* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2014-11-23 13:22 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2014-11-28 10:04 ` Sven Vermeulen
0 siblings, 0 replies; 413+ messages in thread
From: Sven Vermeulen @ 2014-11-28 10:04 UTC (permalink / raw
To: gentoo-commits
commit: 74986b6148745779596c8604e6f6e489a2c89c13
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Nov 23 12:46:08 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Nov 23 12:46:08 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=74986b61
OpenRC cgroup helper requires dac_override privilege
Managing and updating cgroups through the kernel-invoked openrc cgroup
helper has the helper run under root privileges, but accessing files
(reading mostly) that are owned by a different user.
---
policy/modules/contrib/openrc.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/openrc.te b/policy/modules/contrib/openrc.te
index bf5a336..91afb6e 100644
--- a/policy/modules/contrib/openrc.te
+++ b/policy/modules/contrib/openrc.te
@@ -13,6 +13,7 @@ role system_r types openrc_cgroup_release_t;
# OpenRC cgroup release policy
#
+allow openrc_cgroup_release_t self:capability dac_override;
allow openrc_cgroup_release_t self:unix_stream_socket create_socket_perms;
kernel_domtrans_to(openrc_cgroup_release_t, openrc_cgroup_release_exec_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2014-11-28 9:40 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2014-11-28 10:04 ` Sven Vermeulen
0 siblings, 0 replies; 413+ messages in thread
From: Sven Vermeulen @ 2014-11-28 10:04 UTC (permalink / raw
To: gentoo-commits
commit: 7a74e7ba38497d870a3d3c51c8ffd6ffb876d00e
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Nov 28 09:28:46 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Nov 28 09:28:46 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7a74e7ba
Allow cgroup handler to access /sys/fs/cgroup as tmpfs_t
Currently, the /sys/fs/cgroup location is mounted as a tmpfs_t. As the
mount options cannot be easily modified as of yet, we grant the cgroup
handler search privileges over tmpfs_t.
Additional cgroup mounts within /sys/fs/cgroup do hold the right context
(cgroup_t).
---
policy/modules/contrib/openrc.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/contrib/openrc.te b/policy/modules/contrib/openrc.te
index 91afb6e..6a0d7cb 100644
--- a/policy/modules/contrib/openrc.te
+++ b/policy/modules/contrib/openrc.te
@@ -28,5 +28,8 @@ files_search_pids(openrc_cgroup_release_t)
fs_manage_cgroup_dirs(openrc_cgroup_release_t)
fs_manage_cgroup_files(openrc_cgroup_release_t)
+# /sys/fs/cgroup is by default mounted as tmpfs_t
+# Allow search until we can have it mounted correctly (TODO)
+fs_search_tmpfs(openrc_cgroup_release_t)
auth_use_nsswitch(openrc_cgroup_release_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2014-11-28 10:44 Sven Vermeulen
0 siblings, 0 replies; 413+ messages in thread
From: Sven Vermeulen @ 2014-11-28 10:44 UTC (permalink / raw
To: gentoo-commits
commit: 827b774fcc313e5c6b6b9681a73460b79eee334e
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Nov 28 10:41:28 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Nov 28 10:41:40 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=827b774f
Introduce ntp_manage_config interface
---
policy/modules/contrib/ntp.if | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/policy/modules/contrib/ntp.if b/policy/modules/contrib/ntp.if
index e96a309..6a83626 100644
--- a/policy/modules/contrib/ntp.if
+++ b/policy/modules/contrib/ntp.if
@@ -188,3 +188,23 @@ interface(`ntp_admin',`
ntp_run($1, $2)
')
+
+# This should be in an ifdef distro_gentoo but that is not allowed in if files
+
+########################################
+## <summary>
+## Manage ntp(d) configuration.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_manage_config',`
+ gen_require(`
+ type ntp_conf_t;
+ ')
+
+ manage_files_pattern($1, ntp_conf_t, ntp_conf_t)
+')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2014-11-28 11:16 Sven Vermeulen
0 siblings, 0 replies; 413+ messages in thread
From: Sven Vermeulen @ 2014-11-28 11:16 UTC (permalink / raw
To: gentoo-commits
commit: c9e4efbf074197e3d774022fb5a4e85ea1d6e8ff
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Nov 28 10:41:28 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Nov 28 11:15:06 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c9e4efbf
Introduce ntp_manage_config interface
---
policy/modules/contrib/ntp.if | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/policy/modules/contrib/ntp.if b/policy/modules/contrib/ntp.if
index e96a309..6a83626 100644
--- a/policy/modules/contrib/ntp.if
+++ b/policy/modules/contrib/ntp.if
@@ -188,3 +188,23 @@ interface(`ntp_admin',`
ntp_run($1, $2)
')
+
+# This should be in an ifdef distro_gentoo but that is not allowed in if files
+
+########################################
+## <summary>
+## Manage ntp(d) configuration.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_manage_config',`
+ gen_require(`
+ type ntp_conf_t;
+ ')
+
+ manage_files_pattern($1, ntp_conf_t, ntp_conf_t)
+')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2014-12-21 12:49 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2014-12-20 15:49 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2014-12-20 15:49 UTC (permalink / raw
To: gentoo-commits
commit: 99b40156a93dcd1147049daca610b53d20eaa4b7
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Dec 20 13:46:45 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sat Dec 20 13:46:45 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=99b40156
salt: allow salt minion to ssh_manage_home_files
also dac_override and dac_read_search since some home dirs are not
world readable.
---
policy/modules/contrib/salt.te | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 279edfb..024a165 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -198,7 +198,7 @@ tunable_policy(`salt_master_read_nfs',`
# salt_minion_t policy
#
-allow salt_minion_t self:capability { fsetid chown net_admin sys_admin sys_tty_config };
+allow salt_minion_t self:capability { fsetid chown dac_override dac_read_search net_admin sys_admin sys_tty_config };
allow salt_minion_t self:capability2 block_suspend;
allow salt_minion_t self:process { signal signull };
allow salt_minion_t self:tcp_socket create_stream_socket_perms;
@@ -294,6 +294,10 @@ optional_policy(`
')
optional_policy(`
+ ssh_manage_home_files(salt_minion_t)
+')
+
+optional_policy(`
mount_domtrans(salt_minion_t)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-01-20 15:08 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-01-20 15:08 UTC (permalink / raw
To: gentoo-commits
commit: 7e4e70e1102bfcbaf60948cb92cb76744e686d5b
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jan 20 14:23:22 2015 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Jan 20 14:32:31 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7e4e70e1
Introduce networkmanager_rw_rawip_sockets
---
policy/modules/contrib/networkmanager.if | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/policy/modules/contrib/networkmanager.if b/policy/modules/contrib/networkmanager.if
index 5aced8c..b512ce0 100644
--- a/policy/modules/contrib/networkmanager.if
+++ b/policy/modules/contrib/networkmanager.if
@@ -381,3 +381,23 @@ interface(`networkmanager_run_wpa_cli',`
networkmanager_domtrans_wpa_cli($1)
role $2 types wpa_cli_t;
')
+
+# Gentoo specific interfaces follow but not allowed ifdef
+
+########################################
+## <summary>
+## Read and write networkmanager rawip sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_rw_rawip_sockets',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:rawip_socket { read write };
+')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-01-20 15:08 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-01-20 15:08 UTC (permalink / raw
To: gentoo-commits
commit: f2b51c9c7e6523062ecea89466f3ae56fce915d6
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jan 20 14:30:45 2015 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Jan 20 14:32:32 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f2b51c9c
resolvconf: needs access to networkmanager rawip sockets
---
policy/modules/contrib/resolvconf.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/resolvconf.te b/policy/modules/contrib/resolvconf.te
index 32cba23..b8c8e7e 100644
--- a/policy/modules/contrib/resolvconf.te
+++ b/policy/modules/contrib/resolvconf.te
@@ -49,6 +49,10 @@ optional_policy(`
dnsmasq_write_config(resolvconf_t)
')
+optional_policy(`
+ networkmanager_rw_rawip_sockets(resolvconf_t)
+')
+
#########################################
#
# Resolvconf client policy
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-01-20 15:08 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-01-20 15:08 UTC (permalink / raw
To: gentoo-commits
commit: 88d6730704203fd01d8f5dfd60a87d872ccddde4
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jan 20 14:30:07 2015 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Jan 20 14:32:32 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=88d67307
networkmanager: v1.0.0 needs new socket permissions
---
policy/modules/contrib/networkmanager.te | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index a0dc708..d8dcaee 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -371,6 +371,12 @@ ifdef(`distro_gentoo',`
#
# NetworkManager_t policy
#
+ allow NetworkManager_t self:rawip_socket create_socket_perms;
+ allow NetworkManager_t self:unix_stream_socket connectto;
+
+ # listing /etc/NetworkManager/dispatch.d/
+ list_dirs_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
+ read_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
optional_policy(`
resolvconf_client_domain(NetworkManager_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-01-20 15:08 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-01-20 15:08 UTC (permalink / raw
To: gentoo-commits
commit: b35bf5cdf747242782de8e4fb95ad004702a36dd
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jan 20 14:25:58 2015 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Jan 20 14:32:32 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b35bf5cd
networkmanager: nm-dispatcher has changed name
---
policy/modules/contrib/networkmanager.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc
index bbf3bba..5ffd285 100644
--- a/policy/modules/contrib/networkmanager.fc
+++ b/policy/modules/contrib/networkmanager.fc
@@ -15,7 +15,7 @@
/usr/lib/NetworkManager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
/usr/lib/networkmanager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-/usr/libexec/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/usr/libexec/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-01-20 15:08 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-01-20 15:08 UTC (permalink / raw
To: gentoo-commits
commit: 64e1eae12f151f6583db40e376d2f1109b4bc59a
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jan 20 14:57:05 2015 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Jan 20 14:57:05 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=64e1eae1
networkmanager: run dispatch scripts in initrc_t domain
---
policy/modules/contrib/networkmanager.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index d8dcaee..dc381b8 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -377,6 +377,7 @@ ifdef(`distro_gentoo',`
# listing /etc/NetworkManager/dispatch.d/
list_dirs_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
read_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
+ init_labeled_script_domtrans(NetworkManager_t, NetworkManager_initrc_exec_t)
optional_policy(`
resolvconf_client_domain(NetworkManager_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-01-25 13:46 Sven Vermeulen
0 siblings, 0 replies; 413+ messages in thread
From: Sven Vermeulen @ 2015-01-25 13:46 UTC (permalink / raw
To: gentoo-commits
commit: e10b85ea541851d59eab478d384cf99bff3f0965
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jan 20 14:30:07 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jan 25 13:45:20 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e10b85ea
networkmanager: v1.0.0 needs new socket permissions
---
policy/modules/contrib/networkmanager.te | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index a0dc708..d8dcaee 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -371,6 +371,12 @@ ifdef(`distro_gentoo',`
#
# NetworkManager_t policy
#
+ allow NetworkManager_t self:rawip_socket create_socket_perms;
+ allow NetworkManager_t self:unix_stream_socket connectto;
+
+ # listing /etc/NetworkManager/dispatch.d/
+ list_dirs_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
+ read_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
optional_policy(`
resolvconf_client_domain(NetworkManager_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-01-25 13:46 Sven Vermeulen
0 siblings, 0 replies; 413+ messages in thread
From: Sven Vermeulen @ 2015-01-25 13:46 UTC (permalink / raw
To: gentoo-commits
commit: 2f68bc28f6f29db06f58c03273049b8add618b76
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jan 20 14:57:05 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jan 25 13:45:20 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2f68bc28
networkmanager: run dispatch scripts in initrc_t domain
---
policy/modules/contrib/networkmanager.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index d8dcaee..dc381b8 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -377,6 +377,7 @@ ifdef(`distro_gentoo',`
# listing /etc/NetworkManager/dispatch.d/
list_dirs_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
read_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
+ init_labeled_script_domtrans(NetworkManager_t, NetworkManager_initrc_exec_t)
optional_policy(`
resolvconf_client_domain(NetworkManager_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-01-25 13:46 Sven Vermeulen
0 siblings, 0 replies; 413+ messages in thread
From: Sven Vermeulen @ 2015-01-25 13:46 UTC (permalink / raw
To: gentoo-commits
commit: e778a08233d701cd7b0688261faa3868bda281ed
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jan 20 14:30:45 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jan 25 13:45:20 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e778a082
resolvconf: needs access to networkmanager rawip sockets
---
policy/modules/contrib/resolvconf.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/resolvconf.te b/policy/modules/contrib/resolvconf.te
index 32cba23..b8c8e7e 100644
--- a/policy/modules/contrib/resolvconf.te
+++ b/policy/modules/contrib/resolvconf.te
@@ -49,6 +49,10 @@ optional_policy(`
dnsmasq_write_config(resolvconf_t)
')
+optional_policy(`
+ networkmanager_rw_rawip_sockets(resolvconf_t)
+')
+
#########################################
#
# Resolvconf client policy
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-01-25 13:46 Sven Vermeulen
0 siblings, 0 replies; 413+ messages in thread
From: Sven Vermeulen @ 2015-01-25 13:46 UTC (permalink / raw
To: gentoo-commits
commit: 11699dbbcad3bbd69aa43cfb46d56397e0fc95b8
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jan 20 14:23:22 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jan 25 13:45:20 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=11699dbb
Introduce networkmanager_rw_rawip_sockets
---
policy/modules/contrib/networkmanager.if | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/policy/modules/contrib/networkmanager.if b/policy/modules/contrib/networkmanager.if
index 5aced8c..b512ce0 100644
--- a/policy/modules/contrib/networkmanager.if
+++ b/policy/modules/contrib/networkmanager.if
@@ -381,3 +381,23 @@ interface(`networkmanager_run_wpa_cli',`
networkmanager_domtrans_wpa_cli($1)
role $2 types wpa_cli_t;
')
+
+# Gentoo specific interfaces follow but not allowed ifdef
+
+########################################
+## <summary>
+## Read and write networkmanager rawip sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_rw_rawip_sockets',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:rawip_socket { read write };
+')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-01-25 13:46 Sven Vermeulen
0 siblings, 0 replies; 413+ messages in thread
From: Sven Vermeulen @ 2015-01-25 13:46 UTC (permalink / raw
To: gentoo-commits
commit: 41ed8a53abd6710e8b5954e341fb2198973453bd
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jan 20 14:25:58 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jan 25 13:45:20 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=41ed8a53
networkmanager: nm-dispatcher has changed name
---
policy/modules/contrib/networkmanager.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc
index bbf3bba..5ffd285 100644
--- a/policy/modules/contrib/networkmanager.fc
+++ b/policy/modules/contrib/networkmanager.fc
@@ -15,7 +15,7 @@
/usr/lib/NetworkManager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
/usr/lib/networkmanager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-/usr/libexec/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/usr/libexec/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-01-29 6:51 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-01-29 6:51 UTC (permalink / raw
To: gentoo-commits
commit: 6d72fa7053e93be8cefde6bd6b09b2ab142ef31c
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jan 20 14:30:45 2015 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Mon Jan 26 06:42:28 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6d72fa70
resolvconf: needs access to networkmanager rawip sockets
---
policy/modules/contrib/resolvconf.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/resolvconf.te b/policy/modules/contrib/resolvconf.te
index 32cba23..b8c8e7e 100644
--- a/policy/modules/contrib/resolvconf.te
+++ b/policy/modules/contrib/resolvconf.te
@@ -49,6 +49,10 @@ optional_policy(`
dnsmasq_write_config(resolvconf_t)
')
+optional_policy(`
+ networkmanager_rw_rawip_sockets(resolvconf_t)
+')
+
#########################################
#
# Resolvconf client policy
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-01-29 6:51 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-01-29 6:51 UTC (permalink / raw
To: gentoo-commits
commit: 0e6ef13cb306c6334acaf45ac032a9db4bda3680
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jan 20 14:23:22 2015 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Mon Jan 26 06:42:28 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0e6ef13c
Introduce networkmanager_rw_rawip_sockets
---
policy/modules/contrib/networkmanager.if | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/policy/modules/contrib/networkmanager.if b/policy/modules/contrib/networkmanager.if
index 5aced8c..b512ce0 100644
--- a/policy/modules/contrib/networkmanager.if
+++ b/policy/modules/contrib/networkmanager.if
@@ -381,3 +381,23 @@ interface(`networkmanager_run_wpa_cli',`
networkmanager_domtrans_wpa_cli($1)
role $2 types wpa_cli_t;
')
+
+# Gentoo specific interfaces follow but not allowed ifdef
+
+########################################
+## <summary>
+## Read and write networkmanager rawip sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_rw_rawip_sockets',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:rawip_socket { read write };
+')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-01-29 6:51 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-01-29 6:51 UTC (permalink / raw
To: gentoo-commits
commit: 9409a7dfdb62c05c978a5134e85a1ea05838d37d
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jan 20 14:25:58 2015 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Mon Jan 26 06:42:28 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9409a7df
networkmanager: nm-dispatcher has changed name
---
policy/modules/contrib/networkmanager.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc
index bbf3bba..5ffd285 100644
--- a/policy/modules/contrib/networkmanager.fc
+++ b/policy/modules/contrib/networkmanager.fc
@@ -15,7 +15,7 @@
/usr/lib/NetworkManager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
/usr/lib/networkmanager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-/usr/libexec/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/usr/libexec/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-01-29 6:51 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-01-29 6:51 UTC (permalink / raw
To: gentoo-commits
commit: 9758e5c10c99ed6be3cd889f1bbb1c34e1dda38a
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jan 20 14:57:05 2015 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Mon Jan 26 06:42:28 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9758e5c1
networkmanager: run dispatch scripts in initrc_t domain
---
policy/modules/contrib/networkmanager.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index d8dcaee..dc381b8 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -377,6 +377,7 @@ ifdef(`distro_gentoo',`
# listing /etc/NetworkManager/dispatch.d/
list_dirs_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
read_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
+ init_labeled_script_domtrans(NetworkManager_t, NetworkManager_initrc_exec_t)
optional_policy(`
resolvconf_client_domain(NetworkManager_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2015-01-26 5:59 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-01-29 6:51 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-01-29 6:51 UTC (permalink / raw
To: gentoo-commits
commit: 55f243889b8296ed4f0ba967d2289faa797fa09b
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Jan 26 05:57:27 2015 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Mon Jan 26 05:57:27 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=55f24388
salt: fcontext for the default directory for pillars
---
policy/modules/contrib/salt.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/salt.fc b/policy/modules/contrib/salt.fc
index 399f5ad..22c2d13 100644
--- a/policy/modules/contrib/salt.fc
+++ b/policy/modules/contrib/salt.fc
@@ -27,3 +27,4 @@
/var/cache/salt/minion(/.*)? gen_context(system_u:object_r:salt_minion_cache_t,s0)
/srv/salt(/.*)? gen_context(system_u:object_r:salt_sls_t,s0)
+/srv/pillar(/.*)? gen_context(system_u:object_r:salt_sls_t,s0)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-01-29 6:51 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-01-29 6:51 UTC (permalink / raw
To: gentoo-commits
commit: 99ed324731d394bd4b2ce978e08b3d4c13a88fc3
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jan 20 14:30:07 2015 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Mon Jan 26 06:42:28 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=99ed3247
networkmanager: v1.0.0 needs new socket permissions
---
policy/modules/contrib/networkmanager.te | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index a0dc708..d8dcaee 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -371,6 +371,12 @@ ifdef(`distro_gentoo',`
#
# NetworkManager_t policy
#
+ allow NetworkManager_t self:rawip_socket create_socket_perms;
+ allow NetworkManager_t self:unix_stream_socket connectto;
+
+ # listing /etc/NetworkManager/dispatch.d/
+ list_dirs_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
+ read_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
optional_policy(`
resolvconf_client_domain(NetworkManager_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-01-29 8:38 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-01-29 8:38 UTC (permalink / raw
To: gentoo-commits
commit: 0e94bb1e493e057bf771f5a9d82d096c37a59f1d
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jan 20 14:57:05 2015 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Thu Jan 29 08:28:55 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0e94bb1e
networkmanager: run dispatch scripts in initrc_t domain
---
policy/modules/contrib/networkmanager.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index a0dc708..3abaf53 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -372,6 +372,11 @@ ifdef(`distro_gentoo',`
# NetworkManager_t policy
#
+ # listing /etc/NetworkManager/dispatch.d/
+ list_dirs_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
+ read_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
+ init_labeled_script_domtrans(NetworkManager_t, NetworkManager_initrc_exec_t)
+
optional_policy(`
resolvconf_client_domain(NetworkManager_t)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2015-01-29 9:12 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-01-29 8:38 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-01-29 8:38 UTC (permalink / raw
To: gentoo-commits
commit: 65e9be2b0d0dc77520bde9590a8d9d5c04b68602
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jan 20 14:23:22 2015 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Thu Jan 29 08:32:53 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=65e9be2b
Introduce networkmanager_rw_rawip_sockets
---
policy/modules/contrib/networkmanager.if | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/policy/modules/contrib/networkmanager.if b/policy/modules/contrib/networkmanager.if
index 5aced8c..b512ce0 100644
--- a/policy/modules/contrib/networkmanager.if
+++ b/policy/modules/contrib/networkmanager.if
@@ -381,3 +381,23 @@ interface(`networkmanager_run_wpa_cli',`
networkmanager_domtrans_wpa_cli($1)
role $2 types wpa_cli_t;
')
+
+# Gentoo specific interfaces follow but not allowed ifdef
+
+########################################
+## <summary>
+## Read and write networkmanager rawip sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_rw_rawip_sockets',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:rawip_socket { read write };
+')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-01-29 8:38 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-01-29 8:38 UTC (permalink / raw
To: gentoo-commits
commit: d9bf60684a0ccb33aa64d3710734d21e702188b0
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jan 20 14:30:07 2015 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Thu Jan 29 08:32:49 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d9bf6068
networkmanager: v1.0.0 needs new socket permissions
---
policy/modules/contrib/networkmanager.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 3abaf53..c29e773 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -372,6 +372,10 @@ ifdef(`distro_gentoo',`
# NetworkManager_t policy
#
+ # bug #538110
+ allow NetworkManager_t self:rawip_socket create_socket_perms;
+ allow NetworkManager_t self:unix_stream_socket connectto;
+
# listing /etc/NetworkManager/dispatch.d/
list_dirs_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
read_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-01-29 8:38 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-01-29 8:38 UTC (permalink / raw
To: gentoo-commits
commit: ec270d7eca495e088850d5397e3a9f64fcd63844
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jan 20 14:30:45 2015 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Thu Jan 29 08:32:53 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ec270d7e
resolvconf: needs access to networkmanager rawip sockets
---
policy/modules/contrib/resolvconf.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/resolvconf.te b/policy/modules/contrib/resolvconf.te
index 32cba23..b8c8e7e 100644
--- a/policy/modules/contrib/resolvconf.te
+++ b/policy/modules/contrib/resolvconf.te
@@ -49,6 +49,10 @@ optional_policy(`
dnsmasq_write_config(resolvconf_t)
')
+optional_policy(`
+ networkmanager_rw_rawip_sockets(resolvconf_t)
+')
+
#########################################
#
# Resolvconf client policy
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2015-01-29 9:12 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-01-29 8:38 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-01-29 8:38 UTC (permalink / raw
To: gentoo-commits
commit: 437a3cfff57c983594212bfb8ba2ce0fd5367cb9
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jan 20 14:25:58 2015 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Thu Jan 29 08:26:09 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=437a3cff
networkmanager: nm-dispatcher has changed name
gentoo bug: 538110
---
policy/modules/contrib/networkmanager.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc
index bbf3bba..5ffd285 100644
--- a/policy/modules/contrib/networkmanager.fc
+++ b/policy/modules/contrib/networkmanager.fc
@@ -15,7 +15,7 @@
/usr/lib/NetworkManager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
/usr/lib/networkmanager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-/usr/libexec/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/usr/libexec/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-02-09 18:33 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-02-09 18:33 UTC (permalink / raw
To: gentoo-commits
commit: b649a2b3c92b17613faaf013a03357399095059e
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Feb 9 17:17:40 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 9 17:17:40 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b649a2b3
salt: allow salt to ps all processes
Salt needs to be able to list all processes to check if services
are running
---
policy/modules/contrib/salt.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 970b183..4c76ecc 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -269,7 +269,7 @@ corenet_tcp_connect_salt_port(salt_minion_t)
dev_read_sysfs(salt_minion_t)
domain_dontaudit_exec_all_entry_files(salt_minion_t)
-domain_dontaudit_search_all_domains_state(salt_minion_t)
+domain_read_all_domains_state(salt_minion_t)
files_manage_all_non_security_file_types(salt_minion_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2015-02-09 18:35 [gentoo-commits] proj/hardened-refpolicy:adminroles " Jason Zaman
@ 2015-02-09 18:33 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-02-09 18:33 UTC (permalink / raw
To: gentoo-commits
commit: 5544629a0aa065819ff40dfefef33f70218b0cab
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Feb 3 13:48:40 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 9 17:17:24 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5544629a
add fcontext for openntpd drift file
---
policy/modules/contrib/ntp.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index 6105583..c74d996 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -27,4 +27,5 @@
ifdef(`distro_gentoo',`
/usr/bin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/var/lib/openntpd/ntpd.drift -- gen_context(system_u:object_r:ntp_drift_t,s0)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-02-24 17:11 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-02-24 17:11 UTC (permalink / raw
To: gentoo-commits
commit: 8a9db2c7ce1d9ffc2b0e2f789d3eb8fec86eeb53
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Feb 15 17:58:38 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 15 17:58:38 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8a9db2c7
Fix bug #536666 - Assign mailman_domain to all mailman domains
---
policy/modules/contrib/mailman.if | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/mailman.if b/policy/modules/contrib/mailman.if
index 108c0f1..dcede3a 100644
--- a/policy/modules/contrib/mailman.if
+++ b/policy/modules/contrib/mailman.if
@@ -39,6 +39,11 @@ template(`mailman_domain_template',`
files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir })
auth_use_nsswitch(mailman_$1_t)
+
+ ifdef(`distro_gentoo',`
+ # Bug #536666 - Assign mailman_domain to all mailman domains
+ typeattribute mailmain_$1_t mailman_domain;
+ ')
')
#######################################
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-02-24 17:11 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-02-24 17:11 UTC (permalink / raw
To: gentoo-commits
commit: 748a5e04609445337bbc5dbbfe5554263fae7720
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Feb 15 17:40:49 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Feb 19 10:43:25 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=748a5e04
Fix typo for radiusd /var/lib location
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/radius.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/radius.fc b/policy/modules/contrib/radius.fc
index d447e85..021438b 100644
--- a/policy/modules/contrib/radius.fc
+++ b/policy/modules/contrib/radius.fc
@@ -9,7 +9,7 @@
/usr/sbin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
/usr/sbin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
-/var/lib/radiousd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0)
+/var/lib/radiusd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0)
/var/log/freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
/var/log/radacct(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-02-24 17:11 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-02-24 17:11 UTC (permalink / raw
To: gentoo-commits
commit: b30c4a3ee18b2d432f54807046d4d748f19d6f72
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Feb 9 17:17:40 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Feb 24 16:59:13 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b30c4a3e
salt: allow salt to ps all processes
Salt needs to be able to list all processes to check if services
are running
---
policy/modules/contrib/salt.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 970b183..4c76ecc 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -269,7 +269,7 @@ corenet_tcp_connect_salt_port(salt_minion_t)
dev_read_sysfs(salt_minion_t)
domain_dontaudit_exec_all_entry_files(salt_minion_t)
-domain_dontaudit_search_all_domains_state(salt_minion_t)
+domain_read_all_domains_state(salt_minion_t)
files_manage_all_non_security_file_types(salt_minion_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-02-24 17:11 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-02-24 17:11 UTC (permalink / raw
To: gentoo-commits
commit: de0425cfcaf108a4e726e7ff42d23573bfae4e8d
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Feb 15 18:04:57 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 15 18:04:57 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=de0425cf
Remove duplicate mailman etc declaration
---
policy/modules/contrib/mailman.fc | 2 --
1 file changed, 2 deletions(-)
diff --git a/policy/modules/contrib/mailman.fc b/policy/modules/contrib/mailman.fc
index 337f7d1..79c9f80 100644
--- a/policy/modules/contrib/mailman.fc
+++ b/policy/modules/contrib/mailman.fc
@@ -48,6 +48,4 @@ ifdef(`distro_gentoo',`
/var/lib/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
/var/lib/mailman/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
-
-/etc/mailman(/.*)?
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-02-24 17:11 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-02-24 17:11 UTC (permalink / raw
To: gentoo-commits
commit: 2520e92b0d4d6dd062477a74731bf2dcb668350b
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Feb 17 13:33:44 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Feb 19 10:43:27 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2520e92b
Module version bump for fc typo in radius from Sven Vermeulen.
---
policy/modules/contrib/radius.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/radius.te b/policy/modules/contrib/radius.te
index 403a4fe..d85eecc 100644
--- a/policy/modules/contrib/radius.te
+++ b/policy/modules/contrib/radius.te
@@ -1,4 +1,4 @@
-policy_module(radius, 1.13.0)
+policy_module(radius, 1.13.1)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-02-24 17:11 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-02-24 17:11 UTC (permalink / raw
To: gentoo-commits
commit: 9bbc62384c84e9ca59adae9e6b2c68bdb5c6102a
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Feb 15 18:01:37 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 15 18:01:37 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9bbc6238
Fix typo
---
policy/modules/contrib/mailman.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/mailman.if b/policy/modules/contrib/mailman.if
index dcede3a..c3c6837 100644
--- a/policy/modules/contrib/mailman.if
+++ b/policy/modules/contrib/mailman.if
@@ -42,7 +42,7 @@ template(`mailman_domain_template',`
ifdef(`distro_gentoo',`
# Bug #536666 - Assign mailman_domain to all mailman domains
- typeattribute mailmain_$1_t mailman_domain;
+ typeattribute mailman_$1_t mailman_domain;
')
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-02-24 17:11 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-02-24 17:11 UTC (permalink / raw
To: gentoo-commits
commit: 18dc4eb371f43ee12b8469de78f5ea183df3b1f0
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Feb 3 13:48:40 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Feb 24 16:59:13 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=18dc4eb3
add fcontext for openntpd drift file
---
policy/modules/contrib/ntp.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index 6105583..c74d996 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -27,4 +27,5 @@
ifdef(`distro_gentoo',`
/usr/bin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/var/lib/openntpd/ntpd.drift -- gen_context(system_u:object_r:ntp_drift_t,s0)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-02-24 17:11 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-02-24 17:11 UTC (permalink / raw
To: gentoo-commits
commit: dc06f7836a3223cd02516a937e9cbe858c07084a
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Feb 15 17:56:13 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 15 17:56:13 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=dc06f783
Fix bug #536666 - Fix mailman contexts
---
policy/modules/contrib/mailman.fc | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/policy/modules/contrib/mailman.fc b/policy/modules/contrib/mailman.fc
index 995d0a5..337f7d1 100644
--- a/policy/modules/contrib/mailman.fc
+++ b/policy/modules/contrib/mailman.fc
@@ -27,3 +27,27 @@
/usr/mailman.*/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
/usr/share/doc/mailman.*/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+# Bug 536666
+# Seems like Fedora changes trickled in refpolicy and break due to /usr/lib/mailman/bin declaration in corecommands.fc
+/etc/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
+
+/usr/lib/cgi-bin/mailman(/.*)? gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/bin/mm-handler -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/usr/lib/mailman/cgi-bin(/.*)? gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib/mailman/cron(/.*)? gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+
+/usr/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/share/doc/mailman/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+
+/var/lib/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
+/var/lib/mailman/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
+
+/etc/mailman(/.*)?
+')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-03-04 17:03 Sven Vermeulen
0 siblings, 0 replies; 413+ messages in thread
From: Sven Vermeulen @ 2015-03-04 17:03 UTC (permalink / raw
To: gentoo-commits
commit: 0ce3435159ef02f7e22c79219f14c63e33285d5b
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Feb 9 17:17:40 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Mar 4 16:57:31 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0ce34351
salt: allow salt to ps all processes
Salt needs to be able to list all processes to check if services
are running
policy/modules/contrib/salt.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 970b183..4c76ecc 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -269,7 +269,7 @@ corenet_tcp_connect_salt_port(salt_minion_t)
dev_read_sysfs(salt_minion_t)
domain_dontaudit_exec_all_entry_files(salt_minion_t)
-domain_dontaudit_search_all_domains_state(salt_minion_t)
+domain_read_all_domains_state(salt_minion_t)
files_manage_all_non_security_file_types(salt_minion_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-03-04 17:03 Sven Vermeulen
0 siblings, 0 replies; 413+ messages in thread
From: Sven Vermeulen @ 2015-03-04 17:03 UTC (permalink / raw
To: gentoo-commits
commit: 22f58390b7427334d071d07d8da62866cbb0d00c
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Feb 3 13:48:40 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Mar 4 16:57:31 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=22f58390
add fcontext for openntpd drift file
policy/modules/contrib/ntp.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index 6105583..c74d996 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -27,4 +27,5 @@
ifdef(`distro_gentoo',`
/usr/bin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/var/lib/openntpd/ntpd.drift -- gen_context(system_u:object_r:ntp_drift_t,s0)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-03-23 14:58 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-03-23 14:58 UTC (permalink / raw
To: gentoo-commits
commit: c49aab8c0188ed4c024d01882ce374933d4c85db
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Feb 3 13:48:40 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Mar 23 07:25:04 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c49aab8c
add fcontext for openntpd drift file
policy/modules/contrib/ntp.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index 6105583..c74d996 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -27,4 +27,5 @@
ifdef(`distro_gentoo',`
/usr/bin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/var/lib/openntpd/ntpd.drift -- gen_context(system_u:object_r:ntp_drift_t,s0)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-03-23 14:58 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-03-23 14:58 UTC (permalink / raw
To: gentoo-commits
commit: a878ba884dced44d933d3e694a898fdc444dc3f2
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Feb 9 17:17:40 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Mar 23 07:25:04 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a878ba88
salt: allow salt to ps all processes
Salt needs to be able to list all processes to check if services
are running
policy/modules/contrib/salt.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 970b183..4c76ecc 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -269,7 +269,7 @@ corenet_tcp_connect_salt_port(salt_minion_t)
dev_read_sysfs(salt_minion_t)
domain_dontaudit_exec_all_entry_files(salt_minion_t)
-domain_dontaudit_search_all_domains_state(salt_minion_t)
+domain_read_all_domains_state(salt_minion_t)
files_manage_all_non_security_file_types(salt_minion_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-03-23 14:58 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-03-23 14:58 UTC (permalink / raw
To: gentoo-commits
commit: eac63cf59c69b655c2a02c383a36a39d8a107f43
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Mar 23 14:55:32 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Mar 23 14:55:32 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=eac63cf5
alsa: gentoo saves state files in /var/lib/alsa/oss/CardName
alsa_read/write_lib have permission on files, add in permission
for dirs too since gentoo's init script saves things in subdirs
policy/modules/contrib/alsa.if | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/policy/modules/contrib/alsa.if b/policy/modules/contrib/alsa.if
index 8f25112..cfd5a6c 100644
--- a/policy/modules/contrib/alsa.if
+++ b/policy/modules/contrib/alsa.if
@@ -255,6 +255,11 @@ interface(`alsa_read_lib',`
files_search_var_lib($1)
read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+
+ ifdef(`distro_gentoo',`
+ # gentoo saves the files in /var/lib/alsa/oss/CardName
+ list_dirs_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+ ')
')
#########################################
@@ -274,6 +279,11 @@ interface(`alsa_write_lib',`
files_search_var_lib($1)
write_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+
+ ifdef(`distro_gentoo',`
+ # gentoo saves the files in /var/lib/alsa/oss/CardName
+ write_dirs_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+ ')
')
# Gentoo specific for now, but cannot use ifdef distro_gentoo in an interface
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-03-24 13:25 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-03-24 13:25 UTC (permalink / raw
To: gentoo-commits
commit: 86e70dc4889211d9f07d7d9e5b233d93a93885b7
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Mar 23 14:55:32 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Mar 23 16:01:49 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=86e70dc4
alsa: gentoo saves state files in /var/lib/alsa/oss/CardName
alsa_read/write_lib have permission on files, add in permission
for dirs too since gentoo's init script saves things in subdirs
policy/modules/contrib/alsa.if | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/policy/modules/contrib/alsa.if b/policy/modules/contrib/alsa.if
index 8f25112..38bbf80 100644
--- a/policy/modules/contrib/alsa.if
+++ b/policy/modules/contrib/alsa.if
@@ -255,6 +255,11 @@ interface(`alsa_read_lib',`
files_search_var_lib($1)
read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+
+ ifdef(`distro_gentoo',`
+ # gentoo saves the files in /var/lib/alsa/oss/CardName
+ list_dirs_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+ ')
')
#########################################
@@ -274,6 +279,11 @@ interface(`alsa_write_lib',`
files_search_var_lib($1)
write_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+
+ ifdef(`distro_gentoo',`
+ # gentoo saves the files in /var/lib/alsa/oss/CardName
+ rw_dirs_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+ ')
')
# Gentoo specific for now, but cannot use ifdef distro_gentoo in an interface
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-03-24 13:25 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-03-24 13:25 UTC (permalink / raw
To: gentoo-commits
commit: 3df00ca1929a1b9aefe2699a841a543109702c92
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Mar 24 12:27:05 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Mar 24 13:06:20 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3df00ca1
skype: policy rules for v4.3
It now uses pulseaudio and also needs dir permissions in /tmp
policy/modules/contrib/skype.te | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/skype.te b/policy/modules/contrib/skype.te
index 4c71730..be0684f 100644
--- a/policy/modules/contrib/skype.te
+++ b/policy/modules/contrib/skype.te
@@ -55,9 +55,10 @@ manage_fifo_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
manage_sock_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
fs_tmpfs_filetrans(skype_t, skype_tmpfs_t, { file lnk_file sock_file fifo_file })
+manage_dirs_pattern(skype_t, skype_tmp_t, skype_tmp_t)
manage_files_pattern(skype_t, skype_tmp_t, skype_tmp_t)
manage_sock_files_pattern(skype_t, skype_tmp_t, skype_tmp_t)
-files_tmp_filetrans(skype_t, skype_tmp_t, { file sock_file })
+files_tmp_filetrans(skype_t, skype_tmp_t, { dir file sock_file })
kernel_dontaudit_search_sysctl(skype_t)
kernel_dontaudit_read_kernel_sysctls(skype_t)
@@ -73,15 +74,16 @@ corenet_all_recvfrom_netlabel(skype_t)
corenet_all_recvfrom_unlabeled(skype_t)
corenet_sendrecv_http_client_packets(skype_t)
corenet_tcp_bind_generic_node(skype_t)
-corenet_tcp_bind_generic_port(skype_t)
+corenet_tcp_bind_generic_port(skype_t)
corenet_tcp_connect_all_unreserved_ports(skype_t)
corenet_tcp_connect_generic_port(skype_t)
corenet_tcp_connect_http_port(skype_t)
corenet_tcp_sendrecv_http_port(skype_t)
corenet_udp_bind_generic_node(skype_t)
-corenet_udp_bind_generic_port(skype_t)
+corenet_udp_bind_generic_port(skype_t)
dev_dontaudit_search_sysfs(skype_t)
+dev_dontaudit_read_sysfs(skype_t)
dev_read_sound(skype_t)
dev_read_video_dev(skype_t)
dev_write_sound(skype_t)
@@ -112,6 +114,10 @@ tunable_policy(`skype_manage_user_content',`
')
optional_policy(`
+ pulseaudio_client_domain(skype_t, skype_tmpfs_t)
+')
+
+optional_policy(`
dbus_system_bus_client(skype_t)
dbus_all_session_bus_client(skype_t)
')
@@ -120,6 +126,10 @@ optional_policy(`
xdg_manage_config_home(skype_t)
')
+optional_policy(`
+ mozilla_dontaudit_manage_user_home_files(skype_t)
+')
+
ifdef(`use_alsa',`
optional_policy(`
alsa_domain(skype_t, skype_tmpfs_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-03-25 2:17 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-03-25 2:17 UTC (permalink / raw
To: gentoo-commits
commit: e2d6b5b1a6c86a1f55eccb417d99ac34324ae740
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Mar 24 15:53:44 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Mar 24 15:53:44 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e2d6b5b1
introduce chromium_rw_usb_dev
allows chromium to use USB devices for android debugging or to use
a FIDO U2F token.
policy/modules/contrib/chromium.te | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index e5aa5aa..b2c9ccc 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -41,6 +41,17 @@ gen_tunable(chromium_read_system_info, false)
## </desc>
gen_tunable(chromium_bind_tcp_unreserved_ports, false)
+## <desc>
+## <p>
+## Allow chromium to read/write USB devices
+## </p>
+## <p>
+## Although not needed for regular browsing, used for debugging over usb
+## or using FIDO U2F tokens.
+## </p>
+## </desc>
+gen_tunable(chromium_rw_usb_dev, false)
+
type chromium_t;
domain_dyntrans_type(chromium_t)
@@ -181,6 +192,10 @@ tunable_policy(`chromium_bind_tcp_unreserved_ports',`
allow chromium_t self:tcp_socket { listen accept };
')
+tunable_policy(`chromium_rw_usb_dev',`
+ dev_rw_generic_usb_dev(chromium_t)
+')
+
tunable_policy(`chromium_read_system_info',`
kernel_read_kernel_sysctls(chromium_t)
# Memory optimizations & optimizations based on OS/version
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-03-25 16:01 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-03-25 16:01 UTC (permalink / raw
To: gentoo-commits
commit: 5661e0858e00e7f331d66a334d7c374842f1180a
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Mar 25 02:24:41 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Mar 25 15:52:04 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5661e085
rpcbind: typo fix
policy/modules/contrib/rpcbind.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/rpcbind.if b/policy/modules/contrib/rpcbind.if
index 1a1cb99..f78fef0 100644
--- a/policy/modules/contrib/rpcbind.if
+++ b/policy/modules/contrib/rpcbind.if
@@ -21,7 +21,7 @@ interface(`rpcbind_domtrans',`
########################################
## <summary>
-## Connect to rpcbindd with a
+## Connect to rpcbind with a
## unix domain stream socket.
## </summary>
## <param name="domain">
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-03-25 16:01 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-03-25 16:01 UTC (permalink / raw
To: gentoo-commits
commit: cb6b0aae28b9c827262a505246a574b00fc7790c
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Feb 3 13:48:40 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Mar 25 15:54:44 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cb6b0aae
add fcontext for openntpd drift file
policy/modules/contrib/ntp.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index 6105583..c74d996 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -27,4 +27,5 @@
ifdef(`distro_gentoo',`
/usr/bin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/var/lib/openntpd/ntpd.drift -- gen_context(system_u:object_r:ntp_drift_t,s0)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-03-25 16:01 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-03-25 16:01 UTC (permalink / raw
To: gentoo-commits
commit: 7b3c908130c376a0c5d312057979dbfa4281d2ea
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Mar 25 02:24:42 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Mar 25 15:52:04 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7b3c9081
git: make inetd interface optional
git-daemon can be run without inetd, this patch makes the
interface optional so that git.pp can be loaded without inetd
policy/modules/contrib/git.te | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/git.te b/policy/modules/contrib/git.te
index 084ac9d..a93c976 100644
--- a/policy/modules/contrib/git.te
+++ b/policy/modules/contrib/git.te
@@ -86,7 +86,6 @@ apache_content_template(git)
type git_system_t, git_daemon;
type gitd_exec_t;
-inetd_service_domain(git_system_t, gitd_exec_t)
init_daemon_domain(git_system_t, gitd_exec_t)
type git_session_t, git_daemon;
@@ -122,6 +121,10 @@ auth_use_nsswitch(git_session_t)
userdom_use_user_terminals(git_session_t)
+optional_policy(`
+ inetd_service_domain(git_system_t, gitd_exec_t)
+')
+
tunable_policy(`git_session_bind_all_unreserved_ports',`
corenet_sendrecv_all_server_packets(git_session_t)
corenet_tcp_bind_all_unreserved_ports(git_session_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-03-25 16:01 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-03-25 16:01 UTC (permalink / raw
To: gentoo-commits
commit: df65cfff17b72258446578aafe99edac7ea237bd
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Mar 25 02:24:44 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Mar 25 15:52:05 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=df65cfff
rpc: allow setgid capability
rpc.gssd needs to be able to setgid, otherwise using a kerberized nfs
mount fails with permission denied.
errors:
rpc.gssd[22887]: WARNING: unable to drop supplimentary groups!
rpc.gssd[22887]: WARNING: failed to change identity: Operation not permitted
denials:
type=AVC msg=audit(1427206637.030:9956): avc: denied { setgid } for
pid=22887 comm="rpc.gssd" capability=6
scontext=system_u:system_r:gssd_t tcontext=system_u:system_r:gssd_t
tclass=capability permissive=0
type=SYSCALL msg=audit(1427206637.030:9956): arch=c000003e syscall=116
success=no exit=-1 a0=0 a1=0 a2=5111a30e20 a3=31fc5672090 items=0
ppid=22763 pid=22887 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=2 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd"
subj=system_u:system_r:gssd_t key=(null)
policy/modules/contrib/rpc.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 66f77ab..cf4d1fc 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -282,7 +282,7 @@ optional_policy(`
# GSSD local policy
#
-allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
+allow gssd_t self:capability { dac_override dac_read_search setuid setgid sys_nice };
allow gssd_t self:process { getsched setsched };
allow gssd_t self:fifo_file rw_fifo_file_perms;
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2015-03-25 15:55 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-03-25 16:01 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-03-25 16:01 UTC (permalink / raw
To: gentoo-commits
commit: 05a1bdce8efe1b2c689f55e1f3018ff7df6de43d
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Mar 25 02:24:43 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Mar 25 15:52:05 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=05a1bdce
rpc: introduce allow_gssd_write_tmp boolean
gssd needs to be able to write the user's kerberos token
into the ticket cache which is stored in /tmp
type=AVC msg=audit(1427206305.314:9914): avc: granted { read write
open } for pid=22562 comm="rpc.gssd" path="/tmp/krb5cc_1000"
dev="tmpfs" ino=327516 scontext=system_u:system_r:gssd_t
tcontext=staff_u:object_r:user_tmp_t tclass=file
policy/modules/contrib/rpc.te | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index d48a946..66f77ab 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -15,6 +15,14 @@ gen_tunable(allow_gssd_read_tmp, false)
## <desc>
## <p>
+## Determine whether gssd can write
+## generic user temporary content.
