diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
index 89935be..84732e5 100644
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
@@ -131,6 +131,7 @@ interface(`samba_run_net',`
 ##	The role to be allowed the samba_net domain.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 template(`samba_role_notrans',`
 	gen_require(`
@@ -483,15 +484,14 @@ interface(`samba_manage_var_files',`
 ##	Execute a domain transition to run smbcontrol.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`samba_domtrans_smbcontrol',`
 	gen_require(`
-		type smbcontrol_t;
-		type smbcontrol_exec_t;
+		type smbcontrol_t, smbcontrol_exec_t;
 	')
 
 	domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t)
@@ -721,7 +721,9 @@ interface(`samba_stream_connect_winbind',`
 template(`samba_helper_template',`
 	gen_require(`
 		type smbd_t;
+		role system_r;
 	')
+
 	#This type is for samba helper scripts
 	type samba_$1_script_t;
 	domain_type(samba_$1_script_t)
@@ -734,7 +736,6 @@ template(`samba_helper_template',`
 
 	domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t)
 	allow smbd_t samba_$1_script_exec_t:file ioctl;
-
 ')
 
 ########################################
@@ -756,20 +757,12 @@ template(`samba_helper_template',`
 #
 interface(`samba_admin',`
 	gen_require(`
-		type nmbd_t, nmbd_var_run_t;
-		type smbd_t, smbd_tmp_t;
-		type smbd_var_run_t;
-		type samba_initrc_exec_t;
-
-		type samba_log_t, samba_var_t;
-		type samba_etc_t, samba_share_t;
-		type samba_secrets_t;
-
+		type nmbd_t, nmbd_var_run_t, smbd_var_run_t;
+		type smbd_t, smbd_tmp_t, samba_secrets_t;
+		type samba_initrc_exec_t, samba_log_t, samba_var_t;
+		type samba_etc_t, samba_share_t, winbind_log_t;
 		type swat_var_run_t, swat_tmp_t;
-
 		type winbind_var_run_t, winbind_tmp_t;
-		type winbind_log_t;
-
 		type samba_unconfined_script_t, samba_unconfined_script_exec_t;
 	')
 
@@ -779,9 +772,9 @@ interface(`samba_admin',`
 	allow $1 nmbd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, nmbd_t)
 
-	allow $1 samba_unconfined_script_t:process { ptrace signal_perms getattr };
-	read_files_pattern($1, samba_unconfined_script_t, samba_unconfined_script_t)
-	        
+	allow $1 samba_unconfined_script_t:process { ptrace signal_perms };
+	ps_process_pattern($1, samba_unconfined_script_t)
+
 	samba_run_smbcontrol($1, $2, $3)
 	samba_run_winbind_helper($1, $2, $3)
 	samba_run_smbmount($1, $2, $3)
diff --git a/policy/modules/services/sasl.if b/policy/modules/services/sasl.if
index f1aea88..c3ffa9d 100644
--- a/policy/modules/services/sasl.if
+++ b/policy/modules/services/sasl.if
@@ -42,7 +42,7 @@ interface(`sasl_admin',`
 		type saslauthd_initrc_exec_t;
 	')
 
-	allow $1 saslauthd_t:process { ptrace signal_perms getattr };
+	allow $1 saslauthd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, saslauthd_t)
 
 	init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
diff --git a/policy/modules/services/sendmail.if b/policy/modules/services/sendmail.if
index 4f7eb51..cf9fdcd 100644
--- a/policy/modules/services/sendmail.if
+++ b/policy/modules/services/sendmail.if
@@ -51,10 +51,6 @@ interface(`sendmail_domtrans',`
 	')
 
 	mta_sendmail_domtrans($1, sendmail_t)
-
-	allow sendmail_t $1:fd use;
-	allow sendmail_t $1:fifo_file rw_file_perms;
-	allow sendmail_t $1:process sigchld;
 ')
 
 #######################################
@@ -62,17 +58,17 @@ interface(`sendmail_domtrans',`
 ##  Execute sendmail in the sendmail domain.
 ## </summary>
 ## <param name="domain">
-##  <summary>
-##  Domain allowed access.
-##  </summary>
+##	<summary>
+##	Domain allowed access.
+##	</summary>
 ## </param>
 #
-interface(`sendmail_initrc_domtrans', `
-    gen_require(`
-        type sendmail_initrc_exec_t;
-    ')
+interface(`sendmail_initrc_domtrans',`
+	gen_require(`
+		type sendmail_initrc_exec_t;
+	')
 
-    init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
+	init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
 ')
 
 ########################################
@@ -170,7 +166,7 @@ interface(`sendmail_rw_unix_stream_sockets',`
 		type sendmail_t;
 	')
 
-	allow $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
+	allow $1 sendmail_t:unix_stream_socket rw_socket_perms;
 ')
 
 ########################################
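Review bot: Replacing `{ getattr read write ioctl }` with `rw_socket_perms` in sendmail_rw_unix_stream_sockets is not permission-neutral if the macro expands as in upstream refpolicy, where it also carries setattr, append, bind, connect, getopt, setopt and shutdown. Every caller of the interface would silently gain those on sendmail_t's unix stream sockets. The same substitution recurs in sendmail_dontaudit_rw_unix_stream_sockets, where it suppresses more denials, and in squid_rw_stream_sockets, whose old set did not even include ioctl. If only a style cleanup is intended, keep the explicit set; otherwise record the intent next to the rule, e.g. `# rw_socket_perms is deliberately broader than the old { getattr read write ioctl }`. These interfaces begin outside their hunks.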
@@ -189,7 +185,7 @@ interface(`sendmail_dontaudit_rw_unix_stream_sockets',`
 		type sendmail_t;
 	')
 
-	dontaudit $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
+	dontaudit $1 sendmail_t:unix_stream_socket rw_socket_perms;
 ')
 
 ########################################
@@ -338,11 +334,11 @@ interface(`sendmail_admin',`
 		type mail_spool_t;
 	')
 
-	allow $1 sendmail_t:process { ptrace signal_perms getattr };
-	read_files_pattern($1, sendmail_t, sendmail_t)
+	allow $1 sendmail_t:process { ptrace signal_perms };
+	ps_process_pattern($1, sendmail_t)
 
-	allow $1 unconfined_sendmail_t:process { ptrace signal_perms getattr };
-	read_files_pattern($1, unconfined_sendmail_t, unconfined_sendmail_t)
+	allow $1 unconfined_sendmail_t:process { ptrace signal_perms };
+	ps_process_pattern($1, unconfined_sendmail_t)
 
 	sendmail_initrc_domtrans($1)
 	domain_system_change_exemption($1)
diff --git a/policy/modules/services/setroubleshoot.if b/policy/modules/services/setroubleshoot.if
index 9dc4091..a7fbedc 100644
--- a/policy/modules/services/setroubleshoot.if
+++ b/policy/modules/services/setroubleshoot.if
@@ -109,7 +109,7 @@ interface(`setroubleshoot_dbus_chat_fixit',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
diff --git a/policy/modules/services/smartmon.if b/policy/modules/services/smartmon.if
index adea9f9..d5b2d93 100644
--- a/policy/modules/services/smartmon.if
+++ b/policy/modules/services/smartmon.if
@@ -15,6 +15,7 @@ interface(`smartmon_read_tmp_files',`
 		type fsdaemon_tmp_t;
 	')
 
+	files_search_tmp($1)
 	allow $1 fsdaemon_tmp_t:file read_file_perms;
 ')
 
@@ -41,7 +42,7 @@ interface(`smartmon_admin',`
 		type fsdaemon_initrc_exec_t;
 	')
 
-	allow $1 fsdaemon_t:process { ptrace signal_perms getattr };
+	allow $1 fsdaemon_t:process { ptrace signal_perms };
 	ps_process_pattern($1, fsdaemon_t)
 
 	init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
diff --git a/policy/modules/services/smokeping.if b/policy/modules/services/smokeping.if
index 824d206..8265278 100644
--- a/policy/modules/services/smokeping.if
+++ b/policy/modules/services/smokeping.if
@@ -5,9 +5,9 @@
 ##	Execute a domain transition to run smokeping.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`smokeping_domtrans',`
diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if
index 275f9fb..6aa68d8 100644
--- a/policy/modules/services/snmp.if
+++ b/policy/modules/services/snmp.if
@@ -11,12 +11,12 @@
 ## </param>
 #
 interface(`snmp_stream_connect',`
-	 gen_require(`
+	gen_require(`
 		type snmpd_t, snmpd_var_lib_t;
-	 ')
+	')
 
-	 files_search_var_lib($1)
-	 stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
+	files_search_var_lib($1)
+	stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
 ')
 
 ########################################
@@ -62,6 +62,7 @@ interface(`snmp_read_snmp_var_lib_files',`
 		type snmpd_var_lib_t;
 	')
 
+	files_search_var_lib($1)
 	allow $1 snmpd_var_lib_t:dir list_dir_perms;
 	read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
 	read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
@@ -81,9 +82,10 @@ interface(`snmp_dontaudit_read_snmp_var_lib_files',`
 	gen_require(`
 		type snmpd_var_lib_t;
 	')
+
 	dontaudit $1 snmpd_var_lib_t:dir list_dir_perms;
 	dontaudit $1 snmpd_var_lib_t:file read_file_perms;
-	dontaudit $1 snmpd_var_lib_t:lnk_file { getattr read };
+	dontaudit $1 snmpd_var_lib_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
@@ -128,7 +130,7 @@ interface(`snmp_admin',`
 		type snmpd_initrc_exec_t;
 	')
 
-	allow $1 snmpd_t:process { ptrace signal_perms getattr };
+	allow $1 snmpd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, snmpd_t)
 
 	init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
diff --git a/policy/modules/services/snort.if b/policy/modules/services/snort.if
index c117e8b..215f425 100644
--- a/policy/modules/services/snort.if
+++ b/policy/modules/services/snort.if
@@ -5,9 +5,9 @@
 ##	Execute a domain transition to run snort.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`snort_domtrans',`
diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
index 76cfada..7f57f22 100644
--- a/policy/modules/services/spamassassin.if
+++ b/policy/modules/services/spamassassin.if
@@ -14,6 +14,7 @@
 ##	User domain for the role
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`spamassassin_role',`
 	gen_require(`
@@ -25,9 +26,13 @@ interface(`spamassassin_role',`
 	role $1 types { spamc_t spamassassin_t };
 
 	domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
+
+	allow $2 spamassassin_t:process { ptrace signal_perms };
 	ps_process_pattern($2, spamassassin_t)
 
 	domtrans_pattern($2, spamc_exec_t, spamc_t)
+
+	allow $2 spamc_t:process { ptrace signal_perms };
 	ps_process_pattern($2, spamc_t)
 
 	manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
@@ -55,7 +60,6 @@ interface(`spamassassin_exec',`
 	')
 
 	can_exec($1, spamassassin_exec_t)
-
 ')
 
 ########################################
@@ -147,6 +151,7 @@ interface(`spamassassin_manage_home_client',`
 		type spamc_home_t;
 	')
 
+	userdom_search_user_home_dirs($1)
 	manage_dirs_pattern($1, spamc_home_t, spamc_home_t)
 	manage_files_pattern($1, spamc_home_t, spamc_home_t)
 	manage_lnk_files_pattern($1, spamc_home_t, spamc_home_t)
@@ -245,6 +250,7 @@ interface(`spamassassin_read_spamd_tmp_files',`
 		type spamd_tmp_t;
 	')
 
+	files_search_tmp($1)
 	allow $1 spamd_tmp_t:file read_file_perms;
 ')
 
@@ -264,7 +270,7 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
 		type spamd_tmp_t;
 	')
 
-	dontaudit $1 spamd_tmp_t:sock_file getattr;
+	dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms;
 ')
 
 ########################################
@@ -279,9 +285,10 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
 #
 interface(`spamd_stream_connect',`
 	gen_require(`
-		type spamd_t, spamd_var_run_t, spamd_spool_t;
+		type spamd_t, spamd_var_run_t;
 	')
 
+	files_search_pids($1)
 	stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
 ')
 
@@ -311,7 +318,7 @@ interface(`spamassassin_spamd_admin',`
 
 	allow $1 spamd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, spamd_t)
-		
+
 	init_labeled_script_domtrans($1, spamd_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 spamd_initrc_exec_t system_r;
diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if
index d2496bd..dc4f590 100644
--- a/policy/modules/services/squid.if
+++ b/policy/modules/services/squid.if
@@ -71,7 +71,7 @@ interface(`squid_rw_stream_sockets',`
 		type squid_t;
 	')
 
-	allow $1 squid_t:unix_stream_socket { getattr read write };
+	allow $1 squid_t:unix_stream_socket rw_socket_perms;
 ')
 
 ########################################
@@ -83,7 +83,6 @@ interface(`squid_rw_stream_sockets',`
 ##	Domain to not audit.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`squid_dontaudit_search_cache',`
 	gen_require(`
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 3061e83..784c363 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -32,7 +32,6 @@
 ## </param>
 #
 template(`ssh_basic_client_template',`
-
 	gen_require(`
 		attribute ssh_server;
 		type ssh_exec_t, sshd_key_t, sshd_tmp_t;
@@ -167,7 +166,7 @@ template(`ssh_basic_client_template',`
 ##	</summary>
 ## </param>
 #
-template(`ssh_server_template', `
+template(`ssh_server_template',`
 	type $1_t, ssh_server;
 	auth_login_pgm_domain($1_t)
 
@@ -189,7 +188,7 @@ template(`ssh_server_template', `
 	allow $1_t self:unix_stream_socket create_stream_socket_perms;
 	allow $1_t self:shm create_shm_perms;
 
-	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
+	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom };
 	term_create_pty($1_t, $1_devpts_t)
 
 	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
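Review bot: `getattr_chr_file_perms` in the new `$1_devpts_t` rule looks redundant, since `rw_chr_file_perms` should already include getattr. The virt_domain_template hunk in this patch writes the equivalent rule as `{ rw_chr_file_perms setattr_chr_file_perms }`. For consistency this line could read `allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms relabelfrom };`. ssh_server_template starts and ends outside the hunk.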
@@ -248,7 +247,6 @@ template(`ssh_server_template', `
 	miscfiles_read_localization($1_t)
 
 	userdom_dontaudit_relabelfrom_user_ptys($1_t)
-	userdom_search_user_home_dirs($1_t)
 	userdom_read_user_home_content_files($1_t)
 
 	# Allow checking users mail at login
@@ -302,11 +300,11 @@ template(`ssh_server_template', `
 ##	User domain for the role
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 template(`ssh_role_template',`
 	gen_require(`
 		attribute ssh_server, ssh_agent_type;
-
 		type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t;
 		type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t;
 		type ssh_agent_tmp_t;
@@ -339,7 +337,7 @@ template(`ssh_role_template',`
 
 	# allow ps to show ssh
 	ps_process_pattern($3, ssh_t)
-	allow $3 ssh_t:process signal;
+	allow $3 ssh_t:process { ptrace signal_perms };
 
 	# for rsync
 	allow ssh_t $3:unix_stream_socket rw_socket_perms;
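Review bot: Widening `allow $3 ssh_t:process signal;` to `{ ptrace signal_perms }` lets every process in the user domain trace the ssh client, and the next hunk does the same for `$1_ssh_agent_t`, whose memory presumably holds unlocked private keys. That weakens the isolation the separate agent domain is there to provide, and the adjacent comments (`# allow ps to show ssh`, `# Allow the user shell to signal the ssh program.`) no longer describe what is granted. I would leave ptrace out, as in `allow $3 $1_ssh_agent_t:process signal_perms;`, or put it behind a tunable, and update the comments either way. The spamassassin_role hunk adds the same ptrace grant for spamassassin_t and spamc_t. ssh_role_template starts and ends outside this hunk.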
@@ -372,7 +370,7 @@ template(`ssh_role_template',`
 	stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
 
 	# Allow the user shell to signal the ssh program.
-	allow $3 $1_ssh_agent_t:process signal;
+	allow $3 $1_ssh_agent_t:process { ptrace signal_perms };
 
 	# allow ps to show ssh
 	ps_process_pattern($3, $1_ssh_agent_t)
@@ -394,7 +392,6 @@ template(`ssh_role_template',`
 
 	files_read_etc_files($1_ssh_agent_t)
 	files_read_etc_runtime_files($1_ssh_agent_t)
-	files_search_home($1_ssh_agent_t)
 
 	libs_read_lib_files($1_ssh_agent_t)
 
@@ -411,9 +408,6 @@ template(`ssh_role_template',`
 	# for the transition back to normal privs upon exec
 	userdom_search_user_home_content($1_ssh_agent_t)
 	userdom_user_home_domtrans($1_ssh_agent_t, $3)
-	allow $3 $1_ssh_agent_t:fd use;
-	allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
-	allow $3 $1_ssh_agent_t:process sigchld;
 
 	tunable_policy(`use_nfs_home_dirs',`
 		fs_manage_nfs_files($1_ssh_agent_t)
@@ -490,8 +484,9 @@ interface(`ssh_read_pipes',`
 		type sshd_t;
 	')
 
-	allow $1 sshd_t:fifo_file { getattr read };
+	allow $1 sshd_t:fifo_file read_fifo_file_perms;
 ')
+
 ########################################
 ## <summary>
 ##	Read and write a ssh server unnamed pipe.
@@ -507,7 +502,7 @@ interface(`ssh_rw_pipes',`
 		type sshd_t;
 	')
 
-	allow $1 sshd_t:fifo_file { write read getattr ioctl };
+	allow $1 sshd_t:fifo_file rw_inherited_fifo_file_perms;
 ')
 
 ########################################
@@ -597,7 +592,6 @@ interface(`ssh_domtrans',`
 	domtrans_pattern($1, sshd_exec_t, sshd_t)
 ')
 
-
 ########################################
 ## <summary>
 ##	Execute sshd server in the sshd domain.
@@ -650,7 +644,7 @@ interface(`ssh_setattr_key_files',`
 		type sshd_key_t;
 	')
 
-	allow $1 sshd_key_t:file setattr;
+	allow $1 sshd_key_t:file setattr_file_perms;
 	files_search_pids($1)
 ')
 
@@ -727,7 +721,7 @@ interface(`ssh_dontaudit_read_server_keys',`
 		type sshd_key_t;
 	')
 
-	dontaudit $1 sshd_key_t:file { getattr read };
+	dontaudit $1 sshd_key_t:file read_file_perms;
 ')
 
 ######################################
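Review bot: Changing the dontaudit in ssh_dontaudit_read_server_keys from `{ getattr read }` to `read_file_perms` also silences `open` (and ioctl and lock, if the macro expands as in upstream refpolicy). A domain using this interface can then attempt to open an sshd_key_t host key without leaving any AVC record, which removes a signal worth keeping for key files. If the extra suppression is wanted to cut log noise, say so in a comment above the rule, e.g. `# also hides open/ioctl/lock denials on host keys; intentional`. Otherwise keep the explicit `{ getattr read }` set here. The interface begins outside the hunk.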
@@ -785,4 +779,3 @@ interface(`ssh_signull',`
 
 	allow $1 sshd_t:process signull;
 ')
-
diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if
index 941380a..6dbfc01 100644
--- a/policy/modules/services/sssd.if
+++ b/policy/modules/services/sssd.if
@@ -5,9 +5,9 @@
 ##	Execute a domain transition to run sssd.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`sssd_domtrans',`
@@ -89,6 +89,7 @@ interface(`sssd_manage_pids',`
 		type sssd_var_run_t;
 	')
 
+	files_search_pids($1)
 	manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
 	manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
 ')
@@ -128,7 +129,6 @@ interface(`sssd_dontaudit_search_lib',`
 	')
 
 	dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
-	files_search_var_lib($1)
 ')
 
 ########################################
@@ -225,21 +225,15 @@ interface(`sssd_stream_connect',`
 ##	The role to be allowed to manage the sssd domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`sssd_admin',`
 	gen_require(`
-		type sssd_t, sssd_public_t;
-		type sssd_initrc_exec_t;
+		type sssd_t, sssd_public_t, sssd_initrc_exec_t;
 	')
 
-	allow $1 sssd_t:process { ptrace signal_perms getattr };
-	read_files_pattern($1, sssd_t, sssd_t)
+	allow $1 sssd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, sssd_t)
 
 	# Allow sssd_t to restart the apache service
 	sssd_initrc_domtrans($1)
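Review bot: The context comment `# Allow sssd_t to restart the apache service` above `sssd_initrc_domtrans($1)` appears to be copied from another module. The rule applies to the caller `$1`, not sssd_t, and concerns the sssd init script. Since this hunk already tidies sssd_admin's header and rules, the comment could become `# Allow $1 to run the sssd init script`. The interface body continues past the end of the hunk.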
diff --git a/policy/modules/services/stunnel.if b/policy/modules/services/stunnel.if
index 6073656..eaf49b2 100644
--- a/policy/modules/services/stunnel.if
+++ b/policy/modules/services/stunnel.if
@@ -20,6 +20,6 @@ interface(`stunnel_service_domain',`
 		type stunnel_t;
 	')
 
-	domtrans_pattern(stunnel_t,$2,$1)
+	domtrans_pattern(stunnel_t, $2, $1)
 	allow $1 stunnel_t:tcp_socket rw_socket_perms;
 ')
diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if
index 4d10dda..1427b54 100644
--- a/policy/modules/services/tftp.if
+++ b/policy/modules/services/tftp.if
@@ -64,19 +64,19 @@ interface(`tftp_manage_rw_content',`
 ##	with specified types.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed access.
-## </summary>
+##	</summary>
 ## </param>
 ## <param name="file_type">
-## <summary>
+##	<summary>
 ##	Private file type.
-## </summary>
+##	</summary>
 ## </param>
 ## <param name="object_class">
-## <summary>
+##	<summary>
 ##	Class of the object being created.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`tftp_filetrans_tftpdir',`
@@ -105,9 +105,10 @@ interface(`tftp_admin',`
 		type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
 	')
 
-	allow $1 tftpd_t:process { ptrace signal_perms getattr };
+	allow $1 tftpd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, tftpd_t)
 
+	files_list_var_lib($1)
 	admin_pattern($1, tftpdir_rw_t)
 
 	admin_pattern($1, tftpdir_t)
diff --git a/policy/modules/services/tgtd.if b/policy/modules/services/tgtd.if
index 74beaaa..c2ed23a 100644
--- a/policy/modules/services/tgtd.if
+++ b/policy/modules/services/tgtd.if
@@ -11,36 +11,36 @@
 
 #####################################
 ## <summary>
-##      Allow read and write access to tgtd semaphores.
+##	Allow read and write access to tgtd semaphores.
 ## </summary>
 ## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
+##	<summary>
+##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`tgtd_rw_semaphores',`
-        gen_require(`
-                type tgtd_t;
-        ')
+	gen_require(`
+		type tgtd_t;
+	')
 
-        allow $1 tgtd_t:sem rw_sem_perms;
+	allow $1 tgtd_t:sem rw_sem_perms;
 ')
 
 ######################################
 ## <summary>
-##      Manage tgtd sempaphores.
+##	Manage tgtd sempaphores.
 ## </summary>
 ## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
+##	<summary>
+##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`tgtd_manage_semaphores',`
-        gen_require(`
-                type tgtd_t;
-        ')
+	gen_require(`
+		type tgtd_t;
+	')
 
-        allow $1 tgtd_t:sem create_sem_perms;
+	allow $1 tgtd_t:sem create_sem_perms;
 ')
diff --git a/policy/modules/services/tor.if b/policy/modules/services/tor.if
index 904f13e..464347f 100644
--- a/policy/modules/services/tor.if
+++ b/policy/modules/services/tor.if
@@ -42,7 +42,7 @@ interface(`tor_admin',`
 		type tor_initrc_exec_t;
 	')
 
-	allow $1 tor_t:process { ptrace signal_perms getattr };
+	allow $1 tor_t:process { ptrace signal_perms };
 	ps_process_pattern($1, tor_t)
 
 	init_labeled_script_domtrans($1, tor_initrc_exec_t)
diff --git a/policy/modules/services/tuned.if b/policy/modules/services/tuned.if
index 54b8605..329f139 100644
--- a/policy/modules/services/tuned.if
+++ b/policy/modules/services/tuned.if
@@ -5,9 +5,9 @@
 ##	Execute a domain transition to run tuned.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`tuned_domtrans',`
@@ -112,8 +112,7 @@ interface(`tuned_initrc_domtrans',`
 #
 interface(`tuned_admin',`
 	gen_require(`
-		type tuned_t, tuned_var_run_t;
-		type tuned_initrc_exec_t;
+		type tuned_t, tuned_var_run_t, tuned_initrc_exec_t;
 	')
 
 	allow $1 tuned_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/ucspitcp.if b/policy/modules/services/ucspitcp.if
index c1feba4..1f6f55b 100644
--- a/policy/modules/services/ucspitcp.if
+++ b/policy/modules/services/ucspitcp.if
@@ -20,7 +20,7 @@
 ##	</summary>
 ## </param>
 #
-interface(`ucspitcp_service_domain', `
+interface(`ucspitcp_service_domain',`
 	gen_require(`
 		type ucspitcp_t;
 		role system_r;
@@ -31,8 +31,5 @@ interface(`ucspitcp_service_domain', `
 
 	role system_r types $1;
 
-	domain_auto_trans(ucspitcp_t, $2, $1)
-	allow $1 ucspitcp_t:fd use;
-	allow $1 ucspitcp_t:process sigchld;
-	allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;
+	domtrans_pattern(ucspitcp_t, $2, $1)
 ')
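Review bot: Collapsing the four rules into `domtrans_pattern(ucspitcp_t, $2, $1)` drops `allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;`, which domtrans_pattern is not expected to supply (it covers the transition plus fd, fifo and sigchld handling). A service started from ucspitcp_t presumably talks on the accepted TCP socket it inherits, so it would likely be denied after this change. stunnel_service_domain in this same patch keeps its `allow $1 stunnel_t:tcp_socket rw_socket_perms;` line after the identical conversion. I would keep `allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;` after the domtrans_pattern call. The interface begins outside this hunk.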
diff --git a/policy/modules/services/ulogd.if b/policy/modules/services/ulogd.if
index b078bf7..e3c66d8 100644
--- a/policy/modules/services/ulogd.if
+++ b/policy/modules/services/ulogd.if
@@ -5,9 +5,9 @@
 ##	Execute a domain transition to run ulogd.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`ulogd_domtrans',`
@@ -65,9 +65,9 @@ interface(`ulogd_read_log',`
 ##	Allow the specified domain to search ulogd's log files.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed access.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`ulogd_search_log',`
@@ -119,9 +119,8 @@ interface(`ulogd_append_log',`
 #
 interface(`ulogd_admin',`
 	gen_require(`
-		type ulogd_t, ulogd_etc_t;
+		type ulogd_t, ulogd_etc_t, ulogd_modules_t;
 		type ulogd_var_log_t, ulogd_initrc_exec_t;
-		type ulogd_modules_t;
 	')
 
 	allow $1 ulogd_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/usbmuxd.if b/policy/modules/services/usbmuxd.if
index 5015043..53792d3 100644
--- a/policy/modules/services/usbmuxd.if
+++ b/policy/modules/services/usbmuxd.if
@@ -5,9 +5,9 @@
 ##	Execute a domain transition to run usbmuxd.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`usbmuxd_domtrans',`
diff --git a/policy/modules/services/uucp.if b/policy/modules/services/uucp.if
index 0e4774c..a717e2d 100644
--- a/policy/modules/services/uucp.if
+++ b/policy/modules/services/uucp.if
@@ -99,7 +99,7 @@ interface(`uucp_admin',`
 		type uucpd_var_run_t;
 	')
 
-	allow $1 uucpd_t:process { ptrace signal_perms getattr };
+	allow $1 uucpd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, uucpd_t)
 
 	logging_list_logs($1)
diff --git a/policy/modules/services/varnishd.if b/policy/modules/services/varnishd.if
index 9214237..e0f819e 100644
--- a/policy/modules/services/varnishd.if
+++ b/policy/modules/services/varnishd.if
@@ -21,7 +21,7 @@ interface(`varnishd_domtrans',`
 
 #######################################
 ## <summary>
-##	Execute varnishd 
+##	Execute varnishd
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -61,18 +61,18 @@ interface(`varnishd_read_config',`
 ##  Read varnish lib files.
 ## </summary>
 ## <param name="domain">
-##  <summary>
-##  Domain allowed access.
-##  </summary>
+##	<summary>
+##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`varnishd_read_lib_files',`
-    gen_require(`
-        type varnishd_var_lib_t;
-    ')
+	gen_require(`
+		type varnishd_var_lib_t;
+	')
 
-    files_search_var_lib($1)
-    read_files_pattern($1, varnishd_var_lib_t, varnishd_var_lib_t)
+	files_search_var_lib($1)
+	read_files_pattern($1, varnishd_var_lib_t, varnishd_var_lib_t)
 ')
 
 #######################################
@@ -151,9 +151,8 @@ interface(`varnishd_manage_log',`
 #
 interface(`varnishd_admin_varnishlog',`
 	gen_require(`
-		type varnishlog_t;
+		type varnishlog_t, varnishlog_initrc_exec_t;
 		type varnishlog_var_run_t, varnishlog_log_t;
-		type varnishlog_initrc_exec_t;
 	')
 
 	allow $1 varnishlog_t:process { ptrace signal_perms };
@@ -165,11 +164,10 @@ interface(`varnishd_admin_varnishlog',`
 	allow $2 system_r;
 
 	files_search_pids($1)
- 	admin_pattern($1, varnishlog_var_run_t)
+	admin_pattern($1, varnishlog_var_run_t)
 
 	logging_list_logs($1)
 	admin_pattern($1, varnishlog_log_t)
-
 ')
 
 #######################################
@@ -192,7 +190,7 @@ interface(`varnishd_admin_varnishlog',`
 interface(`varnishd_admin',`
 	gen_require(`
 		type varnishd_t, varnishd_var_lib_t, varnishd_etc_t;
-		type varnishd_var_run_t, varnishd_tmp_t; 
+		type varnishd_var_run_t, varnishd_tmp_t;
 		type varnishd_initrc_exec_t;
 	')
 
@@ -215,5 +213,4 @@ interface(`varnishd_admin',`
 
 	files_search_tmp($1)
 	admin_pattern($1, varnishd_tmp_t)
-
 ')
diff --git a/policy/modules/services/vhostmd.if b/policy/modules/services/vhostmd.if
index dadae8e..da605ba 100644
--- a/policy/modules/services/vhostmd.if
+++ b/policy/modules/services/vhostmd.if
@@ -5,9 +5,9 @@
 ##	Execute a domain transition to run vhostmd.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`vhostmd_domtrans',`
@@ -52,7 +52,7 @@ interface(`vhostmd_read_tmpfs_files',`
 	')
 
 	allow $1 vhostmd_tmpfs_t:file read_file_perms;
-	files_search_tmp($1)
+	fs_search_tmpfs($1)
 ')
 
 ########################################
@@ -90,7 +90,7 @@ interface(`vhostmd_rw_tmpfs_files',`
 	')
 
 	rw_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
-	files_search_tmp($1)
+	fs_search_tmpfs($1)
 ')
 
 ########################################
@@ -109,7 +109,7 @@ interface(`vhostmd_manage_tmpfs_files',`
 	')
 
 	manage_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
-	files_search_tmp($1)
+	fs_search_tmpfs($1)
 ')
 
 ########################################
@@ -146,7 +146,8 @@ interface(`vhostmd_manage_pid_files',`
 		type vhostmd_var_run_t;
 	')
 
-	 manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t)
+	files_search_pids($1)
+	manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t)
 ')
 
 ########################################
@@ -220,5 +221,4 @@ interface(`vhostmd_admin',`
 	vhostmd_manage_tmpfs_files($1)
 
 	vhostmd_manage_pid_files($1)
-
 ')
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
index 1a0701b..e584e21 100644
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
@@ -14,8 +14,7 @@
 template(`virt_domain_template',`
 	gen_require(`
 		type virtd_t;
-		attribute virt_image_type;
-		attribute virt_domain;
+		attribute virt_image_type, virt_domain;
 	')
 
 	type $1_t, virt_domain;
@@ -38,7 +37,7 @@ template(`virt_domain_template',`
 	dev_node($1_image_t)
 	dev_associate_sysfs($1_image_t)
 
-	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
+	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
 	term_create_pty($1_t, $1_devpts_t)
 
 	manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
@@ -91,9 +90,9 @@ interface(`virt_image',`
 ##	Execute a domain transition to run virt.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`virt_domtrans',`
@@ -154,8 +153,7 @@ interface(`virt_attach_tun_iface',`
 #
 interface(`virt_read_config',`
 	gen_require(`
-		type virt_etc_t;
-		type virt_etc_rw_t;
+		type virt_etc_t, virt_etc_rw_t;
 	')
 
 	files_search_etc($1)
@@ -176,8 +174,7 @@ interface(`virt_read_config',`
 #
 interface(`virt_manage_config',`
 	gen_require(`
-		type virt_etc_t;
-		type virt_etc_rw_t;
+		type virt_etc_t, virt_etc_rw_t;
 	')
 
 	files_search_etc($1)
@@ -227,7 +224,7 @@ interface(`virt_read_content',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -380,9 +377,9 @@ interface(`virt_read_log',`
 ##	virt log files.
 ## </summary>
 ## <param name="domain">
-## 	<summary>
+##	<summary>
 ##	Domain allowed access.
-## 	</summary>
+##	</summary>
 ## </param>
 #
 interface(`virt_append_log',`
@@ -578,6 +575,7 @@ interface(`virt_admin',`
 ##	The role to be allowed the sandbox domain.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`virt_transition_svirt',`
 	gen_require(`
@@ -609,4 +607,3 @@ interface(`virt_dontaudit_write_pipes',`
 
 	dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
 ')
-
diff --git a/policy/modules/services/xfs.if b/policy/modules/services/xfs.if
index aa6e5a8..42a0efb 100644
--- a/policy/modules/services/xfs.if
+++ b/policy/modules/services/xfs.if
@@ -1,4 +1,4 @@
-## <summary>X Windows Font Server </summary>
+## <summary>X Windows Font Server</summary>
 
 ########################################
 ## <summary>
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 4bc9fff..f34a53f 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -59,10 +59,6 @@ interface(`xserver_restricted_role',`
 
 	domtrans_pattern($2, iceauth_exec_t, iceauth_t)
 
-ifdef(`hide_broken_symptoms', `
-	dontaudit iceauth_t $2:socket_class_set { read write };
-')
-
 	allow $2 iceauth_home_t:file read_file_perms;
 
 	domtrans_pattern($2, xauth_exec_t, xauth_t)
@@ -77,11 +73,11 @@ ifdef(`hide_broken_symptoms', `
 
 	# for when /tmp/.X11-unix is created by the system
 	allow $2 xdm_t:fd use;
-	allow $2 xdm_t:fifo_file { getattr read write ioctl };
+	allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
 	allow $2 xdm_tmp_t:dir search_dir_perms;
-	allow $2 xdm_tmp_t:sock_file { read write };
+	allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
 	dontaudit $2 xdm_t:tcp_socket { read write };
-	dontaudit $2 xdm_tmp_t:dir setattr;
+	dontaudit $2 xdm_tmp_t:dir setattr_dir_perms;
 
 	allow $2 xdm_t:dbus send_msg;
 	allow xdm_t  $2:dbus send_msg;
@@ -91,7 +87,7 @@ ifdef(`hide_broken_symptoms', `
 	allow $2 xserver_tmpfs_t:file read_file_perms;
 
 	# Read /tmp/.X0-lock
-	allow $2 xserver_tmp_t:file { getattr read };
+	allow $2 xserver_tmp_t:file read_inherited_file_perms;
 
 	dev_rw_xserver_misc($2)
 	dev_rw_power_management($2)
@@ -100,9 +96,6 @@ ifdef(`hide_broken_symptoms', `
 	dev_write_misc($2)
 	# open office is looking for the following
 	dev_getattr_agp_dev($2)
-	tunable_policy(`user_direct_dri',`
-		dev_rw_dri($2)
-	')
 
 	# GNOME checks for usb and other devices:
 	dev_rw_usbfs($2)
@@ -121,11 +114,19 @@ ifdef(`hide_broken_symptoms', `
 	# Needed for escd, remove if we get escd policy
 	xserver_manage_xdm_tmp_files($2)
 
+	ifdef(`hide_broken_symptoms',`
+		dontaudit iceauth_t $2:socket_class_set { read write };
+	')
+
 	# Client write xserver shm
 	tunable_policy(`allow_write_xshm',`
 		allow $2 xserver_t:shm rw_shm_perms;
 		allow $2 xserver_tmpfs_t:file rw_file_perms;
 	')
+
+	tunable_policy(`user_direct_dri',`
+		dev_rw_dri($2)
+	')
 ')
 
 ########################################
@@ -157,10 +158,10 @@ interface(`xserver_role',`
 	allow $2 xserver_tmpfs_t:file rw_file_perms;
 
 	allow $2 iceauth_home_t:file manage_file_perms;
-	allow $2 iceauth_home_t:file { relabelfrom relabelto };
+	allow $2 iceauth_home_t:file relabel_file_perms;
 
 	allow $2 xauth_home_t:file manage_file_perms;
-	allow $2 xauth_home_t:file { relabelfrom relabelto };
+	allow $2 xauth_home_t:file relabel_file_perms;
 
 	mls_xwin_read_to_clearance($2)
 	manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
@@ -178,7 +179,6 @@ interface(`xserver_role',`
 	manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
 	relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
 	relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
-
 ')
 
 #######################################
@@ -363,9 +363,8 @@ template(`xserver_common_x_domain_template',`
 		type xevent_t, client_xevent_t;
 		type input_xevent_t, $1_input_xevent_t;
 
-		attribute x_domain;
+		attribute x_domain, input_xevent_type;
 		attribute xdrawable_type, xcolormap_type;
-		attribute input_xevent_type;
 
 		class x_drawable all_x_drawable_perms;
 		class x_property all_x_property_perms;
@@ -489,9 +488,9 @@ template(`xserver_user_x_domain_template',`
 
 	# for when /tmp/.X11-unix is created by the system
 	allow $2 xdm_t:fd use;
-	allow $2 xdm_t:fifo_file { getattr read write ioctl };
+	allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
 	allow $2 xdm_tmp_t:dir search_dir_perms;
-	allow $2 xdm_tmp_t:sock_file { read write };
+	allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
 	dontaudit $2 xdm_t:tcp_socket { read write };
 
 	# Allow connections to X server.
@@ -503,7 +502,7 @@ template(`xserver_user_x_domain_template',`
 	# for .xsession-errors
 	userdom_dontaudit_write_user_home_content_files($2)
 
-	xserver_ro_session($2,$3)
+	xserver_ro_session($2, $3)
 	xserver_use_user_fonts($2)
 
 	xserver_read_xdm_tmp_files($2)
@@ -511,17 +510,17 @@ template(`xserver_user_x_domain_template',`
 
 	# X object manager
 	xserver_object_types_template($1)
-	xserver_common_x_domain_template($1,$2)
-
-	tunable_policy(`user_direct_dri',`
-		dev_rw_dri($2)
-	')
+	xserver_common_x_domain_template($1, $2)
 
 	# Client write xserver shm
 	tunable_policy(`allow_write_xshm',`
 		allow $2 xserver_t:shm rw_shm_perms;
 		allow $2 xserver_tmpfs_t:file rw_file_perms;
 	')
+
+	tunable_policy(`user_direct_dri',`
+		dev_rw_dri($2)
+	')
 ')
 
 ########################################
@@ -582,7 +581,8 @@ interface(`xserver_domtrans_xauth',`
 	')
 
 	domtrans_pattern($1, xauth_exec_t, xauth_t)
-	ifdef(`hide_broken_symptoms', `
+
+	ifdef(`hide_broken_symptoms',`
 		dontaudit xauth_t $1:socket_class_set { read write };
 	')
 ')
@@ -674,7 +674,7 @@ interface(`xserver_setattr_console_pipes',`
 		type xconsole_device_t;
 	')
 
-	allow $1 xconsole_device_t:fifo_file setattr;
+	allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms;
 ')
 
 ########################################
@@ -710,7 +710,7 @@ interface(`xserver_use_xdm_fds',`
 		type xdm_t;
 	')
 
-	allow $1 xdm_t:fd use; 
+	allow $1 xdm_t:fd use;
 ')
 
 ########################################
@@ -729,7 +729,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
 		type xdm_t;
 	')
 
-	dontaudit $1 xdm_t:fd use; 
+	dontaudit $1 xdm_t:fd use;
 ')
 
 ########################################
@@ -747,7 +747,7 @@ interface(`xserver_rw_xdm_pipes',`
 		type xdm_t;
 	')
 
-	allow $1 xdm_t:fifo_file { getattr read write }; 
+	allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
 ')
 
 ########################################
@@ -762,12 +762,11 @@ interface(`xserver_rw_xdm_pipes',`
 ## </param>
 #
 interface(`xserver_dontaudit_rw_xdm_pipes',`
-
 	gen_require(`
 		type xdm_t;
 	')
 
-	dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms; 
+	dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms;
 ')
 
 ########################################
@@ -783,11 +782,11 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
 #
 interface(`xserver_stream_connect_xdm',`
 	gen_require(`
-		type xdm_t, xdm_tmp_t;
-		type xdm_var_run_t;
+		type xdm_t, xdm_tmp_t, xdm_var_run_t;
 	')
 
 	files_search_tmp($1)
+	files_search_pids($1)
 	stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
 	stream_connect_pattern($1, xdm_var_run_t, xdm_var_run_t, xdm_t)
 ')
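Review bot: `files_search_pids($1)` is a functional permission addition in a commit that otherwise reads as formatting, so every caller of `xserver_stream_connect_xdm` now gains search on the pid directory. It is consistent with the `xdm_var_run_t` socket reached by the second `stream_connect_pattern`, so the grant looks justified, but it should be called out in the commit message. A short comment above the call would also help, e.g. `# xdm_var_run_t sockets are reached through the pid directory`. The interface's summary sits outside this hunk and may need the same mention.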
@@ -826,7 +825,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
 		type xdm_tmp_t;
 	')
 
-	allow $1 xdm_tmp_t:dir setattr;
+	allow $1 xdm_tmp_t:dir setattr_dir_perms;
 ')
 
 ########################################
@@ -958,7 +957,7 @@ interface(`xserver_getattr_log',`
 	')
 
 	logging_search_logs($1)
-	allow $1 xserver_log_t:file getattr;
+	allow $1 xserver_log_t:file getattr_file_perms;
 ')
 
 ########################################
@@ -1037,7 +1036,7 @@ interface(`xserver_read_xdm_etc_files',`
 		type xdm_etc_t;
 	')
 
- 	files_search_etc($1)
+	files_search_etc($1)
 	read_files_pattern($1, xdm_etc_t, xdm_etc_t)
 ')
 
@@ -1056,7 +1055,7 @@ interface(`xserver_manage_xdm_etc_files',`
 		type xdm_etc_t;
 	')
 
- 	files_search_etc($1)
+	files_search_etc($1)
 	manage_files_pattern($1, xdm_etc_t, xdm_etc_t)
 ')
 
@@ -1075,7 +1074,7 @@ interface(`xserver_read_xdm_tmp_files',`
 		type xdm_tmp_t;
 	')
 
- 	files_search_tmp($1)
+	files_search_tmp($1)
 	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
 ')
 
@@ -1151,7 +1150,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
 		type xdm_tmp_t;
 	')
 
-	dontaudit $1 xdm_tmp_t:sock_file getattr;
+	dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
 ')
 
 ########################################
@@ -1169,7 +1168,7 @@ interface(`xserver_domtrans',`
 		type xserver_t, xserver_exec_t;
 	')
 
- 	allow $1 xserver_t:process siginh;
+	allow $1 xserver_t:process siginh;
 	domtrans_pattern($1, xserver_exec_t, xserver_t)
 
 	allow xserver_t $1:process getpgid;
@@ -1312,7 +1311,7 @@ interface(`xserver_read_tmp_files',`
 ## <summary>
 ##	Interface to provide X object permissions on a given X server to
 ##	an X client domain.  Gives the domain permission to read the
-##      virtual core keyboard and virtual core pointer devices.
+##	virtual core keyboard and virtual core pointer devices.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1322,13 +1321,12 @@ interface(`xserver_read_tmp_files',`
 #
 interface(`xserver_manage_core_devices',`
 	gen_require(`
-		type xserver_t;
+		type xserver_t, root_xdrawable_t;
 		class x_device all_x_device_perms;
 		class x_pointer all_x_pointer_perms;
 		class x_keyboard all_x_keyboard_perms;
 		class x_screen all_x_screen_perms;
 		class x_drawable { manage };
-		type root_xdrawable_t;
 		attribute x_domain;
 		class x_drawable { read manage setattr show };
 		class x_resource { write read };
@@ -1356,8 +1354,7 @@ interface(`xserver_manage_core_devices',`
 #
 interface(`xserver_unconfined',`
 	gen_require(`
-		attribute x_domain;
-		attribute xserver_unconfined_type;
+		attribute x_domain, xserver_unconfined_type;
 	')
 
 	typeattribute $1 x_domain;
@@ -1376,8 +1373,7 @@ interface(`xserver_unconfined',`
 #
 interface(`xserver_dontaudit_append_xdm_home_files',`
 	gen_require(`
-		type xdm_home_t;
-		type xserver_tmp_t;
+		type xdm_home_t, xserver_tmp_t;
 	')
 
 	dontaudit $1 xdm_home_t:file rw_inherited_file_perms;
@@ -1404,8 +1400,7 @@ interface(`xserver_dontaudit_append_xdm_home_files',`
 #
 interface(`xserver_append_xdm_home_files',`
 	gen_require(`
-		type xdm_home_t;
-		type xserver_tmp_t;
+		type xdm_home_t, xserver_tmp_t;
 	')
 
 	allow $1 xdm_home_t:file append_file_perms;
@@ -1566,12 +1561,10 @@ template(`xserver_read_user_iceauth',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`xserver_rw_inherited_user_fonts',`
 	gen_require(`
-		type user_fonts_t;
-		type user_fonts_config_t;
+		type user_fonts_t, user_fonts_config_t;
 	')
 
 	allow $1 user_fonts_t:file rw_inherited_file_perms;
@@ -1598,7 +1591,6 @@ interface(`xserver_search_xdm_lib',`
 	allow $1 xdm_var_lib_t:dir search_dir_perms;
 ')
 
-
 ########################################
 ## <summary>
 ##	Make an X executable an entrypoint for the specified domain.
@@ -1632,6 +1624,7 @@ interface(`xserver_entry_type',`
 ##	The role to be allowed the xserver domain.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`xserver_run',`
 	gen_require(`
@@ -1657,6 +1650,7 @@ interface(`xserver_run',`
 ##	The role to be allowed the xserver domain.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`xserver_run_xauth',`
 	gen_require(`
@@ -1679,8 +1673,7 @@ interface(`xserver_run_xauth',`
 #
 interface(`xserver_manage_home_fonts',`
 	gen_require(`
-		type user_fonts_t;
-		type user_fonts_config_t;
+		type user_fonts_t, user_fonts_config_t;
 	')
 
 	manage_dirs_pattern($1, user_fonts_t, user_fonts_t)
diff --git a/policy/modules/services/zabbix.if b/policy/modules/services/zabbix.if
index d77e631..4776863 100644
--- a/policy/modules/services/zabbix.if
+++ b/policy/modules/services/zabbix.if
@@ -5,9 +5,9 @@
 ##	Execute a domain transition to run zabbix.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`zabbix_domtrans',`
@@ -44,9 +44,9 @@ interface(`zabbix_read_log',`
 ##	zabbix log files.
 ## </summary>
 ## <param name="domain">
-## 	<summary>
+##	<summary>
 ##	Domain allowed access.
-## 	</summary>
+##	</summary>
 ## </param>
 #
 interface(`zabbix_append_log',`
diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if
index bba3124..78fc104 100644
--- a/policy/modules/services/zarafa.if
+++ b/policy/modules/services/zarafa.if
@@ -1,30 +1,28 @@
-
 ## <summary>policy for zarafa services</summary>
 
 ######################################
 ## <summary>
-##  Creates types and rules for a basic
-##  zararfa init daemon domain.
+##	Creates types and rules for a basic
+##	zararfa init daemon domain.
 ## </summary>
 ## <param name="prefix">
-##  <summary>
-##  Prefix for the domain.
-##  </summary>
+##	<summary>
+##	Prefix for the domain.
+##	</summary>
 ## </param>
 #
 template(`zarafa_domain_template',`
-
 	gen_require(`
 		attribute zarafa_domain;
 	')
 
 	##############################
-	#    
-	#  $1_t declarations
-	#            
+	#
+	# $1_t declarations
+	#
 
 	type zarafa_$1_t, zarafa_domain;
-    type zarafa_$1_exec_t;
+	type zarafa_$1_exec_t;
 	init_daemon_domain(zarafa_$1_t, zarafa_$1_exec_t)
 
 	type zarafa_$1_log_t;
@@ -34,28 +32,28 @@ template(`zarafa_domain_template',`
 	files_pid_file(zarafa_$1_var_run_t)
 
 	##############################
-	#       
+	#
 	# $1_t local policy
-	#                      
+	#
 
 	manage_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t)
- 	manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t)
- 	files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file })
+	manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t)
+	files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file })
 	#stream_connect_pattern(zarafa_$1_t, $1_var_run_t, $1_var_run_t, virtd_t)
 
 	manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t,zarafa_$1_log_t)
 	#manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_log_t,zarafa_$1_log_t)
 	logging_log_filetrans(zarafa_$1_t,zarafa_$1_log_t,{ file })
-')	
-           
+')
+
 ########################################
 ## <summary>
 ##	Execute a domain transition to run zarafa_server.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`zarafa_server_domtrans',`
@@ -66,15 +64,14 @@ interface(`zarafa_server_domtrans',`
 	domtrans_pattern($1, zarafa_server_exec_t, zarafa_server_t)
 ')
 
-
 ########################################
 ## <summary>
 ##	Execute a domain transition to run zarafa_deliver.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`zarafa_deliver_domtrans',`
@@ -87,19 +84,19 @@ interface(`zarafa_deliver_domtrans',`
 
 #######################################
 ## <summary>
-##  Connect to zarafa-server unix domain stream socket.
+##	Connect to zarafa-server unix domain stream socket.
 ## </summary>
 ## <param name="domain">
-##  <summary>
-##  Domain allowed access.
-##  </summary>
+##	<summary>
+##	Domain allowed access.
+##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`zarafa_stream_connect_server',`
-    gen_require(`
-        type zarafa_server_t, zarafa_server_var_run_t;
-    ')
+	gen_require(`
+		type zarafa_server_t, zarafa_server_var_run_t;
+	')
 
-    stream_connect_pattern($1, zarafa_server_t, zarafa_server_var_run_t, zarafa_server_t)
+	files_search_var_lib($1)
+	stream_connect_pattern($1, zarafa_server_t, zarafa_server_var_run_t, zarafa_server_t)
 ')
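Review bot: `files_search_var_lib($1)` does not match the socket this interface connects to. `zarafa_server_var_run_t` is set up as a pid file type in `zarafa_domain_template` (`files_pid_file`, `files_pid_filetrans`), so the caller needs `files_search_pids($1)`, which is what `zebra_stream_connect` and `xserver_stream_connect_xdm` use in this same diff. The second argument of `stream_connect_pattern` is also the domain `zarafa_server_t`, where those two interfaces pass the socket's file type. I would expect `stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)`. As written the caller is granted search on var_lib that it presumably does not need, and may still be denied on the directory that holds the socket.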
diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if
index 6b87605..5860687 100644
--- a/policy/modules/services/zebra.if
+++ b/policy/modules/services/zebra.if
@@ -38,8 +38,7 @@ interface(`zebra_stream_connect',`
 	')
 
 	files_search_pids($1)
-	allow $1 zebra_var_run_t:sock_file write;
-	allow $1 zebra_t:unix_stream_socket connectto;
+	stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t)
 ')
 
 ########################################
diff --git a/policy/modules/services/zosremote.if b/policy/modules/services/zosremote.if
index 702e768..1d24e1e 100644
--- a/policy/modules/services/zosremote.if
+++ b/policy/modules/services/zosremote.if
@@ -5,9 +5,9 @@
 ##	Execute a domain transition to run audispd-zos-remote.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`zosremote_domtrans',`