diff --git a/policy/modules/services/cachefilesd.te b/policy/modules/services/cachefilesd.te index 33faf8b..b3a0541 100644 --- a/policy/modules/services/cachefilesd.te +++ b/policy/modules/services/cachefilesd.te @@ -100,7 +100,7 @@ allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms; # Allow access to cache superstructure allow cachefilesd_t cachefiles_var_t:dir { rw_dir_perms delete_dir_perms }; -allow cachefilesd_t cachefiles_var_t:file { rename delete_file_perms}; +allow cachefilesd_t cachefiles_var_t:file { rename delete_file_perms }; # Permit statfs on the backing filesystem fs_getattr_xattr_fs(cachefilesd_t) diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te index 112dc77..8d7e14e 100644 --- a/policy/modules/services/ccs.te +++ b/policy/modules/services/ccs.te @@ -107,7 +107,7 @@ sysnet_dns_name_resolve(ccs_t) userdom_manage_unpriv_user_shared_mem(ccs_t) userdom_manage_unpriv_user_semaphores(ccs_t) -ifdef(`hide_broken_symptoms', ` +ifdef(`hide_broken_symptoms',` corecmd_dontaudit_write_bin_dirs(ccs_t) files_manage_isid_type_files(ccs_t) ') diff --git a/policy/modules/services/certmaster.te b/policy/modules/services/certmaster.te index 4aef864..dbfd0a6 100644 --- a/policy/modules/services/certmaster.te +++ b/policy/modules/services/certmaster.te @@ -43,12 +43,12 @@ files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir }) # log files manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t) -logging_log_filetrans(certmaster_t, certmaster_var_log_t, file ) +logging_log_filetrans(certmaster_t, certmaster_var_log_t, file) # pid file manage_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t) manage_sock_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t) -files_pid_filetrans(certmaster_t ,certmaster_var_run_t, { file sock_file }) +files_pid_filetrans(certmaster_t, certmaster_var_run_t, { file sock_file }) # read meminfo kernel_read_system_state(certmaster_t) diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te index 1a65b5e..1c87fb3 100644 --- a/policy/modules/services/certmonger.te +++ b/policy/modules/services/certmonger.te @@ -32,7 +32,7 @@ allow certmonger_t self:netlink_route_socket r_netlink_socket_perms; manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) -files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir } ) +files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir }) manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t) manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t) diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te index ae2656a..bf47a16 100644 --- a/policy/modules/services/clamav.te +++ b/policy/modules/services/clamav.te @@ -1,9 +1,9 @@ policy_module(clamav, 1.8.1) ## -##

-## Allow clamd to use JIT compiler -##

+##

+## Allow clamd to use JIT compiler +##

##
gen_tunable(clamd_use_jit, false) @@ -150,7 +150,7 @@ optional_policy(` tunable_policy(`clamd_use_jit',` allow clamd_t self:process execmem; allow clamscan_t self:process execmem; -', ` +',` dontaudit clamd_t self:process execmem; dontaudit clamscan_t self:process execmem; ') @@ -226,7 +226,7 @@ optional_policy(` tunable_policy(`clamd_use_jit',` allow freshclam_t self:process execmem; -', ` +',` dontaudit freshclam_t self:process execmem; ') diff --git a/policy/modules/services/clogd.te b/policy/modules/services/clogd.te index 6077339..b1edc92 100644 --- a/policy/modules/services/clogd.te +++ b/policy/modules/services/clogd.te @@ -23,7 +23,6 @@ files_pid_file(clogd_var_run_t) allow clogd_t self:capability { net_admin mknod }; allow clogd_t self:process signal; - allow clogd_t self:sem create_sem_perms; allow clogd_t self:shm create_shm_perms; allow clogd_t self:netlink_socket create_socket_perms; diff --git a/policy/modules/services/cmirrord.te b/policy/modules/services/cmirrord.te index bb7d429..9b581ae 100644 --- a/policy/modules/services/cmirrord.te +++ b/policy/modules/services/cmirrord.te @@ -1,4 +1,4 @@ -policy_module(cmirrord,1.0.0) +policy_module(cmirrord, 1.0.0) ######################################## # @@ -26,9 +26,7 @@ files_pid_file(cmirrord_var_run_t) allow cmirrord_t self:capability { net_admin kill }; dontaudit cmirrord_t self:capability sys_tty_config; allow cmirrord_t self:process signal; - allow cmirrord_t self:fifo_file rw_fifo_file_perms; - allow cmirrord_t self:sem create_sem_perms; allow cmirrord_t self:shm create_shm_perms; allow cmirrord_t self:netlink_socket create_socket_perms; @@ -51,5 +49,5 @@ logging_send_syslog_msg(cmirrord_t) miscfiles_read_localization(cmirrord_t) optional_policy(` - corosync_stream_connect(cmirrord_t) + corosync_stream_connect(cmirrord_t) ') diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te index 6a6d7d7..c4d678b 100644 --- a/policy/modules/services/cobbler.te +++ b/policy/modules/services/cobbler.te @@ -6,32 +6,32 @@ policy_module(cobbler, 1.1.0) # ## -##

