diff --git a/refpolicy/policy/modules/apps/calamaris.te b/refpolicy/policy/modules/apps/calamaris.te
index b73221e..a680581 100644
--- a/refpolicy/policy/modules/apps/calamaris.te
+++ b/refpolicy/policy/modules/apps/calamaris.te
@@ -42,17 +42,13 @@ kernel_read_system_state(calamaris_t)
 corecmd_exec_bin(calamaris_t)
+corenet_non_ipsec_sendrecv(calamaris_t)
 corenet_tcp_sendrecv_generic_if(calamaris_t)
 corenet_udp_sendrecv_generic_if(calamaris_t)
-corenet_raw_sendrecv_generic_if(calamaris_t)
 corenet_tcp_sendrecv_all_nodes(calamaris_t)
 corenet_udp_sendrecv_all_nodes(calamaris_t)
-corenet_raw_sendrecv_all_nodes(calamaris_t)
 corenet_tcp_sendrecv_all_ports(calamaris_t)
 corenet_udp_sendrecv_all_ports(calamaris_t)
-corenet_non_ipsec_sendrecv(calamaris_t)
-corenet_tcp_bind_all_nodes(calamaris_t)
-corenet_udp_bind_all_nodes(calamaris_t)
 dev_read_urand(calamaris_t)
diff --git a/refpolicy/policy/modules/apps/evolution.if b/refpolicy/policy/modules/apps/evolution.if
index 7bc383e..71d3a9f 100644
--- a/refpolicy/policy/modules/apps/evolution.if
+++ b/refpolicy/policy/modules/apps/evolution.if
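Review bot: calamaris_t ends up with send/receive on every TCP and UDP port and node (the `corenet_*_sendrecv_all_ports` and `_all_nodes` context lines) while every bind and connect rule is removed, so the domain can neither listen nor initiate a connection yet still holds the broadest traffic permissions in the file. If calamaris (a log analyser, as far as I know) has no network role, the remaining sendrecv cluster is dead weight that should go with the bind lines; if it does talk to something, the ports should be narrowed to that. Either way a one-line comment above `corenet_non_ipsec_sendrecv(calamaris_t)` stating what traffic the domain needs would make the intent reviewable.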
@@ -188,31 +188,34 @@ template(`evolution_per_userdomain_template',`
 corecmd_exec_bin($1_evolution_t)
 corecmd_exec_sbin($1_evolution_t)
+ corenet_non_ipsec_sendrecv($1_evolution_t)
 corenet_tcp_sendrecv_generic_if($1_evolution_t)
 corenet_udp_sendrecv_generic_if($1_evolution_t)
 corenet_raw_sendrecv_generic_if($1_evolution_t)
 corenet_tcp_sendrecv_all_nodes($1_evolution_t)
 corenet_udp_sendrecv_all_nodes($1_evolution_t)
- corenet_raw_sendrecv_all_nodes($1_evolution_t)
 corenet_tcp_sendrecv_pop_port($1_evolution_t)
- corenet_tcp_sendrecv_smtp_port($1_evolution_t)
- corenet_tcp_sendrecv_innd_port($1_evolution_t)
- corenet_tcp_sendrecv_ldap_port($1_evolution_t)
- ###corenet_tcp_sendrecv_ipp($1_evolution_t)
 corenet_udp_sendrecv_pop_port($1_evolution_t)
+ corenet_tcp_sendrecv_smtp_port($1_evolution_t)
 corenet_udp_sendrecv_smtp_port($1_evolution_t)
+ corenet_tcp_sendrecv_innd_port($1_evolution_t)
 corenet_udp_sendrecv_innd_port($1_evolution_t)
+ corenet_tcp_sendrecv_ldap_port($1_evolution_t)
 corenet_udp_sendrecv_ldap_port($1_evolution_t)
- ###corenet_udp_sendrecv_ipp($1_evolution_t)
- corenet_non_ipsec_sendrecv($1_evolution_t)
- corenet_tcp_bind_all_nodes($1_evolution_t)
- corenet_udp_bind_all_nodes($1_evolution_t)
+ corenet_tcp_sendrecv_ipp_port($1_evolution_t)
+ corenet_udp_sendrecv_ipp_port($1_evolution_t)
 corenet_tcp_connect_pop_port($1_evolution_t)
 corenet_tcp_connect_smtp_port($1_evolution_t)
 corenet_tcp_connect_innd_port($1_evolution_t)
 corenet_tcp_connect_ldap_port($1_evolution_t)
- ###corenet_tcp_connect_ipp_port($1_evolution_t)
+ corenet_tcp_connect_ipp_port($1_evolution_t)
+ corenet_sendrecv_pop_client_packets($1_evolution_t)
+ corenet_sendrecv_smtp_client_packets($1_evolution_t)
+ corenet_sendrecv_innd_client_packets($1_evolution_t)
+ corenet_sendrecv_ldap_client_packets($1_evolution_t)
+ corenet_sendrecv_ipp_client_packets($1_evolution_t)
 # not sure about this bind
+ corenet_udp_bind_all_nodes($1_evolution_t)
 corenet_udp_bind_generic_port($1_evolution_t)
dev_read_urand($1_evolution_t)
@@ -635,25 +638,15 @@ template(`evolution_per_userdomain_template',`
 corecmd_exec_shell($1_evolution_server_t)
 # Obtain weather data via http (read server name from xml file in /usr)
+ corenet_non_ipsec_sendrecv($1_evolution_server_t)
 corenet_tcp_sendrecv_generic_if($1_evolution_server_t)
- corenet_raw_sendrecv_generic_if($1_evolution_server_t)
 corenet_tcp_sendrecv_all_nodes($1_evolution_server_t)
- corenet_raw_sendrecv_all_nodes($1_evolution_server_t)
 corenet_tcp_sendrecv_http_port($1_evolution_server_t)
 corenet_tcp_sendrecv_http_cache_port($1_evolution_server_t)
- corenet_non_ipsec_sendrecv($1_evolution_server_t)
- corenet_tcp_bind_all_nodes($1_evolution_server_t)
 corenet_tcp_connect_http_cache_port($1_evolution_server_t)
 corenet_tcp_connect_http_port($1_evolution_server_t)
- # Talk to ldap (address book)
- corenet_tcp_sendrecv_generic_if($1_evolution_server_t)
- corenet_raw_sendrecv_generic_if($1_evolution_server_t)
- corenet_tcp_sendrecv_all_nodes($1_evolution_server_t)
- corenet_raw_sendrecv_all_nodes($1_evolution_server_t)
- corenet_tcp_sendrecv_ldap_port($1_evolution_server_t)
- corenet_non_ipsec_sendrecv($1_evolution_server_t)
- corenet_tcp_bind_all_nodes($1_evolution_server_t)
- corenet_tcp_connect_ldap_port($1_evolution_server_t)
+ corenet_sendrecv_http_client_packets($1_evolution_server_t)
+ corenet_sendrecv_http_cache_client_packets($1_evolution_server_t)
 files_read_etc_files($1_evolution_server_t)
 # Obtain weather data via http (read server name from xml file in /usr)
@@ -668,9 +661,9 @@ template(`evolution_per_userdomain_template',`
 miscfiles_read_certs($1_evolution_server_t)
 # Talk to ldap (address book)
- # Obtain weather data via http (read server name from xml file in /usr)
 sysnet_read_config($1_evolution_server_t)
 sysnet_dns_name_resolve($1_evolution_server_t)
+ sysnet_use_ldap($1_evolution_server_t)
 # Access evolution home
 userdom_search_user_home_dirs($1,$1_evolution_server_t)
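Review bot: In the `$1_evolution_t` hunk the raw-socket pair is now split: `corenet_raw_sendrecv_all_nodes($1_evolution_t)` is removed but `corenet_raw_sendrecv_generic_if($1_evolution_t)` stays as context, so the netif half of the rawip permission survives without its node half. Either evolution needs raw sockets, in which case the node rule should stay as it does for `$1_evolution_webcal_t` in the later hunk, or it does not, in which case the generic_if line should go too, as this commit does for games, irc, java, screen and uml. The same hunk also turns the previously commented-out `###corenet_*_ipp*` lines into live grants on the IPP port without saying why; a short comment such as `# printing via CUPS (IPP)` above `corenet_tcp_sendrecv_ipp_port($1_evolution_t)` would document the new capability, assuming that is the purpose. The enclosing template starts and ends outside the hunk.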
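Review bot: The comment `# Obtain weather data via http (read server name from xml file in /usr)` still appears twice in the `$1_evolution_server_t` hunk, above the `corenet_non_ipsec_sendrecv` cluster and again after `files_read_etc_files`, and in the following hunk `# Talk to ldap (address book)` now labels `sysnet_read_config`/`sysnet_dns_name_resolve` rather than the `sysnet_use_ldap($1_evolution_server_t)` line that replaces the removed ldap rules. Dropping the second weather comment and moving the ldap comment directly above `sysnet_use_ldap` would keep the annotations attached to the rules they describe. The removal of every `corenet_tcp_*_ldap_port` line presumably relies on `sysnet_use_ldap` supplying the ldap port and packet rules itself; that is worth confirming against sysnetwork.if, since otherwise address-book lookups are silently denied. Both hunks sit inside a template that starts and ends outside them.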
@@ -720,16 +713,17 @@ template(`evolution_per_userdomain_template',`
 # Transition from user type
 domain_auto_trans($2, evolution_webcal_exec_t, $1_evolution_webcal_t)
+ corenet_non_ipsec_sendrecv($1_evolution_webcal_t)
 corenet_tcp_sendrecv_generic_if($1_evolution_webcal_t)
 corenet_raw_sendrecv_generic_if($1_evolution_webcal_t)
 corenet_tcp_sendrecv_all_nodes($1_evolution_webcal_t)
 corenet_raw_sendrecv_all_nodes($1_evolution_webcal_t)
 corenet_tcp_sendrecv_http_port($1_evolution_webcal_t)
 corenet_tcp_sendrecv_http_cache_port($1_evolution_webcal_t)
- corenet_non_ipsec_sendrecv($1_evolution_webcal_t)
- corenet_tcp_bind_all_nodes($1_evolution_webcal_t)
 corenet_tcp_connect_http_cache_port($1_evolution_webcal_t)
 corenet_tcp_connect_http_port($1_evolution_webcal_t)
+ corenet_sendrecv_http_client_packets($1_evolution_webcal_t)
+ corenet_sendrecv_http_cache_client_packets($1_evolution_webcal_t)
 # Networking capability - connect to website and handle ics link
 sysnet_read_config($1_evolution_webcal_t)
diff --git a/refpolicy/policy/modules/apps/games.if b/refpolicy/policy/modules/apps/games.if
index 319a707..6270276 100644
--- a/refpolicy/policy/modules/apps/games.if
+++ b/refpolicy/policy/modules/apps/games.if
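Review bot: `$1_evolution_webcal_t` keeps both `corenet_raw_sendrecv_generic_if` and `corenet_raw_sendrecv_all_nodes` as context while this same commit strips the raw rules from nearly every other client domain it touches, and a webcal fetcher that only connects to the http and http_cache ports has no visible need for rawip send/receive. Unless something in the webcal handler really uses raw sockets, dropping the two raw lines here would match the rest of the change and the least-privilege intent of the new `corenet_sendrecv_http*_client_packets` rules. The enclosing template starts and ends outside the hunk.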
@@ -94,19 +94,18 @@ template(`games_per_userdomain_template',`
 corecmd_exec_bin($1_games_t)
 corecmd_exec_sbin($1_games_t)
+ corenet_non_ipsec_sendrecv($1_games_t)
 corenet_tcp_sendrecv_generic_if($1_games_t)
 corenet_udp_sendrecv_generic_if($1_games_t)
- corenet_raw_sendrecv_generic_if($1_games_t)
 corenet_tcp_sendrecv_all_nodes($1_games_t)
 corenet_udp_sendrecv_all_nodes($1_games_t)
- corenet_raw_sendrecv_all_nodes($1_games_t)
 corenet_tcp_sendrecv_all_ports($1_games_t)
 corenet_udp_sendrecv_all_ports($1_games_t)
- corenet_non_ipsec_sendrecv($1_games_t)
 corenet_tcp_bind_all_nodes($1_games_t)
- corenet_udp_bind_all_nodes($1_games_t)
 corenet_tcp_bind_generic_port($1_games_t)
 corenet_tcp_connect_generic_port($1_games_t)
+ corenet_sendrecv_generic_client_packets($1_games_t)
+ corenet_sendrecv_generic_server_packets($1_games_t)
 dev_read_sound($1_games_t)
 dev_write_sound($1_games_t)
diff --git a/refpolicy/policy/modules/apps/gift.if b/refpolicy/policy/modules/apps/gift.if
index 64b82b6..8ddc30c 100644
--- a/refpolicy/policy/modules/apps/gift.if
+++ b/refpolicy/policy/modules/apps/gift.if
@@ -104,12 +104,10 @@ template(`gift_per_userdomain_template',`
 # Connect to gift daemon
 corenet_non_ipsec_sendrecv($1_gift_t)
 corenet_tcp_sendrecv_generic_if($1_gift_t)
- corenet_raw_sendrecv_generic_if($1_gift_t)
 corenet_tcp_sendrecv_all_nodes($1_gift_t)
- corenet_raw_sendrecv_all_nodes($1_gift_t)
 corenet_tcp_sendrecv_giftd_port($1_gift_t)
- corenet_tcp_bind_all_nodes($1_gift_t)
 corenet_tcp_connect_giftd_port($1_gift_t)
+ corenet_sendrecv_giftd_client_packets($1_gift_t)
 fs_search_auto_mountpoints($1_gift_t)
@@ -169,10 +167,8 @@ template(`gift_per_userdomain_template',`
 corenet_non_ipsec_sendrecv($1_giftd_t)
 corenet_tcp_sendrecv_generic_if($1_giftd_t)
 corenet_udp_sendrecv_generic_if($1_giftd_t)
- corenet_raw_sendrecv_generic_if($1_giftd_t)
 corenet_tcp_sendrecv_all_nodes($1_giftd_t)
 corenet_udp_sendrecv_all_nodes($1_giftd_t)
- corenet_raw_sendrecv_all_nodes($1_giftd_t)
 corenet_tcp_sendrecv_all_ports($1_giftd_t)
 corenet_udp_sendrecv_all_ports($1_giftd_t)
 corenet_tcp_bind_all_nodes($1_giftd_t)
@@ -180,6 +176,7 @@ template(`gift_per_userdomain_template',`
 corenet_tcp_bind_all_ports($1_giftd_t)
 corenet_udp_bind_all_ports($1_giftd_t)
 corenet_tcp_connect_all_ports($1_giftd_t)
+ corenet_sendrecv_all_client_packets($1_giftd_t)
 files_read_usr_files($1_giftd_t)
 # Read /etc/mtab
diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if
index 7732182..d0a3bed 100644
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@@ -96,18 +96,15 @@ template(`gpg_per_userdomain_template',`
 allow $1_gpg_t $1_gpg_secret_t:file create_file_perms;
 allow $1_gpg_t $1_gpg_secret_t:lnk_file create_lnk_perms;
+ corenet_non_ipsec_sendrecv($1_gpg_t)
 corenet_tcp_sendrecv_all_if($1_gpg_t)
- corenet_raw_sendrecv_all_if($1_gpg_t)
 corenet_udp_sendrecv_all_if($1_gpg_t)
 corenet_tcp_sendrecv_all_nodes($1_gpg_t)
- corenet_raw_sendrecv_all_nodes($1_gpg_t)
 corenet_udp_sendrecv_all_nodes($1_gpg_t)
 corenet_tcp_sendrecv_all_ports($1_gpg_t)
 corenet_udp_sendrecv_all_ports($1_gpg_t)
- corenet_non_ipsec_sendrecv($1_gpg_t)
- corenet_tcp_bind_all_nodes($1_gpg_t)
- corenet_udp_bind_all_nodes($1_gpg_t)
 corenet_tcp_connect_all_ports($1_gpg_t)
+ corenet_sendrecv_all_client_packets($1_gpg_t)
 dev_read_rand($1_gpg_t)
 dev_read_urand($1_gpg_t)
diff --git a/refpolicy/policy/modules/apps/irc.if b/refpolicy/policy/modules/apps/irc.if
index 67ab3ba..1cd0fbf 100644
--- a/refpolicy/policy/modules/apps/irc.if
+++ b/refpolicy/policy/modules/apps/irc.if
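Review bot: `corenet_sendrecv_all_client_packets($1_giftd_t)` in the second giftd hunk covers only the outbound side, yet the same hunk shows the daemon binding every TCP and UDP port (`corenet_tcp_bind_all_ports`/`corenet_udp_bind_all_ports`) and no `corenet_sendrecv_all_server_packets($1_giftd_t)` is added for the inbound side. If the packet class is enforced, which the client-packet rules added throughout this commit suggest, peers connecting to the daemon would be refused at the packet check even though the bind itself is allowed; the games hunk earlier in this commit adds both the client and server generic packet rules for exactly this situation. The enclosing template starts and ends outside both giftd hunks.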
@@ -107,16 +107,14 @@ template(`irc_per_userdomain_template',`
 corenet_non_ipsec_sendrecv($1_irc_t)
 corenet_tcp_sendrecv_generic_if($1_irc_t)
 corenet_udp_sendrecv_generic_if($1_irc_t)
- corenet_raw_sendrecv_generic_if($1_irc_t)
 corenet_tcp_sendrecv_all_nodes($1_irc_t)
 corenet_udp_sendrecv_all_nodes($1_irc_t)
- corenet_raw_sendrecv_all_nodes($1_irc_t)
 corenet_tcp_sendrecv_all_ports($1_irc_t)
 corenet_udp_sendrecv_all_ports($1_irc_t)
- corenet_tcp_bind_all_nodes($1_irc_t)
- corenet_udp_bind_all_nodes($1_irc_t)
+ corenet_sendrecv_ircd_client_packets($1_irc_t)
 # cjp: this seems excessive:
 corenet_tcp_connect_all_ports($1_irc_t)
+ corenet_sendrecv_all_client_packets($1_irc_t)
 domain_use_interactive_fds($1_irc_t)
diff --git a/refpolicy/policy/modules/apps/java.if b/refpolicy/policy/modules/apps/java.if
index cd3d01a..c35bff5 100644
--- a/refpolicy/policy/modules/apps/java.if
+++ b/refpolicy/policy/modules/apps/java.if
@@ -103,15 +103,12 @@ template(`java_per_userdomain_template',`
 corenet_non_ipsec_sendrecv($1_javaplugin_t)
 corenet_tcp_sendrecv_generic_if($1_javaplugin_t)
 corenet_udp_sendrecv_generic_if($1_javaplugin_t)
- corenet_raw_sendrecv_generic_if($1_javaplugin_t)
 corenet_tcp_sendrecv_all_nodes($1_javaplugin_t)
 corenet_udp_sendrecv_all_nodes($1_javaplugin_t)
- corenet_raw_sendrecv_all_nodes($1_javaplugin_t)
 corenet_tcp_sendrecv_all_ports($1_javaplugin_t)
 corenet_udp_sendrecv_all_ports($1_javaplugin_t)
- corenet_tcp_bind_all_nodes($1_javaplugin_t)
- corenet_udp_bind_all_nodes($1_javaplugin_t)
 corenet_tcp_connect_all_ports($1_javaplugin_t)
+ corenet_sendrecv_all_client_packets($1_javaplugin_t)
 dev_read_sound($1_javaplugin_t)
 dev_write_sound($1_javaplugin_t)
diff --git a/refpolicy/policy/modules/apps/mozilla.if b/refpolicy/policy/modules/apps/mozilla.if
index 74bfc53..c4d489b 100644
--- a/refpolicy/policy/modules/apps/mozilla.if
+++ b/refpolicy/policy/modules/apps/mozilla.if
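Review bot: `corenet_sendrecv_ircd_client_packets($1_irc_t)` is redundant once `corenet_sendrecv_all_client_packets($1_irc_t)` is added two lines below, and nothing in the hunk pairs it with a port-level connect rule; the only connect is the `corenet_tcp_connect_all_ports` line already marked `# cjp: this seems excessive:`. If the intent is to move irc toward the ircd port only, the narrow pair (`corenet_tcp_connect_ircd_port($1_irc_t)` plus the ircd client packets) should stand on its own and the all-ports connect/packet pair should sit together under the "excessive" comment so it is obvious what remains to be removed; as written the narrow rule adds nothing. The enclosing template starts and ends outside the hunk.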
@@ -128,6 +128,7 @@ template(`mozilla_per_userdomain_template',`
 corecmd_exec_bin($1_mozilla_t)
 # Browse the web, connect to printer
+ corenet_non_ipsec_sendrecv($1_mozilla_t)
 corenet_tcp_sendrecv_generic_if($1_mozilla_t)
 corenet_raw_sendrecv_generic_if($1_mozilla_t)
 corenet_tcp_sendrecv_all_nodes($1_mozilla_t)
@@ -136,13 +137,16 @@ template(`mozilla_per_userdomain_template',`
 corenet_tcp_sendrecv_http_cache_port($1_mozilla_t)
 corenet_tcp_sendrecv_ftp_port($1_mozilla_t)
 corenet_tcp_sendrecv_ipp_port($1_mozilla_t)
- corenet_non_ipsec_sendrecv($1_mozilla_t)
- corenet_tcp_bind_all_nodes($1_mozilla_t)
 corenet_tcp_connect_http_port($1_mozilla_t)
 corenet_tcp_connect_http_cache_port($1_mozilla_t)
 corenet_tcp_connect_ftp_port($1_mozilla_t)
 corenet_tcp_connect_ipp_port($1_mozilla_t)
 corenet_tcp_connect_generic_port($1_mozilla_t)
+ corenet_sendrecv_http_client_packets($1_mozilla_t)
+ corenet_sendrecv_http_cache_client_packets($1_mozilla_t)
+ corenet_sendrecv_ftp_client_packets($1_mozilla_t)
+ corenet_sendrecv_ipp_client_packets($1_mozilla_t)
+ corenet_sendrecv_generic_client_packets($1_mozilla_t)
 # Should not need other ports
 corenet_dontaudit_tcp_sendrecv_generic_port($1_mozilla_t)
 corenet_dontaudit_tcp_bind_generic_port($1_mozilla_t)
diff --git a/refpolicy/policy/modules/apps/screen.if b/refpolicy/policy/modules/apps/screen.if
index 111b585..fa61d05 100644
--- a/refpolicy/policy/modules/apps/screen.if
+++ b/refpolicy/policy/modules/apps/screen.if
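Review bot: `corenet_sendrecv_generic_client_packets($1_mozilla_t)` widens the generic-port grant (on top of the existing `corenet_tcp_connect_generic_port`) in the same block whose next comment says `# Should not need other ports` and then dontaudits generic-port sendrecv and bind, so the block both allows generic client packets and quietly suppresses denials on the same port class. If the generic connect really is needed (non-standard http ports, presumably), the comment should say so and the dontaudit on generic sendrecv is then misleading; otherwise the generic connect/packet pair is the line to question rather than extend. `corenet_raw_sendrecv_generic_if($1_mozilla_t)` also survives as context in the first mozilla hunk although the rest of the commit removes raw rules from client domains; its `_all_nodes` counterpart is outside the hunk so I cannot tell whether the pair is intact. The enclosing template starts and ends outside both hunks.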
@@ -116,16 +116,13 @@ template(`screen_per_userdomain_template',`
 corecmd_shell_domtrans($1_screen_t,$2)
 corecmd_bin_domtrans($1_screen_t,$2)
+ corenet_non_ipsec_sendrecv($1_screen_t)
 corenet_tcp_sendrecv_generic_if($1_screen_t)
 corenet_udp_sendrecv_generic_if($1_screen_t)
- corenet_raw_sendrecv_generic_if($1_screen_t)
 corenet_tcp_sendrecv_all_nodes($1_screen_t)
 corenet_udp_sendrecv_all_nodes($1_screen_t)
- corenet_raw_sendrecv_all_nodes($1_screen_t)
 corenet_tcp_sendrecv_all_ports($1_screen_t)
 corenet_udp_sendrecv_all_ports($1_screen_t)
- corenet_tcp_bind_all_nodes($1_screen_t)
- corenet_udp_bind_all_nodes($1_screen_t)
 corenet_tcp_connect_all_ports($1_screen_t)
 dev_dontaudit_getattr_all_chr_files($1_screen_t)
diff --git a/refpolicy/policy/modules/apps/thunderbird.if b/refpolicy/policy/modules/apps/thunderbird.if
index 54cee7e..4dab587 100644
--- a/refpolicy/policy/modules/apps/thunderbird.if
+++ b/refpolicy/policy/modules/apps/thunderbird.if
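Review bot: `$1_screen_t` receives `corenet_non_ipsec_sendrecv` but, unlike the java, gpg, uml and giftd domains in this same commit, no `corenet_sendrecv_all_client_packets($1_screen_t)` to go with its retained `corenet_tcp_connect_all_ports($1_screen_t)`. If the packet class is being enforced now, which the rest of the change suggests, screen's outbound connections would pass the connect check and then be denied on the packet check, which is an awkward failure to debug; either add the packet rule after the connect line or drop the all-ports connect if screen has no need for it. The enclosing template starts and ends outside the hunk.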
@@ -106,24 +106,27 @@ template(`thunderbird_per_userdomain_template',`
 # Startup shellscript
 corecmd_exec_bin($1_thunderbird_t)
+ corenet_non_ipsec_sendrecv($1_thunderbird_t)
 corenet_tcp_sendrecv_generic_if($1_thunderbird_t)
- corenet_raw_sendrecv_generic_if($1_thunderbird_t)
+ corenet_tcp_sendrecv_all_nodes($1_thunderbird_t)
 corenet_tcp_sendrecv_ipp_port($1_thunderbird_t)
 corenet_tcp_sendrecv_ldap_port($1_thunderbird_t)
 corenet_tcp_sendrecv_innd_port($1_thunderbird_t)
 corenet_tcp_sendrecv_smtp_port($1_thunderbird_t)
 corenet_tcp_sendrecv_pop_port($1_thunderbird_t)
 corenet_tcp_sendrecv_http_port($1_thunderbird_t)
- corenet_tcp_sendrecv_all_nodes($1_thunderbird_t)
- corenet_raw_sendrecv_all_nodes($1_thunderbird_t)
- corenet_non_ipsec_sendrecv($1_thunderbird_t)
- corenet_tcp_bind_all_nodes($1_thunderbird_t)
 corenet_tcp_connect_ipp_port($1_thunderbird_t)
 corenet_tcp_connect_ldap_port($1_thunderbird_t)
 corenet_tcp_connect_innd_port($1_thunderbird_t)
 corenet_tcp_connect_smtp_port($1_thunderbird_t)
 corenet_tcp_connect_pop_port($1_thunderbird_t)
 corenet_tcp_connect_http_port($1_thunderbird_t)
+ corenet_sendrecv_ipp_client_packets($1_thunderbird_t)
+ corenet_sendrecv_ldap_client_packets($1_thunderbird_t)
+ corenet_sendrecv_innd_client_packets($1_thunderbird_t)
+ corenet_sendrecv_smtp_client_packets($1_thunderbird_t)
+ corenet_sendrecv_pop_client_packets($1_thunderbird_t)
+ corenet_sendrecv_http_client_packets($1_thunderbird_t)
 files_list_tmp($1_thunderbird_t)
 files_read_usr_files($1_thunderbird_t)
diff --git a/refpolicy/policy/modules/apps/uml.if b/refpolicy/policy/modules/apps/uml.if
index caf26dd..121b95f 100644
--- a/refpolicy/policy/modules/apps/uml.if
+++ b/refpolicy/policy/modules/apps/uml.if
@@ -65,7 +65,7 @@ template(`uml_per_userdomain_template',`
 # Local policy
 #
 allow $1_uml_t self:fifo_file rw_file_perms;
- allow $1_uml_t self:process { fork signal_perms ptrace };
+ allow $1_uml_t self:process { signal_perms ptrace };
 allow $1_uml_t self:unix_stream_socket create_stream_socket_perms;
 allow $1_uml_t self:unix_dgram_socket create_socket_perms;
 # Use the network.
@@ -147,18 +147,15 @@ template(`uml_per_userdomain_template',`
 corecmd_exec_bin($1_uml_t)
 corecmd_exec_sbin($1_uml_t)
+ corenet_non_ipsec_sendrecv($1_uml_t)
 corenet_tcp_sendrecv_generic_if($1_uml_t)
 corenet_udp_sendrecv_generic_if($1_uml_t)
- corenet_raw_sendrecv_generic_if($1_uml_t)
 corenet_tcp_sendrecv_all_nodes($1_uml_t)
 corenet_udp_sendrecv_all_nodes($1_uml_t)
- corenet_raw_sendrecv_all_nodes($1_uml_t)
 corenet_tcp_sendrecv_all_ports($1_uml_t)
 corenet_udp_sendrecv_all_ports($1_uml_t)
- corenet_non_ipsec_sendrecv($1_uml_t)
- corenet_tcp_bind_all_nodes($1_uml_t)
- corenet_udp_bind_all_nodes($1_uml_t)
 corenet_tcp_connect_all_ports($1_uml_t)
+ corenet_sendrecv_all_client_packets($1_uml_t)
 corenet_rw_tun_tap_dev($1_uml_t)
 domain_use_interactive_fds($1_uml_t)
diff --git a/refpolicy/policy/modules/apps/vmware.te b/refpolicy/policy/modules/apps/vmware.te
index 151d2fa..43d6a2e 100644
--- a/refpolicy/policy/modules/apps/vmware.te
+++ b/refpolicy/policy/modules/apps/vmware.te
@@ -51,6 +51,9 @@ corenet_non_ipsec_sendrecv(vmware_host_t)
 corenet_raw_sendrecv_generic_if(vmware_host_t)
 corenet_raw_sendrecv_all_nodes(vmware_host_t)
 corenet_raw_bind_all_nodes(vmware_host_t)
+corenet_tcp_sendrecv_all_ports(vmware_host_t)
+corenet_tcp_connect_all_ports(vmware_host_t)
+corenet_sendrecv_all_client_packets(vmware_host_t)
 dev_read_sysfs(vmware_host_t)
 dev_rw_vmware(vmware_host_t)
diff --git a/refpolicy/policy/modules/apps/webalizer.te b/refpolicy/policy/modules/apps/webalizer.te
index 0800b1a..7211dd6 100644
--- a/refpolicy/policy/modules/apps/webalizer.te
+++ b/refpolicy/policy/modules/apps/webalizer.te
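Review bot: `corenet_tcp_connect_all_ports(vmware_host_t)` together with the new `corenet_tcp_sendrecv_all_ports` and `corenet_sendrecv_all_client_packets` lines lets the vmware host helper open a TCP connection to any port on any reachable node, and nothing in the hunk says which service it actually needs; the visible context is raw-socket rules only, which fit the vmnet bridging role but not an arbitrary TCP client. A comment above the three added lines naming the peer or protocol, or a narrowing to the specific port interface once it is known, would stop this from becoming a permanent wildcard in a domain that already has raw network access. The remaining vmware_host_t rules are outside the hunk.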
@@ -44,7 +44,6 @@ allow webalizer_t self:unix_stream_socket create_stream_socket_perms;
 allow webalizer_t self:unix_dgram_socket sendto;
 allow webalizer_t self:unix_stream_socket connectto;
 allow webalizer_t self:tcp_socket connected_stream_socket_perms;
-allow webalizer_t self:udp_socket { connect connected_socket_perms };
 allow webalizer_t webalizer_etc_t:file { getattr read };
@@ -59,17 +58,10 @@ files_var_lib_filetrans(webalizer_t,webalizer_var_lib_t,file)
 kernel_read_kernel_sysctls(webalizer_t)
 kernel_read_system_state(webalizer_t)
+corenet_non_ipsec_sendrecv(webalizer_t)
 corenet_tcp_sendrecv_all_if(webalizer_t)
-corenet_udp_sendrecv_all_if(webalizer_t)
-corenet_raw_sendrecv_all_if(webalizer_t)
-corenet_udp_sendrecv_all_nodes(webalizer_t)
 corenet_tcp_sendrecv_all_nodes(webalizer_t)
-corenet_raw_sendrecv_all_nodes(webalizer_t)
 corenet_tcp_sendrecv_all_ports(webalizer_t)
-corenet_udp_sendrecv_all_ports(webalizer_t)
-corenet_non_ipsec_sendrecv(webalizer_t)
-corenet_tcp_bind_all_nodes(webalizer_t)
-corenet_udp_bind_all_nodes(webalizer_t)
 fs_search_auto_mountpoints(webalizer_t)
@@ -84,6 +76,7 @@ logging_send_syslog_msg(webalizer_t)
 miscfiles_read_localization(webalizer_t)
+sysnet_dns_name_resolve(webalizer_t)
 sysnet_read_config(webalizer_t)
 userdom_use_unpriv_users_fds(webalizer_t)
diff --git a/refpolicy/policy/modules/apps/yam.te b/refpolicy/policy/modules/apps/yam.te
index 90e1c04..9181eba 100644
--- a/refpolicy/policy/modules/apps/yam.te
+++ b/refpolicy/policy/modules/apps/yam.te
@@ -37,7 +37,6 @@ allow yam_t self:sem create_sem_perms;
 allow yam_t self:msgq create_msgq_perms;
 allow yam_t self:msg { send receive };
 allow yam_t self:tcp_socket create_socket_perms;
-allow yam_t self:udp_socket create_socket_perms;
 # Update the content being managed by yam.
 allow yam_t yam_content_t:dir create_dir_perms;
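Review bot: After the webalizer hunks the domain keeps `corenet_tcp_sendrecv_all_ports`/`_all_nodes`/`_all_if` but has no tcp connect, bind or `corenet_sendrecv_*_packets` rule, while every UDP permission, including the `self:udp_socket` allow removed in the first hunk, is replaced by `sysnet_dns_name_resolve(webalizer_t)` in the third. That is fine only if the resolver interface supplies the udp socket and dns port rules itself, which is worth confirming in sysnetwork.if since reverse lookups look like webalizer's only network use; if it does, the TCP all-ports cluster is serving nothing and could be removed along with the UDP lines, or reduced to whatever the resolver needs for TCP fallback. The same pattern is applied to yam_t in the following hunks.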
@@ -61,19 +60,14 @@ corecmd_exec_bin(yam_t)
 # Rsync and lftp need to network. They also set files attributes to
 # match whats on the remote server.
+corenet_non_ipsec_sendrecv(yam_t)
 corenet_tcp_sendrecv_generic_if(yam_t)
-corenet_udp_sendrecv_generic_if(yam_t)
-corenet_raw_sendrecv_generic_if(yam_t)
 corenet_tcp_sendrecv_all_nodes(yam_t)
-corenet_udp_sendrecv_all_nodes(yam_t)
-corenet_raw_sendrecv_all_nodes(yam_t)
 corenet_tcp_sendrecv_all_ports(yam_t)
-corenet_udp_sendrecv_all_ports(yam_t)
-corenet_non_ipsec_sendrecv(yam_t)
-corenet_tcp_bind_all_nodes(yam_t)
-corenet_udp_bind_all_nodes(yam_t)
 corenet_tcp_connect_http_port(yam_t)
 corenet_tcp_connect_rsync_port(yam_t)
+corenet_sendrecv_http_client_packets(yam_t)
+corenet_sendrecv_rsync_client_packets(yam_t)
 # mktemp
 dev_read_urand(yam_t)
@@ -101,6 +95,7 @@ miscfiles_read_localization(yam_t)
 seutil_read_config(yam_t)
+sysnet_dns_name_resolve(yam_t)
 sysnet_read_config(yam_t)
 userdom_use_unpriv_users_fds(yam_t)
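Review bot: yam_t's new client-packet rules are scoped to http and rsync, as are its connect rules, but `corenet_tcp_sendrecv_all_ports(yam_t)` is left as context above them; replacing it with `corenet_tcp_sendrecv_http_port(yam_t)` and `corenet_tcp_sendrecv_rsync_port(yam_t)` would make the three layers (port sendrecv, connect, packet) agree, as the evolution and thunderbird hunks in this commit already do. The UDP removal mirrors webalizer and presumably relies on `sysnet_dns_name_resolve(yam_t)` in the last hunk to cover what lftp and rsync need for name lookup; extending the existing comment to `# Rsync and lftp need to network (DNS via sysnet_dns_name_resolve below).` would record that dependency where the next reader will look for it.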