[selinux-policy: 749/3172] more merging

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:09:34 UTC 2010


commit 1f11ac90eea851f7aff95327b345855e35ff6c74
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Oct 14 20:03:50 2005 +0000

    more merging

 strict/domains/program/dovecot.te    |    4 +++-
 strict/domains/program/pppd.te       |    8 +++++---
 strict/file_contexts/program/pppd.fc |    2 +-
 3 files changed, 9 insertions(+), 5 deletions(-)
---
diff --git a/strict/domains/program/dovecot.te b/strict/domains/program/dovecot.te
index 07f0f6f..eb7a30e 100644
--- a/strict/domains/program/dovecot.te
+++ b/strict/domains/program/dovecot.te
@@ -43,7 +43,9 @@ allow dovecot_t self:fifo_file rw_file_perms;
 can_kerberos(dovecot_t)
 
 allow dovecot_t tmp_t:dir search;
-rw_dir_file(dovecot_t, mail_spool_t)
+rw_dir_create_file(dovecot_t, mail_spool_t)
+
+
 create_dir_file(dovecot_t, dovecot_spool_t)
 create_dir_file(mta_delivery_agent, dovecot_spool_t)
 allow dovecot_t mail_spool_t:lnk_file read;
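Review bot: The two blank lines added right after the new `rw_dir_create_file(dovecot_t, mail_spool_t)` line are stray whitespace; they open a three-line gap before `create_dir_file(dovecot_t, dovecot_spool_t)` and should be dropped so the block matches the single-blank-line spacing used elsewhere in the hunk. Replacing `rw_dir_file` with `rw_dir_create_file` also widens dovecot_t from reading and writing files under mail_spool_t to creating them, and nothing in the hunk records which operation needs that. A one-line comment above the rule, along the lines of `# dovecot needs to create new files in the mail spool` (exact reason to be confirmed against the denial that motivated it), would let the next reader judge whether the create permission is still required.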
diff --git a/strict/domains/program/pppd.te b/strict/domains/program/pppd.te
index c2dc6e7..8499da7 100644
--- a/strict/domains/program/pppd.te
+++ b/strict/domains/program/pppd.te
@@ -14,7 +14,7 @@
 #
 bool pppd_for_user false;
 
-daemon_domain(pppd, `, privmail')
+daemon_domain(pppd, `, privmail, privsysmod, nscd_client_domain')
 type pppd_secret_t, file_type, sysadmfile;
 
 # Define a separate type for /etc/ppp
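Review bot: The `privsysmod` attribute added to `daemon_domain(pppd, ...)` here, together with the `sys_module` capability added to `allow pppd_t self:capability { ... }` in the next hunk (L51), gives pppd_t the ability to load kernel modules directly, while the context of a later hunk shows the domain already transitions to insmod_t for that purpose (`domain_auto_trans(pppd_t, insmod_exec_t, insmod_t)`). If the direct grant is needed for a path that does not go through insmod, a comment on the capability line naming that operation would justify keeping it; if it is not, the narrower transition alone may suffice and the broader grant should be dropped. Recording the reason matters here because the hunk context shows `can_network_server(pppd_t)`, so sys_module is a sizable widening of what this network-facing domain is allowed to do. The reviewer cannot tell from the diff which of the two cases applies.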
@@ -36,7 +36,7 @@ can_network_server(pppd_t)
 can_ypbind(pppd_t)
 
 # Use capabilities.
-allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override };
+allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override sys_module };
 lock_domain(pppd)
 
 # Access secret files
@@ -54,6 +54,7 @@ allow postfix_postqueue_t pppd_t:process sigchld;
 can_exec(pppd_t, { shell_exec_t bin_t sbin_t etc_t ifconfig_exec_t })
 allow pppd_t { bin_t sbin_t }:dir search;
 allow pppd_t { sbin_t bin_t }:lnk_file read;
+allow ifconfig_t pppd_t:fd use;
 
 # Access /dev/ppp.
 allow pppd_t ppp_device_t:chr_file rw_file_perms;
@@ -111,7 +112,7 @@ domain_auto_trans(pppd_t, insmod_exec_t, insmod_t)
 ')
 }
 
-daemon_domain(pptp)
+daemon_domain(pptp, `, nscd_client_domain')
 can_network_client_tcp(pptp_t)
 allow pptp_t { reserved_port_type port_t }:tcp_socket name_connect;
 can_exec(pptp_t, hostname_exec_t)
@@ -144,3 +145,4 @@ dontaudit ndc_t pppd_t:fd use;
 # Allow /etc/ppp/ip-{up,down} to run most anything
 type pppd_script_exec_t, file_type, sysadmfile;
 domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
+allow pppd_t initrc_t:process noatsecure;
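Review bot: The added `allow pppd_t initrc_t:process noatsecure;` disables the secure-exec (AT_SECURE) environment cleansing for the transition into initrc_t, so the ip-up/ip-down scripts start with pppd's environment intact rather than scrubbed, and the line carries no comment saying why that is wanted. Presumably pppd hands link parameters to those scripts through environment variables (the `see man pppd` remark in the pppd.fc hunk points that way), but that should be stated next to the rule, e.g. `# ip-up/ip-down read link parameters from pppd's environment; keep it across the transition`. If the scripts only need their argv, the rule can be dropped and the default cleansing kept.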
diff --git a/strict/file_contexts/program/pppd.fc b/strict/file_contexts/program/pppd.fc
index a16da2a..02ae668 100644
--- a/strict/file_contexts/program/pppd.fc
+++ b/strict/file_contexts/program/pppd.fc
@@ -20,6 +20,6 @@
 /etc/ppp/plugins/rp-pppoe\.so 	--	system_u:object_r:shlib_t
 /etc/ppp/resolv\.conf 	--	system_u:object_r:pppd_etc_rw_t
 # Fix pptp sockets
-/var/run/pptp(/.*)?	--	system_u:object_r:pptp_var_run_t
+/var/run/pptp(/.*)?		system_u:object_r:pptp_var_run_t
 # Fix /etc/ppp {up,down} family scripts (see man pppd)
 /etc/ppp/(auth|ip(v6|x)?)-(up|down)	--	system_u:object_r:pppd_script_exec_t