+## </p>
+## </desc>
+gen_tunable(allow_gssd_write_tmp, false)
+
+## <desc>
+## <p>
## Determine whether nfs can modify
## public files used for public file
## transfer services. Directories/Files must
@@ -313,6 +321,11 @@ tunable_policy(`allow_gssd_read_tmp',`
userdom_read_user_tmp_symlinks(gssd_t)
')
+tunable_policy(`allow_gssd_write_tmp',`
+ userdom_list_user_tmp(gssd_t)
+ userdom_rw_user_tmp_files(gssd_t)
+')
+
optional_policy(`
automount_signal(gssd_t)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-03-25 16:01 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-03-25 16:01 UTC (permalink / raw
To: gentoo-commits
commit: f78e2773a5ccfa735d536aa373d95219a47a3f78
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Mar 25 12:27:04 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Mar 25 15:52:05 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f78e2773
Module version bump for patches from Jason Zaman.
policy/modules/contrib/dnsmasq.te | 2 +-
policy/modules/contrib/git.te | 2 +-
policy/modules/contrib/rpc.te | 2 +-
policy/modules/contrib/rpcbind.te | 2 +-
policy/modules/contrib/virt.te | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index eb3c7f8..e2f8300 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -1,4 +1,4 @@
-policy_module(dnsmasq, 1.12.0)
+policy_module(dnsmasq, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/git.te b/policy/modules/contrib/git.te
index a93c976..1ca8c24 100644
--- a/policy/modules/contrib/git.te
+++ b/policy/modules/contrib/git.te
@@ -1,4 +1,4 @@
-policy_module(git, 1.5.0)
+policy_module(git, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index cf4d1fc..f0fa041 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.16.0)
+policy_module(rpc, 1.16.1)
########################################
#
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index 78022b6..9604d59 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.8.0)
+policy_module(rpcbind, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 0d50107..27a28df 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.8.0)
+policy_module(virt, 1.8.1)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-03-25 16:01 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-03-25 16:01 UTC (permalink / raw
To: gentoo-commits
commit: d4ff30bdc377f3dea934af1b478cdf86d33a7589
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Mar 25 02:24:46 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Mar 25 15:52:05 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d4ff30bd
introduce virt_leaseshelper_t
policy/modules/contrib/dnsmasq.te | 1 +
policy/modules/contrib/virt.fc | 1 +
policy/modules/contrib/virt.if | 20 ++++++++++++++++++++
policy/modules/contrib/virt.te | 23 +++++++++++++++++++++++
4 files changed, 45 insertions(+)
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index fbfe09f..eb3c7f8 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -127,4 +127,5 @@ optional_policy(`
virt_manage_lib_files(dnsmasq_t)
virt_read_pid_files(dnsmasq_t)
virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
+ virt_domtrans_leaseshelper(dnsmasq_t)
')
diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index a4f20bc..b38007b 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -18,6 +18,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
/usr/libexec/qemu-bridge-helper gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)
+/usr/libexec/libvirt_leaseshelper -- gen_context(system_u:object_r:virt_leaseshelper_exec_t,s0)
/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
/usr/bin/virt-sandbox-service.* -- gen_context(system_u:object_r:virsh_exec_t,s0)
diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if
index c8bc302..7c97c87 100644
--- a/policy/modules/contrib/virt.if
+++ b/policy/modules/contrib/virt.if
@@ -193,6 +193,26 @@ interface(`virt_domtrans_bridgehelper',`
########################################
## <summary>
+## Execute a domain transition to
+## run virt bridgehelper.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`virt_domtrans_leaseshelper',`
+ gen_require(`
+ type virt_leaseshelper_t, virt_leaseshelper_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, virt_leaseshelper_exec_t, virt_leaseshelper_t)
+')
+
+########################################
+## <summary>
## Execute bridgehelper in the bridgehelper
## domain, and allow the specified role
## the bridgehelper domain.
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 6332b0f..0d50107 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -166,6 +166,12 @@ domain_type(virt_bridgehelper_t)
domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t)
role virt_bridgehelper_roles types virt_bridgehelper_t;
+type virt_leaseshelper_t;
+type virt_leaseshelper_exec_t;
+domain_type(virt_leaseshelper_t)
+domain_entry_file(virt_leaseshelper_t, virt_leaseshelper_exec_t)
+role system_r types virt_leaseshelper_t;
+
type virtd_lxc_t;
type virtd_lxc_exec_t;
init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
@@ -1220,3 +1226,20 @@ corenet_rw_tun_tap_dev(virt_bridgehelper_t)
userdom_search_user_home_dirs(virt_bridgehelper_t)
userdom_use_user_ptys(virt_bridgehelper_t)
+
+########################################
+#
+# Leaseshelper local policy
+#
+
+allow virt_leaseshelper_t virtd_t:fd use;
+allow virt_leaseshelper_t virtd_t:fifo_file write_fifo_file_perms;
+
+manage_dirs_pattern(virt_leaseshelper_t, virt_var_lib_t, virt_var_lib_t)
+manage_files_pattern(virt_leaseshelper_t, virt_var_lib_t, virt_var_lib_t)
+files_var_lib_filetrans(virt_leaseshelper_t, virt_var_lib_t, { file dir })
+
+manage_files_pattern(virt_leaseshelper_t, virt_var_run_t, virt_var_run_t)
+files_pid_filetrans(virt_leaseshelper_t, virt_var_run_t, file)
+
+kernel_dontaudit_read_system_state(virt_leaseshelper_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-03-25 16:01 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-03-25 16:01 UTC (permalink / raw
To: gentoo-commits
commit: c00545ccf571b026bd76524b6efec2d766ef7f12
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Mar 25 02:24:45 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Mar 25 15:52:05 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c00545cc
virt: add virt_tmpfs_t type and permissions
virtd_t writes the spice shm file in tmpfs so this allows access.
type=AVC msg=audit(1427209364.960:10357): avc: granted { add_name }
for pid=24933 comm="qemu-system-x86" name="spice.24933"
scontext=system_u:system_r:virtd_t tcontext=system_u:object_r:tmpfs_t
tclass=dir
type=AVC msg=audit(1427209364.960:10357): avc: granted { write } for
pid=24933 comm="qemu-system-x86" path="/dev/shm/spice.24933" dev="tmpfs"
ino=638614 scontext=system_u:system_r:virtd_t
tcontext=system_u:object_r:tmpfs_t tclass=file
policy/modules/contrib/virt.te | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 59c0f07..6332b0f 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -127,6 +127,9 @@ mls_trusted_object(virt_log_t)
type virt_tmp_t;
files_tmp_file(virt_tmp_t)
+type virt_tmpfs_t;
+files_tmpfs_file(virt_tmpfs_t)
+
type virt_var_run_t;
files_pid_file(virt_var_run_t)
@@ -484,6 +487,10 @@ manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })
+manage_dirs_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+manage_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+fs_tmpfs_filetrans(virtd_t, virt_tmpfs_t, { file dir })
+
# This needs a file context specification
manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t)
manage_files_pattern(virtd_t, virt_lock_t, virt_lock_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-03-25 16:01 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-03-25 16:01 UTC (permalink / raw
To: gentoo-commits
commit: 84771e7cc45aa4f5b0b9ac2a3834a48a24f1b3c6
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Mar 24 15:53:44 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Mar 25 15:54:45 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=84771e7c
introduce chromium_rw_usb_dev
allows chromium to use USB devices for android debugging or to use
a FIDO U2F token.
policy/modules/contrib/chromium.te | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index e5aa5aa..b2c9ccc 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -41,6 +41,17 @@ gen_tunable(chromium_read_system_info, false)
## </desc>
gen_tunable(chromium_bind_tcp_unreserved_ports, false)
+## <desc>
+## <p>
+## Allow chromium to read/write USB devices
+## </p>
+## <p>
+## Although not needed for regular browsing, used for debugging over usb
+## or using FIDO U2F tokens.
+## </p>
+## </desc>
+gen_tunable(chromium_rw_usb_dev, false)
+
type chromium_t;
domain_dyntrans_type(chromium_t)
@@ -181,6 +192,10 @@ tunable_policy(`chromium_bind_tcp_unreserved_ports',`
allow chromium_t self:tcp_socket { listen accept };
')
+tunable_policy(`chromium_rw_usb_dev',`
+ dev_rw_generic_usb_dev(chromium_t)
+')
+
tunable_policy(`chromium_read_system_info',`
kernel_read_kernel_sysctls(chromium_t)
# Memory optimizations & optimizations based on OS/version
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-03-25 16:01 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-03-25 16:01 UTC (permalink / raw
To: gentoo-commits
commit: 7c88c205ad51f397e75030c9e60bd561a9f8a147
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Mar 24 12:27:05 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Mar 25 15:54:45 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7c88c205
skype: policy rules for v4.3
It now uses pulseaudio and also needs dir permissions in /tmp
policy/modules/contrib/skype.te | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/skype.te b/policy/modules/contrib/skype.te
index 4c71730..be0684f 100644
--- a/policy/modules/contrib/skype.te
+++ b/policy/modules/contrib/skype.te
@@ -55,9 +55,10 @@ manage_fifo_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
manage_sock_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
fs_tmpfs_filetrans(skype_t, skype_tmpfs_t, { file lnk_file sock_file fifo_file })
+manage_dirs_pattern(skype_t, skype_tmp_t, skype_tmp_t)
manage_files_pattern(skype_t, skype_tmp_t, skype_tmp_t)
manage_sock_files_pattern(skype_t, skype_tmp_t, skype_tmp_t)
-files_tmp_filetrans(skype_t, skype_tmp_t, { file sock_file })
+files_tmp_filetrans(skype_t, skype_tmp_t, { dir file sock_file })
kernel_dontaudit_search_sysctl(skype_t)
kernel_dontaudit_read_kernel_sysctls(skype_t)
@@ -73,15 +74,16 @@ corenet_all_recvfrom_netlabel(skype_t)
corenet_all_recvfrom_unlabeled(skype_t)
corenet_sendrecv_http_client_packets(skype_t)
corenet_tcp_bind_generic_node(skype_t)
-corenet_tcp_bind_generic_port(skype_t)
+corenet_tcp_bind_generic_port(skype_t)
corenet_tcp_connect_all_unreserved_ports(skype_t)
corenet_tcp_connect_generic_port(skype_t)
corenet_tcp_connect_http_port(skype_t)
corenet_tcp_sendrecv_http_port(skype_t)
corenet_udp_bind_generic_node(skype_t)
-corenet_udp_bind_generic_port(skype_t)
+corenet_udp_bind_generic_port(skype_t)
dev_dontaudit_search_sysfs(skype_t)
+dev_dontaudit_read_sysfs(skype_t)
dev_read_sound(skype_t)
dev_read_video_dev(skype_t)
dev_write_sound(skype_t)
@@ -112,6 +114,10 @@ tunable_policy(`skype_manage_user_content',`
')
optional_policy(`
+ pulseaudio_client_domain(skype_t, skype_tmpfs_t)
+')
+
+optional_policy(`
dbus_system_bus_client(skype_t)
dbus_all_session_bus_client(skype_t)
')
@@ -120,6 +126,10 @@ optional_policy(`
xdg_manage_config_home(skype_t)
')
+optional_policy(`
+ mozilla_dontaudit_manage_user_home_files(skype_t)
+')
+
ifdef(`use_alsa',`
optional_policy(`
alsa_domain(skype_t, skype_tmpfs_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-03-25 16:01 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-03-25 16:01 UTC (permalink / raw
To: gentoo-commits
commit: 33bf518a1fec1773e47c3431cd749f4c8207d2e4
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Mar 23 14:55:32 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Mar 25 15:54:45 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=33bf518a
alsa: gentoo saves state files in /var/lib/alsa/oss/CardName
alsa_read/write_lib have permission on files, add in permission
for dirs too since gentoo's init script saves things in subdirs
policy/modules/contrib/alsa.if | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/policy/modules/contrib/alsa.if b/policy/modules/contrib/alsa.if
index 8f25112..38bbf80 100644
--- a/policy/modules/contrib/alsa.if
+++ b/policy/modules/contrib/alsa.if
@@ -255,6 +255,11 @@ interface(`alsa_read_lib',`
files_search_var_lib($1)
read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+
+ ifdef(`distro_gentoo',`
+ # gentoo saves the files in /var/lib/alsa/oss/CardName
+ list_dirs_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+ ')
')
#########################################
@@ -274,6 +279,11 @@ interface(`alsa_write_lib',`
files_search_var_lib($1)
write_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+
+ ifdef(`distro_gentoo',`
+ # gentoo saves the files in /var/lib/alsa/oss/CardName
+ rw_dirs_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+ ')
')
# Gentoo specific for now, but cannot use ifdef distro_gentoo in an interface
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-03-25 16:01 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-03-25 16:01 UTC (permalink / raw
To: gentoo-commits
commit: 35ecd91545512101234bf017ce9edb67407cb086
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Feb 9 17:17:40 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Mar 25 15:54:44 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=35ecd915
salt: allow salt to ps all processes
Salt needs to be able to list all processes to check if services
are running
policy/modules/contrib/salt.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 970b183..4c76ecc 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -269,7 +269,7 @@ corenet_tcp_connect_salt_port(salt_minion_t)
dev_read_sysfs(salt_minion_t)
domain_dontaudit_exec_all_entry_files(salt_minion_t)
-domain_dontaudit_search_all_domains_state(salt_minion_t)
+domain_read_all_domains_state(salt_minion_t)
files_manage_all_non_security_file_types(salt_minion_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-03-29 10:01 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-03-29 10:01 UTC (permalink / raw
To: gentoo-commits
commit: ecd0604b018b735a5f47a3fa43a7141f5ab66ab9
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Feb 9 17:17:40 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Mar 29 09:53:51 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ecd0604b
salt: allow salt to ps all processes
Salt needs to be able to list all processes to check if services
are running
policy/modules/contrib/salt.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 970b183..4c76ecc 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -269,7 +269,7 @@ corenet_tcp_connect_salt_port(salt_minion_t)
dev_read_sysfs(salt_minion_t)
domain_dontaudit_exec_all_entry_files(salt_minion_t)
-domain_dontaudit_search_all_domains_state(salt_minion_t)
+domain_read_all_domains_state(salt_minion_t)
files_manage_all_non_security_file_types(salt_minion_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-03-29 10:01 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-03-29 10:01 UTC (permalink / raw
To: gentoo-commits
commit: 57264aa48955ae0f3b62257b0bb6bf0fd6a312bb
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Mar 23 14:55:32 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Mar 29 09:54:10 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=57264aa4
alsa: gentoo saves state files in /var/lib/alsa/oss/CardName
alsa_read/write_lib have permission on files, add in permission
for dirs too since gentoo's init script saves things in subdirs
policy/modules/contrib/alsa.if | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/policy/modules/contrib/alsa.if b/policy/modules/contrib/alsa.if
index 8f25112..38bbf80 100644
--- a/policy/modules/contrib/alsa.if
+++ b/policy/modules/contrib/alsa.if
@@ -255,6 +255,11 @@ interface(`alsa_read_lib',`
files_search_var_lib($1)
read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+
+ ifdef(`distro_gentoo',`
+ # gentoo saves the files in /var/lib/alsa/oss/CardName
+ list_dirs_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+ ')
')
#########################################
@@ -274,6 +279,11 @@ interface(`alsa_write_lib',`
files_search_var_lib($1)
write_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+
+ ifdef(`distro_gentoo',`
+ # gentoo saves the files in /var/lib/alsa/oss/CardName
+ rw_dirs_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+ ')
')
# Gentoo specific for now, but cannot use ifdef distro_gentoo in an interface
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-03-29 10:01 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-03-29 10:01 UTC (permalink / raw
To: gentoo-commits
commit: 394b856733a6953b28aa53ee305aea7d5de03ccb
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Mar 24 12:27:05 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Mar 29 09:54:32 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=394b8567
skype: policy rules for v4.3
It now uses pulseaudio and also needs dir permissions in /tmp
policy/modules/contrib/skype.te | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/skype.te b/policy/modules/contrib/skype.te
index 4c71730..be0684f 100644
--- a/policy/modules/contrib/skype.te
+++ b/policy/modules/contrib/skype.te
@@ -55,9 +55,10 @@ manage_fifo_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
manage_sock_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
fs_tmpfs_filetrans(skype_t, skype_tmpfs_t, { file lnk_file sock_file fifo_file })
+manage_dirs_pattern(skype_t, skype_tmp_t, skype_tmp_t)
manage_files_pattern(skype_t, skype_tmp_t, skype_tmp_t)
manage_sock_files_pattern(skype_t, skype_tmp_t, skype_tmp_t)
-files_tmp_filetrans(skype_t, skype_tmp_t, { file sock_file })
+files_tmp_filetrans(skype_t, skype_tmp_t, { dir file sock_file })
kernel_dontaudit_search_sysctl(skype_t)
kernel_dontaudit_read_kernel_sysctls(skype_t)
@@ -73,15 +74,16 @@ corenet_all_recvfrom_netlabel(skype_t)
corenet_all_recvfrom_unlabeled(skype_t)
corenet_sendrecv_http_client_packets(skype_t)
corenet_tcp_bind_generic_node(skype_t)
-corenet_tcp_bind_generic_port(skype_t)
+corenet_tcp_bind_generic_port(skype_t)
corenet_tcp_connect_all_unreserved_ports(skype_t)
corenet_tcp_connect_generic_port(skype_t)
corenet_tcp_connect_http_port(skype_t)
corenet_tcp_sendrecv_http_port(skype_t)
corenet_udp_bind_generic_node(skype_t)
-corenet_udp_bind_generic_port(skype_t)
+corenet_udp_bind_generic_port(skype_t)
dev_dontaudit_search_sysfs(skype_t)
+dev_dontaudit_read_sysfs(skype_t)
dev_read_sound(skype_t)
dev_read_video_dev(skype_t)
dev_write_sound(skype_t)
@@ -112,6 +114,10 @@ tunable_policy(`skype_manage_user_content',`
')
optional_policy(`
+ pulseaudio_client_domain(skype_t, skype_tmpfs_t)
+')
+
+optional_policy(`
dbus_system_bus_client(skype_t)
dbus_all_session_bus_client(skype_t)
')
@@ -120,6 +126,10 @@ optional_policy(`
xdg_manage_config_home(skype_t)
')
+optional_policy(`
+ mozilla_dontaudit_manage_user_home_files(skype_t)
+')
+
ifdef(`use_alsa',`
optional_policy(`
alsa_domain(skype_t, skype_tmpfs_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-03-29 10:01 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-03-29 10:01 UTC (permalink / raw
To: gentoo-commits
commit: 4e11ed26a455239c132651edfed09d88e1c080a9
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Feb 3 13:48:40 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Mar 29 09:56:26 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4e11ed26
add fcontext for openntpd drift file
policy/modules/contrib/ntp.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index 6105583..c74d996 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -27,4 +27,5 @@
ifdef(`distro_gentoo',`
/usr/bin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/var/lib/openntpd/ntpd.drift -- gen_context(system_u:object_r:ntp_drift_t,s0)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2015-03-29 9:59 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-03-29 10:01 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-03-29 10:01 UTC (permalink / raw
To: gentoo-commits
commit: cc6a8328ab18f5447fbdba85531c9b521dc2eb0b
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Mar 24 15:53:44 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Mar 29 09:54:32 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cc6a8328
introduce chromium_rw_usb_dev
allows chromium to use USB devices for android debugging or to use
a FIDO U2F token.
policy/modules/contrib/chromium.te | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index e5aa5aa..b2c9ccc 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -41,6 +41,17 @@ gen_tunable(chromium_read_system_info, false)
## </desc>
gen_tunable(chromium_bind_tcp_unreserved_ports, false)
+## <desc>
+## <p>
+## Allow chromium to read/write USB devices
+## </p>
+## <p>
+## Although not needed for regular browsing, used for debugging over usb
+## or using FIDO U2F tokens.
+## </p>
+## </desc>
+gen_tunable(chromium_rw_usb_dev, false)
+
type chromium_t;
domain_dyntrans_type(chromium_t)
@@ -181,6 +192,10 @@ tunable_policy(`chromium_bind_tcp_unreserved_ports',`
allow chromium_t self:tcp_socket { listen accept };
')
+tunable_policy(`chromium_rw_usb_dev',`
+ dev_rw_generic_usb_dev(chromium_t)
+')
+
tunable_policy(`chromium_read_system_info',`
kernel_read_kernel_sysctls(chromium_t)
# Memory optimizations & optimizations based on OS/version
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-05-11 21:49 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-05-11 21:49 UTC (permalink / raw
To: gentoo-commits
commit: 79e88c8b29101c1af176e969573f87f3ebbf80c3
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon May 11 20:25:10 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon May 11 21:47:29 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=79e88c8b
remove initrc_exec_t transitions for sysadm
policy/modules/contrib/abrt.if | 8 ++++----
policy/modules/contrib/acct.if | 8 ++++----
policy/modules/contrib/afs.if | 8 ++++----
policy/modules/contrib/aiccu.if | 8 ++++----
policy/modules/contrib/aisexec.if | 8 ++++----
policy/modules/contrib/amavis.if | 8 ++++----
policy/modules/contrib/amtu.if | 8 ++++----
policy/modules/contrib/apache.if | 8 ++++----
policy/modules/contrib/apcupsd.if | 8 ++++----
policy/modules/contrib/apm.if | 8 ++++----
policy/modules/contrib/arpwatch.if | 8 ++++----
policy/modules/contrib/asterisk.if | 8 ++++----
policy/modules/contrib/automount.if | 8 ++++----
policy/modules/contrib/avahi.if | 8 ++++----
policy/modules/contrib/bacula.if | 8 ++++----
policy/modules/contrib/bcfg2.if | 8 ++++----
policy/modules/contrib/bind.if | 8 ++++----
policy/modules/contrib/bird.if | 8 ++++----
policy/modules/contrib/bitcoin.if | 8 ++++----
policy/modules/contrib/bitlbee.if | 8 ++++----
policy/modules/contrib/bluetooth.if | 8 ++++----
policy/modules/contrib/boinc.if | 8 ++++----
policy/modules/contrib/cachefilesd.if | 8 ++++----
policy/modules/contrib/callweaver.if | 8 ++++----
policy/modules/contrib/canna.if | 8 ++++----
policy/modules/contrib/ccs.if | 8 ++++----
policy/modules/contrib/certmaster.if | 8 ++++----
policy/modules/contrib/certmonger.if | 8 ++++----
policy/modules/contrib/cfengine.if | 8 ++++----
policy/modules/contrib/cgroup.if | 10 +++++-----
policy/modules/contrib/chronyd.if | 8 ++++----
policy/modules/contrib/cipe.if | 8 ++++----
policy/modules/contrib/clamav.if | 8 ++++----
policy/modules/contrib/cmirrord.if | 8 ++++----
policy/modules/contrib/cobbler.if | 8 ++++----
policy/modules/contrib/collectd.if | 8 ++++----
policy/modules/contrib/condor.if | 8 ++++----
policy/modules/contrib/corosync.if | 8 ++++----
policy/modules/contrib/couchdb.if | 8 ++++----
policy/modules/contrib/ctdb.if | 8 ++++----
policy/modules/contrib/cups.if | 8 ++++----
policy/modules/contrib/cvs.if | 8 ++++----
policy/modules/contrib/cyphesis.if | 8 ++++----
policy/modules/contrib/cyrus.if | 8 ++++----
policy/modules/contrib/dante.if | 8 ++++----
policy/modules/contrib/ddclient.if | 8 ++++----
policy/modules/contrib/denyhosts.if | 8 ++++----
policy/modules/contrib/dhcp.if | 8 ++++----
policy/modules/contrib/dictd.if | 8 ++++----
policy/modules/contrib/dirmngr.if | 8 ++++----
policy/modules/contrib/distcc.if | 8 ++++----
policy/modules/contrib/dkim.if | 8 ++++----
policy/modules/contrib/dnsmasq.if | 8 ++++----
policy/modules/contrib/dnssectrigger.if | 8 ++++----
policy/modules/contrib/dovecot.if | 8 ++++----
policy/modules/contrib/drbd.if | 8 ++++----
policy/modules/contrib/dspam.if | 8 ++++----
policy/modules/contrib/entropyd.if | 8 ++++----
policy/modules/contrib/exim.if | 8 ++++----
policy/modules/contrib/fail2ban.if | 8 ++++----
policy/modules/contrib/fcoe.if | 8 ++++----
policy/modules/contrib/fetchmail.if | 8 ++++----
policy/modules/contrib/firewalld.if | 8 ++++----
policy/modules/contrib/ftp.if | 8 ++++----
policy/modules/contrib/gatekeeper.if | 8 ++++----
policy/modules/contrib/gdomap.if | 8 ++++----
policy/modules/contrib/glance.if | 8 ++++----
policy/modules/contrib/glusterfs.if | 8 ++++----
policy/modules/contrib/gpm.if | 8 ++++----
policy/modules/contrib/gpsd.if | 8 ++++----
policy/modules/contrib/hadoop.if | 8 ++++----
policy/modules/contrib/hddtemp.if | 8 ++++----
policy/modules/contrib/howl.if | 8 ++++----
policy/modules/contrib/hypervkvp.if | 8 ++++----
policy/modules/contrib/i18n_input.if | 8 ++++----
policy/modules/contrib/icecast.if | 8 ++++----
policy/modules/contrib/ifplugd.if | 8 ++++----
policy/modules/contrib/inn.if | 8 ++++----
policy/modules/contrib/iodine.if | 8 ++++----
policy/modules/contrib/ircd.if | 8 ++++----
policy/modules/contrib/irqbalance.if | 8 ++++----
policy/modules/contrib/iscsi.if | 8 ++++----
policy/modules/contrib/isns.if | 8 ++++----
policy/modules/contrib/jabber.if | 8 ++++----
policy/modules/contrib/kdump.if | 8 ++++----
policy/modules/contrib/kerberos.if | 8 ++++----
policy/modules/contrib/kerneloops.if | 8 ++++----
policy/modules/contrib/keystone.if | 8 ++++----
policy/modules/contrib/kismet.if | 8 ++++----
policy/modules/contrib/ksmtuned.if | 8 ++++----
policy/modules/contrib/kudzu.if | 8 ++++----
policy/modules/contrib/l2tp.if | 8 ++++----
policy/modules/contrib/ldap.if | 8 ++++----
policy/modules/contrib/likewise.if | 8 ++++----
policy/modules/contrib/lircd.if | 8 ++++----
policy/modules/contrib/lldpad.if | 8 ++++----
policy/modules/contrib/mailscanner.if | 8 ++++----
policy/modules/contrib/mcelog.if | 8 ++++----
policy/modules/contrib/memcached.if | 8 ++++----
policy/modules/contrib/minidlna.if | 8 ++++----
policy/modules/contrib/minissdpd.if | 8 ++++----
policy/modules/contrib/mongodb.if | 8 ++++----
policy/modules/contrib/monop.if | 8 ++++----
policy/modules/contrib/mpd.if | 8 ++++----
policy/modules/contrib/mrtg.if | 8 ++++----
policy/modules/contrib/munin.if | 8 ++++----
policy/modules/contrib/mysql.if | 8 ++++----
policy/modules/contrib/nagios.if | 8 ++++----
policy/modules/contrib/nessus.if | 8 ++++----
policy/modules/contrib/networkmanager.if | 8 ++++----
policy/modules/contrib/nis.if | 10 +++++-----
policy/modules/contrib/nscd.if | 8 ++++----
policy/modules/contrib/nsd.if | 8 ++++----
policy/modules/contrib/nslcd.if | 8 ++++----
policy/modules/contrib/ntop.if | 8 ++++----
policy/modules/contrib/ntp.if | 8 ++++----
policy/modules/contrib/numad.if | 8 ++++----
policy/modules/contrib/nut.if | 8 ++++----
policy/modules/contrib/oident.if | 8 ++++----
policy/modules/contrib/openct.if | 8 ++++----
policy/modules/contrib/openhpi.if | 8 ++++----
policy/modules/contrib/openvpn.if | 8 ++++----
policy/modules/contrib/openvswitch.if | 8 ++++----
policy/modules/contrib/pacemaker.if | 8 ++++----
policy/modules/contrib/pads.if | 8 ++++----
policy/modules/contrib/pcscd.if | 8 ++++----
policy/modules/contrib/pegasus.if | 8 ++++----
policy/modules/contrib/perdition.if | 8 ++++----
policy/modules/contrib/pingd.if | 8 ++++----
policy/modules/contrib/pkcs.if | 8 ++++----
policy/modules/contrib/polipo.if | 8 ++++----
policy/modules/contrib/portmap.if | 8 ++++----
policy/modules/contrib/portreserve.if | 8 ++++----
policy/modules/contrib/postfix.if | 8 ++++----
policy/modules/contrib/postfixpolicyd.if | 8 ++++----
policy/modules/contrib/postgrey.if | 8 ++++----
policy/modules/contrib/ppp.if | 8 ++++----
policy/modules/contrib/prelude.if | 8 ++++----
policy/modules/contrib/privoxy.if | 8 ++++----
policy/modules/contrib/psad.if | 8 ++++----
policy/modules/contrib/puppet.if | 8 ++++----
policy/modules/contrib/pxe.if | 8 ++++----
policy/modules/contrib/pyicqt.if | 8 ++++----
policy/modules/contrib/pyzor.if | 8 ++++----
policy/modules/contrib/qpid.if | 8 ++++----
policy/modules/contrib/quantum.if | 8 ++++----
policy/modules/contrib/quota.if | 8 ++++----
policy/modules/contrib/rabbitmq.if | 8 ++++----
policy/modules/contrib/radius.if | 8 ++++----
policy/modules/contrib/radvd.if | 8 ++++----
policy/modules/contrib/raid.if | 8 ++++----
policy/modules/contrib/redis.if | 8 ++++----
policy/modules/contrib/resmgr.if | 8 ++++----
policy/modules/contrib/rgmanager.if | 8 ++++----
policy/modules/contrib/rhcs.if | 8 ++++----
policy/modules/contrib/rhsmcertd.if | 8 ++++----
policy/modules/contrib/ricci.if | 8 ++++----
policy/modules/contrib/rngd.if | 8 ++++----
policy/modules/contrib/roundup.if | 8 ++++----
policy/modules/contrib/rpc.if | 8 ++++----
policy/modules/contrib/rpcbind.if | 8 ++++----
policy/modules/contrib/rpm.if | 8 ++++----
policy/modules/contrib/rtkit.if | 8 ++++----
policy/modules/contrib/rwho.if | 8 ++++----
policy/modules/contrib/salt.if | 16 ++++++++--------
policy/modules/contrib/samba.if | 8 ++++----
policy/modules/contrib/sanlock.if | 8 ++++----
policy/modules/contrib/sasl.if | 8 ++++----
policy/modules/contrib/sblim.if | 8 ++++----
policy/modules/contrib/sendmail.if | 6 +++---
policy/modules/contrib/sensord.if | 8 ++++----
policy/modules/contrib/shorewall.if | 8 ++++----
policy/modules/contrib/slpd.if | 8 ++++----
policy/modules/contrib/smartmon.if | 8 ++++----
policy/modules/contrib/smokeping.if | 8 ++++----
policy/modules/contrib/smstools.if | 8 ++++----
policy/modules/contrib/snmp.if | 8 ++++----
policy/modules/contrib/snort.if | 8 ++++----
policy/modules/contrib/soundserver.if | 8 ++++----
policy/modules/contrib/spamassassin.if | 8 ++++----
policy/modules/contrib/squid.if | 8 ++++----
policy/modules/contrib/sssd.if | 8 ++++----
policy/modules/contrib/svnserve.if | 8 ++++----
policy/modules/contrib/sysstat.if | 8 ++++----
policy/modules/contrib/systemtap.if | 8 ++++----
policy/modules/contrib/tcsd.if | 8 ++++----
policy/modules/contrib/tgtd.if | 8 ++++----
policy/modules/contrib/tor.if | 8 ++++----
policy/modules/contrib/transproxy.if | 8 ++++----
policy/modules/contrib/tuned.if | 8 ++++----
policy/modules/contrib/ulogd.if | 8 ++++----
policy/modules/contrib/uptime.if | 8 ++++----
policy/modules/contrib/uucp.if | 8 ++++----
policy/modules/contrib/uuidd.if | 8 ++++----
policy/modules/contrib/varnishd.if | 16 ++++++++--------
policy/modules/contrib/vdagent.if | 8 ++++----
policy/modules/contrib/vhostmd.if | 8 ++++----
policy/modules/contrib/virt.if | 8 ++++----
policy/modules/contrib/vnstatd.if | 8 ++++----
policy/modules/contrib/watchdog.if | 8 ++++----
policy/modules/contrib/wdmd.if | 8 ++++----
policy/modules/contrib/xfs.if | 8 ++++----
policy/modules/contrib/zabbix.if | 8 ++++----
policy/modules/contrib/zarafa.if | 8 ++++----
policy/modules/contrib/zebra.if | 8 ++++----
205 files changed, 829 insertions(+), 829 deletions(-)
diff --git a/policy/modules/contrib/abrt.if b/policy/modules/contrib/abrt.if
index 058d908..6195190 100644
--- a/policy/modules/contrib/abrt.if
+++ b/policy/modules/contrib/abrt.if
@@ -304,10 +304,10 @@ interface(`abrt_admin',`
allow $1 abrt_domain:process { ptrace signal_perms };
ps_process_pattern($1, abrt_domain)
- init_labeled_script_domtrans($1, abrt_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 abrt_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, abrt_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 abrt_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, abrt_etc_t)
diff --git a/policy/modules/contrib/acct.if b/policy/modules/contrib/acct.if
index 81280d0..a49181a 100644
--- a/policy/modules/contrib/acct.if
+++ b/policy/modules/contrib/acct.if
@@ -106,10 +106,10 @@ interface(`acct_admin',`
allow $1 acct_t:process { ptrace signal_perms };
ps_process_pattern($1, acct_t)
- init_labeled_script_domtrans($1, acct_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 acct_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, acct_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 acct_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, acct_data_t)
diff --git a/policy/modules/contrib/afs.if b/policy/modules/contrib/afs.if
index 3b41be6..04f8f03 100644
--- a/policy/modules/contrib/afs.if
+++ b/policy/modules/contrib/afs.if
@@ -103,10 +103,10 @@ interface(`afs_admin',`
allow $1 afs_domain:process { ptrace signal_perms };
ps_process_pattern($1, afs_domain)
- afs_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 afs_initrc_exec_t system_r;
- allow $2 system_r;
+ #afs_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 afs_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, afs_config_t)
diff --git a/policy/modules/contrib/aiccu.if b/policy/modules/contrib/aiccu.if
index 3b5dcb9..cd049ac 100644
--- a/policy/modules/contrib/aiccu.if
+++ b/policy/modules/contrib/aiccu.if
@@ -82,10 +82,10 @@ interface(`aiccu_admin',`
allow $1 aiccu_t:process { ptrace signal_perms };
ps_process_pattern($1, aiccu_t)
- aiccu_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 aiccu_initrc_exec_t system_r;
- allow $2 system_r;
+ #aiccu_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 aiccu_initrc_exec_t system_r;
+ #allow $2 system_r;
admin_pattern($1, aiccu_etc_t)
files_list_etc($1)
diff --git a/policy/modules/contrib/aisexec.if b/policy/modules/contrib/aisexec.if
index a2997fa..1bc0fcf 100644
--- a/policy/modules/contrib/aisexec.if
+++ b/policy/modules/contrib/aisexec.if
@@ -86,10 +86,10 @@ interface(`aisexecd_admin',`
allow $1 aisexec_t:process { ptrace signal_perms };
ps_process_pattern($1, aisexec_t)
- init_labeled_script_domtrans($1, aisexec_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 aisexec_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, aisexec_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 aisexec_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_var_lib($1)
admin_pattern($1, aisexec_var_lib_t)
diff --git a/policy/modules/contrib/amavis.if b/policy/modules/contrib/amavis.if
index 60d4f8c..9b6f2b2 100644
--- a/policy/modules/contrib/amavis.if
+++ b/policy/modules/contrib/amavis.if
@@ -237,10 +237,10 @@ interface(`amavis_admin',`
allow $1 amavis_t:process { ptrace signal_perms };
ps_process_pattern($1, amavis_t)
- amavis_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 amavis_initrc_exec_t system_r;
- allow $2 system_r;
+ #amavis_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 amavis_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, amavis_etc_t)
diff --git a/policy/modules/contrib/amtu.if b/policy/modules/contrib/amtu.if
index 884b23b..fa319c7 100644
--- a/policy/modules/contrib/amtu.if
+++ b/policy/modules/contrib/amtu.if
@@ -70,8 +70,8 @@ interface(`amtu_admin',`
allow $1 amtu_t:process { ptrace signal_perms };
ps_process_pattern($1, amtu_t)
- init_labeled_script_domtrans($1, amtu_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 amtu_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, amtu_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 amtu_initrc_exec_t system_r;
+ #allow $2 system_r;
')
diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if
index 717c6f7..b148da6 100644
--- a/policy/modules/contrib/apache.if
+++ b/policy/modules/contrib/apache.if
@@ -1318,10 +1318,10 @@ interface(`apache_admin',`
ps_process_pattern($1, { httpd_script_domains httpd_t httpd_helper_t })
ps_process_pattern($1, { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t })
- init_labeled_script_domtrans($1, httpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 httpd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, httpd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 httpd_initrc_exec_t system_r;
+ #allow $2 system_r;
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
diff --git a/policy/modules/contrib/apcupsd.if b/policy/modules/contrib/apcupsd.if
index f3c0aba..2e2b50c 100644
--- a/policy/modules/contrib/apcupsd.if
+++ b/policy/modules/contrib/apcupsd.if
@@ -149,10 +149,10 @@ interface(`apcupsd_admin',`
allow $1 apcupsd_t:process { ptrace signal_perms };
ps_process_pattern($1, apcupsd_t)
- apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 apcupsd_initrc_exec_t system_r;
- allow $2 system_r;
+ #apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 apcupsd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_var($1)
admin_pattern($1, apcupsd_lock_t)
diff --git a/policy/modules/contrib/apm.if b/policy/modules/contrib/apm.if
index 1a7a97e..f5219a2 100644
--- a/policy/modules/contrib/apm.if
+++ b/policy/modules/contrib/apm.if
@@ -166,10 +166,10 @@ interface(`apm_admin',`
allow $1 apmd_t:process { ptrace signal_perms };
ps_process_pattern($1, apmd_t)
- init_labeled_script_domtrans($1, apmd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 apmd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, apmd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 apmd_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, apmd_log_t)
diff --git a/policy/modules/contrib/arpwatch.if b/policy/modules/contrib/arpwatch.if
index 50c9b9c..7296bdf 100644
--- a/policy/modules/contrib/arpwatch.if
+++ b/policy/modules/contrib/arpwatch.if
@@ -143,10 +143,10 @@ interface(`arpwatch_admin',`
allow $1 arpwatch_t:process { ptrace signal_perms };
ps_process_pattern($1, arpwatch_t)
- arpwatch_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 arpwatch_initrc_exec_t system_r;
- allow $2 system_r;
+ #arpwatch_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 arpwatch_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, arpwatch_tmp_t)
diff --git a/policy/modules/contrib/asterisk.if b/policy/modules/contrib/asterisk.if
index 2077053..46ef939 100644
--- a/policy/modules/contrib/asterisk.if
+++ b/policy/modules/contrib/asterisk.if
@@ -127,10 +127,10 @@ interface(`asterisk_admin',`
allow $1 asterisk_t:process { ptrace signal_perms };
ps_process_pattern($1, asterisk_t)
- init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 asterisk_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 asterisk_initrc_exec_t system_r;
+ #allow $2 system_r;
asterisk_exec($1)
diff --git a/policy/modules/contrib/automount.if b/policy/modules/contrib/automount.if
index f24e369..82c1ea5 100644
--- a/policy/modules/contrib/automount.if
+++ b/policy/modules/contrib/automount.if
@@ -159,10 +159,10 @@ interface(`automount_admin',`
allow $1 automount_t:process { ptrace signal_perms };
ps_process_pattern($1, automount_t)
- init_labeled_script_domtrans($1, automount_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 automount_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, automount_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 automount_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, automount_keytab_t)
diff --git a/policy/modules/contrib/avahi.if b/policy/modules/contrib/avahi.if
index 9078c3d..b490161 100644
--- a/policy/modules/contrib/avahi.if
+++ b/policy/modules/contrib/avahi.if
@@ -264,10 +264,10 @@ interface(`avahi_admin',`
allow $1 avahi_t:process { ptrace signal_perms };
ps_process_pattern($1, avahi_t)
- avahi_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 avahi_initrc_exec_t system_r;
- allow $2 system_r;
+ #avahi_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 avahi_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, avahi_var_run_t)
diff --git a/policy/modules/contrib/bacula.if b/policy/modules/contrib/bacula.if
index dcd774e..fdfef80 100644
--- a/policy/modules/contrib/bacula.if
+++ b/policy/modules/contrib/bacula.if
@@ -74,10 +74,10 @@ interface(`bacula_admin',`
allow $1 bacula_t:process { ptrace signal_perms };
ps_process_pattern($1, bacula_t)
- init_labeled_script_domtrans($1, bacula_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 bacula_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, bacula_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 bacula_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, bacula_etc_t)
diff --git a/policy/modules/contrib/bcfg2.if b/policy/modules/contrib/bcfg2.if
index ec95d36..311ab75 100644
--- a/policy/modules/contrib/bcfg2.if
+++ b/policy/modules/contrib/bcfg2.if
@@ -141,10 +141,10 @@ interface(`bcfg2_admin',`
allow $1 bcfg2_t:process { ptrace signal_perms };
ps_process_pattern($1, bcfg2_t)
- bcfg2_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 bcfg2_initrc_exec_t system_r;
- allow $2 system_r;
+ #bcfg2_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 bcfg2_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, bcfg2_var_run_t)
diff --git a/policy/modules/contrib/bind.if b/policy/modules/contrib/bind.if
index 531a8f2..835b9c0 100644
--- a/policy/modules/contrib/bind.if
+++ b/policy/modules/contrib/bind.if
@@ -370,10 +370,10 @@ interface(`bind_admin',`
allow $1 { named_t ndc_t }:process { ptrace signal_perms };
ps_process_pattern($1, { named_t ndc_t })
- init_labeled_script_domtrans($1, named_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 named_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, named_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 named_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, named_tmp_t)
diff --git a/policy/modules/contrib/bird.if b/policy/modules/contrib/bird.if
index 85c035f..01278df 100644
--- a/policy/modules/contrib/bird.if
+++ b/policy/modules/contrib/bird.if
@@ -26,10 +26,10 @@ interface(`bird_admin',`
allow $1 bird_t:process { ptrace signal_perms };
ps_process_pattern($1, bird_t)
- init_labeled_script_domtrans($1, bird_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 bird_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, bird_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 bird_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, bird_etc_t)
diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if
index 922bc7c..a6d9018 100644
--- a/policy/modules/contrib/bitcoin.if
+++ b/policy/modules/contrib/bitcoin.if
@@ -26,10 +26,10 @@ interface(`bitcoin_admin',`
allow $1 bitcoin_t:process { ptrace signal_perms };
ps_process_pattern($1, bitcoin_t)
- init_labeled_script_domtrans($1, bitcoin_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 bitcoin_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, bitcoin_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 bitcoin_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, bitcoin_tmp_t)
diff --git a/policy/modules/contrib/bitlbee.if b/policy/modules/contrib/bitlbee.if
index e73fb79..bc326c9 100644
--- a/policy/modules/contrib/bitlbee.if
+++ b/policy/modules/contrib/bitlbee.if
@@ -47,10 +47,10 @@ interface(`bitlbee_admin',`
allow $1 bitlbee_t:process { ptrace signal_perms };
ps_process_pattern($1, bitlbee_t)
- init_labeled_script_domtrans($1, bitlbee_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 bitlbee_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, bitlbee_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 bitlbee_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, bitlbee_conf_t)
diff --git a/policy/modules/contrib/bluetooth.if b/policy/modules/contrib/bluetooth.if
index c723a0a..8e2eff5 100644
--- a/policy/modules/contrib/bluetooth.if
+++ b/policy/modules/contrib/bluetooth.if
@@ -216,10 +216,10 @@ interface(`bluetooth_admin',`
allow $1 bluetooth_t:process { ptrace signal_perms };
ps_process_pattern($1, bluetooth_t)
- init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 bluetooth_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 bluetooth_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, bluetooth_tmp_t)
diff --git a/policy/modules/contrib/boinc.if b/policy/modules/contrib/boinc.if
index 02fefaa..3a66e75 100644
--- a/policy/modules/contrib/boinc.if
+++ b/policy/modules/contrib/boinc.if
@@ -28,10 +28,10 @@ interface(`boinc_admin',`
allow $1 { boinc_t boinc_project_t }:process { ptrace signal_perms };
ps_process_pattern($1, { boinc_t boinc_project_t })
- init_labeled_script_domtrans($1, boinc_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 boinc_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, boinc_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 boinc_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, boinc_log_t)
diff --git a/policy/modules/contrib/cachefilesd.if b/policy/modules/contrib/cachefilesd.if
index 8de2ab9..4c68242 100644
--- a/policy/modules/contrib/cachefilesd.if
+++ b/policy/modules/contrib/cachefilesd.if
@@ -26,10 +26,10 @@ interface(`cachefilesd_admin',`
allow $1 cachefilesd_t:process { ptrace signal_perms };
ps_process_pattern($1, cachefilesd_t)
- init_labeled_script_domtrans($1, cachefilesd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cachefilesd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, cachefilesd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 cachefilesd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var($1)
admin_pattern($1, cachefilesd_cache_t)
diff --git a/policy/modules/contrib/callweaver.if b/policy/modules/contrib/callweaver.if
index 16f1855..ad4dee3 100644
--- a/policy/modules/contrib/callweaver.if
+++ b/policy/modules/contrib/callweaver.if
@@ -65,10 +65,10 @@ interface(`callweaver_admin',`
allow $1 callweaver_t:process { ptrace signal_perms };
ps_process_pattern($1, callweaver_t)
- init_labeled_script_domtrans($1, callweaver_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 callweaver_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, callweaver_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 callweaver_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, callweaver_log_t)
diff --git a/policy/modules/contrib/canna.if b/policy/modules/contrib/canna.if
index 400db07..98a34d7 100644
--- a/policy/modules/contrib/canna.if
+++ b/policy/modules/contrib/canna.if
@@ -46,10 +46,10 @@ interface(`canna_admin',`
allow $1 canna_t:process { ptrace signal_perms };
ps_process_pattern($1, canna_t)
- init_labeled_script_domtrans($1, canna_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 canna_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, canna_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 canna_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, canna_log_t)
diff --git a/policy/modules/contrib/ccs.if b/policy/modules/contrib/ccs.if
index bb17e0f..80ef99e 100644
--- a/policy/modules/contrib/ccs.if
+++ b/policy/modules/contrib/ccs.if
@@ -105,10 +105,10 @@ interface(`ccs_admin',`
allow $1 ccs_t:process { ptrace signal_perms };
ps_process_pattern($1, ccs_t)
- init_labeled_script_domtrans($1, ccs_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ccs_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ccs_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ccs_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, ccs_conf_t)
diff --git a/policy/modules/contrib/certmaster.if b/policy/modules/contrib/certmaster.if
index 0c53b18..ad86de9 100644
--- a/policy/modules/contrib/certmaster.if
+++ b/policy/modules/contrib/certmaster.if
@@ -124,10 +124,10 @@ interface(`certmaster_admin',`
allow $1 certmaster_t:process { ptrace signal_perms };
ps_process_pattern($1, certmaster_t)
- init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 certmaster_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 certmaster_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
miscfiles_manage_generic_cert_dirs($1)
diff --git a/policy/modules/contrib/certmonger.if b/policy/modules/contrib/certmonger.if
index 008f8ef..bed2a59 100644
--- a/policy/modules/contrib/certmonger.if
+++ b/policy/modules/contrib/certmonger.if
@@ -162,10 +162,10 @@ interface(`certmonger_admin',`
ps_process_pattern($1, certmonger_t)
allow $1 certmonger_t:process { ptrace signal_perms };
- certmonger_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 certmonger_initrc_exec_t system_r;
- allow $2 system_r;
+ #certmonger_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 certmonger_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, certmonger_var_lib_t)
diff --git a/policy/modules/contrib/cfengine.if b/policy/modules/contrib/cfengine.if
index a731122..d47ea2a 100644
--- a/policy/modules/contrib/cfengine.if
+++ b/policy/modules/contrib/cfengine.if
@@ -97,10 +97,10 @@ interface(`cfengine_admin',`
allow $1 cfengine_domain:process { ptrace signal_perms };
ps_process_pattern($1, cfengine_domain)
- init_labeled_script_domtrans($1, cfengine_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cfengine_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, cfengine_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 cfengine_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, { cfengine_log_t cfengine_var_lib_t })
diff --git a/policy/modules/contrib/cgroup.if b/policy/modules/contrib/cgroup.if
index 85ca63f..c136d2f 100644
--- a/policy/modules/contrib/cgroup.if
+++ b/policy/modules/contrib/cgroup.if
@@ -180,11 +180,11 @@ interface(`cgroup_admin',`
admin_pattern($1, cgred_var_run_t)
files_list_pids($1)
- cgroup_initrc_domtrans_cgconfig($1)
- cgroup_initrc_domtrans_cgred($1)
- domain_system_change_exemption($1)
- role_transition $2 { cgconfig_initrc_exec_t cgred_initrc_exec_t } system_r;
- allow $2 system_r;
+ #cgroup_initrc_domtrans_cgconfig($1)
+ #cgroup_initrc_domtrans_cgred($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 { cgconfig_initrc_exec_t cgred_initrc_exec_t } system_r;
+ #allow $2 system_r;
cgroup_run_cgclear($1, $2)
')
diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if
index 32e8265..f504b7b 100644
--- a/policy/modules/contrib/chronyd.if
+++ b/policy/modules/contrib/chronyd.if
@@ -184,10 +184,10 @@ interface(`chronyd_admin',`
allow $1 chronyd_t:process { ptrace signal_perms };
ps_process_pattern($1, chronyd_t)
- chronyd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 chronyd_initrc_exec_t system_r;
- allow $2 system_r;
+ #chronyd_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 chronyd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, chronyd_keys_t)
diff --git a/policy/modules/contrib/cipe.if b/policy/modules/contrib/cipe.if
index 5fb51b2..11ff777 100644
--- a/policy/modules/contrib/cipe.if
+++ b/policy/modules/contrib/cipe.if
@@ -25,8 +25,8 @@ interface(`cipe_admin',`
allow $1 ciped_t:process { ptrace signal_perms };
ps_process_pattern($1, ciped_t)
- init_labeled_script_domtrans($1, ciped_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ciped_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ciped_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ciped_initrc_exec_t system_r;
+ #allow $2 system_r;
')
diff --git a/policy/modules/contrib/clamav.if b/policy/modules/contrib/clamav.if
index 4cc4a5c..e194bb7 100644
--- a/policy/modules/contrib/clamav.if
+++ b/policy/modules/contrib/clamav.if
@@ -205,10 +205,10 @@ interface(`clamav_admin',`
allow $1 { clamd_t clamscan_t freshclam_t }:process { ptrace signal_perms };
ps_process_pattern($1, { clamd_t clamscan_t freshclam_t })
- init_labeled_script_domtrans($1, clamd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 clamd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, clamd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 clamd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, clamd_etc_t)
diff --git a/policy/modules/contrib/cmirrord.if b/policy/modules/contrib/cmirrord.if
index cc4e7cb..242bbc3 100644
--- a/policy/modules/contrib/cmirrord.if
+++ b/policy/modules/contrib/cmirrord.if
@@ -106,10 +106,10 @@ interface(`cmirrord_admin',`
allow $1 cmirrord_t:process { ptrace signal_perms };
ps_process_pattern($1, cmirrord_t)
- cmirrord_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 cmirrord_initrc_exec_t system_r;
- allow $2 system_r;
+ #cmirrord_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 cmirrord_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_pids($1)
admin_pattern($1, cmirrord_var_run_t)
diff --git a/policy/modules/contrib/cobbler.if b/policy/modules/contrib/cobbler.if
index c223f81..8392d01 100644
--- a/policy/modules/contrib/cobbler.if
+++ b/policy/modules/contrib/cobbler.if
@@ -183,10 +183,10 @@ interface(`cobbler_admin',`
allow $1 cobblerd_t:process { ptrace signal_perms };
ps_process_pattern($1, cobblerd_t)
- cobblerd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 cobblerd_initrc_exec_t system_r;
- allow $2 system_r;
+ #cobblerd_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 cobblerd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, cobbler_etc_t)
diff --git a/policy/modules/contrib/collectd.if b/policy/modules/contrib/collectd.if
index 954309e..9bb2db5 100644
--- a/policy/modules/contrib/collectd.if
+++ b/policy/modules/contrib/collectd.if
@@ -26,10 +26,10 @@ interface(`collectd_admin',`
