diff --git a/policy/modules/services/varnishd.te b/policy/modules/services/varnishd.te
index 95c6dc3..b1446c9 100644
--- a/policy/modules/services/varnishd.te
+++ b/policy/modules/services/varnishd.te
@@ -6,10 +6,10 @@ policy_module(varnishd, 1.1.0)
 #
 ##
-##

-## Allow varnishd to connect to all ports,
-## not just HTTP.
-##

+##

+## Allow varnishd to connect to all ports,
+## not just HTTP.
+##

##
gen_tunable(varnishd_connect_any, false)
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index af8a03e..9930bcb 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -4,54 +4,55 @@ policy_module(virt, 1.4.0)
 #
 # Declarations
 #
+
 attribute virsh_transition_domain;
 ##
-##

-## Allow virt to use serial/parallell communication ports
-##

+##

+## Allow virt to use serial/parallell communication ports
+##

##
gen_tunable(virt_use_comm, false)
 ##
-##

-## Allow virt to read fuse files
-##

+##

+## Allow virt to read fuse files
+##

##
gen_tunable(virt_use_fusefs, false)
 ##
-##

-## Allow virt to manage nfs files
-##

+##

+## Allow virt to manage nfs files
+##

##
gen_tunable(virt_use_nfs, false)
 ##
-##

-## Allow virt to manage cifs files
-##

+##

+## Allow virt to manage cifs files
+##

##
gen_tunable(virt_use_samba, false)
 ##
-##

-## Allow virt to manage device configuration, (pci)
-##

+##

+## Allow virt to manage device configuration, (pci)
+##

##
gen_tunable(virt_use_sysfs, false)
 ##
-##

-## Allow virtual machine to interact with the xserver
-##

+##

+## Allow virtual machine to interact with the xserver
+##

##
gen_tunable(virt_use_xserver, false)
 ##
-##

-## Allow virt to use usb devices
-##

+##

+## Allow virt to use usb devices
+##

##
gen_tunable(virt_use_usb, true)
@@ -205,7 +206,6 @@ optional_policy(`
 allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
 allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
-
 allow virtd_t self:fifo_file rw_fifo_file_perms;
 allow virtd_t self:unix_stream_socket create_stream_socket_perms;
 allow virtd_t self:tcp_socket create_stream_socket_perms;
@@ -577,8 +577,6 @@ typealias virsh_exec_t alias xm_exec_t;
 allow virsh_t self:capability { dac_override ipc_lock sys_tty_config };
 allow virsh_t self:process { getcap getsched setcap signal };
-
-# internal communication is often done using fifo and unix sockets.
 allow virsh_t self:fifo_file rw_fifo_file_perms;
 allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow virsh_t self:tcp_socket create_stream_socket_perms;
@@ -646,7 +644,7 @@ optional_policy(`
 optional_policy(`
 vhostmd_rw_tmpfs_files(virsh_t)
- vhostmd_stream_connect(virsh_t)
+ vhostmd_stream_connect(virsh_t)
 vhostmd_dontaudit_rw_stream_connect(virsh_t)
 ')
@@ -671,4 +669,3 @@ optional_policy(`
 userdom_search_admin_dir(virsh_ssh_t)
 ')
-
diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te
index db526e6..d2bb9c8 100644
--- a/policy/modules/services/vnstatd.te
+++ b/policy/modules/services/vnstatd.te
@@ -1,4 +1,4 @@
-policy_module(vnstatd,1.0.0)
+policy_module(vnstatd, 1.0.0)
 ########################################
 #
@@ -24,13 +24,12 @@ cron_system_entry(vnstat_t, vnstat_exec_t)
 # vnstatd local policy
 #
 allow vnstatd_t self:process { fork signal };
-
 allow vnstatd_t self:fifo_file rw_fifo_file_perms;
 allow vnstatd_t self:unix_stream_socket create_stream_socket_perms;
 manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
 manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
-files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file } )
+files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file })
 domain_use_interactive_fds(vnstatd_t)
@@ -45,13 +44,12 @@ miscfiles_read_localization(vnstatd_t)
 # vnstat local policy
 #
 allow vnstat_t self:process { signal };
-
 allow vnstat_t self:fifo_file rw_fifo_file_perms;
 allow vnstat_t self:unix_stream_socket create_stream_socket_perms;
 manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
 manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
-files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file } )
+files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file })
 kernel_read_network_state(vnstat_t)
 kernel_read_system_state(vnstat_t)
@@ -65,5 +63,3 @@ fs_getattr_xattr_fs(vnstat_t)
 logging_send_syslog_msg(vnstat_t)
 miscfiles_read_localization(vnstat_t)
-
-
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 29d5384..2c08270 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,44 +26,43 @@ gen_require(`
 #
 ##
-##

