diff --git a/refpolicy/policy/modules/services/bind.if b/refpolicy/policy/modules/services/bind.if
index e5469a9..e0f730b 100644
--- a/refpolicy/policy/modules/services/bind.if
+++ b/refpolicy/policy/modules/services/bind.if
@@ -11,9 +11,6 @@ interface(`bind_domtrans_ndc',`
 gen_require(`
 type ndc_t, ndc_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
 ')
 domain_auto_trans($1,ndc_exec_t,ndc_t)
@@ -42,7 +39,6 @@ interface(`bind_domtrans_ndc',`
 interface(`bind_run_ndc',`
 gen_require(`
 type ndc_t;
- class chr_file rw_term_perms;
 ')
 bind_domtrans_ndc($1)
@@ -61,9 +57,6 @@ interface(`bind_run_ndc',`
 interface(`bind_domtrans',`
 gen_require(`
 type named_t, named_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
 ')
 domain_auto_trans($1,named_exec_t,named_t)
@@ -85,8 +78,6 @@ interface(`bind_domtrans',`
 interface(`bind_read_dnssec_keys',`
 gen_require(`
 type named_conf_t, named_zone_t, dnssec_t;
- class dir search;
- class file { getattr read };
 ')
 allow $1 { named_conf_t named_zone_t }:dir search;
@@ -104,8 +95,6 @@ interface(`bind_read_dnssec_keys',`
 interface(`bind_read_config',`
 gen_require(`
 type named_conf_t;
- class dir search;
- class file { getattr read };
 ')
 allow $1 named_conf_t:dir search;
@@ -123,8 +112,6 @@ interface(`bind_read_config',`
 interface(`bind_write_config',`
 gen_require(`
 type named_conf_t;
- class dir search;
- class file { write setattr };
 ')
 allow $1 named_conf_t:dir search;
@@ -143,7 +130,6 @@ interface(`bind_write_config',`
 interface(`bind_manage_config_dir',`
 gen_require(`
 type named_conf_t;
- class dir perms;
 ')
 allow $1 named_conf_t:dir create_dir_perms;
@@ -161,7 +147,6 @@ interface(`bind_manage_config_dir',`
 interface(`bind_setattr_pid_dir',`
 gen_require(`
 type named_var_run_t;
- class dir setattr;
 ')
 allow $1 named_var_run_t:dir setattr;
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 1faa732..7eaca38 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -105,7 +105,8 @@ ifdef(`targeted_policy',`
 allow system_mail_t mqueue_spool_t:file create_file_perms;
 allow system_mail_t mqueue_spool_t:lnk_file create_lnk_perms;
- optional_policy(`postfix.te',`',`
+# cjp: another require-in-else to resolve
+# optional_policy(`postfix.te',`',`
 corecmd_exec_bin(system_mail_t)
 corecmd_exec_sbin(system_mail_t)
@@ -117,7 +118,7 @@ ifdef(`targeted_policy',`
 libs_use_shared_libs(system_mail_t)
 libs_exec_ld_so(system_mail_t)
 libs_exec_lib_files(system_mail_t)
- ')
+# ')
 ')
 optional_policy(`apache.te',`
diff --git a/refpolicy/policy/modules/services/mysql.if b/refpolicy/policy/modules/services/mysql.if
index cbda7b4..a19f112 100644
--- a/refpolicy/policy/modules/services/mysql.if
+++ b/refpolicy/policy/modules/services/mysql.if
@@ -99,7 +99,7 @@ interface(`mysql_rw_db_dir',`
 #
 interface(`mysql_manage_db_dir',`
 gen_require(`
- type mysql_db_t;
+ type mysqld_db_t;
 ')
 files_search_var_lib($1)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 7223e0a..740867d 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -1560,11 +1560,15 @@ interface(`userdom_read_staff_home_files',`
 ##
 #
 interface(`userdom_sigchld_sysadm',`
- gen_require(`
- type sysadm_t;
- ')
+ ifdef(`targeted_policy',`
+ unconfined_sigchld($1)
+ ',`
+ gen_require(`
+ type sysadm_t;
+ ')
- allow $1 sysadm_t:process sigchld;
+ allow $1 sysadm_t:process sigchld;
+ ')
 ')
 ########################################
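Review bot: Commenting out the `optional_policy` wrapper for postfix.te in the @@ -105 hunk turns what was its else branch into unconditional policy. `corecmd_exec_bin(system_mail_t)`, `corecmd_exec_sbin(system_mail_t)`, `libs_exec_ld_so(system_mail_t)` and `libs_exec_lib_files(system_mail_t)` now apply even when postfix.te is built in, which widens what `system_mail_t` may execute. The matching `# ')` in the @@ -117 hunk is the other half of the same change; the lines between the two hunks are not visible, so there may be further rules affected. The `cjp:` comment should say this explicitly, for example `# cjp: require-in-else unresolved; rules below are temporarily unconditional (were: only without postfix.te)`, so the broader access is tracked as a workaround rather than read as intended policy.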
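Review bot: The `##` summary above `userdom_sigchld_sysadm` is not updated, although under `targeted_policy` the interface no longer references `sysadm_t` and delegates to `unconfined_sigchld($1)` instead. That summary begins outside the hunk. Someone auditing callers for a `sysadm_t:process sigchld` rule will not find one in targeted builds, so the first branch deserves a comment such as `# targeted policy: no separate sysadm domain, signal the unconfined domain instead`. That rationale is presumed from the change and should be confirmed. The call to `unconfined_sigchld` also has no visible guard, so it assumes the unconfined module is always part of a targeted build.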