-## Allow Cobbler to modify public files -## used for public file transfer services. -##

+##

+## Allow Cobbler to modify public files +## used for public file transfer services. +##

##
gen_tunable(cobbler_anon_write, false) - + ## -##

-## Allow Cobbler to connect to the -## network using TCP. -##

+##

+## Allow Cobbler to connect to the +## network using TCP. +##

##
gen_tunable(cobbler_can_network_connect, false) ## -##

-## Allow Cobbler to access cifs file systems. -##

+##

+## Allow Cobbler to access cifs file systems. +##

##
gen_tunable(cobbler_use_cifs, false) ## -##

-## Allow Cobbler to access nfs file systems. -##

+##

+## Allow Cobbler to access nfs file systems. +##

##
gen_tunable(cobbler_use_nfs, false) diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te index cc2058b..16c0746 100644 --- a/policy/modules/services/consolekit.te +++ b/policy/modules/services/consolekit.te @@ -113,7 +113,7 @@ optional_policy(` ') optional_policy(` - policykit_dbus_chat(consolekit_t) + policykit_dbus_chat(consolekit_t) policykit_domtrans_auth(consolekit_t) policykit_read_lib(consolekit_t) policykit_read_reload(consolekit_t) diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te index eb079a2..6dfdc3f 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -10,18 +10,18 @@ gen_require(` # ## -##

-## Allow system cron jobs to relabel filesystem -## for restoring file contexts. -##

+##

+## Allow system cron jobs to relabel filesystem +## for restoring file contexts. +##

