[selinux-policy: 1495/3172] packets
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:14:33 UTC 2010
commit 3d03a4f40f6af5d6d3b86b49b4b033ed8ecbc6b6
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Jun 2 15:06:45 2006 +0000
packets
refpolicy/policy/modules/services/automount.te | 3 ++-
refpolicy/policy/modules/services/bluetooth.te | 4 ++--
refpolicy/policy/modules/services/djbdns.if | 2 ++
refpolicy/policy/modules/services/djbdns.te | 2 +-
refpolicy/policy/modules/services/dovecot.te | 4 +++-
refpolicy/policy/modules/services/fetchmail.te | 3 ++-
refpolicy/policy/modules/services/mailman.if | 1 +
refpolicy/policy/modules/services/mailman.te | 2 +-
refpolicy/policy/modules/services/nis.te | 24 +++++++++++-------------
refpolicy/policy/modules/services/postfix.te | 17 +++++++----------
refpolicy/policy/modules/services/razor.if | 3 +--
refpolicy/policy/modules/services/razor.te | 4 ++--
refpolicy/policy/modules/services/stunnel.te | 7 ++-----
refpolicy/policy/modules/services/telnet.te | 8 ++------
refpolicy/policy/modules/services/ucspitcp.te | 14 ++++++++++++--
refpolicy/policy/modules/services/zebra.te | 4 +++-
16 files changed, 54 insertions(+), 48 deletions(-)
---
diff --git a/refpolicy/policy/modules/services/automount.te b/refpolicy/policy/modules/services/automount.te
index eebbb1d..adc123f 100644
--- a/refpolicy/policy/modules/services/automount.te
+++ b/refpolicy/policy/modules/services/automount.te
@@ -1,5 +1,5 @@
-policy_module(automount,1.2.4)
+policy_module(automount,1.2.5)
########################################
#
@@ -81,6 +81,7 @@ corenet_udp_bind_all_nodes(automount_t)
corenet_tcp_connect_portmap_port(automount_t)
corenet_tcp_connect_all_ports(automount_t)
corenet_dontaudit_tcp_connect_all_reserved_ports(automount_t)
+corenet_sendrecv_all_client_packets(automount_t)
# Automount execs showmount when you browse /net. This is required until
# Someone writes a showmount policy
corenet_tcp_bind_reserved_port(automount_t)
diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te
index d2f4750..2bb2b31 100644
--- a/refpolicy/policy/modules/services/bluetooth.te
+++ b/refpolicy/policy/modules/services/bluetooth.te
@@ -1,5 +1,5 @@
-policy_module(bluetooth,1.2.6)
+policy_module(bluetooth,1.2.7)
########################################
#
@@ -49,7 +49,7 @@ allow bluetooth_t self:shm create_shm_perms;
allow bluetooth_t self:socket create_stream_socket_perms;
allow bluetooth_t self:unix_dgram_socket create_socket_perms;
allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
-allow bluetooth_t self:tcp_socket { create_stream_socket_perms connect };
+allow bluetooth_t self:tcp_socket create_stream_socket_perms;
allow bluetooth_t self:udp_socket create_socket_perms;
allow bluetooth_t bluetooth_conf_t:dir rw_dir_perms;
diff --git a/refpolicy/policy/modules/services/djbdns.if b/refpolicy/policy/modules/services/djbdns.if
index dcafb95..e8baf77 100644
--- a/refpolicy/policy/modules/services/djbdns.if
