From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id AB6B7139694 for ; Fri, 17 Feb 2017 08:51:37 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id E06BB21C0AA; Fri, 17 Feb 2017 08:51:34 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 8F53921C0AA for ; Fri, 17 Feb 2017 08:51:19 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 8EC0E34105A for ; Fri, 17 Feb 2017 08:50:59 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 112B74AD6 for ; Fri, 17 Feb 2017 08:50:56 +0000 (UTC) From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1487320892.6c4f7f44b8475c05327146520cc4f3e196f9574c.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/accountsd.te policy/modules/contrib/afs.te policy/modules/contrib/aisexec.te policy/modules/contrib/alsa.te policy/modules/contrib/amanda.te policy/modules/contrib/amavis.te policy/modules/contrib/apache.te policy/modules/contrib/apm.te policy/modules/contrib/asterisk.te policy/modules/contrib/automount.te policy/modules/contrib/avahi.te policy/modules/contrib/bacula.te policy/modules/contrib/bluetooth.te policy/modules/contrib/boinc.te policy/modules/contrib/cachefilesd.te policy/modules/contrib/callweaver.te policy/modules/contrib/canna.te policy/modules/contrib/ccs.te policy/modules/contrib/cdrecord.te policy/modules/contrib/certmaster.te policy/modules/contrib/certmonger.te policy/modules/contrib/cgroup.te policy/modules/contrib/chronyd.te policy/modules/contrib/cipe.te policy/modules/contrib/clamav.te policy/modules/contrib/clockspeed.te policy/modules/contrib/clogd.te policy/modules/contrib/cmirrord.te policy/modules/contrib/colord.te policy/ modules/contrib/comsat.te policy/modules/contrib/condor.te policy/modules/contrib/consolekit.te policy/modules/contrib/corosync.te policy/modules/contrib/courier.te policy/modules/contrib/cron.te policy/modules/contrib/cups.te policy/modules/contrib/cvs.te policy/modules/contrib/daemontools.te policy/modules/contrib/dante.te policy/modules/contrib/dbus.te policy/modules/contrib/dcc.te policy/modules/contrib/ddcprobe.te policy/modules/contrib/devicekit.te policy/modules/contrib/dhcp.te policy/modules/contrib/dictd.te policy/modules/contrib/dnsmasq.te policy/modules/contrib/dovecot.te policy/modules/contrib/dpkg.te policy/modules/contrib/evolution.te policy/modules/contrib/exim.te policy/modules/contrib/fail2ban.te policy/modules/contrib/finger.te policy/modules/contrib/ftp.te policy/modules/contrib/gdomap.te policy/modules/contrib/glusterfs.te policy/modules/contrib/gpm.te policy/modules/contrib/gpsd.te policy/modules/contrib/hadoop.te policy/modules/contrib/hal.te policy/modules/con trib/ifplugd.te policy/modules/contrib/inetd.te policy/modules/contrib/iodine.te policy/modules/contrib/kdump.te policy/modules/contrib/kerberos.te policy/modules/contrib/kismet.te policy/modules/contrib/kudzu.te policy/modules/contrib/ldap.te policy/modules/contrib/likewise.te policy/modules/contrib/logrotate.te policy/modules/contrib/logwatch.te policy/modules/contrib/lpd.te policy/modules/contrib/mailman.te policy/modules/contrib/mailscanner.te policy/modules/contrib/mandb.te policy/modules/contrib/memcached.te policy/modules/contrib/milter.te policy/modules/contrib/minissdpd.te policy/modules/contrib/mozilla.te policy/modules/contrib/mrtg.te policy/modules/contrib/mta.te policy/modules/contrib/nagios.te policy/modules/contrib/networkmanager.te policy/modules/contrib/nslcd.te policy/modules/contrib/ntop.te policy/modules/contrib/ntp.te policy/modules/contrib/nut.te policy/modules/contrib/oddjob.te policy/modules/contrib/oident.te policy/modules/contrib/openvpn.te policy/modules/c ontrib/openvswitch.te policy/modules/contrib/pacemaker.te policy/modules/contrib/passenger.te policy/modules/contrib/pcmcia.te policy/modules/contrib/pegasus.te policy/modules/contrib/pkcs.te policy/modules/contrib/podsleuth.te policy/modules/contrib/portage.if policy/modules/contrib/portage.te policy/modules/contrib/portmap.te policy/modules/contrib/portreserve.te policy/modules/contrib/portslave.te policy/modules/contrib/postfix.te policy/modules/contrib/postfixpolicyd.te policy/modules/contrib/ppp.te policy/modules/contrib/procmail.te policy/modules/contrib/psad.te policy/modules/contrib/pulseaudio.te policy/modules/contrib/puppet.te policy/modules/contrib/qemu.if policy/modules/contrib/qmail.te policy/modules/contrib/quota.te policy/modules/contrib/radvd.te policy/modules/contrib/raid.te policy/modules/contrib/readahead.te policy/modules/contrib/remotelogin.te policy/modules/contrib/rgmanager.te policy/modules/contrib/rhcs.te policy/modules/contrib/ricci.te policy/modules/contri b/rlogin.te policy/modules/contrib/rpc.te policy/modules/contrib/rpm.te policy/modules/contrib/rshd.te policy/modules/contrib/rssh.te policy/modules/contrib/rsync.te policy/modules/contrib/samba.te policy/modules/contrib/samhain.te policy/modules/contrib/screen.te policy/modules/contrib/sendmail.te policy/modules/contrib/shorewall.te policy/modules/contrib/slocate.te policy/modules/contrib/smartmon.te policy/modules/contrib/smokeping.te policy/modules/contrib/snmp.te policy/modules/contrib/snort.te policy/modules/contrib/sosreport.te policy/modules/contrib/spamassassin.te policy/modules/contrib/squid.te policy/modules/contrib/sssd.te policy/modules/contrib/sxid.te policy/modules/contrib/systemtap.te policy/modules/contrib/telnet.te policy/modules/contrib/tripwire.te policy/modules/contrib/ulogd.te policy/modules/contrib/userhelper.te policy/modules/contrib/usernetctl.te policy/modules/contrib/uucp.te policy/modules/contrib/varnishd.te policy/modules/contrib/vbetool.te policy/modules /contrib/vhostmd.te policy/modules/contrib/virt.te policy/modules/contrib/vlock.te policy/modules/contrib/vmware.te policy/modules/contrib/vpn.te policy/modules/contrib/watchdog.te policy/modules/contrib/wdmd.te policy/modules/contrib/xen.te policy/modules/contrib/yam.te policy/modules/contrib/zabbix.te policy/modules/contrib/zarafa.te policy/modules/contrib/zebra.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 6c4f7f44b8475c05327146520cc4f3e196f9574c X-VCS-Branch: next Date: Fri, 17 Feb 2017 08:50:56 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 51c53fb7-49c4-4863-9e73-26a828a37e12 X-Archives-Hash: a67734d383fa867a59248c70f417eba3 commit: 6c4f7f44b8475c05327146520cc4f3e196f9574c Author: Chris PeBenito ieee org> AuthorDate: Wed Feb 15 23:47:07 2017 +0000 Commit: Jason Zaman gentoo org> CommitDate: Fri Feb 17 08:41:32 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6c4f7f44 Sort capabilities permissions from Russell Coker. policy/modules/contrib/accountsd.te | 2 +- policy/modules/contrib/afs.te | 2 +- policy/modules/contrib/aisexec.te | 2 +- policy/modules/contrib/alsa.te | 2 +- policy/modules/contrib/amanda.te | 4 ++-- policy/modules/contrib/amavis.te | 2 +- policy/modules/contrib/apache.te | 2 +- policy/modules/contrib/apm.te | 4 ++-- policy/modules/contrib/asterisk.te | 2 +- policy/modules/contrib/automount.te | 2 +- policy/modules/contrib/avahi.te | 2 +- policy/modules/contrib/bacula.te | 2 +- policy/modules/contrib/bluetooth.te | 2 +- policy/modules/contrib/boinc.te | 2 +- policy/modules/contrib/cachefilesd.te | 2 +- policy/modules/contrib/callweaver.te | 2 +- policy/modules/contrib/canna.te | 2 +- policy/modules/contrib/ccs.te | 2 +- policy/modules/contrib/cdrecord.te | 2 +- policy/modules/contrib/certmaster.te | 2 +- policy/modules/contrib/certmonger.te | 2 +- policy/modules/contrib/cgroup.te | 6 +++--- policy/modules/contrib/chronyd.te | 2 +- policy/modules/contrib/cipe.te | 2 +- policy/modules/contrib/clamav.te | 6 +++--- policy/modules/contrib/clockspeed.te | 2 +- policy/modules/contrib/clogd.te | 2 +- policy/modules/contrib/cmirrord.te | 2 +- policy/modules/contrib/colord.te | 2 +- policy/modules/contrib/comsat.te | 2 +- policy/modules/contrib/condor.te | 12 ++++++------ policy/modules/contrib/consolekit.te | 2 +- policy/modules/contrib/corosync.te | 4 ++-- policy/modules/contrib/courier.te | 4 ++-- policy/modules/contrib/cron.te | 6 +++--- policy/modules/contrib/cups.te | 10 +++++----- policy/modules/contrib/cvs.te | 2 +- policy/modules/contrib/daemontools.te | 2 +- policy/modules/contrib/dante.te | 2 +- policy/modules/contrib/dbus.te | 2 +- policy/modules/contrib/dcc.te | 4 ++-- policy/modules/contrib/ddcprobe.te | 2 +- policy/modules/contrib/devicekit.te | 4 ++-- policy/modules/contrib/dhcp.te | 2 +- policy/modules/contrib/dictd.te | 2 +- policy/modules/contrib/dnsmasq.te | 2 +- policy/modules/contrib/dovecot.te | 2 +- policy/modules/contrib/dpkg.te | 4 ++-- policy/modules/contrib/evolution.te | 2 +- policy/modules/contrib/exim.te | 2 +- policy/modules/contrib/fail2ban.te | 2 +- policy/modules/contrib/finger.te | 2 +- policy/modules/contrib/ftp.te | 2 +- policy/modules/contrib/gdomap.te | 2 +- policy/modules/contrib/glusterfs.te | 2 +- policy/modules/contrib/gpm.te | 2 +- policy/modules/contrib/gpsd.te | 4 ++-- policy/modules/contrib/hadoop.te | 2 +- policy/modules/contrib/hal.te | 2 +- policy/modules/contrib/ifplugd.te | 2 +- policy/modules/contrib/inetd.te | 4 ++-- policy/modules/contrib/iodine.te | 2 +- policy/modules/contrib/kdump.te | 2 +- policy/modules/contrib/kerberos.te | 4 ++-- policy/modules/contrib/kismet.te | 2 +- policy/modules/contrib/kudzu.te | 2 +- policy/modules/contrib/ldap.te | 2 +- policy/modules/contrib/likewise.te | 4 ++-- policy/modules/contrib/logrotate.te | 2 +- policy/modules/contrib/logwatch.te | 2 +- policy/modules/contrib/lpd.te | 6 +++--- policy/modules/contrib/mailman.te | 2 +- policy/modules/contrib/mailscanner.te | 2 +- policy/modules/contrib/mandb.te | 2 +- policy/modules/contrib/memcached.te | 2 +- policy/modules/contrib/milter.te | 2 +- policy/modules/contrib/minissdpd.te | 2 +- policy/modules/contrib/mozilla.te | 4 ++-- policy/modules/contrib/mrtg.te | 2 +- policy/modules/contrib/mta.te | 2 +- policy/modules/contrib/nagios.te | 8 ++++---- policy/modules/contrib/networkmanager.te | 4 ++-- policy/modules/contrib/nslcd.te | 2 +- policy/modules/contrib/ntop.te | 2 +- policy/modules/contrib/ntp.te | 4 ++-- policy/modules/contrib/nut.te | 2 +- policy/modules/contrib/oddjob.te | 2 +- policy/modules/contrib/oident.te | 2 +- policy/modules/contrib/openvpn.te | 2 +- policy/modules/contrib/openvswitch.te | 2 +- policy/modules/contrib/pacemaker.te | 2 +- policy/modules/contrib/passenger.te | 2 +- policy/modules/contrib/pcmcia.te | 2 +- policy/modules/contrib/pegasus.te | 2 +- policy/modules/contrib/pkcs.te | 2 +- policy/modules/contrib/podsleuth.te | 2 +- policy/modules/contrib/portage.if | 2 +- policy/modules/contrib/portage.te | 4 ++-- policy/modules/contrib/portmap.te | 2 +- policy/modules/contrib/portreserve.te | 2 +- policy/modules/contrib/portslave.te | 2 +- policy/modules/contrib/postfix.te | 8 ++++---- policy/modules/contrib/postfixpolicyd.te | 2 +- policy/modules/contrib/ppp.te | 4 ++-- policy/modules/contrib/procmail.te | 2 +- policy/modules/contrib/psad.te | 2 +- policy/modules/contrib/pulseaudio.te | 2 +- policy/modules/contrib/puppet.te | 4 ++-- policy/modules/contrib/qemu.if | 2 +- policy/modules/contrib/qmail.te | 2 +- policy/modules/contrib/quota.te | 2 +- policy/modules/contrib/radvd.te | 2 +- policy/modules/contrib/raid.te | 2 +- policy/modules/contrib/readahead.te | 2 +- policy/modules/contrib/remotelogin.te | 2 +- policy/modules/contrib/rgmanager.te | 2 +- policy/modules/contrib/rhcs.te | 2 +- policy/modules/contrib/ricci.te | 2 +- policy/modules/contrib/rlogin.te | 2 +- policy/modules/contrib/rpc.te | 4 ++-- policy/modules/contrib/rpm.te | 4 ++-- policy/modules/contrib/rshd.te | 2 +- policy/modules/contrib/rssh.te | 2 +- policy/modules/contrib/rsync.te | 2 +- policy/modules/contrib/samba.te | 8 ++++---- policy/modules/contrib/samhain.te | 2 +- policy/modules/contrib/screen.te | 2 +- policy/modules/contrib/sendmail.te | 2 +- policy/modules/contrib/shorewall.te | 2 +- policy/modules/contrib/slocate.te | 2 +- policy/modules/contrib/smartmon.te | 2 +- policy/modules/contrib/smokeping.te | 2 +- policy/modules/contrib/snmp.te | 2 +- policy/modules/contrib/snort.te | 2 +- policy/modules/contrib/sosreport.te | 2 +- policy/modules/contrib/spamassassin.te | 2 +- policy/modules/contrib/squid.te | 2 +- policy/modules/contrib/sssd.te | 2 +- policy/modules/contrib/sxid.te | 2 +- policy/modules/contrib/systemtap.te | 2 +- policy/modules/contrib/telnet.te | 2 +- policy/modules/contrib/tripwire.te | 2 +- policy/modules/contrib/ulogd.te | 2 +- policy/modules/contrib/userhelper.te | 4 ++-- policy/modules/contrib/usernetctl.te | 2 +- policy/modules/contrib/uucp.te | 4 ++-- policy/modules/contrib/varnishd.te | 2 +- policy/modules/contrib/vbetool.te | 2 +- policy/modules/contrib/vhostmd.te | 2 +- policy/modules/contrib/virt.te | 12 ++++++------ policy/modules/contrib/vlock.te | 2 +- policy/modules/contrib/vmware.te | 4 ++-- policy/modules/contrib/vpn.te | 2 +- policy/modules/contrib/watchdog.te | 2 +- policy/modules/contrib/wdmd.te | 2 +- policy/modules/contrib/xen.te | 4 ++-- policy/modules/contrib/yam.te | 2 +- policy/modules/contrib/zabbix.te | 4 ++-- policy/modules/contrib/zarafa.te | 2 +- policy/modules/contrib/zebra.te | 2 +- 160 files changed, 215 insertions(+), 215 deletions(-) diff --git a/policy/modules/contrib/accountsd.te b/policy/modules/contrib/accountsd.te index 3593510d..d435a2d6 100644 --- a/policy/modules/contrib/accountsd.te +++ b/policy/modules/contrib/accountsd.te @@ -21,7 +21,7 @@ files_type(accountsd_var_lib_t) # Local policy # -allow accountsd_t self:capability { chown dac_override setuid setgid sys_ptrace }; +allow accountsd_t self:capability { chown dac_override setgid setuid sys_ptrace }; allow accountsd_t self:process signal; allow accountsd_t self:fifo_file rw_fifo_file_perms; allow accountsd_t self:passwd { rootok passwd chfn chsh }; diff --git a/policy/modules/contrib/afs.te b/policy/modules/contrib/afs.te index e685b5d3..b95757a5 100644 --- a/policy/modules/contrib/afs.te +++ b/policy/modules/contrib/afs.te @@ -147,7 +147,7 @@ seutil_read_config(afs_bosserver_t) # fileserver local policy # -allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice }; +allow afs_fsserver_t self:capability { chown dac_override fowner kill sys_nice }; dontaudit afs_fsserver_t self:capability fsetid; allow afs_fsserver_t self:process { setsched signal_perms }; allow afs_fsserver_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/aisexec.te b/policy/modules/contrib/aisexec.te index d89a243e..06b61940 100644 --- a/policy/modules/contrib/aisexec.te +++ b/policy/modules/contrib/aisexec.te @@ -32,7 +32,7 @@ files_pid_file(aisexec_var_run_t) # Local policy # -allow aisexec_t self:capability { sys_nice sys_resource ipc_lock ipc_owner }; +allow aisexec_t self:capability { ipc_lock ipc_owner sys_nice sys_resource }; allow aisexec_t self:process { setrlimit setsched signal }; allow aisexec_t self:fifo_file rw_fifo_file_perms; allow aisexec_t self:sem create_sem_perms; diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te index 19046676..f82e39ca 100644 --- a/policy/modules/contrib/alsa.te +++ b/policy/modules/contrib/alsa.te @@ -38,7 +38,7 @@ userdom_user_home_content(alsa_home_t) # Local policy # -allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner }; +allow alsa_t self:capability { dac_override dac_read_search ipc_owner setgid setuid }; dontaudit alsa_t self:capability sys_admin; allow alsa_t self:sem create_sem_perms; allow alsa_t self:shm create_shm_perms; diff --git a/policy/modules/contrib/amanda.te b/policy/modules/contrib/amanda.te index 65fa3975..ecf15211 100644 --- a/policy/modules/contrib/amanda.te +++ b/policy/modules/contrib/amanda.te @@ -59,7 +59,7 @@ optional_policy(` # Local policy # -allow amanda_t self:capability { chown dac_override setuid kill }; +allow amanda_t self:capability { chown dac_override kill setuid }; allow amanda_t self:process { setpgid signal }; allow amanda_t self:fifo_file rw_fifo_file_perms; allow amanda_t self:unix_stream_socket { accept listen }; @@ -141,7 +141,7 @@ logging_send_syslog_msg(amanda_t) # Recover local policy # -allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override }; +allow amanda_recover_t self:capability { chown dac_override fowner fsetid kill setgid setuid }; allow amanda_recover_t self:process { sigkill sigstop signal }; allow amanda_recover_t self:fifo_file rw_fifo_file_perms; allow amanda_recover_t self:unix_stream_socket create_socket_perms; diff --git a/policy/modules/contrib/amavis.te b/policy/modules/contrib/amavis.te index 2f66a812..44913b37 100644 --- a/policy/modules/contrib/amavis.te +++ b/policy/modules/contrib/amavis.te @@ -46,7 +46,7 @@ files_type(amavis_spool_t) # Local policy # -allow amavis_t self:capability { kill chown dac_override setgid setuid }; +allow amavis_t self:capability { chown dac_override kill setgid setuid }; dontaudit amavis_t self:capability sys_tty_config; allow amavis_t self:process signal_perms; allow amavis_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te index 12b80554..2f724b68 100644 --- a/policy/modules/contrib/apache.te +++ b/policy/modules/contrib/apache.te @@ -920,7 +920,7 @@ tunable_policy(`httpd_tty_comm',` # Suexec local policy # -allow httpd_suexec_t self:capability { setuid setgid }; +allow httpd_suexec_t self:capability { setgid setuid }; allow httpd_suexec_t self:process signal_perms; allow httpd_suexec_t self:fifo_file rw_fifo_file_perms; allow httpd_suexec_t self:tcp_socket { accept listen }; diff --git a/policy/modules/contrib/apm.te b/policy/modules/contrib/apm.te index f5692d58..c5647460 100644 --- a/policy/modules/contrib/apm.te +++ b/policy/modules/contrib/apm.te @@ -62,8 +62,8 @@ logging_send_syslog_msg(apm_t) # Server local policy # -allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod }; -dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config }; +allow apmd_t self:capability { kill mknod sys_admin sys_nice sys_time }; +dontaudit apmd_t self:capability { dac_override dac_read_search setuid sys_ptrace sys_tty_config }; allow apmd_t self:process { signal_perms getsession }; allow apmd_t self:fifo_file rw_fifo_file_perms; allow apmd_t self:netlink_socket create_socket_perms; diff --git a/policy/modules/contrib/asterisk.te b/policy/modules/contrib/asterisk.te index db0efef0..9c6a947f 100644 --- a/policy/modules/contrib/asterisk.te +++ b/policy/modules/contrib/asterisk.te @@ -39,7 +39,7 @@ init_daemon_pid_file(asterisk_var_run_t, dir, "asterisk") # Local policy # -allow asterisk_t self:capability { dac_override chown setgid setuid sys_nice net_admin }; +allow asterisk_t self:capability { chown dac_override net_admin setgid setuid sys_nice }; dontaudit asterisk_t self:capability { sys_module sys_tty_config }; allow asterisk_t self:process { getsched setsched signal_perms getcap setcap }; allow asterisk_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/automount.te b/policy/modules/contrib/automount.te index ae421061..09b82b0c 100644 --- a/policy/modules/contrib/automount.te +++ b/policy/modules/contrib/automount.te @@ -33,7 +33,7 @@ files_pid_file(automount_var_run_t) # Local policy # -allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin }; +allow automount_t self:capability { dac_override setgid setuid sys_admin sys_nice sys_resource }; dontaudit automount_t self:capability sys_tty_config; allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit }; allow automount_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te index d5d87ee3..b2e43eed 100644 --- a/policy/modules/contrib/avahi.te +++ b/policy/modules/contrib/avahi.te @@ -27,7 +27,7 @@ files_pid_file(avahi_var_run_t) # Local policy # -allow avahi_t self:capability { dac_override setgid chown fowner kill net_admin net_raw setuid sys_chroot }; +allow avahi_t self:capability { chown dac_override fowner kill net_admin net_raw setgid setuid sys_chroot }; dontaudit avahi_t self:capability sys_tty_config; allow avahi_t self:process { setrlimit signal_perms getcap setcap }; allow avahi_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/bacula.te b/policy/modules/contrib/bacula.te index 2050984c..20b92c3f 100644 --- a/policy/modules/contrib/bacula.te +++ b/policy/modules/contrib/bacula.te @@ -43,7 +43,7 @@ role bacula_admin_roles types bacula_admin_t; # Local policy # -allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid}; +allow bacula_t self:capability { chown dac_override dac_read_search fowner fsetid }; allow bacula_t self:process signal; allow bacula_t self:fifo_file rw_fifo_file_perms; allow bacula_t self:tcp_socket { accept listen }; diff --git a/policy/modules/contrib/bluetooth.te b/policy/modules/contrib/bluetooth.te index ceb79e63..75d739da 100644 --- a/policy/modules/contrib/bluetooth.te +++ b/policy/modules/contrib/bluetooth.te @@ -57,7 +57,7 @@ files_pid_file(bluetooth_var_run_t) # Local policy # -allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_admin sys_tty_config ipc_lock }; +allow bluetooth_t self:capability { dac_override ipc_lock net_admin net_bind_service net_raw setpcap sys_admin sys_tty_config }; dontaudit bluetooth_t self:capability sys_tty_config; allow bluetooth_t self:process { getcap setcap getsched signal_perms }; allow bluetooth_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/boinc.te b/policy/modules/contrib/boinc.te index 64803206..ed1aaf34 100644 --- a/policy/modules/contrib/boinc.te +++ b/policy/modules/contrib/boinc.te @@ -168,7 +168,7 @@ optional_policy(` # Project local policy # -allow boinc_project_t self:capability { setuid setgid }; +allow boinc_project_t self:capability { setgid setuid }; allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal_perms }; manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) diff --git a/policy/modules/contrib/cachefilesd.te b/policy/modules/contrib/cachefilesd.te index 14fcf67c..c92149d1 100644 --- a/policy/modules/contrib/cachefilesd.te +++ b/policy/modules/contrib/cachefilesd.te @@ -27,7 +27,7 @@ role system_r types cachefiles_kernel_t; # Cachefilesd local policy # -allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override }; +allow cachefilesd_t self:capability { dac_override setgid setuid sys_admin }; allow cachefilesd_t cachefiles_kernel_t:kernel_service use_as_override; diff --git a/policy/modules/contrib/callweaver.te b/policy/modules/contrib/callweaver.te index d67ad9b8..f9443343 100644 --- a/policy/modules/contrib/callweaver.te +++ b/policy/modules/contrib/callweaver.te @@ -29,7 +29,7 @@ files_type(callweaver_spool_t) # Local policy # -allow callweaver_t self:capability { setuid sys_nice setgid }; +allow callweaver_t self:capability { setgid setuid sys_nice }; allow callweaver_t self:process { setsched signal }; allow callweaver_t self:fifo_file rw_fifo_file_perms; allow callweaver_t self:tcp_socket { accept listen }; diff --git a/policy/modules/contrib/canna.te b/policy/modules/contrib/canna.te index 6738527a..ea8f64b5 100644 --- a/policy/modules/contrib/canna.te +++ b/policy/modules/contrib/canna.te @@ -26,7 +26,7 @@ files_pid_file(canna_var_run_t) # Local policy # -allow canna_t self:capability { setgid setuid net_bind_service }; +allow canna_t self:capability { net_bind_service setgid setuid }; dontaudit canna_t self:capability sys_tty_config; allow canna_t self:process signal_perms; allow canna_t self:unix_stream_socket { accept connectto listen }; diff --git a/policy/modules/contrib/ccs.te b/policy/modules/contrib/ccs.te index eacec0bf..bc766e74 100644 --- a/policy/modules/contrib/ccs.te +++ b/policy/modules/contrib/ccs.te @@ -35,7 +35,7 @@ files_pid_file(ccs_var_run_t) # Local policy # -allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin }; +allow ccs_t self:capability { ipc_lock ipc_owner sys_admin sys_nice sys_resource }; allow ccs_t self:process { signal setrlimit setsched }; dontaudit ccs_t self:process ptrace; allow ccs_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/cdrecord.te b/policy/modules/contrib/cdrecord.te index 16883c9c..4af7717a 100644 --- a/policy/modules/contrib/cdrecord.te +++ b/policy/modules/contrib/cdrecord.te @@ -29,7 +29,7 @@ role cdrecord_roles types cdrecord_t; # Local policy # -allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio }; +allow cdrecord_t self:capability { dac_override ipc_lock setuid sys_nice sys_rawio }; allow cdrecord_t self:process { getcap getsched setrlimit setsched sigkill }; allow cdrecord_t self:unix_stream_socket { accept listen }; diff --git a/policy/modules/contrib/certmaster.te b/policy/modules/contrib/certmaster.te index 16420ae9..daeb417d 100644 --- a/policy/modules/contrib/certmaster.te +++ b/policy/modules/contrib/certmaster.te @@ -29,7 +29,7 @@ files_pid_file(certmaster_var_run_t) # Local policy # -allow certmaster_t self:capability { dac_read_search dac_override sys_tty_config }; +allow certmaster_t self:capability { dac_override dac_read_search sys_tty_config }; allow certmaster_t self:tcp_socket { accept listen }; list_dirs_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t) diff --git a/policy/modules/contrib/certmonger.te b/policy/modules/contrib/certmonger.te index defc3467..f6c9d20d 100644 --- a/policy/modules/contrib/certmonger.te +++ b/policy/modules/contrib/certmonger.te @@ -23,7 +23,7 @@ files_pid_file(certmonger_var_run_t) # Local policy # -allow certmonger_t self:capability { chown dac_override dac_read_search setgid setuid kill sys_nice }; +allow certmonger_t self:capability { chown dac_override dac_read_search kill setgid setuid sys_nice }; dontaudit certmonger_t self:capability sys_tty_config; allow certmonger_t self:capability2 block_suspend; allow certmonger_t self:process { getsched setsched sigkill signal }; diff --git a/policy/modules/contrib/cgroup.te b/policy/modules/contrib/cgroup.te index 5d600a9f..3599d7a2 100644 --- a/policy/modules/contrib/cgroup.te +++ b/policy/modules/contrib/cgroup.te @@ -40,7 +40,7 @@ files_config_file(cgconfig_etc_t) # cgclear local policy # -allow cgclear_t self:capability { dac_read_search dac_override sys_admin }; +allow cgclear_t self:capability { dac_override dac_read_search sys_admin }; allow cgclear_t cgconfig_etc_t:file read_file_perms; @@ -57,7 +57,7 @@ fs_unmount_cgroup(cgclear_t) # cgconfig local policy # -allow cgconfig_t self:capability { dac_override fowner fsetid chown sys_admin sys_tty_config }; +allow cgconfig_t self:capability { chown dac_override fowner fsetid sys_admin sys_tty_config }; allow cgconfig_t cgconfig_etc_t:file read_file_perms; @@ -77,7 +77,7 @@ fs_unmount_cgroup(cgconfig_t) # cgred local policy # -allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override }; +allow cgred_t self:capability { chown dac_override fsetid net_admin sys_admin sys_ptrace }; allow cgred_t self:netlink_socket { write bind create read }; allow cgred_t self:unix_dgram_socket { write create connect }; diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te index 97c541c6..618f6cf5 100644 --- a/policy/modules/contrib/chronyd.te +++ b/policy/modules/contrib/chronyd.te @@ -35,7 +35,7 @@ files_pid_file(chronyd_var_run_t) # Local policy # -allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time }; +allow chronyd_t self:capability { dac_override ipc_lock setgid setuid sys_resource sys_time }; allow chronyd_t self:process { getcap setcap setrlimit signal }; allow chronyd_t self:shm create_shm_perms; allow chronyd_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/cipe.te b/policy/modules/contrib/cipe.te index e2a5c13c..729d7820 100644 --- a/policy/modules/contrib/cipe.te +++ b/policy/modules/contrib/cipe.te @@ -17,7 +17,7 @@ init_script_file(ciped_initrc_exec_t) # Local policy # -allow ciped_t self:capability { net_admin ipc_lock sys_tty_config }; +allow ciped_t self:capability { ipc_lock net_admin sys_tty_config }; dontaudit ciped_t self:capability sys_tty_config; allow ciped_t self:process signal_perms; allow ciped_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/clamav.te b/policy/modules/contrib/clamav.te index 0940e437..f2664e82 100644 --- a/policy/modules/contrib/clamav.te +++ b/policy/modules/contrib/clamav.te @@ -73,7 +73,7 @@ logging_log_file(freshclam_var_log_t) # Clamd local policy # -allow clamd_t self:capability { kill setgid setuid dac_override }; +allow clamd_t self:capability { dac_override kill setgid setuid }; dontaudit clamd_t self:capability sys_tty_config; allow clamd_t self:process signal; allow clamd_t self:fifo_file rw_fifo_file_perms; @@ -173,7 +173,7 @@ optional_policy(` # Freshclam local policy # -allow freshclam_t self:capability { setgid setuid dac_override }; +allow freshclam_t self:capability { dac_override setgid setuid }; allow freshclam_t self:fifo_file rw_fifo_file_perms; allow freshclam_t self:unix_stream_socket { accept listen }; allow freshclam_t self:tcp_socket { accept listen }; @@ -252,7 +252,7 @@ optional_policy(` # Clamscam local policy # -allow clamscan_t self:capability { setgid setuid dac_override }; +allow clamscan_t self:capability { dac_override setgid setuid }; allow clamscan_t self:fifo_file rw_fifo_file_perms; allow clamscan_t self:unix_stream_socket create_stream_socket_perms; allow clamscan_t self:unix_dgram_socket create_socket_perms; diff --git a/policy/modules/contrib/clockspeed.te b/policy/modules/contrib/clockspeed.te index d3e2a67e..6544d006 100644 --- a/policy/modules/contrib/clockspeed.te +++ b/policy/modules/contrib/clockspeed.te @@ -49,7 +49,7 @@ userdom_use_user_terminals(clockspeed_cli_t) # Server local policy # -allow clockspeed_srv_t self:capability { sys_time net_bind_service }; +allow clockspeed_srv_t self:capability { net_bind_service sys_time }; allow clockspeed_srv_t self:udp_socket create_socket_perms; allow clockspeed_srv_t self:unix_dgram_socket create_socket_perms; allow clockspeed_srv_t self:unix_stream_socket create_socket_perms; diff --git a/policy/modules/contrib/clogd.te b/policy/modules/contrib/clogd.te index 356ef465..b9a57b18 100644 --- a/policy/modules/contrib/clogd.te +++ b/policy/modules/contrib/clogd.te @@ -20,7 +20,7 @@ files_pid_file(clogd_var_run_t) # Local policy # -allow clogd_t self:capability { net_admin mknod }; +allow clogd_t self:capability { mknod net_admin }; allow clogd_t self:process signal; allow clogd_t self:sem create_sem_perms; allow clogd_t self:shm create_shm_perms; diff --git a/policy/modules/contrib/cmirrord.te b/policy/modules/contrib/cmirrord.te index d916d65c..ece1a1ce 100644 --- a/policy/modules/contrib/cmirrord.te +++ b/policy/modules/contrib/cmirrord.te @@ -23,7 +23,7 @@ files_pid_file(cmirrord_var_run_t) # Local policy # -allow cmirrord_t self:capability { net_admin kill }; +allow cmirrord_t self:capability { kill net_admin }; dontaudit cmirrord_t self:capability sys_tty_config; allow cmirrord_t self:process { setfscreate signal }; allow cmirrord_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/colord.te b/policy/modules/contrib/colord.te index b7a2b96f..0236b279 100644 --- a/policy/modules/contrib/colord.te +++ b/policy/modules/contrib/colord.te @@ -23,7 +23,7 @@ files_type(colord_var_lib_t) # Local policy # -allow colord_t self:capability { dac_read_search dac_override }; +allow colord_t self:capability { dac_override dac_read_search }; dontaudit colord_t self:capability sys_admin; allow colord_t self:process signal; allow colord_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/comsat.te b/policy/modules/contrib/comsat.te index c63cf855..9b7b3706 100644 --- a/policy/modules/contrib/comsat.te +++ b/policy/modules/contrib/comsat.te @@ -20,7 +20,7 @@ files_pid_file(comsat_var_run_t) # Local policy # -allow comsat_t self:capability { setuid setgid }; +allow comsat_t self:capability { setgid setuid }; allow comsat_t self:process signal_perms; allow comsat_t self:fifo_file rw_fifo_file_perms; allow comsat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; diff --git a/policy/modules/contrib/condor.te b/policy/modules/contrib/condor.te index 33937669..fbb70249 100644 --- a/policy/modules/contrib/condor.te +++ b/policy/modules/contrib/condor.te @@ -130,7 +130,7 @@ optional_policy(` # Master local policy # -allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace }; +allow condor_master_t self:capability { dac_override setgid setuid sys_ptrace }; allow condor_master_t condor_domain:process { sigkill signal }; @@ -167,7 +167,7 @@ optional_policy(` # Collector local policy # -allow condor_collector_t self:capability { setuid setgid }; +allow condor_collector_t self:capability { setgid setuid }; allow condor_collector_t condor_master_t:tcp_socket rw_stream_socket_perms; allow condor_collector_t condor_master_t:udp_socket rw_socket_perms; @@ -179,7 +179,7 @@ kernel_read_network_state(condor_collector_t) # Negotiator local policy # -allow condor_negotiator_t self:capability { setuid setgid }; +allow condor_negotiator_t self:capability { setgid setuid }; allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms; allow condor_negotiator_t condor_master_t:udp_socket getattr; @@ -188,7 +188,7 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr; # Procd local policy # -allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace }; +allow condor_procd_t self:capability { chown dac_override fowner kill sys_ptrace }; allow condor_procd_t condor_domain:process sigkill; @@ -199,7 +199,7 @@ domain_read_all_domains_state(condor_procd_t) # Schedd local policy # -allow condor_schedd_t self:capability { setuid chown setgid dac_override }; +allow condor_schedd_t self:capability { chown dac_override setgid setuid }; allow condor_schedd_t condor_master_t:tcp_socket rw_stream_socket_perms; allow condor_schedd_t condor_master_t:udp_socket getattr; @@ -219,7 +219,7 @@ files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir }) # Startd local policy # -allow condor_startd_t self:capability { setuid net_admin setgid dac_override }; +allow condor_startd_t self:capability { dac_override net_admin setgid setuid }; allow condor_startd_t self:process execmem; manage_dirs_pattern(condor_startd_t, condor_startd_tmp_t, condor_startd_tmp_t) diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te index 5b11390c..a2a51ba8 100644 --- a/policy/modules/contrib/consolekit.te +++ b/policy/modules/contrib/consolekit.te @@ -27,7 +27,7 @@ init_daemon_pid_file(consolekit_var_run_t, dir, "ConsoleKit") # Local policy # -allow consolekit_t self:capability { chown fowner setuid setgid sys_admin sys_tty_config dac_override sys_nice sys_ptrace }; +allow consolekit_t self:capability { chown dac_override fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config }; allow consolekit_t self:process { getsched signal setfscreate }; allow consolekit_t self:fifo_file rw_fifo_file_perms; allow consolekit_t self:unix_stream_socket { accept listen }; diff --git a/policy/modules/contrib/corosync.te b/policy/modules/contrib/corosync.te index 43ec8c61..771582f0 100644 --- a/policy/modules/contrib/corosync.te +++ b/policy/modules/contrib/corosync.te @@ -33,9 +33,9 @@ files_pid_file(corosync_var_run_t) # Local policy # -allow corosync_t self:capability { dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock }; +allow corosync_t self:capability { dac_override fowner ipc_lock setgid setuid sys_admin sys_nice sys_resource }; # for hearbeat -allow corosync_t self:capability { net_raw chown }; +allow corosync_t self:capability { chown net_raw }; allow corosync_t self:process { setpgid setrlimit setsched signal signull }; allow corosync_t self:fifo_file rw_fifo_file_perms; allow corosync_t self:sem create_sem_perms; diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te index 35ba8d89..176bd5c2 100644 --- a/policy/modules/contrib/courier.te +++ b/policy/modules/contrib/courier.te @@ -85,7 +85,7 @@ optional_policy(` # Authdaemon local policy # -allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config }; +allow courier_authdaemon_t self:capability { setgid setuid sys_tty_config }; allow courier_authdaemon_t self:unix_stream_socket { accept connectto listen }; create_dirs_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t) @@ -123,7 +123,7 @@ userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t) # Calendar (PCP) local policy # -allow courier_pcp_t self:capability { setuid setgid }; +allow courier_pcp_t self:capability { setgid setuid }; dev_read_rand(courier_pcp_t) diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te index 1c6f3867..905deb16 100644 --- a/policy/modules/contrib/cron.te +++ b/policy/modules/contrib/cron.te @@ -141,7 +141,7 @@ ifdef(`enable_mcs',` # Common crontab local policy # -allow crontab_domain self:capability { fowner setuid setgid chown dac_override }; +allow crontab_domain self:capability { chown dac_override fowner setgid setuid }; allow crontab_domain self:process { getcap setsched signal_perms }; allow crontab_domain self:fifo_file rw_fifo_file_perms; @@ -217,7 +217,7 @@ tunable_policy(`fcron_crond',` # Daemon local policy # -allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search }; +allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice }; dontaudit crond_t self:capability { sys_resource sys_tty_config }; allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; allow crond_t self:process { setexec setfscreate }; @@ -425,7 +425,7 @@ optional_policy(` # System local policy # -allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice }; +allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_bind_service setgid setuid sys_nice }; allow system_cronjob_t self:process { signal_perms getsched setsched }; allow system_cronjob_t self:fd use; allow system_cronjob_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te index c90e2120..8fdd713f 100644 --- a/policy/modules/contrib/cups.te +++ b/policy/modules/contrib/cups.te @@ -109,8 +109,8 @@ ifdef(`enable_mls',` # Cups local policy # -allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config }; -dontaudit cupsd_t self:capability { sys_tty_config net_admin }; +allow cupsd_t self:capability { chown dac_override dac_override dac_read_search fowner fsetid ipc_lock kill setgid setuid sys_admin sys_rawio sys_resource sys_tty_config }; +dontaudit cupsd_t self:capability { net_admin sys_tty_config }; allow cupsd_t self:capability2 block_suspend; allow cupsd_t self:process { getpgid setpgid setsched signal_perms }; allow cupsd_t self:fifo_file rw_fifo_file_perms; @@ -357,7 +357,7 @@ optional_policy(` # Configuration daemon local policy # -allow cupsd_config_t self:capability { chown dac_override sys_tty_config setuid setgid }; +allow cupsd_config_t self:capability { chown dac_override setgid setuid sys_tty_config }; dontaudit cupsd_config_t self:capability sys_tty_config; allow cupsd_config_t self:process { getsched signal_perms }; allow cupsd_config_t self:fifo_file rw_fifo_file_perms; @@ -500,7 +500,7 @@ optional_policy(` # Lpd local policy # -allow cupsd_lpd_t self:capability { setuid setgid }; +allow cupsd_lpd_t self:capability { setgid setuid }; allow cupsd_lpd_t self:process signal_perms; allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms; allow cupsd_lpd_t self:tcp_socket { accept listen }; @@ -562,7 +562,7 @@ optional_policy(` # Pdf local policy # -allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; +allow cups_pdf_t self:capability { chown dac_override fowner fsetid setgid setuid }; allow cups_pdf_t self:fifo_file rw_fifo_file_perms; allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; diff --git a/policy/modules/contrib/cvs.te b/policy/modules/contrib/cvs.te index ab055c99..f090b62a 100644 --- a/policy/modules/contrib/cvs.te +++ b/policy/modules/contrib/cvs.te @@ -39,7 +39,7 @@ files_pid_file(cvs_var_run_t) # Local policy # -allow cvs_t self:capability { setuid setgid }; +allow cvs_t self:capability { setgid setuid }; allow cvs_t self:process signal_perms; allow cvs_t self:fifo_file rw_fifo_file_perms; allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms; diff --git a/policy/modules/contrib/daemontools.te b/policy/modules/contrib/daemontools.te index 78a01e75..d355befc 100644 --- a/policy/modules/contrib/daemontools.te +++ b/policy/modules/contrib/daemontools.te @@ -55,7 +55,7 @@ logging_manage_generic_logs(svc_multilog_t) # ie. softlimit, setuidgid, envuidgid, envdir, fghack .. # -allow svc_run_t self:capability { setgid setuid chown fsetid sys_resource }; +allow svc_run_t self:capability { chown fsetid setgid setuid sys_resource }; allow svc_run_t self:process setrlimit; allow svc_run_t self:fifo_file rw_fifo_file_perms; allow svc_run_t self:unix_stream_socket create_stream_socket_perms; diff --git a/policy/modules/contrib/dante.te b/policy/modules/contrib/dante.te index 4ed8790f..124f2c58 100644 --- a/policy/modules/contrib/dante.te +++ b/policy/modules/contrib/dante.te @@ -23,7 +23,7 @@ files_pid_file(dante_var_run_t) # Local policy # -allow dante_t self:capability { setuid setgid }; +allow dante_t self:capability { setgid setuid }; dontaudit dante_t self:capability sys_tty_config; allow dante_t self:process signal_perms; allow dante_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te index 42c7d4fe..78de2022 100644 --- a/policy/modules/contrib/dbus.te +++ b/policy/modules/contrib/dbus.te @@ -60,7 +60,7 @@ ifdef(`enable_mls',` # Local policy # -allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid }; +allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_resource }; dontaudit system_dbusd_t self:capability sys_tty_config; allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit }; allow system_dbusd_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/dcc.te b/policy/modules/contrib/dcc.te index 0a6abd4b..9b1c25e7 100644 --- a/policy/modules/contrib/dcc.te +++ b/policy/modules/contrib/dcc.te @@ -82,7 +82,7 @@ files_pid_file(dccm_var_run_t) # Daemon controller local policy # -allow cdcc_t self:capability { setuid setgid }; +allow cdcc_t self:capability { setgid setuid }; manage_dirs_pattern(cdcc_t, cdcc_tmp_t, cdcc_tmp_t) manage_files_pattern(cdcc_t, cdcc_tmp_t, cdcc_tmp_t) @@ -109,7 +109,7 @@ userdom_use_user_terminals(cdcc_t) # Procmail interface local policy # -allow dcc_client_t self:capability { setuid setgid }; +allow dcc_client_t self:capability { setgid setuid }; allow dcc_client_t dcc_client_map_t:file rw_file_perms; diff --git a/policy/modules/contrib/ddcprobe.te b/policy/modules/contrib/ddcprobe.te index 8fa4bb99..8d1263ae 100644 --- a/policy/modules/contrib/ddcprobe.te +++ b/policy/modules/contrib/ddcprobe.te @@ -18,7 +18,7 @@ role ddcprobe_roles types ddcprobe_t; # Local policy # -allow ddcprobe_t self:capability { sys_rawio sys_admin }; +allow ddcprobe_t self:capability { sys_admin sys_rawio }; allow ddcprobe_t self:process execmem; kernel_read_system_state(ddcprobe_t) diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te index a5926c4a..82ce25c3 100644 --- a/policy/modules/contrib/devicekit.te +++ b/policy/modules/contrib/devicekit.te @@ -64,7 +64,7 @@ optional_policy(` # Disk local policy # -allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio }; +allow devicekit_disk_t self:capability { chown dac_override fowner fsetid net_admin setgid setuid sys_admin sys_nice sys_ptrace sys_rawio }; allow devicekit_disk_t self:process { getsched signal_perms }; allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -197,7 +197,7 @@ optional_policy(` # Power local policy # -allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace }; +allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_nice sys_ptrace sys_tty_config }; allow devicekit_power_t self:capability2 wake_alarm; allow devicekit_power_t self:process { getsched signal_perms }; allow devicekit_power_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/dhcp.te b/policy/modules/contrib/dhcp.te index a5f6ecd8..2fbf84ed 100644 --- a/policy/modules/contrib/dhcp.te +++ b/policy/modules/contrib/dhcp.te @@ -37,7 +37,7 @@ files_pid_file(dhcpd_var_run_t) # Local policy # -allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid sys_resource }; +allow dhcpd_t self:capability { chown dac_override net_raw setgid setuid sys_chroot sys_resource }; dontaudit dhcpd_t self:capability { net_admin sys_tty_config }; allow dhcpd_t self:process { getcap setcap signal_perms }; allow dhcpd_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/dictd.te b/policy/modules/contrib/dictd.te index 74b38850..c390b549 100644 --- a/policy/modules/contrib/dictd.te +++ b/policy/modules/contrib/dictd.te @@ -26,7 +26,7 @@ files_pid_file(dictd_var_run_t) # Local policy # -allow dictd_t self:capability { setuid setgid }; +allow dictd_t self:capability { setgid setuid }; dontaudit dictd_t self:capability sys_tty_config; allow dictd_t self:process { signal_perms setpgid }; allow dictd_t self:unix_stream_socket { accept listen }; diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te index 23fdaa0d..ee961ce2 100644 --- a/policy/modules/contrib/dnsmasq.te +++ b/policy/modules/contrib/dnsmasq.te @@ -32,7 +32,7 @@ files_pid_file(dnsmasq_var_run_t) # Local policy # -allow dnsmasq_t self:capability { chown dac_override net_admin setgid setuid net_raw }; +allow dnsmasq_t self:capability { chown dac_override net_admin net_raw setgid setuid }; dontaudit dnsmasq_t self:capability sys_tty_config; allow dnsmasq_t self:process { getcap setcap signal_perms }; allow dnsmasq_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te index fcfcf3c2..1701e3f0 100644 --- a/policy/modules/contrib/dovecot.te +++ b/policy/modules/contrib/dovecot.te @@ -92,7 +92,7 @@ miscfiles_read_localization(dovecot_domain) # Local policy # -allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill setgid setuid sys_chroot }; +allow dovecot_t self:capability { chown dac_override dac_read_search fsetid kill setgid setuid sys_chroot }; dontaudit dovecot_t self:capability sys_tty_config; allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched }; allow dovecot_t self:tcp_socket { accept listen }; diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te index 9bb9d6f6..84dd6ba1 100644 --- a/policy/modules/contrib/dpkg.te +++ b/policy/modules/contrib/dpkg.te @@ -49,7 +49,7 @@ files_tmpfs_file(dpkg_script_tmpfs_t) # Local policy # -allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable }; +allow dpkg_t self:capability { chown dac_override fowner fsetid kill linux_immutable mknod setgid setuid sys_nice sys_resource sys_tty_config }; allow dpkg_t self:process { setpgid fork getsched setfscreate }; allow dpkg_t self:fd use; allow dpkg_t self:fifo_file rw_fifo_file_perms; @@ -202,7 +202,7 @@ optional_policy(` # Script Local policy # -allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill }; +allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod setgid setuid sys_chroot sys_nice }; allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow dpkg_script_t self:fd use; allow dpkg_script_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te index b2376d6d..d717829a 100644 --- a/policy/modules/contrib/evolution.te +++ b/policy/modules/contrib/evolution.te @@ -110,7 +110,7 @@ userdom_user_tmpfs_file(evolution_webcal_tmpfs_t) # Local policy # -allow evolution_t self:capability { setuid setgid sys_nice }; +allow evolution_t self:capability { setgid setuid sys_nice }; allow evolution_t self:process { signal getsched setsched }; allow evolution_t self:fifo_file rw_file_perms; diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te index 97dff0ac..66421ff3 100644 --- a/policy/modules/contrib/exim.te +++ b/policy/modules/contrib/exim.te @@ -73,7 +73,7 @@ ifdef(`distro_debian',` # Local policy # -allow exim_t self:capability { chown dac_override fowner setuid setgid sys_resource }; +allow exim_t self:capability { chown dac_override fowner setgid setuid sys_resource }; allow exim_t self:process { setrlimit setpgid }; allow exim_t self:fifo_file rw_fifo_file_perms; allow exim_t self:unix_stream_socket { accept listen }; diff --git a/policy/modules/contrib/fail2ban.te b/policy/modules/contrib/fail2ban.te index 6f34502d..215d0935 100644 --- a/policy/modules/contrib/fail2ban.te +++ b/policy/modules/contrib/fail2ban.te @@ -36,7 +36,7 @@ role fail2ban_client_roles types fail2ban_client_t; # Server Local policy # -allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config }; +allow fail2ban_t self:capability { dac_override dac_read_search sys_tty_config }; allow fail2ban_t self:process signal; allow fail2ban_t self:fifo_file rw_fifo_file_perms; allow fail2ban_t self:unix_stream_socket { accept connectto listen }; diff --git a/policy/modules/contrib/finger.te b/policy/modules/contrib/finger.te index 0de8ac23..d7fdd5eb 100644 --- a/policy/modules/contrib/finger.te +++ b/policy/modules/contrib/finger.te @@ -25,7 +25,7 @@ files_pid_file(fingerd_var_run_t) # allow fingerd_t self:capability { setgid setuid }; -dontaudit fingerd_t self:capability { sys_tty_config fsetid }; +dontaudit fingerd_t self:capability { fsetid sys_tty_config }; allow fingerd_t self:process signal_perms; allow fingerd_t self:fifo_file rw_fifo_file_perms; allow fingerd_t self:tcp_socket connected_stream_socket_perms; diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te index faf6863a..7e81e249 100644 --- a/policy/modules/contrib/ftp.te +++ b/policy/modules/contrib/ftp.te @@ -170,7 +170,7 @@ ifdef(`enable_mls',` # Local policy # -allow ftpd_t self:capability { chown fowner fsetid ipc_lock kill setgid setuid sys_chroot sys_admin sys_nice sys_resource }; +allow ftpd_t self:capability { chown fowner fsetid ipc_lock kill setgid setuid sys_admin sys_chroot sys_nice sys_resource }; dontaudit ftpd_t self:capability sys_tty_config; allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms }; allow ftpd_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/gdomap.te b/policy/modules/contrib/gdomap.te index 3227543f..e710d356 100644 --- a/policy/modules/contrib/gdomap.te +++ b/policy/modules/contrib/gdomap.te @@ -23,7 +23,7 @@ files_pid_file(gdomap_var_run_t) # Local policy # -allow gdomap_t self:capability { setuid sys_chroot net_bind_service setgid }; +allow gdomap_t self:capability { net_bind_service setgid setuid sys_chroot }; allow gdomap_t self:tcp_socket { listen accept }; allow gdomap_t gdomap_var_run_t:file manage_file_perms; diff --git a/policy/modules/contrib/glusterfs.te b/policy/modules/contrib/glusterfs.te index 83a5806a..07bd10d7 100644 --- a/policy/modules/contrib/glusterfs.te +++ b/policy/modules/contrib/glusterfs.te @@ -32,7 +32,7 @@ files_type(glusterd_var_lib_t) # Local policy # -allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner }; +allow glusterd_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_resource }; allow glusterd_t self:process { setrlimit signal }; allow glusterd_t self:fifo_file rw_fifo_file_perms; allow glusterd_t self:tcp_socket { accept listen }; diff --git a/policy/modules/contrib/gpm.te b/policy/modules/contrib/gpm.te index 5cbfa3a6..4e2b5f9c 100644 --- a/policy/modules/contrib/gpm.te +++ b/policy/modules/contrib/gpm.te @@ -29,7 +29,7 @@ files_type(gpmctl_t) # Local policy # -allow gpm_t self:capability { setpcap setuid dac_override sys_admin sys_tty_config }; +allow gpm_t self:capability { dac_override setpcap setuid sys_admin sys_tty_config }; allow gpm_t self:process { signal signull getcap setcap }; allow gpm_t self:unix_stream_socket { accept listen }; diff --git a/policy/modules/contrib/gpsd.te b/policy/modules/contrib/gpsd.te index bd09110f..6f4e8b79 100644 --- a/policy/modules/contrib/gpsd.te +++ b/policy/modules/contrib/gpsd.te @@ -27,8 +27,8 @@ files_pid_file(gpsd_var_run_t) # Local policy # -allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config }; -dontaudit gpsd_t self:capability { dac_read_search dac_override }; +allow gpsd_t self:capability { fowner fsetid setgid setuid sys_nice sys_time sys_tty_config }; +dontaudit gpsd_t self:capability { dac_override dac_read_search }; allow gpsd_t self:process { setsched signal_perms }; allow gpsd_t self:shm create_shm_perms; allow gpsd_t self:unix_dgram_socket sendto; diff --git a/policy/modules/contrib/hadoop.te b/policy/modules/contrib/hadoop.te index f22683e3..9f333bfd 100644 --- a/policy/modules/contrib/hadoop.te +++ b/policy/modules/contrib/hadoop.te @@ -246,7 +246,7 @@ optional_policy(` # Common hadoop_initrc_domain local policy # -allow hadoop_initrc_domain self:capability { setuid setgid }; +allow hadoop_initrc_domain self:capability { setgid setuid }; dontaudit hadoop_initrc_domain self:capability sys_tty_config; allow hadoop_initrc_domain self:process setsched; allow hadoop_initrc_domain self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te index d3296e28..31035d15 100644 --- a/policy/modules/contrib/hal.te +++ b/policy/modules/contrib/hal.te @@ -72,7 +72,7 @@ hal_stream_connect(hald_domain) # Local policy # -allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config }; +allow hald_t self:capability { chown dac_override dac_read_search kill mknod net_admin setgid setuid sys_admin sys_nice sys_rawio sys_tty_config }; dontaudit hald_t self:capability { sys_ptrace sys_tty_config }; allow hald_t self:process { getsched getattr signal_perms }; allow hald_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/ifplugd.te b/policy/modules/contrib/ifplugd.te index addcca5a..4f1223db 100644 --- a/policy/modules/contrib/ifplugd.te +++ b/policy/modules/contrib/ifplugd.te @@ -23,7 +23,7 @@ files_pid_file(ifplugd_var_run_t) # Local policy # -allow ifplugd_t self:capability { net_admin sys_nice net_bind_service }; +allow ifplugd_t self:capability { net_admin net_bind_service sys_nice }; dontaudit ifplugd_t self:capability sys_tty_config; allow ifplugd_t self:process { signal signull }; allow ifplugd_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/inetd.te b/policy/modules/contrib/inetd.te index 1974c112..66c15680 100644 --- a/policy/modules/contrib/inetd.te +++ b/policy/modules/contrib/inetd.te @@ -37,7 +37,7 @@ ifdef(`enable_mcs',` # Local policy # -allow inetd_t self:capability { setuid setgid sys_resource }; +allow inetd_t self:capability { setgid setuid sys_resource }; dontaudit inetd_t self:capability sys_tty_config; allow inetd_t self:process { setsched setexec setrlimit }; allow inetd_t self:fifo_file rw_fifo_file_perms; @@ -204,7 +204,7 @@ optional_policy(` # Child local policy # -allow inetd_child_t self:capability { setuid setgid }; +allow inetd_child_t self:capability { setgid setuid }; allow inetd_child_t self:process signal_perms; allow inetd_child_t self:fifo_file rw_fifo_file_perms; allow inetd_child_t self:tcp_socket { accept listen }; diff --git a/policy/modules/contrib/iodine.te b/policy/modules/contrib/iodine.te index 6eb84095..c35fc069 100644 --- a/policy/modules/contrib/iodine.te +++ b/policy/modules/contrib/iodine.te @@ -17,7 +17,7 @@ init_script_file(iodined_initrc_exec_t) # Local policy # -allow iodined_t self:capability { net_admin net_raw sys_chroot setgid setuid }; +allow iodined_t self:capability { net_admin net_raw setgid setuid sys_chroot }; allow iodined_t self:rawip_socket create_socket_perms; allow iodined_t self:tun_socket create_socket_perms; allow iodined_t self:udp_socket connected_socket_perms; diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te index e758c15f..9981dc55 100644 --- a/policy/modules/contrib/kdump.te +++ b/policy/modules/contrib/kdump.te @@ -31,7 +31,7 @@ files_tmp_file(kdumpctl_tmp_t) # Local policy # -allow kdump_t self:capability { sys_boot dac_override }; +allow kdump_t self:capability { dac_override sys_boot }; allow kdump_t kdump_etc_t:file read_file_perms; diff --git a/policy/modules/contrib/kerberos.te b/policy/modules/contrib/kerberos.te index 38532d33..d226156e 100644 --- a/policy/modules/contrib/kerberos.te +++ b/policy/modules/contrib/kerberos.te @@ -74,7 +74,7 @@ files_pid_file(krb5kdc_var_run_t) # kadmind local policy # -allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice }; +allow kadmind_t self:capability { chown dac_override fowner setgid setuid sys_nice }; dontaudit kadmind_t self:capability sys_tty_config; allow kadmind_t self:capability2 block_suspend; allow kadmind_t self:process { setfscreate setsched getsched signal_perms }; @@ -174,7 +174,7 @@ optional_policy(` # Krb5kdc local policy # -allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice }; +allow krb5kdc_t self:capability { chown dac_override fowner net_admin setgid setuid sys_nice }; dontaudit krb5kdc_t self:capability sys_tty_config; allow krb5kdc_t self:capability2 block_suspend; allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms }; diff --git a/policy/modules/contrib/kismet.te b/policy/modules/contrib/kismet.te index 30c8c689..a581ece2 100644 --- a/policy/modules/contrib/kismet.te +++ b/policy/modules/contrib/kismet.te @@ -38,7 +38,7 @@ files_pid_file(kismet_var_run_t) # Local policy # -allow kismet_t self:capability { dac_override kill net_admin net_raw setuid setgid }; +allow kismet_t self:capability { dac_override kill net_admin net_raw setgid setuid }; allow kismet_t self:process signal_perms; allow kismet_t self:fifo_file rw_fifo_file_perms; allow kismet_t self:packet_socket create_socket_perms; diff --git a/policy/modules/contrib/kudzu.te b/policy/modules/contrib/kudzu.te index 4116d008..00b43648 100644 --- a/policy/modules/contrib/kudzu.te +++ b/policy/modules/contrib/kudzu.te @@ -26,7 +26,7 @@ files_pid_file(kudzu_var_run_t) # Local policy # -allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod }; +allow kudzu_t self:capability { dac_override mknod net_admin sys_admin sys_rawio sys_tty_config }; dontaudit kudzu_t self:capability sys_tty_config; allow kudzu_t self:process { signal_perms execmem }; allow kudzu_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te index b740c730..023884ab 100644 --- a/policy/modules/contrib/ldap.te +++ b/policy/modules/contrib/ldap.te @@ -50,7 +50,7 @@ files_pid_file(slapd_var_run_t) # Local policy # -allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search }; +allow slapd_t self:capability { dac_override dac_read_search kill net_raw setgid setuid }; dontaudit slapd_t self:capability sys_tty_config; allow slapd_t self:process setsched; allow slapd_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/likewise.te b/policy/modules/contrib/likewise.te index 58c05712..21d18a3c 100644 --- a/policy/modules/contrib/likewise.te +++ b/policy/modules/contrib/likewise.te @@ -102,7 +102,7 @@ corenet_tcp_sendrecv_epmap_port(eventlogd_t) # lsassd local policy # -allow lsassd_t self:capability { fowner chown fsetid dac_override sys_time }; +allow lsassd_t self:capability { chown dac_override fowner fsetid sys_time }; allow lsassd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms; @@ -165,7 +165,7 @@ optional_policy(` # lwiod local policy # -allow lwiod_t self:capability { fowner chown fsetid dac_override sys_resource }; +allow lwiod_t self:capability { chown dac_override fowner fsetid sys_resource }; allow lwiod_t self:process setrlimit; allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms; diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te index e2daa42d..1179568b 100644 --- a/policy/modules/contrib/logrotate.te +++ b/policy/modules/contrib/logrotate.te @@ -36,7 +36,7 @@ role system_r types logrotate_mail_t; # Local policy # -allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice }; +allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource }; allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap }; allow logrotate_t self:fd use; allow logrotate_t self:key manage_key_perms; diff --git a/policy/modules/contrib/logwatch.te b/policy/modules/contrib/logwatch.te index 353a5311..24f1c17b 100644 --- a/policy/modules/contrib/logwatch.te +++ b/policy/modules/contrib/logwatch.te @@ -173,7 +173,7 @@ optional_policy(` # Mail local policy # -allow logwatch_mail_t self:capability { dac_read_search dac_override }; +allow logwatch_mail_t self:capability { dac_override dac_read_search }; allow logwatch_mail_t logwatch_t:fd use; allow logwatch_mail_t