##
gen_tunable(cron_can_relabel, false) ## -##

-## Enable extra rules in the cron domain -## to support fcron. -##

+##

+## Enable extra rules in the cron domain +## to support fcron. +##

##
gen_tunable(fcron_crond, false) @@ -138,7 +138,7 @@ selinux_compute_create_context(admin_crontab_t) selinux_compute_relabel_context(admin_crontab_t) selinux_compute_user_contexts(admin_crontab_t) -tunable_policy(`fcron_crond', ` +tunable_policy(`fcron_crond',` # fcron wants an instant update of a crontab change for the administrator # also crontab does a security check for crontab -u allow admin_crontab_t self:process setfscreate; @@ -251,7 +251,7 @@ ifdef(`distro_debian',` ') ') -ifdef(`distro_redhat', ` +ifdef(`distro_redhat',` # Run the rpm program in the rpm_t domain. Allow creation of RPM log files # via redirection of standard out. optional_policy(` @@ -268,8 +268,8 @@ optional_policy(` ') optional_policy(` - djbdns_search_tinydns_keys(crond_t) - djbdns_link_tinydns_keys(crond_t) + djbdns_search_tinydns_keys(crond_t) + djbdns_link_tinydns_keys(crond_t) ') optional_policy(` @@ -287,7 +287,7 @@ optional_policy(` mono_domtrans(crond_t) ') -tunable_policy(`fcron_crond', ` +tunable_policy(`fcron_crond',` allow crond_t system_cron_spool_t:file manage_file_perms; ') @@ -472,7 +472,7 @@ miscfiles_manage_man_pages(system_cronjob_t) seutil_read_config(system_cronjob_t) -ifdef(`distro_redhat', ` +ifdef(`distro_redhat',` # Run the rpm program in the rpm_t domain. Allow creation of RPM log files allow crond_t system_cron_spool_t:file manage_file_perms; @@ -687,7 +687,7 @@ read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) allow crond_t user_cron_spool_t:file manage_lnk_file_perms; -tunable_policy(`fcron_crond', ` +tunable_policy(`fcron_crond',` allow crond_t user_cron_spool_t:file manage_file_perms; ') diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te index 6160cea..4dd87b8 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -163,7 +163,7 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) allow cupsd_t hplip_var_run_t:file read_file_perms; stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) -allow cupsd_t ptal_var_run_t : sock_file setattr_sock_file_perms; +allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; kernel_read_system_state(cupsd_t) kernel_read_network_state(cupsd_t) @@ -657,7 +657,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) -files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file ) +files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file) manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) files_pid_filetrans(hplip_t, hplip_var_run_t, file) diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te index 9e8d14b..0216eb4 100644 --- a/policy/modules/services/cvs.te +++ b/policy/modules/services/cvs.te @@ -6,9 +6,9 @@ policy_module(cvs, 1.9.0) # ## -##

-## Allow cvs daemon to read shadow -##

+##

+## Allow cvs daemon to read shadow +##

##
gen_tunable(allow_cvs_read_shadow, false) diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index c725cae..d9416fc 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -152,7 +152,7 @@ optional_policy(` ') optional_policy(` - policykit_dbus_chat(system_dbusd_t) + policykit_dbus_chat(system_dbusd_t) policykit_domtrans_auth(system_dbusd_t) policykit_search_lib(system_dbusd_t) ') diff --git a/policy/modules/services/denyhosts.te b/policy/modules/services/denyhosts.te index d53ee7e..b10da2c 100644 --- a/policy/modules/services/denyhosts.te +++ b/policy/modules/services/denyhosts.te @@ -77,5 +77,5 @@ optional_policy(` ') optional_policy(` - gnome_dontaudit_search_config(denyhosts_t) + gnome_dontaudit_search_config(denyhosts_t) ') diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te index 6cee08f..58416a0 100644 --- a/policy/modules/services/devicekit.te +++ b/policy/modules/services/devicekit.te @@ -309,4 +309,3 @@ optional_policy(` optional_policy(` vbetool_domtrans(devicekit_power_t) ') - diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te index 64bc566..aff2296 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -164,8 +164,8 @@ optional_policy(` ') optional_policy(` - postfix_manage_private_sockets(dovecot_t) - postfix_search_spool(dovecot_t) + postfix_manage_private_sockets(dovecot_t) + postfix_search_spool(dovecot_t) ') optional_policy(` diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te index 6c819a3..18c3c33 100644 --- a/policy/modules/services/exim.te +++ b/policy/modules/services/exim.te @@ -6,24 +6,24 @@ policy_module(exim, 1.5.0) # ## -##

-## Allow exim to connect to databases (postgres, mysql) -##

+##

+## Allow exim to connect to databases (postgres, mysql) +##

##
gen_tunable(exim_can_connect_db, false) ## -##

-## Allow exim to read unprivileged user files. -##

+##

+## Allow exim to read unprivileged user files. +##

##
gen_tunable(exim_read_user_files, false) ## -##

-## Allow exim to create, read, write, and delete -## unprivileged user files. -##

+##

+## Allow exim to create, read, write, and delete +## unprivileged user files. +##