allow $1 collectd_t:process { ptrace signal_perms };
ps_process_pattern($1, collectd_t)
- init_labeled_script_domtrans($1, collectd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 collectd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, collectd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 collectd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, collectd_var_run_t)
diff --git a/policy/modules/contrib/condor.if b/policy/modules/contrib/condor.if
index c80aaf5..b350506 100644
--- a/policy/modules/contrib/condor.if
+++ b/policy/modules/contrib/condor.if
@@ -66,10 +66,10 @@ interface(`condor_admin',`
allow $1 condor_domain:process { ptrace signal_perms };
ps_process_pattern($1, condor_domain)
- init_labeled_script_domtrans($1, condor_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 condor_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, condor_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 condor_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, condor_conf_t)
diff --git a/policy/modules/contrib/corosync.if b/policy/modules/contrib/corosync.if
index 694a037..2e5c8e0 100644
--- a/policy/modules/contrib/corosync.if
+++ b/policy/modules/contrib/corosync.if
@@ -165,10 +165,10 @@ interface(`corosync_admin',`
allow $1 corosync_t:process { ptrace signal_perms };
ps_process_pattern($1, corosync_t)
- corosync_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 corosync_initrc_exec_t system_r;
- allow $2 system_r;
+ #corosync_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 corosync_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, corosync_tmp_t)
diff --git a/policy/modules/contrib/couchdb.if b/policy/modules/contrib/couchdb.if
index 715a826..654e58a 100644
--- a/policy/modules/contrib/couchdb.if
+++ b/policy/modules/contrib/couchdb.if
@@ -103,10 +103,10 @@ interface(`couchdb_admin',`
allow $1 couchdb_t:process { ptrace signal_perms };
ps_process_pattern($1, couchdb_t)
- init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 couchdb_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 couchdb_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, couchdb_conf_t)
diff --git a/policy/modules/contrib/ctdb.if b/policy/modules/contrib/ctdb.if
index b25b01d..bb9daea 100644
--- a/policy/modules/contrib/ctdb.if
+++ b/policy/modules/contrib/ctdb.if
@@ -66,10 +66,10 @@ interface(`ctdb_admin',`
allow $1 ctdbd_t:process { ptrace signal_perms };
ps_process_pattern($1, ctdbd_t)
- init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ctdbd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ctdbd_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, ctdbd_log_t)
diff --git a/policy/modules/contrib/cups.if b/policy/modules/contrib/cups.if
index 3023be7..f5e5fcb 100644
--- a/policy/modules/contrib/cups.if
+++ b/policy/modules/contrib/cups.if
@@ -357,10 +357,10 @@ interface(`cups_admin',`
ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t })
ps_process_pattern($1, { cups_pdf_t hplip_t ptal_t })
- init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cupsd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 cupsd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, { cupsd_etc_t cupsd_rw_etc_t ptal_etc_t })
diff --git a/policy/modules/contrib/cvs.if b/policy/modules/contrib/cvs.if
index 64775fd..276840c 100644
--- a/policy/modules/contrib/cvs.if
+++ b/policy/modules/contrib/cvs.if
@@ -65,10 +65,10 @@ interface(`cvs_admin',`
allow $1 cvs_t:process { ptrace signal_perms };
ps_process_pattern($1, cvs_t)
- init_labeled_script_domtrans($1, cvs_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cvs_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, cvs_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 cvs_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, cvs_keytab_t)
diff --git a/policy/modules/contrib/cyphesis.if b/policy/modules/contrib/cyphesis.if
index df8aa4a..86c1316 100644
--- a/policy/modules/contrib/cyphesis.if
+++ b/policy/modules/contrib/cyphesis.if
@@ -45,10 +45,10 @@ interface(`cyphesis_admin',`
allow $1 cyphesis_t:process { ptrace signal_perms };
ps_process_pattern($1, cyphesis_t)
- init_labeled_script_domtrans($1, cyphesis_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cyphesis_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, cyphesis_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 cyphesis_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, cyphesis_log_t)
diff --git a/policy/modules/contrib/cyrus.if b/policy/modules/contrib/cyrus.if
index 83bfda6..069eec7 100644
--- a/policy/modules/contrib/cyrus.if
+++ b/policy/modules/contrib/cyrus.if
@@ -67,10 +67,10 @@ interface(`cyrus_admin',`
allow $1 cyrus_t:process { ptrace signal_perms };
ps_process_pattern($1, cyrus_t)
- init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cyrus_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 cyrus_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, cyrus_keytab_t)
diff --git a/policy/modules/contrib/dante.if b/policy/modules/contrib/dante.if
index e709177..8e26fd8 100644
--- a/policy/modules/contrib/dante.if
+++ b/policy/modules/contrib/dante.if
@@ -26,10 +26,10 @@ interface(`dante_admin',`
allow $1 dante_t:process { ptrace signal_perms };
ps_process_pattern($1, dante_t)
- init_labeled_script_domtrans($1, dante_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dante_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, dante_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 dante_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, dante_conf_t)
diff --git a/policy/modules/contrib/ddclient.if b/policy/modules/contrib/ddclient.if
index 5606b40..790ed46 100644
--- a/policy/modules/contrib/ddclient.if
+++ b/policy/modules/contrib/ddclient.if
@@ -73,10 +73,10 @@ interface(`ddclient_admin',`
allow $1 ddclient_t:process { ptrace signal_perms };
ps_process_pattern($1, ddclient_t)
- init_labeled_script_domtrans($1, ddclient_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ddclient_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ddclient_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ddclient_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, ddclient_etc_t)
diff --git a/policy/modules/contrib/denyhosts.if b/policy/modules/contrib/denyhosts.if
index a7326da..ee887da 100644
--- a/policy/modules/contrib/denyhosts.if
+++ b/policy/modules/contrib/denyhosts.if
@@ -63,10 +63,10 @@ interface(`denyhosts_admin',`
allow $1 denyhosts_t:process { ptrace signal_perms };
ps_process_pattern($1, denyhosts_t)
- denyhosts_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 denyhosts_initrc_exec_t system_r;
- allow $2 system_r;
+ #denyhosts_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 denyhosts_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, denyhosts_var_lib_t)
diff --git a/policy/modules/contrib/dhcp.if b/policy/modules/contrib/dhcp.if
index c697edb..fe3f70a 100644
--- a/policy/modules/contrib/dhcp.if
+++ b/policy/modules/contrib/dhcp.if
@@ -84,10 +84,10 @@ interface(`dhcpd_admin',`
allow $1 dhcpd_t:process { ptrace signal_perms };
ps_process_pattern($1, dhcpd_t)
- init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dhcpd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 dhcpd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, dhcpd_tmp_t)
diff --git a/policy/modules/contrib/dictd.if b/policy/modules/contrib/dictd.if
index 3cc3494..5946e57 100644
--- a/policy/modules/contrib/dictd.if
+++ b/policy/modules/contrib/dictd.if
@@ -41,10 +41,10 @@ interface(`dictd_admin',`
allow $1 dictd_t:process { ptrace signal_perms };
ps_process_pattern($1, dictd_t)
- init_labeled_script_domtrans($1, dictd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dictd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, dictd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 dictd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, dictd_etc_t)
diff --git a/policy/modules/contrib/dirmngr.if b/policy/modules/contrib/dirmngr.if
index e5f6733..e41f285 100644
--- a/policy/modules/contrib/dirmngr.if
+++ b/policy/modules/contrib/dirmngr.if
@@ -26,10 +26,10 @@ interface(`dirmngr_admin',`
allow $1 dirmngr_t:process { ptrace signal_perms };
ps_process_pattern($1, dirmngr_t)
- init_labeled_script_domtrans($1, dirmngr_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dirmngr_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, dirmngr_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 dirmngr_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, dirmngr_conf_t)
diff --git a/policy/modules/contrib/distcc.if b/policy/modules/contrib/distcc.if
index 473823d..28a4164 100644
--- a/policy/modules/contrib/distcc.if
+++ b/policy/modules/contrib/distcc.if
@@ -26,10 +26,10 @@ interface(`distcc_admin',`
allow $1 distccd_t:process { ptrace signal_perms };
ps_process_pattern($1, distccd_t)
- init_labeled_script_domtrans($1, distccd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 distccd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, distccd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 distccd_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, distccd_log_t)
diff --git a/policy/modules/contrib/dkim.if b/policy/modules/contrib/dkim.if
index 386e494..7999295 100644
--- a/policy/modules/contrib/dkim.if
+++ b/policy/modules/contrib/dkim.if
@@ -26,10 +26,10 @@ interface(`dkim_admin',`
allow $1 dkim_milter_t:process { ptrace signal_perms };
ps_process_pattern($1, dkim_milter_t)
- init_labeled_script_domtrans($1, dkim_milter_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dkim_milter_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, dkim_milter_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 dkim_milter_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, dkim_milter_private_key_t)
diff --git a/policy/modules/contrib/dnsmasq.if b/policy/modules/contrib/dnsmasq.if
index 62e4948..0ea06df 100644
--- a/policy/modules/contrib/dnsmasq.if
+++ b/policy/modules/contrib/dnsmasq.if
@@ -273,10 +273,10 @@ interface(`dnsmasq_admin',`
allow $1 dnsmasq_t:process { ptrace signal_perms };
ps_process_pattern($1, dnsmasq_t)
- init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dnsmasq_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 dnsmasq_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_var_lib($1)
admin_pattern($1, dnsmasq_lease_t)
diff --git a/policy/modules/contrib/dnssectrigger.if b/policy/modules/contrib/dnssectrigger.if
index 456da5c..2e1bd25 100644
--- a/policy/modules/contrib/dnssectrigger.if
+++ b/policy/modules/contrib/dnssectrigger.if
@@ -26,10 +26,10 @@ interface(`dnssectrigger_admin',`
allow $1 dnssec_triggerd_t:process { ptrace signal_perms };
ps_process_pattern($1, dnssec_triggerd_t)
- init_labeled_script_domtrans($1, dnssec_triggerd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dnssec_triggerd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, dnssec_triggerd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 dnssec_triggerd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, dnssec_trigger_conf_t)
diff --git a/policy/modules/contrib/dovecot.if b/policy/modules/contrib/dovecot.if
index d5badb7..294d61e 100644
--- a/policy/modules/contrib/dovecot.if
+++ b/policy/modules/contrib/dovecot.if
@@ -149,10 +149,10 @@ interface(`dovecot_admin',`
allow $1 dovecot_t:process { ptrace signal_perms };
ps_process_pattern($1, dovecot_t)
- init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dovecot_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 dovecot_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, { dovecot_keytab_t dovecot_etc_t })
diff --git a/policy/modules/contrib/drbd.if b/policy/modules/contrib/drbd.if
index 9a21639..18dbd73 100644
--- a/policy/modules/contrib/drbd.if
+++ b/policy/modules/contrib/drbd.if
@@ -46,10 +46,10 @@ interface(`drbd_admin',`
allow $1 drbd_t:process { ptrace signal_perms };
ps_process_pattern($1, drbd_t)
- init_labeled_script_domtrans($1, drbd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 drbd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, drbd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 drbd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_locks($1)
admin_pattern($1, drbd_lock_t)
diff --git a/policy/modules/contrib/dspam.if b/policy/modules/contrib/dspam.if
index 18f2452..b16cb67 100644
--- a/policy/modules/contrib/dspam.if
+++ b/policy/modules/contrib/dspam.if
@@ -66,10 +66,10 @@ interface(`dspam_admin',`
allow $1 dspam_t:process { ptrace signal_perms };
ps_process_pattern($1, dspam_t)
- init_labeled_script_domtrans($1, dspam_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dspam_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, dspam_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 dspam_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, dspam_log_t)
diff --git a/policy/modules/contrib/entropyd.if b/policy/modules/contrib/entropyd.if
index 1161fbf..1fc147c 100644
--- a/policy/modules/contrib/entropyd.if
+++ b/policy/modules/contrib/entropyd.if
@@ -25,10 +25,10 @@ interface(`entropyd_admin',`
allow $1 entropyd_t:process { ptrace signal_perms };
ps_process_pattern($1, entropyd_t)
- init_labeled_script_domtrans($1, entropyd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 entropyd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, entropyd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 entropyd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, entropyd_var_run_t)
diff --git a/policy/modules/contrib/exim.if b/policy/modules/contrib/exim.if
index 9bbc690..16d2922 100644
--- a/policy/modules/contrib/exim.if
+++ b/policy/modules/contrib/exim.if
@@ -288,10 +288,10 @@ interface(`exim_admin',`
allow $1 exim_t:process { ptrace signal_perms };
ps_process_pattern($1, exim_t)
- init_labeled_script_domtrans($1, exim_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 exim_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, exim_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 exim_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, exim_keytab_t)
diff --git a/policy/modules/contrib/fail2ban.if b/policy/modules/contrib/fail2ban.if
index 50d0084..0d23647 100644
--- a/policy/modules/contrib/fail2ban.if
+++ b/policy/modules/contrib/fail2ban.if
@@ -266,10 +266,10 @@ interface(`fail2ban_admin',`
allow $1 { fail2ban_t fail2ban_client_t }:process { ptrace signal_perms };
ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
- init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 fail2ban_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 fail2ban_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, fail2ban_log_t)
diff --git a/policy/modules/contrib/fcoe.if b/policy/modules/contrib/fcoe.if
index c3484a9..e8b2446 100644
--- a/policy/modules/contrib/fcoe.if
+++ b/policy/modules/contrib/fcoe.if
@@ -44,10 +44,10 @@ interface(`fcoe_admin',`
allow $1 fcoemon_t:process { ptrace signal_perms };
ps_process_pattern($1, fcoemon_t)
- init_labeled_script_domtrans($1, fcoemon_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 fcoemon_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, fcoemon_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 fcoemon_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, fcoemon_var_run_t)
diff --git a/policy/modules/contrib/fetchmail.if b/policy/modules/contrib/fetchmail.if
index c3f7916..8823986 100644
--- a/policy/modules/contrib/fetchmail.if
+++ b/policy/modules/contrib/fetchmail.if
@@ -23,10 +23,10 @@ interface(`fetchmail_admin',`
type fetchmail_var_run_t, fetchmail_initrc_exec_t, fetchmail_log_t;
')
- init_labeled_script_domtrans($1, fetchmail_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 fetchmail_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, fetchmail_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 fetchmail_initrc_exec_t system_r;
+ #allow $2 system_r;
allow $1 fetchmail_t:process { ptrace signal_perms };
ps_process_pattern($1, fetchmail_t)
diff --git a/policy/modules/contrib/firewalld.if b/policy/modules/contrib/firewalld.if
index c62c567..cbe9016 100644
--- a/policy/modules/contrib/firewalld.if
+++ b/policy/modules/contrib/firewalld.if
@@ -86,10 +86,10 @@ interface(`firewalld_admin',`
allow $1 firewalld_t:process { ptrace signal_perms };
ps_process_pattern($1, firewalld_t)
- init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 firewalld_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 firewalld_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, firewalld_var_run_t)
diff --git a/policy/modules/contrib/ftp.if b/policy/modules/contrib/ftp.if
index 65adda9..5d7a53f 100644
--- a/policy/modules/contrib/ftp.if
+++ b/policy/modules/contrib/ftp.if
@@ -182,10 +182,10 @@ interface(`ftp_admin',`
allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }:process { ptrace signal_perms };
ps_process_pattern($1, { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t })
- init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ftpd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ftpd_initrc_exec_t system_r;
+ #allow $2 system_r;
miscfiles_manage_public_files($1)
diff --git a/policy/modules/contrib/gatekeeper.if b/policy/modules/contrib/gatekeeper.if
index 30926d7..879de37 100644
--- a/policy/modules/contrib/gatekeeper.if
+++ b/policy/modules/contrib/gatekeeper.if
@@ -26,10 +26,10 @@ interface(`gatekeeper_admin',`
allow $1 gatekeeper_t:process { ptrace signal_perms };
ps_process_pattern($1, gatekeeper_t)
- init_labeled_script_domtrans($1, gatekeeper_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 gatekeeper_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, gatekeeper_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 gatekeeper_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, gatekeeper_etc_t)
diff --git a/policy/modules/contrib/gdomap.if b/policy/modules/contrib/gdomap.if
index 7d6b6b7..b4ebe6c 100644
--- a/policy/modules/contrib/gdomap.if
+++ b/policy/modules/contrib/gdomap.if
@@ -45,10 +45,10 @@ interface(`gdomap_admin',`
allow $1 gdomap_t:process { ptrace signal_perms };
ps_process_pattern($1, gdomap_t)
- init_labeled_script_domtrans($1, gdomap_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 gdomap_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, gdomap_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 gdomap_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, gdomap_conf_t)
diff --git a/policy/modules/contrib/glance.if b/policy/modules/contrib/glance.if
index 9eacb2c..6966abb 100644
--- a/policy/modules/contrib/glance.if
+++ b/policy/modules/contrib/glance.if
@@ -245,10 +245,10 @@ interface(`glance_admin',`
allow $1 { glance_api_t glance_registry_t }:process signal_perms;
ps_process_pattern($1, { glance_api_t glance_registry_t })
- init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { glance_api_initrc_exec_t glance_registry_initrc_exec_t } system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
+ #domain_system_change_exemption($1)
+ #role_transition $2 { glance_api_initrc_exec_t glance_registry_initrc_exec_t } system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, glance_log_t)
diff --git a/policy/modules/contrib/glusterfs.if b/policy/modules/contrib/glusterfs.if
index 05233c8..c121fda 100644
--- a/policy/modules/contrib/glusterfs.if
+++ b/policy/modules/contrib/glusterfs.if
@@ -46,10 +46,10 @@ interface(`glusterfs_admin',`
type glusterd_var_run_t;
')
- init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 glusterd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 glusterd_initrc_exec_t system_r;
+ #allow $2 system_r;
allow $1 glusterd_t:process { ptrace signal_perms };
ps_process_pattern($1, glusterd_t)
diff --git a/policy/modules/contrib/gpm.if b/policy/modules/contrib/gpm.if
index f1528c9..65818dc 100644
--- a/policy/modules/contrib/gpm.if
+++ b/policy/modules/contrib/gpm.if
@@ -106,10 +106,10 @@ interface(`gpm_admin',`
allow $1 gpm_t:process { ptrace signal_perms };
ps_process_pattern($1, gpm_t)
- init_labeled_script_domtrans($1, gpm_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 gpm_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, gpm_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 gpm_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, gpm_conf_t)
diff --git a/policy/modules/contrib/gpsd.if b/policy/modules/contrib/gpsd.if
index 92eb564..6d077a4 100644
--- a/policy/modules/contrib/gpsd.if
+++ b/policy/modules/contrib/gpsd.if
@@ -91,10 +91,10 @@ interface(`gpsd_admin',`
allow $1 gpsd_t:process { ptrace signal_perms };
ps_process_pattern($1, gpsd_t)
- init_labeled_script_domtrans($1, gpsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 gpsd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, gpsd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 gpsd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, gpsd_var_run_t)
diff --git a/policy/modules/contrib/hadoop.if b/policy/modules/contrib/hadoop.if
index 2b0d488..48f93d3 100644
--- a/policy/modules/contrib/hadoop.if
+++ b/policy/modules/contrib/hadoop.if
@@ -441,10 +441,10 @@ interface(`hadoop_admin',`
allow $1 { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t }:process { ptrace signal_perms };
ps_process_pattern($1, { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t })
- init_labeled_script_domtrans($1, hadoop_init_script_file)
- domain_system_change_exemption($1)
- role_transition $2 hadoop_init_script_file system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, hadoop_init_script_file)
+ #domain_system_change_exemption($1)
+ #role_transition $2 hadoop_init_script_file system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, { hadoop_etc_t zookeeper_etc_t })
diff --git a/policy/modules/contrib/hddtemp.if b/policy/modules/contrib/hddtemp.if
index 1728071..718fc12 100644
--- a/policy/modules/contrib/hddtemp.if
+++ b/policy/modules/contrib/hddtemp.if
@@ -63,10 +63,10 @@ interface(`hddtemp_admin',`
allow $1 hddtemp_t:process { ptrace signal_perms };
ps_process_pattern($1, hddtemp_t)
- init_labeled_script_domtrans($1, hddtemp_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 hddtemp_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, hddtemp_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 hddtemp_initrc_exec_t system_r;
+ #allow $2 system_r;
admin_pattern($1, hddtemp_etc_t)
files_search_etc($1)
diff --git a/policy/modules/contrib/howl.if b/policy/modules/contrib/howl.if
index dc609f0..d67eac5 100644
--- a/policy/modules/contrib/howl.if
+++ b/policy/modules/contrib/howl.if
@@ -43,10 +43,10 @@ interface(`howl_admin',`
allow $1 howl_t:process { ptrace signal_perms };
ps_process_pattern($1, howl_t)
- init_labeled_script_domtrans($1, howl_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 howl_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, howl_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 howl_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, howl_var_run_t)
diff --git a/policy/modules/contrib/hypervkvp.if b/policy/modules/contrib/hypervkvp.if
index 6517fad..d483ebe 100644
--- a/policy/modules/contrib/hypervkvp.if
+++ b/policy/modules/contrib/hypervkvp.if
@@ -25,8 +25,8 @@ interface(`hypervkvp_admin',`
allow $1 hypervkvpd_t:process { ptrace signal_perms };
ps_process_pattern($1, hypervkvpd_t)
- init_labeled_script_domtrans($1, hypervkvpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 hypervkvpd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, hypervkvpd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 hypervkvpd_initrc_exec_t system_r;
+ #allow $2 system_r;
')
diff --git a/policy/modules/contrib/i18n_input.if b/policy/modules/contrib/i18n_input.if
index 5eab254..dd6c6a9 100644
--- a/policy/modules/contrib/i18n_input.if
+++ b/policy/modules/contrib/i18n_input.if
@@ -40,10 +40,10 @@ interface(`i18n_input_admin',`
allow $1 i18n_input_t:process { ptrace signal_perms };
ps_process_pattern($1, i18n_input_t)
- init_labeled_script_domtrans($1, i18n_input_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 i18n_input_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, i18n_input_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 i18n_input_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, i18n_input_var_run_t)
diff --git a/policy/modules/contrib/icecast.if b/policy/modules/contrib/icecast.if
index 580b533..0235592 100644
--- a/policy/modules/contrib/icecast.if
+++ b/policy/modules/contrib/icecast.if
@@ -176,10 +176,10 @@ interface(`icecast_admin',`
type icecast_var_run_t;
')
- icecast_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 icecast_initrc_exec_t system_r;
- allow $2 system_r;
+ #icecast_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 icecast_initrc_exec_t system_r;
+ #allow $2 system_r;
allow $1 icecast_t:process { ptrace signal_perms };
ps_process_pattern($1, icecast_t)
diff --git a/policy/modules/contrib/ifplugd.if b/policy/modules/contrib/ifplugd.if
index 8999899..bc3884d 100644
--- a/policy/modules/contrib/ifplugd.if
+++ b/policy/modules/contrib/ifplugd.if
@@ -122,10 +122,10 @@ interface(`ifplugd_admin',`
allow $1 ifplugd_t:process { ptrace signal_perms };
ps_process_pattern($1, ifplugd_t)
- init_labeled_script_domtrans($1, ifplugd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ifplugd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ifplugd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ifplugd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, ifplugd_etc_t)
diff --git a/policy/modules/contrib/inn.if b/policy/modules/contrib/inn.if
index eb87f23..91b81e9 100644
--- a/policy/modules/contrib/inn.if
+++ b/policy/modules/contrib/inn.if
@@ -230,10 +230,10 @@ interface(`inn_admin',`
type innd_var_run_t, innd_initrc_exec_t;
')
- init_labeled_script_domtrans($1, innd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 innd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, innd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 innd_initrc_exec_t system_r;
+ #allow $2 system_r;
allow $1 innd_t:process { ptrace signal_perms };
ps_process_pattern($1, innd_t)
diff --git a/policy/modules/contrib/iodine.if b/policy/modules/contrib/iodine.if
index a0bfbd0..f034884 100644
--- a/policy/modules/contrib/iodine.if
+++ b/policy/modules/contrib/iodine.if
@@ -47,8 +47,8 @@ interface(`iodine_admin',`
allow $1 iodined_t:process { ptrace signal_perms };
ps_process_pattern($1, iodined_t)
- init_labeled_script_domtrans($1, iodined_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 iodined_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, iodined_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 iodined_initrc_exec_t system_r;
+ #allow $2 system_r;
')
diff --git a/policy/modules/contrib/ircd.if b/policy/modules/contrib/ircd.if
index 1a88664..6d057fd 100644
--- a/policy/modules/contrib/ircd.if
+++ b/policy/modules/contrib/ircd.if
@@ -23,10 +23,10 @@ interface(`ircd_admin',`
type ircd_log_t, ircd_var_lib_t, ircd_var_run_t;
')
- init_labeled_script_domtrans($1, ircd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ircd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ircd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ircd_initrc_exec_t system_r;
+ #allow $2 system_r;
allow $1 ircd_t:process { ptrace signal_perms };
ps_process_pattern($1, ircd_t)
diff --git a/policy/modules/contrib/irqbalance.if b/policy/modules/contrib/irqbalance.if
index d7113e7..5f97e41 100644
--- a/policy/modules/contrib/irqbalance.if
+++ b/policy/modules/contrib/irqbalance.if
@@ -25,10 +25,10 @@ interface(`irqbalance_admin',`
allow $1 irqbalance_t:process { ptrace signal_perms };
ps_process_pattern($1, irqbalance_t)
- init_labeled_script_domtrans($1, irqbalance_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 irqbalance_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, irqbalance_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 irqbalance_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, irqbalance_var_run_t)
diff --git a/policy/modules/contrib/iscsi.if b/policy/modules/contrib/iscsi.if
index 1a35420..9e73947 100644
--- a/policy/modules/contrib/iscsi.if
+++ b/policy/modules/contrib/iscsi.if
@@ -105,10 +105,10 @@ interface(`iscsi_admin',`
allow $1 iscsid_t:process { ptrace signal_perms };
ps_process_pattern($1, iscsid_t)
- init_labeled_script_domtrans($1, iscsi_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 iscsi_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, iscsi_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 iscsi_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, iscsi_log_t)
diff --git a/policy/modules/contrib/isns.if b/policy/modules/contrib/isns.if
index da7e970..baf3539 100644
--- a/policy/modules/contrib/isns.if
+++ b/policy/modules/contrib/isns.if
@@ -26,10 +26,10 @@ interface(`isnsd_admin',`
allow $1 isnsd_t:process { ptrace signal_perms };
ps_process_pattern($1, isnsd_t)
- init_labeled_script_domtrans($1, isnsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 isnsd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, isnsd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 isnsd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, isnsd_var_lib_t)
diff --git a/policy/modules/contrib/jabber.if b/policy/modules/contrib/jabber.if
index 7eb3811..dda272b 100644
--- a/policy/modules/contrib/jabber.if
+++ b/policy/modules/contrib/jabber.if
@@ -81,10 +81,10 @@ interface(`jabber_admin',`
allow $1 jabberd_domain:process { ptrace signal_perms };
ps_process_pattern($1, jabberd_domain)
- init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 jabberd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 jabberd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_locks($1)
admin_pattern($1, jabberd_lock_t)
diff --git a/policy/modules/contrib/kdump.if b/policy/modules/contrib/kdump.if
index 3a00b3a..804c498 100644
--- a/policy/modules/contrib/kdump.if
+++ b/policy/modules/contrib/kdump.if
@@ -102,10 +102,10 @@ interface(`kdump_admin',`
allow $1 { kdump_t kdumpctl_t }:process { ptrace signal_perms };
ps_process_pattern($1, { kdump_t kdumpctl_t })
- init_labeled_script_domtrans($1, kdump_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 kdump_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, kdump_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 kdump_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, kdump_etc_t)
diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if
index 77a5c49..ab3f24e 100644
--- a/policy/modules/contrib/kerberos.if
+++ b/policy/modules/contrib/kerberos.if
@@ -493,10 +493,10 @@ interface(`kerberos_admin',`
allow $1 { kadmind_t krb5kdc_t kpropd_t }:process { ptrace signal_perms };
ps_process_pattern($1, { kadmind_t krb5kdc_t kpropd_t })
- init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 kerberos_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 kerberos_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, kadmind_log_t)
diff --git a/policy/modules/contrib/kerneloops.if b/policy/modules/contrib/kerneloops.if
index 714448f..7e50bdd 100644
--- a/policy/modules/contrib/kerneloops.if
+++ b/policy/modules/contrib/kerneloops.if
@@ -108,10 +108,10 @@ interface(`kerneloops_admin',`
allow $1 kerneloops_t:process { ptrace signal_perms };
ps_process_pattern($1, kerneloops_t)
- init_labeled_script_domtrans($1, kerneloops_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 kerneloops_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, kerneloops_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 kerneloops_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_tmp($1)
admin_pattern($1, kerneloops_tmp_t)
diff --git a/policy/modules/contrib/keystone.if b/policy/modules/contrib/keystone.if
index e88fb16..7407597 100644
--- a/policy/modules/contrib/keystone.if
+++ b/policy/modules/contrib/keystone.if
@@ -26,10 +26,10 @@ interface(`keystone_admin',`
allow $1 keystone_t:process { ptrace signal_perms };
ps_process_pattern($1, keystone_t)
- init_labeled_script_domtrans($1, keystone_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 keystone_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, keystone_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 keystone_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, keystone_log_t)
diff --git a/policy/modules/contrib/kismet.if b/policy/modules/contrib/kismet.if
index f20de6e..1a3bc7d 100644
--- a/policy/modules/contrib/kismet.if
+++ b/policy/modules/contrib/kismet.if
@@ -286,10 +286,10 @@ interface(`kismet_admin',`
type kismet_log_t, kismet_tmp_t, kismet_initrc_exec_t;
')
- init_labeled_script_domtrans($1, kismet_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 kismet_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, kismet_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 kismet_initrc_exec_t system_r;
+ #allow $2 system_r;
ps_process_pattern($1, kismet_t)
allow $1 kismet_t:process { ptrace signal_perms };
diff --git a/policy/modules/contrib/ksmtuned.if b/policy/modules/contrib/ksmtuned.if
index 93a64bc..663a091 100644
--- a/policy/modules/contrib/ksmtuned.if
+++ b/policy/modules/contrib/ksmtuned.if
@@ -61,10 +61,10 @@ interface(`ksmtuned_admin',`
type ksmtuned_initrc_exec_t, ksmtuned_log_t;
')
- ksmtuned_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 ksmtuned_initrc_exec_t system_r;
- allow $2 system_r;
+ #ksmtuned_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ksmtuned_initrc_exec_t system_r;
+ #allow $2 system_r;
allow $1 ksmtuned_t:process { ptrace signal_perms };
ps_process_pattern($1, ksmtuned_t)
diff --git a/policy/modules/contrib/kudzu.if b/policy/modules/contrib/kudzu.if
index 5297064..db57d00 100644
--- a/policy/modules/contrib/kudzu.if
+++ b/policy/modules/contrib/kudzu.if
@@ -89,10 +89,10 @@ interface(`kudzu_admin',`
allow $1 kudzu_t:process { ptrace signal_perms };
ps_process_pattern($1, kudzu_t)
- init_labeled_script_domtrans($1, kudzu_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 kudzu_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, kudzu_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 kudzu_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_tmp($1)
admin_pattern($1, kudzu_tmp_t)
diff --git a/policy/modules/contrib/l2tp.if b/policy/modules/contrib/l2tp.if
index 73e2803..5f364d2 100644
--- a/policy/modules/contrib/l2tp.if
+++ b/policy/modules/contrib/l2tp.if
@@ -86,10 +86,10 @@ interface(`l2tp_admin',`
allow $1 l2tpd_t:process { ptrace signal_perms };
ps_process_pattern($1, l2tpd_t)
- init_labeled_script_domtrans($1, l2tpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 l2tpd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, l2tpd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 l2tpd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, l2tp_conf_t)
diff --git a/policy/modules/contrib/ldap.if b/policy/modules/contrib/ldap.if
index 7f09b4a..bb0ca32 100644
--- a/policy/modules/contrib/ldap.if
+++ b/policy/modules/contrib/ldap.if
@@ -122,10 +122,10 @@ interface(`ldap_admin',`
allow $1 slapd_t:process { ptrace signal_perms };
ps_process_pattern($1, slapd_t)
- init_labeled_script_domtrans($1, slapd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 slapd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, slapd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 slapd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t })
diff --git a/policy/modules/contrib/likewise.if b/policy/modules/contrib/likewise.if
index bd20e8c..3813742 100644
--- a/policy/modules/contrib/likewise.if
+++ b/policy/modules/contrib/likewise.if
@@ -110,10 +110,10 @@ interface(`likewise_admin',`
allow $1 likewise_domains:process { ptrace signal_perms };
ps_process_pattern($1, likewise_domains)
- init_labeled_script_domtrans($1, likewise_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 likewise_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, likewise_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 likewise_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, { likewise_etc_t likewise_pstore_lock_t likewise_krb5_ad_t })
diff --git a/policy/modules/contrib/lircd.if b/policy/modules/contrib/lircd.if
index dff21a7..50996eb 100644
--- a/policy/modules/contrib/lircd.if
+++ b/policy/modules/contrib/lircd.if
@@ -84,10 +84,10 @@ interface(`lircd_admin',`
allow $1 lircd_t:process { ptrace signal_perms };
ps_process_pattern($1, lircd_t)
- init_labeled_script_domtrans($1, lircd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 lircd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, lircd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 lircd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, lircd_etc_t)
diff --git a/policy/modules/contrib/lldpad.if b/policy/modules/contrib/lldpad.if
index d18c960..612d86f 100644
--- a/policy/modules/contrib/lldpad.if
+++ b/policy/modules/contrib/lldpad.if
@@ -45,10 +45,10 @@ interface(`lldpad_admin',`
allow $1 lldpad_t:process { ptrace signal_perms };
ps_process_pattern($1, lldpad_t)
- init_labeled_script_domtrans($1, lldpad_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 lldpad_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, lldpad_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 lldpad_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, lldpad_var_lib_t)
diff --git a/policy/modules/contrib/mailscanner.if b/policy/modules/contrib/mailscanner.if
index 214cb44..d3bd6c5 100644
--- a/policy/modules/contrib/mailscanner.if
+++ b/policy/modules/contrib/mailscanner.if
@@ -47,10 +47,10 @@ interface(`mscan_admin',`
allow $1 mscan_t:process { ptrace signal_perms };
ps_process_pattern($1, mscan_t)
- init_labeled_script_domtrans($1, mscan_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 mscan_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, mscan_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 mscan_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, mscan_etc_t)
diff --git a/policy/modules/contrib/mcelog.if b/policy/modules/contrib/mcelog.if
index f89651e..82b0846 100644
--- a/policy/modules/contrib/mcelog.if
+++ b/policy/modules/contrib/mcelog.if
@@ -45,10 +45,10 @@ interface(`mcelog_admin',`
allow $1 mcelog_t:process { ptrace signal_perms };
ps_process_pattern($1, mcelog_t)
- init_labeled_script_domtrans($1, mcelog_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 mcelog_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, mcelog_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 mcelog_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, mcelog_etc_t)
diff --git a/policy/modules/contrib/memcached.if b/policy/modules/contrib/memcached.if
index 1d4eb19..6b3c3dc 100644
--- a/policy/modules/contrib/memcached.if
+++ b/policy/modules/contrib/memcached.if
@@ -124,10 +124,10 @@ interface(`memcached_admin',`
allow $1 memcached_t:process { ptrace signal_perms };
ps_process_pattern($1, memcached_t)
- init_labeled_script_domtrans($1, memcached_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 memcached_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, memcached_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 memcached_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, memcached_var_run_t)
diff --git a/policy/modules/contrib/minidlna.if b/policy/modules/contrib/minidlna.if
index 358917a..e58f50a 100644
--- a/policy/modules/contrib/minidlna.if
+++ b/policy/modules/contrib/minidlna.if
@@ -26,10 +26,10 @@ interface(`minidlna_admin',`
allow $1 minidlna_t:process { ptrace signal_perms };
ps_process_pattern($1, minidlna_t)
- minidlna_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 minidlna_initrc_exec_t system_r;
- allow $2 system_r;
+ #minidlna_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 minidlna_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, minidlna_conf_t)
diff --git a/policy/modules/contrib/minissdpd.if b/policy/modules/contrib/minissdpd.if
index f37a116..3121ce0 100644
--- a/policy/modules/contrib/minissdpd.if
+++ b/policy/modules/contrib/minissdpd.if
@@ -45,10 +45,10 @@ interface(`minissdpd_admin',`
allow $1 minissdpd_t:process { ptrace signal_perms };
ps_process_pattern($1, minissdpd_t)
- init_labeled_script_domtrans($1, minissdpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 minissdpd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, minissdpd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 minissdpd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, minissdpd_conf_t)
diff --git a/policy/modules/contrib/mongodb.if b/policy/modules/contrib/mongodb.if
index b247d25..80ba75c 100644
--- a/policy/modules/contrib/mongodb.if
+++ b/policy/modules/contrib/mongodb.if
@@ -26,10 +26,10 @@ interface(`mongodb_admin',`
allow $1 mongod_t:process { ptrace signal_perms };
ps_process_pattern($1, mongod_t)
- init_labeled_script_domtrans($1, mongod_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 mongod_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, mongod_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 mongod_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, mongod_log_t)
diff --git a/policy/modules/contrib/monop.if b/policy/modules/contrib/monop.if
index a6ec137..a798087 100644
--- a/policy/modules/contrib/monop.if
+++ b/policy/modules/contrib/monop.if
@@ -26,10 +26,10 @@ interface(`monop_admin',`
allow $1 monopd_t:process { ptrace signal_perms };
ps_process_pattern($1, monopd_t)
- init_labeled_script_domtrans($1, monopd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 monopd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, monopd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 monopd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, monopd_etc_t)
diff --git a/policy/modules/contrib/mpd.if b/policy/modules/contrib/mpd.if
index 5fa77c7..9be1aa8 100644
--- a/policy/modules/contrib/mpd.if
+++ b/policy/modules/contrib/mpd.if
@@ -347,10 +347,10 @@ interface(`mpd_admin',`
allow $1 mpd_t:process { ptrace signal_perms };
ps_process_pattern($1, mpd_t)
- mpd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 mpd_initrc_exec_t system_r;
- allow $2 system_r;
+ #mpd_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 mpd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, mpd_etc_t)
diff --git a/policy/modules/contrib/mrtg.if b/policy/modules/contrib/mrtg.if
index c595094..aeac4b2 100644
--- a/policy/modules/contrib/mrtg.if
+++ b/policy/modules/contrib/mrtg.if
@@ -47,10 +47,10 @@ interface(`mrtg_admin',`
allow $1 mrtg_t:process { ptrace signal_perms };
ps_process_pattern($1, mrtg_t)
- init_labeled_script_domtrans($1, mrtg_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 mrtg_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, mrtg_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 mrtg_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, mrtg_etc_t)
diff --git a/policy/modules/contrib/munin.if b/policy/modules/contrib/munin.if
index b744fe3..b540634 100644
--- a/policy/modules/contrib/munin.if
+++ b/policy/modules/contrib/munin.if
@@ -173,10 +173,10 @@ interface(`munin_admin',`
allow $1 { munin_plugin_domain munin_t }:process { ptrace signal_perms };
ps_process_pattern($1, { munin_plugin_domain munin_t })
- init_labeled_script_domtrans($1, munin_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 munin_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, munin_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 munin_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, { munin_tmp_t munin_plugin_tmp_content })
diff --git a/policy/modules/contrib/mysql.if b/policy/modules/contrib/mysql.if
index 590748a..5535d22 100644
--- a/policy/modules/contrib/mysql.if
+++ b/policy/modules/contrib/mysql.if
@@ -450,10 +450,10 @@ interface(`mysql_admin',`
allow $1 { mysqld_safe_t mysqld_t mysqlmanagerd_t }:process { ptrace signal_perms };
ps_process_pattern($1, { mysqld_safe_t mysqld_t mysqlmanagerd_t })
- init_labeled_script_domtrans($1, { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t } system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t })
+ #domain_system_change_exemption($1)
+ #role_transition $2 { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t } system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, { mysqlmanagerd_var_run_t mysqld_var_run_t })
diff --git a/policy/modules/contrib/nagios.if b/policy/modules/contrib/nagios.if
index 0641e97..8289ecb 100644
--- a/policy/modules/contrib/nagios.if
+++ b/policy/modules/contrib/nagios.if
@@ -204,10 +204,10 @@ interface(`nagios_admin',`
allow $1 { nagios_t nrpe_t nagios_plugin_domain }:process { ptrace signal_perms };
ps_process_pattern($1, { nagios_t nrpe_t nagios_plugin_domain })
- init_labeled_script_domtrans($1, nagios_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 nagios_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, nagios_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 nagios_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_tmp($1)
admin_pattern($1, { nagios_eventhandler_plugin_tmp_t nagios_tmp_t nagios_system_plugin_tmp_t })
diff --git a/policy/modules/contrib/nessus.if b/policy/modules/contrib/nessus.if
index 42e9ed4..5fa68ad 100644
--- a/policy/modules/contrib/nessus.if
+++ b/policy/modules/contrib/nessus.if
@@ -40,10 +40,10 @@ interface(`nessus_admin',`
allow $1 nessusd_t:process { ptrace signal_perms };
ps_process_pattern($1, nessusd_t)
- init_labeled_script_domtrans($1, nessusd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 nessusd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, nessusd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 nessusd_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, nessusd_log_t)
diff --git a/policy/modules/contrib/networkmanager.if b/policy/modules/contrib/networkmanager.if
index b512ce0..7e1b861 100644
--- a/policy/modules/contrib/networkmanager.if
+++ b/policy/modules/contrib/networkmanager.if
@@ -297,10 +297,10 @@ interface(`networkmanager_admin',`
allow $1 { wpa_cli_t NetworkManager_t }:process { ptrace signal_perms };
ps_process_pattern($1, { wpa_cli_t NetworkManager_t })
- init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 NetworkManager_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 NetworkManager_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, { NetworkManager_etc_t NetworkManager_etc_rw_t })
diff --git a/policy/modules/contrib/nis.if b/policy/modules/contrib/nis.if
index 46e55c3..8000aa6 100644
--- a/policy/modules/contrib/nis.if
+++ b/policy/modules/contrib/nis.if
@@ -381,11 +381,11 @@ interface(`nis_admin',`
allow $1 { ypbind_t yppasswdd_t ypserv_t ypxfr_t }:process { ptrace signal_perms };
ps_process_pattern($1, { ypbind_t yppasswdd_t ypserv_t ypxfr_t })
- nis_initrc_domtrans($1)
- nis_initrc_domtrans_ypbind($1)
- domain_system_change_exemption($1)
- role_transition $2 { nis_initrc_exec_t ypbind_initrc_exec_t } system_r;
- allow $2 system_r;
+ #nis_initrc_domtrans($1)
+ #nis_initrc_domtrans_ypbind($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 { nis_initrc_exec_t ypbind_initrc_exec_t } system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, { ypserv_tmp_t ypbind_tmp_t })
diff --git a/policy/modules/contrib/nscd.if b/policy/modules/contrib/nscd.if
index 8f2ab09..7d046d2 100644
--- a/policy/modules/contrib/nscd.if
+++ b/policy/modules/contrib/nscd.if
@@ -299,10 +299,10 @@ interface(`nscd_admin',`
allow $1 nscd_t:process { ptrace signal_perms };
ps_process_pattern($1, nscd_t)
- init_labeled_script_domtrans($1, nscd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 nscd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, nscd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 nscd_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, nscd_log_t)
diff --git a/policy/modules/contrib/nsd.if b/policy/modules/contrib/nsd.if
index a9c60ff..6b42add 100644
--- a/policy/modules/contrib/nsd.if
+++ b/policy/modules/contrib/nsd.if
@@ -54,10 +54,10 @@ interface(`nsd_admin',`
allow $1 nsd_t:process { ptrace signal_perms };
ps_process_pattern($1, nsd_t)
- init_labeled_script_domtrans($1, nsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 nsd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, nsd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 nsd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, { nsd_conf_t nsd_db_t })
diff --git a/policy/modules/contrib/nslcd.if b/policy/modules/contrib/nslcd.if
index bbd7cac..4c7aee8 100644
--- a/policy/modules/contrib/nslcd.if
+++ b/policy/modules/contrib/nslcd.if
@@ -102,10 +102,10 @@ interface(`nslcd_admin',`
allow $1 nslcd_t:process { ptrace signal_perms };
ps_process_pattern($1, nslcd_t)
- nslcd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 nslcd_initrc_exec_t system_r;
- allow $2 system_r;
+ #nslcd_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 nslcd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, nslcd_conf_t)
diff --git a/policy/modules/contrib/ntop.if b/policy/modules/contrib/ntop.if
index beaee73..756b0cc 100644
--- a/policy/modules/contrib/ntop.if
+++ b/policy/modules/contrib/ntop.if
@@ -26,10 +26,10 @@ interface(`ntop_admin',`
allow $1 ntop_t:process { ptrace signal_perms };
ps_process_pattern($1, ntop_t)
- init_labeled_script_domtrans($1, ntop_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ntop_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ntop_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ntop_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, ntop_etc_t)
diff --git a/policy/modules/contrib/ntp.if b/policy/modules/contrib/ntp.if
index 6a83626..02e6320 100644
--- a/policy/modules/contrib/ntp.if
+++ b/policy/modules/contrib/ntp.if
@@ -166,10 +166,10 @@ interface(`ntp_admin',`
allow $1 ntpd_t:process { ptrace signal_perms };
ps_process_pattern($1, ntpd_t)
- init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ntpd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ntpd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, { ntpd_key_t ntp_conf_t })
diff --git a/policy/modules/contrib/numad.if b/policy/modules/contrib/numad.if
index 0d3c270..d5c4a6d 100644
--- a/policy/modules/contrib/numad.if
+++ b/policy/modules/contrib/numad.if
@@ -26,10 +26,10 @@ interface(`numad_admin',`
allow $1 numad_t:process { ptrace signal_perms };
ps_process_pattern($1, numad_t)
- init_labeled_script_domtrans($1, numad_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 numad_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, numad_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 numad_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, numad_log_t)
diff --git a/policy/modules/contrib/nut.if b/policy/modules/contrib/nut.if
index c606ae6..f0f6b74 100644
--- a/policy/modules/contrib/nut.if
+++ b/policy/modules/contrib/nut.if
@@ -26,10 +26,10 @@ interface(`nut_admin',`
allow $1 nut_domain:process { ptrace signal_perms };
ps_process_pattern($1, nut_domain)
- init_labeled_script_domtrans($1, nut_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 nut_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, nut_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 nut_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, nut_conf_t)
diff --git a/policy/modules/contrib/oident.if b/policy/modules/contrib/oident.if
index 513f452..c4d4419 100644
--- a/policy/modules/contrib/oident.if
+++ b/policy/modules/contrib/oident.if
@@ -131,10 +131,10 @@ interface(`oident_admin',`
allow $1 oidentd_t:process { ptrace signal_perms };
ps_process_pattern($1, oidentd_t)
- init_labeled_script_domtrans($1, oidentd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 oidentd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, oidentd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 oidentd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, oidentd_config_t)
diff --git a/policy/modules/contrib/openct.if b/policy/modules/contrib/openct.if
index a55238b..4fe22f9 100644
--- a/policy/modules/contrib/openct.if
+++ b/policy/modules/contrib/openct.if
@@ -120,10 +120,10 @@ interface(`openct_admin',`
allow $1 openct_t:process { ptrace signal_perms };
ps_process_pattern($1, openct_t)
- init_labeled_script_domtrans($1, openct_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 openct_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, openct_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 openct_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, openct_var_run_t)
diff --git a/policy/modules/contrib/openhpi.if b/policy/modules/contrib/openhpi.if
index 3c86958..141f3c8 100644
--- a/policy/modules/contrib/openhpi.if
+++ b/policy/modules/contrib/openhpi.if
@@ -26,10 +26,10 @@ interface(`openhpi_admin',`
allow $1 openhpid_t:process { ptrace signal_perms };
ps_process_pattern($1, openhpid_t)
- init_labeled_script_domtrans($1, openhpid_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 openhpid_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, openhpid_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 openhpid_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, openhpid_var_lib_t)
diff --git a/policy/modules/contrib/openvpn.if b/policy/modules/contrib/openvpn.if
index 6837e9a..7efa5a5 100644
--- a/policy/modules/contrib/openvpn.if
+++ b/policy/modules/contrib/openvpn.if
