[selinux-policy: 1485/3172] updates for nfs, squid, and mta

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:13:42 UTC 2010


commit b8373ee1194916ec55ab853fc4af4372099ea99e
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri May 26 20:29:51 2006 +0000

    updates for nfs, squid, and mta

 refpolicy/policy/modules/kernel/kernel.te     |    4 +++-
 refpolicy/policy/modules/services/mta.if      |    6 ++----
 refpolicy/policy/modules/services/mta.te      |    2 +-
 refpolicy/policy/modules/services/portmap.te  |    4 ++--
 refpolicy/policy/modules/services/rpc.if      |    3 +++
 refpolicy/policy/modules/services/rpc.te      |   11 +----------
 refpolicy/policy/modules/services/sendmail.te |   13 +++++--------
 refpolicy/policy/modules/services/squid.te    |   15 ++++++++-------
 refpolicy/policy/modules/system/sysnetwork.te |    3 ++-
 9 files changed, 27 insertions(+), 34 deletions(-)
---
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 0ec50e2..7a8b553 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
 
-policy_module(kernel,1.3.8)
+policy_module(kernel,1.3.9)
 
 ########################################
 #
@@ -287,6 +287,8 @@ optional_policy(`
 	corenet_udp_sendrecv_all_nodes(kernel_t)
 	corenet_udp_sendrecv_all_ports(kernel_t)
 	corenet_udp_bind_all_nodes(kernel_t)
+	corenet_sendrecv_portmap_client_packets(kernel_t)
+	corenet_sendrecv_generic_packets(kernel_t)
 
 	auth_dontaudit_getattr_shadow(kernel_t)
 
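Review bot: The two added `corenet_sendrecv_*_packets(kernel_t)` lines carry no comment saying which kernel feature needs them, and `corenet_sendrecv_generic_packets` is the broad one of the pair: it is not tied to a single service's packet label. The commit title points at NFS, so a line such as `# kernel NFS code talks to portmap and to RPC services on generic ports` above them (wording to be confirmed by the author) would tell a later auditor why kernel_t holds the grant. The enclosing `optional_policy` block starts before this hunk, so its condition is not visible here.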
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 46037c0..0aeaf6e 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -67,15 +67,13 @@ template(`mta_base_mail_template',`
 
 	kernel_read_kernel_sysctls($1_mail_t)
 
+	corenet_non_ipsec_sendrecv($1_mail_t)
 	corenet_tcp_sendrecv_all_if($1_mail_t)
-	corenet_raw_sendrecv_all_if($1_mail_t)
 	corenet_tcp_sendrecv_all_nodes($1_mail_t)
-	corenet_raw_sendrecv_all_nodes($1_mail_t)
 	corenet_tcp_sendrecv_all_ports($1_mail_t)
-	corenet_non_ipsec_sendrecv($1_mail_t)
-	corenet_tcp_bind_all_nodes($1_mail_t)
 	corenet_tcp_connect_all_ports($1_mail_t)
 	corenet_tcp_connect_smtp_port($1_mail_t)
+	corenet_sendrecv_smtp_client_packets($1_mail_t)
 
 	corecmd_exec_bin($1_mail_t)
 	corecmd_search_sbin($1_mail_t)
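Review bot: `corenet_tcp_connect_all_ports($1_mail_t)` survives this cleanup even though the only packet rule the hunk adds is `corenet_sendrecv_smtp_client_packets($1_mail_t)`, so the port-level and packet-level rules disagree about what a mail domain may reach. If SMTP is the only intended destination, dropping the all-ports line and keeping `corenet_tcp_connect_smtp_port($1_mail_t)` would make the template least-privilege at both layers. If other ports are needed, a comment naming them would help. The same all-ports connect is kept in the first sendmail.te hunk. The template body starts and ends outside this hunk.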
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 35bf0cd..8003968 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -1,5 +1,5 @@
 
-policy_module(mta,1.3.4)
+policy_module(mta,1.3.5)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/portmap.te b/refpolicy/policy/modules/services/portmap.te
index 803db19..edd777b 100644
--- a/refpolicy/policy/modules/services/portmap.te
+++ b/refpolicy/policy/modules/services/portmap.te
@@ -1,5 +1,5 @@
 
-policy_module(portmap,1.2.2)
+policy_module(portmap,1.2.3)
 
 ########################################
 #
@@ -60,7 +60,7 @@ corenet_tcp_bind_portmap_port(portmap_t)
 corenet_udp_bind_portmap_port(portmap_t)
 corenet_tcp_connect_all_ports(portmap_t)
 corenet_sendrecv_portmap_client_packets(portmap_t)
-corenet_receive_portmap_server_packets(portmap_t)
+corenet_sendrecv_portmap_server_packets(portmap_t)
 # portmap binds to arbitary ports
 corenet_tcp_bind_generic_port(portmap_t)
 corenet_udp_bind_generic_port(portmap_t)
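Review bot: portmap_t may bind generic ports (`corenet_tcp_bind_generic_port`, `corenet_udp_bind_generic_port`), but this hunk shows no `corenet_sendrecv_generic_packets(portmap_t)`, whereas the rpc.if hunk of the same commit pairs the generic-port binds with that packet rule. Traffic on those ports would presumably not carry the portmap client or server packet label. Either the packet rule is missing here or the generic-port binds are wider than portmap actually uses, and a one-line comment saying which is intended would settle it. The rule may exist elsewhere in the file, outside this hunk.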
diff --git a/refpolicy/policy/modules/services/rpc.if b/refpolicy/policy/modules/services/rpc.if
index e68cc84..93e340d 100644
--- a/refpolicy/policy/modules/services/rpc.if
+++ b/refpolicy/policy/modules/services/rpc.if
@@ -70,6 +70,9 @@ template(`rpc_domain_template', `
 	corenet_dontaudit_udp_bind_all_reserved_ports($1_t)
 	# bind to arbitary unused ports
 	corenet_tcp_bind_generic_port($1_t)
+	corenet_udp_bind_generic_port($1_t)
+	corenet_udp_bind_reserved_port($1_t)
+	corenet_sendrecv_generic_packets($1_t)
 
 	fs_search_auto_mountpoints($1_t)
 
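Review bot: Moving `corenet_udp_bind_generic_port` and `corenet_udp_bind_reserved_port` into `rpc_domain_template` grants them to every domain the template is instantiated for, not only rpcd_t, nfsd_t and gssd_t, the three domains that lose their own copies in rpc.te. If any other domain uses the template, this is a silent widening, and binding reserved UDP ports is a privilege worth keeping per-domain. The existing comment `# bind to arbitary unused ports` also no longer describes the block beneath it; something like `# bind to arbitrary unused and reserved ports, and exchange packets on them` would. The template body extends beyond this hunk.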
diff --git a/refpolicy/policy/modules/services/rpc.te b/refpolicy/policy/modules/services/rpc.te
index efb242f..7857d27 100644
--- a/refpolicy/policy/modules/services/rpc.te
+++ b/refpolicy/policy/modules/services/rpc.te
@@ -1,5 +1,5 @@
 
-policy_module(rpc,1.2.5)
+policy_module(rpc,1.2.6)
 
 ########################################
 #
@@ -49,9 +49,6 @@ kernel_search_network_state(rpcd_t)
 # for rpc.rquotad
 kernel_read_sysctl(rpcd_t)  
 
-corenet_udp_bind_generic_port(rpcd_t)
-corenet_udp_bind_reserved_port(rpcd_t)
-
 dev_read_urand(rpcd_t)
 dev_read_rand(rpcd_t)
 
@@ -94,9 +91,6 @@ kernel_read_network_state(nfsd_t)
 kernel_udp_send(nfsd_t)
 kernel_tcp_recvfrom(nfsd_t) 
 
-corenet_udp_bind_generic_port(nfsd_t)
-corenet_udp_bind_reserved_port(nfsd_t)
-
 fs_mount_nfsd_fs(nfsd_t) 
 fs_search_nfsd_fs(nfsd_t) 
 fs_getattr_all_fs(nfsd_t) 
@@ -147,9 +141,6 @@ files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
 kernel_read_network_state(gssd_t)
 kernel_read_network_state_symlinks(gssd_t)	
 
-corenet_udp_bind_generic_port(gssd_t)
-corenet_udp_bind_reserved_port(gssd_t)
-
 dev_read_urand(gssd_t)
 
 fs_list_rpc(gssd_t) 
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index 1139497..66ae8fe 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -1,5 +1,5 @@
 
-policy_module(sendmail,1.2.1)
+policy_module(sendmail,1.2.2)
 
 ########################################
 #
@@ -41,19 +41,15 @@ kernel_read_kernel_sysctls(sendmail_t)
 # for piping mail to a command
 kernel_read_system_state(sendmail_t)
 
+corenet_non_ipsec_sendrecv(sendmail_t)
 corenet_tcp_sendrecv_all_if(sendmail_t)
-corenet_raw_sendrecv_all_if(sendmail_t)
-corenet_udp_sendrecv_all_if(sendmail_t)
 corenet_tcp_sendrecv_all_nodes(sendmail_t)
-corenet_raw_sendrecv_all_nodes(sendmail_t)
-corenet_udp_sendrecv_all_nodes(sendmail_t)
 corenet_tcp_sendrecv_all_ports(sendmail_t)
-corenet_udp_sendrecv_all_ports(sendmail_t)
-corenet_non_ipsec_sendrecv(sendmail_t)
 corenet_tcp_bind_all_nodes(sendmail_t)
-corenet_udp_bind_all_nodes(sendmail_t)
 corenet_tcp_bind_smtp_port(sendmail_t)
 corenet_tcp_connect_all_ports(sendmail_t)
+corenet_sendrecv_smtp_server_packets(sendmail_t)
+corenet_sendrecv_smtp_client_packets(sendmail_t)
 
 dev_read_urand(sendmail_t)
 dev_read_sysfs(sendmail_t)
@@ -89,6 +85,7 @@ logging_send_syslog_msg(sendmail_t)
 
 miscfiles_read_localization(sendmail_t)
 
+sysnet_dns_name_resolve(sendmail_t)
 sysnet_read_config(sendmail_t)
 
 userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
diff --git a/refpolicy/policy/modules/services/squid.te b/refpolicy/policy/modules/services/squid.te
index 93d2cbe..ee011ae 100644
--- a/refpolicy/policy/modules/services/squid.te
+++ b/refpolicy/policy/modules/services/squid.te
@@ -1,5 +1,5 @@
 
-policy_module(squid,1.1.0)
+policy_module(squid,1.1.1)
 
 ########################################
 #
@@ -70,26 +70,26 @@ kernel_tcp_recvfrom(squid_t)
 
 files_dontaudit_getattr_boot_dirs(squid_t)
 
+corenet_non_ipsec_sendrecv(squid_t)
 corenet_tcp_sendrecv_all_if(squid_t)
-corenet_raw_sendrecv_all_if(squid_t)
 corenet_udp_sendrecv_all_if(squid_t)
 corenet_tcp_sendrecv_all_nodes(squid_t)
 corenet_udp_sendrecv_all_nodes(squid_t)
-corenet_raw_sendrecv_all_nodes(squid_t)
 corenet_tcp_sendrecv_all_ports(squid_t)
 corenet_udp_sendrecv_all_ports(squid_t)
-corenet_non_ipsec_sendrecv(squid_t)
 corenet_tcp_bind_all_nodes(squid_t)
 corenet_udp_bind_all_nodes(squid_t)
 corenet_tcp_bind_http_cache_port(squid_t)
-corenet_udp_bind_http_cache_port(squid_t)
 corenet_tcp_bind_ftp_port(squid_t)
-corenet_udp_bind_ftp_port(squid_t)
 corenet_tcp_bind_gopher_port(squid_t)
-corenet_udp_bind_gopher_port(squid_t)
 corenet_tcp_connect_ftp_port(squid_t)
 corenet_tcp_connect_gopher_port(squid_t)
 corenet_tcp_connect_http_port(squid_t)
+corenet_sendrecv_http_client_packets(squid_t)
+corenet_sendrecv_ftp_client_packets(squid_t)
+corenet_sendrecv_gopher_client_packets(squid_t)
+corenet_sendrecv_http_cache_server_packets(squid_t)
+corenet_sendrecv_http_cache_client_packets(squid_t)
 
 dev_read_sysfs(squid_t)
 dev_read_urand(squid_t)
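Review bot: After this hunk squid_t keeps `corenet_udp_bind_all_nodes` and the three `corenet_udp_sendrecv_all_*` rules, but the hunk no longer shows it binding any UDP port, because `corenet_udp_bind_http_cache_port` was removed along with the ftp and gopher ones. Either the remaining UDP rules are leftovers that could be dropped as well, or Squid's UDP inter-cache traffic still needs the http_cache bind. That should be checked against the port definitions, which are not on this page. Separately, `corenet_sendrecv_http_cache_client_packets(squid_t)` is added without a matching `corenet_tcp_connect_http_cache_port(squid_t)` in view, so the packet rules and the connect rules name different sets of services.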
@@ -129,6 +129,7 @@ logging_send_syslog_msg(squid_t)
 miscfiles_read_certs(squid_t)
 miscfiles_read_localization(squid_t)
 
+sysnet_dns_name_resolve(squid_t)
 sysnet_read_config(squid_t)
 
 userdom_use_unpriv_users_fds(squid_t)
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 42411bb..3c65a45 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -1,5 +1,5 @@
 
-policy_module(sysnetwork,1.1.6)
+policy_module(sysnetwork,1.1.7)
 
 ########################################
 #
@@ -105,6 +105,7 @@ corenet_udp_bind_all_nodes(dhcpc_t)
 corenet_udp_bind_dhcpc_port(dhcpc_t)
 corenet_tcp_connect_all_ports(dhcpc_t)
 corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
+corenet_sendrecv_dhcpc_server_packets(dhcpc_t)
 
 dev_read_sysfs(dhcpc_t)
 # for SSP:
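Review bot: The new `corenet_sendrecv_dhcpc_server_packets(dhcpc_t)` sits directly under `corenet_sendrecv_dhcpd_client_packets(dhcpc_t)`, and the two names are close enough to be misread as a typo during an audit. A short comment such as `# dhcpc binds the dhcpc port, so traffic on it is labelled dhcpc server` (to be confirmed by the author) would record why the client domain holds a server-packet rule. `corenet_tcp_connect_all_ports(dhcpc_t)` just above is also broader than a DHCP client obviously needs, though it predates this change.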