##
gen_tunable(exim_manage_user_files, false) @@ -174,7 +174,7 @@ optional_policy(` ') optional_policy(` - nagios_search_spool(exim_t) + nagios_search_spool(exim_t) ') optional_policy(` diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te index e09b9df..7c5bf19 100644 --- a/policy/modules/services/fail2ban.te +++ b/policy/modules/services/fail2ban.te @@ -94,7 +94,7 @@ optional_policy(` ') optional_policy(` - gnome_dontaudit_search_config(fail2ban_t) + gnome_dontaudit_search_config(fail2ban_t) ') optional_policy(` diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te index 6033c3b..37de4be 100644 --- a/policy/modules/services/ftp.te +++ b/policy/modules/services/ftp.te @@ -6,82 +6,82 @@ policy_module(ftp, 1.12.0) # ## -##

-## Allow ftp servers to upload files, used for public file -## transfer services. Directories must be labeled -## public_content_rw_t. -##

+##

+## Allow ftp servers to upload files, used for public file +## transfer services. Directories must be labeled +## public_content_rw_t. +##

##
gen_tunable(allow_ftpd_anon_write, false) ## -##

-## Allow ftp servers to login to local users and -## read/write all files on the system, governed by DAC. -##

+##

+## Allow ftp servers to login to local users and +## read/write all files on the system, governed by DAC. +##

##
gen_tunable(allow_ftpd_full_access, false) ## -##

-## Allow ftp servers to use cifs -## used for public file transfer services. -##

+##

+## Allow ftp servers to use cifs +## used for public file transfer services. +##

##
gen_tunable(allow_ftpd_use_cifs, false) ## -##

-## Allow ftp servers to use nfs -## used for public file transfer services. -##

+##

+## Allow ftp servers to use nfs +## used for public file transfer services. +##

##
gen_tunable(allow_ftpd_use_nfs, false) ## -##

-## Allow ftp servers to use connect to mysql database -##

+##

+## Allow ftp servers to use connect to mysql database +##

##
gen_tunable(ftpd_connect_db, false) ## -##

-## Allow ftp to read and write files in the user home directories -##

+##

+## Allow ftp to read and write files in the user home directories +##

##
gen_tunable(ftp_home_dir, false) ## -##

-## Allow anon internal-sftp to upload files, used for -## public file transfer services. Directories must be labeled -## public_content_rw_t. -##

+##

+## Allow anon internal-sftp to upload files, used for +## public file transfer services. Directories must be labeled +## public_content_rw_t. +##

##
gen_tunable(sftpd_anon_write, false) ## -##

-## Allow sftp-internal to read and write files -## in the user home directories -##

+##

+## Allow sftp-internal to read and write files +## in the user home directories +##

##
gen_tunable(sftpd_enable_homedirs, false) ## -##

-## Allow sftp-internal to login to local users and -## read/write all files on the system, governed by DAC. -##

+##

+## Allow sftp-internal to login to local users and +## read/write all files on the system, governed by DAC. +##

##
gen_tunable(sftpd_full_access, false) ## -##

-## Allow interlnal-sftp to read and write files -## in the user ssh home directories. -##

+##

+## Allow interlnal-sftp to read and write files +## in the user ssh home directories. +##

##
gen_tunable(sftpd_write_ssh_home, false) @@ -181,7 +181,7 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) -files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} ) +files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir }) # proftpd requires the client side to bind a socket so that # it can stat the socket to perform access control decisions, @@ -291,10 +291,10 @@ tunable_policy(`ftp_home_dir',` userdom_manage_user_home_content(ftpd_t) userdom_manage_user_tmp_files(ftpd_t) userdom_tmp_filetrans_user_tmp(ftpd_t, file) -', ` - # Needed for permissive mode, to make sure everything gets labeled correctly - userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file }) - files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir }) +',` + # Needed for permissive mode, to make sure everything gets labeled correctly + userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file }) + files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir }) ') tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` @@ -400,6 +400,7 @@ userdom_use_user_terminals(ftpdctl_t) # # sftpd local policy # + files_read_etc_files(sftpd_t) # allow read access to /home by default @@ -408,13 +409,13 @@ userdom_read_user_home_content_symlinks(sftpd_t) userdom_dontaudit_list_admin_dir(sftpd_t) tunable_policy(`sftpd_full_access',` - allow sftpd_t self:capability { dac_override dac_read_search }; - fs_read_noxattr_fs_files(sftpd_t) - auth_manage_all_files_except_shadow(sftpd_t) + allow sftpd_t self:capability { dac_override dac_read_search }; + fs_read_noxattr_fs_files(sftpd_t) + auth_manage_all_files_except_shadow(sftpd_t) ') tunable_policy(`sftpd_write_ssh_home',` - ssh_manage_home_files(sftpd_t) + ssh_manage_home_files(sftpd_t) ') tunable_policy(`sftpd_enable_homedirs',` @@ -424,9 +425,9 @@ tunable_policy(`sftpd_enable_homedirs',` files_list_home(sftpd_t) userdom_read_user_home_content_files(sftpd_t) userdom_manage_user_home_content(sftpd_t) -', ` - # Needed for permissive mode, to make sure everything gets labeled correctly - userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file }) +',` + # Needed for permissive mode, to make sure everything gets labeled correctly + userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file }) ') tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te index cf17085..cebb167 100644 --- a/policy/modules/services/git.te +++ b/policy/modules/services/git.te @@ -1,23 +1,23 @@ policy_module(git, 1.0.3) ## -##