@@ -150,10 +150,10 @@ interface(`openvpn_admin',`
allow $1 openvpn_t:process { ptrace signal_perms };
ps_process_pattern($1, openvpn_t)
- init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 openvpn_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 openvpn_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, { openvpn_etc_t openvpn_etc_rw_t })
diff --git a/policy/modules/contrib/openvswitch.if b/policy/modules/contrib/openvswitch.if
index 9b15730..131e6dc 100644
--- a/policy/modules/contrib/openvswitch.if
+++ b/policy/modules/contrib/openvswitch.if
@@ -64,10 +64,10 @@ interface(`openvswitch_admin',`
allow $1 openvswitch_t:process { ptrace signal_perms };
ps_process_pattern($1, openvswitch_t)
- init_labeled_script_domtrans($1, openvswitch_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 openvswitch_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, openvswitch_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 openvswitch_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, openvswitch_conf_t)
diff --git a/policy/modules/contrib/pacemaker.if b/policy/modules/contrib/pacemaker.if
index 9682d9a..3ae9dcf 100644
--- a/policy/modules/contrib/pacemaker.if
+++ b/policy/modules/contrib/pacemaker.if
@@ -26,10 +26,10 @@ interface(`pacemaker_admin',`
allow $1 pacemaker_t:process { ptrace signal_perms };
ps_process_pattern($1, pacemaker_t)
- init_labeled_script_domtrans($1, pacemaker_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pacemaker_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, pacemaker_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pacemaker_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, pacemaker_var_lib_t)
diff --git a/policy/modules/contrib/pads.if b/policy/modules/contrib/pads.if
index 6e097c9..e9fa6d2 100644
--- a/policy/modules/contrib/pads.if
+++ b/policy/modules/contrib/pads.if
@@ -26,10 +26,10 @@ interface(`pads_admin', `
allow $1 pads_t:process { ptrace signal_perms };
ps_process_pattern($1, pads_t)
- init_labeled_script_domtrans($1, pads_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pads_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, pads_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pads_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, pads_var_run_t)
diff --git a/policy/modules/contrib/pcscd.if b/policy/modules/contrib/pcscd.if
index 7f77d32..aa414bd 100644
--- a/policy/modules/contrib/pcscd.if
+++ b/policy/modules/contrib/pcscd.if
@@ -128,10 +128,10 @@ interface(`pcscd_admin',`
allow $1 pcscd_t:process { ptrace signal_perms };
ps_process_pattern($1, pcscd_t)
- init_labeled_script_domtrans($1, pcscd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pcscd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, pcscd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pcscd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, pcscd_var_run_t)
diff --git a/policy/modules/contrib/pegasus.if b/policy/modules/contrib/pegasus.if
index d2fc677..3b509a4 100644
--- a/policy/modules/contrib/pegasus.if
+++ b/policy/modules/contrib/pegasus.if
@@ -27,10 +27,10 @@ interface(`pegasus_admin',`
allow $1 pegasus_t:process { ptrace signal_perms };
ps_process_pattern($1, pegasus_t)
- init_labeled_script_domtrans($1, pegasus_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pegasus_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, pegasus_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pegasus_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, pegasus_conf_t)
diff --git a/policy/modules/contrib/perdition.if b/policy/modules/contrib/perdition.if
index 47e09e1..ffe3965 100644
--- a/policy/modules/contrib/perdition.if
+++ b/policy/modules/contrib/perdition.if
@@ -40,10 +40,10 @@ interface(`perdition_admin',`
allow $1 perdition_t:process { ptrace signal_perms };
ps_process_pattern($1, perdition_t)
- init_labeled_script_domtrans($1, perdition_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 perdition_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, perdition_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 perdition_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, perdition_etc_t)
diff --git a/policy/modules/contrib/pingd.if b/policy/modules/contrib/pingd.if
index 21a6ecb..4194b84 100644
--- a/policy/modules/contrib/pingd.if
+++ b/policy/modules/contrib/pingd.if
@@ -84,10 +84,10 @@ interface(`pingd_admin',`
allow $1 pingd_t:process { ptrace signal_perms };
ps_process_pattern($1, pingd_t)
- init_labeled_script_domtrans($1, pingd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pingd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, pingd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pingd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, pingd_etc_t)
diff --git a/policy/modules/contrib/pkcs.if b/policy/modules/contrib/pkcs.if
index 69be2aa..c3b3223 100644
--- a/policy/modules/contrib/pkcs.if
+++ b/policy/modules/contrib/pkcs.if
@@ -26,10 +26,10 @@ interface(`pkcs_admin_slotd',`
allow $1 pkcs_slotd_t:process { ptrace signal_perms };
ps_process_pattern($1, pkcs_slotd_t)
- init_labeled_script_domtrans($1, pkcs_slotd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pkcs_slotd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, pkcs_slotd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pkcs_slotd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, pkcs_slotd_var_lib_t)
diff --git a/policy/modules/contrib/polipo.if b/policy/modules/contrib/polipo.if
index ae27bb7..c6c431e 100644
--- a/policy/modules/contrib/polipo.if
+++ b/policy/modules/contrib/polipo.if
@@ -125,10 +125,10 @@ interface(`polipo_admin',`
allow $1 polipo_system_t:process { ptrace signal_perms };
ps_process_pattern($1, polipo_system_t)
- polipo_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 polipo_initrc_exec_t system_r;
- allow $2 system_r;
+ #polipo_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 polipo_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var($1)
admin_pattern($1, polipo_cache_t)
diff --git a/policy/modules/contrib/portmap.if b/policy/modules/contrib/portmap.if
index 9f982b5..7cc0695 100644
--- a/policy/modules/contrib/portmap.if
+++ b/policy/modules/contrib/portmap.if
@@ -114,10 +114,10 @@ interface(`portmap_admin',`
allow $1 { portmap_t portmap_helper_t }:process { ptrace signal_perms };
ps_process_pattern($1, { portmap_t portmap_helper_t })
- init_labeled_script_domtrans($1, portmap_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 portmap_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, portmap_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 portmap_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, portmap_var_run_t)
diff --git a/policy/modules/contrib/portreserve.if b/policy/modules/contrib/portreserve.if
index 5ad5291..ecffbfc 100644
--- a/policy/modules/contrib/portreserve.if
+++ b/policy/modules/contrib/portreserve.if
@@ -108,10 +108,10 @@ interface(`portreserve_admin',`
allow $1 portreserve_t:process { ptrace signal_perms };
ps_process_pattern($1, portreserve_t)
- portreserve_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 portreserve_initrc_exec_t system_r;
- allow $2 system_r;
+ #portreserve_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 portreserve_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, portreserve_etc_t)
diff --git a/policy/modules/contrib/postfix.if b/policy/modules/contrib/postfix.if
index 8e7d1e7..603f2e3 100644
--- a/policy/modules/contrib/postfix.if
+++ b/policy/modules/contrib/postfix.if
@@ -720,10 +720,10 @@ interface(`postfix_admin',`
allow $1 postfix_domain:process { ptrace signal_perms };
ps_process_pattern($1, postfix_domain)
- init_labeled_script_domtrans($1, postfix_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 postfix_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, postfix_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 postfix_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t postfix_keytab_t })
diff --git a/policy/modules/contrib/postfixpolicyd.if b/policy/modules/contrib/postfixpolicyd.if
index 5de8173..d74f378 100644
--- a/policy/modules/contrib/postfixpolicyd.if
+++ b/policy/modules/contrib/postfixpolicyd.if
@@ -26,10 +26,10 @@ interface(`postfixpolicyd_admin',`
allow $1 postfix_policyd_t:process { ptrace signal_perms };
ps_process_pattern($1, postfix_policyd_t)
- init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 postfix_policyd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 postfix_policyd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, postfix_policyd_conf_t)
diff --git a/policy/modules/contrib/postgrey.if b/policy/modules/contrib/postgrey.if
index b9e71b5..05a4cd4 100644
--- a/policy/modules/contrib/postgrey.if
+++ b/policy/modules/contrib/postgrey.if
@@ -67,10 +67,10 @@ interface(`postgrey_admin',`
allow $1 postgrey_t:process { ptrace signal_perms };
ps_process_pattern($1, postgrey_t)
- init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 postgrey_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 postgrey_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, postgrey_etc_t)
diff --git a/policy/modules/contrib/ppp.if b/policy/modules/contrib/ppp.if
index cd8b8b9..71455d1 100644
--- a/policy/modules/contrib/ppp.if
+++ b/policy/modules/contrib/ppp.if
@@ -487,10 +487,10 @@ interface(`ppp_admin',`
allow $1 { pptp_t pppd_t }:process { ptrace signal_perms };
ps_process_pattern($1, { pptp_t pppd_t })
- ppp_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 pppd_initrc_exec_t system_r;
- allow $2 system_r;
+ #ppp_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pppd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, pppd_tmp_t)
diff --git a/policy/modules/contrib/prelude.if b/policy/modules/contrib/prelude.if
index db8f510..573fac7 100644
--- a/policy/modules/contrib/prelude.if
+++ b/policy/modules/contrib/prelude.if
@@ -126,10 +126,10 @@ interface(`prelude_admin',`
allow $1 { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t }:process { ptrace signal_perms };
ps_process_pattern($1, { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t })
- init_labeled_script_domtrans($1, prelude_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 prelude_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, prelude_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 prelude_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_spool($1)
admin_pattern($1, prelude_spool_t)
diff --git a/policy/modules/contrib/privoxy.if b/policy/modules/contrib/privoxy.if
index bdcee30..182267b 100644
--- a/policy/modules/contrib/privoxy.if
+++ b/policy/modules/contrib/privoxy.if
@@ -26,10 +26,10 @@ interface(`privoxy_admin',`
allow $1 privoxy_t:process { ptrace signal_perms };
ps_process_pattern($1, privoxy_t)
- init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 privoxy_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 privoxy_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, privoxy_log_t)
diff --git a/policy/modules/contrib/psad.if b/policy/modules/contrib/psad.if
index cdc83d2..a04483a 100644
--- a/policy/modules/contrib/psad.if
+++ b/policy/modules/contrib/psad.if
@@ -242,10 +242,10 @@ interface(`psad_admin',`
allow $1 psad_t:process { ptrace signal_perms };
ps_process_pattern($1, psad_t)
- init_labeled_script_domtrans($1, psad_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 psad_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, psad_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 psad_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, psad_etc_t)
diff --git a/policy/modules/contrib/puppet.if b/policy/modules/contrib/puppet.if
index 7cb8b1f..9d0c95c 100644
--- a/policy/modules/contrib/puppet.if
+++ b/policy/modules/contrib/puppet.if
@@ -211,10 +211,10 @@ interface(`puppet_admin',`
allow $1 { puppet_t puppetca_t puppetmaster_t }:process { ptrace signal_perms };
ps_process_pattern($1, { puppet_t puppetca_t puppetmaster_t })
- init_labeled_script_domtrans($1, { puppet_initrc_exec_t puppetmaster_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { puppet_initrc_exec_t puppetmaster_initrc_exec_t } system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, { puppet_initrc_exec_t puppetmaster_initrc_exec_t })
+ #domain_system_change_exemption($1)
+ #role_transition $2 { puppet_initrc_exec_t puppetmaster_initrc_exec_t } system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, puppet_etc_t)
diff --git a/policy/modules/contrib/pxe.if b/policy/modules/contrib/pxe.if
index 7da286f..3a60f9b 100644
--- a/policy/modules/contrib/pxe.if
+++ b/policy/modules/contrib/pxe.if
@@ -26,10 +26,10 @@ interface(`pxe_admin',`
allow $1 pxe_t:process { ptrace signal_perms };
ps_process_pattern($1, pxe_t)
- init_labeled_script_domtrans($1, pxe_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pxe_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, pxe_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pxe_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, pxe_log_t)
diff --git a/policy/modules/contrib/pyicqt.if b/policy/modules/contrib/pyicqt.if
index 0ccea82..683d0ee 100644
--- a/policy/modules/contrib/pyicqt.if
+++ b/policy/modules/contrib/pyicqt.if
@@ -26,10 +26,10 @@ interface(`pyicqt_admin',`
allow $1 pyicqt_t:process { ptrace signal_perms };
ps_process_pattern($1, pyicqt_t)
- init_labeled_script_domtrans($1, pyicqt_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pyicqt_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, pyicqt_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pyicqt_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, pyicqt_conf_t)
diff --git a/policy/modules/contrib/pyzor.if b/policy/modules/contrib/pyzor.if
index c05a504..664b594 100644
--- a/policy/modules/contrib/pyzor.if
+++ b/policy/modules/contrib/pyzor.if
@@ -118,10 +118,10 @@ interface(`pyzor_admin',`
allow $1 pyzord_t:process { ptrace signal_perms };
ps_process_pattern($1, pyzord_t)
- init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pyzord_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pyzord_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, pyzor_etc_t)
diff --git a/policy/modules/contrib/qpid.if b/policy/modules/contrib/qpid.if
index fe2adf8..307b419 100644
--- a/policy/modules/contrib/qpid.if
+++ b/policy/modules/contrib/qpid.if
@@ -177,10 +177,10 @@ interface(`qpidd_admin',`
allow $1 qpidd_t:process { ptrace signal_perms };
ps_process_pattern($1, qpidd_t)
- qpidd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 qpidd_initrc_exec_t system_r;
- allow $2 system_r;
+ #qpidd_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 qpidd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, qpidd_var_lib_t)
diff --git a/policy/modules/contrib/quantum.if b/policy/modules/contrib/quantum.if
index afc0068..2d9ec09 100644
--- a/policy/modules/contrib/quantum.if
+++ b/policy/modules/contrib/quantum.if
@@ -26,10 +26,10 @@ interface(`quantum_admin',`
allow $1 quantum_t:process { ptrace signal_perms };
ps_process_pattern($1, quantum_t)
- init_labeled_script_domtrans($1, quantum_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 quantum_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, quantum_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 quantum_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, quantum_log_t)
diff --git a/policy/modules/contrib/quota.if b/policy/modules/contrib/quota.if
index 68611e3..6af6364 100644
--- a/policy/modules/contrib/quota.if
+++ b/policy/modules/contrib/quota.if
@@ -184,10 +184,10 @@ interface(`quota_admin',`
allow $1 { quota_nld_t quota_t }:process { ptrace signal_perms };
ps_process_pattern($1, { quota_nld_t quota_t })
- init_labeled_script_domtrans($1, quota_nld_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 quota_nld_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, quota_nld_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 quota_nld_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_all($1)
admin_pattern($1, { quota_db_t quota_flag_t quota_nld_var_run_t })
diff --git a/policy/modules/contrib/rabbitmq.if b/policy/modules/contrib/rabbitmq.if
index 2c3d338..64bd4db 100644
--- a/policy/modules/contrib/rabbitmq.if
+++ b/policy/modules/contrib/rabbitmq.if
@@ -45,10 +45,10 @@ interface(`rabbitmq_admin',`
allow $1 { rabbitmq_epmd_t rabbitmq_beam_t }:process { ptrace signal_perms };
ps_process_pattern($1, { rabbitmq_epmd_t rabbitmq_beam_t })
- init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rabbitmq_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 rabbitmq_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, rabbitmq_var_log_t)
diff --git a/policy/modules/contrib/radius.if b/policy/modules/contrib/radius.if
index 4460582..785c40a 100644
--- a/policy/modules/contrib/radius.if
+++ b/policy/modules/contrib/radius.if
@@ -41,10 +41,10 @@ interface(`radius_admin',`
allow $1 radiusd_t:process { ptrace signal_perms };
ps_process_pattern($1, radiusd_t)
- init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 radiusd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 radiusd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, { radiusd_etc_t radiusd_etc_rw_t })
diff --git a/policy/modules/contrib/radvd.if b/policy/modules/contrib/radvd.if
index ac7058d..33a3f31 100644
--- a/policy/modules/contrib/radvd.if
+++ b/policy/modules/contrib/radvd.if
@@ -26,10 +26,10 @@ interface(`radvd_admin',`
allow $1 radvd_t:process { ptrace signal_perms };
ps_process_pattern($1, radvd_t)
- init_labeled_script_domtrans($1, radvd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 radvd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, radvd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 radvd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, radvd_etc_t)
diff --git a/policy/modules/contrib/raid.if b/policy/modules/contrib/raid.if
index 951db7f..f865481 100644
--- a/policy/modules/contrib/raid.if
+++ b/policy/modules/contrib/raid.if
@@ -91,10 +91,10 @@ interface(`raid_admin_mdadm',`
allow $1 mdadm_t:process { ptrace signal_perms };
ps_process_pattern($1, mdadm_t)
- init_labeled_script_domtrans($1, mdadm_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 mdadm_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, mdadm_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 mdadm_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, mdadm_var_run_t)
diff --git a/policy/modules/contrib/redis.if b/policy/modules/contrib/redis.if
index 3969450..13812be 100644
--- a/policy/modules/contrib/redis.if
+++ b/policy/modules/contrib/redis.if
@@ -26,10 +26,10 @@ interface(`redis_admin',`
allow $1 redis_t:process { ptrace signal_perms };
ps_process_pattern($1, redis_t)
- init_labeled_script_domtrans($1, redis_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 redis_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, redis_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 redis_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, redis_log_t)
diff --git a/policy/modules/contrib/resmgr.if b/policy/modules/contrib/resmgr.if
index 0d93db6..b6a5cec 100644
--- a/policy/modules/contrib/resmgr.if
+++ b/policy/modules/contrib/resmgr.if
@@ -46,10 +46,10 @@ interface(`resmgr_admin',`
allow $1 resmgrd_t:process { ptrace signal_perms };
ps_process_pattern($1, resmgrd_t)
- init_labeled_script_domtrans($1, resmgrd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 resmgrd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, resmgrd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 resmgrd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, resmgrd_etc_t)
diff --git a/policy/modules/contrib/rgmanager.if b/policy/modules/contrib/rgmanager.if
index 1c2f9aa..5ab664c 100644
--- a/policy/modules/contrib/rgmanager.if
+++ b/policy/modules/contrib/rgmanager.if
@@ -105,10 +105,10 @@ interface(`rgmanager_admin',`
allow $1 rgmanager_t:process { ptrace signal_perms };
ps_process_pattern($1, rgmanager_t)
- init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rgmanager_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 rgmanager_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, rgmanager_tmp_t)
diff --git a/policy/modules/contrib/rhcs.if b/policy/modules/contrib/rhcs.if
index c8bdea2..10828e8 100644
--- a/policy/modules/contrib/rhcs.if
+++ b/policy/modules/contrib/rhcs.if
@@ -472,10 +472,10 @@ interface(`rhcs_admin',`
allow $1 cluster_domain:process { ptrace signal_perms };
ps_process_pattern($1, cluster_domain)
- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
+ #domain_system_change_exemption($1)
+ #role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, cluster_pid)
diff --git a/policy/modules/contrib/rhsmcertd.if b/policy/modules/contrib/rhsmcertd.if
index 6dbc905..98574fe 100644
--- a/policy/modules/contrib/rhsmcertd.if
+++ b/policy/modules/contrib/rhsmcertd.if
@@ -285,10 +285,10 @@ interface(`rhsmcertd_admin',`
allow $1 rhsmcertd_t:process { ptrace signal_perms };
ps_process_pattern($1, rhsmcertd_t)
- rhsmcertd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 rhsmcertd_initrc_exec_t system_r;
- allow $2 system_r;
+ #rhsmcertd_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 rhsmcertd_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, rhsmcertd_log_t)
diff --git a/policy/modules/contrib/ricci.if b/policy/modules/contrib/ricci.if
index 2ab3ed1..3290abc 100644
--- a/policy/modules/contrib/ricci.if
+++ b/policy/modules/contrib/ricci.if
@@ -203,10 +203,10 @@ interface(`ricci_admin',`
allow $1 ricci_t:process { ptrace signal_perms };
ps_process_pattern($1, ricci_t)
- init_labeled_script_domtrans($1, ricci_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ricci_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ricci_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ricci_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, ricci_tmp_t)
diff --git a/policy/modules/contrib/rngd.if b/policy/modules/contrib/rngd.if
index 13f788f..d182588 100644
--- a/policy/modules/contrib/rngd.if
+++ b/policy/modules/contrib/rngd.if
@@ -25,10 +25,10 @@ interface(`rngd_admin',`
allow $1 rngd_t:process { ptrace signal_perms };
ps_process_pattern($1, rngd_t)
- init_labeled_script_domtrans($1, rngd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rngd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, rngd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 rngd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, rngd_var_run_t)
diff --git a/policy/modules/contrib/roundup.if b/policy/modules/contrib/roundup.if
index 975bb6a..f540ee7 100644
--- a/policy/modules/contrib/roundup.if
+++ b/policy/modules/contrib/roundup.if
@@ -26,10 +26,10 @@ interface(`roundup_admin',`
allow $1 roundup_t:process { ptrace signal_perms };
ps_process_pattern($1, roundup_t)
- init_labeled_script_domtrans($1, roundup_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 roundup_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, roundup_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 roundup_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_var_lib($1)
admin_pattern($1, roundup_var_lib_t)
diff --git a/policy/modules/contrib/rpc.if b/policy/modules/contrib/rpc.if
index 157afd9..baf9509 100644
--- a/policy/modules/contrib/rpc.if
+++ b/policy/modules/contrib/rpc.if
@@ -400,10 +400,10 @@ interface(`rpc_admin',`
allow $1 rpc_domain:process { ptrace signal_perms };
ps_process_pattern($1, rpc_domain)
- init_labeled_script_domtrans($1, { nfsd_initrc_exec_t rpcd_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { nfsd_initrc_exec_t rpcd_initrc_exec_t } system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, { nfsd_initrc_exec_t rpcd_initrc_exec_t })
+ #domain_system_change_exemption($1)
+ #role_transition $2 { nfsd_initrc_exec_t rpcd_initrc_exec_t } system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, { gssd_keytab_t exports_t })
diff --git a/policy/modules/contrib/rpcbind.if b/policy/modules/contrib/rpcbind.if
index f78fef0..bfee269 100644
--- a/policy/modules/contrib/rpcbind.if
+++ b/policy/modules/contrib/rpcbind.if
@@ -160,10 +160,10 @@ interface(`rpcbind_admin',`
allow $1 rpcbind_t:process { ptrace signal_perms };
ps_process_pattern($1, rpcbind_t)
- init_labeled_script_domtrans($1, rpcbind_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rpcbind_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, rpcbind_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 rpcbind_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, rpcbind_var_run_t)
diff --git a/policy/modules/contrib/rpm.if b/policy/modules/contrib/rpm.if
index fc9c8d8..4b1a6b3 100644
--- a/policy/modules/contrib/rpm.if
+++ b/policy/modules/contrib/rpm.if
@@ -634,10 +634,10 @@ interface(`rpm_admin',`
allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms };
ps_process_pattern($1, { rpm_t rpm_script_t })
- init_labeled_script_domtrans($1, rpm_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rpm_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, rpm_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 rpm_initrc_exec_t system_r;
+ #allow $2 system_r;
admin_pattern($1, rpm_file_t)
diff --git a/policy/modules/contrib/rtkit.if b/policy/modules/contrib/rtkit.if
index e904ec4..37daa13 100644
--- a/policy/modules/contrib/rtkit.if
+++ b/policy/modules/contrib/rtkit.if
@@ -90,8 +90,8 @@ interface(`rtkit_admin',`
allow $1 rtkit_daemon_t:process { ptrace signal_perms };
ps_process_pattern($1, rtkit_daemon_t)
- init_labeled_script_domtrans($1, rtkit_daemon_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rtkit_daemon_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, rtkit_daemon_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 rtkit_daemon_initrc_exec_t system_r;
+ #allow $2 system_r;
')
diff --git a/policy/modules/contrib/rwho.if b/policy/modules/contrib/rwho.if
index 0360ff0..01b5928 100644
--- a/policy/modules/contrib/rwho.if
+++ b/policy/modules/contrib/rwho.if
@@ -142,10 +142,10 @@ interface(`rwho_admin',`
allow $1 rwho_t:process { ptrace signal_perms };
ps_process_pattern($1, rwho_t)
- init_labeled_script_domtrans($1, rwho_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rwho_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, rwho_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 rwho_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, rwho_log_t)
diff --git a/policy/modules/contrib/salt.if b/policy/modules/contrib/salt.if
index 7ab9e6b..c8e33a5 100644
--- a/policy/modules/contrib/salt.if
+++ b/policy/modules/contrib/salt.if
@@ -29,12 +29,12 @@ interface(`salt_admin_master',`
allow $1 salt_master_t:process { ptrace signal_perms };
ps_process_pattern($1, salt_master_t)
- init_labeled_script_domtrans($1, salt_master_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 salt_master_initrc_exec_t system_r;
+ #init_labeled_script_domtrans($1, salt_master_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 salt_master_initrc_exec_t system_r;
# for debugging?
- role_transition $2 salt_master_exec_t system_r;
+ #role_transition $2 salt_master_exec_t system_r;
domtrans_pattern($1, salt_master_exec_t, salt_master_t)
roleattribute $2 salt_master_roles;
@@ -73,12 +73,12 @@ interface(`salt_admin_minion',`
allow $1 salt_minion_t:process { ptrace signal_perms };
ps_process_pattern($1, salt_minion_t)
- init_labeled_script_domtrans($1, salt_minion_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 salt_minion_initrc_exec_t system_r;
+ #init_labeled_script_domtrans($1, salt_minion_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 salt_minion_initrc_exec_t system_r;
# for debugging
- role_transition $2 salt_minion_exec_t system_r;
+ #role_transition $2 salt_minion_exec_t system_r;
domtrans_pattern($1, salt_minion_exec_t, salt_minion_t)
roleattribute $2 salt_minion_roles;
diff --git a/policy/modules/contrib/samba.if b/policy/modules/contrib/samba.if
index 50d07fb..51e6858 100644
--- a/policy/modules/contrib/samba.if
+++ b/policy/modules/contrib/samba.if
@@ -695,10 +695,10 @@ interface(`samba_admin',`
allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms };
ps_process_pattern($1, { nmbd_t smbd_t })
- init_labeled_script_domtrans($1, samba_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 samba_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, samba_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 samba_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, { samba_etc_t smbd_keytab_t })
diff --git a/policy/modules/contrib/sanlock.if b/policy/modules/contrib/sanlock.if
index cd6c213..98b2950 100644
--- a/policy/modules/contrib/sanlock.if
+++ b/policy/modules/contrib/sanlock.if
@@ -104,10 +104,10 @@ interface(`sanlock_admin',`
allow $1 sanlock_t:process { ptrace signal_perms };
ps_process_pattern($1, sanlock_t)
- sanlock_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 sanlock_initrc_exec_t system_r;
- allow $2 system_r;
+ #sanlock_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 sanlock_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, sanlock_var_run_t)
diff --git a/policy/modules/contrib/sasl.if b/policy/modules/contrib/sasl.if
index 8c3c151..7da737b 100644
--- a/policy/modules/contrib/sasl.if
+++ b/policy/modules/contrib/sasl.if
@@ -45,10 +45,10 @@ interface(`sasl_admin',`
allow $1 saslauthd_t:process { ptrace signal_perms };
ps_process_pattern($1, saslauthd_t)
- init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 saslauthd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 saslauthd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, saslauthd_keytab_t)
diff --git a/policy/modules/contrib/sblim.if b/policy/modules/contrib/sblim.if
index 98c9e0a..25d94a4 100644
--- a/policy/modules/contrib/sblim.if
+++ b/policy/modules/contrib/sblim.if
@@ -64,10 +64,10 @@ interface(`sblim_admin',`
allow $1 sblim_domain:process { ptrace signal_perms };
ps_process_pattern($1, sblim_domain)
- init_labeled_script_domtrans($1, sblim_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 sblim_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, sblim_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 sblim_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, sblim_var_run_t)
diff --git a/policy/modules/contrib/sendmail.if b/policy/modules/contrib/sendmail.if
index 35ad2a7..7a95364 100644
--- a/policy/modules/contrib/sendmail.if
+++ b/policy/modules/contrib/sendmail.if
@@ -360,9 +360,9 @@ interface(`sendmail_admin',`
allow $1 { unconfined_sendmail_t sendmail_t }:process { ptrace signal_perms };
ps_process_pattern($1, { unconfined_sendmail_t sendmail_t })
- init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 sendmail_initrc_exec_t system_r;
+ #init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 sendmail_initrc_exec_t system_r;
files_list_etc($1)
admin_pattern($1, sendmail_keytab_t)
diff --git a/policy/modules/contrib/sensord.if b/policy/modules/contrib/sensord.if
index d204752..ec77409 100644
--- a/policy/modules/contrib/sensord.if
+++ b/policy/modules/contrib/sensord.if
@@ -25,10 +25,10 @@ interface(`sensord_admin',`
allow $1 sensord_t:process { ptrace signal_perms };
ps_process_pattern($1, sensord_t)
- init_labeled_script_domtrans($1, sensord_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 sensord_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, sensord_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 sensord_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, sensord_var_run_t)
diff --git a/policy/modules/contrib/shorewall.if b/policy/modules/contrib/shorewall.if
index 1aeef8a..abcfdf5 100644
--- a/policy/modules/contrib/shorewall.if
+++ b/policy/modules/contrib/shorewall.if
@@ -179,10 +179,10 @@ interface(`shorewall_admin',`
allow $1 shorewall_t:process { ptrace signal_perms };
ps_process_pattern($1, shorewall_t)
- init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 shorewall_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 shorewall_initrc_exec_t system_r;
+ #allow $2 system_r;
can_exec($1, shorewall_exec_t)
diff --git a/policy/modules/contrib/slpd.if b/policy/modules/contrib/slpd.if
index ca32e89..c13e32c 100644
--- a/policy/modules/contrib/slpd.if
+++ b/policy/modules/contrib/slpd.if
@@ -26,10 +26,10 @@ interface(`slpd_admin',`
allow $1 slpd_t:process { ptrace signal_perms };
ps_process_pattern($1, slpd_t)
- init_labeled_script_domtrans($1, slpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 slpd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, slpd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 slpd_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, slpd_log_t)
diff --git a/policy/modules/contrib/smartmon.if b/policy/modules/contrib/smartmon.if
index e0644b5..b0660d6 100644
--- a/policy/modules/contrib/smartmon.if
+++ b/policy/modules/contrib/smartmon.if
@@ -45,10 +45,10 @@ interface(`smartmon_admin',`
allow $1 fsdaemon_t:process { ptrace signal_perms };
ps_process_pattern($1, fsdaemon_t)
- init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 fsdaemon_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 fsdaemon_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, fsdaemon_tmp_t)
diff --git a/policy/modules/contrib/smokeping.if b/policy/modules/contrib/smokeping.if
index 1fa51c1..8c0eefe 100644
--- a/policy/modules/contrib/smokeping.if
+++ b/policy/modules/contrib/smokeping.if
@@ -161,10 +161,10 @@ interface(`smokeping_admin',`
allow $1 smokeping_t:process { ptrace signal_perms };
ps_process_pattern($1, smokeping_t)
- smokeping_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 smokeping_initrc_exec_t system_r;
- allow $2 system_r;
+ #smokeping_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 smokeping_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, smokeping_var_lib_t)
diff --git a/policy/modules/contrib/smstools.if b/policy/modules/contrib/smstools.if
index 81136f0..2b49829 100644
--- a/policy/modules/contrib/smstools.if
+++ b/policy/modules/contrib/smstools.if
@@ -27,10 +27,10 @@ interface(`smstools_admin',`
allow $1 smsd_t:process { ptrace signal_perms };
ps_process_pattern($1, smsd_t)
- init_labeled_script_domtrans($1, smsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 smsd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, smsd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 smsd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, smsd_conf_t)
diff --git a/policy/modules/contrib/snmp.if b/policy/modules/contrib/snmp.if
index bf78fa9..0da50f0 100644
--- a/policy/modules/contrib/snmp.if
+++ b/policy/modules/contrib/snmp.if
@@ -182,10 +182,10 @@ interface(`snmp_admin',`
allow $1 snmpd_t:process { ptrace signal_perms };
ps_process_pattern($1, snmpd_t)
- init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 snmpd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 snmpd_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, snmpd_log_t)
diff --git a/policy/modules/contrib/snort.if b/policy/modules/contrib/snort.if
index 7d86b34..910ffb9 100644
--- a/policy/modules/contrib/snort.if
+++ b/policy/modules/contrib/snort.if
@@ -45,10 +45,10 @@ interface(`snort_admin',`
allow $1 snort_t:process { ptrace signal_perms };
ps_process_pattern($1, snort_t)
- init_labeled_script_domtrans($1, snort_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 snort_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, snort_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 snort_initrc_exec_t system_r;
+ #allow $2 system_r;
admin_pattern($1, snort_etc_t)
files_search_etc($1)
diff --git a/policy/modules/contrib/soundserver.if b/policy/modules/contrib/soundserver.if
index a5abc5a..c6d0368 100644
--- a/policy/modules/contrib/soundserver.if
+++ b/policy/modules/contrib/soundserver.if
@@ -41,10 +41,10 @@ interface(`soundserver_admin',`
allow $1 soundd_t:process { ptrace signal_perms };
ps_process_pattern($1, soundd_t)
- init_labeled_script_domtrans($1, soundd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 soundd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, soundd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 soundd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, soundd_etc_t)
diff --git a/policy/modules/contrib/spamassassin.if b/policy/modules/contrib/spamassassin.if
index 7f5a1cc..f697f7b 100644
--- a/policy/modules/contrib/spamassassin.if
+++ b/policy/modules/contrib/spamassassin.if
@@ -384,10 +384,10 @@ interface(`spamassassin_admin',`
allow $1 spamd_t:process { ptrace signal_perms };
ps_process_pattern($1, spamd_t)
- init_labeled_script_domtrans($1, spamd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 spamd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, spamd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 spamd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, spamd_tmp_t)
diff --git a/policy/modules/contrib/squid.if b/policy/modules/contrib/squid.if
index 5e1f053..0d43504 100644
--- a/policy/modules/contrib/squid.if
+++ b/policy/modules/contrib/squid.if
@@ -216,10 +216,10 @@ interface(`squid_admin',`
allow $1 squid_t:process { ptrace signal_perms };
ps_process_pattern($1, squid_t)
- init_labeled_script_domtrans($1, squid_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 squid_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, squid_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 squid_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_var($1)
admin_pattern($1, squid_cache_t)
diff --git a/policy/modules/contrib/sssd.if b/policy/modules/contrib/sssd.if
index a240455..4ba98cc 100644
--- a/policy/modules/contrib/sssd.if
+++ b/policy/modules/contrib/sssd.if
@@ -342,10 +342,10 @@ interface(`sssd_admin',`
allow $1 sssd_t:process { ptrace signal_perms };
ps_process_pattern($1, sssd_t)
- sssd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 sssd_initrc_exec_t system_r;
- allow $2 system_r;
+ #sssd_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 sssd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, sssd_conf_t)
diff --git a/policy/modules/contrib/svnserve.if b/policy/modules/contrib/svnserve.if
index 5cd46e9..043ade5 100644
--- a/policy/modules/contrib/svnserve.if
+++ b/policy/modules/contrib/svnserve.if
@@ -25,10 +25,10 @@ interface(`svnserve_admin',`
allow $1 svnserve_t:process { ptrace signal_perms };
ps_process_pattern($1, svnserve_t)
- init_labeled_script_domtrans($1, svnserve_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 svnserve_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, svnserve_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 svnserve_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, svnserve_var_run_t)
diff --git a/policy/modules/contrib/sysstat.if b/policy/modules/contrib/sysstat.if
index 14ae3f2..46e08d3 100644
--- a/policy/modules/contrib/sysstat.if
+++ b/policy/modules/contrib/sysstat.if
@@ -46,10 +46,10 @@ interface(`sysstat_admin',`
allow $1 sysstat_t:process { ptrace signal_perms };
ps_process_pattern($1, sysstat_t)
- init_labeled_script_domtrans($1, sysstat_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 sysstat_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, sysstat_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 sysstat_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, sysstat_log_t)
diff --git a/policy/modules/contrib/systemtap.if b/policy/modules/contrib/systemtap.if
index d60a21e..4718ca2 100644
--- a/policy/modules/contrib/systemtap.if
+++ b/policy/modules/contrib/systemtap.if
@@ -26,10 +26,10 @@ interface(`stapserver_admin',`
allow $1 stapserver_t:process { ptrace signal_perms };
ps_process_pattern($1, stapserver_t)
- init_labeled_script_domtrans($1, stapserver_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 stapserver_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, stapserver_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 stapserver_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, stapserver_conf_t)
diff --git a/policy/modules/contrib/tcsd.if b/policy/modules/contrib/tcsd.if
index b42ec1d..d4b8da8 100644
--- a/policy/modules/contrib/tcsd.if
+++ b/policy/modules/contrib/tcsd.if
@@ -141,10 +141,10 @@ interface(`tcsd_admin',`
allow $1 tcsd_t:process { ptrace signal_perms };
ps_process_pattern($1, tcsd_t)
- tcsd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 tcsd_initrc_exec_t system_r;
- allow $2 system_r;
+ #tcsd_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 tcsd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, tcsd_var_lib_t)
diff --git a/policy/modules/contrib/tgtd.if b/policy/modules/contrib/tgtd.if
index dc5b46e..bde65e4 100644
--- a/policy/modules/contrib/tgtd.if
+++ b/policy/modules/contrib/tgtd.if
@@ -83,10 +83,10 @@ interface(`tgtd_admin',`
allow $1 tgtd_t:process { ptrace signal_perms };
ps_process_pattern($1, tgtd_t)
- init_labeled_script_domtrans($1, tgtd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 tgtd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, tgtd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 tgtd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, tgtd_var_lib_t)
diff --git a/policy/modules/contrib/tor.if b/policy/modules/contrib/tor.if
index 61c2e07..6ab1023 100644
--- a/policy/modules/contrib/tor.if
+++ b/policy/modules/contrib/tor.if
@@ -45,10 +45,10 @@ interface(`tor_admin',`
allow $1 tor_t:process { ptrace signal_perms };
ps_process_pattern($1, tor_t)
- init_labeled_script_domtrans($1, tor_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 tor_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, tor_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 tor_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, tor_etc_t)
diff --git a/policy/modules/contrib/transproxy.if b/policy/modules/contrib/transproxy.if
index 81a8351..20102c2 100644
--- a/policy/modules/contrib/transproxy.if
+++ b/policy/modules/contrib/transproxy.if
@@ -25,10 +25,10 @@ interface(`transproxy_admin',`
allow $1 transproxy_t:process { ptrace signal_perms };
ps_process_pattern($1, transproxy_t)
- init_labeled_script_domtrans($1, transproxy_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 transproxy_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, transproxy_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 transproxy_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, transproxy_var_run_t)
diff --git a/policy/modules/contrib/tuned.if b/policy/modules/contrib/tuned.if
index e29db63..9829bad 100644
--- a/policy/modules/contrib/tuned.if
+++ b/policy/modules/contrib/tuned.if
@@ -122,10 +122,10 @@ interface(`tuned_admin',`
allow $1 tuned_t:process { ptrace signal_perms };
ps_process_pattern($1, tuned_t)
- tuned_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 tuned_initrc_exec_t system_r;
- allow $2 system_r;
+ #tuned_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 tuned_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, { tuned_etc_t tuned_rw_etc_t })
diff --git a/policy/modules/contrib/ulogd.if b/policy/modules/contrib/ulogd.if
index 9b95c3e..43bfd7b 100644
--- a/policy/modules/contrib/ulogd.if
+++ b/policy/modules/contrib/ulogd.if
@@ -126,10 +126,10 @@ interface(`ulogd_admin',`
allow $1 ulogd_t:process { ptrace signal_perms };
ps_process_pattern($1, ulogd_t)
- init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ulogd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ulogd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, ulogd_etc_t)
diff --git a/policy/modules/contrib/uptime.if b/policy/modules/contrib/uptime.if
index 19f4724..b9f36e4 100644
--- a/policy/modules/contrib/uptime.if
+++ b/policy/modules/contrib/uptime.if
@@ -26,10 +26,10 @@ interface(`uptime_admin',`
allow $1 uptimed_t:process { ptrace signal_perms };
ps_process_pattern($1, uptimed_t)
- init_labeled_script_domtrans($1, uptimed_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 uptimed_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, uptimed_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 uptimed_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, uptimed_etc_t)
diff --git a/policy/modules/contrib/uucp.if b/policy/modules/contrib/uucp.if
index af9acc0..bf7df04 100644
--- a/policy/modules/contrib/uucp.if
+++ b/policy/modules/contrib/uucp.if
@@ -104,10 +104,10 @@ interface(`uucp_admin',`
type uucpd_var_run_t, uucpd_initrc_exec_t;
')
- init_labeled_script_domtrans($1, uucpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 uucpd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, uucpd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 uucpd_initrc_exec_t system_r;
+ #allow $2 system_r;
allow $1 uucpd_t:process { ptrace signal_perms };
ps_process_pattern($1, uucpd_t)
diff --git a/policy/modules/contrib/uuidd.if b/policy/modules/contrib/uuidd.if
index 6e48653..e33ec25 100644
--- a/policy/modules/contrib/uuidd.if
+++ b/policy/modules/contrib/uuidd.if
@@ -181,10 +181,10 @@ interface(`uuidd_admin',`
allow $1 uuidd_t:process signal_perms;
ps_process_pattern($1, uuidd_t)
- uuidd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 uuidd_initrc_exec_t system_r;
- allow $2 system_r;
+ #uuidd_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 uuidd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, uuidd_var_lib_t)
diff --git a/policy/modules/contrib/varnishd.if b/policy/modules/contrib/varnishd.if
index 1c35171..636c20d 100644
--- a/policy/modules/contrib/varnishd.if
+++ b/policy/modules/contrib/varnishd.if
@@ -160,10 +160,10 @@ interface(`varnishd_admin_varnishlog',`
allow $1 varnishlog_t:process { ptrace signal_perms };
ps_process_pattern($1, varnishlog_t)
- init_labeled_script_domtrans($1, varnishlog_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 varnishlog_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, varnishlog_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 varnishlog_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_pids($1)
admin_pattern($1, varnishlog_var_run_t)
@@ -199,10 +199,10 @@ interface(`varnishd_admin',`
allow $1 varnishd_t:process { ptrace signal_perms };
ps_process_pattern($1, varnishd_t)
- init_labeled_script_domtrans($1, varnishd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 varnishd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, varnishd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 varnishd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_var_lib($1)
admin_pattern($1, varnishd_var_lib_t)
diff --git a/policy/modules/contrib/vdagent.if b/policy/modules/contrib/vdagent.if
index 31c752e..5d3b76c 100644
--- a/policy/modules/contrib/vdagent.if
+++ b/policy/modules/contrib/vdagent.if
@@ -121,10 +121,10 @@ interface(`vdagent_admin',`
allow $1 vdagent_t:process signal_perms;
ps_process_pattern($1, vdagent_t)
- init_labeled_script_domtrans($1, vdagentd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 vdagentd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, vdagentd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 vdagentd_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, vdagent_log_t)
diff --git a/policy/modules/contrib/vhostmd.if b/policy/modules/contrib/vhostmd.if
index 22edd58..0055667 100644
--- a/policy/modules/contrib/vhostmd.if
+++ b/policy/modules/contrib/vhostmd.if
@@ -219,10 +219,10 @@ interface(`vhostmd_admin',`
allow $1 vhostmd_t:process { ptrace signal_perms };
ps_process_pattern($1, vhostmd_t)
- vhostmd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 vhostmd_initrc_exec_t system_r;
- allow $2 system_r;
+ #vhostmd_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 vhostmd_initrc_exec_t system_r;
+ #allow $2 system_r;
fs_search_tmpfs($1)
admin_pattern($1, vhostmd_tmpfs_t)
diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if
index 7c97c87..4f531b9 100644
--- a/policy/modules/contrib/virt.if
+++ b/policy/modules/contrib/virt.if
@@ -1176,10 +1176,10 @@ interface(`virt_admin',`
ps_process_pattern($1, { virt_domain svirt_lxc_domain virtd_t })
ps_process_pattern($1, { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t })
- init_labeled_script_domtrans($1, virtd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 virtd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, virtd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 virtd_initrc_exec_t system_r;
+ #allow $2 system_r;
fs_search_tmpfs($1)
admin_pattern($1, virt_tmpfs_type)
diff --git a/policy/modules/contrib/vnstatd.if b/policy/modules/contrib/vnstatd.if
index 137ac44..99bddf4 100644
--- a/policy/modules/contrib/vnstatd.if
+++ b/policy/modules/contrib/vnstatd.if
@@ -168,10 +168,10 @@ interface(`vnstatd_admin',`
allow $1 vnstatd_t:process { ptrace signal_perms };
ps_process_pattern($1, vnstatd_t)
- init_labeled_script_domtrans($1, vnstatd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 vnstatd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, vnstatd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 vnstatd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, vnstatd_var_run_t)
diff --git a/policy/modules/contrib/watchdog.if b/policy/modules/contrib/watchdog.if
index 6461a77..44a1a7c 100644
--- a/policy/modules/contrib/watchdog.if
+++ b/policy/modules/contrib/watchdog.if
@@ -26,10 +26,10 @@ interface(`watchdog_admin',`
allow $1 watchdog_t:process { ptrace signal_perms };
ps_process_pattern($1, watchdog_t)
- init_labeled_script_domtrans($1, watchdog_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 watchdog_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, watchdog_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 watchdog_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, watchdog_log_t)
diff --git a/policy/modules/contrib/wdmd.if b/policy/modules/contrib/wdmd.if
index 1e3aec0..553b69a 100644
--- a/policy/modules/contrib/wdmd.if
+++ b/policy/modules/contrib/wdmd.if
@@ -45,10 +45,10 @@ interface(`wdmd_admin',`
allow $1 wdmd_t:process { ptrace signal_perms };
ps_process_pattern($1, wdmd_t)
- init_labeled_script_domtrans($1, wdmd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 wdmd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, wdmd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 wdmd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, wdmd_var_run_t)
diff --git a/policy/modules/contrib/xfs.if b/policy/modules/contrib/xfs.if
index 4570b86..3318873 100644
--- a/policy/modules/contrib/xfs.if
+++ b/policy/modules/contrib/xfs.if
@@ -84,10 +84,10 @@ interface(`xfs_admin',`
allow $1 xfs_t:process { ptrace signal_perms };
ps_process_pattern($1, xfs_t)
- init_labeled_script_domtrans($1, xfs_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 xfs_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, xfs_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 xfs_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, xfs_var_run_t)
diff --git a/policy/modules/contrib/zabbix.if b/policy/modules/contrib/zabbix.if
index 29d87d7..0a75b8a 100644
--- a/policy/modules/contrib/zabbix.if
+++ b/policy/modules/contrib/zabbix.if
@@ -146,10 +146,10 @@ interface(`zabbix_admin',`
allow $1 { zabbix_t zabbix_agent_t }:process { ptrace signal_perms };
ps_process_pattern($1, { zabbix_t zabbix_agent_t })
- init_labeled_script_domtrans($1, { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t } system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t })
+ #domain_system_change_exemption($1)
+ #role_transition $2 { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t } system_r;
+ #allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, zabbix_log_t)
diff --git a/policy/modules/contrib/zarafa.if b/policy/modules/contrib/zarafa.if
index 83b4ca5..d2245ae 100644
--- a/policy/modules/contrib/zarafa.if
+++ b/policy/modules/contrib/zarafa.if
@@ -152,10 +152,10 @@ interface(`zarafa_admin',`
allow $1 zarafa_domain:process { ptrace signal_perms };
ps_process_pattern($1, zarafa_domain)
- init_labeled_script_domtrans($1, zarafa_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 zarafa_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, zarafa_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 zarafa_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, zarafa_etc_t)
diff --git a/policy/modules/contrib/zebra.if b/policy/modules/contrib/zebra.if
index 3416401..33aa2ed 100644
--- a/policy/modules/contrib/zebra.if
+++ b/policy/modules/contrib/zebra.if
@@ -69,10 +69,10 @@ interface(`zebra_admin',`
allow $1 zebra_t:process { ptrace signal_perms };
ps_process_pattern($1, zebra_t)
- init_labeled_script_domtrans($1, zebra_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 zebra_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, zebra_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 zebra_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, zebra_conf_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-05-11 22:10 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-05-11 22:10 UTC (permalink / raw
To: gentoo-commits
commit: 08afe9a2b7522cc45e95e24e02aa3349621eeca1
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon May 11 20:25:10 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon May 11 22:06:56 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=08afe9a2
remove initrc_exec_t transitions for sysadm from _admin interfaces
The _admin interfaces have a transition from sysadm_t to initrc_t.
