diff --git a/policy/modules/admin/amanda.if b/policy/modules/admin/amanda.if index aa9d193..649099f 100644 --- a/policy/modules/admin/amanda.if +++ b/policy/modules/admin/amanda.if @@ -141,3 +141,23 @@ interface(`amanda_append_log_files',` allow $1 amanda_log_t:file { read_file_perms append_file_perms }; ') + +####################################### +## +## Search amanda var library directories. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`amanda_search_var_lib',` + gen_require(` + type amanda_var_lib_t; + ') + + files_search_var_lib($1) + allow $1 amanda_var_lib_t:dir search_dir_perms; + +') diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te index 38eda34..9c9a23f 100644 --- a/policy/modules/admin/amanda.te +++ b/policy/modules/admin/amanda.te @@ -1,5 +1,5 @@ -policy_module(amanda,1.7.0) +policy_module(amanda,1.7.1) ####################################### # @@ -74,7 +74,6 @@ allow amanda_t self:unix_stream_socket create_stream_socket_perms; allow amanda_t self:unix_dgram_socket create_socket_perms; allow amanda_t self:tcp_socket create_stream_socket_perms; allow amanda_t self:udp_socket create_socket_perms; -allow amanda_t self:netlink_route_socket r_netlink_socket_perms; # access to amanda_amandates_t allow amanda_t amanda_amandates_t:file { getattr lock read write }; @@ -151,27 +150,17 @@ files_getattr_all_sockets(amanda_t) corecmd_exec_shell(amanda_t) corecmd_exec_bin(amanda_t) +auth_use_nsswitch(amanda_t) +auth_read_shadow(amanda_t) + libs_use_ld_so(amanda_t) libs_use_shared_libs(amanda_t) -sysnet_read_config(amanda_t) - -optional_policy(` - auth_read_shadow(amanda_t) -') optional_policy(` logging_send_syslog_msg(amanda_t) ') -optional_policy(` - nis_use_ypbind(amanda_t) -') - -optional_policy(` - nscd_socket_use(amanda_t) -') - ######################################## # # Amanda recover local policy 
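Review bot: The new `amanda_search_var_lib` interface requires `amanda_var_lib_t` via `gen_require`, but no declaration of that type is visible in this patch, so the build will fail unless amanda.te already declares it with `files_type` — worth confirming before merging. Nothing in the diff calls the new interface either; refpolicy normally lands an interface together with its first caller so that the grant can be reviewed in context, and if a caller exists in another module it should be mentioned in the commit message. As a style point, the stray blank line before the closing `')` does not match the other interfaces in this file and should be dropped.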
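Review bot: `auth_read_shadow(amanda_t)` moves out of its `optional_policy` wrapper and becomes an unconditional grant with no comment on why a backup domain needs to read shadow_t; a one-liner such as `# backing up /etc requires reading shadow_t` (if that is indeed the reason) would stop the next reader from treating it as accidental. Dropping the wrapper is only correct because auth is part of the base module set in refpolicy, which is worth confirming for this tree. The removal of `sysnet_read_config`, `nis_use_ypbind`, `nscd_socket_use` and (in the earlier hunk) the `netlink_route_socket` rule presumably relies on the new `auth_use_nsswitch(amanda_t)` covering all of them; if `auth_use_nsswitch` in this tree does not grant `self:netlink_route_socket`, name resolution in amanda_t will start producing AVC denials.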
@@ -228,6 +217,8 @@ files_read_etc_runtime_files(amanda_recover_t) files_search_tmp(amanda_recover_t) files_search_pids(amanda_recover_t) +auth_use_nsswitch(amanda_recover_t) + fstools_domtrans(amanda_t) libs_use_ld_so(amanda_recover_t) @@ -237,14 +228,4 @@ logging_search_logs(amanda_recover_t) miscfiles_read_localization(amanda_recover_t) -sysnet_read_config(amanda_recover_t) - userdom_search_sysadm_home_content_dirs(amanda_recover_t) - -optional_policy(` - nis_use_ypbind(amanda_recover_t) -') - -optional_policy(` - nscd_socket_use(amanda_recover_t) -') diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc index 510b2f8..a585a8a 100644 --- a/policy/modules/services/bind.fc +++ b/policy/modules/services/bind.fc @@ -44,5 +44,8 @@ ifdef(`distro_redhat',` /var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0) /var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0) /var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +/var/named/chroot/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0) /var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0) +/var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) +/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0) ') diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te index d0626fa..21636a7 100644 --- a/policy/modules/services/bind.te +++ b/policy/modules/services/bind.te @@ -1,5 +1,5 @@ -policy_module(bind,1.5.1) +policy_module(bind,1.5.2) ######################################## # 
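Review bot: The new `auth_use_nsswitch(amanda_recover_t)` line is immediately followed by the pre-existing `fstools_domtrans(amanda_t)`, which sits in the amanda_recover section where every other rule targets amanda_recover_t; this looks like a copy-paste slip that grants the fstools transition to the wrong domain, or, if intentional, one that deserves a comment. Worth checking against the rest of amanda.te (outside this hunk) before changing it to `fstools_domtrans(amanda_recover_t)`, since doing so would silently remove a grant from amanda_t.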
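Review bot: The `named_log_t` entry for `/var/named/chroot/var/log/named.*` only applies on relabel (setfiles/restorecon); a log file that named creates at runtime inherits the directory's type unless bind.te has a matching file-transition rule for the chroot log directory, and no such rule is in this diff, so either confirm it already exists or add one alongside this context. The `--` qualifier also limits the match to regular files, so the chroot's `var/log` directory itself keeps whatever type it currently carries. The non-chroot `/var/named/dynamic(/.*)?` line is placed inside the `distro_redhat` block even though the path is not Red Hat specific; if the non-chroot `slaves`/`data` entries live in the generic section above, the new line presumably belongs next to them.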
@@ -66,7 +66,6 @@ allow named_t self:unix_stream_socket create_stream_socket_perms; allow named_t self:unix_dgram_socket create_socket_perms; allow named_t self:tcp_socket create_stream_socket_perms; allow named_t self:udp_socket create_socket_perms; -allow named_t self:netlink_route_socket r_netlink_socket_perms; allow named_t dnssec_t:file { getattr read }; @@ -119,6 +118,7 @@ corenet_sendrecv_dns_server_packets(named_t) corenet_sendrecv_dns_client_packets(named_t) corenet_sendrecv_rndc_server_packets(named_t) corenet_sendrecv_rndc_client_packets(named_t) +corenet_udp_bind_all_unreserved_ports(named_t) dev_read_sysfs(named_t) dev_read_rand(named_t) @@ -135,6 +135,8 @@ domain_use_interactive_fds(named_t) files_read_etc_files(named_t) files_read_etc_runtime_files(named_t) +auth_use_nsswitch(named_t) + libs_use_ld_so(named_t) libs_use_shared_libs(named_t) @@ -175,6 +177,10 @@ optional_policy(` ') optional_policy(` + kerberos_use(named_t) +') + +optional_policy(` # this seems like fds that arent being # closed. these should probably be # dontaudits instead. @@ -184,14 +190,6 @@ optional_policy(` ') optional_policy(` - nis_use_ypbind(named_t) -') - -optional_policy(` - nscd_socket_use(named_t) -') - -optional_policy(` seutil_sigchld_newrole(named_t) ')
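Review bot: `corenet_udp_bind_all_unreserved_ports(named_t)` is a broad grant added without a comment; if it is there for query source-port randomization (BIND picks a random high UDP port per outgoing query), a `# query source port randomization` line above it records the reason. Depending on how `unreserved_port_type` is defined in corenet for this tree, the interface may cover labelled high ports belonging to other services rather than only `unreserved_port_t`, so if a narrower interface is available it would be the better fit for a network-facing daemon.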
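Review bot: The new `kerberos_use(named_t)` block gives no hint of which named feature needs Kerberos; presumably GSS-TSIG signed dynamic updates, in which case a one-line `# GSS-TSIG dynamic updates` inside the `optional_policy` block documents it. If `kerberos_use` in this tree only grants reading krb5.conf and connecting to KDC ports, named will additionally need read access to its keytab for GSS-TSIG to work, so that rule should be checked for when this is tested.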