logwatch_t:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/lpd.te b/policy/modules/contrib/lpd.te index fc70ff9e..8ebe2435 100644 --- a/policy/modules/contrib/lpd.te +++ b/policy/modules/contrib/lpd.te @@ -62,7 +62,7 @@ files_config_file(printconf_t) # Checkpc local policy # -allow checkpc_t self:capability { setgid setuid dac_override }; +allow checkpc_t self:capability { dac_override setgid setuid }; allow checkpc_t self:process signal_perms; allow checkpc_t self:unix_stream_socket create_socket_perms; allow checkpc_t self:tcp_socket create_socket_perms; @@ -126,7 +126,7 @@ optional_policy(` # Lpd local policy # -allow lpd_t self:capability { setgid setuid dac_read_search dac_override chown fowner }; +allow lpd_t self:capability { chown dac_override dac_read_search fowner setgid setuid }; dontaudit lpd_t self:capability sys_tty_config; allow lpd_t self:process signal_perms; allow lpd_t self:fifo_file rw_fifo_file_perms; @@ -214,7 +214,7 @@ optional_policy(` # Lpr local policy # -allow lpr_t self:capability { setuid dac_override net_bind_service chown }; +allow lpr_t self:capability { chown dac_override net_bind_service setuid }; allow lpr_t self:unix_stream_socket { accept listen }; allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms }; diff --git a/policy/modules/contrib/mailman.te b/policy/modules/contrib/mailman.te index 46d98e79..7421ce3a 100644 --- a/policy/modules/contrib/mailman.te +++ b/policy/modules/contrib/mailman.te @@ -115,7 +115,7 @@ optional_policy(` # Mail local policy # -allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config }; +allow mailman_mail_t self:capability { dac_override kill setgid setuid sys_tty_config }; allow mailman_mail_t self:process { signal signull }; manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) diff --git a/policy/modules/contrib/mailscanner.te b/policy/modules/contrib/mailscanner.te index 14840eda..d8dcb317 100644 --- a/policy/modules/contrib/mailscanner.te +++ b/policy/modules/contrib/mailscanner.te @@ -29,7 +29,7 @@ files_pid_file(mscan_var_run_t) # Local policy # -allow mscan_t self:capability { setuid chown setgid dac_override }; +allow mscan_t self:capability { chown dac_override setgid setuid }; allow mscan_t self:process signal; allow mscan_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te index ce0ac3c8..142e7e07 100644 --- a/policy/modules/contrib/mandb.te +++ b/policy/modules/contrib/mandb.te @@ -21,7 +21,7 @@ init_unit_file(mandb_unit_t) # Local policy # -allow mandb_t self:capability { setuid setgid }; +allow mandb_t self:capability { setgid setuid }; allow mandb_t self:process { setsched signal }; allow mandb_t self:fifo_file rw_fifo_file_perms; allow mandb_t self:unix_stream_socket create_stream_socket_perms; diff --git a/policy/modules/contrib/memcached.te b/policy/modules/contrib/memcached.te index 570035ef..c90c632f 100644 --- a/policy/modules/contrib/memcached.te +++ b/policy/modules/contrib/memcached.te @@ -20,7 +20,7 @@ files_pid_file(memcached_var_run_t) # Local policy # -allow memcached_t self:capability { setuid setgid }; +allow memcached_t self:capability { setgid setuid }; dontaudit memcached_t self:capability sys_tty_config; allow memcached_t self:process { setrlimit signal_perms }; allow memcached_t self:tcp_socket { accept listen }; diff --git a/policy/modules/contrib/milter.te b/policy/modules/contrib/milter.te index c25488c9..7c4b347d 100644 --- a/policy/modules/contrib/milter.te +++ b/policy/modules/contrib/milter.te @@ -82,7 +82,7 @@ optional_policy(` # regex local policy # -allow regex_milter_t self:capability { setuid setgid dac_override }; +allow regex_milter_t self:capability { dac_override setgid setuid }; files_search_spool(regex_milter_t) diff --git a/policy/modules/contrib/minissdpd.te b/policy/modules/contrib/minissdpd.te index f1a37029..d16cdb1b 100644 --- a/policy/modules/contrib/minissdpd.te +++ b/policy/modules/contrib/minissdpd.te @@ -23,7 +23,7 @@ files_pid_file(minissdpd_var_run_t) # Local policy # -allow minissdpd_t self:capability { sys_module net_admin }; +allow minissdpd_t self:capability { net_admin sys_module }; allow minissdpd_t self:netlink_route_socket r_netlink_socket_perms; allow minissdpd_t self:udp_socket create_socket_perms; allow minissdpd_t self:unix_dgram_socket create_socket_perms; diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te index fa651ed4..85d6bda1 100644 --- a/policy/modules/contrib/mozilla.te +++ b/policy/modules/contrib/mozilla.te @@ -81,7 +81,7 @@ userdom_user_tmpfs_file(mozilla_tmpfs_t) # Local policy # -allow mozilla_t self:capability { sys_nice setgid setuid }; +allow mozilla_t self:capability { setgid setuid sys_nice }; allow mozilla_t self:process { sigkill signal setsched getsched setrlimit }; allow mozilla_t self:fifo_file rw_fifo_file_perms; allow mozilla_t self:shm create_shm_perms; @@ -533,7 +533,7 @@ optional_policy(` # Plugin config local policy # -allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid }; +allow mozilla_plugin_config_t self:capability { dac_override dac_read_search setgid setuid sys_nice }; allow mozilla_plugin_config_t self:process { setsched signal_perms getsched }; allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms; allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; diff --git a/policy/modules/contrib/mrtg.te b/policy/modules/contrib/mrtg.te index 42b484c0..5126d9d5 100644 --- a/policy/modules/contrib/mrtg.te +++ b/policy/modules/contrib/mrtg.te @@ -32,7 +32,7 @@ files_pid_file(mrtg_var_run_t) # Local policy # -allow mrtg_t self:capability { setgid setuid chown }; +allow mrtg_t self:capability { chown setgid setuid }; dontaudit mrtg_t self:capability sys_tty_config; allow mrtg_t self:process signal_perms; allow mrtg_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te index f0c4b92c..9a3ee20e 100644 --- a/policy/modules/contrib/mta.te +++ b/policy/modules/contrib/mta.te @@ -55,7 +55,7 @@ userdom_user_tmp_file(user_mail_tmp_t) # Common base mail policy # -allow user_mail_domain self:capability { setuid setgid chown }; +allow user_mail_domain self:capability { chown setgid setuid }; allow user_mail_domain self:process { signal_perms setrlimit }; allow user_mail_domain self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/nagios.te b/policy/modules/contrib/nagios.te index 3f1a7b95..44c2abcd 100644 --- a/policy/modules/contrib/nagios.te +++ b/policy/modules/contrib/nagios.te @@ -216,8 +216,8 @@ optional_policy(` # Nrpe local policy # -allow nrpe_t self:capability { setuid setgid }; -dontaudit nrpe_t self:capability { sys_tty_config sys_resource }; +allow nrpe_t self:capability { setgid setuid }; +dontaudit nrpe_t self:capability { sys_resource sys_tty_config }; allow nrpe_t self:process { setpgid signal_perms setsched setrlimit }; allow nrpe_t self:fifo_file rw_fifo_file_perms; allow nrpe_t self:tcp_socket { accept listen }; @@ -311,7 +311,7 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) # Mail local policy # -allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; +allow nagios_mail_plugin_t self:capability { dac_override setgid setuid }; allow nagios_mail_plugin_t self:tcp_socket { accept listen }; kernel_read_kernel_sysctls(nagios_mail_plugin_t) @@ -405,7 +405,7 @@ optional_policy(` # allow nagios_system_plugin_t self:capability dac_override; -dontaudit nagios_system_plugin_t self:capability { setuid setgid }; +dontaudit nagios_system_plugin_t self:capability { setgid setuid }; read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t) diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te index 27b92658..cde12ad5 100644 --- a/policy/modules/contrib/networkmanager.te +++ b/policy/modules/contrib/networkmanager.te @@ -47,8 +47,8 @@ ifdef(`distro_gentoo',` # Local policy # -allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock }; -dontaudit NetworkManager_t self:capability { sys_tty_config sys_module sys_ptrace }; +allow NetworkManager_t self:capability { chown dac_override fowner fsetid ipc_lock kill net_admin net_raw setgid setuid sys_nice }; +dontaudit NetworkManager_t self:capability { sys_module sys_ptrace sys_tty_config }; allow NetworkManager_t self:capability2 wake_alarm; allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms }; allow NetworkManager_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/nslcd.te b/policy/modules/contrib/nslcd.te index 40682ca2..30639e64 100644 --- a/policy/modules/contrib/nslcd.te +++ b/policy/modules/contrib/nslcd.te @@ -23,7 +23,7 @@ files_config_file(nslcd_conf_t) # Local policy # -allow nslcd_t self:capability { setgid setuid dac_override }; +allow nslcd_t self:capability { dac_override setgid setuid }; allow nslcd_t self:process signal; allow nslcd_t self:unix_stream_socket { accept listen }; diff --git a/policy/modules/contrib/ntop.te b/policy/modules/contrib/ntop.te index a3503716..025f5d4a 100644 --- a/policy/modules/contrib/ntop.te +++ b/policy/modules/contrib/ntop.te @@ -29,7 +29,7 @@ files_pid_file(ntop_var_run_t) # Local Policy # -allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin }; +allow ntop_t self:capability { net_admin net_raw setgid setuid sys_admin }; dontaudit ntop_t self:capability sys_tty_config; allow ntop_t self:process signal_perms; allow ntop_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te index c7c27be5..2fcf0a40 100644 --- a/policy/modules/contrib/ntp.te +++ b/policy/modules/contrib/ntp.te @@ -47,8 +47,8 @@ init_system_domain(ntpd_t, ntpdate_exec_t) # Local policy # -allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource }; -dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice }; +allow ntpd_t self:capability { chown dac_override ipc_lock ipc_owner kill setgid setuid sys_chroot sys_nice sys_resource sys_time }; +dontaudit ntpd_t self:capability { fsetid net_admin sys_nice sys_tty_config }; allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit }; allow ntpd_t self:fifo_file rw_fifo_file_perms; allow ntpd_t self:shm create_shm_perms; diff --git a/policy/modules/contrib/nut.te b/policy/modules/contrib/nut.te index 8086281f..d38ced7b 100644 --- a/policy/modules/contrib/nut.te +++ b/policy/modules/contrib/nut.te @@ -34,7 +34,7 @@ init_daemon_pid_file(nut_var_run_t, dir, "nut") # Common nut domain local policy # -allow nut_domain self:capability { setgid setuid dac_override kill }; +allow nut_domain self:capability { dac_override kill setgid setuid }; allow nut_domain self:process signal_perms; allow nut_domain self:fifo_file rw_fifo_file_perms; allow nut_domain self:unix_dgram_socket sendto; diff --git a/policy/modules/contrib/oddjob.te b/policy/modules/contrib/oddjob.te index c01d4f62..507d6d24 100644 --- a/policy/modules/contrib/oddjob.te +++ b/policy/modules/contrib/oddjob.te @@ -74,7 +74,7 @@ optional_policy(` # Mkhomedir local policy # -allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override }; +allow oddjob_mkhomedir_t self:capability { chown dac_override fowner fsetid }; allow oddjob_mkhomedir_t self:process setfscreate; allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms; allow oddjob_mkhomedir_t self:unix_stream_socket { accept listen }; diff --git a/policy/modules/contrib/oident.te b/policy/modules/contrib/oident.te index 0cf6cfe3..c1f42dc1 100644 --- a/policy/modules/contrib/oident.te +++ b/policy/modules/contrib/oident.te @@ -25,7 +25,7 @@ files_config_file(oidentd_config_t) # Local policy # -allow oidentd_t self:capability { setuid setgid }; +allow oidentd_t self:capability { setgid setuid }; allow oidentd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow oidentd_t self:tcp_socket { accept listen }; diff --git a/policy/modules/contrib/openvpn.te b/policy/modules/contrib/openvpn.te index cce20317..465716f6 100644 --- a/policy/modules/contrib/openvpn.te +++ b/policy/modules/contrib/openvpn.te @@ -54,7 +54,7 @@ files_pid_file(openvpn_var_run_t) # Local policy # -allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_admin setgid setuid sys_chroot sys_tty_config sys_nice }; +allow openvpn_t self:capability { dac_override dac_read_search ipc_lock net_admin setgid setuid sys_chroot sys_nice sys_tty_config }; allow openvpn_t self:process { signal getsched setsched }; allow openvpn_t self:fifo_file rw_fifo_file_perms; allow openvpn_t self:unix_dgram_socket sendto; diff --git a/policy/modules/contrib/openvswitch.te b/policy/modules/contrib/openvswitch.te index 04cbe909..b9790021 100644 --- a/policy/modules/contrib/openvswitch.te +++ b/policy/modules/contrib/openvswitch.te @@ -32,7 +32,7 @@ files_pid_file(openvswitch_var_run_t) # Local policy # -allow openvswitch_t self:capability { net_admin sys_nice sys_resource ipc_lock }; +allow openvswitch_t self:capability { ipc_lock net_admin sys_nice sys_resource }; allow openvswitch_t self:process { setrlimit setsched signal }; allow openvswitch_t self:fifo_file rw_fifo_file_perms; allow openvswitch_t self:rawip_socket create_socket_perms; diff --git a/policy/modules/contrib/pacemaker.te b/policy/modules/contrib/pacemaker.te index 6d1b3c4d..218470bb 100644 --- a/policy/modules/contrib/pacemaker.te +++ b/policy/modules/contrib/pacemaker.te @@ -29,7 +29,7 @@ files_pid_file(pacemaker_var_run_t) # Local policy # -allow pacemaker_t self:capability { fowner fsetid kill chown dac_override setuid }; +allow pacemaker_t self:capability { chown dac_override fowner fsetid kill setuid }; allow pacemaker_t self:process { setrlimit signal setpgid }; allow pacemaker_t self:fifo_file rw_fifo_file_perms; allow pacemaker_t self:unix_stream_socket { connectto accept listen }; diff --git a/policy/modules/contrib/passenger.te b/policy/modules/contrib/passenger.te index 85fb36db..b6181456 100644 --- a/policy/modules/contrib/passenger.te +++ b/policy/modules/contrib/passenger.te @@ -25,7 +25,7 @@ files_pid_file(passenger_var_run_t) # Local policy # -allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource }; +allow passenger_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_ptrace sys_resource }; allow passenger_t self:process { setpgid setsched sigkill signal }; allow passenger_t self:fifo_file rw_fifo_file_perms; allow passenger_t self:unix_stream_socket { accept connectto listen }; diff --git a/policy/modules/contrib/pcmcia.te b/policy/modules/contrib/pcmcia.te index ceab5763..230f1f00 100644 --- a/policy/modules/contrib/pcmcia.te +++ b/policy/modules/contrib/pcmcia.te @@ -29,7 +29,7 @@ role cardmgr_roles types cardmgr_t; # Local policy # -allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod }; +allow cardmgr_t self:capability { dac_override dac_read_search mknod net_admin setuid sys_admin sys_nice sys_tty_config }; dontaudit cardmgr_t self:capability sys_tty_config; allow cardmgr_t self:process signal_perms; allow cardmgr_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/pegasus.te b/policy/modules/contrib/pegasus.te index 6d8c0192..b2138295 100644 --- a/policy/modules/contrib/pegasus.te +++ b/policy/modules/contrib/pegasus.te @@ -35,7 +35,7 @@ files_pid_file(pegasus_var_run_t) # Local policy # -allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service }; +allow pegasus_t self:capability { chown dac_override ipc_lock kill net_admin net_bind_service setgid setuid sys_nice }; dontaudit pegasus_t self:capability sys_tty_config; allow pegasus_t self:process signal; allow pegasus_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/pkcs.te b/policy/modules/contrib/pkcs.te index 1d1635d4..b10f18e7 100644 --- a/policy/modules/contrib/pkcs.te +++ b/policy/modules/contrib/pkcs.te @@ -29,7 +29,7 @@ files_tmpfs_file(pkcs_slotd_tmpfs_t) # Local policy # -allow pkcs_slotd_t self:capability { fsetid kill chown }; +allow pkcs_slotd_t self:capability { chown fsetid kill }; allow pkcs_slotd_t self:fifo_file rw_fifo_file_perms; allow pkcs_slotd_t self:sem create_sem_perms; allow pkcs_slotd_t self:shm create_shm_perms; diff --git a/policy/modules/contrib/podsleuth.te b/policy/modules/contrib/podsleuth.te index 9123f715..83dc77b5 100644 --- a/policy/modules/contrib/podsleuth.te +++ b/policy/modules/contrib/podsleuth.te @@ -28,7 +28,7 @@ userdom_user_tmpfs_file(podsleuth_tmpfs_t) # Local policy # -allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio }; +allow podsleuth_t self:capability { dac_override kill sys_admin sys_rawio }; allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack }; allow podsleuth_t self:fifo_file rw_fifo_file_perms; allow podsleuth_t self:unix_stream_socket create_stream_socket_perms; diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if index e990d79a..cad9b9f1 100644 --- a/policy/modules/contrib/portage.if +++ b/policy/modules/contrib/portage.if @@ -72,7 +72,7 @@ interface(`portage_compile_domain',` type portage_tmp_t, portage_tmpfs_t; ') - allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw }; + allow $1 self:capability { chown dac_override fowner fsetid mknod net_raw setgid setuid }; dontaudit $1 self:capability sys_chroot; allow $1 self:process { setpgid setsched setrlimit signal_perms execmem setfscreate }; allow $1 self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap }; diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te index 87ca0c6c..ef04131e 100644 --- a/policy/modules/contrib/portage.te +++ b/policy/modules/contrib/portage.te @@ -160,7 +160,7 @@ optional_policy(` # - setfscreate for merging to live fs allow portage_t self:process { setfscreate }; # - kill for mysql merging, at least -allow portage_t self:capability { sys_nice kill setfcap }; +allow portage_t self:capability { kill setfcap sys_nice }; dontaudit portage_t self:capability { dac_read_search }; dontaudit portage_t self:netlink_route_socket rw_netlink_socket_perms; @@ -247,7 +247,7 @@ dontaudit portage_t device_type:blk_file read_blk_file_perms; # allow portage_fetch_t self:process signal; -allow portage_fetch_t self:capability { dac_override fowner fsetid chown }; +allow portage_fetch_t self:capability { chown dac_override fowner fsetid }; allow portage_fetch_t self:fifo_file rw_fifo_file_perms; allow portage_fetch_t self:tcp_socket { accept listen }; allow portage_fetch_t self:unix_stream_socket create_socket_perms; diff --git a/policy/modules/contrib/portmap.te b/policy/modules/contrib/portmap.te index 292b3aa8..2a8c850b 100644 --- a/policy/modules/contrib/portmap.te +++ b/policy/modules/contrib/portmap.te @@ -30,7 +30,7 @@ files_pid_file(portmap_var_run_t) # Local policy # -allow portmap_t self:capability { setuid setgid }; +allow portmap_t self:capability { setgid setuid }; dontaudit portmap_t self:capability sys_tty_config; allow portmap_t self:unix_stream_socket { accept listen }; allow portmap_t self:tcp_socket { accept listen }; diff --git a/policy/modules/contrib/portreserve.te b/policy/modules/contrib/portreserve.te index 7e05b61b..a09698ce 100644 --- a/policy/modules/contrib/portreserve.te +++ b/policy/modules/contrib/portreserve.te @@ -23,7 +23,7 @@ files_pid_file(portreserve_var_run_t) # Local policy # -allow portreserve_t self:capability { dac_read_search dac_override }; +allow portreserve_t self:capability { dac_override dac_read_search }; allow portreserve_t self:fifo_file rw_fifo_file_perms; allow portreserve_t self:unix_stream_socket create_stream_socket_perms; allow portreserve_t self:unix_dgram_socket { create_socket_perms sendto }; diff --git a/policy/modules/contrib/portslave.te b/policy/modules/contrib/portslave.te index cbe36c1d..b34887c9 100644 --- a/policy/modules/contrib/portslave.te +++ b/policy/modules/contrib/portslave.te @@ -21,7 +21,7 @@ files_lock_file(portslave_lock_t) # Local policy # -allow portslave_t self:capability { setuid setgid net_admin fsetid net_bind_service sys_tty_config }; +allow portslave_t self:capability { fsetid net_admin net_bind_service setgid setuid sys_tty_config }; dontaudit portslave_t self:capability sys_admin; allow portslave_t self:process signal_perms; allow portslave_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te index 1f1a396f..74cb3d7e 100644 --- a/policy/modules/contrib/postfix.te +++ b/policy/modules/contrib/postfix.te @@ -108,7 +108,7 @@ mta_mailserver_delivery(postfix_virtual_t) # Common postfix domain local policy # -allow postfix_domain self:capability { sys_nice sys_chroot }; +allow postfix_domain self:capability { sys_chroot sys_nice }; dontaudit postfix_domain self:capability sys_tty_config; allow postfix_domain self:process { signal_perms setpgid setsched }; allow postfix_domain self:fifo_file rw_fifo_file_perms; @@ -171,7 +171,7 @@ optional_policy(` # Common postfix server domain local policy # -allow postfix_server_domain self:capability { setuid setgid dac_override }; +allow postfix_server_domain self:capability { dac_override setgid setuid }; allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; @@ -198,7 +198,7 @@ domain_use_interactive_fds(postfix_user_domains) # Master local policy # -allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config }; +allow postfix_master_t self:capability { chown dac_override fowner kill setgid setuid sys_tty_config }; allow postfix_master_t self:capability2 block_suspend; allow postfix_master_t self:process setrlimit; allow postfix_master_t self:tcp_socket create_stream_socket_perms; @@ -683,7 +683,7 @@ corecmd_exec_bin(postfix_qmgr_t) # Showq local policy # -allow postfix_showq_t self:capability { setuid setgid }; +allow postfix_showq_t self:capability { setgid setuid }; allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms }; diff --git a/policy/modules/contrib/postfixpolicyd.te b/policy/modules/contrib/postfixpolicyd.te index 153fb19c..621e1817 100644 --- a/policy/modules/contrib/postfixpolicyd.te +++ b/policy/modules/contrib/postfixpolicyd.te @@ -23,7 +23,7 @@ files_pid_file(postfix_policyd_var_run_t) # Local policy # -allow postfix_policyd_t self:capability { sys_resource sys_chroot setgid setuid }; +allow postfix_policyd_t self:capability { setgid setuid sys_chroot sys_resource }; allow postfix_policyd_t self:process setrlimit; allow postfix_policyd_t self:tcp_socket { accept listen }; diff --git a/policy/modules/contrib/ppp.te b/policy/modules/contrib/ppp.te index 27718824..1015b4ee 100644 --- a/policy/modules/contrib/ppp.te +++ b/policy/modules/contrib/ppp.te @@ -78,7 +78,7 @@ userdom_user_home_content(ppp_home_t) # PPPD local policy # -allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice }; +allow pppd_t self:capability { dac_override fowner fsetid kill net_admin net_raw setgid setuid sys_admin sys_nice }; dontaudit pppd_t self:capability sys_tty_config; allow pppd_t self:process { getsched setsched signal }; allow pppd_t self:fifo_file rw_fifo_file_perms; @@ -224,7 +224,7 @@ optional_policy(` # PPTP local policy # -allow pptp_t self:capability { dac_override dac_read_search net_raw net_admin }; +allow pptp_t self:capability { dac_override dac_read_search net_admin net_raw }; dontaudit pptp_t self:capability sys_tty_config; allow pptp_t self:process signal; allow pptp_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/procmail.te b/policy/modules/contrib/procmail.te index a4fa22b0..8a842661 100644 --- a/policy/modules/contrib/procmail.te +++ b/policy/modules/contrib/procmail.te @@ -24,7 +24,7 @@ files_tmp_file(procmail_tmp_t) # Local policy # -allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_override }; +allow procmail_t self:capability { chown dac_override fsetid setgid setuid sys_nice }; allow procmail_t self:process { setsched signal signull }; allow procmail_t self:fifo_file rw_fifo_file_perms; allow procmail_t self:tcp_socket { accept listen }; diff --git a/policy/modules/contrib/psad.te b/policy/modules/contrib/psad.te index 3336ca7e..b94e44a9 100644 --- a/policy/modules/contrib/psad.te +++ b/policy/modules/contrib/psad.te @@ -32,7 +32,7 @@ files_tmp_file(psad_tmp_t) # Local policy # -allow psad_t self:capability { net_admin net_raw setuid setgid dac_override }; +allow psad_t self:capability { dac_override net_admin net_raw setgid setuid }; dontaudit psad_t self:capability sys_tty_config; allow psad_t self:process signal_perms; allow psad_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te index e9a4a507..ac9811ea 100644 --- a/policy/modules/contrib/pulseaudio.te +++ b/policy/modules/contrib/pulseaudio.te @@ -44,7 +44,7 @@ files_pid_file(pulseaudio_var_run_t) # Local policy # -allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config }; +allow pulseaudio_t self:capability { chown fowner fsetid setgid setuid sys_nice sys_resource sys_tty_config }; allow pulseaudio_t self:process { getcap getsched setcap setrlimit setsched signal signull }; allow pulseaudio_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/puppet.te b/policy/modules/contrib/puppet.te index 4f496964..0e8161a2 100644 --- a/policy/modules/contrib/puppet.te +++ b/policy/modules/contrib/puppet.te @@ -59,7 +59,7 @@ files_tmp_file(puppetmaster_tmp_t) # Local policy # -allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_admin sys_nice sys_tty_config }; +allow puppet_t self:capability { chown dac_override fowner fsetid setgid setuid sys_admin sys_nice sys_tty_config }; allow puppet_t self:process { signal signull getsched setsched }; allow puppet_t self:fifo_file rw_fifo_file_perms; allow puppet_t self:netlink_route_socket create_netlink_socket_perms; @@ -255,7 +255,7 @@ optional_policy(` # Master local policy # -allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config }; +allow puppetmaster_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_tty_config }; allow puppetmaster_t self:process { signal_perms getsched setsched }; allow puppetmaster_t self:fifo_file rw_fifo_file_perms; allow puppetmaster_t self:netlink_route_socket nlmsg_write; diff --git a/policy/modules/contrib/qemu.if b/policy/modules/contrib/qemu.if index 32b48657..efdc5286 100644 --- a/policy/modules/contrib/qemu.if +++ b/policy/modules/contrib/qemu.if @@ -27,7 +27,7 @@ template(`qemu_domain_template',` # Policy # - allow $1_t self:capability { dac_read_search dac_override }; + allow $1_t self:capability { dac_override dac_read_search }; allow $1_t self:process { execstack execmem signal getsched }; allow $1_t self:fifo_file rw_file_perms; allow $1_t self:shm create_shm_perms; diff --git a/policy/modules/contrib/qmail.te b/policy/modules/contrib/qmail.te index a40ba2a2..455f2c0e 100644 --- a/policy/modules/contrib/qmail.te +++ b/policy/modules/contrib/qmail.te @@ -145,7 +145,7 @@ optional_policy(` # Lspawn local policy # -allow qmail_lspawn_t self:capability { setuid setgid }; +allow qmail_lspawn_t self:capability { setgid setuid }; allow qmail_lspawn_t self:process signal_perms; allow qmail_lspawn_t self:fifo_file rw_fifo_file_perms; allow qmail_lspawn_t self:unix_stream_socket create_socket_perms; diff --git a/policy/modules/contrib/quota.te b/policy/modules/contrib/quota.te index 9952f537..95fc0aa3 100644 --- a/policy/modules/contrib/quota.te +++ b/policy/modules/contrib/quota.te @@ -33,7 +33,7 @@ files_pid_file(quota_nld_var_run_t) # Local policy # -allow quota_t self:capability { sys_admin dac_override }; +allow quota_t self:capability { dac_override sys_admin }; dontaudit quota_t self:capability sys_tty_config; allow quota_t self:process signal_perms; diff --git a/policy/modules/contrib/radvd.te b/policy/modules/contrib/radvd.te index 1d7fbfe4..41df3b57 100644 --- a/policy/modules/contrib/radvd.te +++ b/policy/modules/contrib/radvd.te @@ -22,7 +22,7 @@ files_pid_file(radvd_var_run_t) # Local policy # -allow radvd_t self:capability { kill setgid setuid net_raw net_admin }; +allow radvd_t self:capability { kill net_admin net_raw setgid setuid }; dontaudit radvd_t self:capability sys_tty_config; allow radvd_t self:process signal_perms; allow radvd_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te index ad21e093..49c7dbb4 100644 --- a/policy/modules/contrib/raid.te +++ b/policy/modules/contrib/raid.te @@ -27,7 +27,7 @@ dev_associate(mdadm_var_run_t) # Local policy # -allow mdadm_t self:capability { dac_override sys_admin ipc_lock }; +allow mdadm_t self:capability { dac_override ipc_lock sys_admin }; dontaudit mdadm_t self:capability sys_tty_config; allow mdadm_t self:process { getsched setsched signal_perms }; allow mdadm_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/readahead.te b/policy/modules/contrib/readahead.te index 080c0ad0..ec587591 100644 --- a/policy/modules/contrib/readahead.te +++ b/policy/modules/contrib/readahead.te @@ -22,7 +22,7 @@ init_daemon_pid_file(readahead_var_run_t, dir, "readahead") # Local policy # -allow readahead_t self:capability { sys_admin fowner dac_override dac_read_search }; +allow readahead_t self:capability { dac_override dac_read_search fowner sys_admin }; dontaudit readahead_t self:capability { net_admin sys_tty_config }; allow readahead_t self:process { setsched signal_perms }; diff --git a/policy/modules/contrib/remotelogin.te b/policy/modules/contrib/remotelogin.te index ae308717..3130db86 100644 --- a/policy/modules/contrib/remotelogin.te +++ b/policy/modules/contrib/remotelogin.te @@ -18,7 +18,7 @@ files_tmp_file(remote_login_tmp_t) # Local policy # -allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config }; +allow remote_login_t self:capability { chown dac_override fowner fsetid kill net_bind_service setgid setuid sys_nice sys_resource sys_tty_config }; allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow remote_login_t self:process { setrlimit setexec }; allow remote_login_t self:fd use; diff --git a/policy/modules/contrib/rgmanager.te b/policy/modules/contrib/rgmanager.te index c533810f..905c3d44 100644 --- a/policy/modules/contrib/rgmanager.te +++ b/policy/modules/contrib/rgmanager.te @@ -37,7 +37,7 @@ files_pid_file(rgmanager_var_run_t) # Local policy # -allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock }; +allow rgmanager_t self:capability { dac_override ipc_lock net_raw sys_admin sys_nice sys_resource }; allow rgmanager_t self:process { setsched signal }; allow rgmanager_t self:fifo_file rw_fifo_file_perms; allow rgmanager_t