These interfere with the run_init integration in openrc, so they need to
be removed.
policy/modules/contrib/abrt.if | 8 ++++----
policy/modules/contrib/acct.if | 8 ++++----
policy/modules/contrib/afs.if | 8 ++++----
policy/modules/contrib/aiccu.if | 8 ++++----
policy/modules/contrib/aisexec.if | 8 ++++----
policy/modules/contrib/amavis.if | 8 ++++----
policy/modules/contrib/amtu.if | 8 ++++----
policy/modules/contrib/apache.if | 8 ++++----
policy/modules/contrib/apcupsd.if | 8 ++++----
policy/modules/contrib/apm.if | 8 ++++----
policy/modules/contrib/arpwatch.if | 8 ++++----
policy/modules/contrib/asterisk.if | 8 ++++----
policy/modules/contrib/automount.if | 8 ++++----
policy/modules/contrib/avahi.if | 8 ++++----
policy/modules/contrib/bacula.if | 8 ++++----
policy/modules/contrib/bcfg2.if | 8 ++++----
policy/modules/contrib/bind.if | 8 ++++----
policy/modules/contrib/bird.if | 8 ++++----
policy/modules/contrib/bitcoin.if | 8 ++++----
policy/modules/contrib/bitlbee.if | 8 ++++----
policy/modules/contrib/bluetooth.if | 8 ++++----
policy/modules/contrib/boinc.if | 8 ++++----
policy/modules/contrib/cachefilesd.if | 8 ++++----
policy/modules/contrib/callweaver.if | 8 ++++----
policy/modules/contrib/canna.if | 8 ++++----
policy/modules/contrib/ccs.if | 8 ++++----
policy/modules/contrib/certmaster.if | 8 ++++----
policy/modules/contrib/certmonger.if | 8 ++++----
policy/modules/contrib/cfengine.if | 8 ++++----
policy/modules/contrib/cgroup.if | 10 +++++-----
policy/modules/contrib/chronyd.if | 8 ++++----
policy/modules/contrib/cipe.if | 8 ++++----
policy/modules/contrib/clamav.if | 8 ++++----
policy/modules/contrib/cmirrord.if | 8 ++++----
policy/modules/contrib/cobbler.if | 8 ++++----
policy/modules/contrib/collectd.if | 8 ++++----
policy/modules/contrib/condor.if | 8 ++++----
policy/modules/contrib/corosync.if | 8 ++++----
policy/modules/contrib/couchdb.if | 8 ++++----
policy/modules/contrib/ctdb.if | 8 ++++----
policy/modules/contrib/cups.if | 8 ++++----
policy/modules/contrib/cvs.if | 8 ++++----
policy/modules/contrib/cyphesis.if | 8 ++++----
policy/modules/contrib/cyrus.if | 8 ++++----
policy/modules/contrib/dante.if | 8 ++++----
policy/modules/contrib/ddclient.if | 8 ++++----
policy/modules/contrib/denyhosts.if | 8 ++++----
policy/modules/contrib/dhcp.if | 8 ++++----
policy/modules/contrib/dictd.if | 8 ++++----
policy/modules/contrib/dirmngr.if | 8 ++++----
policy/modules/contrib/distcc.if | 8 ++++----
policy/modules/contrib/dkim.if | 8 ++++----
policy/modules/contrib/dnsmasq.if | 8 ++++----
policy/modules/contrib/dnssectrigger.if | 8 ++++----
policy/modules/contrib/dovecot.if | 8 ++++----
policy/modules/contrib/drbd.if | 8 ++++----
policy/modules/contrib/dspam.if | 8 ++++----
policy/modules/contrib/entropyd.if | 8 ++++----
policy/modules/contrib/exim.if | 8 ++++----
policy/modules/contrib/fail2ban.if | 8 ++++----
policy/modules/contrib/fcoe.if | 8 ++++----
policy/modules/contrib/fetchmail.if | 8 ++++----
policy/modules/contrib/firewalld.if | 8 ++++----
policy/modules/contrib/ftp.if | 8 ++++----
policy/modules/contrib/gatekeeper.if | 8 ++++----
policy/modules/contrib/gdomap.if | 8 ++++----
policy/modules/contrib/glance.if | 8 ++++----
policy/modules/contrib/glusterfs.if | 8 ++++----
policy/modules/contrib/gpm.if | 8 ++++----
policy/modules/contrib/gpsd.if | 8 ++++----
policy/modules/contrib/hadoop.if | 8 ++++----
policy/modules/contrib/hddtemp.if | 8 ++++----
policy/modules/contrib/howl.if | 8 ++++----
policy/modules/contrib/hypervkvp.if | 8 ++++----
policy/modules/contrib/i18n_input.if | 8 ++++----
policy/modules/contrib/icecast.if | 8 ++++----
policy/modules/contrib/ifplugd.if | 8 ++++----
policy/modules/contrib/inn.if | 8 ++++----
policy/modules/contrib/iodine.if | 8 ++++----
policy/modules/contrib/ircd.if | 8 ++++----
policy/modules/contrib/irqbalance.if | 8 ++++----
policy/modules/contrib/iscsi.if | 8 ++++----
policy/modules/contrib/isns.if | 8 ++++----
policy/modules/contrib/jabber.if | 8 ++++----
policy/modules/contrib/kdump.if | 8 ++++----
policy/modules/contrib/kerberos.if | 8 ++++----
policy/modules/contrib/kerneloops.if | 8 ++++----
policy/modules/contrib/keystone.if | 8 ++++----
policy/modules/contrib/kismet.if | 8 ++++----
policy/modules/contrib/ksmtuned.if | 8 ++++----
policy/modules/contrib/kudzu.if | 8 ++++----
policy/modules/contrib/l2tp.if | 8 ++++----
policy/modules/contrib/ldap.if | 8 ++++----
policy/modules/contrib/likewise.if | 8 ++++----
policy/modules/contrib/lircd.if | 8 ++++----
policy/modules/contrib/lldpad.if | 8 ++++----
policy/modules/contrib/mailscanner.if | 8 ++++----
policy/modules/contrib/mcelog.if | 8 ++++----
policy/modules/contrib/memcached.if | 8 ++++----
policy/modules/contrib/minidlna.if | 8 ++++----
policy/modules/contrib/minissdpd.if | 8 ++++----
policy/modules/contrib/mongodb.if | 8 ++++----
policy/modules/contrib/monop.if | 8 ++++----
policy/modules/contrib/mpd.if | 8 ++++----
policy/modules/contrib/mrtg.if | 8 ++++----
policy/modules/contrib/munin.if | 8 ++++----
policy/modules/contrib/mysql.if | 8 ++++----
policy/modules/contrib/nagios.if | 8 ++++----
policy/modules/contrib/nessus.if | 8 ++++----
policy/modules/contrib/networkmanager.if | 8 ++++----
policy/modules/contrib/nis.if | 10 +++++-----
policy/modules/contrib/nscd.if | 8 ++++----
policy/modules/contrib/nsd.if | 8 ++++----
policy/modules/contrib/nslcd.if | 8 ++++----
policy/modules/contrib/ntop.if | 8 ++++----
policy/modules/contrib/ntp.if | 8 ++++----
policy/modules/contrib/numad.if | 8 ++++----
policy/modules/contrib/nut.if | 8 ++++----
policy/modules/contrib/oident.if | 8 ++++----
policy/modules/contrib/openct.if | 8 ++++----
policy/modules/contrib/openhpi.if | 8 ++++----
policy/modules/contrib/openvpn.if | 8 ++++----
policy/modules/contrib/openvswitch.if | 8 ++++----
policy/modules/contrib/pacemaker.if | 8 ++++----
policy/modules/contrib/pads.if | 8 ++++----
policy/modules/contrib/pcscd.if | 8 ++++----
policy/modules/contrib/pegasus.if | 8 ++++----
policy/modules/contrib/perdition.if | 8 ++++----
policy/modules/contrib/pingd.if | 8 ++++----
policy/modules/contrib/pkcs.if | 8 ++++----
policy/modules/contrib/polipo.if | 8 ++++----
policy/modules/contrib/portmap.if | 8 ++++----
policy/modules/contrib/portreserve.if | 8 ++++----
policy/modules/contrib/postfix.if | 8 ++++----
policy/modules/contrib/postfixpolicyd.if | 8 ++++----
policy/modules/contrib/postgrey.if | 8 ++++----
policy/modules/contrib/ppp.if | 8 ++++----
policy/modules/contrib/prelude.if | 8 ++++----
policy/modules/contrib/privoxy.if | 8 ++++----
policy/modules/contrib/psad.if | 8 ++++----
policy/modules/contrib/puppet.if | 8 ++++----
policy/modules/contrib/pxe.if | 8 ++++----
policy/modules/contrib/pyicqt.if | 8 ++++----
policy/modules/contrib/pyzor.if | 8 ++++----
policy/modules/contrib/qpid.if | 8 ++++----
policy/modules/contrib/quantum.if | 8 ++++----
policy/modules/contrib/quota.if | 8 ++++----
policy/modules/contrib/rabbitmq.if | 8 ++++----
policy/modules/contrib/radius.if | 8 ++++----
policy/modules/contrib/radvd.if | 8 ++++----
policy/modules/contrib/raid.if | 8 ++++----
policy/modules/contrib/redis.if | 8 ++++----
policy/modules/contrib/resmgr.if | 8 ++++----
policy/modules/contrib/rgmanager.if | 8 ++++----
policy/modules/contrib/rhcs.if | 8 ++++----
policy/modules/contrib/rhsmcertd.if | 8 ++++----
policy/modules/contrib/ricci.if | 8 ++++----
policy/modules/contrib/rngd.if | 8 ++++----
policy/modules/contrib/roundup.if | 8 ++++----
policy/modules/contrib/rpc.if | 8 ++++----
policy/modules/contrib/rpcbind.if | 8 ++++----
policy/modules/contrib/rpm.if | 8 ++++----
policy/modules/contrib/rtkit.if | 8 ++++----
policy/modules/contrib/rwho.if | 8 ++++----
policy/modules/contrib/salt.if | 16 ++++++++--------
policy/modules/contrib/samba.if | 8 ++++----
policy/modules/contrib/sanlock.if | 8 ++++----
policy/modules/contrib/sasl.if | 8 ++++----
policy/modules/contrib/sblim.if | 8 ++++----
policy/modules/contrib/sendmail.if | 6 +++---
policy/modules/contrib/sensord.if | 8 ++++----
policy/modules/contrib/shorewall.if | 8 ++++----
policy/modules/contrib/slpd.if | 8 ++++----
policy/modules/contrib/smartmon.if | 8 ++++----
policy/modules/contrib/smokeping.if | 8 ++++----
policy/modules/contrib/smstools.if | 8 ++++----
policy/modules/contrib/snmp.if | 8 ++++----
policy/modules/contrib/snort.if | 8 ++++----
policy/modules/contrib/soundserver.if | 8 ++++----
policy/modules/contrib/spamassassin.if | 8 ++++----
policy/modules/contrib/squid.if | 8 ++++----
policy/modules/contrib/sssd.if | 8 ++++----
policy/modules/contrib/svnserve.if | 8 ++++----
policy/modules/contrib/sysstat.if | 8 ++++----
policy/modules/contrib/systemtap.if | 8 ++++----
policy/modules/contrib/tcsd.if | 8 ++++----
policy/modules/contrib/tgtd.if | 8 ++++----
policy/modules/contrib/tor.if | 8 ++++----
policy/modules/contrib/transproxy.if | 8 ++++----
policy/modules/contrib/tuned.if | 8 ++++----
policy/modules/contrib/ulogd.if | 8 ++++----
policy/modules/contrib/uptime.if | 8 ++++----
policy/modules/contrib/uucp.if | 8 ++++----
policy/modules/contrib/uuidd.if | 8 ++++----
policy/modules/contrib/varnishd.if | 16 ++++++++--------
policy/modules/contrib/vdagent.if | 8 ++++----
policy/modules/contrib/vhostmd.if | 8 ++++----
policy/modules/contrib/virt.if | 8 ++++----
policy/modules/contrib/vnstatd.if | 8 ++++----
policy/modules/contrib/watchdog.if | 8 ++++----
policy/modules/contrib/wdmd.if | 8 ++++----
policy/modules/contrib/xfs.if | 8 ++++----
policy/modules/contrib/zabbix.if | 8 ++++----
policy/modules/contrib/zarafa.if | 8 ++++----
policy/modules/contrib/zebra.if | 8 ++++----
205 files changed, 829 insertions(+), 829 deletions(-)
diff --git a/policy/modules/contrib/abrt.if b/policy/modules/contrib/abrt.if
index 058d908..6195190 100644
--- a/policy/modules/contrib/abrt.if
+++ b/policy/modules/contrib/abrt.if
@@ -304,10 +304,10 @@ interface(`abrt_admin',`
allow $1 abrt_domain:process { ptrace signal_perms };
ps_process_pattern($1, abrt_domain)
- init_labeled_script_domtrans($1, abrt_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 abrt_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, abrt_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 abrt_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, abrt_etc_t)
diff --git a/policy/modules/contrib/acct.if b/policy/modules/contrib/acct.if
index 81280d0..a49181a 100644
--- a/policy/modules/contrib/acct.if
+++ b/policy/modules/contrib/acct.if
@@ -106,10 +106,10 @@ interface(`acct_admin',`
allow $1 acct_t:process { ptrace signal_perms };
ps_process_pattern($1, acct_t)
- init_labeled_script_domtrans($1, acct_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 acct_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, acct_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 acct_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, acct_data_t)
diff --git a/policy/modules/contrib/afs.if b/policy/modules/contrib/afs.if
index 3b41be6..04f8f03 100644
--- a/policy/modules/contrib/afs.if
+++ b/policy/modules/contrib/afs.if
@@ -103,10 +103,10 @@ interface(`afs_admin',`
allow $1 afs_domain:process { ptrace signal_perms };
ps_process_pattern($1, afs_domain)
- afs_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 afs_initrc_exec_t system_r;
- allow $2 system_r;
+ #afs_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 afs_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, afs_config_t)
diff --git a/policy/modules/contrib/aiccu.if b/policy/modules/contrib/aiccu.if
index 3b5dcb9..cd049ac 100644
--- a/policy/modules/contrib/aiccu.if
+++ b/policy/modules/contrib/aiccu.if
@@ -82,10 +82,10 @@ interface(`aiccu_admin',`
allow $1 aiccu_t:process { ptrace signal_perms };
ps_process_pattern($1, aiccu_t)
- aiccu_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 aiccu_initrc_exec_t system_r;
- allow $2 system_r;
+ #aiccu_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 aiccu_initrc_exec_t system_r;
+ #allow $2 system_r;
admin_pattern($1, aiccu_etc_t)
files_list_etc($1)
diff --git a/policy/modules/contrib/aisexec.if b/policy/modules/contrib/aisexec.if
index a2997fa..1bc0fcf 100644
--- a/policy/modules/contrib/aisexec.if
+++ b/policy/modules/contrib/aisexec.if
@@ -86,10 +86,10 @@ interface(`aisexecd_admin',`
allow $1 aisexec_t:process { ptrace signal_perms };
ps_process_pattern($1, aisexec_t)
- init_labeled_script_domtrans($1, aisexec_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 aisexec_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, aisexec_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 aisexec_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_var_lib($1)
admin_pattern($1, aisexec_var_lib_t)
diff --git a/policy/modules/contrib/amavis.if b/policy/modules/contrib/amavis.if
index 60d4f8c..9b6f2b2 100644
--- a/policy/modules/contrib/amavis.if
+++ b/policy/modules/contrib/amavis.if
@@ -237,10 +237,10 @@ interface(`amavis_admin',`
allow $1 amavis_t:process { ptrace signal_perms };
ps_process_pattern($1, amavis_t)
- amavis_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 amavis_initrc_exec_t system_r;
- allow $2 system_r;
+ #amavis_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 amavis_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, amavis_etc_t)
diff --git a/policy/modules/contrib/amtu.if b/policy/modules/contrib/amtu.if
index 884b23b..fa319c7 100644
--- a/policy/modules/contrib/amtu.if
+++ b/policy/modules/contrib/amtu.if
@@ -70,8 +70,8 @@ interface(`amtu_admin',`
allow $1 amtu_t:process { ptrace signal_perms };
ps_process_pattern($1, amtu_t)
- init_labeled_script_domtrans($1, amtu_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 amtu_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, amtu_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 amtu_initrc_exec_t system_r;
+ #allow $2 system_r;
')
diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if
index 717c6f7..b148da6 100644
--- a/policy/modules/contrib/apache.if
+++ b/policy/modules/contrib/apache.if
@@ -1318,10 +1318,10 @@ interface(`apache_admin',`
ps_process_pattern($1, { httpd_script_domains httpd_t httpd_helper_t })
ps_process_pattern($1, { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t })
- init_labeled_script_domtrans($1, httpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 httpd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, httpd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 httpd_initrc_exec_t system_r;
+ #allow $2 system_r;
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
diff --git a/policy/modules/contrib/apcupsd.if b/policy/modules/contrib/apcupsd.if
index f3c0aba..2e2b50c 100644
--- a/policy/modules/contrib/apcupsd.if
+++ b/policy/modules/contrib/apcupsd.if
@@ -149,10 +149,10 @@ interface(`apcupsd_admin',`
allow $1 apcupsd_t:process { ptrace signal_perms };
ps_process_pattern($1, apcupsd_t)
- apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 apcupsd_initrc_exec_t system_r;
- allow $2 system_r;
+ #apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 apcupsd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_var($1)
admin_pattern($1, apcupsd_lock_t)
diff --git a/policy/modules/contrib/apm.if b/policy/modules/contrib/apm.if
index 1a7a97e..f5219a2 100644
--- a/policy/modules/contrib/apm.if
+++ b/policy/modules/contrib/apm.if
@@ -166,10 +166,10 @@ interface(`apm_admin',`
allow $1 apmd_t:process { ptrace signal_perms };
ps_process_pattern($1, apmd_t)
- init_labeled_script_domtrans($1, apmd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 apmd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, apmd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 apmd_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, apmd_log_t)
diff --git a/policy/modules/contrib/arpwatch.if b/policy/modules/contrib/arpwatch.if
index 50c9b9c..7296bdf 100644
--- a/policy/modules/contrib/arpwatch.if
+++ b/policy/modules/contrib/arpwatch.if
@@ -143,10 +143,10 @@ interface(`arpwatch_admin',`
allow $1 arpwatch_t:process { ptrace signal_perms };
ps_process_pattern($1, arpwatch_t)
- arpwatch_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 arpwatch_initrc_exec_t system_r;
- allow $2 system_r;
+ #arpwatch_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 arpwatch_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, arpwatch_tmp_t)
diff --git a/policy/modules/contrib/asterisk.if b/policy/modules/contrib/asterisk.if
index 2077053..46ef939 100644
--- a/policy/modules/contrib/asterisk.if
+++ b/policy/modules/contrib/asterisk.if
@@ -127,10 +127,10 @@ interface(`asterisk_admin',`
allow $1 asterisk_t:process { ptrace signal_perms };
ps_process_pattern($1, asterisk_t)
- init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 asterisk_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 asterisk_initrc_exec_t system_r;
+ #allow $2 system_r;
asterisk_exec($1)
diff --git a/policy/modules/contrib/automount.if b/policy/modules/contrib/automount.if
index f24e369..82c1ea5 100644
--- a/policy/modules/contrib/automount.if
+++ b/policy/modules/contrib/automount.if
@@ -159,10 +159,10 @@ interface(`automount_admin',`
allow $1 automount_t:process { ptrace signal_perms };
ps_process_pattern($1, automount_t)
- init_labeled_script_domtrans($1, automount_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 automount_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, automount_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 automount_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, automount_keytab_t)
diff --git a/policy/modules/contrib/avahi.if b/policy/modules/contrib/avahi.if
index 9078c3d..b490161 100644
--- a/policy/modules/contrib/avahi.if
+++ b/policy/modules/contrib/avahi.if
@@ -264,10 +264,10 @@ interface(`avahi_admin',`
allow $1 avahi_t:process { ptrace signal_perms };
ps_process_pattern($1, avahi_t)
- avahi_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 avahi_initrc_exec_t system_r;
- allow $2 system_r;
+ #avahi_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 avahi_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, avahi_var_run_t)
diff --git a/policy/modules/contrib/bacula.if b/policy/modules/contrib/bacula.if
index dcd774e..fdfef80 100644
--- a/policy/modules/contrib/bacula.if
+++ b/policy/modules/contrib/bacula.if
@@ -74,10 +74,10 @@ interface(`bacula_admin',`
allow $1 bacula_t:process { ptrace signal_perms };
ps_process_pattern($1, bacula_t)
- init_labeled_script_domtrans($1, bacula_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 bacula_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, bacula_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 bacula_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, bacula_etc_t)
diff --git a/policy/modules/contrib/bcfg2.if b/policy/modules/contrib/bcfg2.if
index ec95d36..311ab75 100644
--- a/policy/modules/contrib/bcfg2.if
+++ b/policy/modules/contrib/bcfg2.if
@@ -141,10 +141,10 @@ interface(`bcfg2_admin',`
allow $1 bcfg2_t:process { ptrace signal_perms };
ps_process_pattern($1, bcfg2_t)
- bcfg2_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 bcfg2_initrc_exec_t system_r;
- allow $2 system_r;
+ #bcfg2_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 bcfg2_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, bcfg2_var_run_t)
diff --git a/policy/modules/contrib/bind.if b/policy/modules/contrib/bind.if
index 531a8f2..835b9c0 100644
--- a/policy/modules/contrib/bind.if
+++ b/policy/modules/contrib/bind.if
@@ -370,10 +370,10 @@ interface(`bind_admin',`
allow $1 { named_t ndc_t }:process { ptrace signal_perms };
ps_process_pattern($1, { named_t ndc_t })
- init_labeled_script_domtrans($1, named_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 named_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, named_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 named_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, named_tmp_t)
diff --git a/policy/modules/contrib/bird.if b/policy/modules/contrib/bird.if
index 85c035f..01278df 100644
--- a/policy/modules/contrib/bird.if
+++ b/policy/modules/contrib/bird.if
@@ -26,10 +26,10 @@ interface(`bird_admin',`
allow $1 bird_t:process { ptrace signal_perms };
ps_process_pattern($1, bird_t)
- init_labeled_script_domtrans($1, bird_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 bird_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, bird_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 bird_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, bird_etc_t)
diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if
index 922bc7c..a6d9018 100644
--- a/policy/modules/contrib/bitcoin.if
+++ b/policy/modules/contrib/bitcoin.if
@@ -26,10 +26,10 @@ interface(`bitcoin_admin',`
allow $1 bitcoin_t:process { ptrace signal_perms };
ps_process_pattern($1, bitcoin_t)
- init_labeled_script_domtrans($1, bitcoin_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 bitcoin_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, bitcoin_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 bitcoin_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, bitcoin_tmp_t)
diff --git a/policy/modules/contrib/bitlbee.if b/policy/modules/contrib/bitlbee.if
index e73fb79..bc326c9 100644
--- a/policy/modules/contrib/bitlbee.if
+++ b/policy/modules/contrib/bitlbee.if
@@ -47,10 +47,10 @@ interface(`bitlbee_admin',`
allow $1 bitlbee_t:process { ptrace signal_perms };
ps_process_pattern($1, bitlbee_t)
- init_labeled_script_domtrans($1, bitlbee_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 bitlbee_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, bitlbee_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 bitlbee_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, bitlbee_conf_t)
diff --git a/policy/modules/contrib/bluetooth.if b/policy/modules/contrib/bluetooth.if
index c723a0a..8e2eff5 100644
--- a/policy/modules/contrib/bluetooth.if
+++ b/policy/modules/contrib/bluetooth.if
@@ -216,10 +216,10 @@ interface(`bluetooth_admin',`
allow $1 bluetooth_t:process { ptrace signal_perms };
ps_process_pattern($1, bluetooth_t)
- init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 bluetooth_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 bluetooth_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, bluetooth_tmp_t)
diff --git a/policy/modules/contrib/boinc.if b/policy/modules/contrib/boinc.if
index 02fefaa..3a66e75 100644
--- a/policy/modules/contrib/boinc.if
+++ b/policy/modules/contrib/boinc.if
@@ -28,10 +28,10 @@ interface(`boinc_admin',`
allow $1 { boinc_t boinc_project_t }:process { ptrace signal_perms };
ps_process_pattern($1, { boinc_t boinc_project_t })
- init_labeled_script_domtrans($1, boinc_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 boinc_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, boinc_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 boinc_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, boinc_log_t)
diff --git a/policy/modules/contrib/cachefilesd.if b/policy/modules/contrib/cachefilesd.if
index 8de2ab9..4c68242 100644
--- a/policy/modules/contrib/cachefilesd.if
+++ b/policy/modules/contrib/cachefilesd.if
@@ -26,10 +26,10 @@ interface(`cachefilesd_admin',`
allow $1 cachefilesd_t:process { ptrace signal_perms };
ps_process_pattern($1, cachefilesd_t)
- init_labeled_script_domtrans($1, cachefilesd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cachefilesd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, cachefilesd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 cachefilesd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var($1)
admin_pattern($1, cachefilesd_cache_t)
diff --git a/policy/modules/contrib/callweaver.if b/policy/modules/contrib/callweaver.if
index 16f1855..ad4dee3 100644
--- a/policy/modules/contrib/callweaver.if
+++ b/policy/modules/contrib/callweaver.if
@@ -65,10 +65,10 @@ interface(`callweaver_admin',`
allow $1 callweaver_t:process { ptrace signal_perms };
ps_process_pattern($1, callweaver_t)
- init_labeled_script_domtrans($1, callweaver_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 callweaver_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, callweaver_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 callweaver_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, callweaver_log_t)
diff --git a/policy/modules/contrib/canna.if b/policy/modules/contrib/canna.if
index 400db07..98a34d7 100644
--- a/policy/modules/contrib/canna.if
+++ b/policy/modules/contrib/canna.if
@@ -46,10 +46,10 @@ interface(`canna_admin',`
allow $1 canna_t:process { ptrace signal_perms };
ps_process_pattern($1, canna_t)
- init_labeled_script_domtrans($1, canna_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 canna_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, canna_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 canna_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, canna_log_t)
diff --git a/policy/modules/contrib/ccs.if b/policy/modules/contrib/ccs.if
index bb17e0f..80ef99e 100644
--- a/policy/modules/contrib/ccs.if
+++ b/policy/modules/contrib/ccs.if
@@ -105,10 +105,10 @@ interface(`ccs_admin',`
allow $1 ccs_t:process { ptrace signal_perms };
ps_process_pattern($1, ccs_t)
- init_labeled_script_domtrans($1, ccs_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ccs_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ccs_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ccs_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, ccs_conf_t)
diff --git a/policy/modules/contrib/certmaster.if b/policy/modules/contrib/certmaster.if
index 0c53b18..ad86de9 100644
--- a/policy/modules/contrib/certmaster.if
+++ b/policy/modules/contrib/certmaster.if
@@ -124,10 +124,10 @@ interface(`certmaster_admin',`
allow $1 certmaster_t:process { ptrace signal_perms };
ps_process_pattern($1, certmaster_t)
- init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 certmaster_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 certmaster_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
miscfiles_manage_generic_cert_dirs($1)
diff --git a/policy/modules/contrib/certmonger.if b/policy/modules/contrib/certmonger.if
index 008f8ef..bed2a59 100644
--- a/policy/modules/contrib/certmonger.if
+++ b/policy/modules/contrib/certmonger.if
@@ -162,10 +162,10 @@ interface(`certmonger_admin',`
ps_process_pattern($1, certmonger_t)
allow $1 certmonger_t:process { ptrace signal_perms };
- certmonger_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 certmonger_initrc_exec_t system_r;
- allow $2 system_r;
+ #certmonger_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 certmonger_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, certmonger_var_lib_t)
diff --git a/policy/modules/contrib/cfengine.if b/policy/modules/contrib/cfengine.if
index a731122..d47ea2a 100644
--- a/policy/modules/contrib/cfengine.if
+++ b/policy/modules/contrib/cfengine.if
@@ -97,10 +97,10 @@ interface(`cfengine_admin',`
allow $1 cfengine_domain:process { ptrace signal_perms };
ps_process_pattern($1, cfengine_domain)
- init_labeled_script_domtrans($1, cfengine_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cfengine_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, cfengine_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 cfengine_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, { cfengine_log_t cfengine_var_lib_t })
diff --git a/policy/modules/contrib/cgroup.if b/policy/modules/contrib/cgroup.if
index 85ca63f..c136d2f 100644
--- a/policy/modules/contrib/cgroup.if
+++ b/policy/modules/contrib/cgroup.if
@@ -180,11 +180,11 @@ interface(`cgroup_admin',`
admin_pattern($1, cgred_var_run_t)
files_list_pids($1)
- cgroup_initrc_domtrans_cgconfig($1)
- cgroup_initrc_domtrans_cgred($1)
- domain_system_change_exemption($1)
- role_transition $2 { cgconfig_initrc_exec_t cgred_initrc_exec_t } system_r;
- allow $2 system_r;
+ #cgroup_initrc_domtrans_cgconfig($1)
+ #cgroup_initrc_domtrans_cgred($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 { cgconfig_initrc_exec_t cgred_initrc_exec_t } system_r;
+ #allow $2 system_r;
cgroup_run_cgclear($1, $2)
')
diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if
index 32e8265..f504b7b 100644
--- a/policy/modules/contrib/chronyd.if
+++ b/policy/modules/contrib/chronyd.if
@@ -184,10 +184,10 @@ interface(`chronyd_admin',`
allow $1 chronyd_t:process { ptrace signal_perms };
ps_process_pattern($1, chronyd_t)
- chronyd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 chronyd_initrc_exec_t system_r;
- allow $2 system_r;
+ #chronyd_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 chronyd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, chronyd_keys_t)
diff --git a/policy/modules/contrib/cipe.if b/policy/modules/contrib/cipe.if
index 5fb51b2..11ff777 100644
--- a/policy/modules/contrib/cipe.if
+++ b/policy/modules/contrib/cipe.if
@@ -25,8 +25,8 @@ interface(`cipe_admin',`
allow $1 ciped_t:process { ptrace signal_perms };
ps_process_pattern($1, ciped_t)
- init_labeled_script_domtrans($1, ciped_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ciped_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ciped_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ciped_initrc_exec_t system_r;
+ #allow $2 system_r;
')
diff --git a/policy/modules/contrib/clamav.if b/policy/modules/contrib/clamav.if
index 4cc4a5c..e194bb7 100644
--- a/policy/modules/contrib/clamav.if
+++ b/policy/modules/contrib/clamav.if
@@ -205,10 +205,10 @@ interface(`clamav_admin',`
allow $1 { clamd_t clamscan_t freshclam_t }:process { ptrace signal_perms };
ps_process_pattern($1, { clamd_t clamscan_t freshclam_t })
- init_labeled_script_domtrans($1, clamd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 clamd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, clamd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 clamd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, clamd_etc_t)
diff --git a/policy/modules/contrib/cmirrord.if b/policy/modules/contrib/cmirrord.if
index cc4e7cb..242bbc3 100644
--- a/policy/modules/contrib/cmirrord.if
+++ b/policy/modules/contrib/cmirrord.if
@@ -106,10 +106,10 @@ interface(`cmirrord_admin',`
allow $1 cmirrord_t:process { ptrace signal_perms };
ps_process_pattern($1, cmirrord_t)
- cmirrord_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 cmirrord_initrc_exec_t system_r;
- allow $2 system_r;
+ #cmirrord_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 cmirrord_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_pids($1)
admin_pattern($1, cmirrord_var_run_t)
diff --git a/policy/modules/contrib/cobbler.if b/policy/modules/contrib/cobbler.if
index c223f81..8392d01 100644
--- a/policy/modules/contrib/cobbler.if
+++ b/policy/modules/contrib/cobbler.if
@@ -183,10 +183,10 @@ interface(`cobbler_admin',`
allow $1 cobblerd_t:process { ptrace signal_perms };
ps_process_pattern($1, cobblerd_t)
- cobblerd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 cobblerd_initrc_exec_t system_r;
- allow $2 system_r;
+ #cobblerd_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 cobblerd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, cobbler_etc_t)
diff --git a/policy/modules/contrib/collectd.if b/policy/modules/contrib/collectd.if
index 954309e..9bb2db5 100644
--- a/policy/modules/contrib/collectd.if
+++ b/policy/modules/contrib/collectd.if
@@ -26,10 +26,10 @@ interface(`collectd_admin',`
allow $1 collectd_t:process { ptrace signal_perms };
ps_process_pattern($1, collectd_t)
- init_labeled_script_domtrans($1, collectd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 collectd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, collectd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 collectd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, collectd_var_run_t)
diff --git a/policy/modules/contrib/condor.if b/policy/modules/contrib/condor.if
index c80aaf5..b350506 100644
--- a/policy/modules/contrib/condor.if
+++ b/policy/modules/contrib/condor.if
@@ -66,10 +66,10 @@ interface(`condor_admin',`
allow $1 condor_domain:process { ptrace signal_perms };
ps_process_pattern($1, condor_domain)
- init_labeled_script_domtrans($1, condor_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 condor_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, condor_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 condor_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, condor_conf_t)
diff --git a/policy/modules/contrib/corosync.if b/policy/modules/contrib/corosync.if
index 694a037..2e5c8e0 100644
--- a/policy/modules/contrib/corosync.if
+++ b/policy/modules/contrib/corosync.if
@@ -165,10 +165,10 @@ interface(`corosync_admin',`
allow $1 corosync_t:process { ptrace signal_perms };
ps_process_pattern($1, corosync_t)
- corosync_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 corosync_initrc_exec_t system_r;
- allow $2 system_r;
+ #corosync_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 corosync_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, corosync_tmp_t)
diff --git a/policy/modules/contrib/couchdb.if b/policy/modules/contrib/couchdb.if
index 715a826..654e58a 100644
--- a/policy/modules/contrib/couchdb.if
+++ b/policy/modules/contrib/couchdb.if
@@ -103,10 +103,10 @@ interface(`couchdb_admin',`
allow $1 couchdb_t:process { ptrace signal_perms };
ps_process_pattern($1, couchdb_t)
- init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 couchdb_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 couchdb_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, couchdb_conf_t)
diff --git a/policy/modules/contrib/ctdb.if b/policy/modules/contrib/ctdb.if
index b25b01d..bb9daea 100644
--- a/policy/modules/contrib/ctdb.if
+++ b/policy/modules/contrib/ctdb.if
@@ -66,10 +66,10 @@ interface(`ctdb_admin',`
allow $1 ctdbd_t:process { ptrace signal_perms };
ps_process_pattern($1, ctdbd_t)
- init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ctdbd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ctdbd_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, ctdbd_log_t)
diff --git a/policy/modules/contrib/cups.if b/policy/modules/contrib/cups.if
index 3023be7..f5e5fcb 100644
--- a/policy/modules/contrib/cups.if
+++ b/policy/modules/contrib/cups.if
@@ -357,10 +357,10 @@ interface(`cups_admin',`
ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t })
ps_process_pattern($1, { cups_pdf_t hplip_t ptal_t })
- init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cupsd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 cupsd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, { cupsd_etc_t cupsd_rw_etc_t ptal_etc_t })
diff --git a/policy/modules/contrib/cvs.if b/policy/modules/contrib/cvs.if
index 64775fd..276840c 100644
--- a/policy/modules/contrib/cvs.if
+++ b/policy/modules/contrib/cvs.if
@@ -65,10 +65,10 @@ interface(`cvs_admin',`
allow $1 cvs_t:process { ptrace signal_perms };
ps_process_pattern($1, cvs_t)
- init_labeled_script_domtrans($1, cvs_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cvs_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, cvs_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 cvs_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, cvs_keytab_t)
diff --git a/policy/modules/contrib/cyphesis.if b/policy/modules/contrib/cyphesis.if
index df8aa4a..86c1316 100644
--- a/policy/modules/contrib/cyphesis.if
+++ b/policy/modules/contrib/cyphesis.if
@@ -45,10 +45,10 @@ interface(`cyphesis_admin',`
allow $1 cyphesis_t:process { ptrace signal_perms };
ps_process_pattern($1, cyphesis_t)
- init_labeled_script_domtrans($1, cyphesis_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cyphesis_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, cyphesis_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 cyphesis_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, cyphesis_log_t)
diff --git a/policy/modules/contrib/cyrus.if b/policy/modules/contrib/cyrus.if
index 83bfda6..069eec7 100644
--- a/policy/modules/contrib/cyrus.if
+++ b/policy/modules/contrib/cyrus.if
@@ -67,10 +67,10 @@ interface(`cyrus_admin',`
allow $1 cyrus_t:process { ptrace signal_perms };
ps_process_pattern($1, cyrus_t)
- init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cyrus_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 cyrus_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, cyrus_keytab_t)
diff --git a/policy/modules/contrib/dante.if b/policy/modules/contrib/dante.if
index e709177..8e26fd8 100644
--- a/policy/modules/contrib/dante.if
+++ b/policy/modules/contrib/dante.if
@@ -26,10 +26,10 @@ interface(`dante_admin',`
allow $1 dante_t:process { ptrace signal_perms };
ps_process_pattern($1, dante_t)
- init_labeled_script_domtrans($1, dante_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dante_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, dante_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 dante_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, dante_conf_t)
diff --git a/policy/modules/contrib/ddclient.if b/policy/modules/contrib/ddclient.if
index 5606b40..790ed46 100644
--- a/policy/modules/contrib/ddclient.if
+++ b/policy/modules/contrib/ddclient.if
@@ -73,10 +73,10 @@ interface(`ddclient_admin',`
allow $1 ddclient_t:process { ptrace signal_perms };
ps_process_pattern($1, ddclient_t)
- init_labeled_script_domtrans($1, ddclient_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ddclient_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ddclient_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ddclient_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, ddclient_etc_t)
diff --git a/policy/modules/contrib/denyhosts.if b/policy/modules/contrib/denyhosts.if
index a7326da..ee887da 100644
--- a/policy/modules/contrib/denyhosts.if
+++ b/policy/modules/contrib/denyhosts.if
@@ -63,10 +63,10 @@ interface(`denyhosts_admin',`
allow $1 denyhosts_t:process { ptrace signal_perms };
ps_process_pattern($1, denyhosts_t)
- denyhosts_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 denyhosts_initrc_exec_t system_r;
- allow $2 system_r;
+ #denyhosts_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 denyhosts_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, denyhosts_var_lib_t)
diff --git a/policy/modules/contrib/dhcp.if b/policy/modules/contrib/dhcp.if
index c697edb..fe3f70a 100644
--- a/policy/modules/contrib/dhcp.if
+++ b/policy/modules/contrib/dhcp.if
@@ -84,10 +84,10 @@ interface(`dhcpd_admin',`
allow $1 dhcpd_t:process { ptrace signal_perms };
ps_process_pattern($1, dhcpd_t)
- init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dhcpd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 dhcpd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, dhcpd_tmp_t)
diff --git a/policy/modules/contrib/dictd.if b/policy/modules/contrib/dictd.if
index 3cc3494..5946e57 100644
--- a/policy/modules/contrib/dictd.if
+++ b/policy/modules/contrib/dictd.if
@@ -41,10 +41,10 @@ interface(`dictd_admin',`
allow $1 dictd_t:process { ptrace signal_perms };
ps_process_pattern($1, dictd_t)
- init_labeled_script_domtrans($1, dictd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dictd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, dictd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 dictd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, dictd_etc_t)
diff --git a/policy/modules/contrib/dirmngr.if b/policy/modules/contrib/dirmngr.if
index e5f6733..e41f285 100644
--- a/policy/modules/contrib/dirmngr.if
+++ b/policy/modules/contrib/dirmngr.if
@@ -26,10 +26,10 @@ interface(`dirmngr_admin',`
allow $1 dirmngr_t:process { ptrace signal_perms };
ps_process_pattern($1, dirmngr_t)
- init_labeled_script_domtrans($1, dirmngr_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dirmngr_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, dirmngr_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 dirmngr_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, dirmngr_conf_t)
diff --git a/policy/modules/contrib/distcc.if b/policy/modules/contrib/distcc.if
index 473823d..28a4164 100644
--- a/policy/modules/contrib/distcc.if
+++ b/policy/modules/contrib/distcc.if
@@ -26,10 +26,10 @@ interface(`distcc_admin',`
allow $1 distccd_t:process { ptrace signal_perms };
ps_process_pattern($1, distccd_t)
- init_labeled_script_domtrans($1, distccd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 distccd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, distccd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 distccd_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, distccd_log_t)
diff --git a/policy/modules/contrib/dkim.if b/policy/modules/contrib/dkim.if
index 386e494..7999295 100644
--- a/policy/modules/contrib/dkim.if
+++ b/policy/modules/contrib/dkim.if
@@ -26,10 +26,10 @@ interface(`dkim_admin',`
allow $1 dkim_milter_t:process { ptrace signal_perms };
ps_process_pattern($1, dkim_milter_t)
- init_labeled_script_domtrans($1, dkim_milter_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dkim_milter_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, dkim_milter_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 dkim_milter_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, dkim_milter_private_key_t)
diff --git a/policy/modules/contrib/dnsmasq.if b/policy/modules/contrib/dnsmasq.if
index 62e4948..0ea06df 100644
--- a/policy/modules/contrib/dnsmasq.if
+++ b/policy/modules/contrib/dnsmasq.if
@@ -273,10 +273,10 @@ interface(`dnsmasq_admin',`
allow $1 dnsmasq_t:process { ptrace signal_perms };
ps_process_pattern($1, dnsmasq_t)
- init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dnsmasq_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 dnsmasq_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_var_lib($1)
admin_pattern($1, dnsmasq_lease_t)
diff --git a/policy/modules/contrib/dnssectrigger.if b/policy/modules/contrib/dnssectrigger.if
index 456da5c..2e1bd25 100644
--- a/policy/modules/contrib/dnssectrigger.if
+++ b/policy/modules/contrib/dnssectrigger.if
@@ -26,10 +26,10 @@ interface(`dnssectrigger_admin',`
allow $1 dnssec_triggerd_t:process { ptrace signal_perms };
ps_process_pattern($1, dnssec_triggerd_t)
- init_labeled_script_domtrans($1, dnssec_triggerd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dnssec_triggerd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, dnssec_triggerd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 dnssec_triggerd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, dnssec_trigger_conf_t)
diff --git a/policy/modules/contrib/dovecot.if b/policy/modules/contrib/dovecot.if
index d5badb7..294d61e 100644
--- a/policy/modules/contrib/dovecot.if
+++ b/policy/modules/contrib/dovecot.if
@@ -149,10 +149,10 @@ interface(`dovecot_admin',`
allow $1 dovecot_t:process { ptrace signal_perms };
ps_process_pattern($1, dovecot_t)
- init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dovecot_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 dovecot_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, { dovecot_keytab_t dovecot_etc_t })
diff --git a/policy/modules/contrib/drbd.if b/policy/modules/contrib/drbd.if
index 9a21639..18dbd73 100644
--- a/policy/modules/contrib/drbd.if
+++ b/policy/modules/contrib/drbd.if
@@ -46,10 +46,10 @@ interface(`drbd_admin',`
allow $1 drbd_t:process { ptrace signal_perms };
ps_process_pattern($1, drbd_t)
- init_labeled_script_domtrans($1, drbd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 drbd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, drbd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 drbd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_locks($1)
admin_pattern($1, drbd_lock_t)
diff --git a/policy/modules/contrib/dspam.if b/policy/modules/contrib/dspam.if
index 18f2452..b16cb67 100644
--- a/policy/modules/contrib/dspam.if
+++ b/policy/modules/contrib/dspam.if
@@ -66,10 +66,10 @@ interface(`dspam_admin',`
allow $1 dspam_t:process { ptrace signal_perms };
ps_process_pattern($1, dspam_t)
- init_labeled_script_domtrans($1, dspam_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dspam_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, dspam_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 dspam_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, dspam_log_t)
diff --git a/policy/modules/contrib/entropyd.if b/policy/modules/contrib/entropyd.if
index 1161fbf..1fc147c 100644
--- a/policy/modules/contrib/entropyd.if
+++ b/policy/modules/contrib/entropyd.if
@@ -25,10 +25,10 @@ interface(`entropyd_admin',`
allow $1 entropyd_t:process { ptrace signal_perms };
ps_process_pattern($1, entropyd_t)
- init_labeled_script_domtrans($1, entropyd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 entropyd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, entropyd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 entropyd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, entropyd_var_run_t)
diff --git a/policy/modules/contrib/exim.if b/policy/modules/contrib/exim.if
index 9bbc690..16d2922 100644
--- a/policy/modules/contrib/exim.if
+++ b/policy/modules/contrib/exim.if
@@ -288,10 +288,10 @@ interface(`exim_admin',`
allow $1 exim_t:process { ptrace signal_perms };
ps_process_pattern($1, exim_t)
- init_labeled_script_domtrans($1, exim_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 exim_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, exim_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 exim_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, exim_keytab_t)
diff --git a/policy/modules/contrib/fail2ban.if b/policy/modules/contrib/fail2ban.if
index 50d0084..0d23647 100644
--- a/policy/modules/contrib/fail2ban.if
+++ b/policy/modules/contrib/fail2ban.if
@@ -266,10 +266,10 @@ interface(`fail2ban_admin',`
allow $1 { fail2ban_t fail2ban_client_t }:process { ptrace signal_perms };
ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
- init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 fail2ban_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 fail2ban_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, fail2ban_log_t)
diff --git a/policy/modules/contrib/fcoe.if b/policy/modules/contrib/fcoe.if
index c3484a9..e8b2446 100644
--- a/policy/modules/contrib/fcoe.if
+++ b/policy/modules/contrib/fcoe.if
@@ -44,10 +44,10 @@ interface(`fcoe_admin',`
allow $1 fcoemon_t:process { ptrace signal_perms };
ps_process_pattern($1, fcoemon_t)
- init_labeled_script_domtrans($1, fcoemon_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 fcoemon_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, fcoemon_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 fcoemon_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, fcoemon_var_run_t)
diff --git a/policy/modules/contrib/fetchmail.if b/policy/modules/contrib/fetchmail.if
index c3f7916..8823986 100644
--- a/policy/modules/contrib/fetchmail.if
+++ b/policy/modules/contrib/fetchmail.if
@@ -23,10 +23,10 @@ interface(`fetchmail_admin',`
type fetchmail_var_run_t, fetchmail_initrc_exec_t, fetchmail_log_t;
')
- init_labeled_script_domtrans($1, fetchmail_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 fetchmail_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, fetchmail_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 fetchmail_initrc_exec_t system_r;
+ #allow $2 system_r;
allow $1 fetchmail_t:process { ptrace signal_perms };
ps_process_pattern($1, fetchmail_t)
diff --git a/policy/modules/contrib/firewalld.if b/policy/modules/contrib/firewalld.if
index c62c567..cbe9016 100644
--- a/policy/modules/contrib/firewalld.if
+++ b/policy/modules/contrib/firewalld.if
@@ -86,10 +86,10 @@ interface(`firewalld_admin',`
allow $1 firewalld_t:process { ptrace signal_perms };
ps_process_pattern($1, firewalld_t)
- init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 firewalld_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 firewalld_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, firewalld_var_run_t)
diff --git a/policy/modules/contrib/ftp.if b/policy/modules/contrib/ftp.if
index 65adda9..5d7a53f 100644
--- a/policy/modules/contrib/ftp.if
+++ b/policy/modules/contrib/ftp.if
@@ -182,10 +182,10 @@ interface(`ftp_admin',`
allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }:process { ptrace signal_perms };
ps_process_pattern($1, { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t })
- init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ftpd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ftpd_initrc_exec_t system_r;
+ #allow $2 system_r;
miscfiles_manage_public_files($1)
diff --git a/policy/modules/contrib/gatekeeper.if b/policy/modules/contrib/gatekeeper.if
index 30926d7..879de37 100644
--- a/policy/modules/contrib/gatekeeper.if
+++ b/policy/modules/contrib/gatekeeper.if
@@ -26,10 +26,10 @@ interface(`gatekeeper_admin',`
allow $1 gatekeeper_t:process { ptrace signal_perms };
ps_process_pattern($1, gatekeeper_t)
- init_labeled_script_domtrans($1, gatekeeper_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 gatekeeper_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, gatekeeper_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 gatekeeper_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, gatekeeper_etc_t)
diff --git a/policy/modules/contrib/gdomap.if b/policy/modules/contrib/gdomap.if
index 7d6b6b7..b4ebe6c 100644
--- a/policy/modules/contrib/gdomap.if
+++ b/policy/modules/contrib/gdomap.if
@@ -45,10 +45,10 @@ interface(`gdomap_admin',`
allow $1 gdomap_t:process { ptrace signal_perms };
ps_process_pattern($1, gdomap_t)
- init_labeled_script_domtrans($1, gdomap_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 gdomap_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, gdomap_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 gdomap_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, gdomap_conf_t)
diff --git a/policy/modules/contrib/glance.if b/policy/modules/contrib/glance.if
index 9eacb2c..6966abb 100644
--- a/policy/modules/contrib/glance.if
+++ b/policy/modules/contrib/glance.if
@@ -245,10 +245,10 @@ interface(`glance_admin',`
allow $1 { glance_api_t glance_registry_t }:process signal_perms;
ps_process_pattern($1, { glance_api_t glance_registry_t })
- init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { glance_api_initrc_exec_t glance_registry_initrc_exec_t } system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
+ #domain_system_change_exemption($1)
+ #role_transition $2 { glance_api_initrc_exec_t glance_registry_initrc_exec_t } system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, glance_log_t)
diff --git a/policy/modules/contrib/glusterfs.if b/policy/modules/contrib/glusterfs.if
index 05233c8..c121fda 100644
--- a/policy/modules/contrib/glusterfs.if
+++ b/policy/modules/contrib/glusterfs.if
@@ -46,10 +46,10 @@ interface(`glusterfs_admin',`
type glusterd_var_run_t;
')
- init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 glusterd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 glusterd_initrc_exec_t system_r;
+ #allow $2 system_r;
allow $1 glusterd_t:process { ptrace signal_perms };
ps_process_pattern($1, glusterd_t)
diff --git a/policy/modules/contrib/gpm.if b/policy/modules/contrib/gpm.if
index f1528c9..65818dc 100644
--- a/policy/modules/contrib/gpm.if
+++ b/policy/modules/contrib/gpm.if
@@ -106,10 +106,10 @@ interface(`gpm_admin',`
allow $1 gpm_t:process { ptrace signal_perms };
ps_process_pattern($1, gpm_t)
- init_labeled_script_domtrans($1, gpm_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 gpm_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, gpm_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 gpm_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, gpm_conf_t)
diff --git a/policy/modules/contrib/gpsd.if b/policy/modules/contrib/gpsd.if
index 92eb564..6d077a4 100644
--- a/policy/modules/contrib/gpsd.if
+++ b/policy/modules/contrib/gpsd.if
@@ -91,10 +91,10 @@ interface(`gpsd_admin',`
allow $1 gpsd_t:process { ptrace signal_perms };
ps_process_pattern($1, gpsd_t)
- init_labeled_script_domtrans($1, gpsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 gpsd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, gpsd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 gpsd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, gpsd_var_run_t)
diff --git a/policy/modules/contrib/hadoop.if b/policy/modules/contrib/hadoop.if
index 2b0d488..48f93d3 100644
--- a/policy/modules/contrib/hadoop.if
+++ b/policy/modules/contrib/hadoop.if
@@ -441,10 +441,10 @@ interface(`hadoop_admin',`
allow $1 { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t }:process { ptrace signal_perms };
ps_process_pattern($1, { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t })
- init_labeled_script_domtrans($1, hadoop_init_script_file)
- domain_system_change_exemption($1)
- role_transition $2 hadoop_init_script_file system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, hadoop_init_script_file)
+ #domain_system_change_exemption($1)
+ #role_transition $2 hadoop_init_script_file system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, { hadoop_etc_t zookeeper_etc_t })
diff --git a/policy/modules/contrib/hddtemp.if b/policy/modules/contrib/hddtemp.if
index 1728071..718fc12 100644
--- a/policy/modules/contrib/hddtemp.if
+++ b/policy/modules/contrib/hddtemp.if
@@ -63,10 +63,10 @@ interface(`hddtemp_admin',`
allow $1 hddtemp_t:process { ptrace signal_perms };
ps_process_pattern($1, hddtemp_t)
- init_labeled_script_domtrans($1, hddtemp_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 hddtemp_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, hddtemp_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 hddtemp_initrc_exec_t system_r;
+ #allow $2 system_r;
admin_pattern($1, hddtemp_etc_t)
files_search_etc($1)
diff --git a/policy/modules/contrib/howl.if b/policy/modules/contrib/howl.if
index dc609f0..d67eac5 100644
--- a/policy/modules/contrib/howl.if
+++ b/policy/modules/contrib/howl.if
@@ -43,10 +43,10 @@ interface(`howl_admin',`
allow $1 howl_t:process { ptrace signal_perms };
ps_process_pattern($1, howl_t)
- init_labeled_script_domtrans($1, howl_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 howl_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, howl_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 howl_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, howl_var_run_t)
diff --git a/policy/modules/contrib/hypervkvp.if b/policy/modules/contrib/hypervkvp.if
index 6517fad..d483ebe 100644
--- a/policy/modules/contrib/hypervkvp.if
+++ b/policy/modules/contrib/hypervkvp.if
@@ -25,8 +25,8 @@ interface(`hypervkvp_admin',`
allow $1 hypervkvpd_t:process { ptrace signal_perms };
ps_process_pattern($1, hypervkvpd_t)
- init_labeled_script_domtrans($1, hypervkvpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 hypervkvpd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, hypervkvpd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 hypervkvpd_initrc_exec_t system_r;
+ #allow $2 system_r;
')
diff --git a/policy/modules/contrib/i18n_input.if b/policy/modules/contrib/i18n_input.if
index 5eab254..dd6c6a9 100644
--- a/policy/modules/contrib/i18n_input.if
+++ b/policy/modules/contrib/i18n_input.if
@@ -40,10 +40,10 @@ interface(`i18n_input_admin',`
allow $1 i18n_input_t:process { ptrace signal_perms };
ps_process_pattern($1, i18n_input_t)
- init_labeled_script_domtrans($1, i18n_input_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 i18n_input_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, i18n_input_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 i18n_input_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, i18n_input_var_run_t)
diff --git a/policy/modules/contrib/icecast.if b/policy/modules/contrib/icecast.if
index 580b533..0235592 100644
--- a/policy/modules/contrib/icecast.if