-## Allow Git daemon system to search home directories. -##

+##

+## Allow Git daemon system to search home directories. +##

##
gen_tunable(git_system_enable_homedirs, false) ## -##

-## Allow Git daemon system to access cifs file systems. -##

+##

+## Allow Git daemon system to access cifs file systems. +##

##
gen_tunable(git_system_use_cifs, false) ## -##

-## Allow Git daemon system to access nfs file systems. -##

+##

+## Allow Git daemon system to access nfs file systems. +##

##
gen_tunable(git_system_use_nfs, false) @@ -51,10 +51,10 @@ typealias git_system_content_t alias git_data_t; # ## -##

-## Allow Git daemon session to bind -## tcp sockets to all unreserved ports. -##

+##

+## Allow Git daemon session to bind +## tcp sockets to all unreserved ports. +##

##
gen_tunable(git_session_bind_all_unreserved_ports, false) @@ -119,26 +119,26 @@ list_dirs_pattern(git_system_t, git_content, git_content) read_files_pattern(git_system_t, git_content, git_content) files_search_var_lib(git_system_t) -tunable_policy(`git_system_enable_homedirs', ` +tunable_policy(`git_system_enable_homedirs',` userdom_search_user_home_dirs(git_system_t) ') -tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs', ` +tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',` fs_list_nfs(git_system_t) fs_read_nfs_files(git_system_t) ') -tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs', ` +tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',` fs_list_cifs(git_system_t) fs_read_cifs_files(git_system_t) ') -tunable_policy(`git_system_use_cifs', ` +tunable_policy(`git_system_use_cifs',` fs_list_cifs(git_system_t) fs_read_cifs_files(git_system_t) ') -tunable_policy(`git_system_use_nfs', ` +tunable_policy(`git_system_use_nfs',` fs_list_nfs(git_system_t) fs_read_nfs_files(git_system_t) ') @@ -156,17 +156,17 @@ userdom_search_user_home_dirs(git_session_t) userdom_use_user_terminals(git_session_t) -tunable_policy(`git_session_bind_all_unreserved_ports', ` +tunable_policy(`git_session_bind_all_unreserved_ports',` corenet_tcp_bind_all_unreserved_ports(git_session_t) corenet_sendrecv_generic_server_packets(git_session_t) ') -tunable_policy(`use_nfs_home_dirs', ` +tunable_policy(`use_nfs_home_dirs',` fs_list_nfs(git_session_t) fs_read_nfs_files(git_session_t) ') -tunable_policy(`use_samba_home_dirs', ` +tunable_policy(`use_samba_home_dirs',` fs_list_cifs(git_session_t) fs_read_cifs_files(git_session_t) ') @@ -189,4 +189,3 @@ optional_policy(` git_role_template(git_shell) gen_user(git_shell_u, user, git_shell_r, s0, s0) - diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te index e72b063..b3fdcd5 100644 --- a/policy/modules/services/hal.te +++ b/policy/modules/services/hal.te @@ -316,7 +316,7 @@ optional_policy(` ') optional_policy(` - policykit_dbus_chat(hald_t) + policykit_dbus_chat(hald_t) policykit_domtrans_auth(hald_t) policykit_domtrans_resolve(hald_t) policykit_read_lib(hald_t) @@ -333,7 +333,7 @@ optional_policy(` optional_policy(` shutdown_domtrans(hald_t) -') +') optional_policy(` udev_domtrans(hald_t) @@ -411,7 +411,7 @@ logging_send_syslog_msg(hald_acl_t) miscfiles_read_localization(hald_acl_t) optional_policy(` - policykit_dbus_chat(hald_acl_t) + policykit_dbus_chat(hald_acl_t) policykit_domtrans_auth(hald_acl_t) policykit_read_lib(hald_acl_t) policykit_read_reload(hald_acl_t) @@ -493,7 +493,7 @@ files_read_usr_files(hald_keymap_t) miscfiles_read_localization(hald_keymap_t) -# This is caused by a bug in hald and PolicyKit. +# This is caused by a bug in hald and PolicyKit. # Should be removed when this is fixed cron_read_system_job_lib_files(hald_t) diff --git a/policy/modules/services/hddtemp.te b/policy/modules/services/hddtemp.te index 267bb4c..1647fc4 100644 --- a/policy/modules/services/hddtemp.te +++ b/policy/modules/services/hddtemp.te @@ -46,4 +46,3 @@ storage_raw_read_fixed_disk(hddtemp_t) logging_send_syslog_msg(hddtemp_t) miscfiles_read_localization(hddtemp_t) - diff --git a/policy/modules/services/icecast.te b/policy/modules/services/icecast.te index 80befb0..6bf7cc3 100644 --- a/policy/modules/services/icecast.te +++ b/policy/modules/services/icecast.te @@ -6,10 +6,10 @@ policy_module(icecast, 1.0.1) # ## -##

