diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 6d12e3f..1478299 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -30,6 +30,7 @@ allow hald_t self:unix_dgram_socket create_socket_perms;
 allow hald_t self:netlink_route_socket r_netlink_socket_perms;
 allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow hald_t self:tcp_socket create_stream_socket_perms;
+allow hald_t self:udp_socket create_socket_perms;
 # For backwards compatibility with older kernels
 allow hald_t self:netlink_socket create_socket_perms;
@@ -52,7 +53,9 @@ corenet_tcp_sendrecv_all_nodes(hald_t)
 corenet_udp_sendrecv_all_nodes(hald_t)
 corenet_raw_sendrecv_all_nodes(hald_t)
 corenet_tcp_sendrecv_all_ports(hald_t)
+corenet_udp_sendrecv_all_ports(hald_t)
 corenet_tcp_bind_all_nodes(hald_t)
+corenet_udp_bind_all_nodes(hald_t)
 dev_read_sysfs(hald_t)
 dev_rw_usbfs(hald_t)
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index f8169bd..d24fa6c 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@@ -169,6 +169,7 @@ optional_policy(`rhgb.te',`
 allow inetd_child_t self:process signal_perms;
 allow inetd_child_t self:fifo_file rw_file_perms;
 allow inetd_child_t self:tcp_socket { listen accept connected_socket_perms };
+allow inetd_child_t self:udp_socket connected_socket_perms;
 # for identd
 allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
@@ -197,6 +198,7 @@ corenet_raw_sendrecv_all_nodes(inetd_child_t)
 corenet_tcp_sendrecv_all_ports(inetd_child_t)
 corenet_udp_sendrecv_all_ports(inetd_child_t)
 corenet_tcp_bind_all_nodes(inetd_child_t)
+corenet_udp_bind_all_nodes(inetd_child_t)
 dev_read_urand(inetd_child_t)
diff --git a/refpolicy/policy/modules/services/kerberos.te b/refpolicy/policy/modules/services/kerberos.te
index 6701465..1bc3da6 100644
--- a/refpolicy/policy/modules/services/kerberos.te
+++ b/refpolicy/policy/modules/services/kerberos.te
@@ -85,11 +85,15 @@ kernel_list_proc(kadmind_t)
 kernel_read_proc_symlinks(kadmind_t)
 corenet_tcp_sendrecv_all_if(kadmind_t)
+corenet_udp_sendrecv_all_if(kadmind_t)
 corenet_raw_sendrecv_all_if(kadmind_t)
 corenet_tcp_sendrecv_all_nodes(kadmind_t)
+corenet_udp_sendrecv_all_nodes(kadmind_t)
 corenet_raw_sendrecv_all_nodes(kadmind_t)
 corenet_tcp_sendrecv_all_ports(kadmind_t)
+corenet_udp_sendrecv_all_ports(kadmind_t)
 corenet_tcp_bind_all_nodes(kadmind_t)
+corenet_udp_bind_all_nodes(kadmind_t)
 corenet_tcp_bind_kerberos_admin_port(kadmind_t)
 corenet_udp_bind_kerberos_admin_port(kadmind_t)
 corenet_tcp_bind_reserved_port(kadmind_t)
@@ -186,11 +190,15 @@ kernel_list_proc(krb5kdc_t)
 kernel_read_proc_symlinks(krb5kdc_t)
 corenet_tcp_sendrecv_all_if(krb5kdc_t)
+corenet_udp_sendrecv_all_if(krb5kdc_t)
 corenet_raw_sendrecv_all_if(krb5kdc_t)
 corenet_tcp_sendrecv_all_nodes(krb5kdc_t)
+corenet_udp_sendrecv_all_nodes(krb5kdc_t)
 corenet_raw_sendrecv_all_nodes(krb5kdc_t)
 corenet_tcp_sendrecv_all_ports(krb5kdc_t)
+corenet_udp_sendrecv_all_ports(krb5kdc_t)
 corenet_tcp_bind_all_nodes(krb5kdc_t)
+corenet_udp_bind_all_nodes(krb5kdc_t)
 corenet_tcp_bind_kerberos_port(krb5kdc_t)
 corenet_udp_bind_kerberos_port(krb5kdc_t)
diff --git a/refpolicy/policy/modules/services/ktalk.te b/refpolicy/policy/modules/services/ktalk.te
index 48af1d1..baeff9f 100644
--- a/refpolicy/policy/modules/services/ktalk.te
+++ b/refpolicy/policy/modules/services/ktalk.te
@@ -25,6 +25,7 @@ files_pid_file(ktalkd_var_run_t)
 allow ktalkd_t self:process signal_perms;
 allow ktalkd_t self:fifo_file rw_file_perms;
 allow ktalkd_t self:tcp_socket connected_stream_socket_perms;
+allow ktalkd_t self:udp_socket connected_socket_perms;
 # for identd
 # cjp: this should probably only be inetd_child rules?
 allow ktalkd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
@@ -49,11 +50,15 @@ kernel_read_system_state(ktalkd_t)
 kernel_read_network_state(ktalkd_t)
 corenet_tcp_sendrecv_all_if(ktalkd_t)
+corenet_udp_sendrecv_all_if(ktalkd_t)
 corenet_raw_sendrecv_all_if(ktalkd_t)
 corenet_tcp_sendrecv_all_nodes(ktalkd_t)
+corenet_udp_sendrecv_all_nodes(ktalkd_t)
 corenet_raw_sendrecv_all_nodes(ktalkd_t)
-corenet_tcp_bind_all_nodes(ktalkd_t)
 corenet_tcp_sendrecv_all_ports(ktalkd_t)
+corenet_udp_sendrecv_all_ports(ktalkd_t)
+corenet_tcp_bind_all_nodes(ktalkd_t)
+corenet_udp_bind_all_nodes(ktalkd_t)
 dev_read_urand(ktalkd_t)
diff --git a/refpolicy/policy/modules/services/rsync.te b/refpolicy/policy/modules/services/rsync.te
index aa54016..1ab1ea0 100644
--- a/refpolicy/policy/modules/services/rsync.te
+++ b/refpolicy/policy/modules/services/rsync.te
@@ -30,6 +30,7 @@ allow rsync_t self:capability sys_chroot;
 allow rsync_t self:process signal_perms;
 allow rsync_t self:fifo_file rw_file_perms;
 allow rsync_t self:tcp_socket { listen accept connected_socket_perms };
+allow rsync_t self:udp_socket connected_socket_perms;
 # for identd
 # cjp: this should probably only be inetd_child_t rules?
@@ -54,11 +55,15 @@ kernel_read_system_state(rsync_t)
 kernel_read_network_state(rsync_t)
 corenet_tcp_sendrecv_all_if(rsync_t)
+corenet_udp_sendrecv_all_if(rsync_t)
 corenet_raw_sendrecv_all_if(rsync_t)
 corenet_tcp_sendrecv_all_nodes(rsync_t)
+corenet_udp_sendrecv_all_nodes(rsync_t)
 corenet_raw_sendrecv_all_nodes(rsync_t)
 corenet_tcp_sendrecv_all_ports(rsync_t)
+corenet_udp_sendrecv_all_ports(rsync_t)
 corenet_tcp_bind_all_nodes(rsync_t)
+corenet_udp_bind_all_nodes(rsync_t)
 dev_read_urand(rsync_t)
diff --git a/refpolicy/policy/modules/services/snmp.te b/refpolicy/policy/modules/services/snmp.te
index 9505b71..3149ccc 100644
--- a/refpolicy/policy/modules/services/snmp.te
+++ b/refpolicy/policy/modules/services/snmp.te
@@ -30,6 +30,7 @@ allow snmpd_t self:fifo_file rw_file_perms;
 allow snmpd_t self:unix_dgram_socket create_socket_perms;
 allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
 allow snmpd_t self:tcp_socket create_stream_socket_perms;
+allow snmpd_t self:udp_socket connected_stream_socket_perms;
 allow snmpd_t snmpd_etc_t:file { getattr read };
@@ -55,11 +56,15 @@ kernel_read_network_state(snmpd_t)
 kernel_tcp_recvfrom(snmpd_t)
 corenet_tcp_sendrecv_all_if(snmpd_t)
+corenet_udp_sendrecv_all_if(snmpd_t)
 corenet_raw_sendrecv_all_if(snmpd_t)
 corenet_tcp_sendrecv_all_nodes(snmpd_t)
+corenet_udp_sendrecv_all_nodes(snmpd_t)
 corenet_raw_sendrecv_all_nodes(snmpd_t)
 corenet_tcp_sendrecv_all_ports(snmpd_t)
+corenet_udp_sendrecv_all_ports(snmpd_t)
 corenet_tcp_bind_all_nodes(snmpd_t)
+corenet_udp_bind_all_nodes(snmpd_t)
 corenet_tcp_bind_snmp_port(snmpd_t)
 corenet_udp_bind_snmp_port(snmpd_t)
diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te
index dd8b86d..a97532e 100644
--- a/refpolicy/policy/modules/services/spamassassin.te
+++ b/refpolicy/policy/modules/services/spamassassin.te
@@ -65,9 +65,10 @@ corenet_raw_sendrecv_all_if(spamd_t)
 corenet_tcp_sendrecv_all_nodes(spamd_t)
 corenet_udp_sendrecv_all_nodes(spamd_t)
 corenet_raw_sendrecv_all_nodes(spamd_t)
+corenet_tcp_sendrecv_all_ports(spamd_t)
+corenet_udp_sendrecv_all_ports(spamd_t)
 corenet_tcp_bind_all_nodes(spamd_t)
 corenet_udp_bind_all_nodes(spamd_t)
-corenet_tcp_sendrecv_all_ports(spamd_t)
 corenet_tcp_bind_spamd_port(spamd_t)
 dev_read_sysfs(spamd_t)
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index db79172..1f1a6c8 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
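Review bot: The new rule `allow snmpd_t self:udp_socket connected_stream_socket_perms;` in the first snmp.te hunk applies a stream permission set to a datagram socket class, which is inconsistent with the rest of this commit — hald_t gets `create_socket_perms` and the inetd-spawned domains (inetd_child_t, ktalkd_t, rsync_t) get `connected_socket_perms` for the same class. As I read refpolicy's permission-set macros, the stream variant adds listen/accept, which have no meaning for UDP, while leaving out connect, which a daemon that creates and binds its own UDP socket (see `corenet_udp_bind_snmp_port(snmpd_t)` in the second hunk) may need; I would change the line to `allow snmpd_t self:udp_socket create_socket_perms;`, matching the hald_t rule. Confirm against the perm-set macro definitions, which are not part of this diff, before applying.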
@@ -176,6 +176,10 @@ optional_policy(`authlogin.te',`
 	auth_rw_login_records(init_t)
 ')
+optional_policy(`nscd.te',`
+	nscd_use_socket(init_t)
+')
+
 optional_policy(`portmap.te',`
 	portmap_udp_sendto(init_t)
 ')