self:unix_stream_socket { accept listen }; diff --git a/policy/modules/contrib/rhcs.te b/policy/modules/contrib/rhcs.te index 4c58d123..85a3a066 100644 --- a/policy/modules/contrib/rhcs.te +++ b/policy/modules/contrib/rhcs.te @@ -170,7 +170,7 @@ tunable_policy(`fenced_can_network_connect',` optional_policy(` tunable_policy(`fenced_can_ssh',` - allow fenced_t self:capability { setuid setgid }; + allow fenced_t self:capability { setgid setuid }; corenet_sendrecv_ssh_client_packets(fenced_t) corenet_tcp_connect_ssh_port(fenced_t) diff --git a/policy/modules/contrib/ricci.te b/policy/modules/contrib/ricci.te index 794dcd36..326d7b85 100644 --- a/policy/modules/contrib/ricci.te +++ b/policy/modules/contrib/ricci.te @@ -78,7 +78,7 @@ files_lock_file(ricci_modstorage_lock_t) # Local policy # -allow ricci_t self:capability { setuid sys_nice sys_boot }; +allow ricci_t self:capability { setuid sys_boot sys_nice }; allow ricci_t self:process setsched; allow ricci_t self:fifo_file rw_fifo_file_perms; allow ricci_t self:unix_stream_socket { accept connectto listen }; diff --git a/policy/modules/contrib/rlogin.te b/policy/modules/contrib/rlogin.te index 0714e380..94d41e81 100644 --- a/policy/modules/contrib/rlogin.te +++ b/policy/modules/contrib/rlogin.te @@ -31,7 +31,7 @@ files_pid_file(rlogind_var_run_t) # Local policy # -allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override }; +allow rlogind_t self:capability { chown dac_override fowner fsetid setgid setuid sys_tty_config }; allow rlogind_t self:process signal_perms; allow rlogind_t self:fifo_file rw_fifo_file_perms; allow rlogind_t self:tcp_socket { accept listen }; diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te index cf1f775b..5123f079 100644 --- a/policy/modules/contrib/rpc.te +++ b/policy/modules/contrib/rpc.te @@ -145,7 +145,7 @@ optional_policy(` # Local policy # -allow rpcd_t self:capability { setpcap sys_admin chown dac_override setgid setuid }; +allow rpcd_t self:capability { chown dac_override setgid setpcap setuid sys_admin }; allow rpcd_t self:capability2 block_suspend; allow rpcd_t self:process { getcap setcap }; allow rpcd_t self:fifo_file rw_fifo_file_perms; @@ -288,7 +288,7 @@ optional_policy(` # GSSD local policy # -allow gssd_t self:capability { dac_override dac_read_search setuid setgid sys_nice }; +allow gssd_t self:capability { dac_override dac_read_search setgid setuid sys_nice }; allow gssd_t self:process { getsched setsched }; allow gssd_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te index 6ab5fd9e..1b36d097 100644 --- a/policy/modules/contrib/rpm.te +++ b/policy/modules/contrib/rpm.te @@ -73,7 +73,7 @@ files_tmpfs_file(rpm_script_tmpfs_t) # rpm Local policy # -allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod }; +allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock mknod setfcap setgid setuid sys_chroot sys_nice sys_tty_config }; allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap }; allow rpm_t self:process { getattr setexec setfscreate setrlimit }; allow rpm_t self:fd use; @@ -241,7 +241,7 @@ optional_policy(` # rpm-script Local policy # -allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin }; +allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin setgid setuid sys_admin sys_chroot sys_nice sys_rawio }; allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap }; allow rpm_script_t self:fd use; allow rpm_script_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/rshd.te b/policy/modules/contrib/rshd.te index 5a5f6f71..dc327424 100644 --- a/policy/modules/contrib/rshd.te +++ b/policy/modules/contrib/rshd.te @@ -18,7 +18,7 @@ files_type(rshd_keytab_t) # Local policy # -allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override }; +allow rshd_t self:capability { chown dac_override fowner fsetid kill setgid setuid }; allow rshd_t self:process { signal_perms setsched setpgid setexec }; allow rshd_t self:fifo_file rw_fifo_file_perms; allow rshd_t self:tcp_socket create_stream_socket_perms; diff --git a/policy/modules/contrib/rssh.te b/policy/modules/contrib/rssh.te index 5c5465fe..cf6dd81e 100644 --- a/policy/modules/contrib/rssh.te +++ b/policy/modules/contrib/rssh.te @@ -86,7 +86,7 @@ optional_policy(` # Chroot helper local policy # -allow rssh_chroot_helper_t self:capability { sys_chroot setuid }; +allow rssh_chroot_helper_t self:capability { setuid sys_chroot }; allow rssh_chroot_helper_t self:fifo_file rw_fifo_file_perms; allow rssh_chroot_helper_t self:unix_stream_socket { accept listen }; diff --git a/policy/modules/contrib/rsync.te b/policy/modules/contrib/rsync.te index 18db99d4..2fce98b0 100644 --- a/policy/modules/contrib/rsync.te +++ b/policy/modules/contrib/rsync.te @@ -83,7 +83,7 @@ files_pid_file(rsync_var_run_t) # Local policy # -allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot }; +allow rsync_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_chroot }; allow rsync_t self:process signal_perms; allow rsync_t self:fifo_file rw_fifo_file_perms; allow rsync_t self:tcp_socket { accept listen }; diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te index 0acf15a7..e7dae973 100644 --- a/policy/modules/contrib/samba.te +++ b/policy/modules/contrib/samba.te @@ -194,7 +194,7 @@ files_pid_file(winbind_var_run_t) # Net local policy # -allow samba_net_t self:capability { sys_chroot sys_nice dac_read_search dac_override }; +allow samba_net_t self:capability { dac_override dac_read_search sys_chroot sys_nice }; allow samba_net_t self:capability2 block_suspend; allow samba_net_t self:process { getsched setsched }; allow samba_net_t self:unix_stream_socket { accept listen }; @@ -261,7 +261,7 @@ optional_policy(` # Smbd Local policy # -allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search }; +allow smbd_t self:capability { chown dac_override dac_read_search fowner fsetid kill lease setgid setuid sys_admin sys_chroot sys_nice sys_resource }; dontaudit smbd_t self:capability sys_tty_config; allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; allow smbd_t self:fd use; @@ -650,7 +650,7 @@ optional_policy(` # Smbmount Local policy # -allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown }; +allow smbmount_t self:capability { chown dac_override sys_admin sys_rawio }; allow smbmount_t self:process signal_perms; allow smbmount_t self:tcp_socket { accept listen }; allow smbmount_t self:unix_dgram_socket create_socket_perms; @@ -724,7 +724,7 @@ optional_policy(` # Swat Local policy # -allow swat_t self:capability { dac_override setuid setgid sys_resource }; +allow swat_t self:capability { dac_override setgid setuid sys_resource }; allow swat_t self:process { setrlimit signal_perms }; allow swat_t self:fifo_file rw_fifo_file_perms; allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; diff --git a/policy/modules/contrib/samhain.te b/policy/modules/contrib/samhain.te index 1d2f80f5..865f9563 100644 --- a/policy/modules/contrib/samhain.te +++ b/policy/modules/contrib/samhain.te @@ -49,7 +49,7 @@ ifdef(`enable_mls',` # allow samhain_domain self:capability { dac_override dac_read_search fowner ipc_lock }; -dontaudit samhain_domain self:capability { sys_resource sys_ptrace }; +dontaudit samhain_domain self:capability { sys_ptrace sys_resource }; allow samhain_domain self:process { setsched setrlimit signull }; allow samhain_domain self:fd use; allow samhain_domain self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/screen.te b/policy/modules/contrib/screen.te index e8569cb1..e376da59 100644 --- a/policy/modules/contrib/screen.te +++ b/policy/modules/contrib/screen.te @@ -29,7 +29,7 @@ ubac_constrained(screen_runtime_t) # # dac_override : read /dev/pts/ID -allow screen_domain self:capability { setuid setgid fsetid dac_override }; +allow screen_domain self:capability { dac_override fsetid setgid setuid }; allow screen_domain self:process signal_perms; allow screen_domain self:fd use; allow screen_domain self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te index 1ae4a27a..dbfab0a0 100644 --- a/policy/modules/contrib/sendmail.te +++ b/policy/modules/contrib/sendmail.te @@ -40,7 +40,7 @@ role sendmail_unconfined_roles types unconfined_sendmail_t; # Local policy # -allow sendmail_t self:capability { dac_override setuid setgid sys_nice chown sys_tty_config }; +allow sendmail_t self:capability { chown dac_override setgid setuid sys_nice sys_tty_config }; allow sendmail_t self:process { setsched setpgid setrlimit signal signull }; allow sendmail_t self:fifo_file rw_fifo_file_perms; allow sendmail_t self:unix_stream_socket { accept listen }; diff --git a/policy/modules/contrib/shorewall.te b/policy/modules/contrib/shorewall.te index e2e6c30d..5e815dd8 100644 --- a/policy/modules/contrib/shorewall.te +++ b/policy/modules/contrib/shorewall.te @@ -32,7 +32,7 @@ logging_log_file(shorewall_log_t) # Local policy # -allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_admin }; +allow shorewall_t self:capability { dac_override net_admin net_raw setgid setuid sys_admin sys_nice }; dontaudit shorewall_t self:capability sys_tty_config; allow shorewall_t self:fifo_file rw_fifo_file_perms; allow shorewall_t self:netlink_socket create_socket_perms; diff --git a/policy/modules/contrib/slocate.te b/policy/modules/contrib/slocate.te index 65fe1cb6..2bf0fed4 100644 --- a/policy/modules/contrib/slocate.te +++ b/policy/modules/contrib/slocate.te @@ -20,7 +20,7 @@ files_pid_file(locate_var_run_t) # Local policy # -allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid }; +allow locate_t self:capability { chown dac_override dac_read_search fowner fsetid }; allow locate_t self:process { execmem execheap execstack signal setsched }; allow locate_t self:fifo_file rw_fifo_file_perms; allow locate_t self:unix_stream_socket create_socket_perms; diff --git a/policy/modules/contrib/smartmon.te b/policy/modules/contrib/smartmon.te index eb812fe8..4a7cafa7 100644 --- a/policy/modules/contrib/smartmon.te +++ b/policy/modules/contrib/smartmon.te @@ -38,7 +38,7 @@ ifdef(`enable_mls',` # Local policy # -allow fsdaemon_t self:capability { dac_override kill setpcap setgid sys_rawio sys_admin }; +allow fsdaemon_t self:capability { dac_override kill setgid setpcap sys_admin sys_rawio }; dontaudit fsdaemon_t self:capability sys_tty_config; allow fsdaemon_t self:process { getcap setcap signal_perms }; allow fsdaemon_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/smokeping.te b/policy/modules/contrib/smokeping.te index 625d8018..cc19c38d 100644 --- a/policy/modules/contrib/smokeping.te +++ b/policy/modules/contrib/smokeping.te @@ -23,7 +23,7 @@ files_type(smokeping_var_lib_t) # Local policy # -dontaudit smokeping_t self:capability { dac_read_search dac_override }; +dontaudit smokeping_t self:capability { dac_override dac_read_search }; allow smokeping_t self:fifo_file rw_fifo_file_perms; allow smokeping_t self:unix_stream_socket { accept listen }; diff --git a/policy/modules/contrib/snmp.te b/policy/modules/contrib/snmp.te index 49385798..fe37b52d 100644 --- a/policy/modules/contrib/snmp.te +++ b/policy/modules/contrib/snmp.te @@ -26,7 +26,7 @@ files_type(snmpd_var_lib_t) # Local policy # -allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace }; +allow snmpd_t self:capability { chown dac_override ipc_lock kill net_admin setgid setuid sys_nice sys_ptrace sys_tty_config }; dontaudit snmpd_t self:capability { sys_module sys_tty_config }; allow snmpd_t self:process { signal_perms getsched setsched }; allow snmpd_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/snort.te b/policy/modules/contrib/snort.te index 30ba1e0c..536efd00 100644 --- a/policy/modules/contrib/snort.te +++ b/policy/modules/contrib/snort.te @@ -30,7 +30,7 @@ init_daemon_pid_file(snort_var_run_t, dir, "snort") # Local policy # -allow snort_t self:capability { setgid setuid net_admin net_raw dac_override }; +allow snort_t self:capability { dac_override net_admin net_raw setgid setuid }; dontaudit snort_t self:capability sys_tty_config; allow snort_t self:process signal_perms; allow snort_t self:netlink_socket create_socket_perms; diff --git a/policy/modules/contrib/sosreport.te b/policy/modules/contrib/sosreport.te index 18dca447..940f220a 100644 --- a/policy/modules/contrib/sosreport.te +++ b/policy/modules/contrib/sosreport.te @@ -31,7 +31,7 @@ optional_policy(` # Local policy # -allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override }; +allow sosreport_t self:capability { dac_override kill net_admin net_raw setuid sys_admin sys_nice }; dontaudit sosreport_t self:capability sys_ptrace; allow sosreport_t self:process { setsched setpgid signal_perms }; allow sosreport_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te index 6631a498..4a9153ce 100644 --- a/policy/modules/contrib/spamassassin.te +++ b/policy/modules/contrib/spamassassin.te @@ -270,7 +270,7 @@ optional_policy(` # Daemon local policy # -allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config }; +allow spamd_t self:capability { dac_override kill setgid setuid sys_tty_config }; dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te index 2852599a..74fb3c23 100644 --- a/policy/modules/contrib/squid.te +++ b/policy/modules/contrib/squid.te @@ -51,7 +51,7 @@ files_pid_file(squid_var_run_t) # Local policy # -allow squid_t self:capability { setgid kill setuid dac_override sys_resource }; +allow squid_t self:capability { dac_override kill setgid setuid sys_resource }; dontaudit squid_t self:capability sys_tty_config; allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; allow squid_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te index 9be5c19c..e273c904 100644 --- a/policy/modules/contrib/sssd.te +++ b/policy/modules/contrib/sssd.te @@ -33,7 +33,7 @@ files_pid_file(sssd_var_run_t) # Local policy # -allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource }; +allow sssd_t self:capability { chown dac_override dac_read_search kill net_admin setgid setuid sys_admin sys_nice sys_resource }; allow sssd_t self:capability2 block_suspend; allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit }; allow sssd_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/sxid.te b/policy/modules/contrib/sxid.te index 01a9d0ac..010c40ce 100644 --- a/policy/modules/contrib/sxid.te +++ b/policy/modules/contrib/sxid.te @@ -21,7 +21,7 @@ files_tmp_file(sxid_tmp_t) # allow sxid_t self:capability { dac_override dac_read_search fsetid }; -dontaudit sxid_t self:capability { setuid setgid sys_tty_config }; +dontaudit sxid_t self:capability { setgid setuid sys_tty_config }; allow sxid_t self:process signal_perms; allow sxid_t self:fifo_file rw_fifo_file_perms; allow sxid_t self:tcp_socket create_stream_socket_perms; diff --git a/policy/modules/contrib/systemtap.te b/policy/modules/contrib/systemtap.te index f2fa8494..c0ddb637 100644 --- a/policy/modules/contrib/systemtap.te +++ b/policy/modules/contrib/systemtap.te @@ -29,7 +29,7 @@ files_pid_file(stapserver_var_run_t) # Local policy # -allow stapserver_t self:capability { dac_override kill setuid setgid }; +allow stapserver_t self:capability { dac_override kill setgid setuid }; allow stapserver_t self:process { setrlimit setsched signal }; allow stapserver_t self:fifo_file rw_fifo_file_perms; allow stapserver_t self:key write; diff --git a/policy/modules/contrib/telnet.te b/policy/modules/contrib/telnet.te index 0e70d1f4..6007d763 100644 --- a/policy/modules/contrib/telnet.te +++ b/policy/modules/contrib/telnet.te @@ -27,7 +27,7 @@ files_pid_file(telnetd_var_run_t) # Local policy # -allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override }; +allow telnetd_t self:capability { chown dac_override fowner fsetid setgid setuid sys_tty_config }; allow telnetd_t self:process signal_perms; allow telnetd_t self:fifo_file rw_fifo_file_perms; allow telnetd_t self:tcp_socket { accept listen }; diff --git a/policy/modules/contrib/tripwire.te b/policy/modules/contrib/tripwire.te index 03aa6b7f..47dc24b3 100644 --- a/policy/modules/contrib/tripwire.te +++ b/policy/modules/contrib/tripwire.te @@ -47,7 +47,7 @@ role twprint_roles types twprint_t; # Local policy # -allow tripwire_t self:capability { setgid setuid dac_override }; +allow tripwire_t self:capability { dac_override setgid setuid }; allow tripwire_t tripwire_etc_t:dir list_dir_perms; allow tripwire_t tripwire_etc_t:file read_file_perms; diff --git a/policy/modules/contrib/ulogd.te b/policy/modules/contrib/ulogd.te index 6c3a3eaf..50beee26 100644 --- a/policy/modules/contrib/ulogd.te +++ b/policy/modules/contrib/ulogd.te @@ -26,7 +26,7 @@ logging_log_file(ulogd_var_log_t) # Local policy # -allow ulogd_t self:capability { net_admin setuid setgid sys_nice }; +allow ulogd_t self:capability { net_admin setgid setuid sys_nice }; allow ulogd_t self:process setsched; allow ulogd_t self:netlink_nflog_socket create_socket_perms; allow ulogd_t self:netlink_socket create_socket_perms; diff --git a/policy/modules/contrib/userhelper.te b/policy/modules/contrib/userhelper.te index 7a57c21a..9c7ac268 100644 --- a/policy/modules/contrib/userhelper.te +++ b/policy/modules/contrib/userhelper.te @@ -25,7 +25,7 @@ application_executable_file(consolehelper_exec_t) # Common consolehelper domain local policy # -allow consolehelper_type self:capability { setgid setuid dac_override }; +allow consolehelper_type self:capability { dac_override setgid setuid }; allow consolehelper_type self:process signal; allow consolehelper_type self:fifo_file rw_fifo_file_perms; allow consolehelper_type self:unix_stream_socket create_stream_socket_perms; @@ -94,7 +94,7 @@ optional_policy(` # Common userhelper domain local policy # -allow userhelper_type self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config }; +allow userhelper_type self:capability { chown dac_override net_bind_service setgid setuid sys_tty_config }; allow userhelper_type self:process ~{ ptrace setcurrent setfscreate setrlimit execmem execstack execheap }; allow userhelper_type self:fd use; allow userhelper_type self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/usernetctl.te b/policy/modules/contrib/usernetctl.te index f973af82..3f774951 100644 --- a/policy/modules/contrib/usernetctl.te +++ b/policy/modules/contrib/usernetctl.te @@ -18,7 +18,7 @@ role usernetctl_roles types usernetctl_t; # Local policy # -allow usernetctl_t self:capability { setuid setgid dac_override }; +allow usernetctl_t self:capability { dac_override setgid setuid }; allow usernetctl_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow usernetctl_t self:fd use; allow usernetctl_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/uucp.te b/policy/modules/contrib/uucp.te index 9c884c46..d44d025f 100644 --- a/policy/modules/contrib/uucp.te +++ b/policy/modules/contrib/uucp.te @@ -46,7 +46,7 @@ role uux_roles types uux_t; # Local policy # -allow uucpd_t self:capability { setuid setgid }; +allow uucpd_t self:capability { setgid setuid }; allow uucpd_t self:process signal_perms; allow uucpd_t self:fifo_file rw_fifo_file_perms; allow uucpd_t self:tcp_socket { accept listen }; @@ -137,7 +137,7 @@ optional_policy(` # UUX Local policy # -allow uux_t self:capability { setuid setgid }; +allow uux_t self:capability { setgid setuid }; allow uux_t self:fifo_file write_fifo_file_perms; domtrans_pattern(uux_t, uucpd_exec_t, uucpd_t) diff --git a/policy/modules/contrib/varnishd.te b/policy/modules/contrib/varnishd.te index 36c32fcd..b36f69ca 100644 --- a/policy/modules/contrib/varnishd.te +++ b/policy/modules/contrib/varnishd.te @@ -50,7 +50,7 @@ files_type(varnishlog_log_t) # Local policy # -allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid }; +allow varnishd_t self:capability { dac_override ipc_lock kill setgid setuid }; dontaudit varnishd_t self:capability sys_tty_config; allow varnishd_t self:process signal; allow varnishd_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/vbetool.te b/policy/modules/contrib/vbetool.te index 2a61f752..09980a08 100644 --- a/policy/modules/contrib/vbetool.te +++ b/policy/modules/contrib/vbetool.te @@ -26,7 +26,7 @@ role vbetool_roles types vbetool_t; # Local policy # -allow vbetool_t self:capability { dac_override sys_tty_config sys_admin }; +allow vbetool_t self:capability { dac_override sys_admin sys_tty_config }; allow vbetool_t self:process execmem; dev_wx_raw_memory(vbetool_t) diff --git a/policy/modules/contrib/vhostmd.te b/policy/modules/contrib/vhostmd.te index 4d47427d..f6636a99 100644 --- a/policy/modules/contrib/vhostmd.te +++ b/policy/modules/contrib/vhostmd.te @@ -23,7 +23,7 @@ files_pid_file(vhostmd_var_run_t) # Local policy # -allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid }; +allow vhostmd_t self:capability { dac_override ipc_lock setgid setuid }; allow vhostmd_t self:process { setsched getsched signal }; allow vhostmd_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index e8ac408d..eb72843f 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -455,7 +455,7 @@ tunable_policy(`virt_use_vfio',` # virtd local policy # -allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice }; +allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice }; allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto }; @@ -808,7 +808,7 @@ optional_policy(` # Virsh local policy # -allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config }; +allow virsh_t self:capability { dac_override ipc_lock setpcap sys_nice sys_tty_config }; allow virsh_t self:process { getcap getsched setsched setcap signal }; allow virsh_t self:fifo_file rw_fifo_file_perms; allow virsh_t self:unix_stream_socket { accept connectto listen }; @@ -956,7 +956,7 @@ optional_policy(` # Lxc local policy # -allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource }; +allow virtd_lxc_t self:capability { chown dac_override net_admin net_raw setpcap sys_admin sys_boot sys_resource }; allow virtd_lxc_t self:process { setexec setrlimit setsched getcap setcap signal_perms }; allow virtd_lxc_t self:fifo_file rw_fifo_file_perms; allow virtd_lxc_t self:netlink_route_socket nlmsg_write; @@ -1052,7 +1052,7 @@ sysnet_domtrans_ifconfig(virtd_lxc_t) # Common virt lxc domain local policy # -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; +allow svirt_lxc_domain self:capability { dac_override kill setgid setuid sys_boot }; allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; allow svirt_lxc_domain self:fifo_file manage_file_perms; allow svirt_lxc_domain self:sem create_sem_perms; @@ -1149,7 +1149,7 @@ optional_policy(` # Lxc net local policy # -allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap }; +allow svirt_lxc_net_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_raw setpcap sys_admin sys_nice sys_ptrace sys_resource }; dontaudit svirt_lxc_net_t self:capability2 block_suspend; allow svirt_lxc_net_t self:process setrlimit; allow svirt_lxc_net_t self:tcp_socket { accept listen }; @@ -1253,7 +1253,7 @@ optional_policy(` # allow virt_bridgehelper_t self:process { setcap getcap }; -allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; +allow virt_bridgehelper_t self:capability { net_admin setgid setpcap setuid }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/policy/modules/contrib/vlock.te b/policy/modules/contrib/vlock.te index 6b72968e..d4094916 100644 --- a/policy/modules/contrib/vlock.te +++ b/policy/modules/contrib/vlock.te @@ -17,7 +17,7 @@ role vlock_roles types vlock_t; # Local policy # -dontaudit vlock_t self:capability { setuid setgid }; +dontaudit vlock_t self:capability { setgid setuid }; allow vlock_t self:fd use; allow vlock_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/vmware.te b/policy/modules/contrib/vmware.te index 0fa22c2b..59a32f5d 100644 --- a/policy/modules/contrib/vmware.te +++ b/policy/modules/contrib/vmware.te @@ -69,7 +69,7 @@ optional_policy(` # Host local policy # -allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override }; +allow vmware_host_t self:capability { dac_override kill net_raw setgid setuid sys_nice sys_ptrace sys_time }; dontaudit vmware_host_t self:capability sys_tty_config; allow vmware_host_t self:process { execstack execmem signal_perms }; allow vmware_host_t self:fifo_file rw_fifo_file_perms; @@ -186,7 +186,7 @@ optional_policy(` # Guest local policy # -allow vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown }; +allow vmware_t self:capability { chown dac_override setgid setuid sys_admin sys_nice sys_rawio sys_resource }; dontaudit vmware_t self:capability sys_tty_config; allow vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow vmware_t self:process { execmem execstack }; diff --git a/policy/modules/contrib/vpn.te b/policy/modules/contrib/vpn.te index 85353fa7..10fb1013 100644 --- a/policy/modules/contrib/vpn.te +++ b/policy/modules/contrib/vpn.te @@ -24,7 +24,7 @@ files_pid_file(vpnc_var_run_t) # Local policy # -allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw setuid }; +allow vpnc_t self:capability { dac_override dac_read_search ipc_lock net_admin net_raw setuid }; allow vpnc_t self:process { getsched signal }; allow vpnc_t self:fifo_file rw_fifo_file_perms; allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms; diff --git a/policy/modules/contrib/watchdog.te b/policy/modules/contrib/watchdog.te index a181f48b..bac0a747 100644 --- a/policy/modules/contrib/watchdog.te +++ b/policy/modules/contrib/watchdog.te @@ -23,7 +23,7 @@ files_pid_file(watchdog_var_run_t) # Local policy # -allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource net_raw }; +allow watchdog_t self:capability { ipc_lock net_admin net_raw sys_admin sys_boot sys_nice sys_pacct sys_resource }; dontaudit watchdog_t self:capability sys_tty_config; allow watchdog_t self:process { setsched signal_perms }; allow watchdog_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/wdmd.te b/policy/modules/contrib/wdmd.te index a32e1988..24c3802e 100644 --- a/policy/modules/contrib/wdmd.te +++ b/policy/modules/contrib/wdmd.te @@ -23,7 +23,7 @@ files_pid_file(wdmd_var_run_t) # Local policy # -allow wdmd_t self:capability { chown sys_nice ipc_lock }; +allow wdmd_t self:capability { chown ipc_lock sys_nice }; allow wdmd_t self:process { setsched signal }; allow wdmd_t self:fifo_file rw_fifo_file_perms; allow wdmd_t self:unix_stream_socket { accept listen }; diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te index c134cfe5..383c00a7 100644 --- a/policy/modules/contrib/xen.te +++ b/policy/modules/contrib/xen.te @@ -163,7 +163,7 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir }) # xend local policy # -allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_resource sys_rawio }; +allow xend_t self:capability { dac_override ipc_lock net_admin net_raw setuid sys_admin sys_nice sys_rawio sys_resource sys_tty_config }; dontaudit xend_t self:capability { sys_ptrace }; allow xend_t self:process { setrlimit signal sigkill }; dontaudit xend_t self:process ptrace; @@ -470,7 +470,7 @@ xen_append_log(xenstored_t) # xm local policy # -allow xm_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config }; +allow xm_t self:capability { dac_override ipc_lock setpcap sys_nice sys_tty_config }; allow xm_t self:process { getcap getsched setsched setcap signal }; allow xm_t self:fifo_file rw_fifo_file_perms; allow xm_t self:unix_stream_socket { accept connectto listen }; diff --git a/policy/modules/contrib/yam.te b/policy/modules/contrib/yam.te index 2695db25..4927d4d7 100644 --- a/policy/modules/contrib/yam.te +++ b/policy/modules/contrib/yam.te @@ -26,7 +26,7 @@ files_tmp_file(yam_tmp_t) # Local policy # -allow yam_t self:capability { chown fowner fsetid dac_override }; +allow yam_t self:capability { chown dac_override fowner fsetid }; allow yam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap }; allow yam_t self:fd use; allow yam_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/zabbix.te b/policy/modules/contrib/zabbix.te index 33822181..a021b743 100644 --- a/policy/modules/contrib/zabbix.te +++ b/policy/modules/contrib/zabbix.te @@ -44,7 +44,7 @@ files_pid_file(zabbix_var_run_t) # Local policy # -allow zabbix_t self:capability { dac_read_search dac_override setuid setgid }; +allow zabbix_t self:capability { dac_override dac_read_search setgid setuid }; allow zabbix_t self:process { setsched signal_perms }; allow zabbix_t self:fifo_file rw_fifo_file_perms; allow zabbix_t self:unix_stream_socket create_stream_socket_perms; @@ -132,7 +132,7 @@ optional_policy(` # Agent local policy # -allow zabbix_agent_t self:capability { setuid setgid }; +allow zabbix_agent_t self:capability { setgid setuid }; allow zabbix_agent_t self:process { setsched getsched signal }; allow zabbix_agent_t self:fifo_file rw_fifo_file_perms; allow zabbix_agent_t self:sem create_sem_perms; diff --git a/policy/modules/contrib/zarafa.te b/policy/modules/contrib/zarafa.te index 5ce3c3eb..506952fb 100644 --- a/policy/modules/contrib/zarafa.te +++ b/policy/modules/contrib/zarafa.te @@ -158,7 +158,7 @@ corenet_tcp_sendrecv_smtp_port(zarafa_spooler_t) # Zarafa domain local policy # -allow zarafa_domain self:capability { kill dac_override chown setgid setuid }; +allow zarafa_domain self:capability { chown dac_override kill setgid setuid }; allow zarafa_domain self:process { setrlimit signal }; allow zarafa_domain self:fifo_file rw_fifo_file_perms; allow zarafa_domain self:tcp_socket { accept listen }; diff --git a/policy/modules/contrib/zebra.te b/policy/modules/contrib/zebra.te index d0b03583..bfc2d21d 100644 --- a/policy/modules/contrib/zebra.te +++ b/policy/modules/contrib/zebra.te @@ -37,7 +37,7 @@ files_pid_file(zebra_var_run_t) # Local policy # -allow zebra_t self:capability { setgid setuid net_admin net_raw }; +allow zebra_t self:capability { net_admin net_raw setgid setuid }; dontaudit zebra_t self:capability sys_tty_config; allow zebra_t self:process { signal_perms getcap setcap }; allow zebra_t self:fifo_file rw_fifo_file_perms; From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 2B7A7139694 for ; Fri, 17 Feb 2017 08:44:45 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 5ADFF21C084; Fri, 17 Feb 2017 08:44:34 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 26CEE21C084 for ; Fri, 17 Feb 2017 08:44:29 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 15094341142 for ; Fri, 17 Feb 2017 08:44:18 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id BF9B74AD8 for ; Fri, 17 Feb 2017 08:44:13 +0000 (UTC) From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1487320892.6c4f7f44b8475c05327146520cc4f3e196f9574c.