+++ b/refpolicy/policy/modules/services/djbdns.if
@@ -44,6 +44,8 @@ template(`djbdns_daemontools_domain_template',`
corenet_tcp_bind_dns_port(djbdns_$1_t)
corenet_udp_bind_dns_port(djbdns_$1_t)
corenet_udp_bind_generic_port(djbdns_$1_t)
+ corenet_sendrecv_dns_server_packets(djbdns_$1_t)
+ corenet_sendrecv_generic_server_packets(djbdns_$1_t)
files_search_var(djbdns_$1_t)
diff --git a/refpolicy/policy/modules/services/djbdns.te b/refpolicy/policy/modules/services/djbdns.te
index a51e8c6..0ca3670 100644
--- a/refpolicy/policy/modules/services/djbdns.te
+++ b/refpolicy/policy/modules/services/djbdns.te
@@ -1,5 +1,5 @@
-policy_module(djbdns,1.0.0)
+policy_module(djbdns,1.0.1)
########################################
#
diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te
index f3b47a6..630e27c 100644
--- a/refpolicy/policy/modules/services/dovecot.te
+++ b/refpolicy/policy/modules/services/dovecot.te
@@ -1,5 +1,5 @@
-policy_module(dovecot,1.2.2)
+policy_module(dovecot,1.2.3)
########################################
#
@@ -78,6 +78,8 @@ corenet_tcp_bind_all_nodes(dovecot_t)
corenet_tcp_bind_pop_port(dovecot_t)
corenet_tcp_connect_all_ports(dovecot_t)
corenet_tcp_connect_postgresql_port(dovecot_t)
+corenet_sendrecv_pop_server_packets(dovecot_t)
+corenet_sendrecv_all_client_packets(dovecot_t)
dev_read_sysfs(dovecot_t)
dev_read_urand(dovecot_t)
diff --git a/refpolicy/policy/modules/services/fetchmail.te b/refpolicy/policy/modules/services/fetchmail.te
index 2ef238f..bac61a5 100644
--- a/refpolicy/policy/modules/services/fetchmail.te
+++ b/refpolicy/policy/modules/services/fetchmail.te
@@ -1,5 +1,5 @@
-policy_module(fetchmail,1.1.1)
+policy_module(fetchmail,1.1.2)
########################################
#
@@ -57,6 +57,7 @@ corenet_udp_sendrecv_dns_port(fetchmail_t)
corenet_tcp_sendrecv_pop_port(fetchmail_t)
corenet_tcp_sendrecv_smtp_port(fetchmail_t)
corenet_tcp_connect_all_ports(fetchmail_t)
+corenet_sendrecv_all_client_packets(fetchmail_t)
dev_read_sysfs(fetchmail_t)
dev_read_rand(fetchmail_t)
diff --git a/refpolicy/policy/modules/services/mailman.if b/refpolicy/policy/modules/services/mailman.if
index c6b2e65..8e3360f 100644
--- a/refpolicy/policy/modules/services/mailman.if
+++ b/refpolicy/policy/modules/services/mailman.if
@@ -62,6 +62,7 @@ template(`mailman_domain_template', `
corenet_tcp_bind_all_nodes(mailman_$1_t)
corenet_udp_bind_all_nodes(mailman_$1_t)
corenet_tcp_connect_smtp_port(mailman_$1_t)
+ corenet_sendrecv_smtp_client_packets(mailman_$1_t)
fs_getattr_xattr_fs(mailman_$1_t)
diff --git a/refpolicy/policy/modules/services/mailman.te b/refpolicy/policy/modules/services/mailman.te
index 4c29812..ad12df5 100644
--- a/refpolicy/policy/modules/services/mailman.te
+++ b/refpolicy/policy/modules/services/mailman.te
@@ -1,5 +1,5 @@
-policy_module(mailman,1.1.3)
+policy_module(mailman,1.1.4)
########################################