-## Allow icecast to connect to all ports, not just -## sound ports. -##

+##

+## Allow icecast to connect to all ports, not just +## sound ports. +##

##
gen_tunable(icecast_connect_any, false) @@ -39,7 +39,7 @@ allow icecast_t self:tcp_socket create_stream_socket_perms; manage_dirs_pattern(icecast_t, icecast_log_t, icecast_log_t) manage_files_pattern(icecast_t, icecast_log_t, icecast_log_t) -logging_log_filetrans(icecast_t, icecast_log_t, { file dir } ) +logging_log_filetrans(icecast_t, icecast_log_t, { file dir }) manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t) manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t) diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te index 61ea05e..dc7dd01 100644 --- a/policy/modules/services/inn.te +++ b/policy/modules/services/inn.te @@ -4,6 +4,7 @@ policy_module(inn, 1.9.0) # # Declarations # + type innd_t; type innd_exec_t; init_daemon_domain(innd_t, innd_exec_t) @@ -30,6 +31,7 @@ files_mountpoint(news_spool_t) # # Local policy # + allow innd_t self:capability { dac_override kill setgid setuid }; dontaudit innd_t self:capability sys_tty_config; allow innd_t self:process { setsched signal_perms }; diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te index 975bbcd..5f8840f 100644 --- a/policy/modules/services/jabber.te +++ b/policy/modules/services/jabber.te @@ -1,4 +1,3 @@ - policy_module(jabber, 1.8.0) ######################################## @@ -84,7 +83,7 @@ corenet_tcp_bind_jabber_router_port(jabberd_router_t) corenet_sendrecv_jabber_router_server_packets(jabberd_router_t) optional_policy(` - kerberos_use(jabberd_router_t) + kerberos_use(jabberd_router_t) ') ######################################## diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te index 4e39714..744e7d6 100644 --- a/policy/modules/services/kerberos.te +++ b/policy/modules/services/kerberos.te @@ -6,9 +6,9 @@ policy_module(kerberos, 1.11.0) # ## -##

