diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in
index 8a32138..48737a5 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.te.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.te.in
@@ -46,7 +46,7 @@ network_port(amavisd_recv, tcp,10024,s0)
 network_port(amavisd_send, tcp,10025,s0)
 network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
 network_port(auth, tcp,113,s0)
-type biff_port_t, port_type; dnl network_port(biff) # no defined portcon in current strict
+type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
 network_port(clamd, tcp,3310,s0)
 network_port(clockspeed, udp,4041,s0)
 network_port(comsat, udp,512,s0)
diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te
index b78a809..90744c4 100644
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@@ -43,6 +43,7 @@ fs_associate_tmpfs(apm_bios_t)
 type cardmgr_dev_t, device_node;
 fs_associate(cardmgr_dev_t)
 fs_associate_tmpfs(cardmgr_dev_t)
+files_tmp_file(cardmgr_dev_t)
 
 #
 # clock_device_t is the type of
diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te
index 70f615d..206b873 100644
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ b/refpolicy/policy/modules/kernel/filesystem.te
@@ -53,9 +53,11 @@ allow configfs_t self:filesystem associate;
 genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
 
 type eventpollfs_t, filesystem_type;
+allow eventpollfs_t self:filesystem associate;
 genfscon eventpollfs / gen_context(system_u:object_r:eventpollfs_t,s0)
 
 type futexfs_t, filesystem_type;
+allow futexfs_t self:filesystem associate;
 genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
 
 type hugetlbfs_t, filesystem_type;
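Review bot: The `dnl`-disabled `network_port(biff)` and its `# no defined portcon in current strict` comment no longer explain the new `reserved_port_type` attribute on `biff_port_t`; a reader cannot tell from this line why a type with no portcon is marked reserved. With no portcon the attribute grants nothing by itself, but any domain given bind/connect rules over `reserved_port_type` will pick up `biff_port_t` the moment a portcon is added, so the intent belongs in the comment. Presumably biff is the same low-numbered service as the `comsat` 512/udp port two lines below, which would justify the attribute; I'd extend the comment to `# biff is a low (<1024) port, keep reserved_port_type; no defined portcon in current strict` once that is confirmed.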
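Review bot: `files_tmp_file(cardmgr_dev_t)` gives a device-node type the tmp-file attribute without a comment saying why, and the effect is wider than the line suggests: every interface that grants rights over all tmp-file types (tmp purging and cleanup domains, for example) now reaches these device nodes as well. Presumably cardmgr creates its nodes under /tmp so they must be labelable and cleanable there, but nothing in the hunk shows that. I'd add `# cardmgr creates device nodes in /tmp, so they must also be a tmp file type` above the new line, after confirming the location, so the widening is deliberate and reviewable.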
@@ -68,6 +70,7 @@ allow inotifyfs_t self:filesystem associate;
 genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
 
 type nfsd_fs_t, filesystem_type;
+allow nfsd_fs_t self:filesystem associate;
 genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
 
 type ramfs_t, filesystem_type;
@@ -80,6 +83,7 @@ genfscon romfs / gen_context(system_u:object_r:romfs_t,s0)
 genfscon cramfs / gen_context(system_u:object_r:romfs_t,s0)
 
 type rpc_pipefs_t, filesystem_type;
+allow rpc_pipefs_t self:filesystem associate;
 genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0)
 
 #
@@ -144,6 +148,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
 #
 type removable_t, filesystem_type, noxattrfs;
 allow removable_t noxattrfs:filesystem associate;
+files_type(removable_t)
 
 #
 # nfs_t is the default type for NFS file systems
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index e553590..bfed2fb 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -221,6 +221,10 @@ ifdef(`targeted_policy',`
 unconfined_domain_template(kernel_t)
 ')
 
+optional_policy(`nis.te',`
+ nis_use_ypbind(kernel_t)
+')
+
 optional_policy(`rpc.te',`
 # nfs kernel server needs kernel UDP access. It is less risky and painful
 # to just give it everything.
diff --git a/refpolicy/policy/modules/services/distcc.te b/refpolicy/policy/modules/services/distcc.te
index 6e8c316..c0d09d8 100644
--- a/refpolicy/policy/modules/services/distcc.te
+++ b/refpolicy/policy/modules/services/distcc.te
@@ -57,7 +57,7 @@ corenet_tcp_sendrecv_all_ports(distccd_t)
 corenet_udp_sendrecv_all_ports(distccd_t)
 corenet_tcp_bind_all_nodes(distccd_t)
 corenet_udp_bind_all_nodes(distccd_t)
-corenet_tcp_bind_distcc_port(distccd_t)
+corenet_tcp_bind_distccd_port(distccd_t)
 
 dev_read_sysfs(distccd_t)
 
diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te
index 8e5f692..8b8e950 100644
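Review bot: `files_type(removable_t)` pulls the entire contents of removable, non-xattr media under the generic file attribute, so every domain with broad rules keyed on that attribute (read-all/manage-all style interfaces, attribute-wide relabel rights) now reaches files on untrusted removable media; the hunk adds no comment for this. Because `removable_t` is `noxattrfs`, everything on such a filesystem carries this single type, so the widening is the whole medium rather than a few paths. I take `files_type()` to add the `file_type` attribute, but its body is not in this diff, so that should be confirmed. I'd record the reason next to the new line, e.g. `# removable media need the generic file attribute so file interfaces can reach them`, and check which attribute-wide consumers actually require it.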
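Review bot: The new `optional_policy(`nis.te',` block grants `kernel_t` NIS client access with no comment, unlike the neighbouring `rpc.te` block which spells out why the kernel needs UDP access. `nis_use_ypbind` generally means the domain may talk to ypbind and the NIS and portmap ports over the network, which is a notable widening for the kernel domain, so the reason (presumably user/group resolution for the in-kernel NFS server when accounts come from NIS) should be written down in the same style. I'd add inside the block `# kernel nfsd may need NIS lookups for user/group resolution -- confirm` before the `nis_use_ypbind(kernel_t)` line.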
--- a/refpolicy/policy/modules/system/getty.te
+++ b/refpolicy/policy/modules/system/getty.te
@@ -91,6 +91,10 @@ logging_send_syslog_msg(getty_t)
 miscfiles_read_localization(getty_t)
 
+optional_policy(`nscd.te',`
+ nscd_use_socket(getty_t)
+')
+
 optional_policy(`ppp.te',`
 ppp_domtrans(getty_t)
 ')
 
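Review bot: `nscd_use_socket(getty_t)` is added without a comment giving the reason getty needs name-service cache lookups; since getty is the root login front-end on every tty, each new socket it may connect to deserves an inline justification. Presumably this covers the host or user resolution getty performs while rendering /etc/issue or preparing the login prompt, but the hunk does not show it. I'd add `# getty does host/user lookups (e.g. for /etc/issue escapes) through nscd -- confirm` inside the new block, above `nscd_use_socket(getty_t)`.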