#
diff --git a/refpolicy/policy/modules/services/nis.te b/refpolicy/policy/modules/services/nis.te
index 738b863..31dfc8f 100644
--- a/refpolicy/policy/modules/services/nis.te
+++ b/refpolicy/policy/modules/services/nis.te
@@ -1,5 +1,5 @@
-policy_module(nis,1.1.3)
+policy_module(nis,1.1.4)
########################################
#
@@ -72,15 +72,13 @@ kernel_list_proc(ypbind_t)
kernel_read_proc_symlinks(ypbind_t)
kernel_tcp_recvfrom(ypbind_t)
+corenet_non_ipsec_sendrecv(ypbind_t)
corenet_tcp_sendrecv_all_if(ypbind_t)
corenet_udp_sendrecv_all_if(ypbind_t)
-corenet_raw_sendrecv_all_if(ypbind_t)
corenet_tcp_sendrecv_all_nodes(ypbind_t)
corenet_udp_sendrecv_all_nodes(ypbind_t)
-corenet_raw_sendrecv_all_nodes(ypbind_t)
corenet_tcp_sendrecv_all_ports(ypbind_t)
corenet_udp_sendrecv_all_ports(ypbind_t)
-corenet_non_ipsec_sendrecv(ypbind_t)
corenet_tcp_bind_all_nodes(ypbind_t)
corenet_udp_bind_all_nodes(ypbind_t)
corenet_tcp_bind_generic_port(ypbind_t)
@@ -91,6 +89,8 @@ corenet_tcp_bind_all_rpc_ports(ypbind_t)
corenet_tcp_connect_all_ports(ypbind_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(ypbind_t)
corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t)
+corenet_sendrecv_all_client_packets(ypbind_t)
+corenet_sendrecv_generic_server_packets(ypbind_t)
dev_read_sysfs(ypbind_t)
@@ -167,21 +167,20 @@ kernel_read_proc_symlinks(yppasswdd_t)
kernel_getattr_proc_files(yppasswdd_t)
kernel_read_kernel_sysctls(yppasswdd_t)
+corenet_non_ipsec_sendrecv(yppasswdd_t)
corenet_tcp_sendrecv_generic_if(yppasswdd_t)
corenet_udp_sendrecv_generic_if(yppasswdd_t)
-corenet_raw_sendrecv_generic_if(yppasswdd_t)
corenet_tcp_sendrecv_all_nodes(yppasswdd_t)
corenet_udp_sendrecv_all_nodes(yppasswdd_t)
-corenet_raw_sendrecv_all_nodes(yppasswdd_t)
corenet_tcp_sendrecv_all_ports(yppasswdd_t)
corenet_udp_sendrecv_all_ports(yppasswdd_t)
-corenet_non_ipsec_sendrecv(yppasswdd_t)
corenet_tcp_bind_all_nodes(yppasswdd_t)
corenet_udp_bind_all_nodes(yppasswdd_t)
corenet_tcp_bind_reserved_port(yppasswdd_t)
corenet_udp_bind_reserved_port(yppasswdd_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t)
corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t)
+corenet_sendrecv_generic_server_packets(yppasswdd_t)
dev_read_sysfs(yppasswdd_t)
@@ -273,21 +272,20 @@ kernel_read_kernel_sysctls(ypserv_t)
kernel_list_proc(ypserv_t)
kernel_read_proc_symlinks(ypserv_t)
+corenet_non_ipsec_sendrecv(ypserv_t)
corenet_tcp_sendrecv_all_if(ypserv_t)
corenet_udp_sendrecv_all_if(ypserv_t)
-corenet_raw_sendrecv_all_if(ypserv_t)
corenet_tcp_sendrecv_all_nodes(ypserv_t)
corenet_udp_sendrecv_all_nodes(ypserv_t)
-corenet_raw_sendrecv_all_nodes(ypserv_t)
corenet_tcp_sendrecv_all_ports(ypserv_t)
corenet_udp_sendrecv_all_ports(ypserv_t)
-corenet_non_ipsec_sendrecv(ypserv_t)
corenet_tcp_bind_all_nodes(ypserv_t)
corenet_udp_bind_all_nodes(ypserv_t)
corenet_tcp_bind_reserved_port(ypserv_t)
corenet_udp_bind_reserved_port(ypserv_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t)
corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t)
+corenet_sendrecv_generic_server_packets(ypserv_t)
dev_read_sysfs(ypserv_t)
@@ -343,15 +341,13 @@ optional_policy(`
allow ypxfr_t self:unix_stream_socket create_stream_socket_perms;
+corenet_non_ipsec_sendrecv(ypxfr_t)
corenet_tcp_sendrecv_all_if(ypxfr_t)
corenet_udp_sendrecv_all_if(ypxfr_t)
-corenet_raw_sendrecv_all_if(ypxfr_t)
corenet_tcp_sendrecv_all_nodes(ypxfr_t)
corenet_udp_sendrecv_all_nodes(ypxfr_t)
-corenet_raw_sendrecv_all_nodes(ypxfr_t)
corenet_tcp_sendrecv_all_ports(ypxfr_t)
corenet_udp_sendrecv_all_ports(ypxfr_t)
-corenet_non_ipsec_sendrecv(ypxfr_t)
corenet_tcp_bind_all_nodes(ypxfr_t)
corenet_udp_bind_all_nodes(ypxfr_t)
corenet_tcp_bind_reserved_port(ypxfr_t)
@@ -359,5 +355,7 @@ corenet_udp_bind_reserved_port(ypxfr_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
corenet_tcp_connect_all_ports(ypxfr_t)
+corenet_sendrecv_generic_server_packets(ypxfr_t)
+corenet_sendrecv_all_client_packets(ypxfr_t)
files_read_etc_files(ypxfr_t)
diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te
index 1df67a9..15167e7 100644
--- a/refpolicy/policy/modules/services/postfix.te
+++ b/refpolicy/policy/modules/services/postfix.te
@@ -1,5 +1,5 @@
-policy_module(postfix,1.2.5)
+policy_module(postfix,1.2.6)
########################################
#
@@ -131,20 +131,20 @@ allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr };
kernel_read_all_sysctls(postfix_master_t)
+corenet_non_ipsec_sendrecv(postfix_master_t)
corenet_tcp_sendrecv_all_if(postfix_master_t)
corenet_udp_sendrecv_all_if(postfix_master_t)
-corenet_raw_sendrecv_all_if(postfix_master_t)
corenet_tcp_sendrecv_all_nodes(postfix_master_t)
corenet_udp_sendrecv_all_nodes(postfix_master_t)
-corenet_raw_sendrecv_all_nodes(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
-corenet_non_ipsec_sendrecv(postfix_master_t)
corenet_tcp_bind_all_nodes(postfix_master_t)
-corenet_udp_bind_all_nodes(postfix_master_t)
corenet_tcp_bind_amavisd_send_port(postfix_master_t)
corenet_tcp_bind_smtp_port(postfix_master_t)
corenet_tcp_connect_all_ports(postfix_master_t)
+corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
+corenet_sendrecv_smtp_server_packets(postfix_master_t)
+corenet_sendrecv_all_client_packets(postfix_master_t)
# for a find command
selinux_dontaudit_search_fs(postfix_master_t)
@@ -320,18 +320,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
kernel_dontaudit_list_proc(postfix_map_t)
kernel_dontaudit_read_system_state(postfix_map_t)
+corenet_non_ipsec_sendrecv(postfix_map_t)
corenet_tcp_sendrecv_all_if(postfix_map_t)
corenet_udp_sendrecv_all_if(postfix_map_t)
-corenet_raw_sendrecv_all_if(postfix_map_t)
corenet_tcp_sendrecv_all_nodes(postfix_map_t)
corenet_udp_sendrecv_all_nodes(postfix_map_t)
-corenet_raw_sendrecv_all_nodes(postfix_map_t)
corenet_tcp_sendrecv_all_ports(postfix_map_t)
corenet_udp_sendrecv_all_ports(postfix_map_t)
-corenet_non_ipsec_sendrecv(postfix_map_t)
