diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if index 594dc0f..91737d4 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if @@ -383,6 +383,7 @@ interface(`gnome_read_gconf_home_files',` type data_home_t; ') + userdom_search_user_home_dirs($1) allow $1 gconf_home_t:dir list_dir_perms; allow $1 data_home_t:dir list_dir_perms; read_files_pattern($1, gconf_home_t, gconf_home_t) diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc index 28b71f6..2b552c5 100644 --- a/policy/modules/services/git.fc +++ b/policy/modules/services/git.fc @@ -7,7 +7,7 @@ HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:git_session_content_t,s0) /usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0) /var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) -/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) +/var/lib/git(/.*)? gen_context(system_u:object_r:git_system_content_t,s0) /var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) /var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) /var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0) diff --git a/policy/modules/services/jabber.fc b/policy/modules/services/jabber.fc index 908eb91..deef4c7 100644 --- a/policy/modules/services/jabber.fc +++ b/policy/modules/services/jabber.fc @@ -4,9 +4,9 @@ # for new version of jabberd /usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0) -/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0) -/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_exec_t,s0) +/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0) /usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0) +/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0) /var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) 
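Review bot: The relabel of `/var/lib/git(/.*)?` from `httpd_git_content_t` to `git_system_content_t` changes which domains may read that tree, and nothing in this patch shows `git_system_content_t` being granted to the web-facing gitweb/cgit domain that previously reached it through `httpd_git_content_t`. If the `httpd_git_script_exec_t` CGI scripts still serve repositories under /var/lib/git, confirm that git.te/git.if (not in this diff) give that domain read access to the new type, otherwise repositories vanish from the web front-end after a relabel. Existing installs also need a `restorecon -R /var/lib/git` for the new context to take effect, which the commit message should mention.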
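Review bot: Relabeling `/usr/bin/c2s` as `jabberd_router_exec_t` runs the client-facing c2s listener in the same domain as the router, so a fault in the component exposed on the XMPP client port also carries the router's permissions (bind and connect on the router port, per the new `jabberd_router_t` block in jabber.te). If this merge is deliberate, a one-line comment next to the entry, e.g. `# c2s shares the router domain; see jabber.te`, would stop the next reader treating it as a typo, since `sm` and `s2s` stay in `jabberd_exec_t`. A dedicated c2s domain would keep the externally exposed component isolated from the router.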
diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te index 5f8840f..e184dff 100644 --- a/policy/modules/services/jabber.te +++ b/policy/modules/services/jabber.te @@ -30,6 +30,52 @@ files_pid_file(jabberd_var_run_t) permissive jabberd_router_t; permissive jabberd_t; +###################################### +# +# Local policy for jabberd-router and c2s components +# + +allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms; + +corenet_tcp_bind_jabber_client_port(jabberd_router_t) +corenet_tcp_bind_jabber_router_port(jabberd_router_t) +corenet_tcp_connect_jabber_router_port(jabberd_router_t) +corenet_sendrecv_jabber_router_server_packets(jabberd_router_t) +corenet_sendrecv_jabber_client_server_packets(jabberd_router_t) + +fs_getattr_all_fs(jabberd_router_t) + +miscfiles_read_certs(jabberd_router_t) + +optional_policy(` + kerberos_use(jabberd_router_t) +') + +optional_policy(` + nis_use_ypbind(jabberd_router_t) +') + +##################################### +# +# Local policy for other jabberd components +# + +kernel_read_system_state(jabberd_t) + +corenet_tcp_bind_jabber_interserver_port(jabberd_t) +corenet_tcp_connect_jabber_router_port(jabberd_t) + +userdom_dontaudit_use_unpriv_user_fds(jabberd_t) +userdom_dontaudit_search_user_home_dirs(jabberd_t) + +optional_policy(` + seutil_sigchld_newrole(jabberd_t) +') + +optional_policy(` + udev_read_db(jabberd_t) +') + ####################################### # # Local policy for jabberd domains @@ -62,6 +108,7 @@ corenet_tcp_bind_generic_node(jabberd_domain) dev_read_urand(jabberd_domain) dev_read_urand(jabberd_domain) +dev_read_sysfs(jabberd_domain) files_read_etc_files(jabberd_domain) files_read_etc_runtime_files(jabberd_domain) 
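Review bot: `jabberd_t` keeps `corenet_tcp_bind_jabber_interserver_port(jabberd_t)` but the matching `corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)` from the deleted jabberd_t section is not carried over, while the new router block pairs every bind with its sendrecv rule; with labeled packets in use, s2s traffic on the interserver port would be denied. Add `corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)` after the bind line. Several other rules from the deleted sections (`dev_read_rand(jabberd_t)` noted as needed for SSL, `domain_use_interactive_fds`, `fs_search_auto_mountpoints`, `kernel_read_kernel_sysctls`, `kernel_read_proc_symlinks`, the `dac_override` capability) do not reappear in the new per-domain sections; if they moved into the `jabberd_domain` common block that is fine, but that block is only partly visible here, so please confirm they were dropped on purpose.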
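Review bot: The context shows `dev_read_urand(jabberd_domain)` twice in a row immediately before the added `dev_read_sysfs(jabberd_domain)`; unless that is an artifact of how this page was rendered, the duplicate is harmless to the compiled policy but worth removing while the block is being edited. The sysfs read is also granted to every jabberd domain, whereas the deleted section gave `dev_read_sysfs` to `jabberd_t` only; a short comment such as `# sysfs is read by the router and component domains alike` would record why it was widened.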
@@ -71,59 +118,3 @@ logging_send_syslog_msg(jabberd_domain) miscfiles_read_localization(jabberd_domain) sysnet_read_config(jabberd_domain) - -###################################### -# -# Local policy for jabberd-router -# - -allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms; - -corenet_tcp_bind_jabber_router_port(jabberd_router_t) -corenet_sendrecv_jabber_router_server_packets(jabberd_router_t) - -optional_policy(` - kerberos_use(jabberd_router_t) -') - -######################################## -# -# Local policy for jabberd -# - -allow jabberd_t self:capability dac_override; -dontaudit jabberd_t self:capability sys_tty_config; - -kernel_read_kernel_sysctls(jabberd_t) -kernel_read_proc_symlinks(jabberd_t) -kernel_read_system_state(jabberd_t) - -corenet_tcp_connect_jabber_router_port(jabberd_t) -corenet_tcp_bind_jabber_client_port(jabberd_t) -corenet_tcp_bind_jabber_interserver_port(jabberd_t) -corenet_sendrecv_jabber_client_server_packets(jabberd_t) -corenet_sendrecv_jabber_interserver_server_packets(jabberd_t) - -dev_read_sysfs(jabberd_t) -# For SSL -dev_read_rand(jabberd_t) - -domain_use_interactive_fds(jabberd_t) - -fs_getattr_all_fs(jabberd_t) -fs_search_auto_mountpoints(jabberd_t) - -userdom_dontaudit_use_unpriv_user_fds(jabberd_t) -userdom_dontaudit_search_user_home_dirs(jabberd_t) - -optional_policy(` - nis_use_ypbind(jabberd_t) -') - -optional_policy(` - seutil_sigchld_newrole(jabberd_t) -') - -optional_policy(` - udev_read_db(jabberd_t) -') diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te index eaa8706..f24c52e 100644 --- a/policy/modules/services/razor.te +++ b/policy/modules/services/razor.te 
@@ -6,16 +6,10 @@ policy_module(razor, 2.1.1) # ifdef(`distro_redhat',` - gen_require(` - type spamc_t; - type spamc_exec_t; - type spamd_log_t; - type spamd_spool_t; - type spamd_var_lib_t; - type spamd_etc_t; - type spamc_home_t; - type spamc_tmp_t; + type spamc_t, spamc_exec_t, spamd_log_t; + type spamd_spool_t, spamd_var_lib_t, spamd_etc_t; + type spamc_home_t, spamc_tmp_t; ') typealias spamc_t alias razor_t; 
@@ -28,126 +22,122 @@ ifdef(`distro_redhat',` typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t }; typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t }; typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t }; - ',` + type razor_exec_t; + corecmd_executable_file(razor_exec_t) -type razor_exec_t; -corecmd_executable_file(razor_exec_t) - -type razor_etc_t; -files_config_file(razor_etc_t) + type razor_etc_t; + files_config_file(razor_etc_t) -type razor_home_t; -typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t }; -typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t }; -files_poly_member(razor_home_t) -userdom_user_home_content(razor_home_t) + type razor_home_t; + typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t }; + typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t }; + userdom_user_home_content(razor_home_t) -type razor_log_t; -logging_log_file(razor_log_t) + type razor_log_t; + logging_log_file(razor_log_t) -type razor_tmp_t; -typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t }; -typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t }; -files_tmp_file(razor_tmp_t) -ubac_constrained(razor_tmp_t) + type razor_tmp_t; + typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t }; + typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t }; + files_tmp_file(razor_tmp_t) + ubac_constrained(razor_tmp_t) -type razor_var_lib_t; -files_type(razor_var_lib_t) + type razor_var_lib_t; + files_type(razor_var_lib_t) -# these are here due to ordering issues: -razor_common_domain_template(razor) -typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t }; -typealias razor_t alias { auditadm_razor_t secadm_razor_t }; -ubac_constrained(razor_t) + # these are here due to ordering issues: + 
razor_common_domain_template(razor) + typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t }; + typealias razor_t alias { auditadm_razor_t secadm_razor_t }; + ubac_constrained(razor_t) -razor_common_domain_template(system_razor) -role system_r types system_razor_t; - -######################################## -# -# System razor local policy -# + razor_common_domain_template(system_razor) + role system_r types system_razor_t; -# this version of razor is invoked typically -# via the system spam filter + ######################################## + # + # System razor local policy + # -allow system_razor_t self:tcp_socket create_socket_perms; + # this version of razor is invoked typically + # via the system spam filter -manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t) -manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t) -manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t) -files_search_etc(system_razor_t) + allow system_razor_t self:tcp_socket create_socket_perms; -allow system_razor_t razor_log_t:file manage_file_perms; -logging_log_filetrans(system_razor_t, razor_log_t, file) + manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t) + manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t) + manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t) + files_search_etc(system_razor_t) -manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t) -files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file) + allow system_razor_t razor_log_t:file manage_file_perms; + logging_log_filetrans(system_razor_t, razor_log_t, file) -corenet_all_recvfrom_unlabeled(system_razor_t) -corenet_all_recvfrom_netlabel(system_razor_t) -corenet_tcp_sendrecv_generic_if(system_razor_t) -corenet_raw_sendrecv_generic_if(system_razor_t) -corenet_tcp_sendrecv_generic_node(system_razor_t) -corenet_raw_sendrecv_generic_node(system_razor_t) -corenet_tcp_sendrecv_razor_port(system_razor_t) 
-corenet_tcp_connect_razor_port(system_razor_t) -corenet_sendrecv_razor_client_packets(system_razor_t) + manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t) + files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file) -sysnet_read_config(system_razor_t) + corenet_all_recvfrom_unlabeled(system_razor_t) + corenet_all_recvfrom_netlabel(system_razor_t) + corenet_tcp_sendrecv_generic_if(system_razor_t) + corenet_raw_sendrecv_generic_if(system_razor_t) + corenet_tcp_sendrecv_generic_node(system_razor_t) + corenet_raw_sendrecv_generic_node(system_razor_t) + corenet_tcp_sendrecv_razor_port(system_razor_t) + corenet_tcp_connect_razor_port(system_razor_t) + corenet_sendrecv_razor_client_packets(system_razor_t) -# cjp: this shouldn't be needed -userdom_use_unpriv_users_fds(system_razor_t) + sysnet_read_config(system_razor_t) -optional_policy(` - logging_send_syslog_msg(system_razor_t) -') + # cjp: this shouldn't be needed + userdom_use_unpriv_users_fds(system_razor_t) -optional_policy(` - nscd_socket_use(system_razor_t) -') + optional_policy(` + logging_send_syslog_msg(system_razor_t) + ') -######################################## -# -# User razor local policy -# + optional_policy(` + nscd_socket_use(system_razor_t) + ') -# Allow razor to be run by hand. Needed by any action other than -# invocation from a spam filter. + ######################################## + # + # User razor local policy + # -allow razor_t self:unix_stream_socket create_stream_socket_perms; + # Allow razor to be run by hand. Needed by any action other than + # invocation from a spam filter. 
-manage_dirs_pattern(razor_t, razor_home_t, razor_home_t) -manage_files_pattern(razor_t, razor_home_t, razor_home_t) -manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t) -userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir) + allow razor_t self:unix_stream_socket create_stream_socket_perms; -manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t) -manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t) -files_tmp_filetrans(razor_t, razor_tmp_t, { file dir }) + manage_dirs_pattern(razor_t, razor_home_t, razor_home_t) + manage_files_pattern(razor_t, razor_home_t, razor_home_t) + manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t) + userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir) -auth_use_nsswitch(razor_t) + manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t) + manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t) + files_tmp_filetrans(razor_t, razor_tmp_t, { file dir }) -logging_send_syslog_msg(razor_t) + auth_use_nsswitch(razor_t) -userdom_search_user_home_dirs(razor_t) -userdom_use_user_terminals(razor_t) + logging_send_syslog_msg(razor_t) -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(razor_t) - fs_manage_nfs_files(razor_t) - fs_manage_nfs_symlinks(razor_t) -') + userdom_search_user_home_dirs(razor_t) + userdom_use_user_terminals(razor_t) -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(razor_t) - fs_manage_cifs_files(razor_t) - fs_manage_cifs_symlinks(razor_t) -') + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(razor_t) + fs_manage_nfs_files(razor_t) + fs_manage_nfs_symlinks(razor_t) + ') -optional_policy(` - milter_manage_spamass_state(razor_t) -') + tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(razor_t) + fs_manage_cifs_files(razor_t) + fs_manage_cifs_symlinks(razor_t) + ') + optional_policy(` + milter_manage_spamass_state(razor_t) + ') ') diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te index 9ab1d80..612e4e4 100644 
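Review bot: Inside what is otherwise a pure re-indentation of the non-redhat branch, `files_poly_member(razor_home_t)` is removed from the declarations with no replacement on the new side, so razor's home type stops being declared a polyinstantiation member; the same silent drop happens to `files_poly_member(spamassassin_home_t)` in the spamassassin.te declarations hunk further down. If dropping the explicit call is intended, plausible if `userdom_user_home_content()` now covers it, say so in the commit message; otherwise restore `files_poly_member(razor_home_t)` after `typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };`. Behavioural changes buried in whitespace-dominated hunks are easy to miss in review and deserve a mention either way.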
--- a/policy/modules/services/rgmanager.te +++ b/policy/modules/services/rgmanager.te @@ -6,15 +6,14 @@ policy_module(rgmanager, 1.0.0) # ## -##

-## Allow rgmanager domain to connect to the network using TCP. -##

+##

+## Allow rgmanager domain to connect to the network using TCP. +##

##
gen_tunable(rgmanager_can_network_connect, false) type rgmanager_t; type rgmanager_exec_t; -domain_type(rgmanager_t) init_daemon_domain(rgmanager_t, rgmanager_exec_t) type rgmanager_initrc_exec_t; @@ -40,7 +39,7 @@ files_pid_file(rgmanager_var_run_t) allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock }; dontaudit rgmanager_t self:capability { sys_ptrace }; allow rgmanager_t self:process { setsched signal }; -dontaudit rgmanager_t self:process { ptrace }; +dontaudit rgmanager_t self:process ptrace; allow rgmanager_t self:fifo_file rw_fifo_file_perms; allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms }; diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te index 1ebc84d..8d40ec9 100644 --- a/policy/modules/services/rhcs.te +++ b/policy/modules/services/rhcs.te @@ -6,9 +6,9 @@ policy_module(rhcs, 1.1.0) # ## -##

-## Allow fenced domain to connect to the network using TCP. -##

+##

+## Allow fenced domain to connect to the network using TCP. +##

##
gen_tunable(fenced_can_network_connect, false) @@ -111,7 +111,7 @@ tunable_policy(`fenced_can_network_connect',` # needed by fence_scsi optional_policy(` - corosync_exec(fenced_t) + corosync_exec(fenced_t) ') optional_policy(` @@ -129,7 +129,6 @@ optional_policy(` # allow gfs_controld_t self:capability { net_admin sys_resource }; - allow gfs_controld_t self:shm create_shm_perms; allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -159,7 +158,6 @@ optional_policy(` allow groupd_t self:capability { sys_nice sys_resource }; allow groupd_t self:process setsched; - allow groupd_t self:shm create_shm_perms; dev_list_sysfs(groupd_t) @@ -174,7 +172,6 @@ init_rw_script_tmp_files(groupd_t) # allow qdiskd_t self:capability { ipc_lock sys_boot }; - allow qdiskd_t self:tcp_socket create_stream_socket_perms; allow qdiskd_t self:udp_socket create_socket_perms; @@ -224,9 +221,8 @@ optional_policy(` # rhcs domains common policy # -allow cluster_domain self:capability { sys_nice }; +allow cluster_domain self:capability sys_nice; allow cluster_domain self:process setsched; - allow cluster_domain self:sem create_sem_perms; allow cluster_domain self:fifo_file rw_fifo_file_perms; allow cluster_domain self:unix_stream_socket create_stream_socket_perms; diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te index 0f262a7..4d10897 100644 --- a/policy/modules/services/rhgb.te +++ b/policy/modules/services/rhgb.te @@ -30,7 +30,7 @@ allow rhgb_t self:tcp_socket create_socket_perms; allow rhgb_t self:udp_socket create_socket_perms; allow rhgb_t self:netlink_route_socket r_netlink_socket_perms; -allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr }; +allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; term_create_pty(rhgb_t, rhgb_devpts_t) manage_dirs_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t) 
diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te index e2434cb..29e7311 100644 --- a/policy/modules/services/ricci.te +++ b/policy/modules/services/ricci.te @@ -7,7 +7,6 @@ policy_module(ricci, 1.7.0) type ricci_t; type ricci_exec_t; -domain_type(ricci_t) init_daemon_domain(ricci_t, ricci_exec_t) type ricci_initrc_exec_t; @@ -42,7 +41,6 @@ files_pid_file(ricci_modcluster_var_run_t) type ricci_modclusterd_t; type ricci_modclusterd_exec_t; -domain_type(ricci_modclusterd_t) init_daemon_domain(ricci_modclusterd_t, ricci_modclusterd_exec_t) type ricci_modclusterd_tmpfs_t; @@ -101,7 +99,7 @@ manage_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t) manage_sock_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t) files_var_lib_filetrans(ricci_t, ricci_var_lib_t, { file dir sock_file }) -allow ricci_t ricci_var_log_t:dir setattr; +allow ricci_t ricci_var_log_t:dir setattr_dir_perms; manage_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t) manage_sock_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t) logging_log_filetrans(ricci_t, ricci_var_log_t, { sock_file file dir }) diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te index 29a5d0d..0155ca7 100644 --- a/policy/modules/services/rlogin.te +++ b/policy/modules/services/rlogin.te 
@@ -27,15 +27,14 @@ files_pid_file(rlogind_var_run_t) # Local policy # -allow rlogind_t self:capability { fsetid chown fowner sys_tty_config dac_override }; +allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override }; allow rlogind_t self:process signal_perms; allow rlogind_t self:fifo_file rw_fifo_file_perms; allow rlogind_t self:tcp_socket connected_stream_socket_perms; # for identd; cjp: this should probably only be inetd_child rules? allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -allow rlogind_t self:capability { setuid setgid }; -allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr }; +allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; term_create_pty(rlogind_t, rlogind_devpts_t) # for /usr/lib/telnetlogin diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te index ea2c0f0..288e6cc 100644 --- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te @@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0) # ## -##

-## Allow gssd to read temp directory. For access to kerberos tgt. -##

+##

+## Allow gssd to read temp directory. For access to kerberos tgt. +##

##
gen_tunable(allow_gssd_read_tmp, true) ## -##

-## Allow nfs servers to modify public files -## used for public file transfer services. Files/Directories must be -## labeled public_content_rw_t. -##

+##

+## Allow nfs servers to modify public files +## used for public file transfer services. Files/Directories must be +## labeled public_content_rw_t. +##

##
gen_tunable(allow_nfsd_anon_write, false) @@ -62,7 +62,7 @@ allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid }; allow rpcd_t self:process { getcap setcap }; allow rpcd_t self:fifo_file rw_fifo_file_perms; -allow rpcd_t rpcd_var_run_t:dir setattr; +allow rpcd_t rpcd_var_run_t:dir setattr_dir_perms; manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t) manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t) files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir }) @@ -162,6 +162,8 @@ storage_raw_read_removable_device(nfsd_t) # Read access to public_content_t and public_content_rw_t miscfiles_read_public_files(nfsd_t) +userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir }) + # Write access to public_content_t and public_content_rw_t tunable_policy(`allow_nfsd_anon_write',` miscfiles_manage_public_files(nfsd_t) @@ -174,7 +176,6 @@ tunable_policy(`nfs_export_all_rw',` fs_read_noxattr_fs_files(nfsd_t) auth_manage_all_files_except_shadow(nfsd_t) ') -userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir }) tunable_policy(`nfs_export_all_ro',` dev_getattr_all_blk_files(nfsd_t) @@ -196,7 +197,7 @@ tunable_policy(`nfs_export_all_ro',` allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice }; allow gssd_t self:process { getsched setsched }; -allow gssd_t self:fifo_file rw_file_perms; +allow gssd_t self:fifo_file rw_fifo_file_perms; manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te index b5cd366..0927db4 100644 --- a/policy/modules/services/snmp.te +++ b/policy/modules/services/snmp.te @@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0) # # Declarations # + type snmpd_t; type snmpd_exec_t; init_daemon_domain(snmpd_t, snmpd_exec_t) 
@@ -24,6 +25,7 @@ files_type(snmpd_var_lib_t) # # Local policy # + allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid sys_ptrace net_admin sys_nice sys_tty_config }; dontaudit snmpd_t self:capability { sys_module sys_tty_config }; allow snmpd_t self:process { signal_perms getsched setsched }; @@ -117,7 +119,7 @@ sysnet_read_config(snmpd_t) userdom_dontaudit_use_unpriv_user_fds(snmpd_t) userdom_dontaudit_search_user_home_dirs(snmpd_t) -ifdef(`distro_redhat', ` +ifdef(`distro_redhat',` optional_policy(` rpm_read_db(snmpd_t) rpm_dontaudit_manage_db(snmpd_t) diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te index d7f4bd4..012723c 100644 --- a/policy/modules/services/snort.te +++ b/policy/modules/services/snort.te @@ -32,17 +32,17 @@ files_pid_file(snort_var_run_t) allow snort_t self:capability { setgid setuid net_admin net_raw dac_override }; dontaudit snort_t self:capability sys_tty_config; allow snort_t self:process signal_perms; -allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; +allow snort_t self:netlink_route_socket create_netlink_socket_perms; allow snort_t self:tcp_socket create_stream_socket_perms; allow snort_t self:udp_socket create_socket_perms; allow snort_t self:packet_socket create_socket_perms; allow snort_t self:socket create_socket_perms; # Snort IPS node. unverified. -allow snort_t self:netlink_firewall_socket { bind create getattr }; +allow snort_t self:netlink_firewall_socket create_socket_perms; allow snort_t snort_etc_t:dir list_dir_perms; allow snort_t snort_etc_t:file read_file_perms; -allow snort_t snort_etc_t:lnk_file { getattr read }; +allow snort_t snort_etc_t:lnk_file read_lnk_file_perms; manage_files_pattern(snort_t, snort_log_t, snort_log_t) create_dirs_pattern(snort_t, snort_log_t, snort_log_t) diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te index 9ad4eff..56e4c2e 100644 
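Review bot: Replacing `{ bind create getattr nlmsg_read read write }` with `create_netlink_socket_perms` on `snort_t self:netlink_route_socket` widens the grant: the macro includes `nlmsg_write` (route-table modification) as well as connect/setopt/shutdown, none of which the old explicit set allowed for an IDS that only needs to read routes. `r_netlink_socket_perms` still rounds up the old set but leaves out `nlmsg_write`, i.e. `allow snort_t self:netlink_route_socket r_netlink_socket_perms;`. The same applies to `netlink_firewall_socket { bind create getattr }` becoming `create_socket_perms`, which adds read/write/connect/setopt on a socket the comment above still marks `unverified`; keep the explicit set there until it is verified.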
--- a/policy/modules/services/spamassassin.te +++ b/policy/modules/services/spamassassin.te @@ -6,85 +6,83 @@ policy_module(spamassassin, 2.3.1) # ## -##

-## Allow user spamassassin clients to use the network. -##

+##

+## Allow user spamassassin clients to use the network. +##

##
gen_tunable(spamassassin_can_network, false) ## -##

-## Allow spamd to read/write user home directories. -##

+##

+## Allow spamd to read/write user home directories. +##

##
gen_tunable(spamd_enable_home_dirs, true) ifdef(`distro_redhat',` -# spamassassin client executable -type spamc_t; -type spamc_exec_t; -application_domain(spamc_t, spamc_exec_t) -role system_r types spamc_t; - -type spamd_etc_t; -files_config_file(spamd_etc_t) - -typealias spamc_exec_t alias spamassassin_exec_t; -typealias spamc_t alias spamassassin_t; - -type spamc_home_t; -userdom_user_home_content(spamc_home_t) -typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; -typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; -typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t }; -typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t }; - -type spamc_tmp_t; -files_tmp_file(spamc_tmp_t) -typealias spamc_tmp_t alias spamassassin_tmp_t; -typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; -typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; - -typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; -typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; -', ` -type spamassassin_t; -type spamassassin_exec_t; -typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t }; -typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t }; -application_domain(spamassassin_t, spamassassin_exec_t) -ubac_constrained(spamassassin_t) - -type spamassassin_home_t; -typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; -typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; -userdom_user_home_content(spamassassin_home_t) -files_poly_member(spamassassin_home_t) - -type spamassassin_tmp_t; -typealias spamassassin_tmp_t alias 
{ user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; -typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; -files_tmp_file(spamassassin_tmp_t) -ubac_constrained(spamassassin_tmp_t) - -type spamc_t; -type spamc_exec_t; -typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t }; -typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t }; -application_domain(spamc_t, spamc_exec_t) -ubac_constrained(spamc_t) - -type spamc_tmp_t; -typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; -typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; -files_tmp_file(spamc_tmp_t) -ubac_constrained(spamc_tmp_t) + # spamassassin client executable + type spamc_t; + type spamc_exec_t; + application_domain(spamc_t, spamc_exec_t) + role system_r types spamc_t; + + type spamd_etc_t; + files_config_file(spamd_etc_t) + + typealias spamc_exec_t alias spamassassin_exec_t; + typealias spamc_t alias spamassassin_t; + + type spamc_home_t; + userdom_user_home_content(spamc_home_t) + typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; + typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; + typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t }; + typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t }; + + type spamc_tmp_t; + files_tmp_file(spamc_tmp_t) + typealias spamc_tmp_t alias spamassassin_tmp_t; + typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; + typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; + + typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; + typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; +',` + type spamassassin_t; + type 
spamassassin_exec_t; + typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t }; + typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t }; + application_domain(spamassassin_t, spamassassin_exec_t) + ubac_constrained(spamassassin_t) + + type spamassassin_home_t; + typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; + typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; + userdom_user_home_content(spamassassin_home_t) + + type spamassassin_tmp_t; + typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; + typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; + files_tmp_file(spamassassin_tmp_t) + ubac_constrained(spamassassin_tmp_t) + + type spamc_t; + type spamc_exec_t; + typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t }; + typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t }; + application_domain(spamc_t, spamc_exec_t) + ubac_constrained(spamc_t) + + type spamc_tmp_t; + typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; + typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; + files_tmp_file(spamc_tmp_t) + ubac_constrained(spamc_tmp_t) ') type spamd_t; type spamd_exec_t; init_daemon_domain(spamd_t, spamd_exec_t) -can_exec(spamd_t, spamd_exec_t) type spamd_compiled_t; files_type(spamd_compiled_t) 
@@ -252,11 +250,6 @@ allow spamc_t self:unix_dgram_socket sendto; allow spamc_t self:unix_stream_socket connectto; allow spamc_t self:tcp_socket create_stream_socket_perms; allow spamc_t self:udp_socket create_socket_perms; -corenet_all_recvfrom_unlabeled(spamc_t) -corenet_all_recvfrom_netlabel(spamc_t) -corenet_tcp_sendrecv_generic_if(spamc_t) -corenet_tcp_sendrecv_generic_node(spamc_t) -corenet_tcp_connect_spamd_port(spamc_t) can_exec(spamc_t, spamc_exec_t) @@ -272,6 +265,9 @@ manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t) userdom_user_home_dir_filetrans(spamc_t, spamc_home_t, { dir file lnk_file sock_file fifo_file }) userdom_append_user_home_content_files(spamc_t) +list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) +read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) + # Allow connecting to a local spamd allow spamc_t spamd_t:unix_stream_socket connectto; allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms; @@ -290,6 +286,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t) corenet_udp_sendrecv_all_ports(spamc_t) corenet_tcp_connect_all_ports(spamc_t) corenet_sendrecv_all_client_packets(spamc_t) +corenet_tcp_connect_spamd_port(spamc_t) fs_search_auto_mountpoints(spamc_t) @@ -309,8 +306,6 @@ files_dontaudit_search_var(spamc_t) # cjp: this may be removable: files_list_home(spamc_t) files_list_var_lib(spamc_t) -list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) -read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) fs_search_auto_mountpoints(spamc_t) @@ -413,6 +408,8 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir }) +can_exec(spamd_t, spamd_exec_t) + kernel_read_all_sysctls(spamd_t) kernel_read_system_state(spamd_t) 
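Review bot: `corenet_tcp_connect_spamd_port(spamc_t)` is removed from the unconditional block after the socket rules and re-added next to `corenet_tcp_connect_all_ports(spamc_t)`; the start of that second hunk is outside this view, and if the surrounding block is the `spamassassin_can_network` tunable (default false per the declarations hunk) then spamc loses the ability to reach a TCP spamd unless the tunable is enabled, a behaviour change the commit does not mention. If the block is unconditional the line is fine but redundant beside `corenet_tcp_connect_all_ports(spamc_t)`; either way a comment such as `# connecting to spamd over TCP` would make the intent clear. The `corenet_all_recvfrom_*` and `corenet_tcp_sendrecv_generic_*` rules removed from the same block also need a surviving unconditional copy for the TCP path to work.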
@@ -508,9 +505,7 @@ optional_policy(` ') optional_policy(` - corenet_tcp_connect_mysqld_port(spamd_t) - corenet_sendrecv_mysqld_client_packets(spamd_t) - + mysql_tcp_connect(spamd_t) mysql_search_db(spamd_t) mysql_stream_connect(spamd_t) ') @@ -520,9 +515,7 @@ optional_policy(` ') optional_policy(` - corenet_tcp_connect_postgresql_port(spamd_t) - corenet_sendrecv_postgresql_client_packets(spamd_t) - + postgresql_tcp_connect(spamd_t) postgresql_stream_connect(spamd_t) ') diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te index 4b2230e..744b172 100644 --- a/policy/modules/services/squid.te +++ b/policy/modules/services/squid.te @@ -6,17 +6,17 @@ policy_module(squid, 1.10.0) # ## -##

-## Allow squid to connect to all ports, not just -## HTTP, FTP, and Gopher ports. -##

+##

+## Allow squid to connect to all ports, not just +## HTTP, FTP, and Gopher ports. +##

##
gen_tunable(squid_connect_any, false) ## -##

-## Allow squid to run as a transparent proxy (TPROXY) -##

+##

+## Allow squid to run as a transparent proxy (TPROXY) +##

##
gen_tunable(squid_use_tproxy, false) diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 68c3057..c7efe5d 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,23 +6,23 @@ policy_module(ssh, 2.2.0) # ## -##

-## allow host key based authentication -##

+##

+## allow host key based authentication +##

##
gen_tunable(allow_ssh_keysign, false) ## -##

-## Allow ssh logins as sysadm_r:sysadm_t -##

+##

+## Allow ssh logins as sysadm_r:sysadm_t +##

##
gen_tunable(ssh_sysadm_login, false) ## -##

-## allow sshd to forward port connections -##

+##

+## allow sshd to forward port connections +##

##
gen_tunable(sshd_forward_ports, false) @@ -32,7 +32,6 @@ attribute ssh_agent_type; type ssh_keygen_t; type ssh_keygen_exec_t; init_system_domain(ssh_keygen_t, ssh_keygen_exec_t) -role system_r types ssh_keygen_t; type sshd_exec_t; corecmd_executable_file(sshd_exec_t) @@ -46,10 +45,6 @@ init_script_file(sshd_initrc_exec_t) type sshd_key_t; files_type(sshd_key_t) -ifdef(`enable_mcs',` - init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh) -') - type ssh_t; type ssh_exec_t; typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t }; @@ -82,9 +77,12 @@ ubac_constrained(ssh_tmpfs_t) type ssh_home_t; typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t }; -files_type(ssh_home_t) userdom_user_home_content(ssh_home_t) +ifdef(`enable_mcs',` + init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh) +') + ############################## # # SSH client local policy @@ -180,10 +178,7 @@ userdom_write_user_tmp_files(ssh_t) userdom_read_user_home_content_symlinks(ssh_t) tunable_policy(`allow_ssh_keysign',` - domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) - allow ssh_keysign_t ssh_t:fd use; - allow ssh_keysign_t ssh_t:process sigchld; - allow ssh_keysign_t ssh_t:fifo_file rw_file_perms; + domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) ') tunable_policy(`use_nfs_home_dirs',` @@ -217,7 +212,6 @@ optional_policy(` dontaudit ssh_keygen_t self:capability sys_tty_config; allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; - allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms; allow ssh_keygen_t sshd_key_t:file manage_file_perms; 
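Review bot: The line `allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;` is removed twice, at `@@ -217,7 +212,6` here and again at `@@ -405,7 +397,6`, and in both places the surrounding `dontaudit ssh_keygen_t self:capability sys_tty_config;` / `allow ssh_keygen_t self:process { ... };` / `allow ssh_keygen_t sshd_key_t:file manage_file_perms;` block is identical, which looks like a duplicated ssh_keygen local-policy section being edited in parallel rather than collapsed. If the file really carries the block twice (the second copy follows `dnl endif TODO`), deleting one copy would stop future edits diverging. The `ifdef(`enable_mcs',` init_ranged_daemon_domain(sshd_t, ...)` block moved at `@@ -82,9` now follows the `ssh_home_t` declarations, which is only valid if `type sshd_t;` is still declared earlier in the file; this chunk does not show that declaration.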
@@ -264,7 +258,7 @@ tunable_policy(`allow_ssh_keysign',`
 allow ssh_keysign_t self:capability { setgid setuid };
 allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
-allow ssh_keysign_t sshd_key_t:file { getattr read };
+allow ssh_keysign_t sshd_key_t:file read_file_perms;
 dev_read_urand(ssh_keysign_t)
@@ -287,7 +281,6 @@ optional_policy(`
 # so a tunnel can point to another ssh tunnel
 allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
 allow sshd_t self:key { search link write };
-allow sshd_t self:process setcurrent;
 kernel_search_key(sshd_t)
@@ -303,15 +296,17 @@ term_use_ptmx(sshd_t)
 corenet_tcp_bind_xserver_port(sshd_t)
 corenet_sendrecv_xserver_server_packets(sshd_t)
-tunable_policy(`sshd_forward_ports', `
- corenet_tcp_bind_all_unreserved_ports(sshd_t)
- corenet_tcp_connect_all_ports(sshd_t)
-')
-
 userdom_read_user_home_content_files(sshd_t)
 userdom_read_user_home_content_symlinks(sshd_t)
 userdom_search_admin_dir(sshd_t)
 userdom_manage_tmp_role(system_r, sshd_t)
+userdom_spec_domtrans_unpriv_users(sshd_t)
+userdom_signal_unpriv_users(sshd_t)
+
+tunable_policy(`sshd_forward_ports',`
+ corenet_tcp_bind_all_unreserved_ports(sshd_t)
+ corenet_tcp_connect_all_ports(sshd_t)
+')
 tunable_policy(`ssh_sysadm_login',`
 # Relabel and access ptys created by sshd
@@ -321,9 +316,6 @@ tunable_policy(`ssh_sysadm_login',`
 userdom_signal_all_users(sshd_t)
 ')
-userdom_spec_domtrans_unpriv_users(sshd_t)
-userdom_signal_unpriv_users(sshd_t)
-
 optional_policy(`
 daemontools_service_domain(sshd_t, sshd_exec_t)
 ')
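Review bot: Dropping `allow sshd_t self:process setcurrent;` at `@@ -287,7 +281,6` tightens sshd_t, but it is not a no-op cleanup: `setcurrent` is the permission a `setcon()` call needs, and some OpenSSH builds call setcon() to re-label the pre-auth privilege-separation child. If the sshd this policy targets does that, the visible effect is a `process setcurrent` AVC denial on every connection (the call is non-fatal) rather than a functional break, so either keep the rule or add `dontaudit sshd_t self:process setcurrent;` with a comment noting that this policy defines no dyntransition target for sshd. The `@@ -303,15` and `@@ -321,9` hunks only relocate the `sshd_forward_ports` tunable and the `userdom_*_unpriv_users` rules, and `read_file_perms` at `@@ -264,7` is a benign widening of `{ getattr read }` for ssh_keysign_t.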
@@ -373,26 +365,26 @@ optional_policy(` ') ifdef(`TODO',` -tunable_policy(`ssh_sysadm_login',` - # Relabel and access ptys created by sshd - # ioctl is necessary for logout() processing for utmp entry and for w to - # display the tty. - # some versions of sshd on the new SE Linux require setattr - allow sshd_t ptyfile:chr_file relabelto; - - optional_policy(` - domain_trans(sshd_t, xauth_exec_t, userdomain) - ') -',` - optional_policy(` - domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain) + tunable_policy(`ssh_sysadm_login',` + # Relabel and access ptys created by sshd + # ioctl is necessary for logout() processing for utmp entry and for w to + # display the tty. + # some versions of sshd on the new SE Linux require setattr + allow sshd_t ptyfile:chr_file relabelto; + + optional_policy(` + domain_trans(sshd_t, xauth_exec_t, userdomain) + ') + ',` + optional_policy(` + domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain) + ') + # Relabel and access ptys created by sshd + # ioctl is necessary for logout() processing for utmp entry and for w to + # display the tty. + # some versions of sshd on the new SE Linux require setattr + allow sshd_t userpty_type:chr_file { relabelto rw_inherited_chr_file_perms setattr_chr_file_perms }; ') - # Relabel and access ptys created by sshd - # ioctl is necessary for logout() processing for utmp entry and for w to - # display the tty. - # some versions of sshd on the new SE Linux require setattr - allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr }; -') ') dnl endif TODO ######################################## @@ -405,7 +397,6 @@ tunable_policy(`ssh_sysadm_login',` dontaudit ssh_keygen_t self:capability sys_tty_config; allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; - allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms; allow ssh_keygen_t sshd_key_t:file manage_file_perms; 
diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
index 07d6748..7113802 100644
--- a/policy/modules/services/sssd.te
+++ b/policy/modules/services/sssd.te
@@ -28,9 +28,10 @@ files_pid_file(sssd_var_run_t)
 #
 # sssd local policy
 #
+
 allow sssd_t self:capability { chown dac_read_search dac_override kill sys_nice setgid setuid };
 allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
-allow sssd_t self:fifo_file rw_file_perms;
+allow sssd_t self:fifo_file rw_fifo_file_perms;
 allow sssd_t self:key manage_key_perms;
 allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -40,7 +41,7 @@ manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
 manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
 manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
 manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
-files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } )
+files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir })
 manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
 logging_log_filetrans(sssd_t, sssd_var_log_t, file)
diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te
index 7ecb27b..296e5ba 100644
--- a/policy/modules/services/stunnel.te
+++ b/policy/modules/services/stunnel.te
@@ -6,17 +6,7 @@ policy_module(stunnel, 1.9.1)
 #
 type stunnel_t;
-domain_type(stunnel_t)
-role system_r types stunnel_t;
-
 type stunnel_exec_t;
-domain_entry_file(stunnel_t, stunnel_exec_t)
-
-ifdef(`distro_gentoo',`
- init_daemon_domain(stunnel_t, stunnel_exec_t)
-',`
- inetd_tcp_service_domain(stunnel_t, stunnel_exec_t)
-')
 type stunnel_etc_t;
 files_config_file(stunnel_etc_t)
@@ -27,6 +17,12 @@ files_tmp_file(stunnel_tmp_t)
 type stunnel_var_run_t;
 files_pid_file(stunnel_var_run_t)
+ifdef(`distro_gentoo',`
+ init_daemon_domain(stunnel_t, stunnel_exec_t)
+',`
+ inetd_tcp_service_domain(stunnel_t, stunnel_exec_t)
+')
+
 ########################################
 #
 # Local policy
@@ -40,7 +36,7 @@ allow stunnel_t self:udp_socket create_socket_perms;
 allow stunnel_t stunnel_etc_t:dir list_dir_perms;
 allow stunnel_t stunnel_etc_t:file read_file_perms;
-allow stunnel_t stunnel_etc_t:lnk_file { getattr read };
+allow stunnel_t stunnel_etc_t:lnk_file read_lnk_file_perms;
 manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
 manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
@@ -77,7 +73,7 @@ miscfiles_read_localization(stunnel_t)
 sysnet_read_config(stunnel_t)
-ifdef(`distro_gentoo', `
+ifdef(`distro_gentoo',`
 dontaudit stunnel_t self:capability sys_tty_config;
 allow stunnel_t self:udp_socket create_socket_perms;
@@ -120,4 +116,5 @@ ifdef(`distro_gentoo', `
 gen_require(`
 type stunnel_port_t;
 ')
+
 allow stunnel_t stunnel_port_t:tcp_socket name_bind;
diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te
index 111b041..3645a22 100644
--- a/policy/modules/services/sysstat.te
+++ b/policy/modules/services/sysstat.te
@@ -8,7 +8,6 @@ policy_module(sysstat, 1.6.0)
 type sysstat_t;
 type sysstat_exec_t;
 init_system_domain(sysstat_t, sysstat_exec_t)
-role system_r types sysstat_t;
 type sysstat_log_t;
 logging_log_file(sysstat_log_t)
@@ -71,4 +70,3 @@ optional_policy(`
 optional_policy(`
 nscd_socket_use(sysstat_t)
 ')
-
diff --git a/policy/modules/services/tcpd.te b/policy/modules/services/tcpd.te
index 7038b55..4e84f23 100644
--- a/policy/modules/services/tcpd.te
+++ b/policy/modules/services/tcpd.te
@@ -7,7 +7,6 @@ policy_module(tcpd, 1.4.0)
 type tcpd_t;
 type tcpd_exec_t;
 inetd_tcp_service_domain(tcpd_t, tcpd_exec_t)
-role system_r types tcpd_t;
 type tcpd_tmp_t;
 files_tmp_file(tcpd_tmp_t)
diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te
index a0eeea9..34c4c57 100644
--- a/policy/modules/services/telnet.te
+++ b/policy/modules/services/telnet.te
@@ -8,7 +8,6 @@ policy_module(telnet, 1.10.0)
 type telnetd_t;
 type telnetd_exec_t;
 inetd_service_domain(telnetd_t, telnetd_exec_t)
-role system_r types telnetd_t;
 type telnetd_devpts_t; #, userpty_type;
 term_login_pty(telnetd_devpts_t)
@@ -24,16 +23,15 @@ files_pid_file(telnetd_var_run_t)
 # Local policy
 #
-allow telnetd_t self:capability { fsetid chown fowner sys_tty_config dac_override };
+allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
 allow telnetd_t self:process signal_perms;
 allow telnetd_t self:fifo_file rw_fifo_file_perms;
 allow telnetd_t self:tcp_socket connected_stream_socket_perms;
 allow telnetd_t self:udp_socket create_socket_perms;
 # for identd; cjp: this should probably only be inetd_child rules?
 allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow telnetd_t self:capability { setuid setgid };
-allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr };
+allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
 term_create_pty(telnetd_t, telnetd_devpts_t)
 manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
@@ -69,8 +67,6 @@ corecmd_search_bin(telnetd_t)
 files_read_usr_files(telnetd_t)
 files_read_etc_files(telnetd_t)
 files_read_etc_runtime_files(telnetd_t)
-# for identd; cjp: this should probably only be inetd_child rules?
-files_search_home(telnetd_t)
 init_rw_utmp(telnetd_t)
@@ -87,11 +83,6 @@ userdom_setattr_user_ptys(telnetd_t)
 userdom_manage_user_tmp_files(telnetd_t)
 userdom_tmp_filetrans_user_tmp(telnetd_t, file)
-optional_policy(`
- kerberos_keytab_template(telnetd, telnetd_t)
- kerberos_manage_host_rcache(telnetd_t)
-')
-
 tunable_policy(`use_nfs_home_dirs',`
 fs_search_nfs(telnetd_t)
 ')
@@ -99,3 +90,9 @@ tunable_policy(`use_nfs_home_dirs',` tunable_policy(`use_samba_home_dirs',` fs_search_cifs(telnetd_t) ') + +optional_policy(` + kerberos_keytab_template(telnetd, telnetd_t) + kerberos_manage_host_rcache(telnetd_t) +') + diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te index 66bfd1c..97ce79e 100644 --- a/policy/modules/services/tftp.te +++ b/policy/modules/services/tftp.te @@ -6,10 +6,10 @@ policy_module(tftp, 1.12.0) # ## -##

-## Allow tftp to modify public files -## used for public file transfer services. -##

+##

+## Allow tftp to modify public files +## used for public file transfer services. +##

##
gen_tunable(tftp_anon_write, false) @@ -32,15 +32,15 @@ files_type(tftpdir_rw_t) # allow tftpd_t self:capability { setgid setuid sys_chroot }; +dontaudit tftpd_t self:capability sys_tty_config; allow tftpd_t self:tcp_socket create_stream_socket_perms; allow tftpd_t self:udp_socket create_socket_perms; allow tftpd_t self:unix_dgram_socket create_socket_perms; allow tftpd_t self:unix_stream_socket create_stream_socket_perms; -dontaudit tftpd_t self:capability sys_tty_config; allow tftpd_t tftpdir_t:dir list_dir_perms; allow tftpd_t tftpdir_t:file read_file_perms; -allow tftpd_t tftpdir_t:lnk_file { getattr read }; +allow tftpd_t tftpdir_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) diff --git a/policy/modules/services/tgtd.te b/policy/modules/services/tgtd.te index 678ab90..44dfdc8 100644 --- a/policy/modules/services/tgtd.te +++ b/policy/modules/services/tgtd.te @@ -29,7 +29,7 @@ files_type(tgtd_var_lib_t) allow tgtd_t self:capability sys_resource; allow tgtd_t self:process { setrlimit signal }; allow tgtd_t self:fifo_file rw_fifo_file_perms; -allow tgtd_t self:netlink_route_socket { create_socket_perms nlmsg_read }; +allow tgtd_t self:netlink_route_socket create_netlink_socket_perms; allow tgtd_t self:shm create_shm_perms; allow tgtd_t self:sem create_sem_perms; allow tgtd_t self:tcp_socket create_stream_socket_perms; diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te index 0a0074c..7f0d9a9 100644 --- a/policy/modules/services/tor.te +++ b/policy/modules/services/tor.te @@ -6,10 +6,10 @@ policy_module(tor, 1.7.0) # ## -##
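Review bot: `create_netlink_socket_perms` is not a drop-in for the removed `{ create_socket_perms nlmsg_read }` on tgtd_t's `netlink_route_socket` in the tgtd.te hunk `@@ -29,7 +29,7 @`: that permission set also carries `nlmsg_write`, so the line quietly grants tgtd the ability to change routing state over netlink. The set that reproduces the old rule exactly is `r_netlink_socket_perms`, which this same commit uses for `sshd_t` and `tor_t`; the line should read `allow tgtd_t self:netlink_route_socket r_netlink_socket_perms;`. If write access really is needed, the widening deserves a comment on the line and a mention in the commit message. The tftp `@@ -32,15` hunk (reordered `dontaudit` and `read_lnk_file_perms`) is a faithful restyle.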

-## Allow tor daemon to bind -## tcp sockets to all unreserved ports. -##

+##

+## Allow tor daemon to bind +## tcp sockets to all unreserved ports. +##

##
gen_tunable(tor_bind_all_unreserved_ports, false) @@ -43,7 +43,6 @@ files_pid_file(tor_var_run_t) allow tor_t self:capability { setgid setuid sys_tty_config }; allow tor_t self:process signal; - allow tor_t self:fifo_file rw_fifo_file_perms; allow tor_t self:unix_stream_socket create_stream_socket_perms; allow tor_t self:netlink_route_socket r_netlink_socket_perms; @@ -108,7 +107,7 @@ logging_send_syslog_msg(tor_t) miscfiles_read_localization(tor_t) -tunable_policy(`tor_bind_all_unreserved_ports', ` +tunable_policy(`tor_bind_all_unreserved_ports',` corenet_tcp_bind_all_unreserved_ports(tor_t) ') diff --git a/policy/modules/services/ucspitcp.te b/policy/modules/services/ucspitcp.te index dd23a9c..37c056b 100644 --- a/policy/modules/services/ucspitcp.te +++ b/policy/modules/services/ucspitcp.te @@ -8,12 +8,10 @@ policy_module(ucspitcp, 1.3.0) type rblsmtpd_t; type rblsmtpd_exec_t; init_system_domain(rblsmtpd_t, rblsmtpd_exec_t) -role system_r types rblsmtpd_t; type ucspitcp_t; type ucspitcp_exec_t; init_system_domain(ucspitcp_t, ucspitcp_exec_t) -role system_r types ucspitcp_t; ######################################## # @@ -89,10 +87,7 @@ sysnet_read_config(ucspitcp_t) optional_policy(` daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t) + daemontools_sigchld_run(ucspitcp_t) daemontools_read_svc(ucspitcp_t) ') -optional_policy(` - daemontools_sigchld_run(ucspitcp_t) -') - diff --git a/policy/modules/services/ulogd.te b/policy/modules/services/ulogd.te index eb4d8d5..ef97cb3 100644 --- a/policy/modules/services/ulogd.te +++ b/policy/modules/services/ulogd.te @@ -54,10 +54,11 @@ miscfiles_read_localization(ulogd_t) sysnet_dns_name_resolve(ulogd_t) optional_policy(` - mysql_stream_connect(ulogd_t) + mysql_stream_connect(ulogd_t) + mysql_tcp_connect(ulogd_t) ') optional_policy(` - postgresql_stream_connect(ulogd_t) + postgresql_stream_connect(ulogd_t) postgresql_tcp_connect(ulogd_t) ') 
diff --git a/policy/modules/services/uptime.te b/policy/modules/services/uptime.te
index c2cf97e..037a1e8 100644
--- a/policy/modules/services/uptime.te
+++ b/policy/modules/services/uptime.te
@@ -25,7 +25,7 @@ files_pid_file(uptimed_var_run_t)
 dontaudit uptimed_t self:capability sys_tty_config;
 allow uptimed_t self:process signal_perms;
-allow uptimed_t self:fifo_file write_file_perms;
+allow uptimed_t self:fifo_file write_fifo_file_perms;
 allow uptimed_t uptimed_etc_t:file read_file_perms;
 files_search_etc(uptimed_t)
diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
index ec1562b..1e40c2a 100644
--- a/policy/modules/services/uucp.te
+++ b/policy/modules/services/uucp.te
@@ -7,7 +7,6 @@ policy_module(uucp, 1.11.0)
 type uucpd_t;
 type uucpd_exec_t;
 inetd_tcp_service_domain(uucpd_t, uucpd_exec_t)
-role system_r types uucpd_t;
 type uucpd_lock_t;
 files_lock_file(uucpd_lock_t)
@@ -124,7 +123,7 @@ optional_policy(`
 #
 allow uux_t self:capability { setuid setgid };
-allow uux_t self:fifo_file write_file_perms;
+allow uux_t self:fifo_file write_fifo_file_perms;
 uucp_append_log(uux_t)
 uucp_manage_spool(uux_t)
diff --git a/policy/modules/services/varnishd.te b/policy/modules/services/varnishd.te
index 95c6dc3..c6bf70e 100644
--- a/policy/modules/services/varnishd.te
+++ b/policy/modules/services/varnishd.te
@@ -6,10 +6,10 @@ policy_module(varnishd, 1.1.0)
 #
 ##
-##

-## Allow varnishd to connect to all ports, -## not just HTTP. -##

+##

+## Allow varnishd to connect to all ports, +## not just HTTP. +##

##
gen_tunable(varnishd_connect_any, false) @@ -70,7 +70,7 @@ manage_files_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t) files_var_lib_filetrans(varnishd_t, varnishd_var_lib_t, { dir file }) manage_files_pattern(varnishd_t, varnishd_var_run_t, varnishd_var_run_t) -files_pid_filetrans(varnishd_t, varnishd_var_run_t, { file }) +files_pid_filetrans(varnishd_t, varnishd_var_run_t, file) kernel_read_system_state(varnishd_t) @@ -108,7 +108,7 @@ tunable_policy(`varnishd_connect_any',` # manage_files_pattern(varnishlog_t, varnishlog_var_run_t, varnishlog_var_run_t) -files_pid_filetrans(varnishlog_t, varnishlog_var_run_t, { file }) +files_pid_filetrans(varnishlog_t, varnishlog_var_run_t, file) manage_dirs_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t) manage_files_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t) diff --git a/policy/modules/services/vhostmd.te b/policy/modules/services/vhostmd.te index f56f51f..7baeb6f 100644 --- a/policy/modules/services/vhostmd.te +++ b/policy/modules/services/vhostmd.te @@ -25,7 +25,7 @@ files_pid_file(vhostmd_var_run_t) allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid }; allow vhostmd_t self:process { setsched getsched }; -allow vhostmd_t self:fifo_file rw_file_perms; +allow vhostmd_t self:fifo_file rw_fifo_file_perms; manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t) manage_files_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t) diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te index 8dac607..62e349a 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -4,54 +4,55 @@ policy_module(virt, 1.4.0) # # Declarations # + attribute virsh_transition_domain; ## -##

-## Allow virt to use serial/parallell communication ports -##

+##

+## Allow virt to use serial/parallell communication ports +##

##
gen_tunable(virt_use_comm, false) ## -##

-## Allow virt to read fuse files -##

+##

+## Allow virt to read fuse files +##

##
gen_tunable(virt_use_fusefs, false) ## -##

-## Allow virt to manage nfs files -##

+##

+## Allow virt to manage nfs files +##

##
gen_tunable(virt_use_nfs, false) ## -##

-## Allow virt to manage cifs files -##

+##

+## Allow virt to manage cifs files +##

##
gen_tunable(virt_use_samba, false) ## -##

-## Allow virt to manage device configuration, (pci) -##

+##

+## Allow virt to manage device configuration, (pci) +##

##
gen_tunable(virt_use_sysfs, false) ## -##

-## Allow virtual machine to interact with the xserver -##

+##

+## Allow virtual machine to interact with the xserver +##

##
gen_tunable(virt_use_xserver, false) ## -##

-## Allow virt to use usb devices -##

+##

+## Allow virt to use usb devices +##

##
gen_tunable(virt_use_usb, true) @@ -205,7 +206,6 @@ optional_policy(` allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; - allow virtd_t self:fifo_file rw_fifo_file_perms; allow virtd_t self:unix_stream_socket create_stream_socket_perms; allow virtd_t self:tcp_socket create_stream_socket_perms; @@ -473,7 +473,7 @@ optional_policy(` allow virt_domain self:capability { dac_read_search dac_override kill }; allow virt_domain self:process { execmem execstack signal getsched signull }; -allow virt_domain self:fifo_file rw_file_perms; +allow virt_domain self:fifo_file rw_fifo_file_perms; allow virt_domain self:shm create_shm_perms; allow virt_domain self:unix_stream_socket create_stream_socket_perms; allow virt_domain self:unix_dgram_socket { create_socket_perms sendto }; @@ -571,15 +571,12 @@ optional_policy(` # type virsh_t; type virsh_exec_t; -domain_type(virsh_t) init_system_domain(virsh_t, virsh_exec_t) typealias virsh_t alias xm_t; typealias virsh_exec_t alias xm_exec_t; allow virsh_t self:capability { dac_override ipc_lock sys_tty_config }; allow virsh_t self:process { getcap getsched setcap signal }; - -# internal communication is often done using fifo and unix sockets. allow virsh_t self:fifo_file rw_fifo_file_perms; allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow virsh_t self:tcp_socket create_stream_socket_perms; @@ -647,7 +644,7 @@ optional_policy(` optional_policy(` vhostmd_rw_tmpfs_files(virsh_t) - vhostmd_stream_connect(virsh_t) + vhostmd_stream_connect(virsh_t) vhostmd_dontaudit_rw_stream_connect(virsh_t) ') @@ -672,4 +669,3 @@ optional_policy(` userdom_search_admin_dir(virsh_ssh_t) ') - 
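Review bot: `allow virtd_t self:fifo_file rw_fifo_file_perms;` is removed at `@@ -205,7 +206,6` with no replacement visible in this chunk, and it sits among the other `self:` rules for virtd_t rather than looking like a stray duplicate. Unless the same access is granted through an interface elsewhere in the file, libvirtd's internal pipes will start raising fifo_file denials; either keep the rule or say in the commit message where the equivalent grant lives. At `@@ -571,15` the comment `# internal communication is often done using fifo and unix sockets.` is deleted while the `allow virsh_t self:fifo_file rw_fifo_file_perms;` it explained stays; the one-line rationale is worth keeping. The `rw_file_perms` to `rw_fifo_file_perms` change at `@@ -473,7` and the `domain_type(virsh_t)` removal (covered by `init_system_domain`) are fine.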
diff --git a/policy/modules/services/vnstatd.if b/policy/modules/services/vnstatd.if index 14f8906..b9104b7 100644 --- a/policy/modules/services/vnstatd.if +++ b/policy/modules/services/vnstatd.if @@ -6,7 +6,7 @@ ## ## ## -## Domain allowed access. +## Domain allowed to transition. ## ## # @@ -24,7 +24,7 @@ interface(`vnstatd_domtrans',` ## ## ## -## Domain allowed access. +## Domain allowed to transition. ## ## # diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te index db526e6..8ec07ff 100644 --- a/policy/modules/services/vnstatd.te +++ b/policy/modules/services/vnstatd.te @@ -1,4 +1,4 @@ -policy_module(vnstatd,1.0.0) +policy_module(vnstatd, 1.0.0) ######################################## # @@ -24,13 +24,12 @@ cron_system_entry(vnstat_t, vnstat_exec_t) # vnstatd local policy # allow vnstatd_t self:process { fork signal }; - allow vnstatd_t self:fifo_file rw_fifo_file_perms; allow vnstatd_t self:unix_stream_socket create_stream_socket_perms; manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) -files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file } ) +files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file }) domain_use_interactive_fds(vnstatd_t) @@ -44,14 +43,13 @@ miscfiles_read_localization(vnstatd_t) # # vnstat local policy # -allow vnstat_t self:process { signal }; - +allow vnstat_t self:process signal; allow vnstat_t self:fifo_file rw_fifo_file_perms; allow vnstat_t self:unix_stream_socket create_stream_socket_perms; manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t) manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t) -files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file } ) +files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file }) kernel_read_network_state(vnstat_t) kernel_read_system_state(vnstat_t) 
@@ -65,5 +63,3 @@ fs_getattr_xattr_fs(vnstat_t) logging_send_syslog_msg(vnstat_t) miscfiles_read_localization(vnstat_t) - - diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index 29d5384..c80794b 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,44 +26,43 @@ gen_require(` # ## -##

-## Allows clients to write to the X server shared -## memory segments. -##

+##

+## Allows clients to write to the X server shared +## memory segments. +##

##
gen_tunable(allow_write_xshm, false) ## -##

-## Allows XServer to execute writable memory -##

+##

+## Allows XServer to execute writable memory +##

##
gen_tunable(allow_xserver_execmem, false) ## -##

-## Allow xdm logins as sysadm -##

+##

+## Allow xdm logins as sysadm +##

##
gen_tunable(xdm_sysadm_login, false) ## -##

-## Support X userspace object manager -##

+##

+## Support X userspace object manager +##

##
gen_tunable(xserver_object_manager, false) ## -##

-## Allow regular users direct dri device access -##

+##

+## Allow regular users direct dri device access +##

##
gen_tunable(user_direct_dri, false) attribute xdmhomewriter; attribute x_userdomain; - attribute x_domain; # X Events @@ -121,19 +120,18 @@ typealias user_input_xevent_t alias { auditadm_input_xevent_t secadm_input_xeven type remote_t; xserver_object_types_template(remote) -xserver_common_x_domain_template(remote,remote_t) +xserver_common_x_domain_template(remote, remote_t) type user_fonts_t; typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t }; typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t }; -typealias user_fonts_t alias { xguest_fonts_t unconfined_fonts_t user_fonts_home_t }; +typealias user_fonts_t alias { xguest_fonts_t unconfined_fonts_t user_fonts_home_t }; userdom_user_home_content(user_fonts_t) type user_fonts_cache_t; typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t }; typealias user_fonts_cache_t alias { auditadm_fonts_cache_t secadm_fonts_cache_t }; typealias user_fonts_cache_t alias { xguest_fonts_cache_t unconfined_fonts_cache_t }; -; userdom_user_home_content(user_fonts_cache_t) type user_fonts_config_t; @@ -153,8 +151,7 @@ ubac_constrained(iceauth_t) type iceauth_home_t; typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t }; typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t }; -typealias iceauth_home_t alias { xguest_iceauth_home_t }; -files_poly_member(iceauth_home_t) +typealias iceauth_home_t alias { xguest_iceauth_home_t }; userdom_user_home_content(iceauth_home_t) type xauth_t; @@ -169,7 +166,6 @@ type xauth_home_t; typealias xauth_home_t alias { user_xauth_home_t staff_xauth_home_t sysadm_xauth_home_t }; typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t }; typealias xauth_home_t alias { xguest_xauth_home_t unconfined_xauth_home_t }; -files_poly_member(xauth_home_t) userdom_user_home_content(xauth_home_t) type xauth_tmp_t; 
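Review bot: `files_poly_member(iceauth_home_t)` and `files_poly_member(xauth_home_t)` are dropped at `@@ -153,8 +151,7` and `@@ -169,7 +166,6`, leaving only `userdom_user_home_content(...)` on each type. That is safe only if `userdom_user_home_content()` (or the attribute it assigns) already marks the type as a polyinstantiated-directory member; nothing in this chunk shows that, so please confirm, otherwise systems using polyinstantiated home directories lose the ability to place these types under the per-session directory. The removal of the stray `;` line at `@@ -121,19 +120,18` is a genuine syntax cleanup, and the parallel `files_type(ssh_home_t)` removal in ssh.te follows the same consolidation.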
@@ -292,13 +288,13 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(iceauth_t) ') -ifdef(`hide_broken_symptoms', ` +ifdef(`hide_broken_symptoms',` dev_dontaudit_read_urand(iceauth_t) dev_dontaudit_rw_dri(iceauth_t) dev_dontaudit_rw_generic_dev_nodes(iceauth_t) fs_dontaudit_list_inotifyfs(iceauth_t) fs_dontaudit_rw_anon_inodefs_files(iceauth_t) - term_dontaudit_use_unallocated_ttys(iceauth_t) + term_dontaudit_use_unallocated_ttys(iceauth_t) userdom_dontaudit_read_user_home_content_files(iceauth_t) userdom_dontaudit_write_user_home_content_files(iceauth_t) @@ -362,17 +358,17 @@ userdom_use_user_terminals(xauth_t) userdom_read_user_tmp_files(xauth_t) userdom_read_all_users_state(xauth_t) -ifdef(`hide_broken_symptoms', ` - fs_dontaudit_rw_anon_inodefs_files(xauth_t) - fs_dontaudit_list_inotifyfs(xauth_t) - userdom_manage_user_home_content_files(xauth_t) - userdom_manage_user_tmp_files(xauth_t) - dev_dontaudit_rw_generic_dev_nodes(xauth_t) - miscfiles_read_fonts(xauth_t) -') - xserver_rw_xdm_tmp_files(xauth_t) +ifdef(`hide_broken_symptoms',` + fs_dontaudit_rw_anon_inodefs_files(xauth_t) + fs_dontaudit_list_inotifyfs(xauth_t) + userdom_manage_user_home_content_files(xauth_t) + userdom_manage_user_tmp_files(xauth_t) + dev_dontaudit_rw_generic_dev_nodes(xauth_t) + miscfiles_read_fonts(xauth_t) +') + tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files(xauth_t) fs_read_nfs_symlinks(xauth_t) @@ -382,8 +378,8 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(xauth_t) ') -ifdef(`hide_broken_symptoms', ` - term_dontaudit_use_unallocated_ttys(xauth_t) +ifdef(`hide_broken_symptoms',` + term_dontaudit_use_unallocated_ttys(xauth_t) dev_dontaudit_rw_dri(xauth_t) ') 
@@ -403,8 +399,7 @@ optional_policy(` # allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace }; -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate ptrace }; -allow xdm_t self:process { getattr getcap setcap }; +allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched setsched setrlimit signal_perms setkeycreate ptrace }; allow xdm_t self:fifo_file rw_fifo_file_perms; allow xdm_t self:shm create_shm_perms; allow xdm_t self:sem create_sem_perms; @@ -419,7 +414,7 @@ allow xdm_t self:key { search link write }; allow xdm_t xauth_home_t:file manage_file_perms; -allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; +allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms }; manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) @@ -470,7 +465,7 @@ manage_dirs_pattern(xdm_t, xdm_spool_t, xdm_spool_t) manage_files_pattern(xdm_t, xdm_spool_t, xdm_spool_t) files_spool_filetrans(xdm_t, xdm_spool_t, { file dir }) -manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) +manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) manage_sock_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) @@ -488,7 +483,7 @@ allow xdm_t xserver_t:process { signal signull }; allow xdm_t xserver_t:unix_stream_socket connectto; allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms; -allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms }; +allow xdm_t xserver_tmp_t:dir { setattr_dir_perms list_dir_perms }; # transition to the xdm xserver domtrans_pattern(xdm_t, xserver_exec_t, xserver_t) 
@@ -656,6 +651,14 @@ application_signal(xdm_t) xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) +ifndef(`distro_redhat',` + allow xdm_t self:process { execheap execmem }; +') + +ifdef(`distro_rhel4',` + allow xdm_t self:process { execheap execmem }; +') + tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_t) fs_manage_nfs_files(xdm_t) @@ -728,10 +731,8 @@ optional_policy(` optional_policy(` networkmanager_dbus_chat(xdm_t) ') - ') - optional_policy(` # Talk to the console mouse server. gpm_stream_connect(xdm_t) @@ -763,7 +764,7 @@ optional_policy(` ') optional_policy(` - policykit_dbus_chat(xdm_t) + policykit_dbus_chat(xdm_t) policykit_domtrans_auth(xdm_t) policykit_read_lib(xdm_t) policykit_read_reload(xdm_t) @@ -822,14 +823,6 @@ optional_policy(` unconfined_signal(xdm_t) ') - ifndef(`distro_redhat',` - allow xdm_t self:process { execheap execmem }; - ') - - ifdef(`distro_rhel4',` - allow xdm_t self:process { execheap execmem }; - ') - optional_policy(` userhelper_dontaudit_search_config(xdm_t) ') @@ -884,10 +877,6 @@ allow xserver_t self:udp_socket create_socket_perms; allow xserver_t self:netlink_selinux_socket create_socket_perms; allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms; -# Device rules -allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell }; -allow x_domain xserver_t:x_screen getattr; - allow xserver_t { input_xevent_t input_xevent_type }:x_event send; domtrans_pattern(xserver_t, xauth_exec_t, xauth_t) 
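Review bot: The `ifndef(`distro_redhat',` ... { execheap execmem }` and `ifdef(`distro_rhel4',` ...` blocks inserted at `@@ -656,6 +651,14` are the lines removed at `@@ -822,14 +823,6`, but the removed copy appears indented one level inside an enclosing block (its context is `unconfined_signal(xdm_t)` under an `optional_policy(`), while the new copy is at top level. If that reading is right, the move turns a grant that applied only when that enclosing block was active into an unconditional `execheap`/`execmem` grant for xdm_t on every non-redhat build, which is a privilege widening rather than a cosmetic relocation; keep it inside the original block or state the intent in the commit message. Separately, `allow x_domain xserver_t:x_device { ... };` and `allow x_domain xserver_t:x_screen getattr;` removed at `@@ -884,10 +877,6` have no replacement visible here; confirm they were moved into the shared x_domain section rather than dropped, since X clients need `x_device` use/grab to function at all.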
@@ -912,11 +901,11 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
-manage_dirs_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)
+manage_dirs_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)
 manage_files_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)
 files_var_lib_filetrans(xserver_t, xserver_var_lib_t, dir)
-manage_dirs_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)
+manage_dirs_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)
 manage_files_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)
 manage_sock_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
 files_pid_filetrans(xserver_t, xserver_var_run_t, { file dir })
@@ -1126,7 +1115,7 @@ allow xserver_t xdm_t:shm rw_shm_perms;
 # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
 # handle of a file inside the dir!!!
 allow xserver_t xdm_var_lib_t:file read_file_perms;
-dontaudit xserver_t xdm_var_lib_t:dir search;
+dontaudit xserver_t xdm_var_lib_t:dir search_dir_perms;
 read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
@@ -1136,7 +1125,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 # Run xkbcomp.
-allow xserver_t xkb_var_lib_t:lnk_file read;
+allow xserver_t xkb_var_lib_t:lnk_file read_lnk_file_perms;
 can_exec(xserver_t, xkb_var_lib_t)
 # VNC v4 module in X server
@@ -1153,10 +1142,6 @@ userdom_read_all_users_state(xserver_t)
 xserver_use_user_fonts(xserver_t)
-optional_policy(`
- userhelper_search_config(xserver_t)
-')
-
 tunable_policy(`use_nfs_home_dirs',`
 fs_manage_nfs_dirs(xserver_t)
 fs_manage_nfs_files(xserver_t)
@@ -1186,6 +1171,10 @@ optional_policy(`
 rhgb_rw_tmpfs_files(xserver_t)
 ')
+optional_policy(`
+ userhelper_search_config(xserver_t)
+')
+
 ########################################
 #
 # Rules common to all X window domains
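Review bot: The `dontaudit xserver_t xdm_var_lib_t:dir` rule at `@@ -1126` is widened from the single `search` permission to `search_dir_perms`, which in refpolicy's permission sets also covers `getattr` and `open` (confirm against this tree's obj_perm_sets.spt), so additional denial classes on that directory are now silenced rather than logged. The comment directly above stresses that directory access is deliberately not granted, so a wider dontaudit removes audit evidence for exactly the access the comment wants kept out. If only `search` noise is expected, keep `dontaudit xserver_t xdm_var_lib_t:dir search;`; otherwise extend that comment to state which extra permissions are expected to be denied quietly and why.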
@@ -1229,7 +1218,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
 allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
 # operations allowed on my windows
 allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
-allow x_domain self:x_drawable { blend };
+allow x_domain self:x_drawable blend;
 # operations allowed on all windows
 allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
@@ -1283,11 +1272,31 @@ allow x_domain self:x_resource { read write };
 # can mess with the screensaver
 allow x_domain xserver_t:x_screen { getattr saver_getattr };
+# Device rules
+allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell };
+allow x_domain xserver_t:x_screen getattr;
+
 ########################################
 #
 # Rules for unconfined access to this module
 #
+allow xserver_unconfined_type xserver_t:x_server *;
+allow xserver_unconfined_type xdrawable_type:x_drawable *;
+allow xserver_unconfined_type xserver_t:x_screen *;
+allow xserver_unconfined_type x_domain:x_gc *;
+allow xserver_unconfined_type xcolormap_type:x_colormap *;
+allow xserver_unconfined_type xproperty_type:x_property *;
+allow xserver_unconfined_type xselection_type:x_selection *;
+allow xserver_unconfined_type x_domain:x_cursor *;
+allow xserver_unconfined_type x_domain:x_client *;
+allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
+allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *;
+allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
+allow xserver_unconfined_type xextension_type:x_extension *;
+allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
+allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
+
 tunable_policy(`! xserver_object_manager',`
 # should be xserver_unconfined(x_domain),
 # but typeattribute doesnt work in conditionals
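Review bot: The relocated `allow x_domain xserver_t:x_screen getattr;` under `# Device rules` duplicates the context line immediately above it, `allow x_domain xserver_t:x_screen { getattr saver_getattr };`, which already grants `getattr` on the same object class. Since the block is being moved anyway, this is the moment to drop the redundant line, or fold the two into one statement so the x_screen grant for x_domain is stated once; the `x_device` line beside it is not duplicated and can stay as is.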
@@ -1309,31 +1318,6 @@ tunable_policy(`! xserver_object_manager',`
 allow x_domain xevent_type:{ x_event x_synthetic_event } *;
 ')
-allow xserver_unconfined_type xserver_t:x_server *;
-allow xserver_unconfined_type xdrawable_type:x_drawable *;
-allow xserver_unconfined_type xserver_t:x_screen *;
-allow xserver_unconfined_type x_domain:x_gc *;
-allow xserver_unconfined_type xcolormap_type:x_colormap *;
-allow xserver_unconfined_type xproperty_type:x_property *;
-allow xserver_unconfined_type xselection_type:x_selection *;
-allow xserver_unconfined_type x_domain:x_cursor *;
-allow xserver_unconfined_type x_domain:x_client *;
-allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
-allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *;
-allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
-allow xserver_unconfined_type xextension_type:x_extension *;
-allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
-allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
-
-optional_policy(`
- unconfined_rw_shm(xserver_t)
- unconfined_execmem_rw_shm(xserver_t)
-
- # xserver signals unconfined user on startx
- unconfined_signal(xserver_t)
- unconfined_getpgid(xserver_t)
-')
-
 tunable_policy(`allow_xserver_execmem',`
 allow xserver_t self:process { execheap execmem execstack };
 ')
@@ -1354,3 +1338,12 @@ tunable_policy(`use_nfs_home_dirs',`
 tunable_policy(`use_samba_home_dirs',`
 fs_append_cifs_files(xdmhomewriter)
 ')
+
+optional_policy(`
+ unconfined_rw_shm(xserver_t)
+ unconfined_execmem_rw_shm(xserver_t)
+
+ # xserver signals unconfined user on startx
+ unconfined_signal(xserver_t)
+ unconfined_getpgid(xserver_t)
+')
diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te
index b8dd21a..20d7cde 100644
--- a/policy/modules/services/zabbix.te
+++ b/policy/modules/services/zabbix.te
@@ -26,11 +26,11 @@ files_pid_file(zabbix_var_run_t)
 #
 allow zabbix_t self:capability { setuid setgid };
-allow zabbix_t self:fifo_file rw_file_perms;
+allow zabbix_t self:fifo_file rw_fifo_file_perms;
 allow zabbix_t self:unix_stream_socket create_stream_socket_perms;
 # log files
-allow zabbix_t zabbix_log_t:dir setattr;
+allow zabbix_t zabbix_log_t:dir setattr_dir_perms;
 manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
 logging_log_filetrans(zabbix_t, zabbix_log_t, file)
diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te
index 3509088..3ce4d86 100644
--- a/policy/modules/services/zarafa.te
+++ b/policy/modules/services/zarafa.te
@@ -47,7 +47,7 @@ files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir })
 # zarafa_server local policy
 #
-allow zarafa_server_t self:capability { chown kill net_bind_service};
+allow zarafa_server_t self:capability { chown kill net_bind_service };
 allow zarafa_server_t self:process { setrlimit signal };
 corenet_tcp_bind_zarafa_port(zarafa_server_t)
@@ -73,7 +73,7 @@ optional_policy(`
 #
 allow zarafa_spooler_t self:capability { chown kill };
-allow zarafa_spooler_t self:process { signal };
+allow zarafa_spooler_t self:process signal;
 corenet_tcp_connect_smtp_port(zarafa_spooler_t)
@@ -110,7 +110,6 @@ allow zarafa_monitor_t self:capability chown;
 # bad permission on /etc/zarafa
 allow zarafa_domain self:capability { dac_override setgid setuid };
-
 allow zarafa_domain self:fifo_file rw_fifo_file_perms;
 allow zarafa_domain self:tcp_socket create_stream_socket_perms;
 allow zarafa_domain self:unix_stream_socket create_stream_socket_perms;
diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te
index c349adc..f0b1201 100644
--- a/policy/modules/services/zebra.te
+++ b/policy/modules/services/zebra.te
@@ -6,11 +6,10 @@ policy_module(zebra, 1.11.1)
 #
 ##
-##

-## Allow zebra daemon to write it configuration files
-##

+##

+## Allow zebra daemon to write it configuration files
+##

##
-#
 gen_tunable(allow_zebra_write_config, false)
 type zebra_t;
@@ -52,7 +51,7 @@ allow zebra_t zebra_conf_t:dir list_dir_perms;
 read_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
 read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
-allow zebra_t zebra_log_t:dir setattr;
+allow zebra_t zebra_log_t:dir setattr_dir_perms;
 manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
 manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
 logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir })
diff --git a/policy/modules/services/zosremote.te b/policy/modules/services/zosremote.te
index f9a06d2..3d407c6 100644
--- a/policy/modules/services/zosremote.te
+++ b/policy/modules/services/zosremote.te
@@ -16,7 +16,7 @@ logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t)
 #
 allow zos_remote_t self:process signal;
-allow zos_remote_t self:fifo_file rw_file_perms;
+allow zos_remote_t self:fifo_file rw_fifo_file_perms;
 allow zos_remote_t self:unix_stream_socket create_stream_socket_perms;
 files_read_etc_files(zos_remote_t)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index d7abdd1..00283ba 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -520,7 +520,7 @@ logging_read_audit_config(initrc_t)
 miscfiles_read_localization(initrc_t)
 # slapd needs to read cert files from its initscript
-miscfiles_manage_cert_files(initrc_t)
+miscfiles_manage_generic_cert_files(initrc_t)
 modutils_read_module_config(initrc_t)
 modutils_domtrans_insmod(initrc_t)
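Review bot: The comment kept above the changed line in the init.te hunk at `@@ -520` says slapd's initscript needs to read cert files, but the interface swapped in, `miscfiles_manage_generic_cert_files(initrc_t)`, still grants initrc_t create/write/delete over generic cert files, which is broader than the stated need. If read access is sufficient, a read-only cert interface (e.g. `miscfiles_read_certs(initrc_t)`, if that interface is still present in this tree) keeps initrc_t from being able to replace trust anchors; if write access really is required, the comment should say so, e.g. `# slapd initscript writes cert files, so manage (not just read) is required`. Also confirm that `miscfiles_manage_generic_cert_files` is defined in this tree's miscfiles.if, since the interface rename itself is not part of this diff.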