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/accountsd.te policy/modules/contrib/afs.te policy/modules/contrib/aisexec.te policy/modules/contrib/alsa.te policy/modules/contrib/amanda.te policy/modules/contrib/amavis.te policy/modules/contrib/apache.te policy/modules/contrib/apm.te policy/modules/contrib/asterisk.te policy/modules/contrib/automount.te policy/modules/contrib/avahi.te policy/modules/contrib/bacula.te policy/modules/contrib/bluetooth.te policy/modules/contrib/boinc.te policy/modules/contrib/cachefilesd.te policy/modules/contrib/callweaver.te policy/modules/contrib/canna.te policy/modules/contrib/ccs.te policy/modules/contrib/cdrecord.te policy/modules/contrib/certmaster.te policy/modules/contrib/certmonger.te policy/modules/contrib/cgroup.te policy/modules/contrib/chronyd.te policy/modules/contrib/cipe.te policy/modules/contrib/clamav.te policy/modules/contrib/clockspeed.te policy/modules/contrib/clogd.te policy/modules/contrib/cmirrord.te policy/modules/contrib/colord.te policy/ modules/contrib/comsat.te policy/modules/contrib/condor.te policy/modules/contrib/consolekit.te policy/modules/contrib/corosync.te policy/modules/contrib/courier.te policy/modules/contrib/cron.te policy/modules/contrib/cups.te policy/modules/contrib/cvs.te policy/modules/contrib/daemontools.te policy/modules/contrib/dante.te policy/modules/contrib/dbus.te policy/modules/contrib/dcc.te policy/modules/contrib/ddcprobe.te policy/modules/contrib/devicekit.te policy/modules/contrib/dhcp.te policy/modules/contrib/dictd.te policy/modules/contrib/dnsmasq.te policy/modules/contrib/dovecot.te policy/modules/contrib/dpkg.te policy/modules/contrib/evolution.te policy/modules/contrib/exim.te policy/modules/contrib/fail2ban.te policy/modules/contrib/finger.te policy/modules/contrib/ftp.te policy/modules/contrib/gdomap.te policy/modules/contrib/glusterfs.te policy/modules/contrib/gpm.te policy/modules/contrib/gpsd.te policy/modules/contrib/hadoop.te policy/modules/contrib/hal.te policy/modules/con trib/ifplugd.te policy/modules/contrib/inetd.te policy/modules/contrib/iodine.te policy/modules/contrib/kdump.te policy/modules/contrib/kerberos.te policy/modules/contrib/kismet.te policy/modules/contrib/kudzu.te policy/modules/contrib/ldap.te policy/modules/contrib/likewise.te policy/modules/contrib/logrotate.te policy/modules/contrib/logwatch.te policy/modules/contrib/lpd.te policy/modules/contrib/mailman.te policy/modules/contrib/mailscanner.te policy/modules/contrib/mandb.te policy/modules/contrib/memcached.te policy/modules/contrib/milter.te policy/modules/contrib/minissdpd.te policy/modules/contrib/mozilla.te policy/modules/contrib/mrtg.te policy/modules/contrib/mta.te policy/modules/contrib/nagios.te policy/modules/contrib/networkmanager.te policy/modules/contrib/nslcd.te policy/modules/contrib/ntop.te policy/modules/contrib/ntp.te policy/modules/contrib/nut.te policy/modules/contrib/oddjob.te policy/modules/contrib/oident.te policy/modules/contrib/openvpn.te policy/modules/c ontrib/openvswitch.te policy/modules/contrib/pacemaker.te policy/modules/contrib/passenger.te policy/modules/contrib/pcmcia.te policy/modules/contrib/pegasus.te policy/modules/contrib/pkcs.te policy/modules/contrib/podsleuth.te policy/modules/contrib/portage.if policy/modules/contrib/portage.te policy/modules/contrib/portmap.te policy/modules/contrib/portreserve.te policy/modules/contrib/portslave.te policy/modules/contrib/postfix.te policy/modules/contrib/postfixpolicyd.te policy/modules/contrib/ppp.te policy/modules/contrib/procmail.te policy/modules/contrib/psad.te policy/modules/contrib/pulseaudio.te policy/modules/contrib/puppet.te policy/modules/contrib/qemu.if policy/modules/contrib/qmail.te policy/modules/contrib/quota.te policy/modules/contrib/radvd.te policy/modules/contrib/raid.te policy/modules/contrib/readahead.te policy/modules/contrib/remotelogin.te policy/modules/contrib/rgmanager.te policy/modules/contrib/rhcs.te policy/modules/contrib/ricci.te policy/modules/contri b/rlogin.te policy/modules/contrib/rpc.te policy/modules/contrib/rpm.te policy/modules/contrib/rshd.te policy/modules/contrib/rssh.te policy/modules/contrib/rsync.te policy/modules/contrib/samba.te policy/modules/contrib/samhain.te policy/modules/contrib/screen.te policy/modules/contrib/sendmail.te policy/modules/contrib/shorewall.te policy/modules/contrib/slocate.te policy/modules/contrib/smartmon.te policy/modules/contrib/smokeping.te policy/modules/contrib/snmp.te policy/modules/contrib/snort.te policy/modules/contrib/sosreport.te policy/modules/contrib/spamassassin.te policy/modules/contrib/squid.te policy/modules/contrib/sssd.te policy/modules/contrib/sxid.te policy/modules/contrib/systemtap.te policy/modules/contrib/telnet.te policy/modules/contrib/tripwire.te policy/modules/contrib/ulogd.te policy/modules/contrib/userhelper.te policy/modules/contrib/usernetctl.te policy/modules/contrib/uucp.te policy/modules/contrib/varnishd.te policy/modules/contrib/vbetool.te policy/modules /contrib/vhostmd.te policy/modules/contrib/virt.te policy/modules/contrib/vlock.te policy/modules/contrib/vmware.te policy/modules/contrib/vpn.te policy/modules/contrib/watchdog.te policy/modules/contrib/wdmd.te policy/modules/contrib/xen.te policy/modules/contrib/yam.te policy/modules/contrib/zabbix.te policy/modules/contrib/zarafa.te policy/modules/contrib/zebra.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 6c4f7f44b8475c05327146520cc4f3e196f9574c X-VCS-Branch: master Date: Fri, 17 Feb 2017 08:44:13 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 096e3f34-ed9d-4154-b29d-ad868046a43f X-Archives-Hash: 1b729408fd2e81e4f29483e7c0c324b3 Message-ID: <20170217084413.rABI7VZEPSAiJo46_z9CUf3RSPWLcxsMTd7SiWdhC1M@z> commit: 6c4f7f44b8475c05327146520cc4f3e196f9574c Author: Chris PeBenito ieee org> AuthorDate: Wed Feb 15 23:47:07 2017 +0000 Commit: Jason Zaman gentoo org> CommitDate: Fri Feb 17 08:41:32 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6c4f7f44 Sort capabilities permissions from Russell Coker. policy/modules/contrib/accountsd.te | 2 +- policy/modules/contrib/afs.te | 2 +- policy/modules/contrib/aisexec.te | 2 +- policy/modules/contrib/alsa.te | 2 +- policy/modules/contrib/amanda.te | 4 ++-- policy/modules/contrib/amavis.te | 2 +- policy/modules/contrib/apache.te | 2 +- policy/modules/contrib/apm.te | 4 ++-- policy/modules/contrib/asterisk.te | 2 +- policy/modules/contrib/automount.te | 2 +- policy/modules/contrib/avahi.te | 2 +- policy/modules/contrib/bacula.te | 2 +- policy/modules/contrib/bluetooth.te | 2 +- policy/modules/contrib/boinc.te | 2 +- policy/modules/contrib/cachefilesd.te | 2 +- policy/modules/contrib/callweaver.te | 2 +- policy/modules/contrib/canna.te | 2 +- policy/modules/contrib/ccs.te | 2 +- policy/modules/contrib/cdrecord.te | 2 +- policy/modules/contrib/certmaster.te | 2 +- policy/modules/contrib/certmonger.te | 2 +- policy/modules/contrib/cgroup.te | 6 +++--- policy/modules/contrib/chronyd.te | 2 +- policy/modules/contrib/cipe.te | 2 +- policy/modules/contrib/clamav.te | 6 +++--- policy/modules/contrib/clockspeed.te | 2 +- policy/modules/contrib/clogd.te | 2 +- policy/modules/contrib/cmirrord.te | 2 +- policy/modules/contrib/colord.te | 2 +- policy/modules/contrib/comsat.te | 2 +- policy/modules/contrib/condor.te | 12 ++++++------ policy/modules/contrib/consolekit.te | 2 +- policy/modules/contrib/corosync.te | 4 ++-- policy/modules/contrib/courier.te | 4 ++-- policy/modules/contrib/cron.te | 6 +++--- policy/modules/contrib/cups.te | 10 +++++----- policy/modules/contrib/cvs.te | 2 +- policy/modules/contrib/daemontools.te | 2 +- policy/modules/contrib/dante.te | 2 +- policy/modules/contrib/dbus.te | 2 +- policy/modules/contrib/dcc.te | 4 ++-- policy/modules/contrib/ddcprobe.te | 2 +- policy/modules/contrib/devicekit.te | 4 ++-- policy/modules/contrib/dhcp.te | 2 +- policy/modules/contrib/dictd.te | 2 +- policy/modules/contrib/dnsmasq.te | 2 +- policy/modules/contrib/dovecot.te | 2 +- policy/modules/contrib/dpkg.te | 4 ++-- policy/modules/contrib/evolution.te | 2 +- policy/modules/contrib/exim.te | 2 +- policy/modules/contrib/fail2ban.te | 2 +- policy/modules/contrib/finger.te | 2 +- policy/modules/contrib/ftp.te | 2 +- policy/modules/contrib/gdomap.te | 2 +- policy/modules/contrib/glusterfs.te | 2 +- policy/modules/contrib/gpm.te | 2 +- policy/modules/contrib/gpsd.te | 4 ++-- policy/modules/contrib/hadoop.te | 2 +- policy/modules/contrib/hal.te | 2 +- policy/modules/contrib/ifplugd.te | 2 +- policy/modules/contrib/inetd.te | 4 ++-- policy/modules/contrib/iodine.te | 2 +- policy/modules/contrib/kdump.te | 2 +- policy/modules/contrib/kerberos.te | 4 ++-- policy/modules/contrib/kismet.te | 2 +- policy/modules/contrib/kudzu.te | 2 +- policy/modules/contrib/ldap.te | 2 +- policy/modules/contrib/likewise.te | 4 ++-- policy/modules/contrib/logrotate.te | 2 +- policy/modules/contrib/logwatch.te | 2 +- policy/modules/contrib/lpd.te | 6 +++--- policy/modules/contrib/mailman.te | 2 +- policy/modules/contrib/mailscanner.te | 2 +- policy/modules/contrib/mandb.te | 2 +- policy/modules/contrib/memcached.te | 2 +- policy/modules/contrib/milter.te | 2 +- policy/modules/contrib/minissdpd.te | 2 +- policy/modules/contrib/mozilla.te | 4 ++-- policy/modules/contrib/mrtg.te | 2 +- policy/modules/contrib/mta.te | 2 +- policy/modules/contrib/nagios.te | 8 ++++---- policy/modules/contrib/networkmanager.te | 4 ++-- policy/modules/contrib/nslcd.te | 2 +- policy/modules/contrib/ntop.te | 2 +- policy/modules/contrib/ntp.te | 4 ++-- policy/modules/contrib/nut.te | 2 +- policy/modules/contrib/oddjob.te | 2 +- policy/modules/contrib/oident.te | 2 +- policy/modules/contrib/openvpn.te | 2 +- policy/modules/contrib/openvswitch.te | 2 +- policy/modules/contrib/pacemaker.te | 2 +- policy/modules/contrib/passenger.te | 2 +- policy/modules/contrib/pcmcia.te | 2 +- policy/modules/contrib/pegasus.te | 2 +- policy/modules/contrib/pkcs.te | 2 +- policy/modules/contrib/podsleuth.te | 2 +- policy/modules/contrib/portage.if | 2 +- policy/modules/contrib/portage.te | 4 ++-- policy/modules/contrib/portmap.te | 2 +- policy/modules/contrib/portreserve.te | 2 +- policy/modules/contrib/portslave.te | 2 +- policy/modules/contrib/postfix.te | 8 ++++---- policy/modules/contrib/postfixpolicyd.te | 2 +- policy/modules/contrib/ppp.te | 4 ++-- policy/modules/contrib/procmail.te | 2 +- policy/modules/contrib/psad.te | 2 +- policy/modules/contrib/pulseaudio.te | 2 +- policy/modules/contrib/puppet.te | 4 ++-- policy/modules/contrib/qemu.if | 2 +- policy/modules/contrib/qmail.te | 2 +- policy/modules/contrib/quota.te | 2 +- policy/modules/contrib/radvd.te | 2 +- policy/modules/contrib/raid.te | 2 +- policy/modules/contrib/readahead.te | 2 +- policy/modules/contrib/remotelogin.te | 2 +- policy/modules/contrib/rgmanager.te | 2 +- policy/modules/contrib/rhcs.te | 2 +- policy/modules/contrib/ricci.te | 2 +- policy/modules/contrib/rlogin.te | 2 +- policy/modules/contrib/rpc.te | 4 ++-- policy/modules/contrib/rpm.te | 4 ++-- policy/modules/contrib/rshd.te | 2 +- policy/modules/contrib/rssh.te | 2 +- policy/modules/contrib/rsync.te | 2 +- policy/modules/contrib/samba.te | 8 ++++---- policy/modules/contrib/samhain.te | 2 +- policy/modules/contrib/screen.te | 2 +- policy/modules/contrib/sendmail.te | 2 +- policy/modules/contrib/shorewall.te | 2 +- policy/modules/contrib/slocate.te | 2 +- policy/modules/contrib/smartmon.te | 2 +- policy/modules/contrib/smokeping.te | 2 +- policy/modules/contrib/snmp.te | 2 +- policy/modules/contrib/snort.te | 2 +- policy/modules/contrib/sosreport.te | 2 +- policy/modules/contrib/spamassassin.te | 2 +- policy/modules/contrib/squid.te | 2 +- policy/modules/contrib/sssd.te | 2 +- policy/modules/contrib/sxid.te | 2 +- policy/modules/contrib/systemtap.te | 2 +- policy/modules/contrib/telnet.te | 2 +- policy/modules/contrib/tripwire.te | 2 +- policy/modules/contrib/ulogd.te | 2 +- policy/modules/contrib/userhelper.te | 4 ++-- policy/modules/contrib/usernetctl.te | 2 +- policy/modules/contrib/uucp.te | 4 ++-- policy/modules/contrib/varnishd.te | 2 +- policy/modules/contrib/vbetool.te | 2 +- policy/modules/contrib/vhostmd.te | 2 +- policy/modules/contrib/virt.te | 12 ++++++------ policy/modules/contrib/vlock.te | 2 +- policy/modules/contrib/vmware.te | 4 ++-- policy/modules/contrib/vpn.te | 2 +- policy/modules/contrib/watchdog.te | 2 +- policy/modules/contrib/wdmd.te | 2 +- policy/modules/contrib/xen.te | 4 ++-- policy/modules/contrib/yam.te | 2 +- policy/modules/contrib/zabbix.te | 4 ++-- policy/modules/contrib/zarafa.te | 2 +- policy/modules/contrib/zebra.te | 2 +- 160 files changed, 215 insertions(+), 215 deletions(-) diff --git a/policy/modules/contrib/accountsd.te b/policy/modules/contrib/accountsd.te index 3593510d..d435a2d6 100644 --- a/policy/modules/contrib/accountsd.te +++ b/policy/modules/contrib/accountsd.te @@ -21,7 +21,7 @@ files_type(accountsd_var_lib_t) # Local policy # -allow accountsd_t self:capability { chown dac_override setuid setgid sys_ptrace }; +allow accountsd_t self:capability { chown dac_override setgid setuid sys_ptrace }; allow accountsd_t self:process signal; allow accountsd_t self:fifo_file rw_fifo_file_perms; allow accountsd_t self:passwd { rootok passwd chfn chsh }; diff --git a/policy/modules/contrib/afs.te b/policy/modules/contrib/afs.te index e685b5d3..b95757a5 100644 --- a/policy/modules/contrib/afs.te +++ b/policy/modules/contrib/afs.te @@ -147,7 +147,7 @@ seutil_read_config(afs_bosserver_t) # fileserver local policy # -allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice }; +allow afs_fsserver_t self:capability { chown dac_override fowner kill sys_nice }; dontaudit afs_fsserver_t self:capability fsetid; allow afs_fsserver_t self:process { setsched signal_perms }; allow afs_fsserver_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/aisexec.te b/policy/modules/contrib/aisexec.te index d89a243e..06b61940 100644 --- a/policy/modules/contrib/aisexec.te +++ b/policy/modules/contrib/aisexec.te @@ -32,7 +32,7 @@ files_pid_file(aisexec_var_run_t) # Local policy # -allow aisexec_t self:capability { sys_nice sys_resource ipc_lock ipc_owner }; +allow aisexec_t self:capability { ipc_lock ipc_owner sys_nice sys_resource }; allow aisexec_t self:process { setrlimit setsched signal }; allow aisexec_t self:fifo_file rw_fifo_file_perms; allow aisexec_t self:sem create_sem_perms; diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te index 19046676..f82e39ca 100644 --- a/policy/modules/contrib/alsa.te +++ b/policy/modules/contrib/alsa.te @@ -38,7 +38,7 @@ userdom_user_home_content(alsa_home_t) # Local policy # -allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner }; +allow alsa_t self:capability { dac_override dac_read_search ipc_owner setgid setuid }; dontaudit alsa_t self:capability sys_admin; allow alsa_t self:sem create_sem_perms; allow alsa_t self:shm create_shm_perms; diff --git a/policy/modules/contrib/amanda.te b/policy/modules/contrib/amanda.te index 65fa3975..ecf15211 100644 --- a/policy/modules/contrib/amanda.te +++ b/policy/modules/contrib/amanda.te @@ -59,7 +59,7 @@ optional_policy(` # Local policy # -allow amanda_t self:capability { chown dac_override setuid kill }; +allow amanda_t self:capability { chown dac_override kill setuid }; allow amanda_t self:process { setpgid signal }; allow amanda_t self:fifo_file rw_fifo_file_perms; allow amanda_t self:unix_stream_socket { accept listen }; @@ -141,7 +141,7 @@ logging_send_syslog_msg(amanda_t) # Recover local policy # -allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override }; +allow amanda_recover_t self:capability { chown dac_override fowner fsetid kill setgid setuid }; allow amanda_recover_t self:process { sigkill sigstop signal }; allow amanda_recover_t self:fifo_file rw_fifo_file_perms; allow amanda_recover_t self:unix_stream_socket create_socket_perms; diff --git a/policy/modules/contrib/amavis.te b/policy/modules/contrib/amavis.te index 2f66a812..44913b37 100644 --- a/policy/modules/contrib/amavis.te +++ b/policy/modules/contrib/amavis.te @@ -46,7 +46,7 @@ files_type(amavis_spool_t) # Local policy # -allow amavis_t self:capability { kill chown dac_override setgid setuid }; +allow amavis_t self:capability { chown dac_override kill setgid setuid }; dontaudit amavis_t self:capability sys_tty_config; allow amavis_t self:process signal_perms; allow amavis_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te index 12b80554..2f724b68 100644 --- a/policy/modules/contrib/apache.te +++ b/policy/modules/contrib/apache.te @@ -920,7 +920,7 @@ tunable_policy(`httpd_tty_comm',` # Suexec local policy # -allow httpd_suexec_t self:capability { setuid setgid }; +allow httpd_suexec_t self:capability { setgid setuid }; allow httpd_suexec_t self:process signal_perms; allow httpd_suexec_t self:fifo_file rw_fifo_file_perms; allow httpd_suexec_t self:tcp_socket { accept listen }; diff --git a/policy/modules/contrib/apm.te b/policy/modules/contrib/apm.te index f5692d58..c5647460 100644 --- a/policy/modules/contrib/apm.te +++ b/policy/modules/contrib/apm.te @@ -62,8 +62,8 @@ logging_send_syslog_msg(apm_t) # Server local policy # -allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod }; -dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config }; +allow apmd_t self:capability { kill mknod sys_admin sys_nice sys_time }; +dontaudit apmd_t self:capability { dac_override dac_read_search setuid sys_ptrace sys_tty_config }; allow apmd_t self:process { signal_perms getsession }; allow apmd_t self:fifo_file rw_fifo_file_perms; allow apmd_t self:netlink_socket create_socket_perms; diff --git a/policy/modules/contrib/asterisk.te b/policy/modules/contrib/asterisk.te index db0efef0..9c6a947f 100644 --- a/policy/modules/contrib/asterisk.te +++ b/policy/modules/contrib/asterisk.te @@ -39,7 +39,7 @@ init_daemon_pid_file(asterisk_var_run_t, dir, "asterisk") # Local policy # -allow asterisk_t self:capability { dac_override chown setgid setuid sys_nice net_admin }; +allow asterisk_t self:capability { chown dac_override net_admin setgid setuid sys_nice }; dontaudit asterisk_t self:capability { sys_module sys_tty_config }; allow asterisk_t self:process { getsched setsched signal_perms getcap setcap }; allow asterisk_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/automount.te b/policy/modules/contrib/automount.te index ae421061..09b82b0c 100644 --- a/policy/modules/contrib/automount.te +++ b/policy/modules/contrib/automount.te @@ -33,7 +33,7 @@ files_pid_file(automount_var_run_t) # Local policy # -allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin }; +allow automount_t self:capability { dac_override setgid setuid sys_admin sys_nice sys_resource }; dontaudit automount_t self:capability sys_tty_config; allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit }; allow automount_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te index d5d87ee3..b2e43eed 100644 --- a/policy/modules/contrib/avahi.te +++ b/policy/modules/contrib/avahi.te @@ -27,7 +27,7 @@ files_pid_file(avahi_var_run_t) # Local policy # -allow avahi_t self:capability { dac_override setgid chown fowner kill net_admin net_raw setuid sys_chroot }; +allow avahi_t self:capability { chown dac_override fowner kill net_admin net_raw setgid setuid sys_chroot }; dontaudit avahi_t self:capability sys_tty_config; allow avahi_t self:process { setrlimit signal_perms getcap setcap }; allow avahi_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/bacula.te b/policy/modules/contrib/bacula.te index 2050984c..20b92c3f 100644 --- a/policy/modules/contrib/bacula.te +++ b/policy/modules/contrib/bacula.te @@ -43,7 +43,7 @@ role bacula_admin_roles types bacula_admin_t; # Local policy # -allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid}; +allow bacula_t self:capability { chown dac_override dac_read_search fowner fsetid }; allow bacula_t self:process signal; allow bacula_t self:fifo_file rw_fifo_file_perms; allow bacula_t self:tcp_socket { accept listen }; diff --git a/policy/modules/contrib/bluetooth.te b/policy/modules/contrib/bluetooth.te index ceb79e63..75d739da 100644 --- a/policy/modules/contrib/bluetooth.te +++ b/policy/modules/contrib/bluetooth.te @@ -57,7 +57,7 @@ files_pid_file(bluetooth_var_run_t) # Local policy # -allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_admin sys_tty_config ipc_lock }; +allow bluetooth_t self:capability { dac_override ipc_lock net_admin net_bind_service net_raw setpcap sys_admin sys_tty_config }; dontaudit bluetooth_t self:capability sys_tty_config; allow bluetooth_t self:process { getcap setcap getsched signal_perms }; allow bluetooth_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/boinc.te b/policy/modules/contrib/boinc.te index 64803206..ed1aaf34 100644 --- a/policy/modules/contrib/boinc.te +++ b/policy/modules/contrib/boinc.te @@ -168,7 +168,7 @@ optional_policy(` # Project local policy # -allow boinc_project_t self:capability { setuid setgid }; +allow boinc_project_t self:capability { setgid setuid }; allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal_perms }; manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) diff --git a/policy/modules/contrib/cachefilesd.te b/policy/modules/contrib/cachefilesd.te index 14fcf67c..c92149d1 100644 --- a/policy/modules/contrib/cachefilesd.te +++ b/policy/modules/contrib/cachefilesd.te @@ -27,7 +27,7 @@ role system_r types cachefiles_kernel_t; # Cachefilesd local policy # -allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override }; +allow cachefilesd_t self:capability { dac_override setgid setuid sys_admin }; allow cachefilesd_t cachefiles_kernel_t:kernel_service use_as_override; diff --git a/policy/modules/contrib/callweaver.te b/policy/modules/contrib/callweaver.te index d67ad9b8..f9443343 100644 --- a/policy/modules/contrib/callweaver.te +++ b/policy/modules/contrib/callweaver.te @@ -29,7 +29,7 @@ files_type(callweaver_spool_t) # Local policy # -allow callweaver_t self:capability { setuid sys_nice setgid }; +allow callweaver_t self:capability { setgid setuid sys_nice }; allow callweaver_t self:process { setsched signal }; allow callweaver_t self:fifo_file rw_fifo_file_perms; allow callweaver_t self:tcp_socket { accept listen }; diff --git a/policy/modules/contrib/canna.te b/policy/modules/contrib/canna.te index 6738527a..ea8f64b5 100644 --- a/policy/modules/contrib/canna.te +++ b/policy/modules/contrib/canna.te @@ -26,7 +26,7 @@ files_pid_file(canna_var_run_t) # Local policy # -allow canna_t self:capability { setgid setuid net_bind_service }; +allow canna_t self:capability { net_bind_service setgid setuid }; dontaudit canna_t self:capability sys_tty_config; allow canna_t self:process signal_perms; allow canna_t self:unix_stream_socket { accept connectto listen }; diff --git a/policy/modules/contrib/ccs.te b/policy/modules/contrib/ccs.te index eacec0bf..bc766e74 100644 --- a/policy/modules/contrib/ccs.te +++ b/policy/modules/contrib/ccs.te @@ -35,7 +35,7 @@ files_pid_file(ccs_var_run_t) # Local policy # -allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin }; +allow ccs_t self:capability { ipc_lock ipc_owner sys_admin sys_nice sys_resource }; allow ccs_t self:process { signal setrlimit setsched }; dontaudit ccs_t self:process ptrace; allow ccs_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/cdrecord.te b/policy/modules/contrib/cdrecord.te index 16883c9c..4af7717a 100644 --- a/policy/modules/contrib/cdrecord.te +++ b/policy/modules/contrib/cdrecord.te @@ -29,7 +29,7 @@ role cdrecord_roles types cdrecord_t; # Local policy # -allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio }; +allow cdrecord_t self:capability { dac_override ipc_lock setuid sys_nice sys_rawio }; allow cdrecord_t self:process { getcap getsched setrlimit setsched sigkill }; allow cdrecord_t self:unix_stream_socket { accept listen }; diff --git a/policy/modules/contrib/certmaster.te b/policy/modules/contrib/certmaster.te index 16420ae9..daeb417d 100644 --- a/policy/modules/contrib/certmaster.te +++ b/policy/modules/contrib/certmaster.te @@ -29,7 +29,7 @@ files_pid_file(certmaster_var_run_t) # Local policy # -allow certmaster_t self:capability { dac_read_search dac_override sys_tty_config }; +allow certmaster_t self:capability { dac_override dac_read_search sys_tty_config }; allow certmaster_t self:tcp_socket { accept listen }; list_dirs_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t) diff --git a/policy/modules/contrib/certmonger.te b/policy/modules/contrib/certmonger.te index defc3467..f6c9d20d 100644 --- a/policy/modules/contrib/certmonger.te +++ b/policy/modules/contrib/certmonger.te @@ -23,7 +23,7 @@ files_pid_file(certmonger_var_run_t) # Local policy # -allow certmonger_t self:capability { chown dac_override dac_read_search setgid setuid kill sys_nice }; +allow certmonger_t self:capability { chown dac_override dac_read_search kill setgid setuid sys_nice }; dontaudit certmonger_t self:capability sys_tty_config; allow certmonger_t self:capability2 block_suspend; allow certmonger_t self:process { getsched setsched sigkill signal }; diff --git a/policy/modules/contrib/cgroup.te b/policy/modules/contrib/cgroup.te index 5d600a9f..3599d7a2 100644 --- a/policy/modules/contrib/cgroup.te +++ b/policy/modules/contrib/cgroup.te @@ -40,7 +40,7 @@ files_config_file(cgconfig_etc_t) # cgclear local policy # -allow cgclear_t self:capability { dac_read_search dac_override sys_admin }; +allow cgclear_t self:capability { dac_override dac_read_search sys_admin }; allow cgclear_t cgconfig_etc_t:file read_file_perms; @@ -57,7 +57,7 @@ fs_unmount_cgroup(cgclear_t) # cgconfig local policy # -allow cgconfig_t self:capability { dac_override fowner fsetid chown sys_admin sys_tty_config }; +allow cgconfig_t self:capability { chown dac_override fowner fsetid sys_admin sys_tty_config }; allow cgconfig_t cgconfig_etc_t:file read_file_perms; @@ -77,7 +77,7 @@ fs_unmount_cgroup(cgconfig_t) # cgred local policy # -allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override }; +allow cgred_t self:capability { chown dac_override fsetid net_admin sys_admin sys_ptrace }; allow cgred_t self:netlink_socket { write bind create read }; allow cgred_t self:unix_dgram_socket { write create connect }; diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te index 97c541c6..618f6cf5 100644 --- a/policy/modules/contrib/chronyd.te +++ b/policy/modules/contrib/chronyd.te @@ -35,7 +35,7 @@ files_pid_file(chronyd_var_run_t) # Local policy # -allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time }; +allow chronyd_t self:capability { dac_override ipc_lock setgid setuid sys_resource sys_time }; allow chronyd_t self:process { getcap setcap setrlimit signal }; allow chronyd_t self:shm create_shm_perms; allow chronyd_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/cipe.te b/policy/modules/contrib/cipe.te index e2a5c13c..729d7820 100644 --- a/policy/modules/contrib/cipe.te +++ b/policy/modules/contrib/cipe.te @@ -17,7 +17,7 @@ init_script_file(ciped_initrc_exec_t) # Local policy # -allow ciped_t self:capability { net_admin ipc_lock sys_tty_config }; +allow ciped_t self:capability { ipc_lock net_admin sys_tty_config }; dontaudit ciped_t self:capability sys_tty_config; allow ciped_t self:process signal_perms; allow ciped_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/clamav.te b/policy/modules/contrib/clamav.te index 0940e437..f2664e82 100644 --- a/policy/modules/contrib/clamav.te +++ b/policy/modules/contrib/clamav.te @@ -73,7 +73,7 @@ logging_log_file(freshclam_var_log_t) # Clamd local policy # -allow clamd_t self:capability { kill setgid setuid dac_override }; +allow clamd_t self:capability { dac_override kill setgid setuid }; dontaudit clamd_t self:capability sys_tty_config; allow clamd_t self:process signal; allow clamd_t self:fifo_file rw_fifo_file_perms; @@ -173,7 +173,7 @@ optional_policy(` # Freshclam local policy # -allow freshclam_t self:capability { setgid setuid dac_override }; +allow freshclam_t self:capability { dac_override setgid setuid }; allow freshclam_t self:fifo_file rw_fifo_file_perms; allow freshclam_t self:unix_stream_socket { accept listen }; allow freshclam_t self:tcp_socket { accept listen }; @@ -252,7 +252,7 @@ optional_policy(` # Clamscam local policy # -allow clamscan_t self:capability { setgid setuid dac_override }; +allow clamscan_t self:capability { dac_override setgid setuid }; allow clamscan_t self:fifo_file rw_fifo_file_perms; allow clamscan_t self:unix_stream_socket create_stream_socket_perms; allow clamscan_t self:unix_dgram_socket create_socket_perms; diff --git a/policy/modules/contrib/clockspeed.te b/policy/modules/contrib/clockspeed.te index d3e2a67e..6544d006 100644 --- a/policy/modules/contrib/clockspeed.te +++ b/policy/modules/contrib/clockspeed.te @@ -49,7 +49,7 @@ userdom_use_user_terminals(clockspeed_cli_t) # Server local policy # -allow clockspeed_srv_t self:capability { sys_time net_bind_service }; +allow clockspeed_srv_t self:capability { net_bind_service sys_time }; allow clockspeed_srv_t self:udp_socket create_socket_perms; allow clockspeed_srv_t self:unix_dgram_socket create_socket_perms; allow clockspeed_srv_t self:unix_stream_socket create_socket_perms; diff --git a/policy/modules/contrib/clogd.te b/policy/modules/contrib/clogd.te index 356ef465..b9a57b18 100644 --- a/policy/modules/contrib/clogd.te +++ b/policy/modules/contrib/clogd.te @@ -20,7 +20,7 @@ files_pid_file(clogd_var_run_t) # Local policy # -allow clogd_t self:capability { net_admin mknod }; +allow clogd_t self:capability { mknod net_admin }; allow clogd_t self:process signal; allow clogd_t self:sem create_sem_perms; allow clogd_t self:shm create_shm_perms; diff --git a/policy/modules/contrib/cmirrord.te b/policy/modules/contrib/cmirrord.te index d916d65c..ece1a1ce 100644 --- a/policy/modules/contrib/cmirrord.te +++ b/policy/modules/contrib/cmirrord.te @@ -23,7 +23,7 @@ files_pid_file(cmirrord_var_run_t) # Local policy # -allow cmirrord_t self:capability { net_admin kill }; +allow cmirrord_t self:capability { kill net_admin }; dontaudit cmirrord_t self:capability sys_tty_config; allow cmirrord_t self:process { setfscreate signal }; allow cmirrord_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/colord.te b/policy/modules/contrib/colord.te index b7a2b96f..0236b279 100644 --- a/policy/modules/contrib/colord.te +++ b/policy/modules/contrib/colord.te @@ -23,7 +23,7 @@ files_type(colord_var_lib_t) # Local policy # -allow colord_t self:capability { dac_read_search dac_override }; +allow colord_t self:capability { dac_override dac_read_search }; dontaudit colord_t self:capability sys_admin; allow colord_t self:process signal; allow colord_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/comsat.te b/policy/modules/contrib/comsat.te index c63cf855..9b7b3706 100644 --- a/policy/modules/contrib/comsat.te +++ b/policy/modules/contrib/comsat.te @@ -20,7 +20,7 @@ files_pid_file(comsat_var_run_t) # Local policy # -allow comsat_t self:capability { setuid setgid }; +allow comsat_t self:capability { setgid setuid }; allow comsat_t self:process signal_perms; allow comsat_t self:fifo_file rw_fifo_file_perms; allow comsat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; diff --git a/policy/modules/contrib/condor.te b/policy/modules/contrib/condor.te index 33937669..fbb70249 100644 --- a/policy/modules/contrib/condor.te +++ b/policy/modules/contrib/condor.te @@ -130,7 +130,7 @@ optional_policy(` # Master local policy # -allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace }; +allow condor_master_t self:capability { dac_override setgid setuid sys_ptrace }; allow condor_master_t condor_domain:process { sigkill signal }; @@ -167,7 +167,7 @@ optional_policy(` # Collector local policy # -allow condor_collector_t self:capability { setuid setgid }; +allow condor_collector_t self:capability { setgid setuid }; allow condor_collector_t condor_master_t:tcp_socket rw_stream_socket_perms; allow condor_collector_t condor_master_t:udp_socket rw_socket_perms; @@ -179,7 +179,7 @@ kernel_read_network_state(condor_collector_t) # Negotiator local policy # -allow condor_negotiator_t self:capability { setuid setgid }; +allow condor_negotiator_t self:capability { setgid setuid }; allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms; allow condor_negotiator_t condor_master_t:udp_socket getattr; @@ -188,7 +188,7 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr; # Procd local policy # -allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace }; +allow condor_procd_t self:capability { chown dac_override fowner kill sys_ptrace }; allow condor_procd_t condor_domain:process sigkill; @@ -199,7 +199,7 @@ domain_read_all_domains_state(condor_procd_t) # Schedd local policy # -allow condor_schedd_t self:capability { setuid chown setgid dac_override }; +allow condor_schedd_t self:capability { chown dac_override setgid setuid }; allow condor_schedd_t condor_master_t:tcp_socket rw_stream_socket_perms; allow condor_schedd_t condor_master_t:udp_socket getattr; @@ -219,7 +219,7 @@ files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir }) # Startd local policy # -allow condor_startd_t self:capability { setuid net_admin setgid dac_override }; +allow condor_startd_t self:capability { dac_override net_admin setgid setuid }; allow condor_startd_t self:process execmem; manage_dirs_pattern(condor_startd_t, condor_startd_tmp_t, condor_startd_tmp_t) diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te index 5b11390c..a2a51ba8 100644 --- a/policy/modules/contrib/consolekit.te +++ b/policy/modules/contrib/consolekit.te @@ -27,7 +27,7 @@ init_daemon_pid_file(consolekit_var_run_t, dir, "ConsoleKit") # Local policy # -allow consolekit_t self:capability { chown fowner setuid setgid sys_admin sys_tty_config dac_override sys_nice sys_ptrace }; +allow consolekit_t self:capability { chown dac_override fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config }; allow consolekit_t self:process { getsched signal setfscreate }; allow consolekit_t self:fifo_file rw_fifo_file_perms; allow consolekit_t self:unix_stream_socket { accept listen }; diff --git a/policy/modules/contrib/corosync.te b/policy/modules/contrib/corosync.te index 43ec8c61..771582f0 100644 --- a/policy/modules/contrib/corosync.te +++ b/policy/modules/contrib/corosync.te @@ -33,9 +33,9 @@ files_pid_file(corosync_var_run_t) # Local policy # -allow corosync_t self:capability { dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock }; +allow corosync_t self:capability { dac_override fowner ipc_lock setgid setuid sys_admin sys_nice sys_resource }; # for hearbeat -allow corosync_t self:capability { net_raw chown }; +allow corosync_t self:capability { chown net_raw }; allow corosync_t self:process { setpgid setrlimit setsched signal signull }; allow corosync_t self:fifo_file rw_fifo_file_perms; allow corosync_t self:sem create_sem_perms; diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te index 35ba8d89..176bd5c2 100644 --- a/policy/modules/contrib/courier.te +++ b/policy/modules/contrib/courier.te @@ -85,7 +85,7 @@ optional_policy(` # Authdaemon local policy # -allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config }; +allow courier_authdaemon_t self:capability { setgid setuid sys_tty_config }; allow courier_authdaemon_t self:unix_stream_socket { accept connectto listen }; create_dirs_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t) @@ -123,7 +123,7 @@ userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t) # Calendar (PCP) local policy # -allow courier_pcp_t self:capability { setuid setgid }; +allow courier_pcp_t self:capability { setgid setuid }; dev_read_rand(courier_pcp_t) diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te index 1c6f3867..905deb16 100644 --- a/policy/modules/contrib/cron.te +++ b/policy/modules/contrib/cron.te @@ -141,7 +141,7 @@ ifdef(`enable_mcs',` # Common crontab local policy # -allow crontab_domain self:capability { fowner setuid setgid chown dac_override }; +allow crontab_domain self:capability { chown dac_override fowner setgid setuid }; allow crontab_domain self:process { getcap setsched signal_perms }; allow crontab_domain self:fifo_file rw_fifo_file_perms; @@ -217,7 +217,7 @@ tunable_policy(`fcron_crond',` # Daemon local policy # -allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search }; +allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice }; dontaudit crond_t self:capability { sys_resource sys_tty_config }; allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; allow crond_t self:process { setexec setfscreate }; @@ -425,7 +425,7 @@ optional_policy(` # System local policy # -allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice }; +allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_bind_service setgid setuid sys_nice }; allow system_cronjob_t self:process { signal_perms getsched setsched }; allow system_cronjob_t self:fd use; allow system_cronjob_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te index c90e2120..8fdd713f 100644 --- a/policy/modules/contrib/cups.te +++ b/policy/modules/contrib/cups.te @@ -109,8 +109,8 @@ ifdef(`enable_mls',` # Cups local policy # -allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config }; -dontaudit cupsd_t self:capability { sys_tty_config net_admin }; +allow cupsd_t self:capability { chown dac_override dac_override dac_read_search fowner fsetid ipc_lock kill setgid setuid sys_admin sys_rawio sys_resource sys_tty_config }; +dontaudit cupsd_t self:capability { net_admin sys_tty_config }; allow cupsd_t self:capability2 block_suspend; allow cupsd_t self:process { getpgid setpgid setsched signal_perms }; allow cupsd_t self:fifo_file rw_fifo_file_perms; @@ -357,7 +357,7 @@ optional_policy(` # Configuration daemon local policy # -allow cupsd_config_t self:capability { chown dac_override sys_tty_config setuid setgid }; +allow cupsd_config_t self:capability { chown dac_override setgid setuid sys_tty_config }; dontaudit cupsd_config_t self:capability sys_tty_config; allow cupsd_config_t self:process { getsched signal_perms }; allow cupsd_config_t self:fifo_file rw_fifo_file_perms; @@ -500,7 +500,7 @@ optional_policy(` # Lpd local policy # -allow cupsd_lpd_t self:capability { setuid setgid }; +allow cupsd_lpd_t self:capability { setgid setuid }; allow cupsd_lpd_t self:process signal_perms; allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms; allow cupsd_lpd_t self:tcp_socket { accept listen }; @@ -562,7 +562,7 @@ optional_policy(` # Pdf local policy # -allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; +allow cups_pdf_t self:capability { chown dac_override fowner fsetid setgid setuid }; allow cups_pdf_t self:fifo_file rw_fifo_file_perms; allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; diff --git a/policy/modules/contrib/cvs.te b/policy/modules/contrib/cvs.te index ab055c99..f090b62a 100644 --- a/policy/modules/contrib/cvs.te +++ b/policy/modules/contrib/cvs.te @@ -39,7 +39,7 @@ files_pid_file(cvs_var_run_t) # Local policy # -allow cvs_t self:capability { setuid setgid }; +allow cvs_t self:capability { setgid setuid }; allow cvs_t self:process signal_perms; allow cvs_t self:fifo_file rw_fifo_file_perms; allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms; diff --git a/policy/modules/contrib/daemontools.te b/policy/modules/contrib/daemontools.te index 78a01e75..d355befc 100644 --- a/policy/modules/contrib/daemontools.te +++ b/policy/modules/contrib/daemontools.te @@ -55,7 +55,7 @@ logging_manage_generic_logs(svc_multilog_t) # ie. softlimit, setuidgid, envuidgid, envdir, fghack .. # -allow svc_run_t self:capability { setgid setuid chown fsetid sys_resource }; +allow svc_run_t self:capability { chown fsetid setgid setuid sys_resource }; allow svc_run_t self:process setrlimit; allow svc_run_t self:fifo_file rw_fifo_file_perms; allow svc_run_t self:unix_stream_socket create_stream_socket_perms; diff --git a/policy/modules/contrib/dante.te b/policy/modules/contrib/dante.te index 4ed8790f..124f2c58 100644 --- a/policy/modules/contrib/dante.te +++ b/policy/modules/contrib/dante.te @@ -23,7 +23,7 @@ files_pid_file(dante_var_run_t) # Local policy # -allow dante_t self:capability { setuid setgid }; +allow dante_t self:capability { setgid setuid }; dontaudit dante_t self:capability sys_tty_config; allow dante_t self:process signal_perms; allow dante_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te index 42c7d4fe..78de2022 100644 --- a/policy/modules/contrib/dbus.te +++ b/policy/modules/contrib/dbus.te @@ -60,7 +60,7 @@ ifdef(`enable_mls',` # Local policy # -allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid }; +allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_resource }; dontaudit system_dbusd_t self:capability sys_tty_config; allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit }; allow system_dbusd_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/dcc.te b/policy/modules/contrib/dcc.te index 0a6abd4b..9b1c25e7 100644 --- a/policy/modules/contrib/dcc.te +++ b/policy/modules/contrib/dcc.te @@ -82,7 +82,7 @@ files_pid_file(dccm_var_run_t) # Daemon controller local policy # -allow cdcc_t self:capability { setuid setgid }; +allow cdcc_t self:capability { setgid setuid }; manage_dirs_pattern(cdcc_t, cdcc_tmp_t, cdcc_tmp_t) manage_files_pattern(cdcc_t, cdcc_tmp_t, cdcc_tmp_t) @@ -109,7 +109,7 @@ userdom_use_user_terminals(cdcc_t) # Procmail interface local policy # -allow dcc_client_t self:capability { setuid setgid }; +allow dcc_client_t self:capability { setgid setuid }; allow dcc_client_t dcc_client_map_t:file rw_file_perms; diff --git a/policy/modules/contrib/ddcprobe.te b/policy/modules/contrib/ddcprobe.te index 8fa4bb99..8d1263ae 100644 --- a/policy/modules/contrib/ddcprobe.te +++ b/policy/modules/contrib/ddcprobe.te @@ -18,7 +18,7 @@ role ddcprobe_roles types ddcprobe_t; # Local policy # -allow ddcprobe_t self:capability { sys_rawio sys_admin }; +allow ddcprobe_t self:capability { sys_admin sys_rawio }; allow ddcprobe_t self:process execmem; kernel_read_system_state(ddcprobe_t) diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te index a5926c4a..82ce25c3 100644 --- a/policy/modules/contrib/devicekit.te +++ b/policy/modules/contrib/devicekit.te @@ -64,7 +64,7 @@ optional_policy(` # Disk local policy # -allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio }; +allow devicekit_disk_t self:capability { chown dac_override fowner fsetid net_admin setgid setuid sys_admin sys_nice sys_ptrace sys_rawio }; allow devicekit_disk_t self:process { getsched signal_perms }; allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -197,7 +197,7 @@ optional_policy(` # Power local policy # -allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace }; +allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_nice sys_ptrace sys_tty_config }; allow devicekit_power_t self:capability2 wake_alarm; allow devicekit_power_t self:process { getsched signal_perms }; allow devicekit_power_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/dhcp.te b/policy/modules/contrib/dhcp.te index a5f6ecd8..2fbf84ed 100644 --- a/policy/modules/contrib/dhcp.te +++ b/policy/modules/contrib/dhcp.te @@ -37,7 +37,7 @@ files_pid_file(dhcpd_var_run_t) # Local policy # -allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid sys_resource }; +allow dhcpd_t self:capability { chown dac_override net_raw setgid setuid sys_chroot sys_resource }; dontaudit dhcpd_t self:capability { net_admin sys_tty_config }; allow dhcpd_t self:process { getcap setcap signal_perms }; allow dhcpd_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/dictd.te b/policy/modules/contrib/dictd.te index 74b38850..c390b549 100644 --- a/policy/modules/contrib/dictd.te +++ b/policy/modules/contrib/dictd.te @@ -26,7 +26,7 @@ files_pid_file(dictd_var_run_t) # Local policy # -allow dictd_t self:capability { setuid setgid }; +allow dictd_t self:capability { setgid setuid }; dontaudit dictd_t self:capability sys_tty_config; allow dictd_t self:process { signal_perms setpgid }; allow dictd_t self:unix_stream_socket { accept listen }; diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te index 23fdaa0d..ee961ce2 100644 --- a/policy/modules/contrib/dnsmasq.te +++ b/policy/modules/contrib/dnsmasq.te @@ -32,7 +32,7 @@ files_pid_file(dnsmasq_var_run_t) # Local policy # -allow dnsmasq_t self:capability { chown dac_override net_admin setgid setuid net_raw }; +allow dnsmasq_t self:capability { chown dac_override net_admin net_raw setgid setuid }; dontaudit dnsmasq_t self:capability sys_tty_config; allow dnsmasq_t self:process { getcap setcap signal_perms }; allow dnsmasq_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te index fcfcf3c2..1701e3f0 100644 --- a/policy/modules/contrib/dovecot.te +++ b/policy/modules/contrib/dovecot.te @@ -92,7 +92,7 @@ miscfiles_read_localization(dovecot_domain) # Local policy # -allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill setgid setuid sys_chroot }; +allow dovecot_t self:capability { chown dac_override dac_read_search fsetid kill setgid setuid sys_chroot }; dontaudit dovecot_t self:capability sys_tty_config; allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched }; allow dovecot_t self:tcp_socket { accept listen }; diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te index 9bb9d6f6..84dd6ba1 100644 --- a/policy/modules/contrib/dpkg.te +++ b/policy/modules/contrib/dpkg.te @@ -49,7 +49,7 @@ files_tmpfs_file(dpkg_script_tmpfs_t) # Local policy # -allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable }; +allow dpkg_t self:capability { chown dac_override fowner fsetid kill linux_immutable mknod setgid setuid sys_nice sys_resource sys_tty_config }; allow dpkg_t self:process { setpgid fork getsched setfscreate }; allow dpkg_t self:fd use; allow dpkg_t self:fifo_file rw_fifo_file_perms; @@ -202,7 +202,7 @@ optional_policy(` # Script Local policy # -allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill }; +allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod setgid setuid sys_chroot sys_nice }; allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow dpkg_script_t self:fd use; allow dpkg_script_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te index b2376d6d..d717829a 100644 --- a/policy/modules/contrib/evolution.te +++ b/policy/modules/contrib/evolution.te @@ -110,7 +110,7 @@ userdom_user_tmpfs_file(evolution_webcal_tmpfs_t) # Local policy # -allow evolution_t self:capability { setuid setgid sys_nice }; +allow evolution_t self:capability { setgid setuid sys_nice }; allow evolution_t self:process { signal getsched setsched }; allow evolution_t self:fifo_file rw_file_perms; diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te index 97dff0ac..66421ff3 100644 --- a/policy/modules/contrib/exim.te +++ b/policy/modules/contrib/exim.te @@ -73,7 +73,7 @@ ifdef(`distro_debian',` # Local policy # -allow exim_t self:capability { chown dac_override fowner setuid setgid sys_resource }; +allow exim_t self:capability { chown dac_override fowner setgid setuid sys_resource }; allow exim_t self:process { setrlimit setpgid }; allow exim_t self:fifo_file rw_fifo_file_perms; allow exim_t self:unix_stream_socket { accept listen }; diff --git a/policy/modules/contrib/fail2ban.te b/policy/modules/contrib/fail2ban.te index 6f34502d..215d0935 100644 --- a/policy/modules/contrib/fail2ban.te +++ b/policy/modules/contrib/fail2ban.te @@ -36,7 +36,7 @@ role fail2ban_client_roles types fail2ban_client_t; # Server Local policy # -allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config }; +allow fail2ban_t self:capability { dac_override dac_read_search sys_tty_config }; allow fail2ban_t self:process signal; allow fail2ban_t self:fifo_file rw_fifo_file_perms; allow fail2ban_t self:unix_stream_socket { accept connectto listen }; diff --git a/policy/modules/contrib/finger.te b/policy/modules/contrib/finger.te index 0de8ac23..d7fdd5eb 100644 --- a/policy/modules/contrib/finger.te +++ b/policy/modules/contrib/finger.te @@ -25,7 +25,7 @@ files_pid_file(fingerd_var_run_t) # allow fingerd_t self:capability { setgid setuid }; -dontaudit fingerd_t self:capability { sys_tty_config fsetid }; +dontaudit fingerd_t self:capability { fsetid sys_tty_config }; allow fingerd_t self:process signal_perms; allow fingerd_t self:fifo_file rw_fifo_file_perms; allow fingerd_t self:tcp_socket connected_stream_socket_perms; diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te index faf6863a..7e81e249 100644 --- a/policy/modules/contrib/ftp.te +++ b/policy/modules/contrib/ftp.te @@ -170,7 +170,7 @@ ifdef(`enable_mls',` # Local policy # -allow ftpd_t self:capability { chown fowner fsetid ipc_lock kill setgid setuid sys_chroot sys_admin sys_nice sys_resource }; +allow ftpd_t self:capability { chown fowner fsetid ipc_lock kill setgid setuid sys_admin sys_chroot sys_nice sys_resource }; dontaudit ftpd_t self:capability sys_tty_config; allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms }; allow ftpd_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/gdomap.te b/policy/modules/contrib/gdomap.te index 3227543f..e710d356 100644 --- a/policy/modules/contrib/gdomap.te +++ b/policy/modules/contrib/gdomap.te @@ -23,7 +23,7 @@ files_pid_file(gdomap_var_run_t) # Local policy # -allow gdomap_t self:capability { setuid sys_chroot net_bind_service setgid }; +allow gdomap_t self:capability { net_bind_service setgid setuid sys_chroot }; allow gdomap_t self:tcp_socket { listen accept }; allow gdomap_t gdomap_var_run_t:file manage_file_perms; diff --git a/policy/modules/contrib/glusterfs.te b/policy/modules/contrib/glusterfs.te index 83a5806a..07bd10d7 100644 --- a/policy/modules/contrib/glusterfs.te +++ b/policy/modules/contrib/glusterfs.te @@ -32,7 +32,7 @@ files_type(glusterd_var_lib_t) # Local policy # -allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner }; +allow glusterd_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_resource }; allow glusterd_t self:process { setrlimit signal }; allow glusterd_t self:fifo_file rw_fifo_file_perms; allow glusterd_t self:tcp_socket { accept listen }; diff --git a/policy/modules/contrib/gpm.te b/policy/modules/contrib/gpm.te index 5cbfa3a6..4e2b5f9c 100644 --- a/policy/modules/contrib/gpm.te +++ b/policy/modules/contrib/gpm.te @@ -29,7 +29,7 @@ files_type(gpmctl_t) # Local policy # -allow gpm_t self:capability { setpcap setuid dac_override sys_admin sys_tty_config }; +allow gpm_t self:capability { dac_override setpcap setuid sys_admin sys_tty_config }; allow gpm_t self:process { signal signull getcap setcap }; allow gpm_t self:unix_stream_socket { accept listen }; diff --git a/policy/modules/contrib/gpsd.te b/policy/modules/contrib/gpsd.te index bd09110f..6f4e8b79 100644 --- a/policy/modules/contrib/gpsd.te +++ b/policy/modules/contrib/gpsd.te @@ -27,8 +27,8 @@ files_pid_file(gpsd_var_run_t) # Local policy # -allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config }; -dontaudit gpsd_t self:capability { dac_read_search dac_override }; +allow gpsd_t self:capability { fowner fsetid setgid setuid sys_nice sys_time sys_tty_config }; +dontaudit gpsd_t self:capability { dac_override dac_read_search }; allow gpsd_t self:process { setsched signal_perms }; allow gpsd_t self:shm create_shm_perms; allow gpsd_t self:unix_dgram_socket sendto; diff --git a/policy/modules/contrib/hadoop.te b/policy/modules/contrib/hadoop.te index f22683e3..9f333bfd 100644 --- a/policy/modules/contrib/hadoop.te +++ b/policy/modules/contrib/hadoop.te @@ -246,7 +246,7 @@ optional_policy(` # Common hadoop_initrc_domain local policy # -allow hadoop_initrc_domain self:capability { setuid setgid }; +allow hadoop_initrc_domain self:capability { setgid setuid }; dontaudit hadoop_initrc_domain self:capability sys_tty_config; allow hadoop_initrc_domain self:process setsched; allow hadoop_initrc_domain self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te index d3296e28..31035d15 100644 --- a/policy/modules/contrib/hal.te +++ b/policy/modules/contrib/hal.te @@ -72,7 +72,7 @@ hal_stream_connect(hald_domain) # Local policy # -allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config }; +allow hald_t self:capability { chown dac_override dac_read_search kill mknod net_admin setgid setuid sys_admin sys_nice sys_rawio sys_tty_config }; dontaudit hald_t self:capability { sys_ptrace sys_tty_config }; allow hald_t self:process { getsched getattr signal_perms }; allow hald_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/ifplugd.te b/policy/modules/contrib/ifplugd.te index addcca5a..4f1223db 100644 --- a/policy/modules/contrib/ifplugd.te +++ b/policy/modules/contrib/ifplugd.te @@ -23,7 +23,7 @@ files_pid_file(ifplugd_var_run_t) # Local policy # -allow ifplugd_t self:capability { net_admin sys_nice net_bind_service }; +allow ifplugd_t self:capability { net_admin net_bind_service sys_nice }; dontaudit ifplugd_t self:capability sys_tty_config; allow ifplugd_t self:process { signal signull }; allow ifplugd_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/inetd.te b/policy/modules/contrib/inetd.te index 1974c112..66c15680 100644 --- a/policy/modules/contrib/inetd.te +++ b/policy/modules/contrib/inetd.te @@ -37,7 +37,7 @@ ifdef(`enable_mcs',` # Local policy # -allow inetd_t self:capability { setuid setgid sys_resource }; +allow inetd_t self:capability { setgid setuid sys_resource }; dontaudit inetd_t self:capability sys_tty_config; allow inetd_t self:process { setsched setexec setrlimit }; allow inetd_t self:fifo_file rw_fifo_file_perms; @@ -204,7 +204,7 @@ optional_policy(` # Child local policy # -allow inetd_child_t self:capability { setuid setgid }; +allow inetd_child_t self:capability { setgid setuid }; allow inetd_child_t self:process signal_perms; allow inetd_child_t self:fifo_file rw_fifo_file_perms; allow inetd_child_t self:tcp_socket { accept listen }; diff --git a/policy/modules/contrib/iodine.te b/policy/modules/contrib/iodine.te index 6eb84095..c35fc069 100644 --- a/policy/modules/contrib/iodine.te +++ b/policy/modules/contrib/iodine.te @@ -17,7 +17,7 @@ init_script_file(iodined_initrc_exec_t) # Local policy # -allow iodined_t self:capability { net_admin net_raw sys_chroot setgid setuid }; +allow iodined_t self:capability { net_admin net_raw setgid setuid sys_chroot }; allow iodined_t self:rawip_socket create_socket_perms; allow iodined_t self:tun_socket create_socket_perms; allow iodined_t self:udp_socket connected_socket_perms; diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te index e758c15f..9981dc55 100644 --- a/policy/modules/contrib/kdump.te +++ b/policy/modules/contrib/kdump.te @@ -31,7 +31,7 @@ files_tmp_file(kdumpctl_tmp_t) # Local policy # -allow kdump_t self:capability { sys_boot dac_override }; +allow kdump_t self:capability { dac_override sys_boot }; allow kdump_t kdump_etc_t:file read_file_perms; diff --git a/policy/modules/contrib/kerberos.te b/policy/modules/contrib/kerberos.te index 38532d33..d226156e 100644 --- a/policy/modules/contrib/kerberos.te +++ b/policy/modules/contrib/kerberos.te @@ -74,7 +74,7 @@ files_pid_file(krb5kdc_var_run_t) # kadmind local policy # -allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice }; +allow kadmind_t self:capability { chown dac_override fowner setgid setuid sys_nice }; dontaudit kadmind_t self:capability sys_tty_config; allow kadmind_t self:capability2 block_suspend; allow kadmind_t self:process { setfscreate setsched getsched signal_perms }; @@ -174,7 +174,7 @@ optional_policy(` # Krb5kdc local policy # -allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice }; +allow krb5kdc_t self:capability { chown dac_override fowner net_admin setgid setuid sys_nice }; dontaudit krb5kdc_t self:capability sys_tty_config; allow krb5kdc_t self:capability2 block_suspend; allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms }; diff --git a/policy/modules/contrib/kismet.te b/policy/modules/contrib/kismet.te index 30c8c689..a581ece2 100644 --- a/policy/modules/contrib/kismet.te +++ b/policy/modules/contrib/kismet.te @@ -38,7 +38,7 @@ files_pid_file(kismet_var_run_t) # Local policy # -allow kismet_t self:capability { dac_override kill net_admin net_raw setuid setgid }; +allow kismet_t self:capability { dac_override kill net_admin net_raw setgid setuid }; allow kismet_t self:process signal_perms; allow kismet_t self:fifo_file rw_fifo_file_perms; allow kismet_t self:packet_socket create_socket_perms; diff --git a/policy/modules/contrib/kudzu.te b/policy/modules/contrib/kudzu.te index 4116d008..00b43648 100644 --- a/policy/modules/contrib/kudzu.te +++ b/policy/modules/contrib/kudzu.te @@ -26,7 +26,7 @@ files_pid_file(kudzu_var_run_t) # Local policy # -allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod }; +allow kudzu_t self:capability { dac_override mknod net_admin sys_admin sys_rawio sys_tty_config }; dontaudit kudzu_t self:capability sys_tty_config; allow kudzu_t self:process { signal_perms execmem }; allow kudzu_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te index b740c730..023884ab 100644 --- a/policy/modules/contrib/ldap.te +++ b/policy/modules/contrib/ldap.te @@ -50,7 +50,7 @@ files_pid_file(slapd_var_run_t) # Local policy # -allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search }; +allow slapd_t self:capability { dac_override dac_read_search kill net_raw setgid setuid }; dontaudit slapd_t self:capability sys_tty_config; allow slapd_t self:process setsched; allow slapd_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/likewise.te b/policy/modules/contrib/likewise.te index 58c05712..21d18a3c 100644 --- a/policy/modules/contrib/likewise.te +++ b/policy/modules/contrib/likewise.te @@ -102,7 +102,7 @@ corenet_tcp_sendrecv_epmap_port(eventlogd_t) # lsassd local policy # -allow lsassd_t self:capability { fowner chown fsetid dac_override sys_time }; +allow lsassd_t self:capability { chown dac_override fowner fsetid sys_time }; allow lsassd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms; @@ -165,7 +165,7 @@ optional_policy(` # lwiod local policy # -allow lwiod_t self:capability { fowner chown fsetid dac_override sys_resource }; +allow lwiod_t self:capability { chown dac_override fowner fsetid sys_resource }; allow lwiod_t self:process setrlimit; allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms; diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te index e2daa42d..1179568b 100644 --- a/policy/modules/contrib/logrotate.te +++ b/policy/modules/contrib/logrotate.te @@ -36,7 +36,7 @@ role system_r types logrotate_mail_t; # Local policy # -allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice }; +allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource }; allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap }; allow logrotate_t self:fd use; allow logrotate_t self:key manage_key_perms; diff --git a/policy/modules/contrib/logwatch.te b/policy/modules/contrib/logwatch.te index 353a5311..24f1c17b 100644 --- a/policy/modules/contrib/logwatch.te +++ b/policy/modules/contrib/logwatch.te @@ -173,7 +173,7 @@ optional_policy(` # Mail local policy # -allow logwatch_mail_t self:capability { dac_read_search dac_override }; +allow logwatch_mail_t self:capability { dac_override dac_read_search }; allow logwatch_mail_t logwatch_t:fd use; allow