+++ b/policy/modules/contrib/icecast.if
@@ -176,10 +176,10 @@ interface(`icecast_admin',`
type icecast_var_run_t;
')
- icecast_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 icecast_initrc_exec_t system_r;
- allow $2 system_r;
+ #icecast_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 icecast_initrc_exec_t system_r;
+ #allow $2 system_r;
allow $1 icecast_t:process { ptrace signal_perms };
ps_process_pattern($1, icecast_t)
diff --git a/policy/modules/contrib/ifplugd.if b/policy/modules/contrib/ifplugd.if
index 8999899..bc3884d 100644
--- a/policy/modules/contrib/ifplugd.if
+++ b/policy/modules/contrib/ifplugd.if
@@ -122,10 +122,10 @@ interface(`ifplugd_admin',`
allow $1 ifplugd_t:process { ptrace signal_perms };
ps_process_pattern($1, ifplugd_t)
- init_labeled_script_domtrans($1, ifplugd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ifplugd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ifplugd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ifplugd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, ifplugd_etc_t)
diff --git a/policy/modules/contrib/inn.if b/policy/modules/contrib/inn.if
index eb87f23..91b81e9 100644
--- a/policy/modules/contrib/inn.if
+++ b/policy/modules/contrib/inn.if
@@ -230,10 +230,10 @@ interface(`inn_admin',`
type innd_var_run_t, innd_initrc_exec_t;
')
- init_labeled_script_domtrans($1, innd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 innd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, innd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 innd_initrc_exec_t system_r;
+ #allow $2 system_r;
allow $1 innd_t:process { ptrace signal_perms };
ps_process_pattern($1, innd_t)
diff --git a/policy/modules/contrib/iodine.if b/policy/modules/contrib/iodine.if
index a0bfbd0..f034884 100644
--- a/policy/modules/contrib/iodine.if
+++ b/policy/modules/contrib/iodine.if
@@ -47,8 +47,8 @@ interface(`iodine_admin',`
allow $1 iodined_t:process { ptrace signal_perms };
ps_process_pattern($1, iodined_t)
- init_labeled_script_domtrans($1, iodined_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 iodined_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, iodined_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 iodined_initrc_exec_t system_r;
+ #allow $2 system_r;
')
diff --git a/policy/modules/contrib/ircd.if b/policy/modules/contrib/ircd.if
index 1a88664..6d057fd 100644
--- a/policy/modules/contrib/ircd.if
+++ b/policy/modules/contrib/ircd.if
@@ -23,10 +23,10 @@ interface(`ircd_admin',`
type ircd_log_t, ircd_var_lib_t, ircd_var_run_t;
')
- init_labeled_script_domtrans($1, ircd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ircd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ircd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ircd_initrc_exec_t system_r;
+ #allow $2 system_r;
allow $1 ircd_t:process { ptrace signal_perms };
ps_process_pattern($1, ircd_t)
diff --git a/policy/modules/contrib/irqbalance.if b/policy/modules/contrib/irqbalance.if
index d7113e7..5f97e41 100644
--- a/policy/modules/contrib/irqbalance.if
+++ b/policy/modules/contrib/irqbalance.if
@@ -25,10 +25,10 @@ interface(`irqbalance_admin',`
allow $1 irqbalance_t:process { ptrace signal_perms };
ps_process_pattern($1, irqbalance_t)
- init_labeled_script_domtrans($1, irqbalance_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 irqbalance_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, irqbalance_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 irqbalance_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, irqbalance_var_run_t)
diff --git a/policy/modules/contrib/iscsi.if b/policy/modules/contrib/iscsi.if
index 1a35420..9e73947 100644
--- a/policy/modules/contrib/iscsi.if
+++ b/policy/modules/contrib/iscsi.if
@@ -105,10 +105,10 @@ interface(`iscsi_admin',`
allow $1 iscsid_t:process { ptrace signal_perms };
ps_process_pattern($1, iscsid_t)
- init_labeled_script_domtrans($1, iscsi_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 iscsi_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, iscsi_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 iscsi_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, iscsi_log_t)
diff --git a/policy/modules/contrib/isns.if b/policy/modules/contrib/isns.if
index da7e970..baf3539 100644
--- a/policy/modules/contrib/isns.if
+++ b/policy/modules/contrib/isns.if
@@ -26,10 +26,10 @@ interface(`isnsd_admin',`
allow $1 isnsd_t:process { ptrace signal_perms };
ps_process_pattern($1, isnsd_t)
- init_labeled_script_domtrans($1, isnsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 isnsd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, isnsd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 isnsd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, isnsd_var_lib_t)
diff --git a/policy/modules/contrib/jabber.if b/policy/modules/contrib/jabber.if
index 7eb3811..dda272b 100644
--- a/policy/modules/contrib/jabber.if
+++ b/policy/modules/contrib/jabber.if
@@ -81,10 +81,10 @@ interface(`jabber_admin',`
allow $1 jabberd_domain:process { ptrace signal_perms };
ps_process_pattern($1, jabberd_domain)
- init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 jabberd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 jabberd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_locks($1)
admin_pattern($1, jabberd_lock_t)
diff --git a/policy/modules/contrib/kdump.if b/policy/modules/contrib/kdump.if
index 3a00b3a..804c498 100644
--- a/policy/modules/contrib/kdump.if
+++ b/policy/modules/contrib/kdump.if
@@ -102,10 +102,10 @@ interface(`kdump_admin',`
allow $1 { kdump_t kdumpctl_t }:process { ptrace signal_perms };
ps_process_pattern($1, { kdump_t kdumpctl_t })
- init_labeled_script_domtrans($1, kdump_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 kdump_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, kdump_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 kdump_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, kdump_etc_t)
diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if
index 77a5c49..ab3f24e 100644
--- a/policy/modules/contrib/kerberos.if
+++ b/policy/modules/contrib/kerberos.if
@@ -493,10 +493,10 @@ interface(`kerberos_admin',`
allow $1 { kadmind_t krb5kdc_t kpropd_t }:process { ptrace signal_perms };
ps_process_pattern($1, { kadmind_t krb5kdc_t kpropd_t })
- init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 kerberos_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 kerberos_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, kadmind_log_t)
diff --git a/policy/modules/contrib/kerneloops.if b/policy/modules/contrib/kerneloops.if
index 714448f..7e50bdd 100644
--- a/policy/modules/contrib/kerneloops.if
+++ b/policy/modules/contrib/kerneloops.if
@@ -108,10 +108,10 @@ interface(`kerneloops_admin',`
allow $1 kerneloops_t:process { ptrace signal_perms };
ps_process_pattern($1, kerneloops_t)
- init_labeled_script_domtrans($1, kerneloops_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 kerneloops_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, kerneloops_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 kerneloops_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_tmp($1)
admin_pattern($1, kerneloops_tmp_t)
diff --git a/policy/modules/contrib/keystone.if b/policy/modules/contrib/keystone.if
index e88fb16..7407597 100644
--- a/policy/modules/contrib/keystone.if
+++ b/policy/modules/contrib/keystone.if
@@ -26,10 +26,10 @@ interface(`keystone_admin',`
allow $1 keystone_t:process { ptrace signal_perms };
ps_process_pattern($1, keystone_t)
- init_labeled_script_domtrans($1, keystone_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 keystone_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, keystone_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 keystone_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, keystone_log_t)
diff --git a/policy/modules/contrib/kismet.if b/policy/modules/contrib/kismet.if
index f20de6e..1a3bc7d 100644
--- a/policy/modules/contrib/kismet.if
+++ b/policy/modules/contrib/kismet.if
@@ -286,10 +286,10 @@ interface(`kismet_admin',`
type kismet_log_t, kismet_tmp_t, kismet_initrc_exec_t;
')
- init_labeled_script_domtrans($1, kismet_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 kismet_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, kismet_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 kismet_initrc_exec_t system_r;
+ #allow $2 system_r;
ps_process_pattern($1, kismet_t)
allow $1 kismet_t:process { ptrace signal_perms };
diff --git a/policy/modules/contrib/ksmtuned.if b/policy/modules/contrib/ksmtuned.if
index 93a64bc..663a091 100644
--- a/policy/modules/contrib/ksmtuned.if
+++ b/policy/modules/contrib/ksmtuned.if
@@ -61,10 +61,10 @@ interface(`ksmtuned_admin',`
type ksmtuned_initrc_exec_t, ksmtuned_log_t;
')
- ksmtuned_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 ksmtuned_initrc_exec_t system_r;
- allow $2 system_r;
+ #ksmtuned_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ksmtuned_initrc_exec_t system_r;
+ #allow $2 system_r;
allow $1 ksmtuned_t:process { ptrace signal_perms };
ps_process_pattern($1, ksmtuned_t)
diff --git a/policy/modules/contrib/kudzu.if b/policy/modules/contrib/kudzu.if
index 5297064..db57d00 100644
--- a/policy/modules/contrib/kudzu.if
+++ b/policy/modules/contrib/kudzu.if
@@ -89,10 +89,10 @@ interface(`kudzu_admin',`
allow $1 kudzu_t:process { ptrace signal_perms };
ps_process_pattern($1, kudzu_t)
- init_labeled_script_domtrans($1, kudzu_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 kudzu_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, kudzu_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 kudzu_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_tmp($1)
admin_pattern($1, kudzu_tmp_t)
diff --git a/policy/modules/contrib/l2tp.if b/policy/modules/contrib/l2tp.if
index 73e2803..5f364d2 100644
--- a/policy/modules/contrib/l2tp.if
+++ b/policy/modules/contrib/l2tp.if
@@ -86,10 +86,10 @@ interface(`l2tp_admin',`
allow $1 l2tpd_t:process { ptrace signal_perms };
ps_process_pattern($1, l2tpd_t)
- init_labeled_script_domtrans($1, l2tpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 l2tpd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, l2tpd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 l2tpd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, l2tp_conf_t)
diff --git a/policy/modules/contrib/ldap.if b/policy/modules/contrib/ldap.if
index 7f09b4a..bb0ca32 100644
--- a/policy/modules/contrib/ldap.if
+++ b/policy/modules/contrib/ldap.if
@@ -122,10 +122,10 @@ interface(`ldap_admin',`
allow $1 slapd_t:process { ptrace signal_perms };
ps_process_pattern($1, slapd_t)
- init_labeled_script_domtrans($1, slapd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 slapd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, slapd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 slapd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t })
diff --git a/policy/modules/contrib/likewise.if b/policy/modules/contrib/likewise.if
index bd20e8c..3813742 100644
--- a/policy/modules/contrib/likewise.if
+++ b/policy/modules/contrib/likewise.if
@@ -110,10 +110,10 @@ interface(`likewise_admin',`
allow $1 likewise_domains:process { ptrace signal_perms };
ps_process_pattern($1, likewise_domains)
- init_labeled_script_domtrans($1, likewise_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 likewise_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, likewise_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 likewise_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, { likewise_etc_t likewise_pstore_lock_t likewise_krb5_ad_t })
diff --git a/policy/modules/contrib/lircd.if b/policy/modules/contrib/lircd.if
index dff21a7..50996eb 100644
--- a/policy/modules/contrib/lircd.if
+++ b/policy/modules/contrib/lircd.if
@@ -84,10 +84,10 @@ interface(`lircd_admin',`
allow $1 lircd_t:process { ptrace signal_perms };
ps_process_pattern($1, lircd_t)
- init_labeled_script_domtrans($1, lircd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 lircd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, lircd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 lircd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, lircd_etc_t)
diff --git a/policy/modules/contrib/lldpad.if b/policy/modules/contrib/lldpad.if
index d18c960..612d86f 100644
--- a/policy/modules/contrib/lldpad.if
+++ b/policy/modules/contrib/lldpad.if
@@ -45,10 +45,10 @@ interface(`lldpad_admin',`
allow $1 lldpad_t:process { ptrace signal_perms };
ps_process_pattern($1, lldpad_t)
- init_labeled_script_domtrans($1, lldpad_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 lldpad_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, lldpad_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 lldpad_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, lldpad_var_lib_t)
diff --git a/policy/modules/contrib/mailscanner.if b/policy/modules/contrib/mailscanner.if
index 214cb44..d3bd6c5 100644
--- a/policy/modules/contrib/mailscanner.if
+++ b/policy/modules/contrib/mailscanner.if
@@ -47,10 +47,10 @@ interface(`mscan_admin',`
allow $1 mscan_t:process { ptrace signal_perms };
ps_process_pattern($1, mscan_t)
- init_labeled_script_domtrans($1, mscan_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 mscan_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, mscan_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 mscan_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, mscan_etc_t)
diff --git a/policy/modules/contrib/mcelog.if b/policy/modules/contrib/mcelog.if
index f89651e..82b0846 100644
--- a/policy/modules/contrib/mcelog.if
+++ b/policy/modules/contrib/mcelog.if
@@ -45,10 +45,10 @@ interface(`mcelog_admin',`
allow $1 mcelog_t:process { ptrace signal_perms };
ps_process_pattern($1, mcelog_t)
- init_labeled_script_domtrans($1, mcelog_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 mcelog_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, mcelog_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 mcelog_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, mcelog_etc_t)
diff --git a/policy/modules/contrib/memcached.if b/policy/modules/contrib/memcached.if
index 1d4eb19..6b3c3dc 100644
--- a/policy/modules/contrib/memcached.if
+++ b/policy/modules/contrib/memcached.if
@@ -124,10 +124,10 @@ interface(`memcached_admin',`
allow $1 memcached_t:process { ptrace signal_perms };
ps_process_pattern($1, memcached_t)
- init_labeled_script_domtrans($1, memcached_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 memcached_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, memcached_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 memcached_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, memcached_var_run_t)
diff --git a/policy/modules/contrib/minidlna.if b/policy/modules/contrib/minidlna.if
index 358917a..e58f50a 100644
--- a/policy/modules/contrib/minidlna.if
+++ b/policy/modules/contrib/minidlna.if
@@ -26,10 +26,10 @@ interface(`minidlna_admin',`
allow $1 minidlna_t:process { ptrace signal_perms };
ps_process_pattern($1, minidlna_t)
- minidlna_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 minidlna_initrc_exec_t system_r;
- allow $2 system_r;
+ #minidlna_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 minidlna_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, minidlna_conf_t)
diff --git a/policy/modules/contrib/minissdpd.if b/policy/modules/contrib/minissdpd.if
index f37a116..3121ce0 100644
--- a/policy/modules/contrib/minissdpd.if
+++ b/policy/modules/contrib/minissdpd.if
@@ -45,10 +45,10 @@ interface(`minissdpd_admin',`
allow $1 minissdpd_t:process { ptrace signal_perms };
ps_process_pattern($1, minissdpd_t)
- init_labeled_script_domtrans($1, minissdpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 minissdpd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, minissdpd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 minissdpd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, minissdpd_conf_t)
diff --git a/policy/modules/contrib/mongodb.if b/policy/modules/contrib/mongodb.if
index b247d25..80ba75c 100644
--- a/policy/modules/contrib/mongodb.if
+++ b/policy/modules/contrib/mongodb.if
@@ -26,10 +26,10 @@ interface(`mongodb_admin',`
allow $1 mongod_t:process { ptrace signal_perms };
ps_process_pattern($1, mongod_t)
- init_labeled_script_domtrans($1, mongod_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 mongod_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, mongod_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 mongod_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, mongod_log_t)
diff --git a/policy/modules/contrib/monop.if b/policy/modules/contrib/monop.if
index a6ec137..a798087 100644
--- a/policy/modules/contrib/monop.if
+++ b/policy/modules/contrib/monop.if
@@ -26,10 +26,10 @@ interface(`monop_admin',`
allow $1 monopd_t:process { ptrace signal_perms };
ps_process_pattern($1, monopd_t)
- init_labeled_script_domtrans($1, monopd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 monopd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, monopd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 monopd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, monopd_etc_t)
diff --git a/policy/modules/contrib/mpd.if b/policy/modules/contrib/mpd.if
index 5fa77c7..9be1aa8 100644
--- a/policy/modules/contrib/mpd.if
+++ b/policy/modules/contrib/mpd.if
@@ -347,10 +347,10 @@ interface(`mpd_admin',`
allow $1 mpd_t:process { ptrace signal_perms };
ps_process_pattern($1, mpd_t)
- mpd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 mpd_initrc_exec_t system_r;
- allow $2 system_r;
+ #mpd_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 mpd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, mpd_etc_t)
diff --git a/policy/modules/contrib/mrtg.if b/policy/modules/contrib/mrtg.if
index c595094..aeac4b2 100644
--- a/policy/modules/contrib/mrtg.if
+++ b/policy/modules/contrib/mrtg.if
@@ -47,10 +47,10 @@ interface(`mrtg_admin',`
allow $1 mrtg_t:process { ptrace signal_perms };
ps_process_pattern($1, mrtg_t)
- init_labeled_script_domtrans($1, mrtg_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 mrtg_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, mrtg_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 mrtg_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, mrtg_etc_t)
diff --git a/policy/modules/contrib/munin.if b/policy/modules/contrib/munin.if
index b744fe3..b540634 100644
--- a/policy/modules/contrib/munin.if
+++ b/policy/modules/contrib/munin.if
@@ -173,10 +173,10 @@ interface(`munin_admin',`
allow $1 { munin_plugin_domain munin_t }:process { ptrace signal_perms };
ps_process_pattern($1, { munin_plugin_domain munin_t })
- init_labeled_script_domtrans($1, munin_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 munin_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, munin_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 munin_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, { munin_tmp_t munin_plugin_tmp_content })
diff --git a/policy/modules/contrib/mysql.if b/policy/modules/contrib/mysql.if
index 590748a..5535d22 100644
--- a/policy/modules/contrib/mysql.if
+++ b/policy/modules/contrib/mysql.if
@@ -450,10 +450,10 @@ interface(`mysql_admin',`
allow $1 { mysqld_safe_t mysqld_t mysqlmanagerd_t }:process { ptrace signal_perms };
ps_process_pattern($1, { mysqld_safe_t mysqld_t mysqlmanagerd_t })
- init_labeled_script_domtrans($1, { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t } system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t })
+ #domain_system_change_exemption($1)
+ #role_transition $2 { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t } system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, { mysqlmanagerd_var_run_t mysqld_var_run_t })
diff --git a/policy/modules/contrib/nagios.if b/policy/modules/contrib/nagios.if
index 0641e97..8289ecb 100644
--- a/policy/modules/contrib/nagios.if
+++ b/policy/modules/contrib/nagios.if
@@ -204,10 +204,10 @@ interface(`nagios_admin',`
allow $1 { nagios_t nrpe_t nagios_plugin_domain }:process { ptrace signal_perms };
ps_process_pattern($1, { nagios_t nrpe_t nagios_plugin_domain })
- init_labeled_script_domtrans($1, nagios_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 nagios_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, nagios_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 nagios_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_tmp($1)
admin_pattern($1, { nagios_eventhandler_plugin_tmp_t nagios_tmp_t nagios_system_plugin_tmp_t })
diff --git a/policy/modules/contrib/nessus.if b/policy/modules/contrib/nessus.if
index 42e9ed4..5fa68ad 100644
--- a/policy/modules/contrib/nessus.if
+++ b/policy/modules/contrib/nessus.if
@@ -40,10 +40,10 @@ interface(`nessus_admin',`
allow $1 nessusd_t:process { ptrace signal_perms };
ps_process_pattern($1, nessusd_t)
- init_labeled_script_domtrans($1, nessusd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 nessusd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, nessusd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 nessusd_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, nessusd_log_t)
diff --git a/policy/modules/contrib/networkmanager.if b/policy/modules/contrib/networkmanager.if
index b512ce0..7e1b861 100644
--- a/policy/modules/contrib/networkmanager.if
+++ b/policy/modules/contrib/networkmanager.if
@@ -297,10 +297,10 @@ interface(`networkmanager_admin',`
allow $1 { wpa_cli_t NetworkManager_t }:process { ptrace signal_perms };
ps_process_pattern($1, { wpa_cli_t NetworkManager_t })
- init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 NetworkManager_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 NetworkManager_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, { NetworkManager_etc_t NetworkManager_etc_rw_t })
diff --git a/policy/modules/contrib/nis.if b/policy/modules/contrib/nis.if
index 46e55c3..8000aa6 100644
--- a/policy/modules/contrib/nis.if
+++ b/policy/modules/contrib/nis.if
@@ -381,11 +381,11 @@ interface(`nis_admin',`
allow $1 { ypbind_t yppasswdd_t ypserv_t ypxfr_t }:process { ptrace signal_perms };
ps_process_pattern($1, { ypbind_t yppasswdd_t ypserv_t ypxfr_t })
- nis_initrc_domtrans($1)
- nis_initrc_domtrans_ypbind($1)
- domain_system_change_exemption($1)
- role_transition $2 { nis_initrc_exec_t ypbind_initrc_exec_t } system_r;
- allow $2 system_r;
+ #nis_initrc_domtrans($1)
+ #nis_initrc_domtrans_ypbind($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 { nis_initrc_exec_t ypbind_initrc_exec_t } system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, { ypserv_tmp_t ypbind_tmp_t })
diff --git a/policy/modules/contrib/nscd.if b/policy/modules/contrib/nscd.if
index 8f2ab09..7d046d2 100644
--- a/policy/modules/contrib/nscd.if
+++ b/policy/modules/contrib/nscd.if
@@ -299,10 +299,10 @@ interface(`nscd_admin',`
allow $1 nscd_t:process { ptrace signal_perms };
ps_process_pattern($1, nscd_t)
- init_labeled_script_domtrans($1, nscd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 nscd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, nscd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 nscd_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, nscd_log_t)
diff --git a/policy/modules/contrib/nsd.if b/policy/modules/contrib/nsd.if
index a9c60ff..6b42add 100644
--- a/policy/modules/contrib/nsd.if
+++ b/policy/modules/contrib/nsd.if
@@ -54,10 +54,10 @@ interface(`nsd_admin',`
allow $1 nsd_t:process { ptrace signal_perms };
ps_process_pattern($1, nsd_t)
- init_labeled_script_domtrans($1, nsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 nsd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, nsd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 nsd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, { nsd_conf_t nsd_db_t })
diff --git a/policy/modules/contrib/nslcd.if b/policy/modules/contrib/nslcd.if
index bbd7cac..4c7aee8 100644
--- a/policy/modules/contrib/nslcd.if
+++ b/policy/modules/contrib/nslcd.if
@@ -102,10 +102,10 @@ interface(`nslcd_admin',`
allow $1 nslcd_t:process { ptrace signal_perms };
ps_process_pattern($1, nslcd_t)
- nslcd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 nslcd_initrc_exec_t system_r;
- allow $2 system_r;
+ #nslcd_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 nslcd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, nslcd_conf_t)
diff --git a/policy/modules/contrib/ntop.if b/policy/modules/contrib/ntop.if
index beaee73..756b0cc 100644
--- a/policy/modules/contrib/ntop.if
+++ b/policy/modules/contrib/ntop.if
@@ -26,10 +26,10 @@ interface(`ntop_admin',`
allow $1 ntop_t:process { ptrace signal_perms };
ps_process_pattern($1, ntop_t)
- init_labeled_script_domtrans($1, ntop_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ntop_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ntop_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ntop_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, ntop_etc_t)
diff --git a/policy/modules/contrib/ntp.if b/policy/modules/contrib/ntp.if
index 6a83626..02e6320 100644
--- a/policy/modules/contrib/ntp.if
+++ b/policy/modules/contrib/ntp.if
@@ -166,10 +166,10 @@ interface(`ntp_admin',`
allow $1 ntpd_t:process { ptrace signal_perms };
ps_process_pattern($1, ntpd_t)
- init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ntpd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ntpd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, { ntpd_key_t ntp_conf_t })
diff --git a/policy/modules/contrib/numad.if b/policy/modules/contrib/numad.if
index 0d3c270..d5c4a6d 100644
--- a/policy/modules/contrib/numad.if
+++ b/policy/modules/contrib/numad.if
@@ -26,10 +26,10 @@ interface(`numad_admin',`
allow $1 numad_t:process { ptrace signal_perms };
ps_process_pattern($1, numad_t)
- init_labeled_script_domtrans($1, numad_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 numad_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, numad_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 numad_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, numad_log_t)
diff --git a/policy/modules/contrib/nut.if b/policy/modules/contrib/nut.if
index c606ae6..f0f6b74 100644
--- a/policy/modules/contrib/nut.if
+++ b/policy/modules/contrib/nut.if
@@ -26,10 +26,10 @@ interface(`nut_admin',`
allow $1 nut_domain:process { ptrace signal_perms };
ps_process_pattern($1, nut_domain)
- init_labeled_script_domtrans($1, nut_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 nut_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, nut_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 nut_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, nut_conf_t)
diff --git a/policy/modules/contrib/oident.if b/policy/modules/contrib/oident.if
index 513f452..c4d4419 100644
--- a/policy/modules/contrib/oident.if
+++ b/policy/modules/contrib/oident.if
@@ -131,10 +131,10 @@ interface(`oident_admin',`
allow $1 oidentd_t:process { ptrace signal_perms };
ps_process_pattern($1, oidentd_t)
- init_labeled_script_domtrans($1, oidentd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 oidentd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, oidentd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 oidentd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, oidentd_config_t)
diff --git a/policy/modules/contrib/openct.if b/policy/modules/contrib/openct.if
index a55238b..4fe22f9 100644
--- a/policy/modules/contrib/openct.if
+++ b/policy/modules/contrib/openct.if
@@ -120,10 +120,10 @@ interface(`openct_admin',`
allow $1 openct_t:process { ptrace signal_perms };
ps_process_pattern($1, openct_t)
- init_labeled_script_domtrans($1, openct_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 openct_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, openct_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 openct_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, openct_var_run_t)
diff --git a/policy/modules/contrib/openhpi.if b/policy/modules/contrib/openhpi.if
index 3c86958..141f3c8 100644
--- a/policy/modules/contrib/openhpi.if
+++ b/policy/modules/contrib/openhpi.if
@@ -26,10 +26,10 @@ interface(`openhpi_admin',`
allow $1 openhpid_t:process { ptrace signal_perms };
ps_process_pattern($1, openhpid_t)
- init_labeled_script_domtrans($1, openhpid_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 openhpid_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, openhpid_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 openhpid_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, openhpid_var_lib_t)
diff --git a/policy/modules/contrib/openvpn.if b/policy/modules/contrib/openvpn.if
index 6837e9a..7efa5a5 100644
--- a/policy/modules/contrib/openvpn.if
+++ b/policy/modules/contrib/openvpn.if
@@ -150,10 +150,10 @@ interface(`openvpn_admin',`
allow $1 openvpn_t:process { ptrace signal_perms };
ps_process_pattern($1, openvpn_t)
- init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 openvpn_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 openvpn_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, { openvpn_etc_t openvpn_etc_rw_t })
diff --git a/policy/modules/contrib/openvswitch.if b/policy/modules/contrib/openvswitch.if
index 9b15730..131e6dc 100644
--- a/policy/modules/contrib/openvswitch.if
+++ b/policy/modules/contrib/openvswitch.if
@@ -64,10 +64,10 @@ interface(`openvswitch_admin',`
allow $1 openvswitch_t:process { ptrace signal_perms };
ps_process_pattern($1, openvswitch_t)
- init_labeled_script_domtrans($1, openvswitch_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 openvswitch_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, openvswitch_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 openvswitch_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, openvswitch_conf_t)
diff --git a/policy/modules/contrib/pacemaker.if b/policy/modules/contrib/pacemaker.if
index 9682d9a..3ae9dcf 100644
--- a/policy/modules/contrib/pacemaker.if
+++ b/policy/modules/contrib/pacemaker.if
@@ -26,10 +26,10 @@ interface(`pacemaker_admin',`
allow $1 pacemaker_t:process { ptrace signal_perms };
ps_process_pattern($1, pacemaker_t)
- init_labeled_script_domtrans($1, pacemaker_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pacemaker_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, pacemaker_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pacemaker_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, pacemaker_var_lib_t)
diff --git a/policy/modules/contrib/pads.if b/policy/modules/contrib/pads.if
index 6e097c9..e9fa6d2 100644
--- a/policy/modules/contrib/pads.if
+++ b/policy/modules/contrib/pads.if
@@ -26,10 +26,10 @@ interface(`pads_admin', `
allow $1 pads_t:process { ptrace signal_perms };
ps_process_pattern($1, pads_t)
- init_labeled_script_domtrans($1, pads_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pads_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, pads_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pads_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, pads_var_run_t)
diff --git a/policy/modules/contrib/pcscd.if b/policy/modules/contrib/pcscd.if
index 7f77d32..aa414bd 100644
--- a/policy/modules/contrib/pcscd.if
+++ b/policy/modules/contrib/pcscd.if
@@ -128,10 +128,10 @@ interface(`pcscd_admin',`
allow $1 pcscd_t:process { ptrace signal_perms };
ps_process_pattern($1, pcscd_t)
- init_labeled_script_domtrans($1, pcscd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pcscd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, pcscd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pcscd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, pcscd_var_run_t)
diff --git a/policy/modules/contrib/pegasus.if b/policy/modules/contrib/pegasus.if
index d2fc677..3b509a4 100644
--- a/policy/modules/contrib/pegasus.if
+++ b/policy/modules/contrib/pegasus.if
@@ -27,10 +27,10 @@ interface(`pegasus_admin',`
allow $1 pegasus_t:process { ptrace signal_perms };
ps_process_pattern($1, pegasus_t)
- init_labeled_script_domtrans($1, pegasus_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pegasus_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, pegasus_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pegasus_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, pegasus_conf_t)
diff --git a/policy/modules/contrib/perdition.if b/policy/modules/contrib/perdition.if
index 47e09e1..ffe3965 100644
--- a/policy/modules/contrib/perdition.if
+++ b/policy/modules/contrib/perdition.if
@@ -40,10 +40,10 @@ interface(`perdition_admin',`
allow $1 perdition_t:process { ptrace signal_perms };
ps_process_pattern($1, perdition_t)
- init_labeled_script_domtrans($1, perdition_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 perdition_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, perdition_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 perdition_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, perdition_etc_t)
diff --git a/policy/modules/contrib/pingd.if b/policy/modules/contrib/pingd.if
index 21a6ecb..4194b84 100644
--- a/policy/modules/contrib/pingd.if
+++ b/policy/modules/contrib/pingd.if
@@ -84,10 +84,10 @@ interface(`pingd_admin',`
allow $1 pingd_t:process { ptrace signal_perms };
ps_process_pattern($1, pingd_t)
- init_labeled_script_domtrans($1, pingd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pingd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, pingd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pingd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, pingd_etc_t)
diff --git a/policy/modules/contrib/pkcs.if b/policy/modules/contrib/pkcs.if
index 69be2aa..c3b3223 100644
--- a/policy/modules/contrib/pkcs.if
+++ b/policy/modules/contrib/pkcs.if
@@ -26,10 +26,10 @@ interface(`pkcs_admin_slotd',`
allow $1 pkcs_slotd_t:process { ptrace signal_perms };
ps_process_pattern($1, pkcs_slotd_t)
- init_labeled_script_domtrans($1, pkcs_slotd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pkcs_slotd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, pkcs_slotd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pkcs_slotd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, pkcs_slotd_var_lib_t)
diff --git a/policy/modules/contrib/polipo.if b/policy/modules/contrib/polipo.if
index ae27bb7..c6c431e 100644
--- a/policy/modules/contrib/polipo.if
+++ b/policy/modules/contrib/polipo.if
@@ -125,10 +125,10 @@ interface(`polipo_admin',`
allow $1 polipo_system_t:process { ptrace signal_perms };
ps_process_pattern($1, polipo_system_t)
- polipo_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 polipo_initrc_exec_t system_r;
- allow $2 system_r;
+ #polipo_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 polipo_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var($1)
admin_pattern($1, polipo_cache_t)
diff --git a/policy/modules/contrib/portmap.if b/policy/modules/contrib/portmap.if
index 9f982b5..7cc0695 100644
--- a/policy/modules/contrib/portmap.if
+++ b/policy/modules/contrib/portmap.if
@@ -114,10 +114,10 @@ interface(`portmap_admin',`
allow $1 { portmap_t portmap_helper_t }:process { ptrace signal_perms };
ps_process_pattern($1, { portmap_t portmap_helper_t })
- init_labeled_script_domtrans($1, portmap_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 portmap_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, portmap_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 portmap_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, portmap_var_run_t)
diff --git a/policy/modules/contrib/portreserve.if b/policy/modules/contrib/portreserve.if
index 5ad5291..ecffbfc 100644
--- a/policy/modules/contrib/portreserve.if
+++ b/policy/modules/contrib/portreserve.if
@@ -108,10 +108,10 @@ interface(`portreserve_admin',`
allow $1 portreserve_t:process { ptrace signal_perms };
ps_process_pattern($1, portreserve_t)
- portreserve_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 portreserve_initrc_exec_t system_r;
- allow $2 system_r;
+ #portreserve_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 portreserve_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, portreserve_etc_t)
diff --git a/policy/modules/contrib/postfix.if b/policy/modules/contrib/postfix.if
index 8e7d1e7..603f2e3 100644
--- a/policy/modules/contrib/postfix.if
+++ b/policy/modules/contrib/postfix.if
@@ -720,10 +720,10 @@ interface(`postfix_admin',`
allow $1 postfix_domain:process { ptrace signal_perms };
ps_process_pattern($1, postfix_domain)
- init_labeled_script_domtrans($1, postfix_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 postfix_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, postfix_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 postfix_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t postfix_keytab_t })
diff --git a/policy/modules/contrib/postfixpolicyd.if b/policy/modules/contrib/postfixpolicyd.if
index 5de8173..d74f378 100644
--- a/policy/modules/contrib/postfixpolicyd.if
+++ b/policy/modules/contrib/postfixpolicyd.if
@@ -26,10 +26,10 @@ interface(`postfixpolicyd_admin',`
allow $1 postfix_policyd_t:process { ptrace signal_perms };
ps_process_pattern($1, postfix_policyd_t)
- init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 postfix_policyd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 postfix_policyd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, postfix_policyd_conf_t)
diff --git a/policy/modules/contrib/postgrey.if b/policy/modules/contrib/postgrey.if
index b9e71b5..05a4cd4 100644
--- a/policy/modules/contrib/postgrey.if
+++ b/policy/modules/contrib/postgrey.if
@@ -67,10 +67,10 @@ interface(`postgrey_admin',`
allow $1 postgrey_t:process { ptrace signal_perms };
ps_process_pattern($1, postgrey_t)
- init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 postgrey_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 postgrey_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, postgrey_etc_t)
diff --git a/policy/modules/contrib/ppp.if b/policy/modules/contrib/ppp.if
index cd8b8b9..71455d1 100644
--- a/policy/modules/contrib/ppp.if
+++ b/policy/modules/contrib/ppp.if
@@ -487,10 +487,10 @@ interface(`ppp_admin',`
allow $1 { pptp_t pppd_t }:process { ptrace signal_perms };
ps_process_pattern($1, { pptp_t pppd_t })
- ppp_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 pppd_initrc_exec_t system_r;
- allow $2 system_r;
+ #ppp_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pppd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, pppd_tmp_t)
diff --git a/policy/modules/contrib/prelude.if b/policy/modules/contrib/prelude.if
index db8f510..573fac7 100644
--- a/policy/modules/contrib/prelude.if
+++ b/policy/modules/contrib/prelude.if
@@ -126,10 +126,10 @@ interface(`prelude_admin',`
allow $1 { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t }:process { ptrace signal_perms };
ps_process_pattern($1, { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t })
- init_labeled_script_domtrans($1, prelude_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 prelude_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, prelude_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 prelude_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_spool($1)
admin_pattern($1, prelude_spool_t)
diff --git a/policy/modules/contrib/privoxy.if b/policy/modules/contrib/privoxy.if
index bdcee30..182267b 100644
--- a/policy/modules/contrib/privoxy.if
+++ b/policy/modules/contrib/privoxy.if
@@ -26,10 +26,10 @@ interface(`privoxy_admin',`
allow $1 privoxy_t:process { ptrace signal_perms };
ps_process_pattern($1, privoxy_t)
- init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 privoxy_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 privoxy_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, privoxy_log_t)
diff --git a/policy/modules/contrib/psad.if b/policy/modules/contrib/psad.if
index cdc83d2..a04483a 100644
--- a/policy/modules/contrib/psad.if
+++ b/policy/modules/contrib/psad.if
@@ -242,10 +242,10 @@ interface(`psad_admin',`
allow $1 psad_t:process { ptrace signal_perms };
ps_process_pattern($1, psad_t)
- init_labeled_script_domtrans($1, psad_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 psad_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, psad_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 psad_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, psad_etc_t)
diff --git a/policy/modules/contrib/puppet.if b/policy/modules/contrib/puppet.if
index 7cb8b1f..9d0c95c 100644
--- a/policy/modules/contrib/puppet.if
+++ b/policy/modules/contrib/puppet.if
@@ -211,10 +211,10 @@ interface(`puppet_admin',`
allow $1 { puppet_t puppetca_t puppetmaster_t }:process { ptrace signal_perms };
ps_process_pattern($1, { puppet_t puppetca_t puppetmaster_t })
- init_labeled_script_domtrans($1, { puppet_initrc_exec_t puppetmaster_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { puppet_initrc_exec_t puppetmaster_initrc_exec_t } system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, { puppet_initrc_exec_t puppetmaster_initrc_exec_t })
+ #domain_system_change_exemption($1)
+ #role_transition $2 { puppet_initrc_exec_t puppetmaster_initrc_exec_t } system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, puppet_etc_t)
diff --git a/policy/modules/contrib/pxe.if b/policy/modules/contrib/pxe.if
index 7da286f..3a60f9b 100644
--- a/policy/modules/contrib/pxe.if
+++ b/policy/modules/contrib/pxe.if
@@ -26,10 +26,10 @@ interface(`pxe_admin',`
allow $1 pxe_t:process { ptrace signal_perms };
ps_process_pattern($1, pxe_t)
- init_labeled_script_domtrans($1, pxe_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pxe_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, pxe_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pxe_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, pxe_log_t)
diff --git a/policy/modules/contrib/pyicqt.if b/policy/modules/contrib/pyicqt.if
index 0ccea82..683d0ee 100644
--- a/policy/modules/contrib/pyicqt.if
+++ b/policy/modules/contrib/pyicqt.if
@@ -26,10 +26,10 @@ interface(`pyicqt_admin',`
allow $1 pyicqt_t:process { ptrace signal_perms };
ps_process_pattern($1, pyicqt_t)
- init_labeled_script_domtrans($1, pyicqt_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pyicqt_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, pyicqt_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pyicqt_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, pyicqt_conf_t)
diff --git a/policy/modules/contrib/pyzor.if b/policy/modules/contrib/pyzor.if
index c05a504..664b594 100644
--- a/policy/modules/contrib/pyzor.if
+++ b/policy/modules/contrib/pyzor.if
@@ -118,10 +118,10 @@ interface(`pyzor_admin',`
allow $1 pyzord_t:process { ptrace signal_perms };
ps_process_pattern($1, pyzord_t)
- init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pyzord_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pyzord_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, pyzor_etc_t)
diff --git a/policy/modules/contrib/qpid.if b/policy/modules/contrib/qpid.if
index fe2adf8..307b419 100644
--- a/policy/modules/contrib/qpid.if
+++ b/policy/modules/contrib/qpid.if
@@ -177,10 +177,10 @@ interface(`qpidd_admin',`
allow $1 qpidd_t:process { ptrace signal_perms };
ps_process_pattern($1, qpidd_t)
- qpidd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 qpidd_initrc_exec_t system_r;
- allow $2 system_r;
+ #qpidd_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 qpidd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, qpidd_var_lib_t)
diff --git a/policy/modules/contrib/quantum.if b/policy/modules/contrib/quantum.if
index afc0068..2d9ec09 100644
--- a/policy/modules/contrib/quantum.if
+++ b/policy/modules/contrib/quantum.if
@@ -26,10 +26,10 @@ interface(`quantum_admin',`
allow $1 quantum_t:process { ptrace signal_perms };
ps_process_pattern($1, quantum_t)
- init_labeled_script_domtrans($1, quantum_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 quantum_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, quantum_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 quantum_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, quantum_log_t)
diff --git a/policy/modules/contrib/quota.if b/policy/modules/contrib/quota.if
index 68611e3..6af6364 100644
--- a/policy/modules/contrib/quota.if
+++ b/policy/modules/contrib/quota.if
@@ -184,10 +184,10 @@ interface(`quota_admin',`
allow $1 { quota_nld_t quota_t }:process { ptrace signal_perms };
ps_process_pattern($1, { quota_nld_t quota_t })
- init_labeled_script_domtrans($1, quota_nld_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 quota_nld_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, quota_nld_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 quota_nld_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_all($1)
admin_pattern($1, { quota_db_t quota_flag_t quota_nld_var_run_t })
diff --git a/policy/modules/contrib/rabbitmq.if b/policy/modules/contrib/rabbitmq.if
index 2c3d338..64bd4db 100644
--- a/policy/modules/contrib/rabbitmq.if
+++ b/policy/modules/contrib/rabbitmq.if
@@ -45,10 +45,10 @@ interface(`rabbitmq_admin',`
allow $1 { rabbitmq_epmd_t rabbitmq_beam_t }:process { ptrace signal_perms };
ps_process_pattern($1, { rabbitmq_epmd_t rabbitmq_beam_t })
- init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rabbitmq_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 rabbitmq_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, rabbitmq_var_log_t)
diff --git a/policy/modules/contrib/radius.if b/policy/modules/contrib/radius.if
index 4460582..785c40a 100644
--- a/policy/modules/contrib/radius.if
+++ b/policy/modules/contrib/radius.if
@@ -41,10 +41,10 @@ interface(`radius_admin',`
allow $1 radiusd_t:process { ptrace signal_perms };
ps_process_pattern($1, radiusd_t)
- init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 radiusd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 radiusd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, { radiusd_etc_t radiusd_etc_rw_t })
diff --git a/policy/modules/contrib/radvd.if b/policy/modules/contrib/radvd.if
index ac7058d..33a3f31 100644
--- a/policy/modules/contrib/radvd.if
+++ b/policy/modules/contrib/radvd.if
@@ -26,10 +26,10 @@ interface(`radvd_admin',`
allow $1 radvd_t:process { ptrace signal_perms };
ps_process_pattern($1, radvd_t)
- init_labeled_script_domtrans($1, radvd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 radvd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, radvd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 radvd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, radvd_etc_t)
diff --git a/policy/modules/contrib/raid.if b/policy/modules/contrib/raid.if
index 951db7f..f865481 100644
--- a/policy/modules/contrib/raid.if
+++ b/policy/modules/contrib/raid.if
@@ -91,10 +91,10 @@ interface(`raid_admin_mdadm',`
allow $1 mdadm_t:process { ptrace signal_perms };
ps_process_pattern($1, mdadm_t)
- init_labeled_script_domtrans($1, mdadm_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 mdadm_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, mdadm_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 mdadm_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, mdadm_var_run_t)
diff --git a/policy/modules/contrib/redis.if b/policy/modules/contrib/redis.if
index 3969450..13812be 100644
--- a/policy/modules/contrib/redis.if
+++ b/policy/modules/contrib/redis.if
@@ -26,10 +26,10 @@ interface(`redis_admin',`
allow $1 redis_t:process { ptrace signal_perms };
ps_process_pattern($1, redis_t)
- init_labeled_script_domtrans($1, redis_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 redis_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, redis_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 redis_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, redis_log_t)
diff --git a/policy/modules/contrib/resmgr.if b/policy/modules/contrib/resmgr.if
index 0d93db6..b6a5cec 100644
--- a/policy/modules/contrib/resmgr.if
+++ b/policy/modules/contrib/resmgr.if
@@ -46,10 +46,10 @@ interface(`resmgr_admin',`
allow $1 resmgrd_t:process { ptrace signal_perms };
ps_process_pattern($1, resmgrd_t)
- init_labeled_script_domtrans($1, resmgrd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 resmgrd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, resmgrd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 resmgrd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, resmgrd_etc_t)
diff --git a/policy/modules/contrib/rgmanager.if b/policy/modules/contrib/rgmanager.if
index 1c2f9aa..5ab664c 100644
--- a/policy/modules/contrib/rgmanager.if
+++ b/policy/modules/contrib/rgmanager.if
@@ -105,10 +105,10 @@ interface(`rgmanager_admin',`
allow $1 rgmanager_t:process { ptrace signal_perms };
ps_process_pattern($1, rgmanager_t)
- init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rgmanager_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 rgmanager_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, rgmanager_tmp_t)
diff --git a/policy/modules/contrib/rhcs.if b/policy/modules/contrib/rhcs.if
index c8bdea2..10828e8 100644
--- a/policy/modules/contrib/rhcs.if
+++ b/policy/modules/contrib/rhcs.if
@@ -472,10 +472,10 @@ interface(`rhcs_admin',`
allow $1 cluster_domain:process { ptrace signal_perms };
ps_process_pattern($1, cluster_domain)
- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
+ #domain_system_change_exemption($1)
+ #role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, cluster_pid)
diff --git a/policy/modules/contrib/rhsmcertd.if b/policy/modules/contrib/rhsmcertd.if
index 6dbc905..98574fe 100644
--- a/policy/modules/contrib/rhsmcertd.if
+++ b/policy/modules/contrib/rhsmcertd.if
@@ -285,10 +285,10 @@ interface(`rhsmcertd_admin',`
allow $1 rhsmcertd_t:process { ptrace signal_perms };
ps_process_pattern($1, rhsmcertd_t)
- rhsmcertd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 rhsmcertd_initrc_exec_t system_r;
- allow $2 system_r;
+ #rhsmcertd_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 rhsmcertd_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, rhsmcertd_log_t)
diff --git a/policy/modules/contrib/ricci.if b/policy/modules/contrib/ricci.if
index 2ab3ed1..3290abc 100644
--- a/policy/modules/contrib/ricci.if
+++ b/policy/modules/contrib/ricci.if
@@ -203,10 +203,10 @@ interface(`ricci_admin',`
allow $1 ricci_t:process { ptrace signal_perms };
ps_process_pattern($1, ricci_t)
- init_labeled_script_domtrans($1, ricci_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ricci_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ricci_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ricci_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, ricci_tmp_t)
diff --git a/policy/modules/contrib/rngd.if b/policy/modules/contrib/rngd.if
index 13f788f..d182588 100644
--- a/policy/modules/contrib/rngd.if
+++ b/policy/modules/contrib/rngd.if
@@ -25,10 +25,10 @@ interface(`rngd_admin',`
allow $1 rngd_t:process { ptrace signal_perms };
ps_process_pattern($1, rngd_t)
- init_labeled_script_domtrans($1, rngd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rngd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, rngd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 rngd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, rngd_var_run_t)
diff --git a/policy/modules/contrib/roundup.if b/policy/modules/contrib/roundup.if
index 975bb6a..f540ee7 100644
--- a/policy/modules/contrib/roundup.if
+++ b/policy/modules/contrib/roundup.if
@@ -26,10 +26,10 @@ interface(`roundup_admin',`
allow $1 roundup_t:process { ptrace signal_perms };
ps_process_pattern($1, roundup_t)
- init_labeled_script_domtrans($1, roundup_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 roundup_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, roundup_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 roundup_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_var_lib($1)
admin_pattern($1, roundup_var_lib_t)
diff --git a/policy/modules/contrib/rpc.if b/policy/modules/contrib/rpc.if
index 157afd9..baf9509 100644
--- a/policy/modules/contrib/rpc.if
+++ b/policy/modules/contrib/rpc.if
@@ -400,10 +400,10 @@ interface(`rpc_admin',`
allow $1 rpc_domain:process { ptrace signal_perms };
ps_process_pattern($1, rpc_domain)
- init_labeled_script_domtrans($1, { nfsd_initrc_exec_t rpcd_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { nfsd_initrc_exec_t rpcd_initrc_exec_t } system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, { nfsd_initrc_exec_t rpcd_initrc_exec_t })
+ #domain_system_change_exemption($1)
+ #role_transition $2 { nfsd_initrc_exec_t rpcd_initrc_exec_t } system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, { gssd_keytab_t exports_t })
diff --git a/policy/modules/contrib/rpcbind.if b/policy/modules/contrib/rpcbind.if
index f78fef0..bfee269 100644
--- a/policy/modules/contrib/rpcbind.if
+++ b/policy/modules/contrib/rpcbind.if
@@ -160,10 +160,10 @@ interface(`rpcbind_admin',`
allow $1 rpcbind_t:process { ptrace signal_perms };
ps_process_pattern($1, rpcbind_t)
- init_labeled_script_domtrans($1, rpcbind_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rpcbind_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, rpcbind_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 rpcbind_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, rpcbind_var_run_t)
diff --git a/policy/modules/contrib/rpm.if b/policy/modules/contrib/rpm.if
index fc9c8d8..4b1a6b3 100644
--- a/policy/modules/contrib/rpm.if
+++ b/policy/modules/contrib/rpm.if
@@ -634,10 +634,10 @@ interface(`rpm_admin',`
allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms };
ps_process_pattern($1, { rpm_t rpm_script_t })
- init_labeled_script_domtrans($1, rpm_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rpm_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, rpm_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 rpm_initrc_exec_t system_r;
+ #allow $2 system_r;
admin_pattern($1, rpm_file_t)
diff --git a/policy/modules/contrib/rtkit.if b/policy/modules/contrib/rtkit.if
index e904ec4..37daa13 100644
--- a/policy/modules/contrib/rtkit.if
+++ b/policy/modules/contrib/rtkit.if
@@ -90,8 +90,8 @@ interface(`rtkit_admin',`
allow $1 rtkit_daemon_t:process { ptrace signal_perms };
ps_process_pattern($1, rtkit_daemon_t)
- init_labeled_script_domtrans($1, rtkit_daemon_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rtkit_daemon_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, rtkit_daemon_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 rtkit_daemon_initrc_exec_t system_r;
+ #allow $2 system_r;
')
diff --git a/policy/modules/contrib/rwho.if b/policy/modules/contrib/rwho.if
index 0360ff0..01b5928 100644
--- a/policy/modules/contrib/rwho.if
+++ b/policy/modules/contrib/rwho.if
@@ -142,10 +142,10 @@ interface(`rwho_admin',`
allow $1 rwho_t:process { ptrace signal_perms };
ps_process_pattern($1, rwho_t)
- init_labeled_script_domtrans($1, rwho_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rwho_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, rwho_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 rwho_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, rwho_log_t)
diff --git a/policy/modules/contrib/salt.if b/policy/modules/contrib/salt.if
index 7ab9e6b..c8e33a5 100644
--- a/policy/modules/contrib/salt.if
+++ b/policy/modules/contrib/salt.if
@@ -29,12 +29,12 @@ interface(`salt_admin_master',`
allow $1 salt_master_t:process { ptrace signal_perms };
ps_process_pattern($1, salt_master_t)
- init_labeled_script_domtrans($1, salt_master_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 salt_master_initrc_exec_t system_r;
+ #init_labeled_script_domtrans($1, salt_master_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 salt_master_initrc_exec_t system_r;