-## Allows clients to write to the X server shared
-## memory segments.
-##

+##

+## Allows clients to write to the X server shared
+## memory segments.
+##

##
gen_tunable(allow_write_xshm, false)
 ##
-##

-## Allows XServer to execute writable memory
-##

+##

+## Allows XServer to execute writable memory
+##

##
gen_tunable(allow_xserver_execmem, false)
 ##
-##

-## Allow xdm logins as sysadm
-##

+##

+## Allow xdm logins as sysadm
+##

##
gen_tunable(xdm_sysadm_login, false)
 ##
-##

-## Support X userspace object manager
-##

+##

+## Support X userspace object manager
+##

##
gen_tunable(xserver_object_manager, false)
 ##
-##

-## Allow regular users direct dri device access
-##

+##

+## Allow regular users direct dri device access
+##

##
gen_tunable(user_direct_dri, false)
 attribute xdmhomewriter;
 attribute x_userdomain;
-
 attribute x_domain;
 # X Events
@@ -121,12 +120,12 @@ typealias user_input_xevent_t alias { auditadm_input_xevent_t secadm_input_xeven
 type remote_t;
 xserver_object_types_template(remote)
-xserver_common_x_domain_template(remote,remote_t)
+xserver_common_x_domain_template(remote, remote_t)
 type user_fonts_t;
 typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t };
 typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t };
-typealias user_fonts_t alias { xguest_fonts_t unconfined_fonts_t user_fonts_home_t };
+typealias user_fonts_t alias { xguest_fonts_t unconfined_fonts_t user_fonts_home_t };
 userdom_user_home_content(user_fonts_t)
 type user_fonts_cache_t;
@@ -153,7 +152,7 @@ ubac_constrained(iceauth_t)
 type iceauth_home_t;
 typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t };
 typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t };
-typealias iceauth_home_t alias { xguest_iceauth_home_t };
+typealias iceauth_home_t alias { xguest_iceauth_home_t };
 files_poly_member(iceauth_home_t)
 userdom_user_home_content(iceauth_home_t)
@@ -292,13 +291,13 @@ tunable_policy(`use_samba_home_dirs',`
 fs_manage_cifs_files(iceauth_t)
 ')
-ifdef(`hide_broken_symptoms', `
+ifdef(`hide_broken_symptoms',`
 dev_dontaudit_read_urand(iceauth_t)
 dev_dontaudit_rw_dri(iceauth_t)
 dev_dontaudit_rw_generic_dev_nodes(iceauth_t)
 fs_dontaudit_list_inotifyfs(iceauth_t)
 fs_dontaudit_rw_anon_inodefs_files(iceauth_t)
- term_dontaudit_use_unallocated_ttys(iceauth_t)
+ term_dontaudit_use_unallocated_ttys(iceauth_t)
 userdom_dontaudit_read_user_home_content_files(iceauth_t)
 userdom_dontaudit_write_user_home_content_files(iceauth_t)
@@ -362,13 +361,13 @@ userdom_use_user_terminals(xauth_t)
 userdom_read_user_tmp_files(xauth_t)
 userdom_read_all_users_state(xauth_t)
-ifdef(`hide_broken_symptoms', `
- fs_dontaudit_rw_anon_inodefs_files(xauth_t)
- fs_dontaudit_list_inotifyfs(xauth_t)
- userdom_manage_user_home_content_files(xauth_t)
- userdom_manage_user_tmp_files(xauth_t)
- dev_dontaudit_rw_generic_dev_nodes(xauth_t)
- miscfiles_read_fonts(xauth_t)
+ifdef(`hide_broken_symptoms',`
+ fs_dontaudit_rw_anon_inodefs_files(xauth_t)
+ fs_dontaudit_list_inotifyfs(xauth_t)
+ userdom_manage_user_home_content_files(xauth_t)
+ userdom_manage_user_tmp_files(xauth_t)
+ dev_dontaudit_rw_generic_dev_nodes(xauth_t)
+ miscfiles_read_fonts(xauth_t)
 ')
 xserver_rw_xdm_tmp_files(xauth_t)
@@ -382,8 +381,8 @@ tunable_policy(`use_samba_home_dirs',`
 fs_manage_cifs_files(xauth_t)
 ')
-ifdef(`hide_broken_symptoms', `
- term_dontaudit_use_unallocated_ttys(xauth_t)
+ifdef(`hide_broken_symptoms',`
+ term_dontaudit_use_unallocated_ttys(xauth_t)
 dev_dontaudit_rw_dri(xauth_t)
 ')