logwatch_mail_t logwatch_t:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/lpd.te b/policy/modules/contrib/lpd.te index fc70ff9e..8ebe2435 100644 --- a/policy/modules/contrib/lpd.te +++ b/policy/modules/contrib/lpd.te @@ -62,7 +62,7 @@ files_config_file(printconf_t) # Checkpc local policy # -allow checkpc_t self:capability { setgid setuid dac_override }; +allow checkpc_t self:capability { dac_override setgid setuid }; allow checkpc_t self:process signal_perms; allow checkpc_t self:unix_stream_socket create_socket_perms; allow checkpc_t self:tcp_socket create_socket_perms; @@ -126,7 +126,7 @@ optional_policy(` # Lpd local policy # -allow lpd_t self:capability { setgid setuid dac_read_search dac_override chown fowner }; +allow lpd_t self:capability { chown dac_override dac_read_search fowner setgid setuid }; dontaudit lpd_t self:capability sys_tty_config; allow lpd_t self:process signal_perms; allow lpd_t self:fifo_file rw_fifo_file_perms; @@ -214,7 +214,7 @@ optional_policy(` # Lpr local policy # -allow lpr_t self:capability { setuid dac_override net_bind_service chown }; +allow lpr_t self:capability { chown dac_override net_bind_service setuid }; allow lpr_t self:unix_stream_socket { accept listen }; allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms }; diff --git a/policy/modules/contrib/mailman.te b/policy/modules/contrib/mailman.te index 46d98e79..7421ce3a 100644 --- a/policy/modules/contrib/mailman.te +++ b/policy/modules/contrib/mailman.te @@ -115,7 +115,7 @@ optional_policy(` # Mail local policy # -allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config }; +allow mailman_mail_t self:capability { dac_override kill setgid setuid sys_tty_config }; allow mailman_mail_t self:process { signal signull }; manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) diff --git a/policy/modules/contrib/mailscanner.te b/policy/modules/contrib/mailscanner.te index 14840eda..d8dcb317 100644 --- a/policy/modules/contrib/mailscanner.te +++ b/policy/modules/contrib/mailscanner.te @@ -29,7 +29,7 @@ files_pid_file(mscan_var_run_t) # Local policy # -allow mscan_t self:capability { setuid chown setgid dac_override }; +allow mscan_t self:capability { chown dac_override setgid setuid }; allow mscan_t self:process signal; allow mscan_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te index ce0ac3c8..142e7e07 100644 --- a/policy/modules/contrib/mandb.te +++ b/policy/modules/contrib/mandb.te @@ -21,7 +21,7 @@ init_unit_file(mandb_unit_t) # Local policy # -allow mandb_t self:capability { setuid setgid }; +allow mandb_t self:capability { setgid setuid }; allow mandb_t self:process { setsched signal }; allow mandb_t self:fifo_file rw_fifo_file_perms; allow mandb_t self:unix_stream_socket create_stream_socket_perms; diff --git a/policy/modules/contrib/memcached.te b/policy/modules/contrib/memcached.te index 570035ef..c90c632f 100644 --- a/policy/modules/contrib/memcached.te +++ b/policy/modules/contrib/memcached.te @@ -20,7 +20,7 @@ files_pid_file(memcached_var_run_t) # Local policy # -allow memcached_t self:capability { setuid setgid }; +allow memcached_t self:capability { setgid setuid }; dontaudit memcached_t self:capability sys_tty_config; allow memcached_t self:process { setrlimit signal_perms }; allow memcached_t self:tcp_socket { accept listen }; diff --git a/policy/modules/contrib/milter.te b/policy/modules/contrib/milter.te index c25488c9..7c4b347d 100644 --- a/policy/modules/contrib/milter.te +++ b/policy/modules/contrib/milter.te @@ -82,7 +82,7 @@ optional_policy(` # regex local policy # -allow regex_milter_t self:capability { setuid setgid dac_override }; +allow regex_milter_t self:capability { dac_override setgid setuid }; files_search_spool(regex_milter_t) diff --git a/policy/modules/contrib/minissdpd.te b/policy/modules/contrib/minissdpd.te index f1a37029..d16cdb1b 100644 --- a/policy/modules/contrib/minissdpd.te +++ b/policy/modules/contrib/minissdpd.te @@ -23,7 +23,7 @@ files_pid_file(minissdpd_var_run_t) # Local policy # -allow minissdpd_t self:capability { sys_module net_admin }; +allow minissdpd_t self:capability { net_admin sys_module }; allow minissdpd_t self:netlink_route_socket r_netlink_socket_perms; allow minissdpd_t self:udp_socket create_socket_perms; allow minissdpd_t self:unix_dgram_socket create_socket_perms; diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te index fa651ed4..85d6bda1 100644 --- a/policy/modules/contrib/mozilla.te +++ b/policy/modules/contrib/mozilla.te @@ -81,7 +81,7 @@ userdom_user_tmpfs_file(mozilla_tmpfs_t) # Local policy # -allow mozilla_t self:capability { sys_nice setgid setuid }; +allow mozilla_t self:capability { setgid setuid sys_nice }; allow mozilla_t self:process { sigkill signal setsched getsched setrlimit }; allow mozilla_t self:fifo_file rw_fifo_file_perms; allow mozilla_t self:shm create_shm_perms; @@ -533,7 +533,7 @@ optional_policy(` # Plugin config local policy # -allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid }; +allow mozilla_plugin_config_t self:capability { dac_override dac_read_search setgid setuid sys_nice }; allow mozilla_plugin_config_t self:process { setsched signal_perms getsched }; allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms; allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; diff --git a/policy/modules/contrib/mrtg.te b/policy/modules/contrib/mrtg.te index 42b484c0..5126d9d5 100644 --- a/policy/modules/contrib/mrtg.te +++ b/policy/modules/contrib/mrtg.te @@ -32,7 +32,7 @@ files_pid_file(mrtg_var_run_t) # Local policy # -allow mrtg_t self:capability { setgid setuid chown }; +allow mrtg_t self:capability { chown setgid setuid }; dontaudit mrtg_t self:capability sys_tty_config; allow mrtg_t self:process signal_perms; allow mrtg_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te index f0c4b92c..9a3ee20e 100644 --- a/policy/modules/contrib/mta.te +++ b/policy/modules/contrib/mta.te @@ -55,7 +55,7 @@ userdom_user_tmp_file(user_mail_tmp_t) # Common base mail policy # -allow user_mail_domain self:capability { setuid setgid chown }; +allow user_mail_domain self:capability { chown setgid setuid }; allow user_mail_domain self:process { signal_perms setrlimit }; allow user_mail_domain self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/nagios.te b/policy/modules/contrib/nagios.te index 3f1a7b95..44c2abcd 100644 --- a/policy/modules/contrib/nagios.te +++ b/policy/modules/contrib/nagios.te @@ -216,8 +216,8 @@ optional_policy(` # Nrpe local policy # -allow nrpe_t self:capability { setuid setgid }; -dontaudit nrpe_t self:capability { sys_tty_config sys_resource }; +allow nrpe_t self:capability { setgid setuid }; +dontaudit nrpe_t self:capability { sys_resource sys_tty_config }; allow nrpe_t self:process { setpgid signal_perms setsched setrlimit }; allow nrpe_t self:fifo_file rw_fifo_file_perms; allow nrpe_t self:tcp_socket { accept listen }; @@ -311,7 +311,7 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) # Mail local policy # -allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; +allow nagios_mail_plugin_t self:capability { dac_override setgid setuid }; allow nagios_mail_plugin_t self:tcp_socket { accept listen }; kernel_read_kernel_sysctls(nagios_mail_plugin_t) @@ -405,7 +405,7 @@ optional_policy(` # allow nagios_system_plugin_t self:capability dac_override; -dontaudit nagios_system_plugin_t self:capability { setuid setgid }; +dontaudit nagios_system_plugin_t self:capability { setgid setuid }; read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t) diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te index 27b92658..cde12ad5 100644 --- a/policy/modules/contrib/networkmanager.te +++ b/policy/modules/contrib/networkmanager.te @@ -47,8 +47,8 @@ ifdef(`distro_gentoo',` # Local policy # -allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock }; -dontaudit NetworkManager_t self:capability { sys_tty_config sys_module sys_ptrace }; +allow NetworkManager_t self:capability { chown dac_override fowner fsetid ipc_lock kill net_admin net_raw setgid setuid sys_nice }; +dontaudit NetworkManager_t self:capability { sys_module sys_ptrace sys_tty_config }; allow NetworkManager_t self:capability2 wake_alarm; allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms }; allow NetworkManager_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/nslcd.te b/policy/modules/contrib/nslcd.te index 40682ca2..30639e64 100644 --- a/policy/modules/contrib/nslcd.te +++ b/policy/modules/contrib/nslcd.te @@ -23,7 +23,7 @@ files_config_file(nslcd_conf_t) # Local policy # -allow nslcd_t self:capability { setgid setuid dac_override }; +allow nslcd_t self:capability { dac_override setgid setuid }; allow nslcd_t self:process signal; allow nslcd_t self:unix_stream_socket { accept listen }; diff --git a/policy/modules/contrib/ntop.te b/policy/modules/contrib/ntop.te index a3503716..025f5d4a 100644 --- a/policy/modules/contrib/ntop.te +++ b/policy/modules/contrib/ntop.te @@ -29,7 +29,7 @@ files_pid_file(ntop_var_run_t) # Local Policy # -allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin }; +allow ntop_t self:capability { net_admin net_raw setgid setuid sys_admin }; dontaudit ntop_t self:capability sys_tty_config; allow ntop_t self:process signal_perms; allow ntop_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te index c7c27be5..2fcf0a40 100644 --- a/policy/modules/contrib/ntp.te +++ b/policy/modules/contrib/ntp.te @@ -47,8 +47,8 @@ init_system_domain(ntpd_t, ntpdate_exec_t) # Local policy # -allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource }; -dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice }; +allow ntpd_t self:capability { chown dac_override ipc_lock ipc_owner kill setgid setuid sys_chroot sys_nice sys_resource sys_time }; +dontaudit ntpd_t self:capability { fsetid net_admin sys_nice sys_tty_config }; allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit }; allow ntpd_t self:fifo_file rw_fifo_file_perms; allow ntpd_t self:shm create_shm_perms; diff --git a/policy/modules/contrib/nut.te b/policy/modules/contrib/nut.te index 8086281f..d38ced7b 100644 --- a/policy/modules/contrib/nut.te +++ b/policy/modules/contrib/nut.te @@ -34,7 +34,7 @@ init_daemon_pid_file(nut_var_run_t, dir, "nut") # Common nut domain local policy # -allow nut_domain self:capability { setgid setuid dac_override kill }; +allow nut_domain self:capability { dac_override kill setgid setuid }; allow nut_domain self:process signal_perms; allow nut_domain self:fifo_file rw_fifo_file_perms; allow nut_domain self:unix_dgram_socket sendto; diff --git a/policy/modules/contrib/oddjob.te b/policy/modules/contrib/oddjob.te index c01d4f62..507d6d24 100644 --- a/policy/modules/contrib/oddjob.te +++ b/policy/modules/contrib/oddjob.te @@ -74,7 +74,7 @@ optional_policy(` # Mkhomedir local policy # -allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override }; +allow oddjob_mkhomedir_t self:capability { chown dac_override fowner fsetid }; allow oddjob_mkhomedir_t self:process setfscreate; allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms; allow oddjob_mkhomedir_t self:unix_stream_socket { accept listen }; diff --git a/policy/modules/contrib/oident.te b/policy/modules/contrib/oident.te index 0cf6cfe3..c1f42dc1 100644 --- a/policy/modules/contrib/oident.te +++ b/policy/modules/contrib/oident.te @@ -25,7 +25,7 @@ files_config_file(oidentd_config_t) # Local policy # -allow oidentd_t self:capability { setuid setgid }; +allow oidentd_t self:capability { setgid setuid }; allow oidentd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow oidentd_t self:tcp_socket { accept listen }; diff --git a/policy/modules/contrib/openvpn.te b/policy/modules/contrib/openvpn.te index cce20317..465716f6 100644 --- a/policy/modules/contrib/openvpn.te +++ b/policy/modules/contrib/openvpn.te @@ -54,7 +54,7 @@ files_pid_file(openvpn_var_run_t) # Local policy # -allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_admin setgid setuid sys_chroot sys_tty_config sys_nice }; +allow openvpn_t self:capability { dac_override dac_read_search ipc_lock net_admin setgid setuid sys_chroot sys_nice sys_tty_config }; allow openvpn_t self:process { signal getsched setsched }; allow openvpn_t self:fifo_file rw_fifo_file_perms; allow openvpn_t self:unix_dgram_socket sendto; diff --git a/policy/modules/contrib/openvswitch.te b/policy/modules/contrib/openvswitch.te index 04cbe909..b9790021 100644 --- a/policy/modules/contrib/openvswitch.te +++ b/policy/modules/contrib/openvswitch.te @@ -32,7 +32,7 @@ files_pid_file(openvswitch_var_run_t) # Local policy # -allow openvswitch_t self:capability { net_admin sys_nice sys_resource ipc_lock }; +allow openvswitch_t self:capability { ipc_lock net_admin sys_nice sys_resource }; allow openvswitch_t self:process { setrlimit setsched signal }; allow openvswitch_t self:fifo_file rw_fifo_file_perms; allow openvswitch_t self:rawip_socket create_socket_perms; diff --git a/policy/modules/contrib/pacemaker.te b/policy/modules/contrib/pacemaker.te index 6d1b3c4d..218470bb 100644 --- a/policy/modules/contrib/pacemaker.te +++ b/policy/modules/contrib/pacemaker.te @@ -29,7 +29,7 @@ files_pid_file(pacemaker_var_run_t) # Local policy # -allow pacemaker_t self:capability { fowner fsetid kill chown dac_override setuid }; +allow pacemaker_t self:capability { chown dac_override fowner fsetid kill setuid }; allow pacemaker_t self:process { setrlimit signal setpgid }; allow pacemaker_t self:fifo_file rw_fifo_file_perms; allow pacemaker_t self:unix_stream_socket { connectto accept listen }; diff --git a/policy/modules/contrib/passenger.te b/policy/modules/contrib/passenger.te index 85fb36db..b6181456 100644 --- a/policy/modules/contrib/passenger.te +++ b/policy/modules/contrib/passenger.te @@ -25,7 +25,7 @@ files_pid_file(passenger_var_run_t) # Local policy # -allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource }; +allow passenger_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_ptrace sys_resource }; allow passenger_t self:process { setpgid setsched sigkill signal }; allow passenger_t self:fifo_file rw_fifo_file_perms; allow passenger_t self:unix_stream_socket { accept connectto listen }; diff --git a/policy/modules/contrib/pcmcia.te b/policy/modules/contrib/pcmcia.te index ceab5763..230f1f00 100644 --- a/policy/modules/contrib/pcmcia.te +++ b/policy/modules/contrib/pcmcia.te @@ -29,7 +29,7 @@ role cardmgr_roles types cardmgr_t; # Local policy # -allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod }; +allow cardmgr_t self:capability { dac_override dac_read_search mknod net_admin setuid sys_admin sys_nice sys_tty_config }; dontaudit cardmgr_t self:capability sys_tty_config; allow cardmgr_t self:process signal_perms; allow cardmgr_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/pegasus.te b/policy/modules/contrib/pegasus.te index 6d8c0192..b2138295 100644 --- a/policy/modules/contrib/pegasus.te +++ b/policy/modules/contrib/pegasus.te @@ -35,7 +35,7 @@ files_pid_file(pegasus_var_run_t) # Local policy # -allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service }; +allow pegasus_t self:capability { chown dac_override ipc_lock kill net_admin net_bind_service setgid setuid sys_nice }; dontaudit pegasus_t self:capability sys_tty_config; allow pegasus_t self:process signal; allow pegasus_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/pkcs.te b/policy/modules/contrib/pkcs.te index 1d1635d4..b10f18e7 100644 --- a/policy/modules/contrib/pkcs.te +++ b/policy/modules/contrib/pkcs.te @@ -29,7 +29,7 @@ files_tmpfs_file(pkcs_slotd_tmpfs_t) # Local policy # -allow pkcs_slotd_t self:capability { fsetid kill chown }; +allow pkcs_slotd_t self:capability { chown fsetid kill }; allow pkcs_slotd_t self:fifo_file rw_fifo_file_perms; allow pkcs_slotd_t self:sem create_sem_perms; allow pkcs_slotd_t self:shm create_shm_perms; diff --git a/policy/modules/contrib/podsleuth.te b/policy/modules/contrib/podsleuth.te index 9123f715..83dc77b5 100644 --- a/policy/modules/contrib/podsleuth.te +++ b/policy/modules/contrib/podsleuth.te @@ -28,7 +28,7 @@ userdom_user_tmpfs_file(podsleuth_tmpfs_t) # Local policy # -allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio }; +allow podsleuth_t self:capability { dac_override kill sys_admin sys_rawio }; allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack }; allow podsleuth_t self:fifo_file rw_fifo_file_perms; allow podsleuth_t self:unix_stream_socket create_stream_socket_perms; diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if index e990d79a..cad9b9f1 100644 --- a/policy/modules/contrib/portage.if +++ b/policy/modules/contrib/portage.if @@ -72,7 +72,7 @@ interface(`portage_compile_domain',` type portage_tmp_t, portage_tmpfs_t; ') - allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw }; + allow $1 self:capability { chown dac_override fowner fsetid mknod net_raw setgid setuid }; dontaudit $1 self:capability sys_chroot; allow $1 self:process { setpgid setsched setrlimit signal_perms execmem setfscreate }; allow $1 self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap }; diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te index 87ca0c6c..ef04131e 100644 --- a/policy/modules/contrib/portage.te +++ b/policy/modules/contrib/portage.te @@ -160,7 +160,7 @@ optional_policy(` # - setfscreate for merging to live fs allow portage_t self:process { setfscreate }; # - kill for mysql merging, at least -allow portage_t self:capability { sys_nice kill setfcap }; +allow portage_t self:capability { kill setfcap sys_nice }; dontaudit portage_t self:capability { dac_read_search }; dontaudit portage_t self:netlink_route_socket rw_netlink_socket_perms; @@ -247,7 +247,7 @@ dontaudit portage_t device_type:blk_file read_blk_file_perms; # allow portage_fetch_t self:process signal; -allow portage_fetch_t self:capability { dac_override fowner fsetid chown }; +allow portage_fetch_t self:capability { chown dac_override fowner fsetid }; allow portage_fetch_t self:fifo_file rw_fifo_file_perms; allow portage_fetch_t self:tcp_socket { accept listen }; allow portage_fetch_t self:unix_stream_socket create_socket_perms; diff --git a/policy/modules/contrib/portmap.te b/policy/modules/contrib/portmap.te index 292b3aa8..2a8c850b 100644 --- a/policy/modules/contrib/portmap.te +++ b/policy/modules/contrib/portmap.te @@ -30,7 +30,7 @@ files_pid_file(portmap_var_run_t) # Local policy # -allow portmap_t self:capability { setuid setgid }; +allow portmap_t self:capability { setgid setuid }; dontaudit portmap_t self:capability sys_tty_config; allow portmap_t self:unix_stream_socket { accept listen }; allow portmap_t self:tcp_socket { accept listen }; diff --git a/policy/modules/contrib/portreserve.te b/policy/modules/contrib/portreserve.te index 7e05b61b..a09698ce 100644 --- a/policy/modules/contrib/portreserve.te +++ b/policy/modules/contrib/portreserve.te @@ -23,7 +23,7 @@ files_pid_file(portreserve_var_run_t) # Local policy # -allow portreserve_t self:capability { dac_read_search dac_override }; +allow portreserve_t self:capability { dac_override dac_read_search }; allow portreserve_t self:fifo_file rw_fifo_file_perms; allow portreserve_t self:unix_stream_socket create_stream_socket_perms; allow portreserve_t self:unix_dgram_socket { create_socket_perms sendto }; diff --git a/policy/modules/contrib/portslave.te b/policy/modules/contrib/portslave.te index cbe36c1d..b34887c9 100644 --- a/policy/modules/contrib/portslave.te +++ b/policy/modules/contrib/portslave.te @@ -21,7 +21,7 @@ files_lock_file(portslave_lock_t) # Local policy # -allow portslave_t self:capability { setuid setgid net_admin fsetid net_bind_service sys_tty_config }; +allow portslave_t self:capability { fsetid net_admin net_bind_service setgid setuid sys_tty_config }; dontaudit portslave_t self:capability sys_admin; allow portslave_t self:process signal_perms; allow portslave_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te index 1f1a396f..74cb3d7e 100644 --- a/policy/modules/contrib/postfix.te +++ b/policy/modules/contrib/postfix.te @@ -108,7 +108,7 @@ mta_mailserver_delivery(postfix_virtual_t) # Common postfix domain local policy # -allow postfix_domain self:capability { sys_nice sys_chroot }; +allow postfix_domain self:capability { sys_chroot sys_nice }; dontaudit postfix_domain self:capability sys_tty_config; allow postfix_domain self:process { signal_perms setpgid setsched }; allow postfix_domain self:fifo_file rw_fifo_file_perms; @@ -171,7 +171,7 @@ optional_policy(` # Common postfix server domain local policy # -allow postfix_server_domain self:capability { setuid setgid dac_override }; +allow postfix_server_domain self:capability { dac_override setgid setuid }; allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; @@ -198,7 +198,7 @@ domain_use_interactive_fds(postfix_user_domains) # Master local policy # -allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config }; +allow postfix_master_t self:capability { chown dac_override fowner kill setgid setuid sys_tty_config }; allow postfix_master_t self:capability2 block_suspend; allow postfix_master_t self:process setrlimit; allow postfix_master_t self:tcp_socket create_stream_socket_perms; @@ -683,7 +683,7 @@ corecmd_exec_bin(postfix_qmgr_t) # Showq local policy # -allow postfix_showq_t self:capability { setuid setgid }; +allow postfix_showq_t self:capability { setgid setuid }; allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms }; diff --git a/policy/modules/contrib/postfixpolicyd.te b/policy/modules/contrib/postfixpolicyd.te index 153fb19c..621e1817 100644 --- a/policy/modules/contrib/postfixpolicyd.te +++ b/policy/modules/contrib/postfixpolicyd.te @@ -23,7 +23,7 @@ files_pid_file(postfix_policyd_var_run_t) # Local policy # -allow postfix_policyd_t self:capability { sys_resource sys_chroot setgid setuid }; +allow postfix_policyd_t self:capability { setgid setuid sys_chroot sys_resource }; allow postfix_policyd_t self:process setrlimit; allow postfix_policyd_t self:tcp_socket { accept listen }; diff --git a/policy/modules/contrib/ppp.te b/policy/modules/contrib/ppp.te index 27718824..1015b4ee 100644 --- a/policy/modules/contrib/ppp.te +++ b/policy/modules/contrib/ppp.te @@ -78,7 +78,7 @@ userdom_user_home_content(ppp_home_t) # PPPD local policy # -allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice }; +allow pppd_t self:capability { dac_override fowner fsetid kill net_admin net_raw setgid setuid sys_admin sys_nice }; dontaudit pppd_t self:capability sys_tty_config; allow pppd_t self:process { getsched setsched signal }; allow pppd_t self:fifo_file rw_fifo_file_perms; @@ -224,7 +224,7 @@ optional_policy(` # PPTP local policy # -allow pptp_t self:capability { dac_override dac_read_search net_raw net_admin }; +allow pptp_t self:capability { dac_override dac_read_search net_admin net_raw }; dontaudit pptp_t self:capability sys_tty_config; allow pptp_t self:process signal; allow pptp_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/procmail.te b/policy/modules/contrib/procmail.te index a4fa22b0..8a842661 100644 --- a/policy/modules/contrib/procmail.te +++ b/policy/modules/contrib/procmail.te @@ -24,7 +24,7 @@ files_tmp_file(procmail_tmp_t) # Local policy # -allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_override }; +allow procmail_t self:capability { chown dac_override fsetid setgid setuid sys_nice }; allow procmail_t self:process { setsched signal signull }; allow procmail_t self:fifo_file rw_fifo_file_perms; allow procmail_t self:tcp_socket { accept listen }; diff --git a/policy/modules/contrib/psad.te b/policy/modules/contrib/psad.te index 3336ca7e..b94e44a9 100644 --- a/policy/modules/contrib/psad.te +++ b/policy/modules/contrib/psad.te @@ -32,7 +32,7 @@ files_tmp_file(psad_tmp_t) # Local policy # -allow psad_t self:capability { net_admin net_raw setuid setgid dac_override }; +allow psad_t self:capability { dac_override net_admin net_raw setgid setuid }; dontaudit psad_t self:capability sys_tty_config; allow psad_t self:process signal_perms; allow psad_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te index e9a4a507..ac9811ea 100644 --- a/policy/modules/contrib/pulseaudio.te +++ b/policy/modules/contrib/pulseaudio.te @@ -44,7 +44,7 @@ files_pid_file(pulseaudio_var_run_t) # Local policy # -allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config }; +allow pulseaudio_t self:capability { chown fowner fsetid setgid setuid sys_nice sys_resource sys_tty_config }; allow pulseaudio_t self:process { getcap getsched setcap setrlimit setsched signal signull }; allow pulseaudio_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/puppet.te b/policy/modules/contrib/puppet.te index 4f496964..0e8161a2 100644 --- a/policy/modules/contrib/puppet.te +++ b/policy/modules/contrib/puppet.te @@ -59,7 +59,7 @@ files_tmp_file(puppetmaster_tmp_t) # Local policy # -allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_admin sys_nice sys_tty_config }; +allow puppet_t self:capability { chown dac_override fowner fsetid setgid setuid sys_admin sys_nice sys_tty_config }; allow puppet_t self:process { signal signull getsched setsched }; allow puppet_t self:fifo_file rw_fifo_file_perms; allow puppet_t self:netlink_route_socket create_netlink_socket_perms; @@ -255,7 +255,7 @@ optional_policy(` # Master local policy # -allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config }; +allow puppetmaster_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_tty_config }; allow puppetmaster_t self:process { signal_perms getsched setsched }; allow puppetmaster_t self:fifo_file rw_fifo_file_perms; allow puppetmaster_t self:netlink_route_socket nlmsg_write; diff --git a/policy/modules/contrib/qemu.if b/policy/modules/contrib/qemu.if index 32b48657..efdc5286 100644 --- a/policy/modules/contrib/qemu.if +++ b/policy/modules/contrib/qemu.if @@ -27,7 +27,7 @@ template(`qemu_domain_template',` # Policy # - allow $1_t self:capability { dac_read_search dac_override }; + allow $1_t self:capability { dac_override dac_read_search }; allow $1_t self:process { execstack execmem signal getsched }; allow $1_t self:fifo_file rw_file_perms; allow $1_t self:shm create_shm_perms; diff --git a/policy/modules/contrib/qmail.te b/policy/modules/contrib/qmail.te index a40ba2a2..455f2c0e 100644 --- a/policy/modules/contrib/qmail.te +++ b/policy/modules/contrib/qmail.te @@ -145,7 +145,7 @@ optional_policy(` # Lspawn local policy # -allow qmail_lspawn_t self:capability { setuid setgid }; +allow qmail_lspawn_t self:capability { setgid setuid }; allow qmail_lspawn_t self:process signal_perms; allow qmail_lspawn_t self:fifo_file rw_fifo_file_perms; allow qmail_lspawn_t self:unix_stream_socket create_socket_perms; diff --git a/policy/modules/contrib/quota.te b/policy/modules/contrib/quota.te index 9952f537..95fc0aa3 100644 --- a/policy/modules/contrib/quota.te +++ b/policy/modules/contrib/quota.te @@ -33,7 +33,7 @@ files_pid_file(quota_nld_var_run_t) # Local policy # -allow quota_t self:capability { sys_admin dac_override }; +allow quota_t self:capability { dac_override sys_admin }; dontaudit quota_t self:capability sys_tty_config; allow quota_t self:process signal_perms; diff --git a/policy/modules/contrib/radvd.te b/policy/modules/contrib/radvd.te index 1d7fbfe4..41df3b57 100644 --- a/policy/modules/contrib/radvd.te +++ b/policy/modules/contrib/radvd.te @@ -22,7 +22,7 @@ files_pid_file(radvd_var_run_t) # Local policy # -allow radvd_t self:capability { kill setgid setuid net_raw net_admin }; +allow radvd_t self:capability { kill net_admin net_raw setgid setuid }; dontaudit radvd_t self:capability sys_tty_config; allow radvd_t self:process signal_perms; allow radvd_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te index ad21e093..49c7dbb4 100644 --- a/policy/modules/contrib/raid.te +++ b/policy/modules/contrib/raid.te @@ -27,7 +27,7 @@ dev_associate(mdadm_var_run_t) # Local policy # -allow mdadm_t self:capability { dac_override sys_admin ipc_lock }; +allow mdadm_t self:capability { dac_override ipc_lock sys_admin }; dontaudit mdadm_t self:capability sys_tty_config; allow mdadm_t self:process { getsched setsched signal_perms }; allow mdadm_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/readahead.te b/policy/modules/contrib/readahead.te index 080c0ad0..ec587591 100644 --- a/policy/modules/contrib/readahead.te +++ b/policy/modules/contrib/readahead.te @@ -22,7 +22,7 @@ init_daemon_pid_file(readahead_var_run_t, dir, "readahead") # Local policy # -allow readahead_t self:capability { sys_admin fowner dac_override dac_read_search }; +allow readahead_t self:capability { dac_override dac_read_search fowner sys_admin }; dontaudit readahead_t self:capability { net_admin sys_tty_config }; allow readahead_t self:process { setsched signal_perms }; diff --git a/policy/modules/contrib/remotelogin.te b/policy/modules/contrib/remotelogin.te index ae308717..3130db86 100644 --- a/policy/modules/contrib/remotelogin.te +++ b/policy/modules/contrib/remotelogin.te @@ -18,7 +18,7 @@ files_tmp_file(remote_login_tmp_t) # Local policy # -allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config }; +allow remote_login_t self:capability { chown dac_override fowner fsetid kill net_bind_service setgid setuid sys_nice sys_resource sys_tty_config }; allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow remote_login_t self:process { setrlimit setexec }; allow remote_login_t self:fd use; diff --git a/policy/modules/contrib/rgmanager.te b/policy/modules/contrib/rgmanager.te index c533810f..905c3d44 100644 --- a/policy/modules/contrib/rgmanager.te +++ b/policy/modules/contrib/rgmanager.te @@ -37,7 +37,7 @@ files_pid_file(rgmanager_var_run_t) # Local policy # -allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock }; +allow rgmanager_t self:capability { dac_override ipc_lock net_raw sys_admin sys_nice sys_resource }; allow rgmanager_t self:process { setsched signal }; allow rgmanager_t self:fifo_file