# for debugging?
- role_transition $2 salt_master_exec_t system_r;
+ #role_transition $2 salt_master_exec_t system_r;
domtrans_pattern($1, salt_master_exec_t, salt_master_t)
roleattribute $2 salt_master_roles;
@@ -73,12 +73,12 @@ interface(`salt_admin_minion',`
allow $1 salt_minion_t:process { ptrace signal_perms };
ps_process_pattern($1, salt_minion_t)
- init_labeled_script_domtrans($1, salt_minion_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 salt_minion_initrc_exec_t system_r;
+ #init_labeled_script_domtrans($1, salt_minion_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 salt_minion_initrc_exec_t system_r;
# for debugging
- role_transition $2 salt_minion_exec_t system_r;
+ #role_transition $2 salt_minion_exec_t system_r;
domtrans_pattern($1, salt_minion_exec_t, salt_minion_t)
roleattribute $2 salt_minion_roles;
diff --git a/policy/modules/contrib/samba.if b/policy/modules/contrib/samba.if
index 50d07fb..51e6858 100644
--- a/policy/modules/contrib/samba.if
+++ b/policy/modules/contrib/samba.if
@@ -695,10 +695,10 @@ interface(`samba_admin',`
allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms };
ps_process_pattern($1, { nmbd_t smbd_t })
- init_labeled_script_domtrans($1, samba_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 samba_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, samba_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 samba_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, { samba_etc_t smbd_keytab_t })
diff --git a/policy/modules/contrib/sanlock.if b/policy/modules/contrib/sanlock.if
index cd6c213..98b2950 100644
--- a/policy/modules/contrib/sanlock.if
+++ b/policy/modules/contrib/sanlock.if
@@ -104,10 +104,10 @@ interface(`sanlock_admin',`
allow $1 sanlock_t:process { ptrace signal_perms };
ps_process_pattern($1, sanlock_t)
- sanlock_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 sanlock_initrc_exec_t system_r;
- allow $2 system_r;
+ #sanlock_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 sanlock_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, sanlock_var_run_t)
diff --git a/policy/modules/contrib/sasl.if b/policy/modules/contrib/sasl.if
index 8c3c151..7da737b 100644
--- a/policy/modules/contrib/sasl.if
+++ b/policy/modules/contrib/sasl.if
@@ -45,10 +45,10 @@ interface(`sasl_admin',`
allow $1 saslauthd_t:process { ptrace signal_perms };
ps_process_pattern($1, saslauthd_t)
- init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 saslauthd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 saslauthd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, saslauthd_keytab_t)
diff --git a/policy/modules/contrib/sblim.if b/policy/modules/contrib/sblim.if
index 98c9e0a..25d94a4 100644
--- a/policy/modules/contrib/sblim.if
+++ b/policy/modules/contrib/sblim.if
@@ -64,10 +64,10 @@ interface(`sblim_admin',`
allow $1 sblim_domain:process { ptrace signal_perms };
ps_process_pattern($1, sblim_domain)
- init_labeled_script_domtrans($1, sblim_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 sblim_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, sblim_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 sblim_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, sblim_var_run_t)
diff --git a/policy/modules/contrib/sendmail.if b/policy/modules/contrib/sendmail.if
index 35ad2a7..7a95364 100644
--- a/policy/modules/contrib/sendmail.if
+++ b/policy/modules/contrib/sendmail.if
@@ -360,9 +360,9 @@ interface(`sendmail_admin',`
allow $1 { unconfined_sendmail_t sendmail_t }:process { ptrace signal_perms };
ps_process_pattern($1, { unconfined_sendmail_t sendmail_t })
- init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 sendmail_initrc_exec_t system_r;
+ #init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 sendmail_initrc_exec_t system_r;
files_list_etc($1)
admin_pattern($1, sendmail_keytab_t)
diff --git a/policy/modules/contrib/sensord.if b/policy/modules/contrib/sensord.if
index d204752..ec77409 100644
--- a/policy/modules/contrib/sensord.if
+++ b/policy/modules/contrib/sensord.if
@@ -25,10 +25,10 @@ interface(`sensord_admin',`
allow $1 sensord_t:process { ptrace signal_perms };
ps_process_pattern($1, sensord_t)
- init_labeled_script_domtrans($1, sensord_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 sensord_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, sensord_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 sensord_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, sensord_var_run_t)
diff --git a/policy/modules/contrib/shorewall.if b/policy/modules/contrib/shorewall.if
index 1aeef8a..abcfdf5 100644
--- a/policy/modules/contrib/shorewall.if
+++ b/policy/modules/contrib/shorewall.if
@@ -179,10 +179,10 @@ interface(`shorewall_admin',`
allow $1 shorewall_t:process { ptrace signal_perms };
ps_process_pattern($1, shorewall_t)
- init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 shorewall_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 shorewall_initrc_exec_t system_r;
+ #allow $2 system_r;
can_exec($1, shorewall_exec_t)
diff --git a/policy/modules/contrib/slpd.if b/policy/modules/contrib/slpd.if
index ca32e89..c13e32c 100644
--- a/policy/modules/contrib/slpd.if
+++ b/policy/modules/contrib/slpd.if
@@ -26,10 +26,10 @@ interface(`slpd_admin',`
allow $1 slpd_t:process { ptrace signal_perms };
ps_process_pattern($1, slpd_t)
- init_labeled_script_domtrans($1, slpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 slpd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, slpd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 slpd_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, slpd_log_t)
diff --git a/policy/modules/contrib/smartmon.if b/policy/modules/contrib/smartmon.if
index e0644b5..b0660d6 100644
--- a/policy/modules/contrib/smartmon.if
+++ b/policy/modules/contrib/smartmon.if
@@ -45,10 +45,10 @@ interface(`smartmon_admin',`
allow $1 fsdaemon_t:process { ptrace signal_perms };
ps_process_pattern($1, fsdaemon_t)
- init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 fsdaemon_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 fsdaemon_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, fsdaemon_tmp_t)
diff --git a/policy/modules/contrib/smokeping.if b/policy/modules/contrib/smokeping.if
index 1fa51c1..8c0eefe 100644
--- a/policy/modules/contrib/smokeping.if
+++ b/policy/modules/contrib/smokeping.if
@@ -161,10 +161,10 @@ interface(`smokeping_admin',`
allow $1 smokeping_t:process { ptrace signal_perms };
ps_process_pattern($1, smokeping_t)
- smokeping_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 smokeping_initrc_exec_t system_r;
- allow $2 system_r;
+ #smokeping_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 smokeping_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, smokeping_var_lib_t)
diff --git a/policy/modules/contrib/smstools.if b/policy/modules/contrib/smstools.if
index 81136f0..2b49829 100644
--- a/policy/modules/contrib/smstools.if
+++ b/policy/modules/contrib/smstools.if
@@ -27,10 +27,10 @@ interface(`smstools_admin',`
allow $1 smsd_t:process { ptrace signal_perms };
ps_process_pattern($1, smsd_t)
- init_labeled_script_domtrans($1, smsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 smsd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, smsd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 smsd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, smsd_conf_t)
diff --git a/policy/modules/contrib/snmp.if b/policy/modules/contrib/snmp.if
index bf78fa9..0da50f0 100644
--- a/policy/modules/contrib/snmp.if
+++ b/policy/modules/contrib/snmp.if
@@ -182,10 +182,10 @@ interface(`snmp_admin',`
allow $1 snmpd_t:process { ptrace signal_perms };
ps_process_pattern($1, snmpd_t)
- init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 snmpd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 snmpd_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, snmpd_log_t)
diff --git a/policy/modules/contrib/snort.if b/policy/modules/contrib/snort.if
index 7d86b34..910ffb9 100644
--- a/policy/modules/contrib/snort.if
+++ b/policy/modules/contrib/snort.if
@@ -45,10 +45,10 @@ interface(`snort_admin',`
allow $1 snort_t:process { ptrace signal_perms };
ps_process_pattern($1, snort_t)
- init_labeled_script_domtrans($1, snort_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 snort_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, snort_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 snort_initrc_exec_t system_r;
+ #allow $2 system_r;
admin_pattern($1, snort_etc_t)
files_search_etc($1)
diff --git a/policy/modules/contrib/soundserver.if b/policy/modules/contrib/soundserver.if
index a5abc5a..c6d0368 100644
--- a/policy/modules/contrib/soundserver.if
+++ b/policy/modules/contrib/soundserver.if
@@ -41,10 +41,10 @@ interface(`soundserver_admin',`
allow $1 soundd_t:process { ptrace signal_perms };
ps_process_pattern($1, soundd_t)
- init_labeled_script_domtrans($1, soundd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 soundd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, soundd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 soundd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, soundd_etc_t)
diff --git a/policy/modules/contrib/spamassassin.if b/policy/modules/contrib/spamassassin.if
index 7f5a1cc..f697f7b 100644
--- a/policy/modules/contrib/spamassassin.if
+++ b/policy/modules/contrib/spamassassin.if
@@ -384,10 +384,10 @@ interface(`spamassassin_admin',`
allow $1 spamd_t:process { ptrace signal_perms };
ps_process_pattern($1, spamd_t)
- init_labeled_script_domtrans($1, spamd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 spamd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, spamd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 spamd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, spamd_tmp_t)
diff --git a/policy/modules/contrib/squid.if b/policy/modules/contrib/squid.if
index 5e1f053..0d43504 100644
--- a/policy/modules/contrib/squid.if
+++ b/policy/modules/contrib/squid.if
@@ -216,10 +216,10 @@ interface(`squid_admin',`
allow $1 squid_t:process { ptrace signal_perms };
ps_process_pattern($1, squid_t)
- init_labeled_script_domtrans($1, squid_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 squid_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, squid_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 squid_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_var($1)
admin_pattern($1, squid_cache_t)
diff --git a/policy/modules/contrib/sssd.if b/policy/modules/contrib/sssd.if
index a240455..4ba98cc 100644
--- a/policy/modules/contrib/sssd.if
+++ b/policy/modules/contrib/sssd.if
@@ -342,10 +342,10 @@ interface(`sssd_admin',`
allow $1 sssd_t:process { ptrace signal_perms };
ps_process_pattern($1, sssd_t)
- sssd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 sssd_initrc_exec_t system_r;
- allow $2 system_r;
+ #sssd_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 sssd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, sssd_conf_t)
diff --git a/policy/modules/contrib/svnserve.if b/policy/modules/contrib/svnserve.if
index 5cd46e9..043ade5 100644
--- a/policy/modules/contrib/svnserve.if
+++ b/policy/modules/contrib/svnserve.if
@@ -25,10 +25,10 @@ interface(`svnserve_admin',`
allow $1 svnserve_t:process { ptrace signal_perms };
ps_process_pattern($1, svnserve_t)
- init_labeled_script_domtrans($1, svnserve_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 svnserve_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, svnserve_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 svnserve_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, svnserve_var_run_t)
diff --git a/policy/modules/contrib/sysstat.if b/policy/modules/contrib/sysstat.if
index 14ae3f2..46e08d3 100644
--- a/policy/modules/contrib/sysstat.if
+++ b/policy/modules/contrib/sysstat.if
@@ -46,10 +46,10 @@ interface(`sysstat_admin',`
allow $1 sysstat_t:process { ptrace signal_perms };
ps_process_pattern($1, sysstat_t)
- init_labeled_script_domtrans($1, sysstat_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 sysstat_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, sysstat_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 sysstat_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, sysstat_log_t)
diff --git a/policy/modules/contrib/systemtap.if b/policy/modules/contrib/systemtap.if
index d60a21e..4718ca2 100644
--- a/policy/modules/contrib/systemtap.if
+++ b/policy/modules/contrib/systemtap.if
@@ -26,10 +26,10 @@ interface(`stapserver_admin',`
allow $1 stapserver_t:process { ptrace signal_perms };
ps_process_pattern($1, stapserver_t)
- init_labeled_script_domtrans($1, stapserver_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 stapserver_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, stapserver_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 stapserver_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, stapserver_conf_t)
diff --git a/policy/modules/contrib/tcsd.if b/policy/modules/contrib/tcsd.if
index b42ec1d..d4b8da8 100644
--- a/policy/modules/contrib/tcsd.if
+++ b/policy/modules/contrib/tcsd.if
@@ -141,10 +141,10 @@ interface(`tcsd_admin',`
allow $1 tcsd_t:process { ptrace signal_perms };
ps_process_pattern($1, tcsd_t)
- tcsd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 tcsd_initrc_exec_t system_r;
- allow $2 system_r;
+ #tcsd_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 tcsd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, tcsd_var_lib_t)
diff --git a/policy/modules/contrib/tgtd.if b/policy/modules/contrib/tgtd.if
index dc5b46e..bde65e4 100644
--- a/policy/modules/contrib/tgtd.if
+++ b/policy/modules/contrib/tgtd.if
@@ -83,10 +83,10 @@ interface(`tgtd_admin',`
allow $1 tgtd_t:process { ptrace signal_perms };
ps_process_pattern($1, tgtd_t)
- init_labeled_script_domtrans($1, tgtd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 tgtd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, tgtd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 tgtd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, tgtd_var_lib_t)
diff --git a/policy/modules/contrib/tor.if b/policy/modules/contrib/tor.if
index 61c2e07..6ab1023 100644
--- a/policy/modules/contrib/tor.if
+++ b/policy/modules/contrib/tor.if
@@ -45,10 +45,10 @@ interface(`tor_admin',`
allow $1 tor_t:process { ptrace signal_perms };
ps_process_pattern($1, tor_t)
- init_labeled_script_domtrans($1, tor_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 tor_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, tor_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 tor_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, tor_etc_t)
diff --git a/policy/modules/contrib/transproxy.if b/policy/modules/contrib/transproxy.if
index 81a8351..20102c2 100644
--- a/policy/modules/contrib/transproxy.if
+++ b/policy/modules/contrib/transproxy.if
@@ -25,10 +25,10 @@ interface(`transproxy_admin',`
allow $1 transproxy_t:process { ptrace signal_perms };
ps_process_pattern($1, transproxy_t)
- init_labeled_script_domtrans($1, transproxy_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 transproxy_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, transproxy_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 transproxy_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, transproxy_var_run_t)
diff --git a/policy/modules/contrib/tuned.if b/policy/modules/contrib/tuned.if
index e29db63..9829bad 100644
--- a/policy/modules/contrib/tuned.if
+++ b/policy/modules/contrib/tuned.if
@@ -122,10 +122,10 @@ interface(`tuned_admin',`
allow $1 tuned_t:process { ptrace signal_perms };
ps_process_pattern($1, tuned_t)
- tuned_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 tuned_initrc_exec_t system_r;
- allow $2 system_r;
+ #tuned_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 tuned_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, { tuned_etc_t tuned_rw_etc_t })
diff --git a/policy/modules/contrib/ulogd.if b/policy/modules/contrib/ulogd.if
index 9b95c3e..43bfd7b 100644
--- a/policy/modules/contrib/ulogd.if
+++ b/policy/modules/contrib/ulogd.if
@@ -126,10 +126,10 @@ interface(`ulogd_admin',`
allow $1 ulogd_t:process { ptrace signal_perms };
ps_process_pattern($1, ulogd_t)
- init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ulogd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ulogd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, ulogd_etc_t)
diff --git a/policy/modules/contrib/uptime.if b/policy/modules/contrib/uptime.if
index 19f4724..b9f36e4 100644
--- a/policy/modules/contrib/uptime.if
+++ b/policy/modules/contrib/uptime.if
@@ -26,10 +26,10 @@ interface(`uptime_admin',`
allow $1 uptimed_t:process { ptrace signal_perms };
ps_process_pattern($1, uptimed_t)
- init_labeled_script_domtrans($1, uptimed_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 uptimed_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, uptimed_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 uptimed_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, uptimed_etc_t)
diff --git a/policy/modules/contrib/uucp.if b/policy/modules/contrib/uucp.if
index af9acc0..bf7df04 100644
--- a/policy/modules/contrib/uucp.if
+++ b/policy/modules/contrib/uucp.if
@@ -104,10 +104,10 @@ interface(`uucp_admin',`
type uucpd_var_run_t, uucpd_initrc_exec_t;
')
- init_labeled_script_domtrans($1, uucpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 uucpd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, uucpd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 uucpd_initrc_exec_t system_r;
+ #allow $2 system_r;
allow $1 uucpd_t:process { ptrace signal_perms };
ps_process_pattern($1, uucpd_t)
diff --git a/policy/modules/contrib/uuidd.if b/policy/modules/contrib/uuidd.if
index 6e48653..e33ec25 100644
--- a/policy/modules/contrib/uuidd.if
+++ b/policy/modules/contrib/uuidd.if
@@ -181,10 +181,10 @@ interface(`uuidd_admin',`
allow $1 uuidd_t:process signal_perms;
ps_process_pattern($1, uuidd_t)
- uuidd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 uuidd_initrc_exec_t system_r;
- allow $2 system_r;
+ #uuidd_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 uuidd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, uuidd_var_lib_t)
diff --git a/policy/modules/contrib/varnishd.if b/policy/modules/contrib/varnishd.if
index 1c35171..636c20d 100644
--- a/policy/modules/contrib/varnishd.if
+++ b/policy/modules/contrib/varnishd.if
@@ -160,10 +160,10 @@ interface(`varnishd_admin_varnishlog',`
allow $1 varnishlog_t:process { ptrace signal_perms };
ps_process_pattern($1, varnishlog_t)
- init_labeled_script_domtrans($1, varnishlog_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 varnishlog_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, varnishlog_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 varnishlog_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_pids($1)
admin_pattern($1, varnishlog_var_run_t)
@@ -199,10 +199,10 @@ interface(`varnishd_admin',`
allow $1 varnishd_t:process { ptrace signal_perms };
ps_process_pattern($1, varnishd_t)
- init_labeled_script_domtrans($1, varnishd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 varnishd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, varnishd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 varnishd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_var_lib($1)
admin_pattern($1, varnishd_var_lib_t)
diff --git a/policy/modules/contrib/vdagent.if b/policy/modules/contrib/vdagent.if
index 31c752e..5d3b76c 100644
--- a/policy/modules/contrib/vdagent.if
+++ b/policy/modules/contrib/vdagent.if
@@ -121,10 +121,10 @@ interface(`vdagent_admin',`
allow $1 vdagent_t:process signal_perms;
ps_process_pattern($1, vdagent_t)
- init_labeled_script_domtrans($1, vdagentd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 vdagentd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, vdagentd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 vdagentd_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, vdagent_log_t)
diff --git a/policy/modules/contrib/vhostmd.if b/policy/modules/contrib/vhostmd.if
index 22edd58..0055667 100644
--- a/policy/modules/contrib/vhostmd.if
+++ b/policy/modules/contrib/vhostmd.if
@@ -219,10 +219,10 @@ interface(`vhostmd_admin',`
allow $1 vhostmd_t:process { ptrace signal_perms };
ps_process_pattern($1, vhostmd_t)
- vhostmd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 vhostmd_initrc_exec_t system_r;
- allow $2 system_r;
+ #vhostmd_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 vhostmd_initrc_exec_t system_r;
+ #allow $2 system_r;
fs_search_tmpfs($1)
admin_pattern($1, vhostmd_tmpfs_t)
diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if
index 7c97c87..4f531b9 100644
--- a/policy/modules/contrib/virt.if
+++ b/policy/modules/contrib/virt.if
@@ -1176,10 +1176,10 @@ interface(`virt_admin',`
ps_process_pattern($1, { virt_domain svirt_lxc_domain virtd_t })
ps_process_pattern($1, { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t })
- init_labeled_script_domtrans($1, virtd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 virtd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, virtd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 virtd_initrc_exec_t system_r;
+ #allow $2 system_r;
fs_search_tmpfs($1)
admin_pattern($1, virt_tmpfs_type)
diff --git a/policy/modules/contrib/vnstatd.if b/policy/modules/contrib/vnstatd.if
index 137ac44..99bddf4 100644
--- a/policy/modules/contrib/vnstatd.if
+++ b/policy/modules/contrib/vnstatd.if
@@ -168,10 +168,10 @@ interface(`vnstatd_admin',`
allow $1 vnstatd_t:process { ptrace signal_perms };
ps_process_pattern($1, vnstatd_t)
- init_labeled_script_domtrans($1, vnstatd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 vnstatd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, vnstatd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 vnstatd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, vnstatd_var_run_t)
diff --git a/policy/modules/contrib/watchdog.if b/policy/modules/contrib/watchdog.if
index 6461a77..44a1a7c 100644
--- a/policy/modules/contrib/watchdog.if
+++ b/policy/modules/contrib/watchdog.if
@@ -26,10 +26,10 @@ interface(`watchdog_admin',`
allow $1 watchdog_t:process { ptrace signal_perms };
ps_process_pattern($1, watchdog_t)
- init_labeled_script_domtrans($1, watchdog_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 watchdog_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, watchdog_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 watchdog_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, watchdog_log_t)
diff --git a/policy/modules/contrib/wdmd.if b/policy/modules/contrib/wdmd.if
index 1e3aec0..553b69a 100644
--- a/policy/modules/contrib/wdmd.if
+++ b/policy/modules/contrib/wdmd.if
@@ -45,10 +45,10 @@ interface(`wdmd_admin',`
allow $1 wdmd_t:process { ptrace signal_perms };
ps_process_pattern($1, wdmd_t)
- init_labeled_script_domtrans($1, wdmd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 wdmd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, wdmd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 wdmd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, wdmd_var_run_t)
diff --git a/policy/modules/contrib/xfs.if b/policy/modules/contrib/xfs.if
index 4570b86..3318873 100644
--- a/policy/modules/contrib/xfs.if
+++ b/policy/modules/contrib/xfs.if
@@ -84,10 +84,10 @@ interface(`xfs_admin',`
allow $1 xfs_t:process { ptrace signal_perms };
ps_process_pattern($1, xfs_t)
- init_labeled_script_domtrans($1, xfs_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 xfs_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, xfs_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 xfs_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, xfs_var_run_t)
diff --git a/policy/modules/contrib/zabbix.if b/policy/modules/contrib/zabbix.if
index 29d87d7..0a75b8a 100644
--- a/policy/modules/contrib/zabbix.if
+++ b/policy/modules/contrib/zabbix.if
@@ -146,10 +146,10 @@ interface(`zabbix_admin',`
allow $1 { zabbix_t zabbix_agent_t }:process { ptrace signal_perms };
ps_process_pattern($1, { zabbix_t zabbix_agent_t })
- init_labeled_script_domtrans($1, { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t } system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t })
+ #domain_system_change_exemption($1)
+ #role_transition $2 { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t } system_r;
+ #allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, zabbix_log_t)
diff --git a/policy/modules/contrib/zarafa.if b/policy/modules/contrib/zarafa.if
index 83b4ca5..d2245ae 100644
--- a/policy/modules/contrib/zarafa.if
+++ b/policy/modules/contrib/zarafa.if
@@ -152,10 +152,10 @@ interface(`zarafa_admin',`
allow $1 zarafa_domain:process { ptrace signal_perms };
ps_process_pattern($1, zarafa_domain)
- init_labeled_script_domtrans($1, zarafa_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 zarafa_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, zarafa_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 zarafa_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, zarafa_etc_t)
diff --git a/policy/modules/contrib/zebra.if b/policy/modules/contrib/zebra.if
index 3416401..33aa2ed 100644
--- a/policy/modules/contrib/zebra.if
+++ b/policy/modules/contrib/zebra.if
@@ -69,10 +69,10 @@ interface(`zebra_admin',`
allow $1 zebra_t:process { ptrace signal_perms };
ps_process_pattern($1, zebra_t)
- init_labeled_script_domtrans($1, zebra_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 zebra_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, zebra_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 zebra_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, zebra_conf_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-05-11 22:57 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-05-11 22:57 UTC (permalink / raw
To: gentoo-commits
commit: 0e73c60284ee74368c9742064fe937620b15f8d4
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon May 11 20:25:10 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon May 11 22:53:43 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0e73c602
remove initrc_exec_t transitions from contrib _admin interfaces
The _admin interfaces have a transition from sysadm_t to initrc_t
for the init scripts. These interfere with the run_init integration
in openrc, so they need to be removed.