-## Allow confined applications to run with kerberos. -##

+##

+## Allow confined applications to run with kerberos. +##

##
gen_tunable(allow_kerberos, false) diff --git a/policy/modules/services/ksmtuned.te b/policy/modules/services/ksmtuned.te index ffe035c..01adbed 100644 --- a/policy/modules/services/ksmtuned.te +++ b/policy/modules/services/ksmtuned.te @@ -49,4 +49,3 @@ mls_file_read_to_clearance(ksmtuned_t) term_use_all_terms(ksmtuned_t) miscfiles_read_localization(ksmtuned_t) - diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te index ee5e345..10c2d54 100644 --- a/policy/modules/services/ldap.te +++ b/policy/modules/services/ldap.te @@ -82,7 +82,7 @@ manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t) files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir }) manage_files_pattern(slapd_t, slapd_tmpfs_t, slapd_tmpfs_t) -fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t,file) +fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t, file) manage_dirs_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te index 2727020..1887c50 100644 --- a/policy/modules/services/lpd.te +++ b/policy/modules/services/lpd.te @@ -6,9 +6,9 @@ policy_module(lpd, 1.12.0) # ## -##

-## Use lpd server instead of cups -##

+##

+## Use lpd server instead of cups +##

##
gen_tunable(use_lpd_server, false) diff --git a/policy/modules/services/milter.te b/policy/modules/services/milter.te index 6ba48ff..f42a489 100644 --- a/policy/modules/services/milter.te +++ b/policy/modules/services/milter.te @@ -33,7 +33,6 @@ files_type(spamass_milter_state_t) # allow dkim_milter_t self:capability { kill setgid setuid }; - allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms; read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t) @@ -47,8 +46,8 @@ mta_read_config(dkim_milter_t) ######################################## # # milter-greylist local policy -# ensure smtp clients retry mail like real MTAs and not spamware -# http://hcpnet.free.fr/milter-greylist/ +# ensure smtp clients retry mail like real MTAs and not spamware +# http://hcpnet.free.fr/milter-greylist/ # # It removes any existing socket (not owned by root) whilst running as root, @@ -76,8 +75,8 @@ mta_read_config(greylist_milter_t) ######################################## # # milter-regex local policy -# filter emails using regular expressions -# http://www.benzedrine.cx/milter-regex.html +# filter emails using regular expressions +# http://www.benzedrine.cx/milter-regex.html # # It removes any existing socket (not owned by root) whilst running as root @@ -96,8 +95,8 @@ mta_read_config(regex_milter_t) ######################################## # # spamass-milter local policy -# pipe emails through SpamAssassin -# http://savannah.nongnu.org/projects/spamass-milt/ +# pipe emails through SpamAssassin +# http://savannah.nongnu.org/projects/spamass-milt/ # # The milter runs from /var/lib/spamass-milter diff --git a/policy/modules/services/mock.te b/policy/modules/services/mock.te index 6f8fda5..b05a9cd 100644 --- a/policy/modules/services/mock.te +++ b/policy/modules/services/mock.te @@ -27,6 +27,7 @@ files_type(mock_var_lib_t) # # mock local policy # + allow mock_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner }; allow mock_t self:process { siginh noatsecure signull transition rlimitinh setsched setpgid sigkill }; dontaudit mock_t self:process { siginh noatsecure rlimitinh }; @@ -40,14 +41,14 @@ files_var_filetrans(mock_t, mock_cache_t, { dir file } ) manage_dirs_pattern(mock_t, mock_tmp_t, mock_tmp_t) manage_files_pattern(mock_t, mock_tmp_t, mock_tmp_t) -files_tmp_filetrans(mock_t, mock_tmp_t, { dir file } ) +files_tmp_filetrans(mock_t, mock_tmp_t, { dir file }) can_exec(mock_t, mock_tmp_t) manage_dirs_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) manage_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) manage_lnk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) manage_chr_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) -files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file } ) +files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file }) can_exec(mock_t, mock_var_lib_t) allow mock_t mock_var_lib_t:dir mounton; diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te index 71464f6..84bc8bb 100644 --- a/policy/modules/services/mpd.te +++ b/policy/modules/services/mpd.te @@ -1,4 +1,4 @@ -policy_module(mpd,1.0.0) +policy_module(mpd, 1.0.0) ######################################## # @@ -41,7 +41,6 @@ files_type(mpd_var_lib_t) #cjp: dac_override bug in mpd relating to mpd.log file allow mpd_t self:capability { dac_override kill setgid setuid }; allow mpd_t self:process { getsched setsched setrlimit signal signull }; - allow mpd_t self:fifo_file rw_fifo_file_perms; allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow mpd_t self:tcp_socket create_stream_socket_perms; @@ -102,10 +101,10 @@ optional_policy(` optional_policy(` pulseaudio_exec(mpd_t) - pulseaudio_stream_connect(mpd_t) - pulseaudio_signull(mpd_t) + pulseaudio_stream_connect(mpd_t) + pulseaudio_signull(mpd_t) ') optional_policy(` - udev_read_db(mpd_t) + udev_read_db(mpd_t) ') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te index f99b9fc..36e64e9 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -93,7 +93,7 @@ optional_policy(` optional_policy(` arpwatch_manage_tmp_files(system_mail_t) - ifdef(`hide_broken_symptoms', ` + ifdef(`hide_broken_symptoms',` arpwatch_dontaudit_rw_packet_sockets(system_mail_t) ') ') @@ -194,7 +194,7 @@ optional_policy(` arpwatch_search_data(mailserver_delivery) arpwatch_manage_tmp_files(mta_user_agent) - ifdef(`hide_broken_symptoms', ` + ifdef(`hide_broken_symptoms',` arpwatch_dontaudit_rw_packet_sockets(mta_user_agent) ') @@ -314,8 +314,6 @@ kernel_read_system_state(user_mail_domain) kernel_read_network_state(user_mail_domain) kernel_request_load_module(user_mail_domain) - - optional_policy(` # postfix needs this for newaliases files_getattr_tmp_dirs(user_mail_domain) diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te index 13d365d..6f8b0fd 100644 --- a/policy/modules/services/munin.te +++ b/policy/modules/services/munin.te @@ -193,7 +193,7 @@ optional_policy(` # local policy for disk plugins # -allow munin_disk_plugin_t self:capability { sys_admin sys_rawio }; +allow munin_disk_plugin_t self:capability { sys_admin sys_rawio }; allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te index 5e96c0a..ac63be9 100644 --- a/policy/modules/services/mysql.te +++ b/policy/modules/services/mysql.te @@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0) # ## -##