rw_fifo_file_perms; allow rgmanager_t self:unix_stream_socket { accept listen }; diff --git a/policy/modules/contrib/rhcs.te b/policy/modules/contrib/rhcs.te index 4c58d123..85a3a066 100644 --- a/policy/modules/contrib/rhcs.te +++ b/policy/modules/contrib/rhcs.te @@ -170,7 +170,7 @@ tunable_policy(`fenced_can_network_connect',` optional_policy(` tunable_policy(`fenced_can_ssh',` - allow fenced_t self:capability { setuid setgid }; + allow fenced_t self:capability { setgid setuid }; corenet_sendrecv_ssh_client_packets(fenced_t) corenet_tcp_connect_ssh_port(fenced_t) diff --git a/policy/modules/contrib/ricci.te b/policy/modules/contrib/ricci.te index 794dcd36..326d7b85 100644 --- a/policy/modules/contrib/ricci.te +++ b/policy/modules/contrib/ricci.te @@ -78,7 +78,7 @@ files_lock_file(ricci_modstorage_lock_t) # Local policy # -allow ricci_t self:capability { setuid sys_nice sys_boot }; +allow ricci_t self:capability { setuid sys_boot sys_nice }; allow ricci_t self:process setsched; allow ricci_t self:fifo_file rw_fifo_file_perms; allow ricci_t self:unix_stream_socket { accept connectto listen }; diff --git a/policy/modules/contrib/rlogin.te b/policy/modules/contrib/rlogin.te index 0714e380..94d41e81 100644 --- a/policy/modules/contrib/rlogin.te +++ b/policy/modules/contrib/rlogin.te @@ -31,7 +31,7 @@ files_pid_file(rlogind_var_run_t) # Local policy # -allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override }; +allow rlogind_t self:capability { chown dac_override fowner fsetid setgid setuid sys_tty_config }; allow rlogind_t self:process signal_perms; allow rlogind_t self:fifo_file rw_fifo_file_perms; allow rlogind_t self:tcp_socket { accept listen }; diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te index cf1f775b..5123f079 100644 --- a/policy/modules/contrib/rpc.te +++ b/policy/modules/contrib/rpc.te @@ -145,7 +145,7 @@ optional_policy(` # Local policy # -allow rpcd_t self:capability { setpcap sys_admin chown dac_override setgid setuid }; +allow rpcd_t self:capability { chown dac_override setgid setpcap setuid sys_admin }; allow rpcd_t self:capability2 block_suspend; allow rpcd_t self:process { getcap setcap }; allow rpcd_t self:fifo_file rw_fifo_file_perms; @@ -288,7 +288,7 @@ optional_policy(` # GSSD local policy # -allow gssd_t self:capability { dac_override dac_read_search setuid setgid sys_nice }; +allow gssd_t self:capability { dac_override dac_read_search setgid setuid sys_nice }; allow gssd_t self:process { getsched setsched }; allow gssd_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te index 6ab5fd9e..1b36d097 100644 --- a/policy/modules/contrib/rpm.te +++ b/policy/modules/contrib/rpm.te @@ -73,7 +73,7 @@ files_tmpfs_file(rpm_script_tmpfs_t) # rpm Local policy # -allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod }; +allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock mknod setfcap setgid setuid sys_chroot sys_nice sys_tty_config }; allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap }; allow rpm_t self:process { getattr setexec setfscreate setrlimit }; allow rpm_t self:fd use; @@ -241,7 +241,7 @@ optional_policy(` # rpm-script Local policy # -allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin }; +allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin setgid setuid sys_admin sys_chroot sys_nice sys_rawio }; allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap }; allow rpm_script_t self:fd use; allow rpm_script_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/rshd.te b/policy/modules/contrib/rshd.te index 5a5f6f71..dc327424 100644 --- a/policy/modules/contrib/rshd.te +++ b/policy/modules/contrib/rshd.te @@ -18,7 +18,7 @@ files_type(rshd_keytab_t) # Local policy # -allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override }; +allow rshd_t self:capability { chown dac_override fowner fsetid kill setgid setuid }; allow rshd_t self:process { signal_perms setsched setpgid setexec }; allow rshd_t self:fifo_file rw_fifo_file_perms; allow rshd_t self:tcp_socket create_stream_socket_perms; diff --git a/policy/modules/contrib/rssh.te b/policy/modules/contrib/rssh.te index 5c5465fe..cf6dd81e 100644 --- a/policy/modules/contrib/rssh.te +++ b/policy/modules/contrib/rssh.te @@ -86,7 +86,7 @@ optional_policy(` # Chroot helper local policy # -allow rssh_chroot_helper_t self:capability { sys_chroot setuid }; +allow rssh_chroot_helper_t self:capability { setuid sys_chroot }; allow rssh_chroot_helper_t self:fifo_file rw_fifo_file_perms; allow rssh_chroot_helper_t self:unix_stream_socket { accept listen }; diff --git a/policy/modules/contrib/rsync.te b/policy/modules/contrib/rsync.te index 18db99d4..2fce98b0 100644 --- a/policy/modules/contrib/rsync.te +++ b/policy/modules/contrib/rsync.te @@ -83,7 +83,7 @@ files_pid_file(rsync_var_run_t) # Local policy # -allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot }; +allow rsync_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_chroot }; allow rsync_t self:process signal_perms; allow rsync_t self:fifo_file rw_fifo_file_perms; allow rsync_t self:tcp_socket { accept listen }; diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te index 0acf15a7..e7dae973 100644 --- a/policy/modules/contrib/samba.te +++ b/policy/modules/contrib/samba.te @@ -194,7 +194,7 @@ files_pid_file(winbind_var_run_t) # Net local policy # -allow samba_net_t self:capability { sys_chroot sys_nice dac_read_search dac_override }; +allow samba_net_t self:capability { dac_override dac_read_search sys_chroot sys_nice }; allow samba_net_t self:capability2 block_suspend; allow samba_net_t self:process { getsched setsched }; allow samba_net_t self:unix_stream_socket { accept listen }; @@ -261,7 +261,7 @@ optional_policy(` # Smbd Local policy # -allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search }; +allow smbd_t self:capability { chown dac_override dac_read_search fowner fsetid kill lease setgid setuid sys_admin sys_chroot sys_nice sys_resource }; dontaudit smbd_t self:capability sys_tty_config; allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; allow smbd_t self:fd use; @@ -650,7 +650,7 @@ optional_policy(` # Smbmount Local policy # -allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown }; +allow smbmount_t self:capability { chown dac_override sys_admin sys_rawio }; allow smbmount_t self:process signal_perms; allow smbmount_t self:tcp_socket { accept listen }; allow smbmount_t self:unix_dgram_socket create_socket_perms; @@ -724,7 +724,7 @@ optional_policy(` # Swat Local policy # -allow swat_t self:capability { dac_override setuid setgid sys_resource }; +allow swat_t self:capability { dac_override setgid setuid sys_resource }; allow swat_t self:process { setrlimit signal_perms }; allow swat_t self:fifo_file rw_fifo_file_perms; allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; diff --git a/policy/modules/contrib/samhain.te b/policy/modules/contrib/samhain.te index 1d2f80f5..865f9563 100644 --- a/policy/modules/contrib/samhain.te +++ b/policy/modules/contrib/samhain.te @@ -49,7 +49,7 @@ ifdef(`enable_mls',` # allow samhain_domain self:capability { dac_override dac_read_search fowner ipc_lock }; -dontaudit samhain_domain self:capability { sys_resource sys_ptrace }; +dontaudit samhain_domain self:capability { sys_ptrace sys_resource }; allow samhain_domain self:process { setsched setrlimit signull }; allow samhain_domain self:fd use; allow samhain_domain self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/screen.te b/policy/modules/contrib/screen.te index e8569cb1..e376da59 100644 --- a/policy/modules/contrib/screen.te +++ b/policy/modules/contrib/screen.te @@ -29,7 +29,7 @@ ubac_constrained(screen_runtime_t) # # dac_override : read /dev/pts/ID -allow screen_domain self:capability { setuid setgid fsetid dac_override }; +allow screen_domain self:capability { dac_override fsetid setgid setuid }; allow screen_domain self:process signal_perms; allow screen_domain self:fd use; allow screen_domain self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te index 1ae4a27a..dbfab0a0 100644 --- a/policy/modules/contrib/sendmail.te +++ b/policy/modules/contrib/sendmail.te @@ -40,7 +40,7 @@ role sendmail_unconfined_roles types unconfined_sendmail_t; # Local policy # -allow sendmail_t self:capability { dac_override setuid setgid sys_nice chown sys_tty_config }; +allow sendmail_t self:capability { chown dac_override setgid setuid sys_nice sys_tty_config }; allow sendmail_t self:process { setsched setpgid setrlimit signal signull }; allow sendmail_t self:fifo_file rw_fifo_file_perms; allow sendmail_t self:unix_stream_socket { accept listen }; diff --git a/policy/modules/contrib/shorewall.te b/policy/modules/contrib/shorewall.te index e2e6c30d..5e815dd8 100644 --- a/policy/modules/contrib/shorewall.te +++ b/policy/modules/contrib/shorewall.te @@ -32,7 +32,7 @@ logging_log_file(shorewall_log_t) # Local policy # -allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_admin }; +allow shorewall_t self:capability { dac_override net_admin net_raw setgid setuid sys_admin sys_nice }; dontaudit shorewall_t self:capability sys_tty_config; allow shorewall_t self:fifo_file rw_fifo_file_perms; allow shorewall_t self:netlink_socket create_socket_perms; diff --git a/policy/modules/contrib/slocate.te b/policy/modules/contrib/slocate.te index 65fe1cb6..2bf0fed4 100644 --- a/policy/modules/contrib/slocate.te +++ b/policy/modules/contrib/slocate.te @@ -20,7 +20,7 @@ files_pid_file(locate_var_run_t) # Local policy # -allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid }; +allow locate_t self:capability { chown dac_override dac_read_search fowner fsetid }; allow locate_t self:process { execmem execheap execstack signal setsched }; allow locate_t self:fifo_file rw_fifo_file_perms; allow locate_t self:unix_stream_socket create_socket_perms; diff --git a/policy/modules/contrib/smartmon.te b/policy/modules/contrib/smartmon.te index eb812fe8..4a7cafa7 100644 --- a/policy/modules/contrib/smartmon.te +++ b/policy/modules/contrib/smartmon.te @@ -38,7 +38,7 @@ ifdef(`enable_mls',` # Local policy # -allow fsdaemon_t self:capability { dac_override kill setpcap setgid sys_rawio sys_admin }; +allow fsdaemon_t self:capability { dac_override kill setgid setpcap sys_admin sys_rawio }; dontaudit fsdaemon_t self:capability sys_tty_config; allow fsdaemon_t self:process { getcap setcap signal_perms }; allow fsdaemon_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/smokeping.te b/policy/modules/contrib/smokeping.te index 625d8018..cc19c38d 100644 --- a/policy/modules/contrib/smokeping.te +++ b/policy/modules/contrib/smokeping.te @@ -23,7 +23,7 @@ files_type(smokeping_var_lib_t) # Local policy # -dontaudit smokeping_t self:capability { dac_read_search dac_override }; +dontaudit smokeping_t self:capability { dac_override dac_read_search }; allow smokeping_t self:fifo_file rw_fifo_file_perms; allow smokeping_t self:unix_stream_socket { accept listen }; diff --git a/policy/modules/contrib/snmp.te b/policy/modules/contrib/snmp.te index 49385798..fe37b52d 100644 --- a/policy/modules/contrib/snmp.te +++ b/policy/modules/contrib/snmp.te @@ -26,7 +26,7 @@ files_type(snmpd_var_lib_t) # Local policy # -allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace }; +allow snmpd_t self:capability { chown dac_override ipc_lock kill net_admin setgid setuid sys_nice sys_ptrace sys_tty_config }; dontaudit snmpd_t self:capability { sys_module sys_tty_config }; allow snmpd_t self:process { signal_perms getsched setsched }; allow snmpd_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/snort.te b/policy/modules/contrib/snort.te index 30ba1e0c..536efd00 100644 --- a/policy/modules/contrib/snort.te +++ b/policy/modules/contrib/snort.te @@ -30,7 +30,7 @@ init_daemon_pid_file(snort_var_run_t, dir, "snort") # Local policy # -allow snort_t self:capability { setgid setuid net_admin net_raw dac_override }; +allow snort_t self:capability { dac_override net_admin net_raw setgid setuid }; dontaudit snort_t self:capability sys_tty_config; allow snort_t self:process signal_perms; allow snort_t self:netlink_socket create_socket_perms; diff --git a/policy/modules/contrib/sosreport.te b/policy/modules/contrib/sosreport.te index 18dca447..940f220a 100644 --- a/policy/modules/contrib/sosreport.te +++ b/policy/modules/contrib/sosreport.te @@ -31,7 +31,7 @@ optional_policy(` # Local policy # -allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override }; +allow sosreport_t self:capability { dac_override kill net_admin net_raw setuid sys_admin sys_nice }; dontaudit sosreport_t self:capability sys_ptrace; allow sosreport_t self:process { setsched setpgid signal_perms }; allow sosreport_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te index 6631a498..4a9153ce 100644 --- a/policy/modules/contrib/spamassassin.te +++ b/policy/modules/contrib/spamassassin.te @@ -270,7 +270,7 @@ optional_policy(` # Daemon local policy # -allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config }; +allow spamd_t self:capability { dac_override kill setgid setuid sys_tty_config }; dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te index 2852599a..74fb3c23 100644 --- a/policy/modules/contrib/squid.te +++ b/policy/modules/contrib/squid.te @@ -51,7 +51,7 @@ files_pid_file(squid_var_run_t) # Local policy # -allow squid_t self:capability { setgid kill setuid dac_override sys_resource }; +allow squid_t self:capability { dac_override kill setgid setuid sys_resource }; dontaudit squid_t self:capability sys_tty_config; allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; allow squid_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te index 9be5c19c..e273c904 100644 --- a/policy/modules/contrib/sssd.te +++ b/policy/modules/contrib/sssd.te @@ -33,7 +33,7 @@ files_pid_file(sssd_var_run_t) # Local policy # -allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource }; +allow sssd_t self:capability { chown dac_override dac_read_search kill net_admin setgid setuid sys_admin sys_nice sys_resource }; allow sssd_t self:capability2 block_suspend; allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit }; allow sssd_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/sxid.te b/policy/modules/contrib/sxid.te index 01a9d0ac..010c40ce 100644 --- a/policy/modules/contrib/sxid.te +++ b/policy/modules/contrib/sxid.te @@ -21,7 +21,7 @@ files_tmp_file(sxid_tmp_t) # allow sxid_t self:capability { dac_override dac_read_search fsetid }; -dontaudit sxid_t self:capability { setuid setgid sys_tty_config }; +dontaudit sxid_t self:capability { setgid setuid sys_tty_config }; allow sxid_t self:process signal_perms; allow sxid_t self:fifo_file rw_fifo_file_perms; allow sxid_t self:tcp_socket create_stream_socket_perms; diff --git a/policy/modules/contrib/systemtap.te b/policy/modules/contrib/systemtap.te index f2fa8494..c0ddb637 100644 --- a/policy/modules/contrib/systemtap.te +++ b/policy/modules/contrib/systemtap.te @@ -29,7 +29,7 @@ files_pid_file(stapserver_var_run_t) # Local policy # -allow stapserver_t self:capability { dac_override kill setuid setgid }; +allow stapserver_t self:capability { dac_override kill setgid setuid }; allow stapserver_t self:process { setrlimit setsched signal }; allow stapserver_t self:fifo_file rw_fifo_file_perms; allow stapserver_t self:key write; diff --git a/policy/modules/contrib/telnet.te b/policy/modules/contrib/telnet.te index 0e70d1f4..6007d763 100644 --- a/policy/modules/contrib/telnet.te +++ b/policy/modules/contrib/telnet.te @@ -27,7 +27,7 @@ files_pid_file(telnetd_var_run_t) # Local policy # -allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override }; +allow telnetd_t self:capability { chown dac_override fowner fsetid setgid setuid sys_tty_config }; allow telnetd_t self:process signal_perms; allow telnetd_t self:fifo_file rw_fifo_file_perms; allow telnetd_t self:tcp_socket { accept listen }; diff --git a/policy/modules/contrib/tripwire.te b/policy/modules/contrib/tripwire.te index 03aa6b7f..47dc24b3 100644 --- a/policy/modules/contrib/tripwire.te +++ b/policy/modules/contrib/tripwire.te @@ -47,7 +47,7 @@ role twprint_roles types twprint_t; # Local policy # -allow tripwire_t self:capability { setgid setuid dac_override }; +allow tripwire_t self:capability { dac_override setgid setuid }; allow tripwire_t tripwire_etc_t:dir list_dir_perms; allow tripwire_t tripwire_etc_t:file read_file_perms; diff --git a/policy/modules/contrib/ulogd.te b/policy/modules/contrib/ulogd.te index 6c3a3eaf..50beee26 100644 --- a/policy/modules/contrib/ulogd.te +++ b/policy/modules/contrib/ulogd.te @@ -26,7 +26,7 @@ logging_log_file(ulogd_var_log_t) # Local policy # -allow ulogd_t self:capability { net_admin setuid setgid sys_nice }; +allow ulogd_t self:capability { net_admin setgid setuid sys_nice }; allow ulogd_t self:process setsched; allow ulogd_t self:netlink_nflog_socket create_socket_perms; allow ulogd_t self:netlink_socket create_socket_perms; diff --git a/policy/modules/contrib/userhelper.te b/policy/modules/contrib/userhelper.te index 7a57c21a..9c7ac268 100644 --- a/policy/modules/contrib/userhelper.te +++ b/policy/modules/contrib/userhelper.te @@ -25,7 +25,7 @@ application_executable_file(consolehelper_exec_t) # Common consolehelper domain local policy # -allow consolehelper_type self:capability { setgid setuid dac_override }; +allow consolehelper_type self:capability { dac_override setgid setuid }; allow consolehelper_type self:process signal; allow consolehelper_type self:fifo_file rw_fifo_file_perms; allow consolehelper_type self:unix_stream_socket create_stream_socket_perms; @@ -94,7 +94,7 @@ optional_policy(` # Common userhelper domain local policy # -allow userhelper_type self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config }; +allow userhelper_type self:capability { chown dac_override net_bind_service setgid setuid sys_tty_config }; allow userhelper_type self:process ~{ ptrace setcurrent setfscreate setrlimit execmem execstack execheap }; allow userhelper_type self:fd use; allow userhelper_type self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/usernetctl.te b/policy/modules/contrib/usernetctl.te index f973af82..3f774951 100644 --- a/policy/modules/contrib/usernetctl.te +++ b/policy/modules/contrib/usernetctl.te @@ -18,7 +18,7 @@ role usernetctl_roles types usernetctl_t; # Local policy # -allow usernetctl_t self:capability { setuid setgid dac_override }; +allow usernetctl_t self:capability { dac_override setgid setuid }; allow usernetctl_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow usernetctl_t self:fd use; allow usernetctl_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/uucp.te b/policy/modules/contrib/uucp.te index 9c884c46..d44d025f 100644 --- a/policy/modules/contrib/uucp.te +++ b/policy/modules/contrib/uucp.te @@ -46,7 +46,7 @@ role uux_roles types uux_t; # Local policy # -allow uucpd_t self:capability { setuid setgid }; +allow uucpd_t self:capability { setgid setuid }; allow uucpd_t self:process signal_perms; allow uucpd_t self:fifo_file rw_fifo_file_perms; allow uucpd_t self:tcp_socket { accept listen }; @@ -137,7 +137,7 @@ optional_policy(` # UUX Local policy # -allow uux_t self:capability { setuid setgid }; +allow uux_t self:capability { setgid setuid }; allow uux_t self:fifo_file write_fifo_file_perms; domtrans_pattern(uux_t, uucpd_exec_t, uucpd_t) diff --git a/policy/modules/contrib/varnishd.te b/policy/modules/contrib/varnishd.te index 36c32fcd..b36f69ca 100644 --- a/policy/modules/contrib/varnishd.te +++ b/policy/modules/contrib/varnishd.te @@ -50,7 +50,7 @@ files_type(varnishlog_log_t) # Local policy # -allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid }; +allow varnishd_t self:capability { dac_override ipc_lock kill setgid setuid }; dontaudit varnishd_t self:capability sys_tty_config; allow varnishd_t self:process signal; allow varnishd_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/vbetool.te b/policy/modules/contrib/vbetool.te index 2a61f752..09980a08 100644 --- a/policy/modules/contrib/vbetool.te +++ b/policy/modules/contrib/vbetool.te @@ -26,7 +26,7 @@ role vbetool_roles types vbetool_t; # Local policy # -allow vbetool_t self:capability { dac_override sys_tty_config sys_admin }; +allow vbetool_t self:capability { dac_override sys_admin sys_tty_config }; allow vbetool_t self:process execmem; dev_wx_raw_memory(vbetool_t) diff --git a/policy/modules/contrib/vhostmd.te b/policy/modules/contrib/vhostmd.te index 4d47427d..f6636a99 100644 --- a/policy/modules/contrib/vhostmd.te +++ b/policy/modules/contrib/vhostmd.te @@ -23,7 +23,7 @@ files_pid_file(vhostmd_var_run_t) # Local policy # -allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid }; +allow vhostmd_t self:capability { dac_override ipc_lock setgid setuid }; allow vhostmd_t self:process { setsched getsched signal }; allow vhostmd_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index e8ac408d..eb72843f 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -455,7 +455,7 @@ tunable_policy(`virt_use_vfio',` # virtd local policy # -allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice }; +allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice }; allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto }; @@ -808,7 +808,7 @@ optional_policy(` # Virsh local policy # -allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config }; +allow virsh_t self:capability { dac_override ipc_lock setpcap sys_nice sys_tty_config }; allow virsh_t self:process { getcap getsched setsched setcap signal }; allow virsh_t self:fifo_file rw_fifo_file_perms; allow virsh_t self:unix_stream_socket { accept connectto listen }; @@ -956,7 +956,7 @@ optional_policy(` # Lxc local policy # -allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource }; +allow virtd_lxc_t self:capability { chown dac_override net_admin net_raw setpcap sys_admin sys_boot sys_resource }; allow virtd_lxc_t self:process { setexec setrlimit setsched getcap setcap signal_perms }; allow virtd_lxc_t self:fifo_file rw_fifo_file_perms; allow virtd_lxc_t self:netlink_route_socket nlmsg_write; @@ -1052,7 +1052,7 @@ sysnet_domtrans_ifconfig(virtd_lxc_t) # Common virt lxc domain local policy # -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; +allow svirt_lxc_domain self:capability { dac_override kill setgid setuid sys_boot }; allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; allow svirt_lxc_domain self:fifo_file manage_file_perms; allow svirt_lxc_domain self:sem create_sem_perms; @@ -1149,7 +1149,7 @@ optional_policy(` # Lxc net local policy # -allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap }; +allow svirt_lxc_net_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_raw setpcap sys_admin sys_nice sys_ptrace sys_resource }; dontaudit svirt_lxc_net_t self:capability2 block_suspend; allow svirt_lxc_net_t self:process setrlimit; allow svirt_lxc_net_t self:tcp_socket { accept listen }; @@ -1253,7 +1253,7 @@ optional_policy(` # allow virt_bridgehelper_t self:process { setcap getcap }; -allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; +allow virt_bridgehelper_t self:capability { net_admin setgid setpcap setuid }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/policy/modules/contrib/vlock.te b/policy/modules/contrib/vlock.te index 6b72968e..d4094916 100644 --- a/policy/modules/contrib/vlock.te +++ b/policy/modules/contrib/vlock.te @@ -17,7 +17,7 @@ role vlock_roles types vlock_t; # Local policy # -dontaudit vlock_t self:capability { setuid setgid }; +dontaudit vlock_t self:capability { setgid setuid }; allow vlock_t self:fd use; allow vlock_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/vmware.te b/policy/modules/contrib/vmware.te index 0fa22c2b..59a32f5d 100644 --- a/policy/modules/contrib/vmware.te +++ b/policy/modules/contrib/vmware.te @@ -69,7 +69,7 @@ optional_policy(` # Host local policy # -allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override }; +allow vmware_host_t self:capability { dac_override kill net_raw setgid setuid sys_nice sys_ptrace sys_time }; dontaudit vmware_host_t self:capability sys_tty_config; allow vmware_host_t self:process { execstack execmem signal_perms }; allow vmware_host_t self:fifo_file rw_fifo_file_perms; @@ -186,7 +186,7 @@ optional_policy(` # Guest local policy # -allow vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown }; +allow vmware_t self:capability { chown dac_override setgid setuid sys_admin sys_nice sys_rawio sys_resource }; dontaudit vmware_t self:capability sys_tty_config; allow vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow vmware_t self:process { execmem execstack }; diff --git a/policy/modules/contrib/vpn.te b/policy/modules/contrib/vpn.te index 85353fa7..10fb1013 100644 --- a/policy/modules/contrib/vpn.te +++ b/policy/modules/contrib/vpn.te @@ -24,7 +24,7 @@ files_pid_file(vpnc_var_run_t) # Local policy # -allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw setuid }; +allow vpnc_t self:capability { dac_override dac_read_search ipc_lock net_admin net_raw setuid }; allow vpnc_t self:process { getsched signal }; allow vpnc_t self:fifo_file rw_fifo_file_perms; allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms; diff --git a/policy/modules/contrib/watchdog.te b/policy/modules/contrib/watchdog.te index a181f48b..bac0a747 100644 --- a/policy/modules/contrib/watchdog.te +++ b/policy/modules/contrib/watchdog.te @@ -23,7 +23,7 @@ files_pid_file(watchdog_var_run_t) # Local policy # -allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource net_raw }; +allow watchdog_t self:capability { ipc_lock net_admin net_raw sys_admin sys_boot sys_nice sys_pacct sys_resource }; dontaudit watchdog_t self:capability sys_tty_config; allow watchdog_t self:process { setsched signal_perms }; allow watchdog_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/wdmd.te b/policy/modules/contrib/wdmd.te index a32e1988..24c3802e 100644 --- a/policy/modules/contrib/wdmd.te +++ b/policy/modules/contrib/wdmd.te @@ -23,7 +23,7 @@ files_pid_file(wdmd_var_run_t) # Local policy # -allow wdmd_t self:capability { chown sys_nice ipc_lock }; +allow wdmd_t self:capability { chown ipc_lock sys_nice }; allow wdmd_t self:process { setsched signal }; allow wdmd_t self:fifo_file rw_fifo_file_perms; allow wdmd_t self:unix_stream_socket { accept listen }; diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te index c134cfe5..383c00a7 100644 --- a/policy/modules/contrib/xen.te +++ b/policy/modules/contrib/xen.te @@ -163,7 +163,7 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir }) # xend local policy # -allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_resource sys_rawio }; +allow xend_t self:capability { dac_override ipc_lock net_admin net_raw setuid sys_admin sys_nice sys_rawio sys_resource sys_tty_config }; dontaudit xend_t self:capability { sys_ptrace }; allow xend_t self:process { setrlimit signal sigkill }; dontaudit xend_t self:process ptrace; @@ -470,7 +470,7 @@ xen_append_log(xenstored_t) # xm local policy # -allow xm_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config }; +allow xm_t self:capability { dac_override ipc_lock setpcap sys_nice sys_tty_config }; allow xm_t self:process { getcap getsched setsched setcap signal }; allow xm_t self:fifo_file rw_fifo_file_perms; allow xm_t self:unix_stream_socket { accept connectto listen }; diff --git a/policy/modules/contrib/yam.te b/policy/modules/contrib/yam.te index 2695db25..4927d4d7 100644 --- a/policy/modules/contrib/yam.te +++ b/policy/modules/contrib/yam.te @@ -26,7 +26,7 @@ files_tmp_file(yam_tmp_t) # Local policy # -allow yam_t self:capability { chown fowner fsetid dac_override }; +allow yam_t self:capability { chown dac_override fowner fsetid }; allow yam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap }; allow yam_t self:fd use; allow yam_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/contrib/zabbix.te b/policy/modules/contrib/zabbix.te index 33822181..a021b743 100644 --- a/policy/modules/contrib/zabbix.te +++ b/policy/modules/contrib/zabbix.te @@ -44,7 +44,7 @@ files_pid_file(zabbix_var_run_t) # Local policy # -allow zabbix_t self:capability { dac_read_search dac_override setuid setgid }; +allow zabbix_t self:capability { dac_override dac_read_search setgid setuid }; allow zabbix_t self:process { setsched signal_perms }; allow zabbix_t self:fifo_file rw_fifo_file_perms; allow zabbix_t self:unix_stream_socket create_stream_socket_perms; @@ -132,7 +132,7 @@ optional_policy(` # Agent local policy # -allow zabbix_agent_t self:capability { setuid setgid }; +allow zabbix_agent_t self:capability { setgid setuid }; allow zabbix_agent_t self:process { setsched getsched signal }; allow zabbix_agent_t self:fifo_file rw_fifo_file_perms; allow zabbix_agent_t self:sem create_sem_perms; diff --git a/policy/modules/contrib/zarafa.te b/policy/modules/contrib/zarafa.te index 5ce3c3eb..506952fb 100644 --- a/policy/modules/contrib/zarafa.te +++ b/policy/modules/contrib/zarafa.te @@ -158,7 +158,7 @@ corenet_tcp_sendrecv_smtp_port(zarafa_spooler_t) # Zarafa domain local policy # -allow zarafa_domain self:capability { kill dac_override chown setgid setuid }; +allow zarafa_domain self:capability { chown dac_override kill setgid setuid }; allow zarafa_domain self:process { setrlimit signal }; allow zarafa_domain self:fifo_file rw_fifo_file_perms; allow zarafa_domain self:tcp_socket { accept listen }; diff --git a/policy/modules/contrib/zebra.te b/policy/modules/contrib/zebra.te index d0b03583..bfc2d21d 100644 --- a/policy/modules/contrib/zebra.te +++ b/policy/modules/contrib/zebra.te @@ -37,7 +37,7 @@ files_pid_file(zebra_var_run_t) # Local policy # -allow zebra_t self:capability { setgid setuid net_admin net_raw }; +allow zebra_t self:capability { net_admin net_raw setgid setuid }; dontaudit zebra_t self:capability sys_tty_config; allow zebra_t self:process { signal_perms getcap setcap }; allow zebra_t self:fifo_file rw_fifo_file_perms;