-corenet_tcp_bind_all_nodes(postfix_map_t)
-corenet_udp_bind_all_nodes(postfix_map_t)
corenet_tcp_connect_all_ports(postfix_map_t)
+corenet_sendrecv_all_client_packets(postfix_map_t)
corecmd_list_bin(postfix_map_t)
corecmd_read_bin_symlinks(postfix_map_t)
diff --git a/refpolicy/policy/modules/services/razor.if b/refpolicy/policy/modules/services/razor.if
index f78608c..26b3637 100644
--- a/refpolicy/policy/modules/services/razor.if
+++ b/refpolicy/policy/modules/services/razor.if
@@ -64,13 +64,12 @@ template(`razor_common_domain_template',`
corecmd_exec_bin($1_t)
+ corenet_non_ipsec_sendrecv($1_t)
corenet_tcp_sendrecv_generic_if($1_t)
corenet_raw_sendrecv_generic_if($1_t)
corenet_tcp_sendrecv_all_nodes($1_t)
corenet_raw_sendrecv_all_nodes($1_t)
corenet_tcp_sendrecv_razor_port($1_t)
- corenet_non_ipsec_sendrecv($1_t)
- corenet_tcp_bind_all_nodes($1_t)
# mktemp and other randoms
dev_read_rand($1_t)
diff --git a/refpolicy/policy/modules/services/razor.te b/refpolicy/policy/modules/services/razor.te
index 8cddadd..08e7b72 100644
--- a/refpolicy/policy/modules/services/razor.te
+++ b/refpolicy/policy/modules/services/razor.te
@@ -1,5 +1,5 @@
-policy_module(razor,1.0.0)
+policy_module(razor,1.0.1)
########################################
#
@@ -47,8 +47,8 @@ corenet_raw_sendrecv_generic_if(razor_t)
corenet_tcp_sendrecv_all_nodes(razor_t)
corenet_raw_sendrecv_all_nodes(razor_t)
corenet_tcp_sendrecv_razor_port(razor_t)
-corenet_tcp_bind_all_nodes(razor_t)
corenet_tcp_connect_razor_port(razor_t)
+corenet_sendrecv_razor_client_packets(razor_t)
sysnet_read_config(razor_t)
diff --git a/refpolicy/policy/modules/services/stunnel.te b/refpolicy/policy/modules/services/stunnel.te
index 88bda4a..783fad6 100644
--- a/refpolicy/policy/modules/services/stunnel.te
+++ b/refpolicy/policy/modules/services/stunnel.te
@@ -1,5 +1,5 @@
-policy_module(stunnel,1.1.0)
+policy_module(stunnel,1.1.1)
########################################
#
@@ -55,17 +55,14 @@ kernel_read_kernel_sysctls(stunnel_t)
kernel_read_system_state(stunnel_t)
kernel_read_network_state(stunnel_t)
+corenet_non_ipsec_sendrecv(stunnel_t)
corenet_tcp_sendrecv_all_if(stunnel_t)
corenet_udp_sendrecv_all_if(stunnel_t)
-corenet_raw_sendrecv_all_if(stunnel_t)
corenet_tcp_sendrecv_all_nodes(stunnel_t)
corenet_udp_sendrecv_all_nodes(stunnel_t)
-corenet_raw_sendrecv_all_nodes(stunnel_t)
corenet_tcp_sendrecv_all_ports(stunnel_t)
corenet_udp_sendrecv_all_ports(stunnel_t)
-corenet_non_ipsec_sendrecv(stunnel_t)
corenet_tcp_bind_all_nodes(stunnel_t)
-corenet_udp_bind_all_nodes(stunnel_t)
#corenet_tcp_bind_stunnel_port(stunnel_t)
fs_getattr_all_fs(stunnel_t)
diff --git a/refpolicy/policy/modules/services/telnet.te b/refpolicy/policy/modules/services/telnet.te
index 3d4a2df..005992d 100644
--- a/refpolicy/policy/modules/services/telnet.te
+++ b/refpolicy/policy/modules/services/telnet.te
@@ -1,5 +1,5 @@
-policy_module(telnet,1.1.0)
+policy_module(telnet,1.1.1)