@@ -470,7 +469,7 @@ manage_dirs_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
 manage_files_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
 files_spool_filetrans(xdm_t, xdm_spool_t, { file dir })
-manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
+manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
 manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
 manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
 manage_sock_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
@@ -728,10 +727,8 @@ optional_policy(`
 optional_policy(`
 networkmanager_dbus_chat(xdm_t)
 ')
-
 ')
-
 optional_policy(`
 # Talk to the console mouse server.
 gpm_stream_connect(xdm_t)
@@ -763,7 +760,7 @@ optional_policy(`
 ')
 optional_policy(`
- policykit_dbus_chat(xdm_t)
+ policykit_dbus_chat(xdm_t)
 policykit_domtrans_auth(xdm_t)
 policykit_read_lib(xdm_t)
 policykit_read_reload(xdm_t)
@@ -822,13 +819,13 @@ optional_policy(`
 unconfined_signal(xdm_t)
 ')
- ifndef(`distro_redhat',`
- allow xdm_t self:process { execheap execmem };
- ')
+ifndef(`distro_redhat',`
+ allow xdm_t self:process { execheap execmem };
+')
- ifdef(`distro_rhel4',`
- allow xdm_t self:process { execheap execmem };
- ')
+ifdef(`distro_rhel4',`
+ allow xdm_t self:process { execheap execmem };
+')
 optional_policy(`
 userhelper_dontaudit_search_config(xdm_t)
@@ -912,11 +909,11 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
-manage_dirs_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)
+manage_dirs_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)
 manage_files_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)
 files_var_lib_filetrans(xserver_t, xserver_var_lib_t, dir)
-manage_dirs_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)
+manage_dirs_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)
 manage_files_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)
 manage_sock_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
 files_pid_filetrans(xserver_t, xserver_var_run_t, { file dir })
diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te
index 3509088..b72ec20 100644
--- a/policy/modules/services/zarafa.te
+++ b/policy/modules/services/zarafa.te
@@ -47,7 +47,7 @@ files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir })
 # zarafa_server local policy
 #
-allow zarafa_server_t self:capability { chown kill net_bind_service};
+allow zarafa_server_t self:capability { chown kill net_bind_service };
 allow zarafa_server_t self:process { setrlimit signal };
 corenet_tcp_bind_zarafa_port(zarafa_server_t)
@@ -73,7 +73,7 @@ optional_policy(`
 #
 allow zarafa_spooler_t self:capability { chown kill };
-allow zarafa_spooler_t self:process { signal };
+allow zarafa_spooler_t self:process { signal };
 corenet_tcp_connect_smtp_port(zarafa_spooler_t)
@@ -110,7 +110,6 @@ allow zarafa_monitor_t self:capability chown; # bad permission on /etc/zarafa
 allow zarafa_domain self:capability { dac_override setgid setuid };
-
 allow zarafa_domain self:fifo_file rw_fifo_file_perms;
 allow zarafa_domain self:tcp_socket create_stream_socket_perms;
 allow zarafa_domain self:unix_stream_socket create_stream_socket_perms;
diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te
index c349adc..24b60e7 100644
--- a/policy/modules/services/zebra.te
+++ b/policy/modules/services/zebra.te
@@ -6,9 +6,9 @@ policy_module(zebra, 1.11.1)
 #
 ##
-##

-## Allow zebra daemon to write it configuration files
-##

+##

+## Allow zebra daemon to write it configuration files
+##

##
# gen_tunable(allow_zebra_write_config, false)