-## Allow mysqld to connect to all ports -##

+##

+## Allow mysqld to connect to all ports +##

##
gen_tunable(mysql_connect_any, false) diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te index 1029389..61a3920 100644 --- a/policy/modules/services/nagios.te +++ b/policy/modules/services/nagios.te @@ -141,6 +141,7 @@ optional_policy(` # # Nagios CGI local policy # + optional_policy(` apache_content_template(nagios) typealias httpd_nagios_script_t alias nagios_cgi_t; @@ -268,7 +269,6 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) # allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; - allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms; allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms; allow nagios_mail_plugin_t self:udp_socket create_socket_perms; @@ -321,7 +321,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) allow nagios_services_plugin_t self:capability { net_bind_service net_raw }; allow nagios_services_plugin_t self:process { signal sigkill }; - allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms; allow nagios_services_plugin_t self:udp_socket create_socket_perms; diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te index 6a174f5..6b54db7 100644 --- a/policy/modules/services/nscd.te +++ b/policy/modules/services/nscd.te @@ -5,9 +5,9 @@ gen_require(` ') ## -##

-## Allow confined applications to use nscd shared memory. -##

+##

+## Allow confined applications to use nscd shared memory. +##

##
gen_tunable(nscd_use_shm, false) @@ -146,6 +146,7 @@ optional_policy(` samba_append_log(nscd_t) samba_dontaudit_use_fds(nscd_t) ') + samba_read_config(nscd_t) samba_read_var_files(nscd_t) ')