/services/dante.te
+++ b/refpolicy/policy/modules/services/dante.te
@@ -1,5 +1,5 @@
-policy_module(dante,1.0.0)
+policy_module(dante,1.0.1)
 ########################################
 #
@@ -39,17 +39,14 @@ kernel_read_kernel_sysctls(dante_t)
 kernel_list_proc(dante_t)
 kernel_read_proc_symlinks(dante_t)
+corenet_non_ipsec_sendrecv(dante_t)
 corenet_tcp_sendrecv_generic_if(dante_t)
 corenet_udp_sendrecv_generic_if(dante_t)
-corenet_raw_sendrecv_generic_if(dante_t)
 corenet_tcp_sendrecv_all_nodes(dante_t)
 corenet_udp_sendrecv_all_nodes(dante_t)
-corenet_raw_sendrecv_all_nodes(dante_t)
 corenet_tcp_sendrecv_all_ports(dante_t)
 corenet_udp_sendrecv_all_ports(dante_t)
-corenet_non_ipsec_sendrecv(dante_t)
 corenet_tcp_bind_all_nodes(dante_t)
-corenet_udp_bind_all_nodes(dante_t)
 #TODO: no portcons for this type
 #allow dante_t socks_port_t:tcp_socket name_bind;
diff --git a/refpolicy/policy/modules/services/dbskk.te b/refpolicy/policy/modules/services/dbskk.te
index bb54982..914627c 100644
--- a/refpolicy/policy/modules/services/dbskk.te
+++ b/refpolicy/policy/modules/services/dbskk.te
@@ -1,5 +1,5 @@
-policy_module(dbskk,1.1.0)
+policy_module(dbskk,1.1.1)
 ########################################
 #
@@ -49,17 +49,13 @@ kernel_read_kernel_sysctls(dbskkd_t)
 kernel_read_system_state(dbskkd_t)
 kernel_read_network_state(dbskkd_t)
+corenet_non_ipsec_sendrecv(dbskkd_t)
 corenet_tcp_sendrecv_all_if(dbskkd_t)
 corenet_udp_sendrecv_all_if(dbskkd_t)
-corenet_raw_sendrecv_all_if(dbskkd_t)
 corenet_tcp_sendrecv_all_nodes(dbskkd_t)
 corenet_udp_sendrecv_all_nodes(dbskkd_t)
-corenet_raw_sendrecv_all_nodes(dbskkd_t)
 corenet_tcp_sendrecv_all_ports(dbskkd_t)
 corenet_udp_sendrecv_all_ports(dbskkd_t)
-corenet_non_ipsec_sendrecv(dbskkd_t)
-corenet_tcp_bind_all_nodes(dbskkd_t)
-corenet_udp_bind_all_nodes(dbskkd_t)
 dev_read_urand(dbskkd_t)
diff --git a/refpolicy/policy/modules/services/dbus.if b/refpolicy/policy/modules/services/dbus.if
index 36877e6..9c68d4a 100644
--- a/refpolicy/policy/modules/services/dbus.if
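Review bot: dante_t keeps `corenet_tcp_bind_all_nodes(dante_t)` while the hunk still ends with `#TODO: no portcons for this type` and the commented-out `#allow dante_t socks_port_t:tcp_socket name_bind;`, so after this commit it is a listener with a node bind but no port bind and, unlike every other server domain touched here, no `corenet_sendrecv_*_server_packets` rule. The TODO should be extended so that whoever introduces the socks port type also wires up the packet side: `#TODO: no portcons for this type; once socks_port_t exists add the port bind and corenet_sendrecv_socks_server_packets(dante_t)`. The dante_t rule block continues past the end of the hunk.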
+++ b/refpolicy/policy/modules/services/dbus.if
@@ -106,12 +106,10 @@ template(`dbus_per_userdomain_template',`
 kernel_read_system_state($1_dbusd_t)
 kernel_read_kernel_sysctls($1_dbusd_t)
+ corenet_non_ipsec_sendrecv($1_dbusd_t)
 corenet_tcp_sendrecv_all_if($1_dbusd_t)
- corenet_raw_sendrecv_all_if($1_dbusd_t)
 corenet_tcp_sendrecv_all_nodes($1_dbusd_t)
- corenet_raw_sendrecv_all_nodes($1_dbusd_t)
 corenet_tcp_sendrecv_all_ports($1_dbusd_t)
- corenet_non_ipsec_sendrecv($1_dbusd_t)
 corenet_tcp_bind_all_nodes($1_dbusd_t)
 corenet_tcp_bind_reserved_port($1_dbusd_t)
diff --git a/refpolicy/policy/modules/services/dbus.te b/refpolicy/policy/modules/services/dbus.te
index 88289c1..93c7ab0 100644
--- a/refpolicy/policy/modules/services/dbus.te
+++ b/refpolicy/policy/modules/services/dbus.te
@@ -1,5 +1,5 @@
-policy_module(dbus,1.2.2)
+policy_module(dbus,1.2.3)
 gen_require(`
 class dbus { send_msg acquire_svc };
diff --git a/refpolicy/policy/modules/services/dcc.te b/refpolicy/policy/modules/services/dcc.te
index 9365c15..0214b5d 100644
--- a/refpolicy/policy/modules/services/dcc.te
+++ b/refpolicy/policy/modules/services/dcc.te
@@ -1,5 +1,5 @@
-policy_module(dcc,1.0.0)
+policy_module(dcc,1.0.1)
 ########################################
 #
@@ -253,6 +253,7 @@ corenet_udp_sendrecv_all_nodes(dccd_t)
 corenet_udp_sendrecv_all_ports(dccd_t)
 corenet_udp_bind_all_nodes(dccd_t)
 corenet_udp_bind_dcc_port(dccd_t)
+corenet_sendrecv_dcc_server_packets(dccd_t)
 dev_read_sysfs(dccd_t)
@@ -338,7 +339,6 @@ corenet_non_ipsec_sendrecv(dccifd_t)
 corenet_udp_sendrecv_generic_if(dccifd_t)
 corenet_udp_sendrecv_all_nodes(dccifd_t)
 corenet_udp_sendrecv_all_ports(dccifd_t)
-corenet_udp_bind_all_nodes(dccifd_t)
 dev_read_sysfs(dccifd_t)
diff --git a/refpolicy/policy/modules/services/ddclient.te b/refpolicy/policy/modules/services/ddclient.te
index 3de2831..633e49f 100644
--- a/refpolicy/policy/modules/services/ddclient.te
+++ b/refpolicy/policy/modules/services/ddclient.te
@@ -1,5 +1,5 @@
-policy_module(ddclient,1.0.0)
+policy_module(ddclient,1.0.1)
 ########################################
 #
@@ -66,18 +66,15 @@ kernel_read_kernel_sysctls(ddclient_t)
 corecmd_exec_shell(ddclient_t)
 corecmd_exec_bin(ddclient_t)
+corenet_non_ipsec_sendrecv(ddclient_t)
 corenet_tcp_sendrecv_generic_if(ddclient_t)
 corenet_udp_sendrecv_generic_if(ddclient_t)
-corenet_raw_sendrecv_generic_if(ddclient_t)
 corenet_tcp_sendrecv_all_nodes(ddclient_t)
 corenet_udp_sendrecv_all_nodes(ddclient_t)
-corenet_raw_sendrecv_all_nodes(ddclient_t)
 corenet_tcp_sendrecv_all_ports(ddclient_t)
 corenet_udp_sendrecv_all_ports(ddclient_t)
-corenet_non_ipsec_sendrecv(ddclient_t)
-corenet_tcp_bind_all_nodes(ddclient_t)
-corenet_udp_bind_all_nodes(ddclient_t)
 corenet_tcp_connect_all_ports(ddclient_t)
+corenet_sendrecv_all_client_packets(ddclient_t)
 dev_read_sysfs(ddclient_t)
 dev_read_urand(ddclient_t)
diff --git a/refpolicy/policy/modules/services/dhcp.te b/refpolicy/policy/modules/services/dhcp.te
index 72af5a9..d4a84a0 100644
--- a/refpolicy/policy/modules/services/dhcp.te
+++ b/refpolicy/policy/modules/services/dhcp.te
@@ -1,5 +1,5 @@
-policy_module(dhcp,1.1.0)
+policy_module(dhcp,1.1.1)
 ########################################
 #
@@ -54,6 +54,7 @@ files_pid_filetrans(dhcpd_t,dhcpd_var_run_t,file)
 kernel_read_system_state(dhcpd_t)
 kernel_read_kernel_sysctls(dhcpd_t)
+corenet_non_ipsec_sendrecv(dhcpd_t)
 corenet_tcp_sendrecv_all_if(dhcpd_t)
 corenet_udp_sendrecv_all_if(dhcpd_t)
 corenet_raw_sendrecv_all_if(dhcpd_t)
@@ -62,13 +63,15 @@ corenet_udp_sendrecv_all_nodes(dhcpd_t)
 corenet_raw_sendrecv_all_nodes(dhcpd_t)
 corenet_tcp_sendrecv_all_ports(dhcpd_t)
 corenet_udp_sendrecv_all_ports(dhcpd_t)
-corenet_non_ipsec_sendrecv(dhcpd_t)
 corenet_tcp_bind_all_nodes(dhcpd_t)
 corenet_udp_bind_all_nodes(dhcpd_t)
 corenet_tcp_bind_dhcpd_port(dhcpd_t)
 corenet_udp_bind_dhcpd_port(dhcpd_t)
 corenet_udp_bind_pxe_port(dhcpd_t)
 corenet_tcp_connect_all_ports(dhcpd_t)
+corenet_sendrecv_dhcpd_server_packets(dhcpd_t)
+corenet_sendrecv_pxe_server_packets(dhcpd_t)
+corenet_sendrecv_all_client_packets(dhcpd_t)
 dev_read_sysfs(dhcpd_t)
 dev_read_rand(dhcpd_t)
diff --git a/refpolicy/policy/modules/services/dictd.te b/refpolicy/policy/modules/services/dictd.te
index 362b4ba..1a8ae10 100644
--- a/refpolicy/policy/modules/services/dictd.te
+++ b/refpolicy/policy/modules/services/dictd.te
@@ -1,5 +1,5 @@
-policy_module(dictd,1.1.0)
+policy_module(dictd,1.1.1)
 ########################################
 #
@@ -38,6 +38,7 @@ kernel_read_system_state(dictd_t)
 kernel_read_kernel_sysctls(dictd_t)
 kernel_tcp_recvfrom(dictd_t)
+corenet_non_ipsec_sendrecv(dictd_t)
 corenet_tcp_sendrecv_all_if(dictd_t)
 corenet_raw_sendrecv_all_if(dictd_t)
 corenet_udp_sendrecv_all_if(dictd_t)
@@ -46,10 +47,9 @@ corenet_udp_sendrecv_all_nodes(dictd_t)
 corenet_raw_sendrecv_all_nodes(dictd_t)
 corenet_tcp_sendrecv_all_ports(dictd_t)
 corenet_udp_sendrecv_all_ports(dictd_t)
-corenet_non_ipsec_sendrecv(dictd_t)
 corenet_tcp_bind_all_nodes(dictd_t)
-corenet_udp_bind_all_nodes(dictd_t)
 corenet_tcp_bind_dict_port(dictd_t)
+corenet_sendrecv_dict_server_packets(dictd_t)
 dev_read_sysfs(dictd_t)
diff --git a/refpolicy/policy/modules/services/distcc.te b/refpolicy/policy/modules/services/distcc.te
index ec0a754..69a89ff 100644
--- a/refpolicy/policy/modules/services/distcc.te
+++ b/refpolicy/policy/modules/services/distcc.te
@@ -1,5 +1,5 @@
-policy_module(distcc,1.1.0)
+policy_module(distcc,1.1.1)
 ########################################
 #
@@ -45,18 +45,16 @@ files_pid_filetrans(distccd_t,distccd_var_run_t,file)
 kernel_read_system_state(distccd_t)
 kernel_read_kernel_sysctls(distccd_t)
+corenet_non_ipsec_sendrecv(distccd_t)
 corenet_tcp_sendrecv_all_if(distccd_t)
 corenet_udp_sendrecv_all_if(distccd_t)
-corenet_raw_sendrecv_all_if(distccd_t)
 corenet_tcp_sendrecv_all_nodes(distccd_t)
 corenet_udp_sendrecv_all_nodes(distccd_t)
-corenet_raw_sendrecv_all_nodes(distccd_t)
 corenet_tcp_sendrecv_all_ports(distccd_t)
 corenet_udp_sendrecv_all_ports(distccd_t)
-corenet_non_ipsec_sendrecv(distccd_t)
 corenet_tcp_bind_all_nodes(distccd_t)
-corenet_udp_bind_all_nodes(distccd_t)
 corenet_tcp_bind_distccd_port(distccd_t)
+corenet_sendrecv_distccd_server_packets(distccd_t)
 dev_read_sysfs(distccd_t)
diff --git a/refpolicy/policy/modules/services/djbdns.if b/refpolicy/policy/modules/services/djbdns.if
index 9b16ddd..dcafb95 100644
--- a/refpolicy/policy/modules/services/djbdns.if
+++ b/refpolicy/policy/modules/services/djbdns.if
@@ -32,13 +32,13 @@ template(`djbdns_daemontools_domain_template',`
 allow djbdns_$1_t djbdns_$1_conf_t:dir r_dir_perms;
 allow djbdns_$1_t djbdns_$1_conf_t:file r_file_perms;
+ corenet_non_ipsec_sendrecv(djbdns_$1_t)
 corenet_tcp_sendrecv_all_if(djbdns_$1_t)
 corenet_udp_sendrecv_all_if(djbdns_$1_t)
 corenet_tcp_sendrecv_all_nodes(djbdns_$1_t)
 corenet_udp_sendrecv_all_nodes(djbdns_$1_t)
 corenet_tcp_sendrecv_all_ports(djbdns_$1_t)
 corenet_udp_sendrecv_all_ports(djbdns_$1_t)
- corenet_non_ipsec_sendrecv(djbdns_$1_t)
 corenet_tcp_bind_all_nodes(djbdns_$1_t)
 corenet_udp_bind_all_nodes(djbdns_$1_t)
 corenet_tcp_bind_dns_port(djbdns_$1_t)
@@ -49,6 +49,4 @@ template(`djbdns_daemontools_domain_template',`
 libs_use_ld_so(djbdns_$1_t)
 libs_use_shared_libs(djbdns_$1_t)
- ')
-
diff --git a/refpolicy/policy/modules/services/dnsmasq.te b/refpolicy/policy/modules/services/dnsmasq.te
index afeb841..79063d1 100644
--- a/refpolicy/policy/modules/services/dnsmasq.te
+++ b/refpolicy/policy/modules/services/dnsmasq.te
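Review bot: In `djbdns_daemontools_domain_template` the hunk keeps `corenet_tcp_bind_dns_port(djbdns_$1_t)` and both node binds but adds no matching `corenet_sendrecv_dns_server_packets(djbdns_$1_t)`, whereas dnsmasq in this same commit pairs its DNS port bind with exactly that call. With SECMARK packet labeling in force the djbdns domains could bind the port yet be denied the labeled packets on it; add `corenet_sendrecv_dns_server_packets(djbdns_$1_t)` right after the port-bind lines. The template body runs past the end of this hunk, so any further port binds below need the same pairing.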
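Review bot: The second djbdns.if hunk (`@@ -49,6 +49,4 @@`) removes a `')` line and the blank line after it, and in the collapsed view I cannot see another `')` closing `djbdns_daemontools_domain_template` after `libs_use_shared_libs(djbdns_$1_t)`. If the removed line was a duplicated closing quote this is a correct cleanup, but an unbalanced m4 quote breaks the whole module at build time, so please confirm the template still closes (a policy build of the services layer would settle it). The commit message could note the stray-quote fix so it is not mistaken for part of the packet-labeling change.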
@@ -1,5 +1,5 @@
-policy_module(dnsmasq,1.0.0)
+policy_module(dnsmasq,1.0.1)
 ########################################
 #
@@ -41,6 +41,7 @@ kernel_read_kernel_sysctls(dnsmasq_t)
 kernel_list_proc(dnsmasq_t)
 kernel_read_proc_symlinks(dnsmasq_t)
+corenet_non_ipsec_sendrecv(dnsmasq_t)
 corenet_tcp_sendrecv_generic_if(dnsmasq_t)
 corenet_udp_sendrecv_generic_if(dnsmasq_t)
 corenet_raw_sendrecv_generic_if(dnsmasq_t)
@@ -49,12 +50,13 @@ corenet_udp_sendrecv_all_nodes(dnsmasq_t)
 corenet_raw_sendrecv_all_nodes(dnsmasq_t)
 corenet_tcp_sendrecv_all_ports(dnsmasq_t)
 corenet_udp_sendrecv_all_ports(dnsmasq_t)
-corenet_non_ipsec_sendrecv(dnsmasq_t)
 corenet_tcp_bind_all_nodes(dnsmasq_t)
 corenet_udp_bind_all_nodes(dnsmasq_t)
 corenet_tcp_bind_dns_port(dnsmasq_t)
 corenet_udp_bind_dns_port(dnsmasq_t)
 corenet_udp_bind_dhcpd_port(dnsmasq_t)
+corenet_sendrecv_dns_server_packets(dnsmasq_t)
+corenet_sendrecv_dhcpd_server_packets(dnsmasq_t)
 dev_read_sysfs(dnsmasq_t)
 dev_read_urand(dnsmasq_t)
diff --git a/refpolicy/policy/modules/services/gatekeeper.te b/refpolicy/policy/modules/services/gatekeeper.te
index 08cb0d5..c33041d 100644
--- a/refpolicy/policy/modules/services/gatekeeper.te
+++ b/refpolicy/policy/modules/services/gatekeeper.te
@@ -1,5 +1,5 @@
-policy_module(gatekeeper,1.0.1)
+policy_module(gatekeeper,1.0.2)
 ########################################
 #
@@ -66,6 +66,7 @@ corenet_tcp_bind_all_nodes(gatekeeper_t)
 corenet_udp_bind_all_nodes(gatekeeper_t)
 corenet_tcp_bind_gatekeeper_port(gatekeeper_t)
 corenet_udp_bind_gatekeeper_port(gatekeeper_t)
+corenet_sendrecv_gatekeeper_server_packets(gatekeeper_t)
 dev_read_sysfs(gatekeeper_t)
 # for SSP
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 499e339..b882b91 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
-policy_module(hal,1.3.7)
+policy_module(hal,1.3.8)
 ########################################
 #
@@ -55,17 +55,13 @@ auth_read_pam_console_data(hald_t)
 corecmd_exec_all_executables(hald_t)
+corenet_non_ipsec_sendrecv(hald_t)
 corenet_tcp_sendrecv_all_if(hald_t)
 corenet_udp_sendrecv_all_if(hald_t)
-corenet_raw_sendrecv_all_if(hald_t)
 corenet_tcp_sendrecv_all_nodes(hald_t)
 corenet_udp_sendrecv_all_nodes(hald_t)
-corenet_raw_sendrecv_all_nodes(hald_t)
 corenet_tcp_sendrecv_all_ports(hald_t)
 corenet_udp_sendrecv_all_ports(hald_t)
-corenet_non_ipsec_sendrecv(hald_t)
-corenet_tcp_bind_all_nodes(hald_t)
-corenet_udp_bind_all_nodes(hald_t)
 dev_rw_usbfs(hald_t)
 dev_read_urand(hald_t)
diff --git a/refpolicy/policy/modules/services/howl.te b/refpolicy/policy/modules/services/howl.te
index c72d602..061a23d 100644
--- a/refpolicy/policy/modules/services/howl.te
+++ b/refpolicy/policy/modules/services/howl.te
@@ -1,5 +1,5 @@
-policy_module(howl,1.1.1)
+policy_module(howl,1.1.2)
 ########################################
 #
@@ -46,6 +46,7 @@ corenet_tcp_bind_all_nodes(howl_t)
 corenet_udp_bind_all_nodes(howl_t)
 corenet_tcp_bind_howl_port(howl_t)
 corenet_udp_bind_howl_port(howl_t)
+corenet_sendrecv_howl_server_packets(howl_t)
 dev_read_sysfs(howl_t)
diff --git a/refpolicy/policy/modules/services/i18n_input.te b/refpolicy/policy/modules/services/i18n_input.te
index 20ec0fb..5152da5 100644
--- a/refpolicy/policy/modules/services/i18n_input.te
+++ b/refpolicy/policy/modules/services/i18n_input.te
@@ -1,5 +1,5 @@
-policy_module(i18n_input,1.1.1)
+policy_module(i18n_input,1.1.2)
 ########################################
 #
@@ -48,6 +48,8 @@ corenet_udp_sendrecv_all_ports(i18n_input_t)
 corenet_tcp_bind_all_nodes(i18n_input_t)
 corenet_tcp_bind_i18n_input_port(i18n_input_t)
 corenet_tcp_connect_all_ports(i18n_input_t)
+corenet_sendrecv_i18n_input_server_packets(i18n_input_t)
+corenet_sendrecv_all_client_packets(i18n_input_t)
 dev_read_sysfs(i18n_input_t)
diff --git a/refpolicy/policy/modules/services/imaze.te b/refpolicy/policy/modules/services/imaze.te
index 6dfe38a..97ddd5f 100644
--- a/refpolicy/policy/modules/services/imaze.te
+++ b/refpolicy/policy/modules/services/imaze.te
@@ -1,5 +1,5 @@
-policy_module(imaze,1.0.1)
+policy_module(imaze,1.0.2)
 ########################################
 #
@@ -67,6 +67,7 @@ corenet_tcp_bind_all_nodes(imazesrv_t)
 corenet_udp_bind_all_nodes(imazesrv_t)
 corenet_tcp_bind_imaze_port(imazesrv_t)
 corenet_udp_bind_imaze_port(imazesrv_t)
+corenet_sendrecv_imaze_server_packets(imazesrv_t)
 dev_read_sysfs(imazesrv_t)
diff --git a/refpolicy/policy/modules/services/inn.te b/refpolicy/policy/modules/services/inn.te
index 37911ad..84869b0 100644
--- a/refpolicy/policy/modules/services/inn.te
+++ b/refpolicy/policy/modules/services/inn.te
@@ -1,5 +1,5 @@
-policy_module(inn,1.1.1)
+policy_module(inn,1.1.2)
 ########################################
 #
@@ -73,6 +73,8 @@ corenet_udp_sendrecv_all_ports(innd_t)
 corenet_tcp_bind_all_nodes(innd_t)
 corenet_tcp_bind_innd_port(innd_t)
 corenet_tcp_connect_all_ports(innd_t)
+corenet_sendrecv_innd_server_packets(innd_t)
+corenet_sendrecv_all_client_packets(innd_t)
 dev_read_sysfs(innd_t)
 dev_read_urand(innd_t)
diff --git a/refpolicy/policy/modules/services/ircd.te b/refpolicy/policy/modules/services/ircd.te
index 5e543b9..fb4c356 100644
--- a/refpolicy/policy/modules/services/ircd.te
+++ b/refpolicy/policy/modules/services/ircd.te
@@ -1,5 +1,5 @@
-policy_module(ircd,1.0.1)
+policy_module(ircd,1.0.2)
 ########################################
 #
@@ -63,6 +63,7 @@ corenet_tcp_sendrecv_all_ports(ircd_t)
 corenet_udp_sendrecv_all_ports(ircd_t)
 corenet_tcp_bind_all_nodes(ircd_t)
 corenet_tcp_bind_ircd_port(ircd_t)
+corenet_sendrecv_ircd_server_packets(ircd_t)
 dev_read_sysfs(ircd_t)
diff --git a/refpolicy/policy/modules/services/jabber.te b/refpolicy/policy/modules/services/jabber.te
index 3c5159d..01f85a7 100644
--- a/refpolicy/policy/modules/services/jabber.te
+++ b/refpolicy/policy/modules/services/jabber.te
@@ -1,5 +1,5 @@
-policy_module(jabber,1.0.1)
+policy_module(jabber,1.0.2)
 ########################################
 #
@@ -58,6 +58,8 @@ corenet_udp_sendrecv_all_ports(jabberd_t)
 corenet_tcp_bind_all_nodes(jabberd_t)
 corenet_tcp_bind_jabber_client_port(jabberd_t)
 corenet_tcp_bind_jabber_interserver_port(jabberd_t)
+corenet_sendrecv_jabber_client_server_packets(jabberd_t)
+corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
 dev_read_sysfs(jabberd_t)
 # For SSL
diff --git a/refpolicy/policy/modules/services/kerberos.if b/refpolicy/policy/modules/services/kerberos.if
index 5d74414..b700f65 100644
--- a/refpolicy/policy/modules/services/kerberos.if
+++ b/refpolicy/policy/modules/services/kerberos.if
@@ -43,18 +43,19 @@ interface(`kerberos_use',`
 tunable_policy(`allow_kerberos',`
 allow $1 self:tcp_socket create_socket_perms;
 allow $1 self:udp_socket create_socket_perms;
+
+ corenet_non_ipsec_sendrecv($1)
 corenet_tcp_sendrecv_all_if($1)
 corenet_udp_sendrecv_all_if($1)
- corenet_raw_sendrecv_all_if($1)
 corenet_tcp_sendrecv_all_nodes($1)
 corenet_udp_sendrecv_all_nodes($1)
- corenet_raw_sendrecv_all_nodes($1)
 corenet_tcp_sendrecv_kerberos_port($1)
 corenet_udp_sendrecv_kerberos_port($1)
- corenet_non_ipsec_sendrecv($1)
 corenet_tcp_bind_all_nodes($1)
 corenet_udp_bind_all_nodes($1)
 corenet_tcp_connect_kerberos_port($1)
+ corenet_sendrecv_kerberos_client_packets($1)
+
 sysnet_read_config($1)
 sysnet_dns_name_resolve($1)
 ')
diff --git a/refpolicy/policy/modules/services/kerberos.te b/refpolicy/policy/modules/services/kerberos.te
index a72532e..627681c 100644
--- a/refpolicy/policy/modules/services/kerberos.te
+++ b/refpolicy/policy/modules/services/kerberos.te
@@ -1,5 +1,5 @@
-policy_module(kerberos,1.1.1)
+policy_module(kerberos,1.1.2)
 ########################################
 #
@@ -100,6 +100,7 @@ corenet_tcp_bind_kerberos_admin_port(kadmind_t)
 corenet_udp_bind_kerberos_admin_port(kadmind_t)
 corenet_tcp_bind_reserved_port(kadmind_t)
 corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t)
+corenet_sendrecv_kerberos_admin_server_packets(kadmind_t)
 dev_read_sysfs(kadmind_t)
 dev_read_rand(kadmind_t)
@@ -199,6 +200,7 @@ corenet_tcp_bind_all_nodes(krb5kdc_t)
 corenet_udp_bind_all_nodes(krb5kdc_t)
 corenet_tcp_bind_kerberos_port(krb5kdc_t)
 corenet_udp_bind_kerberos_port(krb5kdc_t)
+corenet_sendrecv_kerberos_server_packets(krb5kdc_t)
 dev_read_sysfs(krb5kdc_t)
 dev_read_urand(krb5kdc_t)
diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te
index 8d9594a..d62804f 100644
--- a/refpolicy/policy/modules/services/ldap.te
+++ b/refpolicy/policy/modules/services/ldap.te
@@ -1,5 +1,5 @@
-policy_module(ldap,1.2.1)
+policy_module(ldap,1.2.2)
 ########################################
 #
@@ -81,15 +81,15 @@ kernel_tcp_recvfrom(slapd_t)
 corenet_non_ipsec_sendrecv(slapd_t)
 corenet_tcp_sendrecv_all_if(slapd_t)
 corenet_udp_sendrecv_all_if(slapd_t)
-corenet_raw_sendrecv_all_if(slapd_t)
 corenet_tcp_sendrecv_all_nodes(slapd_t)
 corenet_udp_sendrecv_all_nodes(slapd_t)
-corenet_raw_sendrecv_all_nodes(slapd_t)
 corenet_tcp_sendrecv_all_ports(slapd_t)
 corenet_udp_sendrecv_all_ports(slapd_t)
 corenet_tcp_bind_all_nodes(slapd_t)
 corenet_tcp_bind_ldap_port(slapd_t)
 corenet_tcp_connect_all_ports(slapd_t)
+corenet_sendrecv_ldap_server_packets(slapd_t)
+corenet_sendrecv_all_client_packets(slapd_t)
 dev_read_urand(slapd_t)
 dev_read_sysfs(slapd_t)
diff --git a/refpolicy/policy/modules/services/lpd.if b/refpolicy/policy/modules/services/lpd.if
index b981547..fd149e4 100644
--- a/refpolicy/policy/modules/services/lpd.if
+++ b/refpolicy/policy/modules/services/lpd.if
@@ -112,15 +112,12 @@ template(`lpd_per_userdomain_template',`
 corenet_tcp_sendrecv_generic_if($1_lpr_t)
 corenet_udp_sendrecv_generic_if($1_lpr_t)
- corenet_raw_sendrecv_generic_if($1_lpr_t)
 corenet_tcp_sendrecv_all_nodes($1_lpr_t)
 corenet_udp_sendrecv_all_nodes($1_lpr_t)
- corenet_raw_sendrecv_all_nodes($1_lpr_t)
 corenet_tcp_sendrecv_all_ports($1_lpr_t)
 corenet_udp_sendrecv_all_ports($1_lpr_t)
- corenet_tcp_bind_all_nodes($1_lpr_t)
- corenet_udp_bind_all_nodes($1_lpr_t)
 corenet_tcp_connect_all_ports($1_lpr_t)
+ corenet_sendrecv_all_client_packets($1_lpr_t)
 # for /dev/null
 dev_list_all_dev_nodes($1_lpr_t)
diff --git a/refpolicy/policy/modules/services/lpd.te b/refpolicy/policy/modules/services/lpd.te
index 9e0071c..c2eedbd 100644
--- a/refpolicy/policy/modules/services/lpd.te
+++ b/refpolicy/policy/modules/services/lpd.te
@@ -1,5 +1,5 @@
-policy_module(lpd,1.2.3)
+policy_module(lpd,1.2.4)
 ########################################
 #
@@ -73,6 +73,7 @@ corenet_udp_sendrecv_all_nodes(checkpc_t)
 corenet_tcp_sendrecv_all_ports(checkpc_t)
 corenet_udp_sendrecv_all_ports(checkpc_t)
 corenet_tcp_connect_all_ports(checkpc_t)
+corenet_sendrecv_all_client_packets(checkpc_t)
 dev_append_printer(checkpc_t)
@@ -166,6 +167,7 @@ corenet_tcp_sendrecv_all_ports(lpd_t)
 corenet_udp_sendrecv_all_ports(lpd_t)
 corenet_tcp_bind_all_nodes(lpd_t)
 corenet_tcp_bind_printer_port(lpd_t)
+corenet_sendrecv_printer_server_packets(lpd_t)
 dev_read_sysfs(lpd_t)
 dev_rw_printer(lpd_t)
diff --git a/refpolicy/policy/modules/services/mailman.if b/refpolicy/policy/modules/services/mailman.if
index d95f0ac..c6b2e65 100644
--- a/refpolicy/policy/modules/services/mailman.if
+++ b/refpolicy/policy/modules/services/mailman.if
@@ -50,6 +50,7 @@ template(`mailman_domain_template', `
 kernel_read_kernel_sysctls(mailman_$1_t)
 kernel_read_system_state(mailman_$1_t)
+ corenet_non_ipsec_sendrecv(mailman_$1_t)
 corenet_tcp_sendrecv_all_if(mailman_$1_t)
 corenet_udp_sendrecv_all_if(mailman_$1_t)
 corenet_raw_sendrecv_all_if(mailman_$1_t)
@@ -58,7 +59,6 @@ template(`mailman_domain_template', `
 corenet_raw_sendrecv_all_nodes(mailman_$1_t)
 corenet_tcp_sendrecv_all_ports(mailman_$1_t)
 corenet_udp_sendrecv_all_ports(mailman_$1_t)
- corenet_non_ipsec_sendrecv(mailman_$1_t)
 corenet_tcp_bind_all_nodes(mailman_$1_t)
 corenet_udp_bind_all_nodes(mailman_$1_t)
 corenet_tcp_connect_smtp_port(mailman_$1_t)
diff --git a/refpolicy/policy/modules/services/monop.te b/refpolicy/policy/modules/services/monop.te
index 47def3d..dc24c3c 100644
--- a/refpolicy/policy/modules/services/monop.te
+++ b/refpolicy/policy/modules/services/monop.te
@@ -1,5 +1,5 @@
-policy_module(monop,1.0.0)
+policy_module(monop,1.0.1)
 ########################################
 #
@@ -44,18 +44,16 @@ kernel_read_kernel_sysctls(monopd_t)
 kernel_list_proc(monopd_t)
 kernel_read_proc_symlinks(monopd_t)
+corenet_non_ipsec_sendrecv(monopd_t)
 corenet_tcp_sendrecv_generic_if(monopd_t)
 corenet_udp_sendrecv_generic_if(monopd_t)
-corenet_raw_sendrecv_generic_if(monopd_t)
 corenet_tcp_sendrecv_all_nodes(monopd_t)
 corenet_udp_sendrecv_all_nodes(monopd_t)
-corenet_raw_sendrecv_all_nodes(monopd_t)
 corenet_tcp_sendrecv_all_ports(monopd_t)
 corenet_udp_sendrecv_all_ports(monopd_t)
-corenet_non_ipsec_sendrecv(monopd_t)
 corenet_tcp_bind_all_nodes(monopd_t)
-corenet_udp_bind_all_nodes(monopd_t)
 corenet_tcp_bind_monopd_port(monopd_t)
+corenet_sendrecv_monopd_server_packets(monopd_t)
 dev_read_sysfs(monopd_t)
diff --git a/refpolicy/policy/modules/services/munin.te b/refpolicy/policy/modules/services/munin.te
index a68abc7..c77591e 100644
--- a/refpolicy/policy/modules/services/munin.te
+++ b/refpolicy/policy/modules/services/munin.te
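Review bot: The mailman template keeps `corenet_raw_sendrecv_all_if(mailman_$1_t)` and `corenet_raw_sendrecv_all_nodes(mailman_$1_t)` (both visible as context in these two hunks) while the rest of this commit strips raw-socket send/receive from every domain that only speaks TCP/UDP (monopd in the same line, munin, nagios, rshd). A mailing-list manager whose only visible network need is `corenet_tcp_connect_smtp_port` has no evident use for raw IP, so unless something in the template outside the hunk actually opens a raw socket, the two raw lines should go here too. If they are kept on purpose, a comment above them naming the consumer, e.g. `# raw sockets needed by <component>`, would stop the next cleanup pass from asking again. The template continues outside the hunk.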
@@ -1,5 +1,5 @@
-policy_module(munin,1.0.0)
+policy_module(munin,1.0.1)
 ########################################
 #
@@ -66,17 +66,13 @@ kernel_read_kernel_sysctls(munin_t)
 corecmd_exec_bin(munin_t)
+corenet_non_ipsec_sendrecv(munin_t)
 corenet_tcp_sendrecv_generic_if(munin_t)
 corenet_udp_sendrecv_generic_if(munin_t)
-corenet_raw_sendrecv_generic_if(munin_t)
 corenet_tcp_sendrecv_all_nodes(munin_t)
 corenet_udp_sendrecv_all_nodes(munin_t)
-corenet_raw_sendrecv_all_nodes(munin_t)
 corenet_tcp_sendrecv_all_ports(munin_t)
 corenet_udp_sendrecv_all_ports(munin_t)
-corenet_non_ipsec_sendrecv(munin_t)
-corenet_tcp_bind_all_nodes(munin_t)
-corenet_udp_bind_all_nodes(munin_t)
 dev_read_sysfs(munin_t)
 dev_read_urand(munin_t)
diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te
index 56776c2..4edf487 100644
--- a/refpolicy/policy/modules/services/mysql.te
+++ b/refpolicy/policy/modules/services/mysql.te
@@ -1,5 +1,5 @@
-policy_module(mysql,1.2.1)
+policy_module(mysql,1.2.2)
 ########################################
 #
@@ -60,24 +60,21 @@ allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
 allow mysqld_t mysqld_var_run_t:file create_file_perms;
 files_pid_filetrans(mysqld_t,mysqld_var_run_t,file)
-kernel_list_proc(mysqld_t)
-kernel_read_kernel_sysctls(mysqld_t)
-kernel_read_proc_symlinks(mysqld_t)
 kernel_read_system_state(mysqld_t)
+kernel_read_kernel_sysctls(mysqld_t)
+corenet_non_ipsec_sendrecv(mysqld_t)
 corenet_tcp_sendrecv_all_if(mysqld_t)
 corenet_udp_sendrecv_all_if(mysqld_t)
-corenet_raw_sendrecv_all_if(mysqld_t)
 corenet_tcp_sendrecv_all_nodes(mysqld_t)
 corenet_udp_sendrecv_all_nodes(mysqld_t)
-corenet_raw_sendrecv_all_nodes(mysqld_t)
 corenet_tcp_sendrecv_all_ports(mysqld_t)
 corenet_udp_sendrecv_all_ports(mysqld_t)
-corenet_non_ipsec_sendrecv(mysqld_t)
 corenet_tcp_bind_all_nodes(mysqld_t)
-corenet_udp_bind_all_nodes(mysqld_t)
 corenet_tcp_bind_mysqld_port(mysqld_t)
 corenet_tcp_connect_mysqld_port(mysqld_t)
+corenet_sendrecv_mysqld_client_packets(mysqld_t)
+corenet_sendrecv_mysqld_server_packets(mysqld_t)
 dev_read_sysfs(mysqld_t)
diff --git a/refpolicy/policy/modules/services/nagios.te b/refpolicy/policy/modules/services/nagios.te
index 103ce70..423c664 100644
--- a/refpolicy/policy/modules/services/nagios.te
+++ b/refpolicy/policy/modules/services/nagios.te
@@ -1,5 +1,5 @@
-policy_module(nagios,1.0.1)
+policy_module(nagios,1.0.2)
 ########################################
 #
@@ -68,17 +68,13 @@ kernel_read_kernel_sysctls(nagios_t)
 corecmd_exec_bin(nagios_t)
 corecmd_exec_shell(nagios_t)
+corenet_non_ipsec_sendrecv(nagios_t)
 corenet_tcp_sendrecv_generic_if(nagios_t)
 corenet_udp_sendrecv_generic_if(nagios_t)
-corenet_raw_sendrecv_generic_if(nagios_t)
 corenet_tcp_sendrecv_all_nodes(nagios_t)
 corenet_udp_sendrecv_all_nodes(nagios_t)
-corenet_raw_sendrecv_all_nodes(nagios_t)
 corenet_tcp_sendrecv_all_ports(nagios_t)
 corenet_udp_sendrecv_all_ports(nagios_t)
-corenet_non_ipsec_sendrecv(nagios_t)
-corenet_tcp_bind_all_nodes(nagios_t)
-corenet_udp_bind_all_nodes(nagios_t)
 dev_read_sysfs(nagios_t)
diff --git a/refpolicy/policy/modules/services/nessus.te b/refpolicy/policy/modules/services/nessus.te
index a7c50ee..b049bf5 100644
--- a/refpolicy/policy/modules/services/nessus.te
+++ b/refpolicy/policy/modules/services/nessus.te
@@ -1,5 +1,5 @@
-policy_module(nessus,1.0.0)
+policy_module(nessus,1.0.1)
 ########################################
 #
@@ -60,6 +60,7 @@ kernel_tcp_recvfrom(nessusd_t)
 # for nmap etc
 corecmd_exec_bin(nessusd_t)
+corenet_non_ipsec_sendrecv(nessusd_t)
 corenet_tcp_sendrecv_generic_if(nessusd_t)
 corenet_udp_sendrecv_generic_if(nessusd_t)
 corenet_raw_sendrecv_generic_if(nessusd_t)
@@ -68,11 +69,11 @@ corenet_udp_sendrecv_all_nodes(nessusd_t)
 corenet_raw_sendrecv_all_nodes(nessusd_t)
 corenet_tcp_sendrecv_all_ports(nessusd_t)
 corenet_udp_sendrecv_all_ports(nessusd_t)
-corenet_non_ipsec_sendrecv(nessusd_t)
 corenet_tcp_bind_all_nodes(nessusd_t)
-corenet_udp_bind_all_nodes(nessusd_t)
 corenet_tcp_bind_nessus_port(nessusd_t)
 corenet_tcp_connect_all_ports(nessusd_t)
+corenet_sendrecv_all_client_packets(nessusd_t)
+corenet_sendrecv_nessus_server_packets(nessusd_t)
 dev_read_sysfs(nessusd_t)
 dev_read_urand(nessusd_t)
diff --git a/refpolicy/policy/modules/services/networkmanager.te b/refpolicy/policy/modules/services/networkmanager.te
index eaf58e1..6d54fec 100644
--- a/refpolicy/policy/modules/services/networkmanager.te
+++ b/refpolicy/policy/modules/services/networkmanager.te
@@ -1,5 +1,5 @@
-policy_module(networkmanager,1.3.1)
+policy_module(networkmanager,1.3.2)
 ########################################
 #
@@ -39,6 +39,7 @@ kernel_read_network_state(NetworkManager_t)
 kernel_read_kernel_sysctls(NetworkManager_t)
 kernel_load_module(NetworkManager_t)
+corenet_non_ipsec_sendrecv(NetworkManager_t)
 corenet_tcp_sendrecv_all_if(NetworkManager_t)
 corenet_udp_sendrecv_all_if(NetworkManager_t)
 corenet_raw_sendrecv_all_if(NetworkManager_t)
@@ -47,12 +48,13 @@ corenet_udp_sendrecv_all_nodes(NetworkManager_t)
 corenet_raw_sendrecv_all_nodes(NetworkManager_t)
 corenet_tcp_sendrecv_all_ports(NetworkManager_t)
 corenet_udp_sendrecv_all_ports(NetworkManager_t)
-corenet_non_ipsec_sendrecv(NetworkManager_t)
-corenet_tcp_bind_all_nodes(NetworkManager_t)
 corenet_udp_bind_all_nodes(NetworkManager_t)
-corenet_tcp_connect_all_ports(NetworkManager_t)
 corenet_udp_bind_isakmp_port(NetworkManager_t)
 corenet_udp_bind_dhcpc_port(NetworkManager_t)
+corenet_tcp_connect_all_ports(NetworkManager_t)
+corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
+corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
+corenet_sendrecv_all_client_packets(NetworkManager_t)
 dev_read_sysfs(NetworkManager_t)
 dev_read_rand(NetworkManager_t)
diff --git a/refpolicy/policy/modules/services/nis.if b/refpolicy/policy/modules/services/nis.if
index bae0653..99ba6cb 100644
--- a/refpolicy/policy/modules/services/nis.if
+++ b/refpolicy/policy/modules/services/nis.if
@@ -37,15 +37,13 @@ interface(`nis_use_ypbind_uncond',`
 allow $1 var_yp_t:lnk_file { getattr read };
 allow $1 var_yp_t:file r_file_perms;
+ corenet_non_ipsec_sendrecv($1)
 corenet_tcp_sendrecv_all_if($1)
 corenet_udp_sendrecv_all_if($1)
- corenet_raw_sendrecv_all_if($1)
 corenet_tcp_sendrecv_all_nodes($1)
 corenet_udp_sendrecv_all_nodes($1)
- corenet_raw_sendrecv_all_nodes($1)
 corenet_tcp_sendrecv_all_ports($1)
 corenet_udp_sendrecv_all_ports($1)
- corenet_non_ipsec_sendrecv($1)
 corenet_tcp_bind_all_nodes($1)
 corenet_udp_bind_all_nodes($1)
 corenet_tcp_bind_generic_port($1)
@@ -58,6 +56,9 @@ interface(`nis_use_ypbind_uncond',`
 corenet_tcp_connect_reserved_port($1)
 corenet_tcp_connect_generic_port($1)
 corenet_dontaudit_tcp_connect_all_reserved_ports($1)
+ corenet_sendrecv_portmap_client_packets($1)
+ corenet_sendrecv_generic_client_packets($1)
+ corenet_sendrecv_generic_server_packets($1)
 sysnet_read_config($1)
 ')
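Review bot: The three added packet rules cover the generic and portmap port rules, but the interface still binds and connects to reserved ports (`corenet_tcp_bind_generic_port($1)` is the last context line of the first hunk and `corenet_tcp_connect_reserved_port($1)` the first of the second; the reserved-port binds sit in the gap between the hunks and were removed from the duplicate copy in the `nis_use_ypbind` hunk below) and nothing grants send/recv on whatever packet type reserved-port traffic carries. If corenet has a reserved-port packet type and a matching `corenet_sendrecv_*_packets` interface, ypbind clients will be denied on that traffic once packet labelling is enforced; if it does not, a comment above the new lines such as `# reserved-port traffic carries no packet type; only generic/portmap are labelled` would save the next reader the search. The interface body extends beyond both hunks.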
@@ -78,47 +79,10 @@ interface(`nis_use_ypbind',`
 ')
 tunable_policy(`allow_ypbind',`
- dontaudit $1 self:capability net_bind_service;
-
- allow $1 self:tcp_socket create_stream_socket_perms;
- allow $1 self:udp_socket create_socket_perms;
-
- allow $1 var_yp_t:dir r_dir_perms;
- allow $1 var_yp_t:lnk_file { getattr read };
- allow $1 var_yp_t:file r_file_perms;
-
- corenet_tcp_sendrecv_all_if($1)
- corenet_udp_sendrecv_all_if($1)
- corenet_raw_sendrecv_all_if($1)
- corenet_tcp_sendrecv_all_nodes($1)
- corenet_udp_sendrecv_all_nodes($1)
- corenet_raw_sendrecv_all_nodes($1)
- corenet_tcp_sendrecv_all_ports($1)
- corenet_udp_sendrecv_all_ports($1)
- corenet_non_ipsec_sendrecv($1)
- corenet_tcp_bind_all_nodes($1)
- corenet_udp_bind_all_nodes($1)
- corenet_tcp_bind_generic_port($1)
- corenet_udp_bind_generic_port($1)
- corenet_tcp_bind_reserved_port($1)
- corenet_udp_bind_reserved_port($1)
- corenet_dontaudit_tcp_bind_all_reserved_ports($1)
- corenet_dontaudit_udp_bind_all_reserved_ports($1)
- corenet_tcp_connect_portmap_port($1)
- corenet_tcp_connect_reserved_port($1)
- corenet_tcp_connect_generic_port($1)
- corenet_dontaudit_tcp_connect_all_reserved_ports($1)
-
- sysnet_read_config($1)
+ nis_use_ypbind_uncond($1)
 ',`
 dontaudit $1 var_yp_t:dir search;
 ')
-
- optional_policy(`
- tunable_policy(`allow_ypbind',`
- mount_send_nfs_client_request($1)
- ')
- ')
 ')
 ########################################
diff --git a/refpolicy/policy/modules/services/nis.te b/refpolicy/policy/modules/services/nis.te
index 8f7938c..738b863 100644
--- a/refpolicy/policy/modules/services/nis.te
+++ b/refpolicy/policy/modules/services/nis.te
@@ -1,5 +1,5 @@
-policy_module(nis,1.1.2)
+policy_module(nis,1.1.3)
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te
index 06663c4..5fbc7ff 100644
--- a/refpolicy/policy/modules/services/nscd.te
+++ b/refpolicy/policy/modules/services/nscd.te
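Review bot: Collapsing the tunable branch to `nis_use_ypbind_uncond($1)` also deletes the trailing `optional_policy(` block that granted `mount_send_nfs_client_request($1)` under `allow_ypbind`, and neither the new side of this hunk nor the `nis_use_ypbind_uncond` hunks above re-add it. Unless that grant was moved into the `_uncond` interface in lines outside the diff, every caller of `nis_use_ypbind` silently loses the NFS client-request permission; if the drop is intentional it belongs in the commit message, and if not the block should be restored after the `tunable_policy` exactly as it was. Folding the two copies together is otherwise a good de-duplication, since the removed block had drifted from the `_uncond` version (it still carried the raw-socket lines this commit removes elsewhere). The interface's `dontaudit $1 var_yp_t:dir search;` else-branch is unchanged.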
@@ -1,5 +1,5 @@
-policy_module(nscd,1.2.3)
+policy_module(nscd,1.2.4)
 gen_require(`
 class nscd all_nscd_perms;
@@ -76,6 +76,7 @@ corenet_udp_sendrecv_all_nodes(nscd_t)
 corenet_tcp_sendrecv_all_ports(nscd_t)
 corenet_udp_sendrecv_all_ports(nscd_t)
 corenet_tcp_connect_all_ports(nscd_t)
+corenet_sendrecv_all_client_packets(nscd_t)
 corenet_rw_tun_tap_dev(nscd_t)
 selinux_get_fs_mount(nscd_t)
diff --git a/refpolicy/policy/modules/services/nsd.te b/refpolicy/policy/modules/services/nsd.te
index 1b833bb..e3b56d8 100644
--- a/refpolicy/policy/modules/services/nsd.te
+++ b/refpolicy/policy/modules/services/nsd.te
@@ -1,5 +1,5 @@
-policy_module(nsd,1.0.0)
+policy_module(nsd,1.0.1)
 ########################################
 #
@@ -64,19 +64,18 @@ kernel_read_kernel_sysctls(nsd_t)
 corecmd_exec_bin(nsd_t)
+corenet_non_ipsec_sendrecv(nsd_t)
 corenet_tcp_sendrecv_generic_if(nsd_t)
 corenet_udp_sendrecv_generic_if(nsd_t)
-corenet_raw_sendrecv_generic_if(nsd_t)
 corenet_tcp_sendrecv_all_nodes(nsd_t)
 corenet_udp_sendrecv_all_nodes(nsd_t)
-corenet_raw_sendrecv_all_nodes(nsd_t)
 corenet_tcp_sendrecv_all_ports(nsd_t)
 corenet_udp_sendrecv_all_ports(nsd_t)
-corenet_non_ipsec_sendrecv(nsd_t)
 corenet_tcp_bind_all_nodes(nsd_t)
 corenet_udp_bind_all_nodes(nsd_t)
 corenet_tcp_bind_dns_port(nsd_t)
 corenet_udp_bind_dns_port(nsd_t)
+corenet_sendrecv_dns_server_packets(nsd_t)
 dev_read_sysfs(nsd_t)
@@ -164,15 +163,12 @@ corecmd_exec_shell(nsd_crond_t)
 corenet_non_ipsec_sendrecv(nsd_crond_t)
 corenet_tcp_sendrecv_generic_if(nsd_crond_t)
 corenet_udp_sendrecv_generic_if(nsd_crond_t)
-corenet_raw_sendrecv_generic_if(nsd_crond_t)
 corenet_tcp_sendrecv_all_nodes(nsd_crond_t)
 corenet_udp_sendrecv_all_nodes(nsd_crond_t)
-corenet_raw_sendrecv_all_nodes(nsd_crond_t)
 corenet_tcp_sendrecv_all_ports(nsd_crond_t)
 corenet_udp_sendrecv_all_ports(nsd_crond_t)
-corenet_tcp_bind_all_nodes(nsd_crond_t)
-corenet_udp_bind_all_nodes(nsd_crond_t)
 corenet_tcp_connect_all_ports(nsd_crond_t)
+corenet_sendrecv_all_client_packets(nsd_crond_t)
 # for SSP
 dev_read_urand(nsd_crond_t)
diff --git a/refpolicy/policy/modules/services/ntop.te b/refpolicy/policy/modules/services/ntop.te
index 992b91a..d4a2380 100644
--- a/refpolicy/policy/modules/services/ntop.te
+++ b/refpolicy/policy/modules/services/ntop.te
@@ -1,5 +1,5 @@
-policy_module(ntop,1.0.0)
+policy_module(ntop,1.0.1)
 ########################################
 #
@@ -62,6 +62,7 @@ kernel_read_kernel_sysctls(ntop_t)
 kernel_list_proc(ntop_t)
 kernel_read_proc_symlinks(ntop_t)
+corenet_non_ipsec_sendrecv(ntop_t)
 corenet_tcp_sendrecv_generic_if(ntop_t)
 corenet_udp_sendrecv_generic_if(ntop_t)
 corenet_raw_sendrecv_generic_if(ntop_t)
@@ -70,9 +71,6 @@ corenet_udp_sendrecv_all_nodes(ntop_t)
 corenet_raw_sendrecv_all_nodes(ntop_t)
 corenet_tcp_sendrecv_all_ports(ntop_t)
 corenet_udp_sendrecv_all_ports(ntop_t)
-corenet_non_ipsec_sendrecv(ntop_t)
-corenet_tcp_bind_all_nodes(ntop_t)
-corenet_udp_bind_all_nodes(ntop_t)
 dev_read_sysfs(ntop_t)
diff --git a/refpolicy/policy/modules/services/nx.te b/refpolicy/policy/modules/services/nx.te
index 89af374..7c6d817 100644
--- a/refpolicy/policy/modules/services/nx.te
+++ b/refpolicy/policy/modules/services/nx.te
@@ -1,5 +1,5 @@
-policy_module(nx,1.0.0)
+policy_module(nx,1.0.1)
 ########################################
 #
@@ -60,6 +60,7 @@ corenet_udp_sendrecv_all_nodes(nx_server_t)
 corenet_tcp_sendrecv_all_ports(nx_server_t)
 corenet_udp_sendrecv_all_ports(nx_server_t)
 corenet_tcp_connect_all_ports(nx_server_t)
+corenet_sendrecv_all_client_packets(nx_server_t)
 dev_read_urand(nx_server_t)
diff --git a/refpolicy/policy/modules/services/oav.te b/refpolicy/policy/modules/services/oav.te
index e07a8b0..736c67e 100644
--- a/refpolicy/policy/modules/services/oav.te
+++ b/refpolicy/policy/modules/services/oav.te
@@ -1,5 +1,5 @@
-policy_module(oav,1.0.0)
+policy_module(oav,1.0.1)
 ########################################
 #
@@ -50,17 +50,13 @@ allow oav_update_t oav_update_var_lib_t:lnk_file r_file_perms;
 corecmd_exec_all_executables(oav_update_t)
+corenet_non_ipsec_sendrecv(oav_update_t)
 corenet_tcp_sendrecv_generic_if(oav_update_t)
 corenet_udp_sendrecv_generic_if(oav_update_t)
-corenet_raw_sendrecv_generic_if(oav_update_t)
 corenet_tcp_sendrecv_all_nodes(oav_update_t)
 corenet_udp_sendrecv_all_nodes(oav_update_t)
-corenet_raw_sendrecv_all_nodes(oav_update_t)
 corenet_tcp_sendrecv_all_ports(oav_update_t)
 corenet_udp_sendrecv_all_ports(oav_update_t)
-corenet_non_ipsec_sendrecv(oav_update_t)
-corenet_tcp_bind_all_nodes(oav_update_t)
-corenet_udp_bind_all_nodes(oav_update_t)
 files_exec_etc_files(oav_update_t)
@@ -109,17 +105,13 @@ kernel_read_kernel_sysctls(scannerdaemon_t)
 # Can run kaffe
 corecmd_exec_all_executables(scannerdaemon_t)
+corenet_non_ipsec_sendrecv(scannerdaemon_t)
 corenet_tcp_sendrecv_generic_if(scannerdaemon_t)
 corenet_udp_sendrecv_generic_if(scannerdaemon_t)
-corenet_raw_sendrecv_generic_if(scannerdaemon_t)
 corenet_tcp_sendrecv_all_nodes(scannerdaemon_t)
 corenet_udp_sendrecv_all_nodes(scannerdaemon_t)
-corenet_raw_sendrecv_all_nodes(scannerdaemon_t)
 corenet_tcp_sendrecv_all_ports(scannerdaemon_t)
 corenet_udp_sendrecv_all_ports(scannerdaemon_t)
-corenet_non_ipsec_sendrecv(scannerdaemon_t)
-corenet_tcp_bind_all_nodes(scannerdaemon_t)
-corenet_udp_bind_all_nodes(scannerdaemon_t)
 dev_read_sysfs(scannerdaemon_t)
diff --git a/refpolicy/policy/modules/services/openvpn.te b/refpolicy/policy/modules/services/openvpn.te
index 7b064b3..8967f0c 100644
--- a/refpolicy/policy/modules/services/openvpn.te
+++ b/refpolicy/policy/modules/services/openvpn.te
@@ -1,5 +1,5 @@
-policy_module(openvpn,1.0.0)
+policy_module(openvpn,1.0.1)
 ########################################
 #
@@ -63,6 +63,7 @@ corenet_tcp_bind_all_nodes(openvpn_t)
 corenet_udp_bind_all_nodes(openvpn_t)
 corenet_tcp_bind_openvpn_port(openvpn_t)
 corenet_udp_bind_openvpn_port(openvpn_t)
+corenet_sendrecv_openvpn_server_packets(openvpn_t)
 corenet_rw_tun_tap_dev(openvpn_t)
 dev_read_rand(openvpn_t)
diff --git a/refpolicy/policy/modules/services/pegasus.te b/refpolicy/policy/modules/services/pegasus.te
index 8445027..f19233c 100644
--- a/refpolicy/policy/modules/services/pegasus.te
+++ b/refpolicy/policy/modules/services/pegasus.te
@@ -1,5 +1,5 @@
-policy_module(pegasus,1.1.2)
+policy_module(pegasus,1.1.3)
 ########################################
 #
@@ -66,18 +66,21 @@ kernel_read_fs_sysctls(pegasus_t)
 kernel_read_system_state(pegasus_t)
 kernel_search_vm_sysctl(pegasus_t)
+corenet_non_ipsec_sendrecv(pegasus_t)
 corenet_tcp_sendrecv_all_if(pegasus_t)
-corenet_raw_sendrecv_all_if(pegasus_t)
 corenet_tcp_sendrecv_all_nodes(pegasus_t)
-corenet_raw_sendrecv_all_nodes(pegasus_t)
 corenet_tcp_sendrecv_all_ports(pegasus_t)
-corenet_non_ipsec_sendrecv(pegasus_t)
 corenet_tcp_bind_all_nodes(pegasus_t)
 corenet_tcp_bind_pegasus_http_port(pegasus_t)
 corenet_tcp_bind_pegasus_https_port(pegasus_t)
 corenet_tcp_connect_pegasus_http_port(pegasus_t)
 corenet_tcp_connect_pegasus_https_port(pegasus_t)
 corenet_tcp_connect_generic_port(pegasus_t)
+corenet_sendrecv_generic_client_packets(pegasus_t)
+corenet_sendrecv_pegasus_http_client_packets(pegasus_t)
+corenet_sendrecv_pegasus_http_server_packets(pegasus_t)
+corenet_sendrecv_pegasus_https_client_packets(pegasus_t)
+corenet_sendrecv_pegasus_https_server_packets(pegasus_t)
 corecmd_exec_sbin(pegasus_t)
 corecmd_exec_bin(pegasus_t)
diff --git a/refpolicy/policy/modules/services/perdition.te b/refpolicy/policy/modules/services/perdition.te
index f407289..d9c4037 100644
--- a/refpolicy/policy/modules/services/perdition.te
+++ b/refpolicy/policy/modules/services/perdition.te
@@ -1,5 +1,5 @@
-policy_module(perdition,1.0.0)
+policy_module(perdition,1.0.1)
 ########################################
 #
@@ -42,15 +42,13 @@ kernel_tcp_recvfrom(perdition_t)
 corenet_non_ipsec_sendrecv(perdition_t)
 corenet_tcp_sendrecv_generic_if(perdition_t)
 corenet_udp_sendrecv_generic_if(perdition_t)
-corenet_raw_sendrecv_generic_if(perdition_t)
 corenet_tcp_sendrecv_all_nodes(perdition_t)
 corenet_udp_sendrecv_all_nodes(perdition_t)
-corenet_raw_sendrecv_all_nodes(perdition_t)
 corenet_tcp_sendrecv_all_ports(perdition_t)
 corenet_udp_sendrecv_all_ports(perdition_t)
 corenet_tcp_bind_all_nodes(perdition_t)
-corenet_udp_bind_all_nodes(perdition_t)
 corenet_tcp_bind_pop_port(perdition_t)
+corenet_sendrecv_pop_server_packets(perdition_t)
 dev_read_sysfs(perdition_t)
diff --git a/refpolicy/policy/modules/services/portslave.te b/refpolicy/policy/modules/services/portslave.te
index 9e58c3f..5ebc80d 100644
--- a/refpolicy/policy/modules/services/portslave.te
+++ b/refpolicy/policy/modules/services/portslave.te
@@ -1,5 +1,5 @@
-policy_module(portslave,1.0.0)
+policy_module(portslave,1.0.1)
 ########################################
 #
@@ -62,8 +62,6 @@ corenet_tcp_sendrecv_all_nodes(portslave_t)
 corenet_udp_sendrecv_all_nodes(portslave_t)
 corenet_tcp_sendrecv_all_ports(portslave_t)
 corenet_udp_sendrecv_all_ports(portslave_t)
-corenet_tcp_bind_all_nodes(portslave_t)
-corenet_udp_bind_all_nodes(portslave_t)
 corenet_rw_ppp_dev(portslave_t)
 dev_read_sysfs(portslave_t)
diff --git a/refpolicy/policy/modules/services/postfix.if b/refpolicy/policy/modules/services/postfix.if
index 16b3eb2..1618a94 100644
--- a/refpolicy/policy/modules/services/postfix.if
+++ b/refpolicy/policy/modules/services/postfix.if
@@ -135,18 +135,17 @@ template(`postfix_server_domain_template',`
 allow postfix_$1_t postfix_master_t:fifo_file rw_file_perms;
 allow postfix_$1_t postfix_master_t:process sigchld;
+ corenet_non_ipsec_sendrecv(postfix_$1_t)
 corenet_tcp_sendrecv_all_if(postfix_$1_t)
 corenet_udp_sendrecv_all_if(postfix_$1_t)
- corenet_raw_sendrecv_all_if(postfix_$1_t)
 corenet_tcp_sendrecv_all_nodes(postfix_$1_t)
 corenet_udp_sendrecv_all_nodes(postfix_$1_t)
- corenet_raw_sendrecv_all_nodes(postfix_$1_t)
 corenet_tcp_sendrecv_all_ports(postfix_$1_t)
 corenet_udp_sendrecv_all_ports(postfix_$1_t)
- corenet_non_ipsec_sendrecv(postfix_$1_t)
 corenet_tcp_bind_all_nodes(postfix_$1_t)
 corenet_udp_bind_all_nodes(postfix_$1_t)
 corenet_tcp_connect_all_ports(postfix_$1_t)
+ corenet_sendrecv_all_client_packets(postfix_$1_t)
 sysnet_read_config(postfix_$1_t)
diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te
index 942ce2e..1df67a9 100644
--- a/refpolicy/policy/modules/services/postfix.te
+++ b/refpolicy/policy/modules/services/postfix.te
@@ -1,5 +1,5 @@
-policy_module(postfix,1.2.4)
+policy_module(postfix,1.2.5)
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/postgresql.te b/refpolicy/policy/modules/services/postgresql.te
index 760926f..116ac08 100644
--- a/refpolicy/policy/modules/services/postgresql.te
+++ b/refpolicy/policy/modules/services/postgresql.te
@@ -1,5 +1,5 @@
-policy_module(postgresql,1.1.0)
+policy_module(postgresql,1.1.1)
 #################################
 #
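Review bot: The server template keeps `corenet_tcp_bind_all_nodes(postfix_$1_t)` and `corenet_udp_bind_all_nodes(postfix_$1_t)` on the new side, yet the only packet rule added is `corenet_sendrecv_all_client_packets(postfix_$1_t)`; no `corenet_sendrecv_*_server_packets` is granted for any port a server domain might listen on. If a domain built from this template binds a port itself rather than inheriting the listening socket from `postfix_master_t`, inbound packets would be denied under packet labelling while outbound traffic to every port is open, which is the wrong way round for least privilege. Either the two bind lines are vestigial and can be dropped as this commit does for `$1_lpr_t` and `nsd_crond_t`, or the matching server-packet rule is missing; a one-line comment stating which applies would settle it. The template continues beyond the hunk, so a bind rule further down may change the picture.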
@@ -85,19 +85,18 @@ kernel_read_all_sysctls(postgresql_t)
 kernel_read_proc_symlinks(postgresql_t)
 kernel_tcp_recvfrom(postgresql_t)
+corenet_non_ipsec_sendrecv(postgresql_t)
 corenet_tcp_sendrecv_all_if(postgresql_t)
 corenet_udp_sendrecv_all_if(postgresql_t)
-corenet_raw_sendrecv_all_if(postgresql_t)
 corenet_tcp_sendrecv_all_nodes(postgresql_t)
 corenet_udp_sendrecv_all_nodes(postgresql_t)
-corenet_raw_sendrecv_all_nodes(postgresql_t)
 corenet_tcp_sendrecv_all_ports(postgresql_t)
 corenet_udp_sendrecv_all_ports(postgresql_t)
-corenet_non_ipsec_sendrecv(postgresql_t)
 corenet_tcp_bind_all_nodes(postgresql_t)
-corenet_udp_bind_all_nodes(postgresql_t)
 corenet_tcp_bind_postgresql_port(postgresql_t)
 corenet_tcp_connect_auth_port(postgresql_t)
+corenet_sendrecv_postgresql_server_packets(postgresql_t)
+corenet_sendrecv_auth_client_packets(postgresql_t)
 dev_read_sysfs(postgresql_t)
 dev_read_urand(postgresql_t)
diff --git a/refpolicy/policy/modules/services/postgrey.te b/refpolicy/policy/modules/services/postgrey.te
index af6fa8a..b794ca6 100644
--- a/refpolicy/policy/modules/services/postgrey.te
+++ b/refpolicy/policy/modules/services/postgrey.te
@@ -1,5 +1,5 @@
-policy_module(postgrey,1.0.0)
+policy_module(postgrey,1.0.1)
 ########################################
 #
@@ -50,12 +50,11 @@ corecmd_search_sbin(postgrey_t)
 corenet_non_ipsec_sendrecv(postgrey_t)
 corenet_tcp_sendrecv_generic_if(postgrey_t)
-corenet_raw_sendrecv_generic_if(postgrey_t)
 corenet_tcp_sendrecv_all_nodes(postgrey_t)
-corenet_raw_sendrecv_all_nodes(postgrey_t)
 corenet_tcp_sendrecv_all_ports(postgrey_t)
 corenet_tcp_bind_all_nodes(postgrey_t)
 corenet_tcp_bind_postgrey_port(postgrey_t)
+corenet_sendrecv_postgrey_server_packets(postgrey_t)
 dev_read_urand(postgrey_t)
 dev_read_sysfs(postgrey_t)
diff --git a/refpolicy/policy/modules/services/ppp.te b/refpolicy/policy/modules/services/ppp.te
index b65a2ac..5ba43fd 100644
--- a/refpolicy/policy/modules/services/ppp.te
+++ b/refpolicy/policy/modules/services/ppp.te
@@ -1,5 +1,5 @@
-policy_module(ppp,1.2.2)
+policy_module(ppp,1.2.3)
 ########################################
 #
@@ -57,8 +57,8 @@ files_pid_file(pptp_var_run_t)
 # PPPD Local policy
 #
-dontaudit pppd_t self:capability sys_tty_config;
 allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override };
+dontaudit pppd_t self:capability sys_tty_config;
 allow pppd_t self:fifo_file rw_file_perms;
 allow pppd_t self:file { read getattr };
 allow pppd_t self:socket create_socket_perms;
@@ -117,6 +117,7 @@ dev_read_urand(pppd_t)
 dev_search_sysfs(pppd_t)
 dev_read_sysfs(pppd_t)
+corenet_non_ipsec_sendrecv(pppd_t)
 corenet_tcp_sendrecv_all_if(pppd_t)
 corenet_raw_sendrecv_all_if(pppd_t)
 corenet_udp_sendrecv_all_if(pppd_t)
@@ -125,9 +126,6 @@ corenet_raw_sendrecv_all_nodes(pppd_t)
 corenet_udp_sendrecv_all_nodes(pppd_t)
 corenet_tcp_sendrecv_all_ports(pppd_t)
 corenet_udp_sendrecv_all_ports(pppd_t)
-corenet_non_ipsec_sendrecv(pppd_t)
-corenet_tcp_bind_all_nodes(pppd_t)
-corenet_udp_bind_all_nodes(pppd_t)
 # Access /dev/ppp.
 corenet_rw_ppp_dev(pppd_t)
@@ -265,15 +263,16 @@ kernel_read_proc_symlinks(pptp_t)
 dev_read_sysfs(pptp_t)
+corenet_non_ipsec_sendrecv(pptp_t)
 corenet_tcp_sendrecv_all_if(pptp_t)
 corenet_raw_sendrecv_all_if(pptp_t)
 corenet_tcp_sendrecv_all_nodes(pptp_t)
 corenet_raw_sendrecv_all_nodes(pptp_t)
 corenet_tcp_sendrecv_all_ports(pptp_t)
-corenet_non_ipsec_sendrecv(pptp_t)
 corenet_tcp_bind_all_nodes(pptp_t)
 corenet_tcp_connect_generic_port(pptp_t)
 corenet_tcp_connect_all_reserved_ports(pptp_t)
+corenet_sendrecv_generic_client_packets(pptp_t)
 fs_getattr_all_fs(pptp_t)
 fs_search_auto_mountpoints(pptp_t)
diff --git a/refpolicy/policy/modules/services/privoxy.te b/refpolicy/policy/modules/services/privoxy.te
index d42237f..2049d5b 100644
--- a/refpolicy/policy/modules/services/privoxy.te
+++ b/refpolicy/policy/modules/services/privoxy.te
@@ -1,5 +1,5 @@
-policy_module(privoxy,1.1.2)
+policy_module(privoxy,1.1.3)
 ########################################
 #
@@ -52,6 +52,11 @@ corenet_tcp_connect_http_port(privoxy_t)
 corenet_tcp_connect_http_cache_port(privoxy_t)
 corenet_tcp_connect_ftp_port(privoxy_t)
 corenet_tcp_connect_tor_port(privoxy_t)
+corenet_sendrecv_http_cache_client_packets(privoxy_t)
+corenet_sendrecv_http_cache_server_packets(privoxy_t)
+corenet_sendrecv_http_client_packets(privoxy_t)
+corenet_sendrecv_ftp_client_packets(privoxy_t)
+corenet_sendrecv_tor_client_packets(privoxy_t)
 dev_read_sysfs(privoxy_t)
diff --git a/refpolicy/policy/modules/services/procmail.te b/refpolicy/policy/modules/services/procmail.te
index faa439c..a4460d6 100644
--- a/refpolicy/policy/modules/services/procmail.te
+++ b/refpolicy/policy/modules/services/procmail.te
@@ -1,5 +1,5 @@
-policy_module(procmail,1.2.1)
+policy_module(procmail,1.2.2)
 ########################################
 #
@@ -18,7 +18,7 @@ role system_r types procmail_t;
 #
 allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };
-allow procmail_t self:process { setsched fork sigchld signal };
+allow procmail_t self:process { setsched signal };
 allow procmail_t self:fifo_file rw_file_perms;
 allow procmail_t self:unix_stream_socket create_socket_perms;
 allow procmail_t self:unix_dgram_socket create_socket_perms;
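Review bot: The new `allow procmail_t self:process { setsched signal };` drops `fork` and `sigchld`, presumably because the domain base type already grants them (the commit message is not visible here), yet the rshd hunk later in this same diff keeps `fork` in `allow rshd_t self:process { signal_perms fork setsched setpgid setexec };`. If fork and sigchld really are supplied by `domain_base_type`/`domain_type`, the rshd line should be trimmed the same way for consistency; if they are not, procmail, which runs external commands from recipes, will fail at its first fork and the removal needs reverting. Worth confirming against kernel/domain.te before merge. The privoxy hunk above and the procmail network hunk that follows are unaffected by this.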
@@ -28,18 +28,15 @@ allow procmail_t self:udp_socket create_socket_perms;
 kernel_read_system_state(procmail_t)
 kernel_read_kernel_sysctls(procmail_t)
+corenet_non_ipsec_sendrecv(procmail_t)
 corenet_tcp_sendrecv_all_if(procmail_t)
-corenet_raw_sendrecv_all_if(procmail_t)
 corenet_udp_sendrecv_all_if(procmail_t)
 corenet_tcp_sendrecv_all_nodes(procmail_t)
 corenet_udp_sendrecv_all_nodes(procmail_t)
-corenet_raw_sendrecv_all_nodes(procmail_t)
 corenet_tcp_sendrecv_all_ports(procmail_t)
 corenet_udp_sendrecv_all_ports(procmail_t)
-corenet_non_ipsec_sendrecv(procmail_t)
-corenet_tcp_bind_all_nodes(procmail_t)
-corenet_udp_bind_all_nodes(procmail_t)
 corenet_tcp_connect_spamd_port(procmail_t)
+corenet_sendrecv_spamd_client_packets(procmail_t)
 dev_read_urand(procmail_t)
diff --git a/refpolicy/policy/modules/services/pyzor.te b/refpolicy/policy/modules/services/pyzor.te
index 1bfd609..85b204a 100644
--- a/refpolicy/policy/modules/services/pyzor.te
+++ b/refpolicy/policy/modules/services/pyzor.te
@@ -1,5 +1,5 @@
-policy_module(pyzor,1.0.1)
+policy_module(pyzor,1.0.2)
 ########################################
 #
@@ -79,14 +79,13 @@ dev_read_urand(pyzord_t)
 corecmd_exec_bin(pyzord_t)
-corenet_raw_sendrecv_all_if(pyzord_t)
+corenet_non_ipsec_sendrecv(pyzord_t)
 corenet_udp_sendrecv_all_if(pyzord_t)
 corenet_udp_sendrecv_all_nodes(pyzord_t)
-corenet_raw_sendrecv_all_nodes(pyzord_t)
 corenet_udp_sendrecv_all_ports(pyzord_t)
-corenet_non_ipsec_sendrecv(pyzord_t)
 corenet_udp_bind_all_nodes(pyzord_t)
 corenet_udp_bind_pyzor_port(pyzord_t)
+corenet_sendrecv_pyzor_server_packets(pyzord_t)
 files_read_etc_files(pyzord_t)
diff --git a/refpolicy/policy/modules/services/qmail.te b/refpolicy/policy/modules/services/qmail.te
index 5209a06..3cd7e62 100644
--- a/refpolicy/policy/modules/services/qmail.te
+++ b/refpolicy/policy/modules/services/qmail.te
@@ -1,5 +1,5 @@
-policy_module(qmail,1.0.0)
+policy_module(qmail,1.0.1)
 ########################################
 #
@@ -183,6 +183,7 @@ corenet_udp_sendrecv_generic_node(qmail_remote_t)
 corenet_tcp_sendrecv_smtp_port(qmail_remote_t)
 corenet_udp_sendrecv_dns_port(qmail_remote_t)
 corenet_tcp_connect_smtp_port(qmail_remote_t)
+corenet_sendrecv_smtp_client_packets(qmail_remote_t)
 dev_read_rand(qmail_remote_t)
 dev_read_urand(qmail_remote_t)
diff --git a/refpolicy/policy/modules/services/radius.te b/refpolicy/policy/modules/services/radius.te
index 9335bc9..4f61a75 100644
--- a/refpolicy/policy/modules/services/radius.te
+++ b/refpolicy/policy/modules/services/radius.te
@@ -1,5 +1,5 @@
-policy_module(radius,1.1.0)
+policy_module(radius,1.1.1)
 ########################################
 #
@@ -50,21 +50,21 @@ files_pid_filetrans(radiusd_t,radiusd_var_run_t,file)
 kernel_read_kernel_sysctls(radiusd_t)
 kernel_read_system_state(radiusd_t)
+corenet_non_ipsec_sendrecv(radiusd_t)
 corenet_tcp_sendrecv_all_if(radiusd_t)
 corenet_udp_sendrecv_all_if(radiusd_t)
-corenet_raw_sendrecv_all_if(radiusd_t)
 corenet_tcp_sendrecv_all_nodes(radiusd_t)
 corenet_udp_sendrecv_all_nodes(radiusd_t)
-corenet_raw_sendrecv_all_nodes(radiusd_t)
 corenet_tcp_sendrecv_all_ports(radiusd_t)
 corenet_udp_sendrecv_all_ports(radiusd_t)
-corenet_non_ipsec_sendrecv(radiusd_t)
-corenet_tcp_bind_all_nodes(radiusd_t)
 corenet_udp_bind_all_nodes(radiusd_t)
 corenet_udp_bind_radacct_port(radiusd_t)
 corenet_udp_bind_radius_port(radiusd_t)
+corenet_sendrecv_radius_server_packets(radiusd_t)
+corenet_sendrecv_radacct_server_packets(radiusd_t)
 # for RADIUS proxy port
 corenet_udp_bind_generic_port(radiusd_t)
+corenet_sendrecv_generic_server_packets(radiusd_t)
 dev_read_sysfs(radiusd_t)
diff --git a/refpolicy/policy/modules/services/radvd.te b/refpolicy/policy/modules/services/radvd.te
index 5e2fb65..a4c9bc8 100644
--- a/refpolicy/policy/modules/services/radvd.te
+++ b/refpolicy/policy/modules/services/radvd.te
@@ -1,5 +1,5 @@
-policy_module(radvd,1.1.0)
+policy_module(radvd,1.1.1)
 ########################################
 #
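Review bot: `qmail_remote_t` keeps `corenet_udp_sendrecv_dns_port(qmail_remote_t)` (context line two lines above the addition), so it talks to resolvers over UDP, but the only packet rule added is `corenet_sendrecv_smtp_client_packets(qmail_remote_t)`; the DNS traffic gets no matching packet grant. Following the pattern this commit applies everywhere else (a port rule paired with its client or server packet rule), `corenet_sendrecv_dns_client_packets(qmail_remote_t)` should sit next to the SMTP line, assuming corenet defines that interface for the dns port as it does for smtp. Without it, outbound delivery would fail at name resolution as soon as packets on the dns port are labelled, which is a harder failure to diagnose than a refused SMTP connect. The rest of qmail_remote_t's policy is outside the hunk.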
@@ -39,6 +39,7 @@ kernel_read_net_sysctls(radvd_t)
 kernel_read_network_state(radvd_t)
 kernel_read_system_state(radvd_t)
+corenet_non_ipsec_sendrecv(radvd_t)
 corenet_tcp_sendrecv_all_if(radvd_t)
 corenet_udp_sendrecv_all_if(radvd_t)
 corenet_raw_sendrecv_all_if(radvd_t)
@@ -47,9 +48,6 @@ corenet_udp_sendrecv_all_nodes(radvd_t)
 corenet_raw_sendrecv_all_nodes(radvd_t)
 corenet_tcp_sendrecv_all_ports(radvd_t)
 corenet_udp_sendrecv_all_ports(radvd_t)
-corenet_non_ipsec_sendrecv(radvd_t)
-corenet_tcp_bind_all_nodes(radvd_t)
-corenet_udp_bind_all_nodes(radvd_t)
 dev_read_sysfs(radvd_t)
diff --git a/refpolicy/policy/modules/services/rdisc.te b/refpolicy/policy/modules/services/rdisc.te
index 2226c7d..72d587d 100644
--- a/refpolicy/policy/modules/services/rdisc.te
+++ b/refpolicy/policy/modules/services/rdisc.te
@@ -1,5 +1,5 @@
-policy_module(rdisc,1.1.0)
+policy_module(rdisc,1.1.1)
 ########################################
 #
@@ -26,13 +26,12 @@ kernel_list_proc(rdisc_t)
 kernel_read_proc_symlinks(rdisc_t)
 kernel_read_kernel_sysctls(rdisc_t)
+corenet_non_ipsec_sendrecv(rdisc_t)
 corenet_udp_sendrecv_generic_if(rdisc_t)
 corenet_raw_sendrecv_generic_if(rdisc_t)
 corenet_udp_sendrecv_all_nodes(rdisc_t)
 corenet_raw_sendrecv_all_nodes(rdisc_t)
 corenet_udp_sendrecv_all_ports(rdisc_t)
-corenet_non_ipsec_sendrecv(rdisc_t)
-corenet_udp_bind_all_nodes(rdisc_t)
 dev_read_sysfs(rdisc_t)
diff --git a/refpolicy/policy/modules/services/rhgb.te b/refpolicy/policy/modules/services/rhgb.te
index a02aeb7..c12d219 100644
--- a/refpolicy/policy/modules/services/rhgb.te
+++ b/refpolicy/policy/modules/services/rhgb.te
@@ -1,5 +1,5 @@
-policy_module(rhgb,1.0.0)
+policy_module(rhgb,1.0.1)
 ########################################
 #
@@ -46,18 +46,15 @@ kernel_read_system_state(rhgb_t)
 corecmd_exec_bin(rhgb_t)
 corecmd_exec_sbin(rhgb_t)
+corenet_non_ipsec_sendrecv(rhgb_t)
 corenet_tcp_sendrecv_generic_if(rhgb_t)
 corenet_udp_sendrecv_generic_if(rhgb_t)
-corenet_raw_sendrecv_generic_if(rhgb_t)
 corenet_tcp_sendrecv_all_nodes(rhgb_t)
 corenet_udp_sendrecv_all_nodes(rhgb_t)
-corenet_raw_sendrecv_all_nodes(rhgb_t)
 corenet_tcp_sendrecv_all_ports(rhgb_t)
 corenet_udp_sendrecv_all_ports(rhgb_t)
-corenet_non_ipsec_sendrecv(rhgb_t)
-corenet_tcp_bind_all_nodes(rhgb_t)
-corenet_udp_bind_all_nodes(rhgb_t)
 corenet_tcp_connect_all_ports(rhgb_t)
+corenet_sendrecv_all_client_packets(rhgb_t)
 dev_read_sysfs(rhgb_t)
diff --git a/refpolicy/policy/modules/services/rlogin.te b/refpolicy/policy/modules/services/rlogin.te
index 028e5be..191ac11 100644
--- a/refpolicy/policy/modules/services/rlogin.te
+++ b/refpolicy/policy/modules/services/rlogin.te
@@ -1,5 +1,5 @@
-policy_module(rlogin,1.1.0)
+policy_module(rlogin,1.1.1)
 ########################################
 #
@@ -51,17 +51,13 @@ kernel_read_kernel_sysctls(rlogind_t)
 kernel_read_system_state(rlogind_t)
 kernel_read_network_state(rlogind_t)
+corenet_non_ipsec_sendrecv(rlogind_t)
 corenet_tcp_sendrecv_all_if(rlogind_t)
 corenet_udp_sendrecv_all_if(rlogind_t)
-corenet_raw_sendrecv_all_if(rlogind_t)
 corenet_tcp_sendrecv_all_nodes(rlogind_t)
 corenet_udp_sendrecv_all_nodes(rlogind_t)
-corenet_raw_sendrecv_all_nodes(rlogind_t)
 corenet_tcp_sendrecv_all_ports(rlogind_t)
 corenet_udp_sendrecv_all_ports(rlogind_t)
-corenet_non_ipsec_sendrecv(rlogind_t)
-corenet_tcp_bind_all_nodes(rlogind_t)
-corenet_udp_bind_all_nodes(rlogind_t)
 dev_read_urand(rlogind_t)
diff --git a/refpolicy/policy/modules/services/roundup.te b/refpolicy/policy/modules/services/roundup.te
index 609ac11..1a9d03c 100644
--- a/refpolicy/policy/modules/services/roundup.te
+++ b/refpolicy/policy/modules/services/roundup.te
@@ -1,5 +1,5 @@
-policy_module(roundup,1.0.0)
+policy_module(roundup,1.0.1)
 ########################################
 #
@@ -55,9 +55,10 @@ corenet_raw_sendrecv_all_nodes(roundup_t)
 corenet_tcp_sendrecv_all_ports(roundup_t)
 corenet_udp_sendrecv_all_ports(roundup_t)
 corenet_tcp_bind_all_nodes(roundup_t)
-corenet_udp_bind_all_nodes(roundup_t)
 corenet_tcp_bind_http_cache_port(roundup_t)
 corenet_tcp_connect_smtp_port(roundup_t)
+corenet_sendrecv_http_cache_server_packets(roundup_t)
+corenet_sendrecv_smtp_client_packets(roundup_t)
 # /usr/share/mysql/charsets/Index.xml
 dev_read_urand(roundup_t)
diff --git a/refpolicy/policy/modules/services/rshd.te b/refpolicy/policy/modules/services/rshd.te
index f432bb4..aaf4950 100644
--- a/refpolicy/policy/modules/services/rshd.te
+++ b/refpolicy/policy/modules/services/rshd.te
@@ -1,5 +1,5 @@
-policy_module(rshd,1.1.0)
+policy_module(rshd,1.1.1)
 ########################################
 #
@@ -16,24 +16,23 @@ role system_r types rshd_t;
 #
 # Local policy
 #
-allow rshd_t self:capability { setuid setgid fowner fsetid chown dac_override};
+allow rshd_t self:capability { setuid setgid fowner fsetid chown dac_override };
 allow rshd_t self:process { signal_perms fork setsched setpgid setexec };
 allow rshd_t self:fifo_file rw_file_perms;
 allow rshd_t self:tcp_socket create_stream_socket_perms;
 kernel_read_kernel_sysctls(rshd_t)
+corenet_non_ipsec_sendrecv(rshd_t)
 corenet_tcp_sendrecv_generic_if(rshd_t)
 corenet_udp_sendrecv_generic_if(rshd_t)
-corenet_raw_sendrecv_generic_if(rshd_t)
 corenet_tcp_sendrecv_all_nodes(rshd_t)
 corenet_udp_sendrecv_all_nodes(rshd_t)
-corenet_raw_sendrecv_all_nodes(rshd_t)
 corenet_tcp_sendrecv_all_ports(rshd_t)
 corenet_udp_sendrecv_all_ports(rshd_t)
-corenet_non_ipsec_sendrecv(rshd_t)
 corenet_tcp_bind_all_nodes(rshd_t)
 corenet_tcp_bind_rsh_port(rshd_t)
+corenet_sendrecv_rsh_server_packets(rshd_t)
 dev_read_urand(rshd_t)
diff --git a/refpolicy/policy/modules/services/rsync.te b/refpolicy/policy/modules/services/rsync.te
index ec48525..5ba24bb 100644
--- a/refpolicy/policy/modules/services/rsync.te
+++ b/refpolicy/policy/modules/services/rsync.te
@@ -1,5 +1,5 @@
-policy_module(rsync,1.2.3)
+policy_module(rsync,1.2.4)
 ########################################
 #
@@ -28,7 +28,7 @@ files_pid_file(rsync_var_run_t)
 allow rsync_t self:capability sys_chroot;
 allow rsync_t self:process signal_perms;
 allow rsync_t self:fifo_file rw_file_perms;
-allow rsync_t self:tcp_socket { listen accept connected_socket_perms };
+allow rsync_t self:tcp_socket create_stream_socket_perms;
 allow rsync_t self:udp_socket connected_socket_perms;
 # for identd
@@ -54,18 +54,16 @@ kernel_read_kernel_sysctls(rsync_t)
 kernel_read_system_state(rsync_t)
 kernel_read_network_state(rsync_t)
+corenet_non_ipsec_sendrecv(rsync_t)
 corenet_tcp_sendrecv_all_if(rsync_t)
 corenet_udp_sendrecv_all_if(rsync_t)
-corenet_raw_sendrecv_all_if(rsync_t)
 corenet_tcp_sendrecv_all_nodes(rsync_t)
 corenet_udp_sendrecv_all_nodes(rsync_t)
-corenet_raw_sendrecv_all_nodes(rsync_t)
 corenet_tcp_sendrecv_all_ports(rsync_t)
 corenet_udp_sendrecv_all_ports(rsync_t)
-corenet_non_ipsec_sendrecv(rsync_t)
 corenet_tcp_bind_all_nodes(rsync_t)
-corenet_udp_bind_all_nodes(rsync_t)
 corenet_tcp_bind_rsync_port(rsync_t)
+corenet_sendrecv_rsync_server_packets(rsync_t)
 dev_read_urand(rsync_t)
diff --git a/refpolicy/policy/modules/services/sasl.te b/refpolicy/policy/modules/services/sasl.te
index 5d0e609..7e858d2 100644
--- a/refpolicy/policy/modules/services/sasl.te
+++ b/refpolicy/policy/modules/services/sasl.te
@@ -1,5 +1,5 @@
-policy_module(sasl,1.2.0)
+policy_module(sasl,1.2.1)
 ########################################
 #
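Review bot: In the `@@ -28,7 +28,7 @@` hunk, replacing `{ listen accept connected_socket_perms }` with `create_stream_socket_perms` on rsync_t's tcp_socket is a widening rather than a cleanup: the old set fits a socket inherited from a super-server, while the new set (going by refpolicy's permission-set definitions, which are not on the page) also covers creating and connecting sockets. It is consistent with the pre-existing `corenet_tcp_bind_rsync_port(rsync_t)` rule, so standalone daemon mode is presumably the motivation, but nothing in the file says so. A one-line comment on the rule would make the broader grant auditable, e.g. `# rsync also runs as a standalone daemon and creates its own listening socket`. The other hunk in this section only adds the packet-type rule and drops raw-socket and udp bind_all_nodes permissions.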
@@ -34,14 +34,12 @@ files_pid_filetrans(saslauthd_t,saslauthd_var_run_t,file)
 kernel_read_kernel_sysctls(saslauthd_t)
 kernel_read_system_state(saslauthd_t)
+corenet_non_ipsec_sendrecv(saslauthd_t)
 corenet_tcp_sendrecv_all_if(saslauthd_t)
-corenet_raw_sendrecv_all_if(saslauthd_t)
 corenet_tcp_sendrecv_all_nodes(saslauthd_t)
-corenet_raw_sendrecv_all_nodes(saslauthd_t)
 corenet_tcp_sendrecv_all_ports(saslauthd_t)
-corenet_non_ipsec_sendrecv(saslauthd_t)
-corenet_tcp_bind_all_nodes(saslauthd_t)
 corenet_tcp_connect_pop_port(saslauthd_t)
+corenet_sendrecv_pop_client_packets(saslauthd_t)
 dev_read_sysfs(saslauthd_t)
 dev_read_urand(saslauthd_t)
diff --git a/refpolicy/policy/modules/services/smartmon.te b/refpolicy/policy/modules/services/smartmon.te
index 47debff..3edc67a 100644
--- a/refpolicy/policy/modules/services/smartmon.te
+++ b/refpolicy/policy/modules/services/smartmon.te
@@ -1,5 +1,5 @@
-policy_module(smartmon,1.0.1)
+policy_module(smartmon,1.0.2)
 ########################################
 #
@@ -45,11 +45,8 @@ corecmd_exec_all_executables(fsdaemon_t)
 corenet_non_ipsec_sendrecv(fsdaemon_t)
 corenet_udp_sendrecv_generic_if(fsdaemon_t)
-corenet_raw_sendrecv_generic_if(fsdaemon_t)
 corenet_udp_sendrecv_all_nodes(fsdaemon_t)
-corenet_raw_sendrecv_all_nodes(fsdaemon_t)
 corenet_udp_sendrecv_all_ports(fsdaemon_t)
-corenet_udp_bind_all_nodes(fsdaemon_t)
 dev_read_sysfs(fsdaemon_t)
diff --git a/refpolicy/policy/modules/services/snmp.te b/refpolicy/policy/modules/services/snmp.te
index ebda872..e00284d 100644
--- a/refpolicy/policy/modules/services/snmp.te
+++ b/refpolicy/policy/modules/services/snmp.te
@@ -1,5 +1,5 @@
-policy_module(snmp,1.1.1)
+policy_module(snmp,1.1.2)
 ########################################
 #
@@ -61,19 +61,18 @@ corecmd_exec_bin(snmpd_t)
 corecmd_exec_sbin(snmpd_t)
 corecmd_exec_shell(snmpd_t)
+corenet_non_ipsec_sendrecv(snmpd_t)
 corenet_tcp_sendrecv_all_if(snmpd_t)
 corenet_udp_sendrecv_all_if(snmpd_t)
-corenet_raw_sendrecv_all_if(snmpd_t)
 corenet_tcp_sendrecv_all_nodes(snmpd_t)
 corenet_udp_sendrecv_all_nodes(snmpd_t)
-corenet_raw_sendrecv_all_nodes(snmpd_t)
 corenet_tcp_sendrecv_all_ports(snmpd_t)
 corenet_udp_sendrecv_all_ports(snmpd_t)
-corenet_non_ipsec_sendrecv(snmpd_t)
 corenet_tcp_bind_all_nodes(snmpd_t)
 corenet_udp_bind_all_nodes(snmpd_t)
 corenet_tcp_bind_snmp_port(snmpd_t)
 corenet_udp_bind_snmp_port(snmpd_t)
+corenet_sendrecv_snmp_server_packets(snmpd_t)
 dev_list_sysfs(snmpd_t)
 dev_read_sysfs(snmpd_t)
diff --git a/refpolicy/policy/modules/services/snort.te b/refpolicy/policy/modules/services/snort.te
index a280d81..eea79d6 100644
--- a/refpolicy/policy/modules/services/snort.te
+++ b/refpolicy/policy/modules/services/snort.te
@@ -1,5 +1,5 @@
-policy_module(snort,1.0.0)
+policy_module(snort,1.0.1)
 ########################################
 #
@@ -65,8 +65,6 @@ corenet_udp_sendrecv_all_nodes(snort_t)
 corenet_raw_sendrecv_all_nodes(snort_t)
 corenet_tcp_sendrecv_all_ports(snort_t)
 corenet_udp_sendrecv_all_ports(snort_t)
-corenet_tcp_bind_all_nodes(snort_t)
-corenet_udp_bind_all_nodes(snort_t)
 dev_read_sysfs(snort_t)
diff --git a/refpolicy/policy/modules/services/soundserver.te b/refpolicy/policy/modules/services/soundserver.te
index 7f3b4e7..22ba8e2 100644
--- a/refpolicy/policy/modules/services/soundserver.te
+++ b/refpolicy/policy/modules/services/soundserver.te
@@ -1,5 +1,5 @@
-policy_module(soundserver,1.0.0)
+policy_module(soundserver,1.0.1)
 ########################################
 #
@@ -66,18 +66,16 @@ kernel_list_proc(soundd_t)
 kernel_read_proc_symlinks(soundd_t)
 kernel_tcp_recvfrom(soundd_t)
+corenet_non_ipsec_sendrecv(soundd_t)
 corenet_tcp_sendrecv_generic_if(soundd_t)
 corenet_udp_sendrecv_generic_if(soundd_t)
-corenet_raw_sendrecv_generic_if(soundd_t)
 corenet_tcp_sendrecv_all_nodes(soundd_t)
 corenet_udp_sendrecv_all_nodes(soundd_t)
-corenet_raw_sendrecv_all_nodes(soundd_t)
 corenet_tcp_sendrecv_all_ports(soundd_t)
 corenet_udp_sendrecv_all_ports(soundd_t)
-corenet_non_ipsec_sendrecv(soundd_t)
 corenet_tcp_bind_all_nodes(soundd_t)
-corenet_udp_bind_all_nodes(soundd_t)
 corenet_tcp_bind_soundd_port(soundd_t)
+corenet_sendrecv_soundd_server_packets(soundd_t)
 dev_read_sysfs(soundd_t)
 dev_read_sound(soundd_t)
diff --git a/refpolicy/policy/modules/services/spamassassin.if b/refpolicy/policy/modules/services/spamassassin.if
index f57fdca..1405466 100644
--- a/refpolicy/policy/modules/services/spamassassin.if
+++ b/refpolicy/policy/modules/services/spamassassin.if
@@ -99,18 +99,15 @@ template(`spamassassin_per_userdomain_template',`
  kernel_read_kernel_sysctls($1_spamc_t)
  kernel_tcp_recvfrom($1_spamc_t)
+ corenet_non_ipsec_sendrecv($1_spamc_t)
  corenet_tcp_sendrecv_generic_if($1_spamc_t)
  corenet_udp_sendrecv_generic_if($1_spamc_t)
- corenet_raw_sendrecv_generic_if($1_spamc_t)
  corenet_tcp_sendrecv_all_nodes($1_spamc_t)
  corenet_udp_sendrecv_all_nodes($1_spamc_t)
- corenet_raw_sendrecv_all_nodes($1_spamc_t)
  corenet_tcp_sendrecv_all_ports($1_spamc_t)
  corenet_udp_sendrecv_all_ports($1_spamc_t)
- corenet_non_ipsec_sendrecv($1_spamc_t)
- corenet_tcp_bind_all_nodes($1_spamc_t)
- corenet_udp_bind_all_nodes($1_spamc_t)
  corenet_tcp_connect_all_ports($1_spamc_t)
+ corenet_sendrecv_all_client_packets($1_spamc_t)
  fs_search_auto_mountpoints($1_spamc_t)
@@ -167,10 +164,6 @@ template(`spamassassin_per_userdomain_template',`
  ')
  optional_policy(`
- mount_send_nfs_client_request($1_spamc_t)
- ')
-
- optional_policy(`
  nis_use_ypbind($1_spamc_t)
  ')
@@ -287,18 +280,15 @@ template(`spamassassin_per_userdomain_template',`
  allow $1_spamassassin_t self:tcp_socket create_stream_socket_perms;
  allow $1_spamassassin_t self:udp_socket create_socket_perms;
+ corenet_non_ipsec_sendrecv($1_spamassassin_t)
  corenet_tcp_sendrecv_generic_if($1_spamassassin_t)
  corenet_udp_sendrecv_generic_if($1_spamassassin_t)
- corenet_raw_sendrecv_generic_if($1_spamassassin_t)
  corenet_tcp_sendrecv_all_nodes($1_spamassassin_t)
  corenet_udp_sendrecv_all_nodes($1_spamassassin_t)
- corenet_raw_sendrecv_all_nodes($1_spamassassin_t)
  corenet_tcp_sendrecv_all_ports($1_spamassassin_t)
  corenet_udp_sendrecv_all_ports($1_spamassassin_t)
- corenet_non_ipsec_sendrecv($1_spamassassin_t)
- corenet_tcp_bind_all_nodes($1_spamassassin_t)
- corenet_udp_bind_all_nodes($1_spamassassin_t)
  corenet_tcp_connect_all_ports($1_spamassassin_t)
+ corenet_sendrecv_all_client_packets($1_spamassassin_t)
  sysnet_read_config($1_spamassassin_t)
 ')
diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te
index 7f396ee..80cab9e 100644
--- a/refpolicy/policy/modules/services/spamassassin.te
+++ b/refpolicy/policy/modules/services/spamassassin.te
@@ -1,5 +1,5 @@
-policy_module(spamassassin,1.3.7)
+policy_module(spamassassin,1.3.8)
 ########################################
 #
@@ -69,14 +69,18 @@ corenet_udp_sendrecv_all_nodes(spamd_t)
 corenet_tcp_sendrecv_all_ports(spamd_t)
 corenet_udp_sendrecv_all_ports(spamd_t)
 corenet_tcp_bind_all_nodes(spamd_t)
-corenet_udp_bind_all_nodes(spamd_t)
 corenet_tcp_bind_spamd_port(spamd_t)
 corenet_tcp_connect_razor_port(spamd_t)
+corenet_sendrecv_razor_client_packets(spamd_t)
+corenet_sendrecv_spamd_server_packets(spamd_t)
 # spamassassin 3.1 needs this for its
 # DnsResolver.pm module which binds to
 # random ports >= 1024.
+corenet_udp_bind_all_nodes(spamd_t)
 corenet_udp_bind_generic_port(spamd_t)
 corenet_udp_bind_imaze_port(spamd_t)
+corenet_sendrecv_imaze_server_packets(spamd_t)
+corenet_sendrecv_generic_server_packets(spamd_t)
 dev_read_sysfs(spamd_t)
 dev_read_urand(spamd_t)
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index eb5da0d..6296c6b 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -1,5 +1,5 @@
-policy_module(ssh,1.3.4)
+policy_module(ssh,1.3.5)
 ########################################
 #
@@ -82,6 +82,7 @@ ifdef(`strict_policy',`
  # for X forwarding
  corenet_tcp_bind_xserver_port(sshd_t)
+ corenet_sendrecv_xserver_server_packets(sshd_t)
  mls_file_read_up(sshd_t)
  mls_file_write_down(sshd_t)
diff --git a/refpolicy/policy/modules/services/tcpd.te b/refpolicy/policy/modules/services/tcpd.te
index 5cf4f4e..a902b93 100644
--- a/refpolicy/policy/modules/services/tcpd.te
+++ b/refpolicy/policy/modules/services/tcpd.te
@@ -1,5 +1,5 @@
-policy_module(tcpd,1.0.2)
+policy_module(tcpd,1.0.3)
 ########################################
 #
@@ -23,13 +23,10 @@ allow tcpd_t tcpd_tmp_t:dir create_dir_perms;
 allow tcpd_t tcpd_tmp_t:file create_file_perms;
 files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir })
-corenet_raw_sendrecv_all_if(tcpd_t)
+corenet_non_ipsec_sendrecv(tcpd_t)
 corenet_tcp_sendrecv_all_if(tcpd_t)
-corenet_raw_sendrecv_all_nodes(tcpd_t)
 corenet_tcp_sendrecv_all_nodes(tcpd_t)
 corenet_tcp_sendrecv_all_ports(tcpd_t)
-corenet_non_ipsec_sendrecv(tcpd_t)
-corenet_tcp_bind_all_nodes(tcpd_t)
 fs_getattr_xattr_fs(tcpd_t)
diff --git a/refpolicy/policy/modules/services/tftp.te b/refpolicy/policy/modules/services/tftp.te
index 9f3097c..4df1189 100644
--- a/refpolicy/policy/modules/services/tftp.te
+++ b/refpolicy/policy/modules/services/tftp.te
@@ -1,5 +1,5 @@
-policy_module(tftp,1.1.0)
+policy_module(tftp,1.1.1)
 ########################################
 #
@@ -41,18 +41,17 @@ kernel_read_kernel_sysctls(tftpd_t)
 kernel_list_proc(tftpd_t)
 kernel_read_proc_symlinks(tftpd_t)
+corenet_non_ipsec_sendrecv(tftpd_t)
 corenet_tcp_sendrecv_all_if(tftpd_t)
 corenet_udp_sendrecv_all_if(tftpd_t)
-corenet_raw_sendrecv_all_if(tftpd_t)
 corenet_tcp_sendrecv_all_nodes(tftpd_t)
 corenet_udp_sendrecv_all_nodes(tftpd_t)
-corenet_raw_sendrecv_all_nodes(tftpd_t)
 corenet_tcp_sendrecv_all_ports(tftpd_t)
 corenet_udp_sendrecv_all_ports(tftpd_t)
-corenet_non_ipsec_sendrecv(tftpd_t)
 corenet_tcp_bind_all_nodes(tftpd_t)
 corenet_udp_bind_all_nodes(tftpd_t)
 corenet_udp_bind_tftp_port(tftpd_t)
+corenet_sendrecv_tftp_server_packets(tftpd_t)
 dev_read_sysfs(tftpd_t)
@@ -91,10 +90,6 @@ ifdef(`targeted_policy', `
 ')
 optional_policy(`
- mount_send_nfs_client_request(tftpd_t)
-')
-
-optional_policy(`
  nscd_socket_use(tftpd_t)
 ')
diff --git a/refpolicy/policy/modules/services/timidity.te b/refpolicy/policy/modules/services/timidity.te
index cea6beb..86d9c26 100644
--- a/refpolicy/policy/modules/services/timidity.te
+++ b/refpolicy/policy/modules/services/timidity.te
@@ -1,5 +1,5 @@
-policy_module(timidity,1.1.0)
+policy_module(timidity,1.1.1)
 # Note: You only need this policy if you want to run timidity as a server
@@ -39,17 +39,13 @@ kernel_read_kernel_sysctls(timidity_t)
 # read /proc/cpuinfo
 kernel_read_system_state(timidity_t)
+corenet_non_ipsec_sendrecv(timidity_t)
 corenet_tcp_sendrecv_generic_if(timidity_t)
 corenet_udp_sendrecv_generic_if(timidity_t)
-corenet_raw_sendrecv_generic_if(timidity_t)
 corenet_tcp_sendrecv_all_nodes(timidity_t)
 corenet_udp_sendrecv_all_nodes(timidity_t)
-corenet_raw_sendrecv_all_nodes(timidity_t)
 corenet_tcp_sendrecv_all_ports(timidity_t)
 corenet_udp_sendrecv_all_ports(timidity_t)
-corenet_non_ipsec_sendrecv(timidity_t)
-corenet_tcp_bind_all_nodes(timidity_t)
-corenet_udp_bind_all_nodes(timidity_t)
 dev_read_sysfs(timidity_t)
 dev_read_sound(timidity_t)
diff --git a/refpolicy/policy/modules/services/tor.te b/refpolicy/policy/modules/services/tor.te
index 901cd08..aa9c4a5 100644
--- a/refpolicy/policy/modules/services/tor.te
+++ b/refpolicy/policy/modules/services/tor.te
@@ -1,5 +1,5 @@
-policy_module(tor,1.0.2)
+policy_module(tor,1.0.3)
 ########################################
 #
@@ -62,17 +62,19 @@ allow tor_t tor_var_run_t:dir rw_dir_perms;
 files_pid_filetrans(tor_t,tor_var_run_t, { file sock_file })
 # networking basics
+corenet_non_ipsec_sendrecv(tor_t)
 corenet_tcp_sendrecv_all_if(tor_t)
 corenet_tcp_sendrecv_all_nodes(tor_t)
 corenet_tcp_sendrecv_all_ports(tor_t)
 corenet_tcp_sendrecv_all_reserved_ports(tor_t)
-corenet_non_ipsec_sendrecv(tor_t)
+corenet_tcp_bind_all_nodes(tor_t)
+corenet_tcp_bind_tor_port(tor_t)
+corenet_sendrecv_tor_server_packets(tor_t)
 # TOR will need to connect to various ports
 corenet_tcp_connect_all_ports(tor_t)
+corenet_sendrecv_all_client_packets(tor_t)
 # ... especially including port 80 and other privileged ports
 corenet_tcp_connect_all_reserved_ports(tor_t)
-corenet_tcp_bind_tor_port(tor_t)
-corenet_tcp_bind_all_nodes(tor_t)
 # tor uses crypto and needs random
 dev_read_urand(tor_t)
diff --git a/refpolicy/policy/modules/services/transproxy.te b/refpolicy/policy/modules/services/transproxy.te
index 8defe8c..91edbeb 100644
--- a/refpolicy/policy/modules/services/transproxy.te
+++ b/refpolicy/policy/modules/services/transproxy.te
@@ -1,5 +1,5 @@
-policy_module(transproxy,1.0.0)
+policy_module(transproxy,1.0.1)
 ########################################
 #
@@ -33,12 +33,11 @@ kernel_read_proc_symlinks(transproxy_t)
 corenet_non_ipsec_sendrecv(transproxy_t)
 corenet_tcp_sendrecv_generic_if(transproxy_t)
-corenet_raw_sendrecv_generic_if(transproxy_t)
 corenet_tcp_sendrecv_all_nodes(transproxy_t)
-corenet_raw_sendrecv_all_nodes(transproxy_t)
 corenet_tcp_sendrecv_all_ports(transproxy_t)
 corenet_tcp_bind_all_nodes(transproxy_t)
 corenet_tcp_bind_transproxy_port(transproxy_t)
+corenet_sendrecv_transproxy_server_packets(transproxy_t)
 dev_read_sysfs(transproxy_t)
diff --git a/refpolicy/policy/modules/services/ucspitcp.te b/refpolicy/policy/modules/services/ucspitcp.te
index 9d59602..4689b48 100644
--- a/refpolicy/policy/modules/services/ucspitcp.te
+++ b/refpolicy/policy/modules/services/ucspitcp.te
@@ -52,9 +52,8 @@ optional_policy(`
 # Local policy for tcpserver
 #
-allow ucspitcp_t self:capability { net_bind_service setgid setuid };
+allow ucspitcp_t self:capability { setgid setuid };
 allow ucspitcp_t self:fifo_file { read write };
-allow ucspitcp_t self:process { fork sigchld };
 allow ucspitcp_t self:tcp_socket create_stream_socket_perms;
 allow ucspitcp_t self:udp_socket create_socket_perms;
diff --git a/refpolicy/policy/modules/services/uucp.te b/refpolicy/policy/modules/services/uucp.te
index bd62422..0b78f3e 100644
--- a/refpolicy/policy/modules/services/uucp.te
+++ b/refpolicy/policy/modules/services/uucp.te
@@ -1,5 +1,5 @@
-policy_module(uucp,1.1.0)
+policy_module(uucp,1.1.1)
 ########################################
 #
@@ -67,17 +67,13 @@ kernel_read_kernel_sysctls(uucpd_t)
 kernel_read_system_state(uucpd_t)
 kernel_read_network_state(uucpd_t)
+corenet_non_ipsec_sendrecv(uucpd_t)
 corenet_tcp_sendrecv_all_if(uucpd_t)
 corenet_udp_sendrecv_all_if(uucpd_t)
-corenet_raw_sendrecv_all_if(uucpd_t)
 corenet_tcp_sendrecv_all_nodes(uucpd_t)
 corenet_udp_sendrecv_all_nodes(uucpd_t)
-corenet_raw_sendrecv_all_nodes(uucpd_t)
 corenet_tcp_sendrecv_all_ports(uucpd_t)
 corenet_udp_sendrecv_all_ports(uucpd_t)
-corenet_non_ipsec_sendrecv(uucpd_t)
-corenet_tcp_bind_all_nodes(uucpd_t)
-corenet_udp_bind_all_nodes(uucpd_t)
 dev_read_urand(uucpd_t)
diff --git a/refpolicy/policy/modules/services/uwimap.te b/refpolicy/policy/modules/services/uwimap.te
index 9f59e65..07ec96b 100644
--- a/refpolicy/policy/modules/services/uwimap.te
+++ b/refpolicy/policy/modules/services/uwimap.te
@@ -1,5 +1,5 @@
-policy_module(uwimap,1.0.0)
+policy_module(uwimap,1.0.1)
 ########################################
 #
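Review bot: Dropping `net_bind_service` from ucspitcp_t's capability set in the `@@ -52,9 +52,8 @@` hunk leaves no visible way for tcpserver to listen on a port below 1024, which is a common way it is deployed in front of a mail service; unless the rest of ucspitcp.te, outside this hunk, confines it to unprivileged ports, this reads as a likely regression rather than a tightening, and nothing in the hunk records the reasoning. If the intent is least privilege, a comment on the rule would make that reviewable, e.g. `# tcpserver is only expected to bind unprivileged ports (>1024)`. The removal of `self:process { fork sigchld }` is presumably harmless only if those permissions are granted to the domain by an attribute elsewhere; that is not visible here, so it is worth confirming before merging. The ucspitcp.te section has this one hunk and no version bump, unlike the other modules in the series.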
@@ -42,13 +42,13 @@ kernel_read_proc_symlinks(imapd_t)
 corenet_non_ipsec_sendrecv(imapd_t)
 corenet_tcp_sendrecv_generic_if(imapd_t)
-corenet_raw_sendrecv_generic_if(imapd_t)
 corenet_tcp_sendrecv_all_nodes(imapd_t)
-corenet_raw_sendrecv_all_nodes(imapd_t)
 corenet_tcp_sendrecv_all_ports(imapd_t)
 corenet_tcp_bind_all_nodes(imapd_t)
 corenet_tcp_bind_pop_port(imapd_t)
 corenet_tcp_connect_all_ports(imapd_t)
+corenet_sendrecv_pop_server_packets(imapd_t)
+corenet_sendrecv_all_client_packets(imapd_t)
 dev_read_sysfs(imapd_t)
 #urandom, for ssl
diff --git a/refpolicy/policy/modules/services/watchdog.te b/refpolicy/policy/modules/services/watchdog.te
index 77e8c19..f6928ff 100644
--- a/refpolicy/policy/modules/services/watchdog.te
+++ b/refpolicy/policy/modules/services/watchdog.te
@@ -1,5 +1,5 @@
-policy_module(watchdog,1.0.0)
+policy_module(watchdog,1.0.1)
 #################################
 #
@@ -48,15 +48,12 @@ corecmd_exec_shell(watchdog_t)
 corenet_non_ipsec_sendrecv(watchdog_t)
 corenet_tcp_sendrecv_generic_if(watchdog_t)
 corenet_udp_sendrecv_generic_if(watchdog_t)
-corenet_raw_sendrecv_generic_if(watchdog_t)
 corenet_tcp_sendrecv_all_nodes(watchdog_t)
 corenet_udp_sendrecv_all_nodes(watchdog_t)
-corenet_raw_sendrecv_all_nodes(watchdog_t)
 corenet_tcp_sendrecv_all_ports(watchdog_t)
 corenet_udp_sendrecv_all_ports(watchdog_t)
-corenet_tcp_bind_all_nodes(watchdog_t)
-corenet_udp_bind_all_nodes(watchdog_t)
 corenet_tcp_connect_all_ports(watchdog_t)
+corenet_sendrecv_all_client_packets(watchdog_t)
 dev_read_sysfs(watchdog_t)
 dev_write_watchdog(watchdog_t)
diff --git a/refpolicy/policy/modules/services/xprint.te b/refpolicy/policy/modules/services/xprint.te
index 37e5fe2..f74a498 100644
--- a/refpolicy/policy/modules/services/xprint.te
+++ b/refpolicy/policy/modules/services/xprint.te
@@ -1,5 +1,5 @@
-policy_module(xprint,1.0.0)
+policy_module(xprint,1.0.1)
 ########################################
 #
@@ -39,14 +39,10 @@ corecmd_exec_shell(xprint_t)
 corenet_non_ipsec_sendrecv(xprint_t)
 corenet_tcp_sendrecv_generic_if(xprint_t)
 corenet_udp_sendrecv_generic_if(xprint_t)
-corenet_raw_sendrecv_generic_if(xprint_t)
 corenet_tcp_sendrecv_all_nodes(xprint_t)
 corenet_udp_sendrecv_all_nodes(xprint_t)
-corenet_raw_sendrecv_all_nodes(xprint_t)
 corenet_tcp_sendrecv_all_ports(xprint_t)
 corenet_udp_sendrecv_all_ports(xprint_t)
-corenet_tcp_bind_all_nodes(xprint_t)
-corenet_udp_bind_all_nodes(xprint_t)
 dev_read_sysfs(xprint_t)
 dev_read_urand(xprint_t)
diff --git a/refpolicy/policy/modules/services/xserver.if b/refpolicy/policy/modules/services/xserver.if
index f807733..6f43494 100644
--- a/refpolicy/policy/modules/services/xserver.if
+++ b/refpolicy/policy/modules/services/xserver.if
@@ -99,16 +99,15 @@ template(`xserver_common_domain_template',`
  corenet_non_ipsec_sendrecv($1_xserver_t)
  corenet_tcp_sendrecv_generic_if($1_xserver_t)
  corenet_udp_sendrecv_generic_if($1_xserver_t)
- corenet_raw_sendrecv_generic_if($1_xserver_t)
  corenet_tcp_sendrecv_all_nodes($1_xserver_t)
  corenet_udp_sendrecv_all_nodes($1_xserver_t)
- corenet_raw_sendrecv_all_nodes($1_xserver_t)
  corenet_tcp_sendrecv_all_ports($1_xserver_t)
  corenet_udp_sendrecv_all_ports($1_xserver_t)
  corenet_tcp_bind_all_nodes($1_xserver_t)
- corenet_udp_bind_all_nodes($1_xserver_t)
  corenet_tcp_bind_xserver_port($1_xserver_t)
  corenet_tcp_connect_all_ports($1_xserver_t)
+ corenet_sendrecv_xserver_server_packets($1_xserver_t)
+ corenet_sendrecv_all_client_packets($1_xserver_t)
  dev_read_sysfs($1_xserver_t)
  dev_rw_mouse($1_xserver_t)
diff --git a/refpolicy/policy/modules/services/xserver.te b/refpolicy/policy/modules/services/xserver.te
index d4c0d7f..2e69e4d 100644
--- a/refpolicy/policy/modules/services/xserver.te
+++ b/refpolicy/policy/modules/services/xserver.te
@@ -1,5 +1,5 @@
-policy_module(xserver,1.1.6)
+policy_module(xserver,1.1.7)
 ########################################
 #
@@ -109,18 +109,17 @@ corecmd_exec_shell(xdm_t)
 corecmd_exec_bin(xdm_t)
 corecmd_exec_sbin(xdm_t)
+corenet_non_ipsec_sendrecv(xdm_t)
 corenet_tcp_sendrecv_generic_if(xdm_t)
 corenet_udp_sendrecv_generic_if(xdm_t)
-corenet_raw_sendrecv_generic_if(xdm_t)
 corenet_tcp_sendrecv_all_nodes(xdm_t)
 corenet_udp_sendrecv_all_nodes(xdm_t)
-corenet_raw_sendrecv_all_nodes(xdm_t)
 corenet_tcp_sendrecv_all_ports(xdm_t)
 corenet_udp_sendrecv_all_ports(xdm_t)
-corenet_non_ipsec_sendrecv(xdm_t)
 corenet_tcp_bind_all_nodes(xdm_t)
 corenet_udp_bind_all_nodes(xdm_t)
 corenet_tcp_connect_all_ports(xdm_t)
+corenet_sendrecv_all_client_packets(xdm_t)
 # xdm tries to bind to biff_port_t
 corenet_dontaudit_tcp_bind_all_ports(xdm_t)
diff --git a/refpolicy/policy/modules/services/zebra.te b/refpolicy/policy/modules/services/zebra.te
index 7124720..4ef0b02 100644
--- a/refpolicy/policy/modules/services/zebra.te
+++ b/refpolicy/policy/modules/services/zebra.te
@@ -1,5 +1,5 @@
-policy_module(zebra,1.2.0)
+policy_module(zebra,1.2.1)
 ########################################
 #
@@ -27,7 +27,7 @@ files_pid_file(zebra_var_run_t)
 # Local policy
 #
-allow zebra_t self:capability { setgid setuid net_admin net_raw net_bind_service };
+allow zebra_t self:capability { setgid setuid net_admin net_raw };
 dontaudit zebra_t self:capability sys_tty_config;
 allow zebra_t self:process { signal_perms setcap };
 allow zebra_t self:file { ioctl read write getattr lock append };
@@ -61,6 +61,7 @@ kernel_read_kernel_sysctls(zebra_t)
 kernel_tcp_recvfrom(zebra_t)
 kernel_rw_net_sysctls(zebra_t)
+corenet_non_ipsec_sendrecv(zebra_t)
 corenet_tcp_sendrecv_all_if(zebra_t)
 corenet_udp_sendrecv_all_if(zebra_t)
 corenet_raw_sendrecv_all_if(zebra_t)
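Review bot: Removing `net_bind_service` from zebra_t in the `@@ -27,7 +27,7 @@` hunk of zebra.te assumes that every routing daemon running in this domain binds only unprivileged ports; the visible bind rules (`corenet_tcp_bind_zebra_port(zebra_t)` in the following hunk) are consistent with that, but whether any protocol daemon sharing zebra_t needs a port below 1024 cannot be determined from the hunk, and `net_admin`/`net_raw` are kept, so this is a deliberate narrowing that deserves a recorded rationale. A one-line comment on the capability rule would make the tightening auditable, e.g. `# no privileged ports are bound from zebra_t; net_bind_service intentionally omitted`. The two other zebra.te hunks (this one and `@@ -69,7 +70,6 @@` on the next line) only move corenet_non_ipsec_sendrecv earlier in the block.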
@@ -69,7 +70,6 @@ corenet_udp_sendrecv_all_nodes(zebra_t)
 corenet_raw_sendrecv_all_nodes(zebra_t)
 corenet_tcp_sendrecv_all_ports(zebra_t)
 corenet_udp_sendrecv_all_ports(zebra_t)
-corenet_non_ipsec_sendrecv(zebra_t)
 corenet_tcp_bind_all_nodes(zebra_t)
 corenet_udp_bind_all_nodes(zebra_t)
 corenet_tcp_bind_zebra_port(zebra_t)