########################################
#
@@ -49,17 +49,13 @@ kernel_read_kernel_sysctls(telnetd_t)
kernel_read_system_state(telnetd_t)
kernel_read_network_state(telnetd_t)
+corenet_non_ipsec_sendrecv(telnetd_t)
corenet_tcp_sendrecv_all_if(telnetd_t)
corenet_udp_sendrecv_all_if(telnetd_t)
-corenet_raw_sendrecv_all_if(telnetd_t)
corenet_tcp_sendrecv_all_nodes(telnetd_t)
corenet_udp_sendrecv_all_nodes(telnetd_t)
-corenet_raw_sendrecv_all_nodes(telnetd_t)
corenet_tcp_sendrecv_all_ports(telnetd_t)
corenet_udp_sendrecv_all_ports(telnetd_t)
-corenet_non_ipsec_sendrecv(telnetd_t)
-corenet_tcp_bind_all_nodes(telnetd_t)
-corenet_udp_bind_all_nodes(telnetd_t)
dev_read_urand(telnetd_t)
diff --git a/refpolicy/policy/modules/services/ucspitcp.te b/refpolicy/policy/modules/services/ucspitcp.te
index 4689b48..26fed63 100644
--- a/refpolicy/policy/modules/services/ucspitcp.te
+++ b/refpolicy/policy/modules/services/ucspitcp.te
@@ -1,5 +1,5 @@
-policy_module(ucspitcp,1.0.1)
+policy_module(ucspitcp,1.0.2)
########################################
#
@@ -60,15 +60,18 @@ allow ucspitcp_t self:udp_socket create_socket_perms;
corecmd_search_bin(ucspitcp_t)
corecmd_search_sbin(ucspitcp_t)
+# base networking:
+corenet_non_ipsec_sendrecv(ucspitcp_t)
corenet_tcp_sendrecv_all_if(ucspitcp_t)
corenet_udp_sendrecv_all_if(ucspitcp_t)
corenet_tcp_sendrecv_all_nodes(ucspitcp_t)
corenet_udp_sendrecv_all_nodes(ucspitcp_t)
corenet_tcp_sendrecv_all_ports(ucspitcp_t)
corenet_udp_sendrecv_all_ports(ucspitcp_t)
-corenet_non_ipsec_sendrecv(ucspitcp_t)
corenet_tcp_bind_all_nodes(ucspitcp_t)
corenet_udp_bind_all_nodes(ucspitcp_t)
+
+# server ports:
corenet_tcp_bind_ftp_port(ucspitcp_t)
corenet_tcp_bind_ftp_data_port(ucspitcp_t)
corenet_tcp_bind_http_port(ucspitcp_t)
@@ -77,6 +80,13 @@ corenet_tcp_bind_dns_port(ucspitcp_t)
corenet_udp_bind_dns_port(ucspitcp_t)
corenet_udp_bind_generic_port(ucspitcp_t)
+# server packets:
+corenet_sendrecv_ftp_server_packets(ucspitcp_t)
+corenet_sendrecv_http_server_packets(ucspitcp_t)
+corenet_sendrecv_smtp_server_packets(ucspitcp_t)
+corenet_sendrecv_dns_server_packets(ucspitcp_t)
+corenet_sendrecv_generic_server_packets(ucspitcp_t)
+
files_search_var(ucspitcp_t)
files_read_etc_files(ucspitcp_t)
diff --git a/refpolicy/policy/modules/services/zebra.te b/refpolicy/policy/modules/services/zebra.te
index 4ef0b02..3d331a3 100644
--- a/refpolicy/policy/modules/services/zebra.te
+++ b/refpolicy/policy/modules/services/zebra.te
@@ -1,5 +1,5 @@
-policy_module(zebra,1.2.1)
+policy_module(zebra,1.2.2)
########################################
#
@@ -74,6 +74,8 @@ corenet_tcp_bind_all_nodes(zebra_t)
corenet_udp_bind_all_nodes(zebra_t)
corenet_tcp_bind_zebra_port(zebra_t)
corenet_udp_bind_router_port(zebra_t)
+corenet_sendrecv_zebra_server_packets(zebra_t)
+corenet_sendrecv_router_server_packets(zebra_t)
dev_associate_usbfs(zebra_var_run_t)
dev_list_all_dev_nodes(zebra_t)
More information about the scm-commits
mailing list