diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 93c9ec1..794a0eb 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -222,7 +222,8 @@ ifdef(`distro_gentoo',`
 /usr/lib(64)?/xen/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 
 /usr/libexec(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-/usr/libsexec/sesh		--	gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/libexec/git-core/git-shell	--	gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/libexec/sesh		--	gen_context(system_u:object_r:shell_exec_t,s0)
 
 /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
 
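Review bot: Labeling `git-shell` as `shell_exec_t` widens what "execute a shell" means for every domain that uses `corecmd_exec_shell()`, and any domain transition keyed on `shell_exec_t` (login-shell entry paths) will now fire for git-shell as well; that is presumably intended for git-only accounts, but it deserves a one-line comment above the new entry, e.g. `# git-shell is a restricted login shell; treat it like other shells so login/sshd transitions apply`. The typo fix on the `sesh` line is also a behavior change rather than cosmetic: with `/usr/libsexec/sesh` the entry never matched and `sesh` fell under the `/usr/libexec(/.*)?` `bin_t` glob, so the corrected path moves it to `shell_exec_t` on the next relabel. Existing installs keep the old labels until `/usr/libexec` is relabeled (`restorecon -R /usr/libexec`), which is worth noting in the commit message.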
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
index 61a3920..3b620e3 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -179,7 +179,7 @@ optional_policy(`
 #
 
 allow nrpe_t self:capability { setuid setgid };
-dontaudit nrpe_t self:capability {sys_tty_config sys_resource};
+dontaudit nrpe_t self:capability { sys_tty_config sys_resource };
 allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
 allow nrpe_t self:fifo_file rw_fifo_file_perms;
 allow nrpe_t self:tcp_socket create_stream_socket_perms;
diff --git a/policy/modules/services/ntop.te b/policy/modules/services/ntop.te
index ded9fb6..9d1e60a 100644
--- a/policy/modules/services/ntop.te
+++ b/policy/modules/services/ntop.te
@@ -51,7 +51,7 @@ files_tmp_filetrans(ntop_t, ntop_tmp_t, { file dir })
 
 manage_dirs_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t)
 manage_files_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t)
-files_var_lib_filetrans(ntop_t, ntop_var_lib_t, { file dir } )
+files_var_lib_filetrans(ntop_t, ntop_var_lib_t, { file dir })
 
 manage_files_pattern(ntop_t, ntop_var_run_t, ntop_var_run_t)
 files_pid_filetrans(ntop_t, ntop_var_run_t, file)
diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te
index c1825de..1c72c6e 100644
--- a/policy/modules/services/nx.te
+++ b/policy/modules/services/nx.te
@@ -39,7 +39,7 @@ allow nx_server_t self:fifo_file rw_fifo_file_perms;
 allow nx_server_t self:tcp_socket create_socket_perms;
 allow nx_server_t self:udp_socket create_socket_perms;
 
-allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr };
+allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
 term_create_pty(nx_server_t, nx_server_devpts_t)
 
 manage_dirs_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
@@ -89,10 +89,10 @@ seutil_dontaudit_search_config(nx_server_t)
 sysnet_read_config(nx_server_t)
 
 ifdef(`TODO',`
-# clients already have create permissions; the nxclient wants to also have unlink rights
-allow userdomain xdm_tmp_t:sock_file unlink;
-# for a lockfile created by the client process
-allow nx_server_t user_tmpfile:file getattr;
+	# clients already have create permissions; the nxclient wants to also have unlink rights
+	allow userdomain xdm_tmp_t:sock_file delete_sock_file_perms;
+	# for a lockfile created by the client process
+	allow nx_server_t user_tmpfile:file getattr_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te
index ef6919f..c8f4d64 100644
--- a/policy/modules/services/oddjob.te
+++ b/policy/modules/services/oddjob.te
@@ -7,7 +7,6 @@ policy_module(oddjob, 1.7.0)
 
 type oddjob_t;
 type oddjob_exec_t;
-domain_type(oddjob_t)
 init_daemon_domain(oddjob_t, oddjob_exec_t)
 domain_obj_id_change_exemption(oddjob_t)
 domain_role_change_exemption(oddjob_t)
@@ -15,7 +14,6 @@ domain_subj_id_change_exemption(oddjob_t)
 
 type oddjob_mkhomedir_t;
 type oddjob_mkhomedir_exec_t;
-domain_type(oddjob_mkhomedir_t)
 domain_obj_id_change_exemption(oddjob_mkhomedir_t)
 init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
 oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
@@ -102,4 +100,3 @@ userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
 userdom_manage_user_home_dirs(oddjob_mkhomedir_t)
 userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
 userdom_manage_user_home_content(oddjob_mkhomedir_t)
-
diff --git a/policy/modules/services/oident.te b/policy/modules/services/oident.te
index 9097656..73c1fa5 100644
--- a/policy/modules/services/oident.te
+++ b/policy/modules/services/oident.te
@@ -1,4 +1,4 @@
-policy_module(oident, 2.1.0) 
+policy_module(oident, 2.1.0)
 
 ########################################
 #
@@ -26,10 +26,10 @@ files_config_file(oidentd_config_t)
 #
 
 allow oidentd_t self:capability { setuid setgid };
-allow oidentd_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
-allow oidentd_t self:netlink_tcpdiag_socket { write read create nlmsg_read };
-allow oidentd_t self:tcp_socket { setopt read bind create accept write getattr listen };
-allow oidentd_t self:udp_socket { write read create connect getattr ioctl };
+allow oidentd_t self:netlink_route_socket create_netlink_socket_perms;
+allow oidentd_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
+allow oidentd_t self:tcp_socket create_stream_socket_perms;
+allow oidentd_t self:udp_socket create_socket_perms;
 allow oidentd_t self:unix_dgram_socket { create connect };
 
 allow oidentd_t oidentd_config_t:file read_file_perms;
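Review bot: `create_netlink_socket_perms` on the netlink_route_socket and netlink_tcpdiag_socket lines grants `nlmsg_write`, which neither replaced rule had — they allowed only `nlmsg_read` plus basic socket perms. oidentd only needs to query route and TCP-diag state, and its capability rule above grants no `net_admin`, so the write side of rtnetlink is pure surplus. The read-only set this file's siblings already use (`r_netlink_socket_perms`, see piranha.te) matches the original permissions exactly: `allow oidentd_t self:netlink_route_socket r_netlink_socket_perms;` and `allow oidentd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;`.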
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index ba7c06b..cb87bef 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -6,9 +6,9 @@ policy_module(openvpn, 1.10.0)
 #
 
 ## <desc>
-## <p>
-## Allow openvpn to read home directories
-## </p>
+##	<p>
+##	Allow openvpn to read home directories
+##	</p>
 ## </desc>
 gen_tunable(openvpn_enable_homedirs, false)
 
@@ -46,7 +46,6 @@ files_pid_file(openvpn_var_run_t)
 allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
 allow openvpn_t self:process { signal getsched };
 allow openvpn_t self:fifo_file rw_fifo_file_perms;
-
 allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
 allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow openvpn_t self:udp_socket create_socket_perms;
@@ -129,12 +128,12 @@ tunable_policy(`openvpn_enable_homedirs',`
 ')
 
 tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
-        fs_read_nfs_files(openvpn_t)
-')  
+	fs_read_nfs_files(openvpn_t)
+')
 
 tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
-        fs_read_cifs_files(openvpn_t)
-')  
+	fs_read_cifs_files(openvpn_t)
+')
 
 optional_policy(`
 	daemontools_service_domain(openvpn_t, openvpn_exec_t)
diff --git a/policy/modules/services/pads.te b/policy/modules/services/pads.te
index b246bdd..f414173 100644
--- a/policy/modules/services/pads.te
+++ b/policy/modules/services/pads.te
@@ -1,4 +1,4 @@
-policy_module(pads, 1.0.0) 
+policy_module(pads, 1.0.0)
 
 ########################################
 #
@@ -8,7 +8,6 @@ policy_module(pads, 1.0.0)
 type pads_t;
 type pads_exec_t;
 init_daemon_domain(pads_t, pads_exec_t)
-role system_r types pads_t;
 
 type pads_initrc_exec_t;
 init_script_file(pads_initrc_exec_t)
@@ -25,10 +24,10 @@ files_pid_file(pads_var_run_t)
 #
 
 allow pads_t self:capability { dac_override net_raw };
-allow pads_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
-allow pads_t self:packet_socket { ioctl setopt getopt read bind create };
-allow pads_t self:udp_socket { create ioctl };
-allow pads_t self:unix_dgram_socket { write create connect };
+allow pads_t self:netlink_route_socket create_netlink_socket_perms;
+allow pads_t self:packet_socket create_socket_perms;
+allow pads_t self:udp_socket create_socket_perms;
+allow pads_t self:unix_dgram_socket create_socket_perms;
 
 allow pads_t pads_config_t:file manage_file_perms;
 files_etc_filetrans(pads_t, pads_config_t, file)
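Review bot: The new packet_socket rule grants `write`, which the replaced `{ ioctl setopt getopt read bind create }` set deliberately omitted; combined with `net_raw` on the capability line this lets pads inject raw frames, which a passive asset detector has no reason to do. Likewise `create_netlink_socket_perms` on netlink_route_socket adds `nlmsg_write` where the old rule had only `nlmsg_read`. Suggest `allow pads_t self:netlink_route_socket r_netlink_socket_perms;` and keeping the packet socket read-only, e.g. restoring the explicit set `allow pads_t self:packet_socket { create bind getopt setopt read ioctl };` unless a denial shows pads actually writes to it.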
diff --git a/policy/modules/services/passenger.te b/policy/modules/services/passenger.te
index 9cb0d1c..ba9fdb9 100644
--- a/policy/modules/services/passenger.te
+++ b/policy/modules/services/passenger.te
@@ -1,5 +1,4 @@
-
-policy_module(passanger,1.0.0)
+policy_module(passanger, 1.0.0)
 
 ########################################
 #
@@ -30,7 +29,6 @@ permissive passenger_t;
 
 allow passenger_t self:capability { dac_override fsetid fowner chown setuid setgid };
 allow passenger_t self:process signal;
-
 allow passenger_t self:fifo_file rw_fifo_file_perms;
 allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
 
diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te
index 3116191..df751a6 100644
--- a/policy/modules/services/pcscd.te
+++ b/policy/modules/services/pcscd.te
@@ -7,7 +7,6 @@ policy_module(pcscd, 1.6.1)
 
 type pcscd_t;
 type pcscd_exec_t;
-domain_type(pcscd_t)
 init_daemon_domain(pcscd_t, pcscd_exec_t)
 
 # pid files
diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te
index e2e2f67..5322412 100644
--- a/policy/modules/services/pegasus.te
+++ b/policy/modules/services/pegasus.te
@@ -38,7 +38,7 @@ allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
 allow pegasus_t self:tcp_socket create_stream_socket_perms;
 
 allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
-allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink };
+allow pegasus_t pegasus_conf_t:file { read_file_perms link delete_file_perms };
 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
 
 manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -56,7 +56,7 @@ manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
 manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
 files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir })
 
-allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink };
+allow pegasus_t pegasus_var_run_t:sock_file { create_sock_file_perms setattr_sock_file_perms delete_sock_file_perms };
 manage_dirs_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
 manage_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
 files_pid_filetrans(pegasus_t, pegasus_var_run_t, { file dir })
diff --git a/policy/modules/services/pingd.te b/policy/modules/services/pingd.te
index e9cf8a4..4a9d196 100644
--- a/policy/modules/services/pingd.te
+++ b/policy/modules/services/pingd.te
@@ -27,7 +27,7 @@ files_type(pingd_modules_t)
 
 allow pingd_t self:capability net_raw;
 allow pingd_t self:tcp_socket create_stream_socket_perms;
-allow pingd_t self:rawip_socket { write read create bind };
+allow pingd_t self:rawip_socket create_socket_perms;
 
 read_files_pattern(pingd_t, pingd_etc_t, pingd_etc_t)
 
diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te
index 0a5f27d..6b69f38 100644
--- a/policy/modules/services/piranha.te
+++ b/policy/modules/services/piranha.te
@@ -1,4 +1,4 @@
-policy_module(piranha,1.0.0)
+policy_module(piranha, 1.0.0)
 
 ########################################
 #
@@ -6,9 +6,9 @@ policy_module(piranha,1.0.0)
 #
 
 ## <desc>
-## <p>
-## Allow piranha-lvs domain to connect to the network using TCP.
-## </p>
+##	<p>
+##	Allow piranha-lvs domain to connect to the network using TCP.
+##	</p>
 ## </desc>
 gen_tunable(piranha_lvs_can_network_connect, false)
 
@@ -65,7 +65,6 @@ init_domtrans_script(piranha_fos_t)
 allow piranha_web_t self:capability { setuid sys_nice kill setgid };
 allow piranha_web_t self:process { getsched setsched signal signull ptrace };
 allow piranha_web_t self:rawip_socket create_socket_perms;
-
 allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms;
 allow piranha_web_t self:sem create_sem_perms;
 allow piranha_web_t self:shm create_shm_perms;
@@ -80,7 +79,7 @@ rw_files_pattern(piranha_web_t, piranha_etc_rw_t, piranha_etc_rw_t)
 
 manage_dirs_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
 manage_files_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
-logging_log_filetrans(piranha_web_t, piranha_log_t, { dir file } )
+logging_log_filetrans(piranha_web_t, piranha_log_t, { dir file })
 
 can_exec(piranha_web_t, piranha_web_tmp_t)
 manage_dirs_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)
@@ -119,7 +118,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-        sasl_connect(piranha_web_t)
+	sasl_connect(piranha_web_t)
 ')
 
 ######################################
@@ -129,9 +128,7 @@ optional_policy(`
 
 # neede by nanny
 allow piranha_lvs_t self:capability { net_raw sys_nice };
-
 allow piranha_lvs_t self:process signal;
-
 allow piranha_lvs_t self:unix_dgram_socket create_socket_perms;
 allow piranha_lvs_t self:rawip_socket create_socket_perms;
 
@@ -145,7 +142,7 @@ sysnet_dns_name_resolve(piranha_lvs_t)
 
 # needed by nanny
 tunable_policy(`piranha_lvs_can_network_connect',`
-    corenet_tcp_connect_all_ports(piranha_lvs_t)
+	corenet_tcp_connect_all_ports(piranha_lvs_t)
 ')
 
 # needed by ipvsadm
@@ -176,7 +173,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-    sysnet_domtrans_ifconfig(piranha_pulse_t)
+	sysnet_domtrans_ifconfig(piranha_pulse_t)
 ')
 
 ####################################
@@ -210,9 +207,6 @@ files_read_etc_files(piranha_domain)
 corecmd_exec_bin(piranha_domain)
 corecmd_exec_shell(piranha_domain)
 
-libs_use_ld_so(piranha_domain)
-libs_use_shared_libs(piranha_domain)
-
 logging_send_syslog_msg(piranha_domain)
 
 miscfiles_read_localization(piranha_domain)
diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te
index c30505a..836e2e2 100644
--- a/policy/modules/services/plymouthd.te
+++ b/policy/modules/services/plymouthd.te
@@ -92,7 +92,7 @@ sysnet_read_config(plymouth_t)
 
 plymouthd_stream_connect(plymouth_t)
 
-ifdef(`hide_broken_symptoms', `
+ifdef(`hide_broken_symptoms',`
 	optional_policy(`
 		hal_dontaudit_write_log(plymouth_t)
 		hal_dontaudit_rw_pipes(plymouth_t)
diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
index e731afa..7385ecf 100644
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
@@ -41,7 +41,6 @@ files_pid_file(policykit_var_run_t)
 allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_ptrace };
 allow policykit_t self:process { getsched getattr signal };
 allow policykit_t self:fifo_file rw_fifo_file_perms;
-
 allow policykit_t self:unix_dgram_socket create_socket_perms;
 allow policykit_t self:unix_stream_socket { create_stream_socket_perms connectto };
 
@@ -275,4 +274,3 @@ optional_policy(`
 	kernel_search_proc(policykit_resolve_t)
 	hal_read_state(policykit_resolve_t)
 ')
-
diff --git a/policy/modules/services/portmap.te b/policy/modules/services/portmap.te
index 333a1fe..d1cf513 100644
--- a/policy/modules/services/portmap.te
+++ b/policy/modules/services/portmap.te
@@ -12,7 +12,6 @@ init_daemon_domain(portmap_t, portmap_exec_t)
 type portmap_helper_t;
 type portmap_helper_exec_t;
 init_system_domain(portmap_helper_t, portmap_helper_exec_t)
-role system_r types portmap_helper_t;
 
 type portmap_tmp_t;
 files_tmp_file(portmap_tmp_t)
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 87043e1..628fcda 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -6,10 +6,9 @@ policy_module(postfix, 1.12.0)
 #
 
 ## <desc>
-## <p>
-## Allow postfix_local domain full write access to mail_spool directories
-## 
-## </p>
+##	<p>
+##	Allow postfix_local domain full write access to mail_spool directories
+##	</p>
 ## </desc>
 gen_tunable(allow_postfix_local_write_mail_spool, false)
 
@@ -21,7 +20,7 @@ attribute postfix_user_domtrans;
 
 postfix_server_domain_template(bounce)
 
-type postfix_spool_bounce_t,  postfix_spool_type;
+type postfix_spool_bounce_t, postfix_spool_type;
 files_type(postfix_spool_bounce_t)
 
 postfix_server_domain_template(cleanup)
@@ -35,21 +34,12 @@ application_executable_file(postfix_exec_t)
 postfix_server_domain_template(local)
 mta_mailserver_delivery(postfix_local_t)
 
-# Handle vacation script
-mta_send_mail(postfix_local_t)
-
-userdom_read_user_home_content_files(postfix_local_t)
-
-tunable_policy(`allow_postfix_local_write_mail_spool',`
-	mta_manage_spool(postfix_local_t)
-')
-
 # Program for creating database files
 type postfix_map_t;
 type postfix_map_exec_t;
 application_domain(postfix_map_t, postfix_map_exec_t)
 role system_r types postfix_map_t;
-     
+
 type postfix_map_tmp_t;
 files_tmp_file(postfix_map_tmp_t)
 
@@ -116,10 +106,10 @@ mta_mailserver_delivery(postfix_virtual_t)
 
 # chown is to set the correct ownership of queue dirs
 allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
+allow postfix_master_t self:process setrlimit;
 allow postfix_master_t self:fifo_file rw_fifo_file_perms;
 allow postfix_master_t self:tcp_socket create_stream_socket_perms;
 allow postfix_master_t self:udp_socket create_socket_perms;
-allow postfix_master_t self:process setrlimit;
 
 allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
 allow postfix_master_t postfix_etc_t:file rw_file_perms;
@@ -130,11 +120,11 @@ can_exec(postfix_master_t, postfix_exec_t)
 allow postfix_master_t postfix_data_t:dir manage_dir_perms;
 allow postfix_master_t postfix_data_t:file manage_file_perms;
 
-allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
+allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms lock };
 
-allow postfix_master_t postfix_postdrop_exec_t:file getattr;
+allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms;
 
-allow postfix_master_t postfix_postqueue_exec_t:file getattr;
+allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms;
 
 manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
 manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
@@ -154,7 +144,7 @@ manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
 files_spool_filetrans(postfix_master_t, postfix_spool_t, dir)
 
 allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
-allow postfix_master_t postfix_spool_bounce_t:file getattr;
+allow postfix_master_t postfix_spool_bounce_t:file getattr_file_perms;
 
 manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
 manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
@@ -249,7 +239,7 @@ allow postfix_bounce_t self:capability dac_read_search;
 allow postfix_bounce_t self:tcp_socket create_socket_perms;
 
 allow postfix_bounce_t postfix_public_t:sock_file write;
-allow postfix_bounce_t postfix_public_t:dir search;
+allow postfix_bounce_t postfix_public_t:dir search_dir_perms;
 
 manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
 manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
@@ -293,8 +283,8 @@ optional_policy(`
 # Postfix local local policy
 #
 
-allow postfix_local_t self:fifo_file rw_fifo_file_perms;
 allow postfix_local_t self:process { setsched setrlimit };
+allow postfix_local_t self:fifo_file rw_fifo_file_perms;
 
 # connect to master process
 stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
@@ -302,6 +292,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
 # for .forward - maybe we need a new type for it?
 rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
 
+domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+
 allow postfix_local_t postfix_spool_t:file rw_file_perms;
 
 corecmd_exec_shell(postfix_local_t)
@@ -315,10 +307,14 @@ mta_read_aliases(postfix_local_t)
 mta_delete_spool(postfix_local_t)
 # For reading spamassasin
 mta_read_config(postfix_local_t)
+# Handle vacation script
+mta_send_mail(postfix_local_t)
 
-domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
-# Might be a leak, but I need a postfix expert to explain
-allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
+userdom_read_user_home_content_files(postfix_local_t)
+
+tunable_policy(`allow_postfix_local_write_mail_spool',`
+	mta_manage_spool(postfix_local_t)
+')
 
 optional_policy(`
 	clamav_search_lib(postfix_local_t)
@@ -427,8 +423,8 @@ delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_m
 # Postfix pipe local policy
 #
 
-allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
 allow postfix_pipe_t self:process setrlimit;
+allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
 
 write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
 
@@ -476,6 +472,9 @@ allow postfix_postdrop_t self:capability sys_resource;
 allow postfix_postdrop_t self:tcp_socket create;
 allow postfix_postdrop_t self:udp_socket create_socket_perms;
 
+# Might be a leak, but I need a postfix expert to explain
+allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
+
 rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
 
 postfix_list_spool(postfix_postdrop_t)
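Review bot: The moved rule `allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };` still carries the "Might be a leak" comment, so the new code keeps granting an inter-domain channel nobody has justified; postdrop is the setgid program unprivileged senders run, so an open read/write path back to the local delivery agent's socket is worth pinning down rather than carrying forward. If the socket is only an fd inherited across the `domtrans_pattern` from postfix_local_t and postdrop never uses it, the rule should become `dontaudit postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };` and the leak fixed upstream with close-on-exec; if postdrop does use it, the comment should say what for. Either way the current wording should be replaced by a comment stating which case applies.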
@@ -559,7 +558,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
 
 allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
 allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
-allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };
+allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms;
 
 corecmd_exec_bin(postfix_qmgr_t)
 
@@ -579,7 +578,7 @@ postfix_list_spool(postfix_showq_t)
 
 allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
 allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
-allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read };
+allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
 
 # to write the mailq output, it really should not need read access!
 term_use_all_ptys(postfix_showq_t)
@@ -656,8 +655,8 @@ optional_policy(`
 # Postfix virtual local policy
 #
 
-allow postfix_virtual_t self:fifo_file rw_fifo_file_perms;
 allow postfix_virtual_t self:process { setsched setrlimit };
+allow postfix_virtual_t self:fifo_file rw_fifo_file_perms;
 
 allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
 
diff --git a/policy/modules/services/postfixpolicyd.te b/policy/modules/services/postfixpolicyd.te
index 7257526..7d73656 100644
--- a/policy/modules/services/postfixpolicyd.te
+++ b/policy/modules/services/postfixpolicyd.te
@@ -23,14 +23,14 @@ files_pid_file(postfix_policyd_var_run_t)
 # Local Policy
 #
 
-allow postfix_policyd_t self:tcp_socket create_stream_socket_perms;
 allow postfix_policyd_t self:capability { sys_resource sys_chroot setgid setuid };
 allow postfix_policyd_t self:process setrlimit;
-allow postfix_policyd_t self:unix_dgram_socket { connect create write};
+allow postfix_policyd_t self:tcp_socket create_stream_socket_perms;
+allow postfix_policyd_t self:unix_dgram_socket create_socket_perms;
 
 allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms;
 allow postfix_policyd_t postfix_policyd_conf_t:file read_file_perms;
-allow postfix_policyd_t postfix_policyd_conf_t:lnk_file { getattr read };
+allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms;
 
 manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
 files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 4a85c12..b4101fa 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -15,16 +15,16 @@ gen_require(`
 #
 
 ## <desc>
-## <p>
-## Allow unprived users to execute DDL statement
-## </p>
+##	<p>
+##	Allow unprived users to execute DDL statement
+##	</p>
 ## </desc>
 gen_tunable(sepgsql_enable_users_ddl, true)
 
 ## <desc>
-## <p>
-## Allow database admins to execute DML statement
-## </p>
+##	<p>
+##	Allow database admins to execute DML statement
+##	</p>
 ## </desc>
 gen_tunable(sepgsql_unconfined_dbadm, true)
 
@@ -185,7 +185,7 @@ allow postgresql_t postgresql_etc_t:dir list_dir_perms;
 read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
 read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
 
-allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
+allow postgresql_t postgresql_exec_t:lnk_file read_lnk_file_perms;
 can_exec(postgresql_t, postgresql_exec_t )
 
 allow postgresql_t postgresql_lock_t:file manage_file_perms;
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
index 74f07f8..d32a0d2 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0)
 #
 
 ## <desc>
-## <p>
-## Allow pppd to load kernel modules for certain modems
-## </p>
+##	<p>
+##	Allow pppd to load kernel modules for certain modems
+##	</p>
 ## </desc>
 gen_tunable(pppd_can_insmod, false)
 
 ## <desc>
-## <p>
-## Allow pppd to be run for a regular user
-## </p>
+##	<p>
+##	Allow pppd to be run for a regular user
+##	</p>
 ## </desc>
 gen_tunable(pppd_for_user, false)
 
@@ -84,11 +84,11 @@ allow pppd_t self:packet_socket create_socket_perms;
 
 domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
 
-allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr };
+allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
 
 allow pppd_t pppd_etc_t:dir rw_dir_perms;
 allow pppd_t pppd_etc_t:file read_file_perms;
-allow pppd_t pppd_etc_t:lnk_file { getattr read };
+allow pppd_t pppd_etc_t:lnk_file read_lnk_file_perms;
 
 manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t)
 # Automatically label newly created files under /etc/ppp with this type
diff --git a/policy/modules/services/prelude.te b/policy/modules/services/prelude.te
index 7e84587..7a7310d 100644
--- a/policy/modules/services/prelude.te
+++ b/policy/modules/services/prelude.te
@@ -35,7 +35,6 @@ files_pid_file(prelude_audisp_var_run_t)
 type prelude_correlator_t;
 type prelude_correlator_exec_t;
 init_daemon_domain(prelude_correlator_t, prelude_correlator_exec_t)
-role system_r types prelude_correlator_t;
 
 type prelude_correlator_config_t;
 files_config_file(prelude_correlator_config_t)
@@ -210,8 +209,8 @@ prelude_manage_spool(prelude_correlator_t)
 #
 
 allow prelude_lml_t self:capability dac_override;
-allow prelude_lml_t self:tcp_socket { write getattr setopt read create connect };
-allow prelude_lml_t self:unix_dgram_socket { write create connect };
+allow prelude_lml_t self:tcp_socket { setopt create_socket_perms };
+allow prelude_lml_t self:unix_dgram_socket create_socket_perms;
 allow prelude_lml_t self:fifo_file rw_fifo_file_perms;
 allow prelude_lml_t self:unix_stream_socket connectto;
 
diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te
index 19138e1..2404ddc 100644
--- a/policy/modules/services/privoxy.te
+++ b/policy/modules/services/privoxy.te
@@ -6,10 +6,10 @@ policy_module(privoxy, 1.10.0)
 #
 
 ## <desc>
-## <p>
-## Allow privoxy to connect to all ports, not just
-## HTTP, FTP, and Gopher ports.
-## </p>
+##	<p>
+##	Allow privoxy to connect to all ports, not just
+##	HTTP, FTP, and Gopher ports.
+##	</p>
 ## </desc>
 gen_tunable(privoxy_connect_any, false)
 
diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
index b558811..2a70dd1 100644
--- a/policy/modules/services/procmail.te
+++ b/policy/modules/services/procmail.te
@@ -35,7 +35,7 @@ allow procmail_t self:udp_socket create_socket_perms;
 can_exec(procmail_t, procmail_exec_t)
 
 # Write log to /var/log/procmail.log or /var/log/procmail/.*
-allow procmail_t procmail_log_t:dir setattr;
+allow procmail_t procmail_log_t:dir setattr_dir_perms;
 create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
 append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
 read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
index 9587224..80c1f5d 100644
--- a/policy/modules/services/puppet.te
+++ b/policy/modules/services/puppet.te
@@ -6,10 +6,10 @@ policy_module(puppet, 1.0.0)
 #
 
 ## <desc>
-## <p>
-## Allow Puppet client to manage all file
-## types.
-## </p>
+##	<p>
+##	Allow Puppet client to manage all file
+##	types.
+##	</p>
 ## </desc>
 gen_tunable(puppet_manage_all_files, false)
 
@@ -176,8 +176,8 @@ allow puppetmaster_t self:udp_socket create_socket_perms;
 list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
 read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
 
-allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr };
-allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr };
+allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr_dir_perms };
+allow puppetmaster_t puppet_log_t:file { rw_file_perms create_file_perms setattr_file_perms };
 logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
 allow puppetmaster_t puppet_log_t:file relabel_file_perms;
 
diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te
index 2f03bad..d455637 100644
--- a/policy/modules/services/pyzor.te
+++ b/policy/modules/services/pyzor.te
@@ -5,21 +5,12 @@ policy_module(pyzor, 2.1.0)
 # Declarations
 #
 
-
 ifdef(`distro_redhat',`
-
 	gen_require(`
-		type spamc_t;
-		type spamc_exec_t;
-		type spamd_t;
-		type spamd_initrc_exec_t;
-		type spamd_exec_t;
-		type spamc_tmp_t;
-		type spamd_log_t;
-		type spamd_var_lib_t;
-		type spamd_etc_t;
-		type spamc_tmp_t;
-		type spamc_home_t;
+		type spamc_t, spamc_exec_t, spamd_t;
+		type spamd_initrc_exec_t, spamd_exec_t, spamc_tmp_t;
+		type spamd_log_t, spamd_var_lib_t, spamd_etc_t;
+		type spamc_tmp_t, spamc_home_t;
 	')
 
 	typealias spamc_t alias pyzor_t;
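Review bot: The compacted `gen_require` still declares `spamc_tmp_t` twice (second line and fourth line of the new block), a duplicate that was already present in the old one-per-line form and survived the rewrite. Drop the repeat so the last line reads `type spamc_home_t;` or fold it into the previous line: `type spamd_log_t, spamd_var_lib_t, spamd_etc_t, spamc_home_t;`.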
@@ -34,43 +25,41 @@ ifdef(`distro_redhat',`
 	typealias spamd_etc_t alias pyzor_etc_t;
 	typealias spamc_home_t alias pyzor_home_t;
 	typealias spamc_home_t alias user_pyzor_home_t;
-
 ',`
-
-type pyzor_t;
-type pyzor_exec_t;
-typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t };
-typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t };
-application_domain(pyzor_t, pyzor_exec_t)
-ubac_constrained(pyzor_t)
-role system_r types pyzor_t;
-
-type pyzor_etc_t;
-files_type(pyzor_etc_t)
-
-type pyzor_home_t;
-typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t };
-typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t };
-userdom_user_home_content(pyzor_home_t)
-
-type pyzor_tmp_t;
-typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t };
-typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t };
-files_tmp_file(pyzor_tmp_t)
-ubac_constrained(pyzor_tmp_t)
-
-type pyzor_var_lib_t;
-typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t };
-typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t };
-files_type(pyzor_var_lib_t)
-ubac_constrained(pyzor_var_lib_t)
-
-type pyzord_t;
-type pyzord_exec_t;
-init_daemon_domain(pyzord_t, pyzord_exec_t)
-
-type pyzord_log_t;
-logging_log_file(pyzord_log_t)
+	type pyzor_t;
+	type pyzor_exec_t;
+	typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t };
+	typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t };
+	application_domain(pyzor_t, pyzor_exec_t)
+	ubac_constrained(pyzor_t)
+	role system_r types pyzor_t;
+
+	type pyzor_etc_t;
+	files_type(pyzor_etc_t)
+
+	type pyzor_home_t;
+	typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t };
+	typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t };
+	userdom_user_home_content(pyzor_home_t)
+
+	type pyzor_tmp_t;
+	typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t };
+	typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t };
+	files_tmp_file(pyzor_tmp_t)
+	ubac_constrained(pyzor_tmp_t)
+
+	type pyzor_var_lib_t;
+	typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t };
+	typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t };
+	files_type(pyzor_var_lib_t)
+	ubac_constrained(pyzor_var_lib_t)
+
+	type pyzord_t;
+	type pyzord_exec_t;
+	init_daemon_domain(pyzord_t, pyzord_exec_t)
+
+	type pyzord_log_t;
+	logging_log_file(pyzord_log_t)
 ')
 
 ########################################
@@ -148,8 +137,8 @@ allow pyzord_t pyzor_etc_t:dir list_dir_perms;
 can_exec(pyzord_t, pyzor_exec_t)
 
 manage_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
-allow pyzord_t pyzord_log_t:dir setattr;
-logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir } )
+allow pyzord_t pyzord_log_t:dir setattr_dir_perms;
+logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir })
 
 kernel_read_kernel_sysctls(pyzord_t)
 kernel_read_system_state(pyzord_t)
diff --git a/policy/modules/services/qmail.te b/policy/modules/services/qmail.te
index 1b01d75..54329f9 100644
--- a/policy/modules/services/qmail.te
+++ b/policy/modules/services/qmail.te
@@ -60,7 +60,7 @@ application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
 ########################################
 #
 # qmail-clean local policy
-#   this component cleans up the queue directory
+#	this component cleans up the queue directory
 #
 
 read_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
@@ -69,11 +69,11 @@ delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
 ########################################
 #
 # qmail-inject local policy
-#   this component preprocesses mail from stdin and invokes qmail-queue
+#	this component preprocesses mail from stdin and invokes qmail-queue
 #
 
-allow qmail_inject_t self:fifo_file write_fifo_file_perms;
 allow qmail_inject_t self:process signal_perms;
+allow qmail_inject_t self:fifo_file write_fifo_file_perms;
 
 allow qmail_inject_t qmail_queue_exec_t:file read_file_perms;
 
@@ -88,11 +88,11 @@ qmail_read_config(qmail_inject_t)
 ########################################
 #
 # qmail-local local policy
-#   this component delivers a mail message
+#	this component delivers a mail message
 #
 
-allow qmail_local_t self:fifo_file write_file_perms;
 allow qmail_local_t self:process signal_perms;
+allow qmail_local_t self:fifo_file write_file_perms;
 allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
 
 manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
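Review bot: The relocated rule `allow qmail_local_t self:fifo_file write_file_perms;` keeps a file-class permission set on a fifo_file object, while the parallel qmail_inject_t rule in the previous hunk and the other fifo_file rules in this file use `write_fifo_file_perms`. Since the commit already rewrites this line, changing it to `allow qmail_local_t self:fifo_file write_fifo_file_perms;` would make the object class and the permission-set macro agree. The two macros may expand to the same permissions in this policy version, so this is a consistency point rather than a behaviour change; if they differ, the fifo variant is the one the rest of the file relies on.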
@@ -131,7 +131,7 @@ optional_policy(`
 ########################################
 #
 # qmail-lspawn local policy
-#   this component schedules local deliveries
+#	this component schedules local deliveries
 #
 
 allow qmail_lspawn_t self:capability { setuid setgid };
@@ -154,15 +154,15 @@ files_search_tmp(qmail_lspawn_t)
 ########################################
 #
 # qmail-queue local policy
-#   this component places a mail in a delivery queue, later to be processed by qmail-send
+#	this component places a mail in a delivery queue, later to be processed by qmail-send
 #
 
 allow qmail_queue_t qmail_lspawn_t:fd use;
 allow qmail_queue_t qmail_lspawn_t:fifo_file write_fifo_file_perms;
 
+allow qmail_queue_t qmail_smtpd_t:process sigchld;
 allow qmail_queue_t qmail_smtpd_t:fd use;
 allow qmail_queue_t qmail_smtpd_t:fifo_file read_fifo_file_perms;
-allow qmail_queue_t qmail_smtpd_t:process sigchld;
 
 manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
 manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
@@ -179,7 +179,7 @@ optional_policy(`
 ########################################
 #
 # qmail-remote local policy
-#   this component sends mail via SMTP
+#	this component sends mail via SMTP
 #
 
 allow qmail_remote_t self:tcp_socket create_socket_perms;
@@ -206,7 +206,7 @@ sysnet_read_config(qmail_remote_t)
 ########################################
 #
 # qmail-rspawn local policy
-#   this component scedules remote deliveries
+#	this component scedules remote deliveries
 #
 
 allow qmail_rspawn_t self:process signal_perms;
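Review bot: The reindented header comment still carries the typo `scedules`; since the line is being rewritten anyway, it should read `#	this component schedules remote deliveries`. Documentation only, no policy change.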
@@ -221,7 +221,7 @@ corecmd_search_bin(qmail_rspawn_t)
 ########################################
 #
 # qmail-send local policy
-#   this component delivers mail messages from the queue
+#	this component delivers mail messages from the queue
 #
 
 allow qmail_send_t self:process signal_perms;
@@ -240,7 +240,7 @@ optional_policy(`
 ########################################
 #
 # qmail-smtpd local policy
-#   this component receives mails via SMTP
+#	this component receives mails via SMTP
 #
 
 allow qmail_smtpd_t self:process signal_perms;
@@ -269,7 +269,7 @@ optional_policy(`
 ########################################
 #
 # splogger local policy
-#   this component creates entries in syslog
+#	this component creates entries in syslog
 #
 
 allow qmail_splogger_t self:unix_dgram_socket create_socket_perms;
@@ -283,13 +283,13 @@ miscfiles_read_localization(qmail_splogger_t)
 ########################################
 #
 # qmail-start local policy
-#   this component starts up the mail delivery component
+#	this component starts up the mail delivery component
 #
 
 allow qmail_start_t self:capability { setgid setuid };
 dontaudit qmail_start_t self:capability sys_tty_config;
-allow qmail_start_t self:fifo_file rw_fifo_file_perms;
 allow qmail_start_t self:process signal_perms;
+allow qmail_start_t self:fifo_file rw_fifo_file_perms;
 
 can_exec(qmail_start_t, qmail_start_exec_t)
 
@@ -307,7 +307,7 @@ optional_policy(`
 ########################################
 #
 # tcp-env local policy
-#   this component sets up TCP-related environment variables
+#	this component sets up TCP-related environment variables
 #
 
 allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms;
diff --git a/policy/modules/services/qpidd.te b/policy/modules/services/qpidd.te
index cf9a327..43639a0 100644
--- a/policy/modules/services/qpidd.te
+++ b/policy/modules/services/qpidd.te
@@ -1,4 +1,4 @@
-policy_module(qpidd,1.0.0)
+policy_module(qpidd, 1.0.0)
 
 ########################################
 #
@@ -32,7 +32,7 @@ allow qpidd_t self:unix_stream_socket create_stream_socket_perms;
 
 manage_dirs_pattern(qpidd_t, qpidd_var_lib_t,  qpidd_var_lib_t)
 manage_files_pattern(qpidd_t, qpidd_var_lib_t,  qpidd_var_lib_t)
-files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir } )
+files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir })
 
 manage_dirs_pattern(qpidd_t, qpidd_var_run_t,  qpidd_var_run_t)
 manage_files_pattern(qpidd_t, qpidd_var_run_t,  qpidd_var_run_t)
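Review bot: The whitespace fix on `files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir })` leaves the double space before the third argument in the four manage_*_pattern lines surrounding it untouched. If the intent of the commit is whitespace normalization, those could be collapsed in the same hunk, e.g. `manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)` and `manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)`. This is purely cosmetic; m4 ignores the extra space, so the compiled policy is unaffected either way.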