[selinux-policy: 950/3172] changed rules fixes
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:27:08 UTC 2010
commit 2e0a88016512e2218cd71580069f6f31937a07c9
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Thu Nov 10 21:37:54 2005 +0000
changed rules fixes
refpolicy/policy/modules/admin/netutils.te | 2 +-
refpolicy/policy/modules/admin/su.if | 1 +
refpolicy/policy/modules/kernel/kernel.if | 2 +-
refpolicy/policy/modules/kernel/storage.if | 3 +--
refpolicy/policy/modules/services/apache.if | 1 +
refpolicy/policy/modules/services/cups.te | 1 +
refpolicy/policy/modules/services/dovecot.te | 2 +-
refpolicy/policy/modules/services/inetd.te | 4 ++--
refpolicy/policy/modules/services/inn.te | 2 +-
refpolicy/policy/modules/services/kerberos.te | 2 ++
refpolicy/policy/modules/services/ktalk.te | 2 +-
refpolicy/policy/modules/services/lpd.te | 1 +
refpolicy/policy/modules/services/mysql.te | 4 ++--
refpolicy/policy/modules/services/rpc.te | 4 ++++
refpolicy/policy/modules/system/logging.te | 7 ++++---
refpolicy/policy/modules/system/selinuxutil.te | 2 +-
16 files changed, 25 insertions(+), 15 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index 98a5ecb..641012c 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -35,7 +35,7 @@ allow netutils_t self:process { sigkill sigstop signull signal };
allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
allow netutils_t self:packet_socket create_socket_perms;
allow netutils_t self:udp_socket create_socket_perms;
-allow netutils_t self:tcp_socket create_socket_perms;
+allow netutils_t self:tcp_socket create_stream_socket_perms;
allow netutils_t netutils_tmp_t:dir create_dir_perms;
allow netutils_t netutils_tmp_t:file create_file_perms;
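Review bot: The tcp_socket rule for netutils_t now grants listen and accept on top of create_socket_perms, but neither the hunk nor the commit message says which utility needs a listening TCP socket. A one-line comment above the rule naming that tool would let a later maintainer narrow the set again, e.g. `# listen/accept needed by <tool - TODO name it>`. If only outbound connections are actually needed, the original `create_socket_perms` is the narrower set.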
diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index cca5d2c..f52bae5 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -21,6 +21,7 @@ template(`su_restricted_domain_template', `
allow $1_su_t self:process { setexec setsched setrlimit };
allow $1_su_t self:fifo_file rw_file_perms;
allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
+ allow $1_su_t self:unix_stream_socket create_stream_socket_perms;
# Transition from the user domain to this domain.
domain_auto_trans($2, su_exec_t, $1_su_t)
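Review bot: The new unix_stream_socket rule grants `create_stream_socket_perms`, which in refpolicy adds listen and accept to create/connect; su acts as a client here, so presumably `allow $1_su_t self:unix_stream_socket create_socket_perms;` would satisfy the denial that motivated the line — worth checking against that denial. The same widening is made for newrole_t in selinuxutil.te, where plain connectto was previously enough. The enclosing su_restricted_domain_template starts outside the hunk.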
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 2b238ee..5933549 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -564,7 +564,7 @@ interface(`kernel_write_proc_file',`
')
allow $1 proc_t:dir search;
- allow $1 proc_t:file write;
+ allow $1 proc_t:file { append write };
')
########################################
diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
index 3f581a7..a437aee 100644
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@@ -68,10 +68,9 @@ interface(`storage_setattr_fixed_disk',`
interface(`storage_dontaudit_setattr_fixed_disk',`
gen_require(`
type fixed_disk_device_t;
- class blk_file getattr;
')
- dontaudit $1 fixed_disk_device_t:blk_file getattr;
+ dontaudit $1 fixed_disk_device_t:blk_file setattr;
')
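Review bot: The gen_require block drops `class blk_file getattr;` without adding a setattr counterpart, which is a second, unrelated change inside a permission fix. If the neighbouring interfaces in this file still declare their classes and permissions in gen_require, this one should keep `class blk_file setattr;` for consistency; if the file has moved away from class requirements, the removal is fine but deserves a mention in the commit message. The permission fix itself (getattr to setattr) matches the interface name.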
########################################
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index 7f96e01..b836c9c 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -53,6 +53,7 @@ template(`apache_content_template',`
allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir { getattr search };
allow httpd_$1_script_t self:fifo_file rw_file_perms;
+ allow httpd_$1_script_t self:unix_stream_socket connectto;
allow httpd_$1_script_t httpd_t:fifo_file write;
# apache should set close-on-exec
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index 281f875..2a08f29 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -401,6 +401,7 @@ allow initrc_t ptal_var_run_t:fifo_file unlink;
#
dontaudit hplip_t self:capability sys_tty_config;
+allow hplip_t self:process signal_perms;
allow hplip_t self:unix_dgram_socket create_socket_perms;
allow hplip_t self:unix_stream_socket create_socket_perms;
allow hplip_t self:tcp_socket create_stream_socket_perms;
diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te
index 85611b6..e6693a7 100644
--- a/refpolicy/policy/modules/services/dovecot.te
+++ b/refpolicy/policy/modules/services/dovecot.te
@@ -40,7 +40,7 @@ allow dovecot_t self:process { setrlimit signal_perms };
allow dovecot_t self:fifo_file rw_file_perms;
allow dovecot_t self:tcp_socket create_stream_socket_perms;
allow dovecot_t self:unix_dgram_socket create_socket_perms;
-allow dovecot_t self:unix_stream_socket create_stream_socket_perms;
+allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
domain_auto_trans(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
allow dovecot_t dovecot_auth_t:fd use;
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index 9c55937..6fb22da 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@@ -168,8 +168,8 @@ optional_policy(`rhgb.te',`
allow inetd_child_t self:process signal_perms;
allow inetd_child_t self:fifo_file rw_file_perms;
-allow inetd_child_t self:tcp_socket { listen accept connected_socket_perms };
-allow inetd_child_t self:udp_socket connected_socket_perms;
+allow inetd_child_t self:tcp_socket connected_stream_socket_perms;
+allow inetd_child_t self:udp_socket create_socket_perms;
# for identd
allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
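Review bot: The udp_socket rule changes from `connected_socket_perms` to `create_socket_perms`, which additionally grants connect; for a service that inetd spawns on an already-connected socket that may be more than is needed, and the commit message ("changed rules fixes") does not say which denial prompted it. The same change is made for ktalkd_t in ktalk.te. If connect really is required, a short comment naming the program would help; otherwise `allow inetd_child_t self:udp_socket connected_socket_perms;` keeps the prior scope. The tcp_socket rewrite to `connected_stream_socket_perms` looks equivalent to the old `{ listen accept connected_socket_perms }` and is fine.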
diff --git a/refpolicy/policy/modules/services/inn.te b/refpolicy/policy/modules/services/inn.te
index 83655c1..a6ea6fe 100644
--- a/refpolicy/policy/modules/services/inn.te
+++ b/refpolicy/policy/modules/services/inn.te
@@ -44,7 +44,7 @@ allow innd_t innd_etc_t:lnk_file { getattr read };
can_exec(innd_t, innd_exec_t)
allow innd_t innd_log_t:file manage_file_perms;
-allow innd_t innd_log_t:dir { setattr ra_dir_perms };
+allow innd_t innd_log_t:dir { setattr rw_dir_perms };
logging_create_log(innd_t,innd_log_t)
allow innd_t innd_var_lib_t:dir create_dir_perms;
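Review bot: Widening innd_log_t:dir from `ra_dir_perms` to `rw_dir_perms` lets innd_t remove entries from its own log directory rather than only add them, which gives up the append-only property the original set preserved for the logs. If innd rotates or prunes its own log files this is needed, but that should be stated above the rule, e.g. `# innd rotates its own logs, needs remove_name`; otherwise the previous set is preferable.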
diff --git a/refpolicy/policy/modules/services/kerberos.te b/refpolicy/policy/modules/services/kerberos.te
index fccdc21..98e8e01 100644
--- a/refpolicy/policy/modules/services/kerberos.te
+++ b/refpolicy/policy/modules/services/kerberos.te
@@ -55,6 +55,7 @@ files_pid_file(krb5kdc_var_run_t)
# Use capabilities. Surplus capabilities may be allowed.
allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
dontaudit kadmind_t self:capability sys_tty_config;
+allow kadmind_t self:process signal_perms;
allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
allow kadmind_t self:unix_dgram_socket { connect create write };
allow kadmind_t self:tcp_socket connected_stream_socket_perms;
@@ -161,6 +162,7 @@ optional_policy(`rhgb.te',`
# Use capabilities. Surplus capabilities may be allowed.
allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
dontaudit krb5kdc_t self:capability sys_tty_config;
+allow krb5kdc_t self:process signal_perms;
allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
allow krb5kdc_t self:tcp_socket connected_stream_socket_perms;
allow krb5kdc_t self:udp_socket create_socket_perms;
diff --git a/refpolicy/policy/modules/services/ktalk.te b/refpolicy/policy/modules/services/ktalk.te
index 81a80e3..d3d4529 100644
--- a/refpolicy/policy/modules/services/ktalk.te
+++ b/refpolicy/policy/modules/services/ktalk.te
@@ -25,7 +25,7 @@ files_pid_file(ktalkd_var_run_t)
allow ktalkd_t self:process signal_perms;
allow ktalkd_t self:fifo_file rw_file_perms;
allow ktalkd_t self:tcp_socket connected_stream_socket_perms;
-allow ktalkd_t self:udp_socket connected_socket_perms;
+allow ktalkd_t self:udp_socket create_socket_perms;
# for identd
# cjp: this should probably only be inetd_child rules?
allow ktalkd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
diff --git a/refpolicy/policy/modules/services/lpd.te b/refpolicy/policy/modules/services/lpd.te
index d9ff6ed..d6c433a 100644
--- a/refpolicy/policy/modules/services/lpd.te
+++ b/refpolicy/policy/modules/services/lpd.te
@@ -119,6 +119,7 @@ optional_policy(`nis.te',`
allow lpd_t self:capability { setgid setuid net_bind_service dac_read_search dac_override chown fowner };
dontaudit lpd_t self:capability sys_tty_config;
+allow lpd_t self:process signal_perms;
allow lpd_t self:fifo_file rw_file_perms;
allow lpd_t self:unix_stream_socket create_stream_socket_perms;
allow lpd_t self:unix_dgram_socket create_socket_perms;
diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te
index db088a1..52d0770 100644
--- a/refpolicy/policy/modules/services/mysql.te
+++ b/refpolicy/policy/modules/services/mysql.te
@@ -30,9 +30,9 @@ files_tmp_file(mysqld_tmp_t)
# Local policy
#
-allow mysqld_t self:capability { dac_override setgid setuid };
+allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service };
dontaudit mysqld_t self:capability sys_tty_config;
-allow mysqld_t self:process { setsched getsched signal_perms };
+allow mysqld_t self:process { setsched getsched setrlimit signal_perms };
allow mysqld_t self:fifo_file { read write };
allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;
allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
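Review bot: `sys_resource` is added as an allow here, while the logging.te hunk in this same commit handles the equivalent request for klogd_t with a dontaudit; unless mysqld genuinely has to exceed a hard limit, `dontaudit mysqld_t self:capability { sys_resource sys_tty_config };` would be consistent with that hunk and with the existing dontaudit on the next line. The setrlimit addition to the process rule stands on its own, since adjusting limits below the hard limit needs no capability. `net_bind_service` is also surprising for a daemon whose default port is above 1024; if it is for a non-default configuration, a comment should say so.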
diff --git a/refpolicy/policy/modules/services/rpc.te b/refpolicy/policy/modules/services/rpc.te
index b8ade12..0f207fb 100644
--- a/refpolicy/policy/modules/services/rpc.te
+++ b/refpolicy/policy/modules/services/rpc.te
@@ -90,6 +90,7 @@ kernel_udp_sendfrom(nfsd_t)
kernel_tcp_recvfrom(nfsd_t)
corenet_udp_bind_generic_port(nfsd_t)
+corenet_udp_bind_reserved_port(nfsd_t)
fs_mount_nfsd_fs(nfsd_t)
fs_search_nfsd_fs(nfsd_t)
@@ -130,6 +131,9 @@ files_create_tmp_files(gssd_t, gssd_tmp_t, { file dir })
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
+corenet_udp_bind_generic_port(gssd_t)
+corenet_udp_bind_reserved_port(gssd_t)
+
dev_read_urand(gssd_t)
fs_read_rpc_dirs(gssd_t)
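Review bot: Both new `corenet_udp_bind_reserved_port` calls let the domain bind any UDP port below 1024; binding a reserved port also requires the `net_bind_service` capability, which is not visible in either hunk, so confirm nfsd_t and gssd_t already have it or the new rules will still be followed by a capability denial. If gssd or nfsd use a specific well-known port and a named port interface exists for it, that would be the narrower choice. The surrounding rule groups continue outside the hunks.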
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 2469a3a..e6f2fac 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -185,6 +185,10 @@ rhgb_domain(auditd_t)
# klogd local policy
#
+allow klogd_t self:capability sys_admin;
+dontaudit klogd_t self:capability { sys_resource sys_tty_config };
+allow klogd_t self:process signal_perms;
+
allow klogd_t klogd_tmp_t:file create_file_perms;
allow klogd_t klogd_tmp_t:dir create_dir_perms;
files_create_tmp_files(klogd_t,klogd_tmp_t,{ file dir })
@@ -193,9 +197,6 @@ allow klogd_t klogd_var_run_t:file create_file_perms;
allow klogd_t klogd_var_run_t:dir rw_dir_perms;
files_create_pid(klogd_t,klogd_var_run_t)
-allow klogd_t self:capability sys_admin;
-dontaudit klogd_t self:capability sys_resource;
-
kernel_read_system_state(klogd_t)
kernel_read_messages(klogd_t)
kernel_read_kernel_sysctl(klogd_t)
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 0fd52e0..42022a2 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -208,7 +208,7 @@ allow newrole_t self:sem create_sem_perms;
allow newrole_t self:msgq create_msgq_perms;
allow newrole_t self:msg { send receive };
allow newrole_t self:unix_dgram_socket sendto;
-allow newrole_t self:unix_stream_socket connectto;
+allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow newrole_t self:netlink_audit_socket { create bind write nlmsg_read read };
allow newrole_t { selinux_config_t default_context_t }:dir r_dir_perms;