diff --git a/refpolicy/policy/modules/services/dbus.te b/refpolicy/policy/modules/services/dbus.te
index f1438ed..e8ecba6 100644
--- a/refpolicy/policy/modules/services/dbus.te
+++ b/refpolicy/policy/modules/services/dbus.te
@@ -50,6 +50,7 @@ files_create_tmp_files(system_dbusd_t, system_dbusd_tmp_t, { file dir })
 allow system_dbusd_t system_dbusd_var_run_t:file create_file_perms;
 allow system_dbusd_t system_dbusd_var_run_t:sock_file create_file_perms;
+allow system_dbusd_t system_dbusd_var_run_t:dir rw_dir_perms;
 files_create_pid(system_dbusd_t,system_dbusd_var_run_t)
 kernel_read_system_state(system_dbusd_t)
diff --git a/refpolicy/policy/modules/services/howl.te b/refpolicy/policy/modules/services/howl.te
index ae49234..f1d0dbe 100644
--- a/refpolicy/policy/modules/services/howl.te
+++ b/refpolicy/policy/modules/services/howl.te
@@ -20,8 +20,10 @@ files_pid_file(howl_var_run_t)
 allow howl_t self:capability { kill net_admin };
 dontaudit howl_t self:capability sys_tty_config;
+allow howl_t self:process signal_perms;
 allow howl_t self:fifo_file rw_file_perms;
 allow howl_t self:tcp_socket create_stream_socket_perms;
+allow howl_t self:udp_socket create_socket_perms;
 allow howl_t howl_var_run_t:file create_file_perms;
 files_create_pid(howl_t,howl_var_run_t)
@@ -33,13 +35,16 @@ kernel_list_proc(howl_t)
 kernel_read_proc_symlinks(howl_t)
 corenet_tcp_sendrecv_all_if(howl_t)
+corenet_udp_sendrecv_all_if(howl_t)
 corenet_raw_sendrecv_all_if(howl_t)
 corenet_tcp_sendrecv_all_nodes(howl_t)
+corenet_udp_sendrecv_all_nodes(howl_t)
 corenet_raw_sendrecv_all_nodes(howl_t)
 corenet_tcp_sendrecv_all_ports(howl_t)
+corenet_udp_sendrecv_all_ports(howl_t)
 corenet_tcp_bind_all_nodes(howl_t)
+corenet_udp_bind_all_nodes(howl_t)
 corenet_tcp_bind_howl_port(howl_t)
-# cjp: why udp bind if it has no other UDP perms?
 corenet_udp_bind_howl_port(howl_t)
 dev_read_sysfs(howl_t)
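Review bot: `corenet_udp_sendrecv_all_ports(howl_t)` in the second howl.te hunk is wider than the bind rule beside it: the domain binds only the howl port (`corenet_udp_bind_howl_port(howl_t)`), yet the new rule lets a domain that also holds `net_admin` send and receive UDP on every labeled port. If corenetwork provides it, `corenet_udp_sendrecv_howl_port(howl_t)` would match the existing bind rule and keep the grant to what mDNS traffic needs; if the all-ports grant is intended, a one-line comment in place of the removed `cjp` question, such as `# howl exchanges UDP with arbitrary source ports`, would record why. The other additions (`self:process signal_perms`, `self:udp_socket create_socket_perms`, the per-interface and per-node UDP rules) mirror the existing TCP rules and look reasonable.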
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 10118fe..b9e3310 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -9,7 +9,7 @@ policy_module(hotplug, 1.0)
 type hotplug_t;
 type hotplug_exec_t;
 kernel_userland_entry(hotplug_t,hotplug_exec_t)
-init_system_domain(hotplug_t,hotplug_exec_t)
+init_daemon_domain(hotplug_t,hotplug_exec_t)
 type hotplug_etc_t; #, usercanread;
 files_type(hotplug_etc_t)
@@ -52,11 +52,15 @@ kernel_read_net_sysctl(hotplug_t)
 bootloader_read_kernel_modules(hotplug_t)
 corenet_tcp_sendrecv_all_if(hotplug_t)
+corenet_udp_sendrecv_all_if(hotplug_t)
 corenet_raw_sendrecv_all_if(hotplug_t)
 corenet_tcp_sendrecv_all_nodes(hotplug_t)
+corenet_udp_sendrecv_all_nodes(hotplug_t)
 corenet_raw_sendrecv_all_nodes(hotplug_t)
 corenet_tcp_sendrecv_all_ports(hotplug_t)
+corenet_udp_sendrecv_all_ports(hotplug_t)
 corenet_tcp_bind_all_nodes(hotplug_t)
+corenet_udp_bind_all_nodes(hotplug_t)
 dev_rw_sysfs(hotplug_t)
 dev_read_usbfs(hotplug_t)
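Review bot: The four `corenet_udp_*` rules added in the second hotplug.te hunk have no matching `self:udp_socket` allow in this diff, so unless hotplug.te already carries `allow hotplug_t self:udp_socket create_socket_perms;` outside the shown lines, hotplug_t still cannot open a UDP socket and the new interface, node and port rules are unreachable (the howl.te change in the same commit does add that self rule alongside its corenet rules). The grant is also broad for a domain that runs hotplug scripts — send/receive on all interfaces, nodes and ports plus bind on all nodes — so a comment naming which script needs UDP, or a port-specific interface instead of `corenet_udp_sendrecv_all_ports(hotplug_t)`, would let reviewers check it against the actual need. The `init_system_domain` → `init_daemon_domain` switch in the first hunk changes how init enters hotplug_t and appears unrelated to the UDP additions; it deserves a sentence in the commit message.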