diff --git a/policy/modules/services/mpd.if b/policy/modules/services/mpd.if
index 733dc77..311aaed 100644
--- a/policy/modules/services/mpd.if
+++ b/policy/modules/services/mpd.if
@@ -258,7 +258,6 @@ interface(`mpd_admin',`
 	files_list_var_lib($1)
 	admin_pattern($1, mpd_var_lib_t)
 
-	mpd_list_lib($1)
 	admin_pattern($1, mpd_data_t)
 
 	admin_pattern($1, mpd_log_t)
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
index aed3720..7391f7e 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -710,8 +710,8 @@ interface(`postfix_admin',`
 	allow $1 postfix_smtpd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, postfix_smtpd_t)
 
-	postfix_run_map($1,$2)
-	postfix_run_postdrop($1,$2)
+	postfix_run_map($1, $2)
+	postfix_run_postdrop($1, $2)
 
 	postfix_initrc_domtrans($1)
 	domain_system_change_exemption($1)
diff --git a/policy/modules/services/postfixpolicyd.if b/policy/modules/services/postfixpolicyd.if
index feae93b..d960d3f 100644
--- a/policy/modules/services/postfixpolicyd.if
+++ b/policy/modules/services/postfixpolicyd.if
@@ -20,8 +20,7 @@
 interface(`postfixpolicyd_admin',`
 	gen_require(`
 		type postfix_policyd_t, postfix_policyd_conf_t;
-		type postfix_policyd_var_run_t;
-		type postfix_policyd_initrc_exec_t;	
+		type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t;
 	')
 
 	allow $1 postfix_policyd_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index fd75d3d..4782bdb 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -10,7 +10,7 @@
 ##	</summary>
 ## </param>
 ## <param name="user_domain">
-## 	<summary>
+##	<summary>
 ##	The type of the user domain.
 ##	</summary>
 ## </param>
@@ -45,14 +45,6 @@ interface(`postgresql_role',`
 	# Client local policy
 	#
 
-	tunable_policy(`sepgsql_enable_users_ddl',`
-		allow $2 user_sepgsql_table_t:db_table { create drop setattr };
-		allow $2 user_sepgsql_table_t:db_column { create drop setattr };
-
-		allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
-		allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
-	')
-
 	allow $2 user_sepgsql_table_t:db_table	{ getattr use select update insert delete lock };
 	allow $2 user_sepgsql_table_t:db_column { getattr use select update insert };
 	allow $2 user_sepgsql_table_t:db_tuple	{ use select update insert delete };
@@ -69,6 +61,14 @@ interface(`postgresql_role',`
 
 	allow $2 sepgsql_trusted_proc_t:process transition;
 	type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
+
+	tunable_policy(`sepgsql_enable_users_ddl',`
+		allow $2 user_sepgsql_table_t:db_table { create drop setattr };
+		allow $2 user_sepgsql_table_t:db_column { create drop setattr };
+
+		allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
+		allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
+	')
 ')
 
 ########################################
@@ -195,7 +195,7 @@ interface(`postgresql_search_db',`
 		type postgresql_db_t;
 	')
 
-	allow $1 postgresql_db_t:dir search;
+	allow $1 postgresql_db_t:dir search_dir_perms;
 ')
 
 ########################################
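Review bot: Replacing the bare `search` with `search_dir_perms` in postgresql_search_db is only a style change if the macro expands to exactly `search`, and its definition is not part of this diff. In reference policy such sets normally carry extra permissions (for directories, typically `getattr` and `open`), so this line probably widens the grant slightly. The same applies with more weight to `write` becoming `write_file_perms` in rpc_write_exports, which governs the NFS exports file, and to `search` becoming `search_dir_perms` in rpc_search_nfs_state_data and the `rw_sem_perms` substitution in rgmanager_rw_semaphores. It would help to confirm each expansion against the permission-set definitions and to state in the commit description that these hunks change access rather than formatting.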
@@ -207,6 +207,7 @@ interface(`postgresql_search_db',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+#
 interface(`postgresql_manage_db',`
 	gen_require(`
 		type postgresql_db_t;
@@ -214,7 +215,7 @@ interface(`postgresql_manage_db',`
 
 	allow $1 postgresql_db_t:dir rw_dir_perms;
 	allow $1 postgresql_db_t:file rw_file_perms;
-	allow $1 postgresql_db_t:lnk_file { getattr read };
+	allow $1 postgresql_db_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
@@ -304,7 +305,6 @@ interface(`postgresql_tcp_connect',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`postgresql_stream_connect',`
 	gen_require(`
@@ -313,7 +313,7 @@ interface(`postgresql_stream_connect',`
 
 	files_search_pids($1)
 	files_search_tmp($1)
-	stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t}, { postgresql_var_run_t postgresql_tmp_t}, postgresql_t)
+	stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t }, { postgresql_var_run_t postgresql_tmp_t }, postgresql_t)
 ')
 
 ########################################
@@ -359,13 +359,6 @@ interface(`postgresql_unpriv_client',`
 	type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
 	allow $1 sepgsql_trusted_proc_t:process transition;
 
-	tunable_policy(`sepgsql_enable_users_ddl',`
-		allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
-		allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };
-		allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };
-		allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };
-	')
-
 	allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock };
 	allow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert };
 	allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete };
@@ -379,6 +372,13 @@ interface(`postgresql_unpriv_client',`
 
 	allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
 	type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
+
+	tunable_policy(`sepgsql_enable_users_ddl',`
+		allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
+		allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };
+		allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };
+		allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };
+	')
 ')
 
 ########################################
@@ -418,13 +418,10 @@ interface(`postgresql_unconfined',`
 #
 interface(`postgresql_admin',`
 	gen_require(`
-		attribute sepgsql_admin_type;
-		attribute sepgsql_client_type;
-
-		type postgresql_t, postgresql_var_run_t;
-		type postgresql_tmp_t, postgresql_db_t;
-		type postgresql_etc_t, postgresql_log_t;
-		type postgresql_initrc_exec_t;
+		attribute sepgsql_admin_type, sepgsql_client_type;
+		type postgresql_t, postgresql_var_run_t, postgresql_initrc_exec_t;
+		type postgresql_tmp_t, postgresql_db_t, postgresql_log_t;
+		type postgresql_etc_t;
 	')
 
 	typeattribute $1 sepgsql_admin_type;
@@ -437,6 +434,7 @@ interface(`postgresql_admin',`
 	role_transition $2 postgresql_initrc_exec_t system_r;
 	allow $2 system_r;
 
+	files_list_pids($1)
 	admin_pattern($1, postgresql_var_run_t)
 
 	files_list_var_lib($1)
@@ -448,6 +446,7 @@ interface(`postgresql_admin',`
 	logging_list_logs($1)
 	admin_pattern($1, postgresql_log_t)
 
+	files_list_tmp($1)
 	admin_pattern($1, postgresql_tmp_t)
 
 	postgresql_tcp_connect($1)
diff --git a/policy/modules/services/postgrey.if b/policy/modules/services/postgrey.if
index ad15fde..6f55445 100644
--- a/policy/modules/services/postgrey.if
+++ b/policy/modules/services/postgrey.if
@@ -15,9 +15,9 @@ interface(`postgrey_stream_connect',`
 		type postgrey_var_run_t, postgrey_t, postgrey_spool_t;
 	')
 
-	stream_connect_pattern($1, postgrey_var_run_t, postgrey_var_run_t, postgrey_t)
-	stream_connect_pattern($1, postgrey_spool_t, postgrey_spool_t, postgrey_t)
+	stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t)
 	files_search_pids($1)
+	files_search_spool($1)
 ')
 
 ########################################
@@ -35,6 +35,7 @@ interface(`postgrey_search_spool',`
 		type postgrey_spool_t;
 	')
 
+	files_search_spool($1)
 	allow $1 postgrey_spool_t:dir search_dir_perms;
 ')
 
@@ -57,9 +58,8 @@ interface(`postgrey_search_spool',`
 #
 interface(`postgrey_admin',`
 	gen_require(`
-		type postgrey_t, postgrey_etc_t;
+		type postgrey_t, postgrey_etc_t, postgrey_initrc_exec_t;
 		type postgrey_var_lib_t, postgrey_var_run_t;
-		type postgrey_initrc_exec_t;
 	')
 
 	allow $1 postgrey_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
index f916c76..09699d1 100644
--- a/policy/modules/services/ppp.if
+++ b/policy/modules/services/ppp.if
@@ -66,7 +66,6 @@ interface(`ppp_sigchld',`
 ##	</summary>
 ## </param>
 #
-#
 interface(`ppp_kill',`
 	gen_require(`
 		type pppd_t;
@@ -180,8 +179,7 @@ interface(`ppp_run',`
 	')
 
 	ppp_domtrans($1)
-	role $2 types pppd_t;
-	role $2 types pptp_t;
+	role $2 types { pppd_t pptp_t };
 
 	optional_policy(`
 		ddclient_run(pppd_t, $2)
@@ -281,6 +279,7 @@ interface(`ppp_read_pid_files',`
 		type pppd_var_run_t;
 	')
 
+	files_search_pids($1)
 	allow $1 pppd_var_run_t:file read_file_perms;
 ')
 
@@ -299,6 +298,7 @@ interface(`ppp_manage_pid_files',`
 		type pppd_var_run_t;
 	')
 
+	files_search_pids($1)
 	allow $1 pppd_var_run_t:file manage_file_perms;
 ')
 
@@ -353,16 +353,17 @@ interface(`ppp_initrc_domtrans',`
 interface(`ppp_admin',`
 	gen_require(`
 		type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t;
-		type pppd_etc_t, pppd_secret_t;
-		type pppd_etc_rw_t, pppd_var_run_t;
-
+		type pppd_etc_t, pppd_secret_t, pppd_var_run_t;
 		type pptp_t, pptp_log_t, pptp_var_run_t;
- 		type pppd_initrc_exec_t;
+		type pppd_initrc_exec_t, pppd_etc_rw_t;
 	')
 
 	allow $1 pppd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, pppd_t)
 
+	allow $1 pptp_t:process { ptrace signal_perms };
+	ps_process_pattern($1, pptp_t)
+
 	ppp_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 pppd_initrc_exec_t system_r;
@@ -374,6 +375,7 @@ interface(`ppp_admin',`
 	logging_list_logs($1)
 	admin_pattern($1, pppd_log_t)
 
+	files_list_locks($1)
 	admin_pattern($1, pppd_lock_t)
 
 	files_list_etc($1)
@@ -386,9 +388,6 @@ interface(`ppp_admin',`
 	files_list_pids($1)
 	admin_pattern($1, pppd_var_run_t)
 
-	allow $1 pptp_t:process { ptrace signal_perms };
-	ps_process_pattern($1, pptp_t)
-
 	admin_pattern($1, pptp_log_t)
 
 	admin_pattern($1, pptp_var_run_t)
diff --git a/policy/modules/services/prelude.if b/policy/modules/services/prelude.if
index 1bf96b0..77ef768 100644
--- a/policy/modules/services/prelude.if
+++ b/policy/modules/services/prelude.if
@@ -5,9 +5,9 @@
 ##	Execute a domain transition to run prelude.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`prelude_domtrans',`
@@ -23,9 +23,9 @@ interface(`prelude_domtrans',`
 ##	Execute a domain transition to run prelude_audisp.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`prelude_domtrans_audisp',`
@@ -41,9 +41,9 @@ interface(`prelude_domtrans_audisp',`
 ##	Signal the prelude_audisp domain.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed acccess.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`prelude_signal_audisp',`
@@ -78,9 +78,9 @@ interface(`prelude_read_spool',`
 ##	Manage to prelude-manager spool files.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed access.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`prelude_manage_spool',`
@@ -112,13 +112,10 @@ interface(`prelude_manage_spool',`
 #
 interface(`prelude_admin',`
 	gen_require(`
-		type prelude_t, prelude_spool_t;
-		type prelude_var_run_t, prelude_var_lib_t;
-		type prelude_audisp_t, prelude_audisp_var_run_t;
-		type prelude_initrc_exec_t;
-
-		type prelude_lml_t, prelude_lml_tmp_t;
-		type prelude_lml_var_run_t;
+		type prelude_t, prelude_spool_t, prelude_initrc_exec_t;
+		type prelude_var_run_t, prelude_var_lib_t, prelude_lml_var_run_t;
+		type prelude_audisp_t, prelude_audisp_var_run_t, prelude_lml_tmp_t;
+		type prelude_lml_t;
 	')
 
 	allow $1 prelude_t:process { ptrace signal_perms };
@@ -144,9 +141,8 @@ interface(`prelude_admin',`
 	files_list_pids($1)
 	admin_pattern($1, prelude_var_run_t)
 	admin_pattern($1, prelude_audisp_var_run_t)
+	admin_pattern($1, prelude_lml_var_run_t)
 
 	files_list_tmp($1)
 	admin_pattern($1, prelude_lml_tmp_t)
-
-	admin_pattern($1, prelude_lml_var_run_t)
 ')
diff --git a/policy/modules/services/privoxy.if b/policy/modules/services/privoxy.if
index c8f6cb5..7221526 100644
--- a/policy/modules/services/privoxy.if
+++ b/policy/modules/services/privoxy.if
@@ -19,9 +19,8 @@
 #
 interface(`privoxy_admin',`
 	gen_require(`
-		type privoxy_t, privoxy_log_t;
+		type privoxy_t, privoxy_log_t, privoxy_initrc_exec_t;
 		type privoxy_etc_rw_t, privoxy_var_run_t;
-		type privoxy_initrc_exec_t;
 	')
 
 	allow $1 privoxy_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/procmail.if b/policy/modules/services/procmail.if
index 5bfbd7b..166e9c3 100644
--- a/policy/modules/services/procmail.if
+++ b/policy/modules/services/procmail.if
@@ -93,7 +93,6 @@ interface(`procmail_read_home_files',`
 		type procmail_home_t;
 	')
 
-        userdom_search_user_home_dirs($1)
+	userdom_search_user_home_dirs($1)
 	read_files_pattern($1, procmail_home_t, procmail_home_t)
 ')
-
diff --git a/policy/modules/services/psad.if b/policy/modules/services/psad.if
index 96440db..d1a3745 100644
--- a/policy/modules/services/psad.if
+++ b/policy/modules/services/psad.if
@@ -91,7 +91,6 @@ interface(`psad_manage_config',`
 	files_search_etc($1)
 	manage_dirs_pattern($1, psad_etc_t, psad_etc_t)
 	manage_files_pattern($1, psad_etc_t, psad_etc_t)
-
 ')
 
 ########################################
@@ -115,7 +114,7 @@ interface(`psad_read_pid_files',`
 
 ########################################
 ## <summary>
-##	Read psad PID files.
+##	Read and write psad PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -253,8 +252,8 @@ interface(`psad_rw_tmp_files',`
 interface(`psad_admin',`
 	gen_require(`
 		type psad_t, psad_var_run_t, psad_var_log_t;
-		type psad_initrc_exec_t, psad_var_lib_t;
-		type psad_tmp_t, psad_etc_t;
+		type psad_initrc_exec_t, psad_var_lib_t, psad_etc_t;
+		type psad_tmp_t;
 	')
 
 	allow $1 psad_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/puppet.if b/policy/modules/services/puppet.if
index 2855a44..0456b11 100644
--- a/policy/modules/services/puppet.if
+++ b/policy/modules/services/puppet.if
@@ -21,7 +21,7 @@
 ##	</summary>
 ## </param>
 #
-interface(`puppet_rw_tmp', `
+interface(`puppet_rw_tmp',`
 	gen_require(`
 		type puppet_tmp_t;
 	')
diff --git a/policy/modules/services/pyzor.if b/policy/modules/services/pyzor.if
index 6443f30..aa3d0b4 100644
--- a/policy/modules/services/pyzor.if
+++ b/policy/modules/services/pyzor.if
@@ -14,6 +14,7 @@
 ##	User domain for the role
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`pyzor_role',`
 	gen_require(`
@@ -28,7 +29,7 @@ interface(`pyzor_role',`
 
 	# allow ps to show pyzor and allow the user to kill it 
 	ps_process_pattern($2, pyzor_t)
-	allow $2 pyzor_t:process signal;
+	allow $2 pyzor_t:process { ptrace signal_perms };
 ')
 
 ########################################
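Review bot: The rule on the last line of pyzor_role now grants `ptrace` and the whole `signal_perms` set to the role's user domain ($2), while the comment two lines above still describes only letting ps show pyzor and letting the user kill it. ptrace allows the caller to inspect and alter the target process's memory, which is well beyond what that comment justifies; the identical change is made in razor_role in razor.if. If the wider access is intended, the comment should say so, e.g. `# allow ps to show pyzor and allow the user to signal and trace it`; otherwise limit the rule to `allow $2 pyzor_t:process signal_perms;`. pyzor_role begins above this hunk.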
@@ -109,13 +110,12 @@ interface(`pyzor_exec',`
 interface(`pyzor_admin',`
 	gen_require(`
 		type pyzord_t, pyzor_tmp_t, pyzord_log_t;
-		type pyzor_etc_t, pyzor_var_lib_t;
-		type pyzord_initrc_exec_t;
+		type pyzor_etc_t, pyzor_var_lib_t, pyzord_initrc_exec_t;
 	')
 
 	allow $1 pyzord_t:process { ptrace signal_perms };
 	ps_process_pattern($1, pyzord_t)
-	        
+
 	init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 pyzord_initrc_exec_t system_r;
@@ -133,5 +133,3 @@ interface(`pyzor_admin',`
 	files_list_var_lib($1)
 	admin_pattern($1, pyzor_var_lib_t)
 ')
-
-
diff --git a/policy/modules/services/qpidd.if b/policy/modules/services/qpidd.if
index 5dbca44..c403abc 100644
--- a/policy/modules/services/qpidd.if
+++ b/policy/modules/services/qpidd.if
@@ -1,4 +1,3 @@
-
 ## <summary>policy for qpidd</summary>
 
 ########################################
@@ -6,9 +5,9 @@
 ##	Execute a domain transition to run qpidd.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`qpidd_domtrans',`
@@ -19,7 +18,6 @@ interface(`qpidd_domtrans',`
 	domtrans_pattern($1, qpidd_exec_t, qpidd_t)
 ')
 
-
 ########################################
 ## <summary>
 ##	Execute qpidd server in the qpidd domain.
@@ -72,12 +70,12 @@ interface(`qpidd_manage_var_run',`
 		type qpidd_var_run_t;
 	')
 
-         manage_dirs_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
-         manage_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
-         manage_lnk_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
+	files_search_pids($1)
+	manage_dirs_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
+	manage_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
+	manage_lnk_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
 ')
 
-
 ########################################
 ## <summary>
 ##	Search qpidd lib directories.
@@ -113,7 +111,7 @@ interface(`qpidd_read_lib_files',`
 	')
 
 	files_search_var_lib($1)
-        read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+	read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
 ')
 
 ########################################
@@ -133,7 +131,7 @@ interface(`qpidd_manage_lib_files',`
 	')
 
 	files_search_var_lib($1)
-        manage_files_pattern($1, qpidd_var_lib_t,  qpidd_var_lib_t)
+	manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
 ')
 
 ########################################
@@ -151,12 +149,12 @@ interface(`qpidd_manage_var_lib',`
 		type qpidd_var_lib_t;
 	')
 
-         manage_dirs_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
-         manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
-         manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+	manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+	manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
 ')
 
-
 ########################################
 ## <summary>
 ##	All of the rules required to administrate
@@ -176,16 +174,11 @@ interface(`qpidd_manage_var_lib',`
 #
 interface(`qpidd_admin',`
 	gen_require(`
-		type qpidd_t;
+		type qpidd_t, qpidd_initrc_exec_t;
 	')
 
 	allow $1 qpidd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, qpidd_t)
-	        
-
-	gen_require(`
-		type qpidd_initrc_exec_t;
-	')
 
 	# Allow qpidd_t to restart the apache service
 	qpidd_initrc_domtrans($1)
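Review bot: The comment kept just above `qpidd_initrc_domtrans($1)` reads `# Allow qpidd_t to restart the apache service`, but the call is made on behalf of the admin domain $1 and, judging by its name, concerns the qpidd init script; nothing in this interface refers to apache. Since the commit is already tidying qpidd_admin, the comment could be corrected to `# Allow $1 to restart the qpidd service`. An inaccurate comment on an admin interface makes it harder to audit what the interface actually grants. qpidd_admin continues past the end of this hunk.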
@@ -196,41 +189,40 @@ interface(`qpidd_admin',`
 	qpidd_manage_var_run($1)
 
 	qpidd_manage_var_lib($1)
-
 ')
 
 #####################################
 ## <summary>
-##      Allow read and write access to qpidd semaphores.
+##	Allow read and write access to qpidd semaphores.
 ## </summary>
 ## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
+##	<summary>
+##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`qpidd_rw_semaphores',`
-        gen_require(`
-                type qpidd_t;
-        ')
+	gen_require(`
+		type qpidd_t;
+	')
 
-        allow $1 qpidd_t:sem rw_sem_perms;
+	allow $1 qpidd_t:sem rw_sem_perms;
 ')
 
 ########################################
 ## <summary>
-##      Read and write to qpidd shared memory.
+##	Read and write to qpidd shared memory.
 ## </summary>
 ## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
+##	<summary>
+##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`qpidd_rw_shm',`
-        gen_require(`
-                type qpidd_t;
-        ')
+	gen_require(`
+		type qpidd_t;
+	')
 
-        allow $1 qpidd_t:shm rw_shm_perms;
+	allow $1 qpidd_t:shm rw_shm_perms;
 ')
diff --git a/policy/modules/services/radvd.if b/policy/modules/services/radvd.if
index be05bff..2bd662a 100644
--- a/policy/modules/services/radvd.if
+++ b/policy/modules/services/radvd.if
@@ -19,8 +19,8 @@
 #
 interface(`radvd_admin',`
 	gen_require(`
-		type radvd_t, radvd_etc_t;
-		type radvd_var_run_t, radvd_initrc_exec_t;
+		type radvd_t, radvd_etc_t, radvd_initrc_exec_t;
+		type radvd_var_run_t;
 	')
 
 	allow $1 radvd_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if
index 028e3fd..3203212 100644
--- a/policy/modules/services/razor.if
+++ b/policy/modules/services/razor.if
@@ -26,6 +26,7 @@ template(`razor_common_domain_template',`
 	gen_require(`
 		type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t;
 	')
+
 	type $1_t;
 	domain_type($1_t)
 	domain_entry_file($1_t, razor_exec_t)
@@ -46,7 +47,7 @@ template(`razor_common_domain_template',`
 	# Read system config file
 	allow $1_t razor_etc_t:dir list_dir_perms;
 	allow $1_t razor_etc_t:file read_file_perms;
-	allow $1_t razor_etc_t:lnk_file { getattr read };
+	allow $1_t razor_etc_t:lnk_file read_lnk_file_perms;
 
 	manage_dirs_pattern($1_t, razor_log_t, razor_log_t)
 	manage_files_pattern($1_t, razor_log_t, razor_log_t)
@@ -117,6 +118,7 @@ template(`razor_common_domain_template',`
 ##	User domain for the role
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`razor_role',`
 	gen_require(`
@@ -130,7 +132,7 @@ interface(`razor_role',`
 
 	# allow ps to show razor and allow the user to kill it 
 	ps_process_pattern($2, razor_t)
-	allow $2 razor_t:process signal;
+	allow $2 razor_t:process { ptrace signal_perms };
 
 	manage_dirs_pattern($2, razor_home_t, razor_home_t)
 	manage_files_pattern($2, razor_home_t, razor_home_t)
@@ -197,4 +199,3 @@ interface(`razor_read_lib_files',`
 	files_search_var_lib($1)
 	read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)
 ')
-
diff --git a/policy/modules/services/rgmanager.if b/policy/modules/services/rgmanager.if
index 7ef312e..9c2c963 100644
--- a/policy/modules/services/rgmanager.if
+++ b/policy/modules/services/rgmanager.if
@@ -5,9 +5,9 @@
 ##	Execute a domain transition to run rgmanager.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`rgmanager_domtrans',`
@@ -78,20 +78,20 @@ interface(`rgmanager_manage_tmpfs_files',`
 
 #######################################
 ## <summary>
-##      Allow read and write access to rgmanager semaphores.
+##	Allow read and write access to rgmanager semaphores.
 ## </summary>
 ## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
+##	<summary>
+##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`rgmanager_rw_semaphores',`
-        gen_require(`
-                type rgmanager_t;
-        ')
+	gen_require(`
+		type rgmanager_t;
+	')
 
-        allow $1 rgmanager_t:sem { unix_read unix_write associate read write };
+	allow $1 rgmanager_t:sem rw_sem_perms;
 ')
 
 ######################################
@@ -100,9 +100,9 @@ interface(`rgmanager_rw_semaphores',`
 ##	an rgmanager environment
 ## </summary>
 ## <param name="domain">
-## 	<summary>
+##	<summary>
 ##	Domain allowed access.
-##	 </summary>
+##	</summary>
 ## </param>
 ## <param name="role">
 ##	<summary>
@@ -115,7 +115,7 @@ interface(`rgmanager_admin',`
 	gen_require(`
 		type rgmanager_t, rgmanager_initrc_exec_t, rgmanager_tmp_t; 
 		type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t;
-        ')
+	')
 
 	allow $1 rgmanager_t:process { ptrace signal_perms };
 	ps_process_pattern($1, rgmanager_t)
diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if
index d8b97c2..229a3c7 100644
--- a/policy/modules/services/rhcs.if
+++ b/policy/modules/services/rhcs.if
@@ -13,9 +13,7 @@
 #
 template(`rhcs_domain_template',`
 	gen_require(`
-		attribute cluster_domain;
-		attribute cluster_tmpfs;
-		attribute cluster_pid;
+		attribute cluster_domain, cluster_tmpfs, cluster_pid;
 	')
 
 	##############################
@@ -53,7 +51,6 @@ template(`rhcs_domain_template',`
 	manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
 	manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
 	files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file })
-
 ')
 
 ######################################
@@ -61,9 +58,9 @@ template(`rhcs_domain_template',`
 ##	Execute a domain transition to run dlm_controld.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`rhcs_domtrans_dlm_controld',`
@@ -171,9 +168,8 @@ interface(`rhcs_stream_connect_fenced',`
 		type fenced_var_run_t, fenced_t;
 	')
 
-	allow $1 fenced_t:unix_stream_socket connectto;
-	allow $1 fenced_var_run_t:sock_file { getattr write };
 	files_search_pids($1)
+	stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t)
 ')
 
 #####################################
@@ -349,8 +345,7 @@ interface(`rhcs_rw_groupd_shm',`
 #
 interface(`rhcs_rw_cluster_shm',`
 	gen_require(`
-		attribute cluster_domain;
-		attribute cluster_tmpfs;
+		attribute cluster_domain, cluster_tmpfs;
 	')
 
 	allow $1 cluster_domain:shm { rw_shm_perms destroy };
@@ -361,41 +356,40 @@ interface(`rhcs_rw_cluster_shm',`
 
 ####################################
 ## <summary>
-##      Read and write access to cluster domains semaphores.
+##	Read and write access to cluster domains semaphores.
 ## </summary>
 ## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
+##	<summary>
+##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`rhcs_rw_cluster_semaphores',`
-        gen_require(`
+	gen_require(`
 		attribute cluster_domain;
-        ')
+	')
 
-        allow $1 cluster_domain:sem { rw_sem_perms destroy };
+	allow $1 cluster_domain:sem { rw_sem_perms destroy };
 ')
 
 ####################################
 ## <summary>
-##  Connect to cluster domains over a unix domain
-##  stream socket.
+##	Connect to cluster domains over a unix domain
+##	stream socket.
 ## </summary>
 ## <param name="domain">
-##  <summary>
-##  Domain allowed access.
-##  </summary>
+##	<summary>
+##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`rhcs_stream_connect_cluster',`
-    gen_require(`
-        attribute cluster_domain;
-        attribute cluster_pid;
-    ')
+	gen_require(`
+		attribute cluster_domain, cluster_pid;
+	')
 
-    files_search_pids($1)
-    stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
+	files_search_pids($1)
+	stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
 ')
 
 ######################################
@@ -432,24 +426,25 @@ interface(`rhcs_read_qdiskd_tmpfs_files',`
 		type qdiskd_tmpfs_t;
 	')
 
+	fs_search_tmpfs($1)
 	allow $1 qdiskd_tmpfs_t:file read_file_perms;
 ')
 
 ######################################
 ## <summary>
-##      Allow domain to read cluster lib files
+##	Allow domain to read cluster lib files
 ## </summary>
 ## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
+##	<summary>
+##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`rhcs_read_cluster_lib_files',`
-    gen_require(`
-        type cluster_var_lib_t;
-    ')
+	gen_require(`
+		type cluster_var_lib_t;
+	')
 
-    files_search_var_lib($1)
-    read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+	files_search_var_lib($1)
+	read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
 ')
diff --git a/policy/modules/services/rhgb.if b/policy/modules/services/rhgb.if
index 96efae7..793a29f 100644
--- a/policy/modules/services/rhgb.if
+++ b/policy/modules/services/rhgb.if
@@ -194,5 +194,6 @@ interface(`rhgb_rw_tmpfs_files',`
 		type rhgb_tmpfs_t;
 	')
 
+	fs_search_tmpfs($1)
 	allow $1 rhgb_tmpfs_t:file rw_file_perms;
 ')
diff --git a/policy/modules/services/ricci.if b/policy/modules/services/ricci.if
index 8a28c31..3128dd8 100644
--- a/policy/modules/services/ricci.if
+++ b/policy/modules/services/ricci.if
@@ -5,9 +5,9 @@
 ##	Execute a domain transition to run ricci.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`ricci_domtrans',`
@@ -20,20 +20,20 @@ interface(`ricci_domtrans',`
 
 #######################################
 ## <summary>
-##  Execute ricci server in the ricci domain.
+##	Execute ricci server in the ricci domain.
 ## </summary>
 ## <param name="domain">
-##  <summary>
-##  Domain allowed access.
-##  </summary>
+##	<summary>
+##	Domain allowed access.
+##	</summary>
 ## </param>
 #
-interface(`ricci_initrc_domtrans', `
-    gen_require(`
-        type ricci_initrc_exec_t;
-    ')
+interface(`ricci_initrc_domtrans',`
+	gen_require(`
+		type ricci_initrc_exec_t;
+	')
 
-    init_labeled_script_domtrans($1, ricci_initrc_exec_t)
+	init_labeled_script_domtrans($1, ricci_initrc_exec_t)
 ')
 
 ########################################
@@ -41,9 +41,9 @@ interface(`ricci_initrc_domtrans', `
 ##	Execute a domain transition to run ricci_modcluster.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`ricci_domtrans_modcluster',`
@@ -89,7 +89,7 @@ interface(`ricci_dontaudit_rw_modcluster_pipes',`
 		type ricci_modcluster_t;
 	')
 
-	dontaudit $1 ricci_modcluster_t:fifo_file { read write };
+	dontaudit $1 ricci_modcluster_t:fifo_file rw_inherited_fifo_file_perms;
 ')
 
 ########################################
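Review bot: In ricci_dontaudit_rw_modcluster_pipes the dontaudit rule changes from `{ read write }` to `rw_inherited_fifo_file_perms`, and if that set expands to more than read and write (its definition is not in this diff) the rule now silences additional classes of denial rather than merely being restyled. dontaudit rules remove the AVC records that detection and troubleshooting rely on, so a wider set here reduces visibility into unexpected access to the modcluster pipes. Please confirm the expansion; if it is wider, either keep `{ read write }` or update the interface summary to name what is no longer audited.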
@@ -126,6 +126,7 @@ interface(`ricci_rw_modclusterd_tmpfs_files',`
 		type ricci_modcluserd_tmpfs_t;
 	')
 
+	fs_search_tmpfs($1)
 	allow $1 ricci_modcluserd_tmpfs_t:file rw_file_perms;
 ')
 
@@ -134,9 +135,9 @@ interface(`ricci_rw_modclusterd_tmpfs_files',`
 ##	Execute a domain transition to run ricci_modlog.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`ricci_domtrans_modlog',`
@@ -152,9 +153,9 @@ interface(`ricci_domtrans_modlog',`
 ##	Execute a domain transition to run ricci_modrpm.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`ricci_domtrans_modrpm',`
@@ -170,9 +171,9 @@ interface(`ricci_domtrans_modrpm',`
 ##	Execute a domain transition to run ricci_modservice.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`ricci_domtrans_modservice',`
@@ -188,9 +189,9 @@ interface(`ricci_domtrans_modservice',`
 ##	Execute a domain transition to run ricci_modstorage.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`ricci_domtrans_modstorage',`
@@ -203,22 +204,22 @@ interface(`ricci_domtrans_modstorage',`
 
 ####################################
 ## <summary>
-##      Allow the specified domain to manage ricci's lib files.
+##	Allow the specified domain to manage ricci's lib files.
 ## </summary>
 ## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
+##	<summary>
+##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`ricci_manage_lib_files',`
-    gen_require(`
-        type ricci_var_lib_t;
-    ')
+	gen_require(`
+		type ricci_var_lib_t;
+	')
 
-    files_search_var_lib($1)
-    manage_dirs_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
-    manage_files_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
+	manage_files_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
 ')
 
 ########################################
@@ -254,7 +255,7 @@ interface(`ricci_admin',`
 
 	files_list_tmp($1)
 	admin_pattern($1, ricci_tmp_t)
-	
+
 	files_list_var_lib($1)
 	admin_pattern($1, ricci_var_lib_t)
 
diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
index b65be0c..28e7576 100644
--- a/policy/modules/services/rpc.if
+++ b/policy/modules/services/rpc.if
@@ -32,7 +32,11 @@ interface(`rpc_stub',`
 ##	</summary>
 ## </param>
 #
-template(`rpc_domain_template', `
+template(`rpc_domain_template',`
+	gen_require(`
+		type var_lib_nfs_t;
+	')
+
 	########################################
 	#
 	# Declarations
@@ -152,7 +156,7 @@ interface(`rpc_dontaudit_getattr_exports',`
 		type exports_t;
 	')
 
-	dontaudit $1 exports_t:file getattr;
+	dontaudit $1 exports_t:file getattr_file_perms;
 ')
 
 ########################################
@@ -188,7 +192,7 @@ interface(`rpc_write_exports',`
 		type exports_t;
 	')
 
-	allow $1 exports_t:file write;
+	allow $1 exports_t:file write_file_perms;
 ')
 
 ########################################
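Review bot: Replacing `write` with `write_file_perms` in rpc_write_exports is not a pure spelling change. As refpolicy's permission sets define it (obj_perm_sets.spt, not part of this diff), that macro also carries `getattr`, `append`, `lock`, `ioctl` and `open`, so every caller gains more access to exports_t than before. The same widening applies to `search_dir_perms` (adds `getattr` and `open`) in rpc_search_nfs_state_data, xserver_non_drawing_client and xserver_user_client, and to `delete_sock_file_perms` (adds `getattr`) in xserver_restricted_role. `getattr_file_perms` and `read_lnk_file_perms` appear to expand to exactly the old permissions. If the extra permissions are intended, the commit message should say so, and a comment such as `# write_file_perms also grants open/append/ioctl on exports_t` would keep the grant visible to anyone auditing callers.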
@@ -302,7 +306,7 @@ interface(`rpc_read_nfs_content',`
 
 	allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms;
 	allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms;
-	allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file { getattr read };
+	allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
@@ -395,7 +399,7 @@ interface(`rpc_search_nfs_state_data',`
 	')
 
 	files_search_var_lib($1)
-	allow $1 var_lib_nfs_t:dir search;
+	allow $1 var_lib_nfs_t:dir search_dir_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/rpcbind.if b/policy/modules/services/rpcbind.if
index 14173f7..0458ba7 100644
--- a/policy/modules/services/rpcbind.if
+++ b/policy/modules/services/rpcbind.if
@@ -5,9 +5,9 @@
 ##	Execute a domain transition to run rpcbind.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`rpcbind_domtrans',`
diff --git a/policy/modules/services/rsync.if b/policy/modules/services/rsync.if
index eefa329..b28cae5 100644
--- a/policy/modules/services/rsync.if
+++ b/policy/modules/services/rsync.if
@@ -109,9 +109,9 @@ interface(`rsync_exec',`
 ##	Read rsync config files.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed access.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`rsync_read_config',`
@@ -128,9 +128,9 @@ interface(`rsync_read_config',`
 ##	Write to rsync config files.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed access.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`rsync_write_config',`
@@ -147,9 +147,9 @@ interface(`rsync_write_config',`
 ##	Manage rsync config files.
 ## </summary>
 ## <param name="domain">
-## <summary>
-##	Domain allowed.
-## </summary>
+##	<summary>
+##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`rsync_manage_config',`
diff --git a/policy/modules/services/rtkit.if b/policy/modules/services/rtkit.if
index 21079f8..d632bc0 100644
--- a/policy/modules/services/rtkit.if
+++ b/policy/modules/services/rtkit.if
@@ -5,9 +5,9 @@
 ##	Execute a domain transition to run rtkit_daemon.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`rtkit_daemon_domtrans',`
@@ -46,7 +46,7 @@ interface(`rtkit_daemon_dbus_chat',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@@ -75,6 +75,7 @@ interface(`rtkit_scheduled',`
 		type rtkit_daemon_t;
 	')
 
+	kernel_search_proc($1)
 	ps_process_pattern(rtkit_daemon_t, $1)
 	allow rtkit_daemon_t $1:process { getsched setsched };
 	rtkit_daemon_dbus_chat($1)
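Review bot: The added `kernel_search_proc($1)` gives the calling domain search access to /proc, but the rule it sits above, `ps_process_pattern(rtkit_daemon_t, $1)`, has rtkit_daemon_t as the subject reading $1's process entries. If the aim was to make that pattern usable, the access belongs to the daemon, i.e. `kernel_search_proc(rtkit_daemon_t)`, or in rtkit's own .te file where it may already be present. As written, $1 receives a permission that nothing in the visible part of this interface needs. The body of rtkit_scheduled starts and ends outside the hunk.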
diff --git a/policy/modules/services/rwho.if b/policy/modules/services/rwho.if
index 71ea0ea..664e68e 100644
--- a/policy/modules/services/rwho.if
+++ b/policy/modules/services/rwho.if
@@ -5,9 +5,9 @@
 ##	Execute a domain transition to run rwho.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`rwho_domtrans',`
diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
index fd5a17e..9e72970 100644
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
@@ -83,7 +83,7 @@ interface(`samba_domtrans_net',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
 #
@@ -148,7 +148,7 @@ interface(`samba_role_notrans',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
 ## <param name="role">
@@ -391,7 +391,6 @@ interface(`samba_search_var',`
 		type samba_var_t;
 	')
 
-	files_search_var($1)
 	files_search_var_lib($1)
 	allow $1 samba_var_t:dir search_dir_perms;
 ')
@@ -412,7 +411,6 @@ interface(`samba_read_var_files',`
 		type samba_var_t;
 	')
 
-	files_search_var($1)
 	files_search_var_lib($1)
 	read_files_pattern($1, samba_var_t, samba_var_t)
 ')
@@ -452,7 +450,6 @@ interface(`samba_rw_var_files',`
 		type samba_var_t;
 	')
 
-	files_search_var($1)
 	files_search_var_lib($1)
 	rw_files_pattern($1, samba_var_t, samba_var_t)
 ')
@@ -473,7 +470,6 @@ interface(`samba_manage_var_files',`
 		type samba_var_t;
 	')
 
-	files_search_var($1)
 	files_search_var_lib($1)
 	manage_files_pattern($1, samba_var_t, samba_var_t)
 	manage_lnk_files_pattern($1, samba_var_t, samba_var_t)
@@ -761,9 +757,8 @@ interface(`samba_admin',`
 		type smbd_t, smbd_tmp_t, samba_secrets_t;
 		type samba_initrc_exec_t, samba_log_t, samba_var_t;
 		type samba_etc_t, samba_share_t, winbind_log_t;
-		type swat_var_run_t, swat_tmp_t;
-		type winbind_var_run_t, winbind_tmp_t;
-		type samba_unconfined_script_t, samba_unconfined_script_exec_t;
+		type swat_var_run_t, swat_tmp_t, samba_unconfined_script_exec_t;
+		type winbind_var_run_t, winbind_tmp_t, samba_unconfined_script_t;
 	')
 
 	allow $1 smbd_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/setroubleshoot.if b/policy/modules/services/setroubleshoot.if
index a7fbedc..d9f5dbc 100644
--- a/policy/modules/services/setroubleshoot.if
+++ b/policy/modules/services/setroubleshoot.if
@@ -136,8 +136,8 @@ interface(`setroubleshoot_fixit_dontaudit_leaks',`
 #
 interface(`setroubleshoot_admin',`
 	gen_require(`
-		type setroubleshootd_t, setroubleshoot_var_log_t;
-		type setroubleshoot_var_lib_t, setroubleshoot_var_run_t;
+		type setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_run_t;
+		type setroubleshoot_var_lib_t;
 	')
 
 	allow $1 setroubleshootd_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if
index 6aa68d8..bfdf197 100644
--- a/policy/modules/services/snmp.if
+++ b/policy/modules/services/snmp.if
@@ -125,9 +125,8 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',`
 #
 interface(`snmp_admin',`
 	gen_require(`
-		type snmpd_t, snmpd_log_t;
+		type snmpd_t, snmpd_log_t, snmpd_initrc_exec_t;
 		type snmpd_var_lib_t, snmpd_var_run_t;
-		type snmpd_initrc_exec_t;
 	')
 
 	allow $1 snmpd_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/soundserver.if b/policy/modules/services/soundserver.if
index 93fe7bf..4a15633 100644
--- a/policy/modules/services/soundserver.if
+++ b/policy/modules/services/soundserver.if
@@ -33,9 +33,8 @@ interface(`soundserver_tcp_connect',`
 #
 interface(`soundserver_admin',`
 	gen_require(`
-		type soundd_t, soundd_etc_t;
+		type soundd_t, soundd_etc_t, soundd_initrc_exec_t;
 		type soundd_tmp_t, soundd_var_run_t;
-		type soundd_initrc_exec_t;
 	')
 
 	allow $1 soundd_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if
index dc4f590..1d0c078 100644
--- a/policy/modules/services/squid.if
+++ b/policy/modules/services/squid.if
@@ -206,8 +206,7 @@ interface(`squid_use',`
 interface(`squid_admin',`
 	gen_require(`
 		type squid_t, squid_cache_t, squid_conf_t;
-		type squid_log_t, squid_var_run_t;
-		type squid_initrc_exec_t;
+		type squid_log_t, squid_var_run_t, squid_initrc_exec_t;
 	')
 
 	allow $1 squid_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/varnishd.if b/policy/modules/services/varnishd.if
index 0f8e213..fe5ce10 100644
--- a/policy/modules/services/varnishd.if
+++ b/policy/modules/services/varnishd.if
@@ -58,7 +58,7 @@ interface(`varnishd_read_config',`
 
 #####################################
 ## <summary>
-##  Read varnish lib files.
+##	Read varnish lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -151,8 +151,8 @@ interface(`varnishd_manage_log',`
 #
 interface(`varnishd_admin_varnishlog',`
 	gen_require(`
-		type varnishlog_t, varnishlog_initrc_exec_t;
-		type varnishlog_var_run_t, varnishlog_log_t;
+		type varnishlog_t, varnishlog_initrc_exec_t, varnishlog_log_t;
+		type varnishlog_var_run_t;
 	')
 
 	allow $1 varnishlog_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
index e584e21..f98efcb 100644
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
@@ -596,7 +596,7 @@ interface(`virt_transition_svirt',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
diff --git a/policy/modules/services/vnstatd.if b/policy/modules/services/vnstatd.if
index 6144fb1..14f8906 100644
--- a/policy/modules/services/vnstatd.if
+++ b/policy/modules/services/vnstatd.if
@@ -1,15 +1,13 @@
-
 ## <summary>policy for vnstatd</summary>
 
-
 ########################################
 ## <summary>
 ##	Execute a domain transition to run vnstatd.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed access.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`vnstatd_domtrans',`
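Review bot: The parameter description for vnstatd_domtrans still reads `Domain allowed access.` after the re-indent, while this same commit changes that text to `Domain allowed to transition.` for domain-transition interfaces in samba.if. For consistency the line should be `##	Domain allowed to transition.` here and in vnstatd_domtrans_vnstat in the next hunk, so the generated interface documentation states that the caller is allowed a transition rather than plain access.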
@@ -20,16 +18,14 @@ interface(`vnstatd_domtrans',`
 	domtrans_pattern($1, vnstatd_exec_t, vnstatd_t)
 ')
 
-
-
 ########################################
 ## <summary>
 ##	Execute a domain transition to run vnstat.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed access.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`vnstatd_domtrans_vnstat',`
@@ -75,7 +71,7 @@ interface(`vnstatd_read_lib_files',`
 	')
 
 	files_search_var_lib($1)
-        read_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
+	read_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
 ')
 
 ########################################
@@ -95,7 +91,7 @@ interface(`vnstatd_manage_lib_files',`
 	')
 
 	files_search_var_lib($1)
-        manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
+	manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
 ')
 
 ########################################
@@ -114,7 +110,7 @@ interface(`vnstatd_manage_lib_dirs',`
 	')
 
 	files_search_var_lib($1)
-        manage_dirs_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
+	manage_dirs_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
 ')
 
 
@@ -137,8 +133,7 @@ interface(`vnstatd_manage_lib_dirs',`
 #
 interface(`vnstatd_admin',`
 	gen_require(`
-		type vnstatd_t;
-                type vnstatd_var_lib_t;
+		type vnstatd_t, vnstatd_var_lib_t;
 	')
 
 	allow $1 vnstatd_t:process { ptrace signal_perms };
@@ -146,5 +141,4 @@ interface(`vnstatd_admin',`
 
 	files_list_var_lib($1)
 	admin_pattern($1, vnstatd_var_lib_t)
-
 ')
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 9328c63..999066e 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -47,7 +47,7 @@ interface(`xserver_restricted_role',`
 	manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
 
 	stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
-	allow $2 xserver_tmp_t:sock_file unlink;
+	allow $2 xserver_tmp_t:sock_file delete_sock_file_perms;
 	files_search_tmp($2)
 
 	# Communicate via System V shared memory.
@@ -243,7 +243,7 @@ interface(`xserver_rw_session',`
 		type xserver_t, xserver_tmpfs_t;
 	')
 
-	xserver_ro_session($1,$2)
+	xserver_ro_session($1, $2)
 	allow $1 xserver_t:shm rw_shm_perms;
 	allow $1 xserver_tmpfs_t:file rw_file_perms;
 ')
@@ -271,7 +271,7 @@ interface(`xserver_non_drawing_client',`
 
 	allow $1 self:x_gc { create setattr };
 
-	allow $1 xdm_var_run_t:dir search;
+	allow $1 xdm_var_run_t:dir search_dir_perms;
 	allow $1 xserver_t:unix_stream_socket connectto;
 
 	allow $1 xextension_t:x_extension { query use };
@@ -313,7 +313,7 @@ interface(`xserver_user_client',`
 	# for when /tmp/.X11-unix is created by the system
 	allow $1 xdm_t:fd use;
 	allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
-	allow $1 xdm_tmp_t:dir search;
+	allow $1 xdm_tmp_t:dir search_dir_perms;
 	allow $1 xdm_tmp_t:sock_file { read write };
 	dontaudit $1 xdm_t:tcp_socket { read write };
 
@@ -358,7 +358,7 @@ interface(`xserver_user_client',`
 #
 template(`xserver_common_x_domain_template',`
 	gen_require(`
-		type root_xdrawable_t;
+		type root_xdrawable_t, xdm_t, xserver_t;
 		type xproperty_t, $1_xproperty_t;
 		type xevent_t, client_xevent_t;
 		type input_xevent_t, $1_input_xevent_t;
@@ -375,7 +375,6 @@ template(`xserver_common_x_domain_template',`
 		class x_screen { saver_setattr saver_hide saver_show };
 		class x_pointer { get_property set_property manage };
 		class x_keyboard { read manage };
-		type xdm_t, xserver_t;
 	')
 
 	##############################
@@ -474,8 +473,8 @@ template(`xserver_object_types_template',`
 #
 template(`xserver_user_x_domain_template',`
 	gen_require(`
-		type xdm_t, xdm_tmp_t;
-		type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
+		type xdm_t, xdm_tmp_t, xserver_tmpfs_t;
+		type xauth_home_t, iceauth_home_t, xserver_t;
 	')
 
 	allow $2 self:shm create_shm_perms;
@@ -787,8 +786,7 @@ interface(`xserver_stream_connect_xdm',`
 
 	files_search_tmp($1)
 	files_search_pids($1)
-	stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
-	stream_connect_pattern($1, xdm_var_run_t, xdm_var_run_t, xdm_t)
+	stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, xdm_t)
 ')
 
 ########################################
diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if
index 78fc104..4f2dde8 100644
--- a/policy/modules/services/zarafa.if
+++ b/policy/modules/services/zarafa.if
@@ -98,5 +98,5 @@ interface(`zarafa_stream_connect_server',`
 	')
 
 	files_search_var_lib($1)
-	stream_connect_pattern($1, zarafa_server_t, zarafa_server_var_run_t, zarafa_server_t)
+	stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
 ')
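Review bot: The context line `files_search_var_lib($1)` no longer matches the corrected pattern, because the socket directory type is now zarafa_server_var_run_t, which by its name presumably lives under the pid directory rather than /var/lib. If that is the case the caller needs `files_search_pids($1)`, as xserver_stream_connect_xdm uses elsewhere in this diff, instead of or in addition to the var_lib search; otherwise the connection can still be denied on the parent directory. The gen_require block of zarafa_stream_connect_server is outside the hunk, so it is worth confirming that zarafa_server_var_run_t is required there.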
diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if
index 5860687..347f754 100644
--- a/policy/modules/services/zebra.if
+++ b/policy/modules/services/zebra.if
@@ -61,8 +61,7 @@ interface(`zebra_stream_connect',`
 interface(`zebra_admin',`
 	gen_require(`
 		type zebra_t, zebra_tmp_t, zebra_log_t;
-		type zebra_conf_t, zebra_var_run_t;
-		type zebra_initrc_exec_t;
+		type zebra_conf_t, zebra_var_run_t, zebra_initrc_exec_t;
 	')
 
 	allow $1 zebra_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/zosremote.if b/policy/modules/services/zosremote.if
index 1d24e1e..13f0eef 100644
--- a/policy/modules/services/zosremote.if
+++ b/policy/modules/services/zosremote.if
@@ -34,6 +34,7 @@ interface(`zosremote_domtrans',`
 ##	Role allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`zosremote_run',`
 	gen_require(`
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 447aaec..666a58f 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1207,12 +1207,7 @@ interface(`init_read_script_state',`
 	')
 
 	kernel_search_proc($1)
-	read_files_pattern($1, initrc_t, initrc_t)
-	read_lnk_files_pattern($1, initrc_t, initrc_t)
-	list_dirs_pattern($1, initrc_t, initrc_t)
-
-	# should move this to separate interface
-	allow $1 initrc_t:process getattr;
+	ps_process_pattern($1, initrc_t)
 ')
 
 ########################################
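Review bot: The removed comment `# should move this to separate interface` flagged that `process getattr` on initrc_t did not really belong in a read-state interface, and folding the rules into `ps_process_pattern($1, initrc_t)` keeps that permission while dropping the marker. As far as I can tell from refpolicy's pattern macros (not shown in this diff), the expansion matches the four removed rules, so the grant itself is unchanged. A short comment such as `# ps_process_pattern also grants initrc_t:process getattr` would keep it visible to anyone auditing callers of init_read_script_state. The start of the interface is outside the hunk.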