policy/modules/contrib/abrt.if | 8 ++++----
policy/modules/contrib/acct.if | 8 ++++----
policy/modules/contrib/afs.if | 8 ++++----
policy/modules/contrib/aiccu.if | 8 ++++----
policy/modules/contrib/aisexec.if | 8 ++++----
policy/modules/contrib/amavis.if | 8 ++++----
policy/modules/contrib/amtu.if | 8 ++++----
policy/modules/contrib/apache.if | 8 ++++----
policy/modules/contrib/apcupsd.if | 8 ++++----
policy/modules/contrib/apm.if | 8 ++++----
policy/modules/contrib/arpwatch.if | 8 ++++----
policy/modules/contrib/asterisk.if | 8 ++++----
policy/modules/contrib/automount.if | 8 ++++----
policy/modules/contrib/avahi.if | 8 ++++----
policy/modules/contrib/bacula.if | 8 ++++----
policy/modules/contrib/bcfg2.if | 8 ++++----
policy/modules/contrib/bind.if | 8 ++++----
policy/modules/contrib/bird.if | 8 ++++----
policy/modules/contrib/bitcoin.if | 8 ++++----
policy/modules/contrib/bitlbee.if | 8 ++++----
policy/modules/contrib/bluetooth.if | 8 ++++----
policy/modules/contrib/boinc.if | 8 ++++----
policy/modules/contrib/cachefilesd.if | 8 ++++----
policy/modules/contrib/callweaver.if | 8 ++++----
policy/modules/contrib/canna.if | 8 ++++----
policy/modules/contrib/ccs.if | 8 ++++----
policy/modules/contrib/certmaster.if | 8 ++++----
policy/modules/contrib/certmonger.if | 8 ++++----
policy/modules/contrib/cfengine.if | 8 ++++----
policy/modules/contrib/cgroup.if | 10 +++++-----
policy/modules/contrib/chronyd.if | 8 ++++----
policy/modules/contrib/cipe.if | 8 ++++----
policy/modules/contrib/clamav.if | 8 ++++----
policy/modules/contrib/cmirrord.if | 8 ++++----
policy/modules/contrib/cobbler.if | 8 ++++----
policy/modules/contrib/collectd.if | 8 ++++----
policy/modules/contrib/condor.if | 8 ++++----
policy/modules/contrib/corosync.if | 8 ++++----
policy/modules/contrib/couchdb.if | 8 ++++----
policy/modules/contrib/ctdb.if | 8 ++++----
policy/modules/contrib/cups.if | 8 ++++----
policy/modules/contrib/cvs.if | 8 ++++----
policy/modules/contrib/cyphesis.if | 8 ++++----
policy/modules/contrib/cyrus.if | 8 ++++----
policy/modules/contrib/dante.if | 8 ++++----
policy/modules/contrib/ddclient.if | 8 ++++----
policy/modules/contrib/denyhosts.if | 8 ++++----
policy/modules/contrib/dhcp.if | 8 ++++----
policy/modules/contrib/dictd.if | 8 ++++----
policy/modules/contrib/dirmngr.if | 8 ++++----
policy/modules/contrib/distcc.if | 8 ++++----
policy/modules/contrib/dkim.if | 8 ++++----
policy/modules/contrib/dnsmasq.if | 8 ++++----
policy/modules/contrib/dnssectrigger.if | 8 ++++----
policy/modules/contrib/dovecot.if | 8 ++++----
policy/modules/contrib/drbd.if | 8 ++++----
policy/modules/contrib/dspam.if | 8 ++++----
policy/modules/contrib/entropyd.if | 8 ++++----
policy/modules/contrib/exim.if | 8 ++++----
policy/modules/contrib/fail2ban.if | 8 ++++----
policy/modules/contrib/fcoe.if | 8 ++++----
policy/modules/contrib/fetchmail.if | 8 ++++----
policy/modules/contrib/firewalld.if | 8 ++++----
policy/modules/contrib/ftp.if | 8 ++++----
policy/modules/contrib/gatekeeper.if | 8 ++++----
policy/modules/contrib/gdomap.if | 8 ++++----
policy/modules/contrib/glance.if | 8 ++++----
policy/modules/contrib/glusterfs.if | 8 ++++----
policy/modules/contrib/gpm.if | 8 ++++----
policy/modules/contrib/gpsd.if | 8 ++++----
policy/modules/contrib/hadoop.if | 8 ++++----
policy/modules/contrib/hddtemp.if | 8 ++++----
policy/modules/contrib/howl.if | 8 ++++----
policy/modules/contrib/hypervkvp.if | 8 ++++----
policy/modules/contrib/i18n_input.if | 8 ++++----
policy/modules/contrib/icecast.if | 8 ++++----
policy/modules/contrib/ifplugd.if | 8 ++++----
policy/modules/contrib/inn.if | 8 ++++----
policy/modules/contrib/iodine.if | 8 ++++----
policy/modules/contrib/ircd.if | 8 ++++----
policy/modules/contrib/irqbalance.if | 8 ++++----
policy/modules/contrib/iscsi.if | 8 ++++----
policy/modules/contrib/isns.if | 8 ++++----
policy/modules/contrib/jabber.if | 8 ++++----
policy/modules/contrib/kdump.if | 8 ++++----
policy/modules/contrib/kerberos.if | 8 ++++----
policy/modules/contrib/kerneloops.if | 8 ++++----
policy/modules/contrib/keystone.if | 8 ++++----
policy/modules/contrib/kismet.if | 8 ++++----
policy/modules/contrib/ksmtuned.if | 8 ++++----
policy/modules/contrib/kudzu.if | 8 ++++----
policy/modules/contrib/l2tp.if | 8 ++++----
policy/modules/contrib/ldap.if | 8 ++++----
policy/modules/contrib/likewise.if | 8 ++++----
policy/modules/contrib/lircd.if | 8 ++++----
policy/modules/contrib/lldpad.if | 8 ++++----
policy/modules/contrib/mailscanner.if | 8 ++++----
policy/modules/contrib/mcelog.if | 8 ++++----
policy/modules/contrib/memcached.if | 8 ++++----
policy/modules/contrib/minidlna.if | 8 ++++----
policy/modules/contrib/minissdpd.if | 8 ++++----
policy/modules/contrib/mongodb.if | 8 ++++----
policy/modules/contrib/monop.if | 8 ++++----
policy/modules/contrib/mpd.if | 8 ++++----
policy/modules/contrib/mrtg.if | 8 ++++----
policy/modules/contrib/munin.if | 8 ++++----
policy/modules/contrib/mysql.if | 8 ++++----
policy/modules/contrib/nagios.if | 8 ++++----
policy/modules/contrib/nessus.if | 8 ++++----
policy/modules/contrib/networkmanager.if | 8 ++++----
policy/modules/contrib/nis.if | 10 +++++-----
policy/modules/contrib/nscd.if | 8 ++++----
policy/modules/contrib/nsd.if | 8 ++++----
policy/modules/contrib/nslcd.if | 8 ++++----
policy/modules/contrib/ntop.if | 8 ++++----
policy/modules/contrib/ntp.if | 8 ++++----
policy/modules/contrib/numad.if | 8 ++++----
policy/modules/contrib/nut.if | 8 ++++----
policy/modules/contrib/oident.if | 8 ++++----
policy/modules/contrib/openct.if | 8 ++++----
policy/modules/contrib/openhpi.if | 8 ++++----
policy/modules/contrib/openvpn.if | 8 ++++----
policy/modules/contrib/openvswitch.if | 8 ++++----
policy/modules/contrib/pacemaker.if | 8 ++++----
policy/modules/contrib/pads.if | 8 ++++----
policy/modules/contrib/pcscd.if | 8 ++++----
policy/modules/contrib/pegasus.if | 8 ++++----
policy/modules/contrib/perdition.if | 8 ++++----
policy/modules/contrib/pingd.if | 8 ++++----
policy/modules/contrib/pkcs.if | 8 ++++----
policy/modules/contrib/polipo.if | 8 ++++----
policy/modules/contrib/portmap.if | 8 ++++----
policy/modules/contrib/portreserve.if | 8 ++++----
policy/modules/contrib/postfix.if | 8 ++++----
policy/modules/contrib/postfixpolicyd.if | 8 ++++----
policy/modules/contrib/postgrey.if | 8 ++++----
policy/modules/contrib/ppp.if | 8 ++++----
policy/modules/contrib/prelude.if | 8 ++++----
policy/modules/contrib/privoxy.if | 8 ++++----
policy/modules/contrib/psad.if | 8 ++++----
policy/modules/contrib/puppet.if | 8 ++++----
policy/modules/contrib/pxe.if | 8 ++++----
policy/modules/contrib/pyicqt.if | 8 ++++----
policy/modules/contrib/pyzor.if | 8 ++++----
policy/modules/contrib/qpid.if | 8 ++++----
policy/modules/contrib/quantum.if | 8 ++++----
policy/modules/contrib/quota.if | 8 ++++----
policy/modules/contrib/rabbitmq.if | 8 ++++----
policy/modules/contrib/radius.if | 8 ++++----
policy/modules/contrib/radvd.if | 8 ++++----
policy/modules/contrib/raid.if | 8 ++++----
policy/modules/contrib/redis.if | 8 ++++----
policy/modules/contrib/resmgr.if | 8 ++++----
policy/modules/contrib/rgmanager.if | 8 ++++----
policy/modules/contrib/rhcs.if | 8 ++++----
policy/modules/contrib/rhsmcertd.if | 8 ++++----
policy/modules/contrib/ricci.if | 8 ++++----
policy/modules/contrib/rngd.if | 8 ++++----
policy/modules/contrib/roundup.if | 8 ++++----
policy/modules/contrib/rpc.if | 8 ++++----
policy/modules/contrib/rpcbind.if | 8 ++++----
policy/modules/contrib/rpm.if | 8 ++++----
policy/modules/contrib/rtkit.if | 8 ++++----
policy/modules/contrib/rwho.if | 8 ++++----
policy/modules/contrib/salt.if | 16 ++++++++--------
policy/modules/contrib/samba.if | 8 ++++----
policy/modules/contrib/sanlock.if | 8 ++++----
policy/modules/contrib/sasl.if | 8 ++++----
policy/modules/contrib/sblim.if | 8 ++++----
policy/modules/contrib/sendmail.if | 6 +++---
policy/modules/contrib/sensord.if | 8 ++++----
policy/modules/contrib/shorewall.if | 8 ++++----
policy/modules/contrib/slpd.if | 8 ++++----
policy/modules/contrib/smartmon.if | 8 ++++----
policy/modules/contrib/smokeping.if | 8 ++++----
policy/modules/contrib/smstools.if | 8 ++++----
policy/modules/contrib/snmp.if | 8 ++++----
policy/modules/contrib/snort.if | 8 ++++----
policy/modules/contrib/soundserver.if | 8 ++++----
policy/modules/contrib/spamassassin.if | 8 ++++----
policy/modules/contrib/squid.if | 8 ++++----
policy/modules/contrib/sssd.if | 8 ++++----
policy/modules/contrib/svnserve.if | 8 ++++----
policy/modules/contrib/sysstat.if | 8 ++++----
policy/modules/contrib/systemtap.if | 8 ++++----
policy/modules/contrib/tcsd.if | 8 ++++----
policy/modules/contrib/tgtd.if | 8 ++++----
policy/modules/contrib/tor.if | 8 ++++----
policy/modules/contrib/transproxy.if | 8 ++++----
policy/modules/contrib/tuned.if | 8 ++++----
policy/modules/contrib/ulogd.if | 8 ++++----
policy/modules/contrib/uptime.if | 8 ++++----
policy/modules/contrib/uucp.if | 8 ++++----
policy/modules/contrib/uuidd.if | 8 ++++----
policy/modules/contrib/varnishd.if | 16 ++++++++--------
policy/modules/contrib/vdagent.if | 8 ++++----
policy/modules/contrib/vhostmd.if | 8 ++++----
policy/modules/contrib/virt.if | 8 ++++----
policy/modules/contrib/vnstatd.if | 8 ++++----
policy/modules/contrib/watchdog.if | 8 ++++----
policy/modules/contrib/wdmd.if | 8 ++++----
policy/modules/contrib/xfs.if | 8 ++++----
policy/modules/contrib/zabbix.if | 8 ++++----
policy/modules/contrib/zarafa.if | 8 ++++----
policy/modules/contrib/zebra.if | 8 ++++----
205 files changed, 829 insertions(+), 829 deletions(-)
diff --git a/policy/modules/contrib/abrt.if b/policy/modules/contrib/abrt.if
index 058d908..6195190 100644
--- a/policy/modules/contrib/abrt.if
+++ b/policy/modules/contrib/abrt.if
@@ -304,10 +304,10 @@ interface(`abrt_admin',`
allow $1 abrt_domain:process { ptrace signal_perms };
ps_process_pattern($1, abrt_domain)
- init_labeled_script_domtrans($1, abrt_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 abrt_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, abrt_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 abrt_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, abrt_etc_t)
diff --git a/policy/modules/contrib/acct.if b/policy/modules/contrib/acct.if
index 81280d0..a49181a 100644
--- a/policy/modules/contrib/acct.if
+++ b/policy/modules/contrib/acct.if
@@ -106,10 +106,10 @@ interface(`acct_admin',`
allow $1 acct_t:process { ptrace signal_perms };
ps_process_pattern($1, acct_t)
- init_labeled_script_domtrans($1, acct_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 acct_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, acct_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 acct_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, acct_data_t)
diff --git a/policy/modules/contrib/afs.if b/policy/modules/contrib/afs.if
index 3b41be6..04f8f03 100644
--- a/policy/modules/contrib/afs.if
+++ b/policy/modules/contrib/afs.if
@@ -103,10 +103,10 @@ interface(`afs_admin',`
allow $1 afs_domain:process { ptrace signal_perms };
ps_process_pattern($1, afs_domain)
- afs_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 afs_initrc_exec_t system_r;
- allow $2 system_r;
+ #afs_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 afs_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, afs_config_t)
diff --git a/policy/modules/contrib/aiccu.if b/policy/modules/contrib/aiccu.if
index 3b5dcb9..cd049ac 100644
--- a/policy/modules/contrib/aiccu.if
+++ b/policy/modules/contrib/aiccu.if
@@ -82,10 +82,10 @@ interface(`aiccu_admin',`
allow $1 aiccu_t:process { ptrace signal_perms };
ps_process_pattern($1, aiccu_t)
- aiccu_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 aiccu_initrc_exec_t system_r;
- allow $2 system_r;
+ #aiccu_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 aiccu_initrc_exec_t system_r;
+ #allow $2 system_r;
admin_pattern($1, aiccu_etc_t)
files_list_etc($1)
diff --git a/policy/modules/contrib/aisexec.if b/policy/modules/contrib/aisexec.if
index a2997fa..1bc0fcf 100644
--- a/policy/modules/contrib/aisexec.if
+++ b/policy/modules/contrib/aisexec.if
@@ -86,10 +86,10 @@ interface(`aisexecd_admin',`
allow $1 aisexec_t:process { ptrace signal_perms };
ps_process_pattern($1, aisexec_t)
- init_labeled_script_domtrans($1, aisexec_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 aisexec_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, aisexec_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 aisexec_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_var_lib($1)
admin_pattern($1, aisexec_var_lib_t)
diff --git a/policy/modules/contrib/amavis.if b/policy/modules/contrib/amavis.if
index 60d4f8c..9b6f2b2 100644
--- a/policy/modules/contrib/amavis.if
+++ b/policy/modules/contrib/amavis.if
@@ -237,10 +237,10 @@ interface(`amavis_admin',`
allow $1 amavis_t:process { ptrace signal_perms };
ps_process_pattern($1, amavis_t)
- amavis_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 amavis_initrc_exec_t system_r;
- allow $2 system_r;
+ #amavis_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 amavis_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, amavis_etc_t)
diff --git a/policy/modules/contrib/amtu.if b/policy/modules/contrib/amtu.if
index 884b23b..fa319c7 100644
--- a/policy/modules/contrib/amtu.if
+++ b/policy/modules/contrib/amtu.if
@@ -70,8 +70,8 @@ interface(`amtu_admin',`
allow $1 amtu_t:process { ptrace signal_perms };
ps_process_pattern($1, amtu_t)
- init_labeled_script_domtrans($1, amtu_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 amtu_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, amtu_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 amtu_initrc_exec_t system_r;
+ #allow $2 system_r;
')
diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if
index 717c6f7..b148da6 100644
--- a/policy/modules/contrib/apache.if
+++ b/policy/modules/contrib/apache.if
@@ -1318,10 +1318,10 @@ interface(`apache_admin',`
ps_process_pattern($1, { httpd_script_domains httpd_t httpd_helper_t })
ps_process_pattern($1, { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t })
- init_labeled_script_domtrans($1, httpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 httpd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, httpd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 httpd_initrc_exec_t system_r;
+ #allow $2 system_r;
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
diff --git a/policy/modules/contrib/apcupsd.if b/policy/modules/contrib/apcupsd.if
index f3c0aba..2e2b50c 100644
--- a/policy/modules/contrib/apcupsd.if
+++ b/policy/modules/contrib/apcupsd.if
@@ -149,10 +149,10 @@ interface(`apcupsd_admin',`
allow $1 apcupsd_t:process { ptrace signal_perms };
ps_process_pattern($1, apcupsd_t)
- apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 apcupsd_initrc_exec_t system_r;
- allow $2 system_r;
+ #apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 apcupsd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_var($1)
admin_pattern($1, apcupsd_lock_t)
diff --git a/policy/modules/contrib/apm.if b/policy/modules/contrib/apm.if
index 1a7a97e..f5219a2 100644
--- a/policy/modules/contrib/apm.if
+++ b/policy/modules/contrib/apm.if
@@ -166,10 +166,10 @@ interface(`apm_admin',`
allow $1 apmd_t:process { ptrace signal_perms };
ps_process_pattern($1, apmd_t)
- init_labeled_script_domtrans($1, apmd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 apmd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, apmd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 apmd_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, apmd_log_t)
diff --git a/policy/modules/contrib/arpwatch.if b/policy/modules/contrib/arpwatch.if
index 50c9b9c..7296bdf 100644
--- a/policy/modules/contrib/arpwatch.if
+++ b/policy/modules/contrib/arpwatch.if
@@ -143,10 +143,10 @@ interface(`arpwatch_admin',`
allow $1 arpwatch_t:process { ptrace signal_perms };
ps_process_pattern($1, arpwatch_t)
- arpwatch_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 arpwatch_initrc_exec_t system_r;
- allow $2 system_r;
+ #arpwatch_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 arpwatch_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, arpwatch_tmp_t)
diff --git a/policy/modules/contrib/asterisk.if b/policy/modules/contrib/asterisk.if
index 2077053..46ef939 100644
--- a/policy/modules/contrib/asterisk.if
+++ b/policy/modules/contrib/asterisk.if
@@ -127,10 +127,10 @@ interface(`asterisk_admin',`
allow $1 asterisk_t:process { ptrace signal_perms };
ps_process_pattern($1, asterisk_t)
- init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 asterisk_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 asterisk_initrc_exec_t system_r;
+ #allow $2 system_r;
asterisk_exec($1)
diff --git a/policy/modules/contrib/automount.if b/policy/modules/contrib/automount.if
index f24e369..82c1ea5 100644
--- a/policy/modules/contrib/automount.if
+++ b/policy/modules/contrib/automount.if
@@ -159,10 +159,10 @@ interface(`automount_admin',`
allow $1 automount_t:process { ptrace signal_perms };
ps_process_pattern($1, automount_t)
- init_labeled_script_domtrans($1, automount_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 automount_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, automount_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 automount_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, automount_keytab_t)
diff --git a/policy/modules/contrib/avahi.if b/policy/modules/contrib/avahi.if
index 9078c3d..b490161 100644
--- a/policy/modules/contrib/avahi.if
+++ b/policy/modules/contrib/avahi.if
@@ -264,10 +264,10 @@ interface(`avahi_admin',`
allow $1 avahi_t:process { ptrace signal_perms };
ps_process_pattern($1, avahi_t)
- avahi_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 avahi_initrc_exec_t system_r;
- allow $2 system_r;
+ #avahi_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 avahi_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, avahi_var_run_t)
diff --git a/policy/modules/contrib/bacula.if b/policy/modules/contrib/bacula.if
index dcd774e..fdfef80 100644
--- a/policy/modules/contrib/bacula.if
+++ b/policy/modules/contrib/bacula.if
@@ -74,10 +74,10 @@ interface(`bacula_admin',`
allow $1 bacula_t:process { ptrace signal_perms };
ps_process_pattern($1, bacula_t)
- init_labeled_script_domtrans($1, bacula_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 bacula_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, bacula_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 bacula_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, bacula_etc_t)
diff --git a/policy/modules/contrib/bcfg2.if b/policy/modules/contrib/bcfg2.if
index ec95d36..311ab75 100644
--- a/policy/modules/contrib/bcfg2.if
+++ b/policy/modules/contrib/bcfg2.if
@@ -141,10 +141,10 @@ interface(`bcfg2_admin',`
allow $1 bcfg2_t:process { ptrace signal_perms };
ps_process_pattern($1, bcfg2_t)
- bcfg2_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 bcfg2_initrc_exec_t system_r;
- allow $2 system_r;
+ #bcfg2_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 bcfg2_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, bcfg2_var_run_t)
diff --git a/policy/modules/contrib/bind.if b/policy/modules/contrib/bind.if
index 531a8f2..835b9c0 100644
--- a/policy/modules/contrib/bind.if
+++ b/policy/modules/contrib/bind.if
@@ -370,10 +370,10 @@ interface(`bind_admin',`
allow $1 { named_t ndc_t }:process { ptrace signal_perms };
ps_process_pattern($1, { named_t ndc_t })
- init_labeled_script_domtrans($1, named_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 named_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, named_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 named_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, named_tmp_t)
diff --git a/policy/modules/contrib/bird.if b/policy/modules/contrib/bird.if
index 85c035f..01278df 100644
--- a/policy/modules/contrib/bird.if
+++ b/policy/modules/contrib/bird.if
@@ -26,10 +26,10 @@ interface(`bird_admin',`
allow $1 bird_t:process { ptrace signal_perms };
ps_process_pattern($1, bird_t)
- init_labeled_script_domtrans($1, bird_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 bird_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, bird_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 bird_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, bird_etc_t)
diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if
index 922bc7c..a6d9018 100644
--- a/policy/modules/contrib/bitcoin.if
+++ b/policy/modules/contrib/bitcoin.if
@@ -26,10 +26,10 @@ interface(`bitcoin_admin',`
allow $1 bitcoin_t:process { ptrace signal_perms };
ps_process_pattern($1, bitcoin_t)
- init_labeled_script_domtrans($1, bitcoin_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 bitcoin_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, bitcoin_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 bitcoin_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, bitcoin_tmp_t)
diff --git a/policy/modules/contrib/bitlbee.if b/policy/modules/contrib/bitlbee.if
index e73fb79..bc326c9 100644
--- a/policy/modules/contrib/bitlbee.if
+++ b/policy/modules/contrib/bitlbee.if
@@ -47,10 +47,10 @@ interface(`bitlbee_admin',`
allow $1 bitlbee_t:process { ptrace signal_perms };
ps_process_pattern($1, bitlbee_t)
- init_labeled_script_domtrans($1, bitlbee_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 bitlbee_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, bitlbee_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 bitlbee_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, bitlbee_conf_t)
diff --git a/policy/modules/contrib/bluetooth.if b/policy/modules/contrib/bluetooth.if
index c723a0a..8e2eff5 100644
--- a/policy/modules/contrib/bluetooth.if
+++ b/policy/modules/contrib/bluetooth.if
@@ -216,10 +216,10 @@ interface(`bluetooth_admin',`
allow $1 bluetooth_t:process { ptrace signal_perms };
ps_process_pattern($1, bluetooth_t)
- init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 bluetooth_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 bluetooth_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, bluetooth_tmp_t)
diff --git a/policy/modules/contrib/boinc.if b/policy/modules/contrib/boinc.if
index 02fefaa..3a66e75 100644
--- a/policy/modules/contrib/boinc.if
+++ b/policy/modules/contrib/boinc.if
@@ -28,10 +28,10 @@ interface(`boinc_admin',`
allow $1 { boinc_t boinc_project_t }:process { ptrace signal_perms };
ps_process_pattern($1, { boinc_t boinc_project_t })
- init_labeled_script_domtrans($1, boinc_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 boinc_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, boinc_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 boinc_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, boinc_log_t)
diff --git a/policy/modules/contrib/cachefilesd.if b/policy/modules/contrib/cachefilesd.if
index 8de2ab9..4c68242 100644
--- a/policy/modules/contrib/cachefilesd.if
+++ b/policy/modules/contrib/cachefilesd.if
@@ -26,10 +26,10 @@ interface(`cachefilesd_admin',`
allow $1 cachefilesd_t:process { ptrace signal_perms };
ps_process_pattern($1, cachefilesd_t)
- init_labeled_script_domtrans($1, cachefilesd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cachefilesd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, cachefilesd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 cachefilesd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var($1)
admin_pattern($1, cachefilesd_cache_t)
diff --git a/policy/modules/contrib/callweaver.if b/policy/modules/contrib/callweaver.if
index 16f1855..ad4dee3 100644
--- a/policy/modules/contrib/callweaver.if
+++ b/policy/modules/contrib/callweaver.if
@@ -65,10 +65,10 @@ interface(`callweaver_admin',`
allow $1 callweaver_t:process { ptrace signal_perms };
ps_process_pattern($1, callweaver_t)
- init_labeled_script_domtrans($1, callweaver_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 callweaver_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, callweaver_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 callweaver_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, callweaver_log_t)
diff --git a/policy/modules/contrib/canna.if b/policy/modules/contrib/canna.if
index 400db07..98a34d7 100644
--- a/policy/modules/contrib/canna.if
+++ b/policy/modules/contrib/canna.if
@@ -46,10 +46,10 @@ interface(`canna_admin',`
allow $1 canna_t:process { ptrace signal_perms };
ps_process_pattern($1, canna_t)
- init_labeled_script_domtrans($1, canna_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 canna_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, canna_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 canna_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, canna_log_t)
diff --git a/policy/modules/contrib/ccs.if b/policy/modules/contrib/ccs.if
index bb17e0f..80ef99e 100644
--- a/policy/modules/contrib/ccs.if
+++ b/policy/modules/contrib/ccs.if
@@ -105,10 +105,10 @@ interface(`ccs_admin',`
allow $1 ccs_t:process { ptrace signal_perms };
ps_process_pattern($1, ccs_t)
- init_labeled_script_domtrans($1, ccs_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ccs_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ccs_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ccs_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, ccs_conf_t)
diff --git a/policy/modules/contrib/certmaster.if b/policy/modules/contrib/certmaster.if
index 0c53b18..ad86de9 100644
--- a/policy/modules/contrib/certmaster.if
+++ b/policy/modules/contrib/certmaster.if
@@ -124,10 +124,10 @@ interface(`certmaster_admin',`
allow $1 certmaster_t:process { ptrace signal_perms };
ps_process_pattern($1, certmaster_t)
- init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 certmaster_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 certmaster_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
miscfiles_manage_generic_cert_dirs($1)
diff --git a/policy/modules/contrib/certmonger.if b/policy/modules/contrib/certmonger.if
index 008f8ef..bed2a59 100644
--- a/policy/modules/contrib/certmonger.if
+++ b/policy/modules/contrib/certmonger.if
@@ -162,10 +162,10 @@ interface(`certmonger_admin',`
ps_process_pattern($1, certmonger_t)
allow $1 certmonger_t:process { ptrace signal_perms };
- certmonger_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 certmonger_initrc_exec_t system_r;
- allow $2 system_r;
+ #certmonger_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 certmonger_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, certmonger_var_lib_t)
diff --git a/policy/modules/contrib/cfengine.if b/policy/modules/contrib/cfengine.if
index a731122..d47ea2a 100644
--- a/policy/modules/contrib/cfengine.if
+++ b/policy/modules/contrib/cfengine.if
@@ -97,10 +97,10 @@ interface(`cfengine_admin',`
allow $1 cfengine_domain:process { ptrace signal_perms };
ps_process_pattern($1, cfengine_domain)
- init_labeled_script_domtrans($1, cfengine_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cfengine_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, cfengine_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 cfengine_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, { cfengine_log_t cfengine_var_lib_t })
diff --git a/policy/modules/contrib/cgroup.if b/policy/modules/contrib/cgroup.if
index 85ca63f..c136d2f 100644
--- a/policy/modules/contrib/cgroup.if
+++ b/policy/modules/contrib/cgroup.if
@@ -180,11 +180,11 @@ interface(`cgroup_admin',`
admin_pattern($1, cgred_var_run_t)
files_list_pids($1)
- cgroup_initrc_domtrans_cgconfig($1)
- cgroup_initrc_domtrans_cgred($1)
- domain_system_change_exemption($1)
- role_transition $2 { cgconfig_initrc_exec_t cgred_initrc_exec_t } system_r;
- allow $2 system_r;
+ #cgroup_initrc_domtrans_cgconfig($1)
+ #cgroup_initrc_domtrans_cgred($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 { cgconfig_initrc_exec_t cgred_initrc_exec_t } system_r;
+ #allow $2 system_r;
cgroup_run_cgclear($1, $2)
')
diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if
index 32e8265..f504b7b 100644
--- a/policy/modules/contrib/chronyd.if
+++ b/policy/modules/contrib/chronyd.if
@@ -184,10 +184,10 @@ interface(`chronyd_admin',`
allow $1 chronyd_t:process { ptrace signal_perms };
ps_process_pattern($1, chronyd_t)
- chronyd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 chronyd_initrc_exec_t system_r;
- allow $2 system_r;
+ #chronyd_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 chronyd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, chronyd_keys_t)
diff --git a/policy/modules/contrib/cipe.if b/policy/modules/contrib/cipe.if
index 5fb51b2..11ff777 100644
--- a/policy/modules/contrib/cipe.if
+++ b/policy/modules/contrib/cipe.if
@@ -25,8 +25,8 @@ interface(`cipe_admin',`
allow $1 ciped_t:process { ptrace signal_perms };
ps_process_pattern($1, ciped_t)
- init_labeled_script_domtrans($1, ciped_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ciped_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ciped_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ciped_initrc_exec_t system_r;
+ #allow $2 system_r;
')
diff --git a/policy/modules/contrib/clamav.if b/policy/modules/contrib/clamav.if
index 4cc4a5c..e194bb7 100644
--- a/policy/modules/contrib/clamav.if
+++ b/policy/modules/contrib/clamav.if
@@ -205,10 +205,10 @@ interface(`clamav_admin',`
allow $1 { clamd_t clamscan_t freshclam_t }:process { ptrace signal_perms };
ps_process_pattern($1, { clamd_t clamscan_t freshclam_t })
- init_labeled_script_domtrans($1, clamd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 clamd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, clamd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 clamd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, clamd_etc_t)
diff --git a/policy/modules/contrib/cmirrord.if b/policy/modules/contrib/cmirrord.if
index cc4e7cb..242bbc3 100644
--- a/policy/modules/contrib/cmirrord.if
+++ b/policy/modules/contrib/cmirrord.if
@@ -106,10 +106,10 @@ interface(`cmirrord_admin',`
allow $1 cmirrord_t:process { ptrace signal_perms };
ps_process_pattern($1, cmirrord_t)
- cmirrord_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 cmirrord_initrc_exec_t system_r;
- allow $2 system_r;
+ #cmirrord_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 cmirrord_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_pids($1)
admin_pattern($1, cmirrord_var_run_t)
diff --git a/policy/modules/contrib/cobbler.if b/policy/modules/contrib/cobbler.if
index c223f81..8392d01 100644
--- a/policy/modules/contrib/cobbler.if
+++ b/policy/modules/contrib/cobbler.if
@@ -183,10 +183,10 @@ interface(`cobbler_admin',`
allow $1 cobblerd_t:process { ptrace signal_perms };
ps_process_pattern($1, cobblerd_t)
- cobblerd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 cobblerd_initrc_exec_t system_r;
- allow $2 system_r;
+ #cobblerd_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 cobblerd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, cobbler_etc_t)
diff --git a/policy/modules/contrib/collectd.if b/policy/modules/contrib/collectd.if
index 954309e..9bb2db5 100644
--- a/policy/modules/contrib/collectd.if
+++ b/policy/modules/contrib/collectd.if
@@ -26,10 +26,10 @@ interface(`collectd_admin',`
allow $1 collectd_t:process { ptrace signal_perms };
ps_process_pattern($1, collectd_t)
- init_labeled_script_domtrans($1, collectd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 collectd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, collectd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 collectd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, collectd_var_run_t)
diff --git a/policy/modules/contrib/condor.if b/policy/modules/contrib/condor.if
index c80aaf5..b350506 100644
--- a/policy/modules/contrib/condor.if
+++ b/policy/modules/contrib/condor.if
@@ -66,10 +66,10 @@ interface(`condor_admin',`
allow $1 condor_domain:process { ptrace signal_perms };
ps_process_pattern($1, condor_domain)
- init_labeled_script_domtrans($1, condor_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 condor_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, condor_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 condor_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, condor_conf_t)
diff --git a/policy/modules/contrib/corosync.if b/policy/modules/contrib/corosync.if
index 694a037..2e5c8e0 100644
--- a/policy/modules/contrib/corosync.if
+++ b/policy/modules/contrib/corosync.if
@@ -165,10 +165,10 @@ interface(`corosync_admin',`
allow $1 corosync_t:process { ptrace signal_perms };
ps_process_pattern($1, corosync_t)
- corosync_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 corosync_initrc_exec_t system_r;
- allow $2 system_r;
+ #corosync_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 corosync_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, corosync_tmp_t)
diff --git a/policy/modules/contrib/couchdb.if b/policy/modules/contrib/couchdb.if
index 715a826..654e58a 100644
--- a/policy/modules/contrib/couchdb.if
+++ b/policy/modules/contrib/couchdb.if
@@ -103,10 +103,10 @@ interface(`couchdb_admin',`
allow $1 couchdb_t:process { ptrace signal_perms };
ps_process_pattern($1, couchdb_t)
- init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 couchdb_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 couchdb_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, couchdb_conf_t)
diff --git a/policy/modules/contrib/ctdb.if b/policy/modules/contrib/ctdb.if
index b25b01d..bb9daea 100644
--- a/policy/modules/contrib/ctdb.if
+++ b/policy/modules/contrib/ctdb.if
@@ -66,10 +66,10 @@ interface(`ctdb_admin',`
allow $1 ctdbd_t:process { ptrace signal_perms };
ps_process_pattern($1, ctdbd_t)
- init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ctdbd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ctdbd_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, ctdbd_log_t)
diff --git a/policy/modules/contrib/cups.if b/policy/modules/contrib/cups.if
index 3023be7..f5e5fcb 100644
--- a/policy/modules/contrib/cups.if
+++ b/policy/modules/contrib/cups.if
@@ -357,10 +357,10 @@ interface(`cups_admin',`
ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t })
ps_process_pattern($1, { cups_pdf_t hplip_t ptal_t })
- init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cupsd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 cupsd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, { cupsd_etc_t cupsd_rw_etc_t ptal_etc_t })
diff --git a/policy/modules/contrib/cvs.if b/policy/modules/contrib/cvs.if
index 64775fd..276840c 100644
--- a/policy/modules/contrib/cvs.if
+++ b/policy/modules/contrib/cvs.if
@@ -65,10 +65,10 @@ interface(`cvs_admin',`
allow $1 cvs_t:process { ptrace signal_perms };
ps_process_pattern($1, cvs_t)
- init_labeled_script_domtrans($1, cvs_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cvs_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, cvs_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 cvs_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, cvs_keytab_t)
diff --git a/policy/modules/contrib/cyphesis.if b/policy/modules/contrib/cyphesis.if
index df8aa4a..86c1316 100644
--- a/policy/modules/contrib/cyphesis.if
+++ b/policy/modules/contrib/cyphesis.if
@@ -45,10 +45,10 @@ interface(`cyphesis_admin',`
allow $1 cyphesis_t:process { ptrace signal_perms };
ps_process_pattern($1, cyphesis_t)
- init_labeled_script_domtrans($1, cyphesis_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cyphesis_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, cyphesis_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 cyphesis_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, cyphesis_log_t)
diff --git a/policy/modules/contrib/cyrus.if b/policy/modules/contrib/cyrus.if
index 83bfda6..069eec7 100644
--- a/policy/modules/contrib/cyrus.if
+++ b/policy/modules/contrib/cyrus.if
@@ -67,10 +67,10 @@ interface(`cyrus_admin',`
allow $1 cyrus_t:process { ptrace signal_perms };
ps_process_pattern($1, cyrus_t)
- init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cyrus_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 cyrus_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, cyrus_keytab_t)
diff --git a/policy/modules/contrib/dante.if b/policy/modules/contrib/dante.if
index e709177..8e26fd8 100644
--- a/policy/modules/contrib/dante.if
+++ b/policy/modules/contrib/dante.if
@@ -26,10 +26,10 @@ interface(`dante_admin',`
allow $1 dante_t:process { ptrace signal_perms };
ps_process_pattern($1, dante_t)
- init_labeled_script_domtrans($1, dante_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dante_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, dante_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 dante_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, dante_conf_t)
diff --git a/policy/modules/contrib/ddclient.if b/policy/modules/contrib/ddclient.if
index 5606b40..790ed46 100644
--- a/policy/modules/contrib/ddclient.if
+++ b/policy/modules/contrib/ddclient.if
@@ -73,10 +73,10 @@ interface(`ddclient_admin',`
allow $1 ddclient_t:process { ptrace signal_perms };
ps_process_pattern($1, ddclient_t)
- init_labeled_script_domtrans($1, ddclient_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ddclient_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ddclient_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ddclient_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, ddclient_etc_t)
diff --git a/policy/modules/contrib/denyhosts.if b/policy/modules/contrib/denyhosts.if
index a7326da..ee887da 100644
--- a/policy/modules/contrib/denyhosts.if
+++ b/policy/modules/contrib/denyhosts.if
@@ -63,10 +63,10 @@ interface(`denyhosts_admin',`
allow $1 denyhosts_t:process { ptrace signal_perms };
ps_process_pattern($1, denyhosts_t)
- denyhosts_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 denyhosts_initrc_exec_t system_r;
- allow $2 system_r;
+ #denyhosts_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 denyhosts_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, denyhosts_var_lib_t)
diff --git a/policy/modules/contrib/dhcp.if b/policy/modules/contrib/dhcp.if
index c697edb..fe3f70a 100644
--- a/policy/modules/contrib/dhcp.if
+++ b/policy/modules/contrib/dhcp.if
@@ -84,10 +84,10 @@ interface(`dhcpd_admin',`
allow $1 dhcpd_t:process { ptrace signal_perms };
ps_process_pattern($1, dhcpd_t)
- init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dhcpd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 dhcpd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, dhcpd_tmp_t)
diff --git a/policy/modules/contrib/dictd.if b/policy/modules/contrib/dictd.if
index 3cc3494..5946e57 100644
--- a/policy/modules/contrib/dictd.if
+++ b/policy/modules/contrib/dictd.if
@@ -41,10 +41,10 @@ interface(`dictd_admin',`
allow $1 dictd_t:process { ptrace signal_perms };
ps_process_pattern($1, dictd_t)
- init_labeled_script_domtrans($1, dictd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dictd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, dictd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 dictd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, dictd_etc_t)
diff --git a/policy/modules/contrib/dirmngr.if b/policy/modules/contrib/dirmngr.if
index e5f6733..e41f285 100644
--- a/policy/modules/contrib/dirmngr.if
+++ b/policy/modules/contrib/dirmngr.if
@@ -26,10 +26,10 @@ interface(`dirmngr_admin',`
allow $1 dirmngr_t:process { ptrace signal_perms };
ps_process_pattern($1, dirmngr_t)
- init_labeled_script_domtrans($1, dirmngr_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dirmngr_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, dirmngr_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 dirmngr_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, dirmngr_conf_t)
diff --git a/policy/modules/contrib/distcc.if b/policy/modules/contrib/distcc.if
index 473823d..28a4164 100644
--- a/policy/modules/contrib/distcc.if
+++ b/policy/modules/contrib/distcc.if
@@ -26,10 +26,10 @@ interface(`distcc_admin',`
allow $1 distccd_t:process { ptrace signal_perms };
ps_process_pattern($1, distccd_t)
- init_labeled_script_domtrans($1, distccd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 distccd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, distccd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 distccd_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, distccd_log_t)
diff --git a/policy/modules/contrib/dkim.if b/policy/modules/contrib/dkim.if
index 386e494..7999295 100644
--- a/policy/modules/contrib/dkim.if
+++ b/policy/modules/contrib/dkim.if
@@ -26,10 +26,10 @@ interface(`dkim_admin',`
allow $1 dkim_milter_t:process { ptrace signal_perms };
ps_process_pattern($1, dkim_milter_t)
- init_labeled_script_domtrans($1, dkim_milter_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dkim_milter_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, dkim_milter_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 dkim_milter_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, dkim_milter_private_key_t)
diff --git a/policy/modules/contrib/dnsmasq.if b/policy/modules/contrib/dnsmasq.if
index 62e4948..0ea06df 100644
--- a/policy/modules/contrib/dnsmasq.if
+++ b/policy/modules/contrib/dnsmasq.if
@@ -273,10 +273,10 @@ interface(`dnsmasq_admin',`
allow $1 dnsmasq_t:process { ptrace signal_perms };
ps_process_pattern($1, dnsmasq_t)
- init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dnsmasq_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 dnsmasq_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_var_lib($1)
admin_pattern($1, dnsmasq_lease_t)
diff --git a/policy/modules/contrib/dnssectrigger.if b/policy/modules/contrib/dnssectrigger.if
index 456da5c..2e1bd25 100644
--- a/policy/modules/contrib/dnssectrigger.if
+++ b/policy/modules/contrib/dnssectrigger.if
@@ -26,10 +26,10 @@ interface(`dnssectrigger_admin',`
allow $1 dnssec_triggerd_t:process { ptrace signal_perms };
ps_process_pattern($1, dnssec_triggerd_t)
- init_labeled_script_domtrans($1, dnssec_triggerd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dnssec_triggerd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, dnssec_triggerd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 dnssec_triggerd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, dnssec_trigger_conf_t)
diff --git a/policy/modules/contrib/dovecot.if b/policy/modules/contrib/dovecot.if
index d5badb7..294d61e 100644
--- a/policy/modules/contrib/dovecot.if
+++ b/policy/modules/contrib/dovecot.if
@@ -149,10 +149,10 @@ interface(`dovecot_admin',`
allow $1 dovecot_t:process { ptrace signal_perms };
ps_process_pattern($1, dovecot_t)
- init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dovecot_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 dovecot_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, { dovecot_keytab_t dovecot_etc_t })
diff --git a/policy/modules/contrib/drbd.if b/policy/modules/contrib/drbd.if
index 9a21639..18dbd73 100644
--- a/policy/modules/contrib/drbd.if
+++ b/policy/modules/contrib/drbd.if
@@ -46,10 +46,10 @@ interface(`drbd_admin',`
allow $1 drbd_t:process { ptrace signal_perms };
ps_process_pattern($1, drbd_t)
- init_labeled_script_domtrans($1, drbd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 drbd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, drbd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 drbd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_locks($1)
admin_pattern($1, drbd_lock_t)
diff --git a/policy/modules/contrib/dspam.if b/policy/modules/contrib/dspam.if
index 18f2452..b16cb67 100644
--- a/policy/modules/contrib/dspam.if
+++ b/policy/modules/contrib/dspam.if
@@ -66,10 +66,10 @@ interface(`dspam_admin',`
allow $1 dspam_t:process { ptrace signal_perms };
ps_process_pattern($1, dspam_t)
- init_labeled_script_domtrans($1, dspam_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dspam_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, dspam_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 dspam_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, dspam_log_t)
diff --git a/policy/modules/contrib/entropyd.if b/policy/modules/contrib/entropyd.if
index 1161fbf..1fc147c 100644
--- a/policy/modules/contrib/entropyd.if
+++ b/policy/modules/contrib/entropyd.if
@@ -25,10 +25,10 @@ interface(`entropyd_admin',`
allow $1 entropyd_t:process { ptrace signal_perms };
ps_process_pattern($1, entropyd_t)
- init_labeled_script_domtrans($1, entropyd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 entropyd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, entropyd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 entropyd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, entropyd_var_run_t)
diff --git a/policy/modules/contrib/exim.if b/policy/modules/contrib/exim.if
index 9bbc690..16d2922 100644
--- a/policy/modules/contrib/exim.if
+++ b/policy/modules/contrib/exim.if
@@ -288,10 +288,10 @@ interface(`exim_admin',`
allow $1 exim_t:process { ptrace signal_perms };
ps_process_pattern($1, exim_t)
- init_labeled_script_domtrans($1, exim_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 exim_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, exim_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 exim_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, exim_keytab_t)
diff --git a/policy/modules/contrib/fail2ban.if b/policy/modules/contrib/fail2ban.if
index 50d0084..0d23647 100644
--- a/policy/modules/contrib/fail2ban.if
+++ b/policy/modules/contrib/fail2ban.if
@@ -266,10 +266,10 @@ interface(`fail2ban_admin',`
allow $1 { fail2ban_t fail2ban_client_t }:process { ptrace signal_perms };
ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
- init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 fail2ban_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 fail2ban_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, fail2ban_log_t)
diff --git a/policy/modules/contrib/fcoe.if b/policy/modules/contrib/fcoe.if
index c3484a9..e8b2446 100644
--- a/policy/modules/contrib/fcoe.if
+++ b/policy/modules/contrib/fcoe.if
@@ -44,10 +44,10 @@ interface(`fcoe_admin',`
allow $1 fcoemon_t:process { ptrace signal_perms };
ps_process_pattern($1, fcoemon_t)
- init_labeled_script_domtrans($1, fcoemon_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 fcoemon_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, fcoemon_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 fcoemon_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, fcoemon_var_run_t)
diff --git a/policy/modules/contrib/fetchmail.if b/policy/modules/contrib/fetchmail.if
index c3f7916..8823986 100644
--- a/policy/modules/contrib/fetchmail.if
+++ b/policy/modules/contrib/fetchmail.if
@@ -23,10 +23,10 @@ interface(`fetchmail_admin',`
type fetchmail_var_run_t, fetchmail_initrc_exec_t, fetchmail_log_t;
')
- init_labeled_script_domtrans($1, fetchmail_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 fetchmail_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, fetchmail_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 fetchmail_initrc_exec_t system_r;
+ #allow $2 system_r;
allow $1 fetchmail_t:process { ptrace signal_perms };
ps_process_pattern($1, fetchmail_t)
diff --git a/policy/modules/contrib/firewalld.if b/policy/modules/contrib/firewalld.if
index c62c567..cbe9016 100644
--- a/policy/modules/contrib/firewalld.if
+++ b/policy/modules/contrib/firewalld.if
@@ -86,10 +86,10 @@ interface(`firewalld_admin',`
allow $1 firewalld_t:process { ptrace signal_perms };
ps_process_pattern($1, firewalld_t)
- init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 firewalld_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 firewalld_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, firewalld_var_run_t)
diff --git a/policy/modules/contrib/ftp.if b/policy/modules/contrib/ftp.if
index 65adda9..5d7a53f 100644
--- a/policy/modules/contrib/ftp.if
+++ b/policy/modules/contrib/ftp.if
@@ -182,10 +182,10 @@ interface(`ftp_admin',`
allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }:process { ptrace signal_perms };
ps_process_pattern($1, { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t })
- init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ftpd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ftpd_initrc_exec_t system_r;
+ #allow $2 system_r;
miscfiles_manage_public_files($1)
diff --git a/policy/modules/contrib/gatekeeper.if b/policy/modules/contrib/gatekeeper.if
index 30926d7..879de37 100644
--- a/policy/modules/contrib/gatekeeper.if
+++ b/policy/modules/contrib/gatekeeper.if
@@ -26,10 +26,10 @@ interface(`gatekeeper_admin',`
allow $1 gatekeeper_t:process { ptrace signal_perms };
ps_process_pattern($1, gatekeeper_t)
- init_labeled_script_domtrans($1, gatekeeper_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 gatekeeper_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, gatekeeper_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 gatekeeper_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, gatekeeper_etc_t)
diff --git a/policy/modules/contrib/gdomap.if b/policy/modules/contrib/gdomap.if
index 7d6b6b7..b4ebe6c 100644
--- a/policy/modules/contrib/gdomap.if
+++ b/policy/modules/contrib/gdomap.if
@@ -45,10 +45,10 @@ interface(`gdomap_admin',`
allow $1 gdomap_t:process { ptrace signal_perms };
ps_process_pattern($1, gdomap_t)
- init_labeled_script_domtrans($1, gdomap_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 gdomap_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, gdomap_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 gdomap_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, gdomap_conf_t)
diff --git a/policy/modules/contrib/glance.if b/policy/modules/contrib/glance.if
index 9eacb2c..6966abb 100644
--- a/policy/modules/contrib/glance.if
+++ b/policy/modules/contrib/glance.if
@@ -245,10 +245,10 @@ interface(`glance_admin',`
allow $1 { glance_api_t glance_registry_t }:process signal_perms;
ps_process_pattern($1, { glance_api_t glance_registry_t })
- init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { glance_api_initrc_exec_t glance_registry_initrc_exec_t } system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
+ #domain_system_change_exemption($1)
+ #role_transition $2 { glance_api_initrc_exec_t glance_registry_initrc_exec_t } system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, glance_log_t)
diff --git a/policy/modules/contrib/glusterfs.if b/policy/modules/contrib/glusterfs.if
index 05233c8..c121fda 100644
--- a/policy/modules/contrib/glusterfs.if
+++ b/policy/modules/contrib/glusterfs.if
@@ -46,10 +46,10 @@ interface(`glusterfs_admin',`
type glusterd_var_run_t;
')
- init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 glusterd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 glusterd_initrc_exec_t system_r;
+ #allow $2 system_r;
allow $1 glusterd_t:process { ptrace signal_perms };
ps_process_pattern($1, glusterd_t)
diff --git a/policy/modules/contrib/gpm.if b/policy/modules/contrib/gpm.if
index f1528c9..65818dc 100644
--- a/policy/modules/contrib/gpm.if
+++ b/policy/modules/contrib/gpm.if
@@ -106,10 +106,10 @@ interface(`gpm_admin',`
allow $1 gpm_t:process { ptrace signal_perms };
ps_process_pattern($1, gpm_t)
- init_labeled_script_domtrans($1, gpm_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 gpm_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, gpm_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 gpm_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, gpm_conf_t)
diff --git a/policy/modules/contrib/gpsd.if b/policy/modules/contrib/gpsd.if
index 92eb564..6d077a4 100644
--- a/policy/modules/contrib/gpsd.if
+++ b/policy/modules/contrib/gpsd.if
@@ -91,10 +91,10 @@ interface(`gpsd_admin',`
allow $1 gpsd_t:process { ptrace signal_perms };
ps_process_pattern($1, gpsd_t)
- init_labeled_script_domtrans($1, gpsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 gpsd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, gpsd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 gpsd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, gpsd_var_run_t)
diff --git a/policy/modules/contrib/hadoop.if b/policy/modules/contrib/hadoop.if
index 2b0d488..48f93d3 100644
--- a/policy/modules/contrib/hadoop.if
+++ b/policy/modules/contrib/hadoop.if
@@ -441,10 +441,10 @@ interface(`hadoop_admin',`
allow $1 { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t }:process { ptrace signal_perms };
ps_process_pattern($1, { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t })
- init_labeled_script_domtrans($1, hadoop_init_script_file)
- domain_system_change_exemption($1)
- role_transition $2 hadoop_init_script_file system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, hadoop_init_script_file)
+ #domain_system_change_exemption($1)
+ #role_transition $2 hadoop_init_script_file system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, { hadoop_etc_t zookeeper_etc_t })
diff --git a/policy/modules/contrib/hddtemp.if b/policy/modules/contrib/hddtemp.if
index 1728071..718fc12 100644
--- a/policy/modules/contrib/hddtemp.if
+++ b/policy/modules/contrib/hddtemp.if
@@ -63,10 +63,10 @@ interface(`hddtemp_admin',`
allow $1 hddtemp_t:process { ptrace signal_perms };
ps_process_pattern($1, hddtemp_t)
- init_labeled_script_domtrans($1, hddtemp_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 hddtemp_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, hddtemp_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 hddtemp_initrc_exec_t system_r;
+ #allow $2 system_r;
admin_pattern($1, hddtemp_etc_t)
files_search_etc($1)
diff --git a/policy/modules/contrib/howl.if b/policy/modules/contrib/howl.if
index dc609f0..d67eac5 100644
--- a/policy/modules/contrib/howl.if
+++ b/policy/modules/contrib/howl.if
@@ -43,10 +43,10 @@ interface(`howl_admin',`
allow $1 howl_t:process { ptrace signal_perms };
ps_process_pattern($1, howl_t)
- init_labeled_script_domtrans($1, howl_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 howl_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, howl_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 howl_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, howl_var_run_t)
diff --git a/policy/modules/contrib/hypervkvp.if b/policy/modules/contrib/hypervkvp.if
index 6517fad..d483ebe 100644
--- a/policy/modules/contrib/hypervkvp.if
+++ b/policy/modules/contrib/hypervkvp.if
@@ -25,8 +25,8 @@ interface(`hypervkvp_admin',`
allow $1 hypervkvpd_t:process { ptrace signal_perms };
ps_process_pattern($1, hypervkvpd_t)
- init_labeled_script_domtrans($1, hypervkvpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 hypervkvpd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, hypervkvpd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 hypervkvpd_initrc_exec_t system_r;
+ #allow $2 system_r;
')
diff --git a/policy/modules/contrib/i18n_input.if b/policy/modules/contrib/i18n_input.if
index 5eab254..dd6c6a9 100644
--- a/policy/modules/contrib/i18n_input.if
+++ b/policy/modules/contrib/i18n_input.if
@@ -40,10 +40,10 @@ interface(`i18n_input_admin',`
allow $1 i18n_input_t:process { ptrace signal_perms };
ps_process_pattern($1, i18n_input_t)
- init_labeled_script_domtrans($1, i18n_input_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 i18n_input_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, i18n_input_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 i18n_input_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, i18n_input_var_run_t)
diff --git a/policy/modules/contrib/icecast.if b/policy/modules/contrib/icecast.if
index 580b533..0235592 100644
--- a/policy/modules/contrib/icecast.if
+++ b/policy/modules/contrib/icecast.if
@@ -176,10 +176,10 @@ interface(`icecast_admin',`
type icecast_var_run_t;
')
- icecast_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 icecast_initrc_exec_t system_r;
- allow $2 system_r;
+ #icecast_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 icecast_initrc_exec_t system_r;
+ #allow $2 system_r;
allow $1 icecast_t:process { ptrace signal_perms };
ps_process_pattern($1, icecast_t)
diff --git a/policy/modules/contrib/ifplugd.if b/policy/modules/contrib/ifplugd.if
index 8999899..bc3884d 100644
--- a/policy/modules/contrib/ifplugd.if
+++ b/policy/modules/contrib/ifplugd.if
@@ -122,10 +122,10 @@ interface(`ifplugd_admin',`
allow $1 ifplugd_t:process { ptrace signal_perms };
ps_process_pattern($1, ifplugd_t)
- init_labeled_script_domtrans($1, ifplugd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ifplugd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ifplugd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ifplugd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, ifplugd_etc_t)
diff --git a/policy/modules/contrib/inn.if b/policy/modules/contrib/inn.if
index eb87f23..91b81e9 100644
--- a/policy/modules/contrib/inn.if
+++ b/policy/modules/contrib/inn.if
@@ -230,10 +230,10 @@ interface(`inn_admin',`
type innd_var_run_t, innd_initrc_exec_t;
')
- init_labeled_script_domtrans($1, innd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 innd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, innd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 innd_initrc_exec_t system_r;
+ #allow $2 system_r;
allow $1 innd_t:process { ptrace signal_perms };
ps_process_pattern($1, innd_t)
diff --git a/policy/modules/contrib/iodine.if b/policy/modules/contrib/iodine.if
index a0bfbd0..f034884 100644
--- a/policy/modules/contrib/iodine.if
+++ b/policy/modules/contrib/iodine.if
@@ -47,8 +47,8 @@ interface(`iodine_admin',`
allow $1 iodined_t:process { ptrace signal_perms };
ps_process_pattern($1, iodined_t)
- init_labeled_script_domtrans($1, iodined_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 iodined_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, iodined_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 iodined_initrc_exec_t system_r;
+ #allow $2 system_r;
')
diff --git a/policy/modules/contrib/ircd.if b/policy/modules/contrib/ircd.if
index 1a88664..6d057fd 100644
--- a/policy/modules/contrib/ircd.if
+++ b/policy/modules/contrib/ircd.if
@@ -23,10 +23,10 @@ interface(`ircd_admin',`
type ircd_log_t, ircd_var_lib_t, ircd_var_run_t;
')
- init_labeled_script_domtrans($1, ircd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ircd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ircd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ircd_initrc_exec_t system_r;
+ #allow $2 system_r;
allow $1 ircd_t:process { ptrace signal_perms };
ps_process_pattern($1, ircd_t)
diff --git a/policy/modules/contrib/irqbalance.if b/policy/modules/contrib/irqbalance.if
index d7113e7..5f97e41 100644
--- a/policy/modules/contrib/irqbalance.if
+++ b/policy/modules/contrib/irqbalance.if
@@ -25,10 +25,10 @@ interface(`irqbalance_admin',`
allow $1 irqbalance_t:process { ptrace signal_perms };
ps_process_pattern($1, irqbalance_t)
- init_labeled_script_domtrans($1, irqbalance_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 irqbalance_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, irqbalance_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 irqbalance_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, irqbalance_var_run_t)
diff --git a/policy/modules/contrib/iscsi.if b/policy/modules/contrib/iscsi.if
index 1a35420..9e73947 100644
--- a/policy/modules/contrib/iscsi.if
+++ b/policy/modules/contrib/iscsi.if
@@ -105,10 +105,10 @@ interface(`iscsi_admin',`
allow $1 iscsid_t:process { ptrace signal_perms };
ps_process_pattern($1, iscsid_t)
- init_labeled_script_domtrans($1, iscsi_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 iscsi_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, iscsi_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 iscsi_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, iscsi_log_t)
diff --git a/policy/modules/contrib/isns.if b/policy/modules/contrib/isns.if
index da7e970..baf3539 100644
--- a/policy/modules/contrib/isns.if
+++ b/policy/modules/contrib/isns.if
@@ -26,10 +26,10 @@ interface(`isnsd_admin',`
allow $1 isnsd_t:process { ptrace signal_perms };
ps_process_pattern($1, isnsd_t)
- init_labeled_script_domtrans($1, isnsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 isnsd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, isnsd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 isnsd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, isnsd_var_lib_t)
diff --git a/policy/modules/contrib/jabber.if b/policy/modules/contrib/jabber.if
index 7eb3811..dda272b 100644
--- a/policy/modules/contrib/jabber.if
+++ b/policy/modules/contrib/jabber.if
@@ -81,10 +81,10 @@ interface(`jabber_admin',`
allow $1 jabberd_domain:process { ptrace signal_perms };
ps_process_pattern($1, jabberd_domain)
- init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 jabberd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 jabberd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_locks($1)
admin_pattern($1, jabberd_lock_t)
diff --git a/policy/modules/contrib/kdump.if b/policy/modules/contrib/kdump.if
index 3a00b3a..804c498 100644
--- a/policy/modules/contrib/kdump.if
+++ b/policy/modules/contrib/kdump.if
@@ -102,10 +102,10 @@ interface(`kdump_admin',`
allow $1 { kdump_t kdumpctl_t }:process { ptrace signal_perms };
ps_process_pattern($1, { kdump_t kdumpctl_t })
- init_labeled_script_domtrans($1, kdump_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 kdump_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, kdump_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 kdump_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, kdump_etc_t)
diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if
index 77a5c49..ab3f24e 100644
--- a/policy/modules/contrib/kerberos.if
+++ b/policy/modules/contrib/kerberos.if
@@ -493,10 +493,10 @@ interface(`kerberos_admin',`
allow $1 { kadmind_t krb5kdc_t kpropd_t }:process { ptrace signal_perms };
ps_process_pattern($1, { kadmind_t krb5kdc_t kpropd_t })
- init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 kerberos_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 kerberos_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, kadmind_log_t)
diff --git a/policy/modules/contrib/kerneloops.if b/policy/modules/contrib/kerneloops.if
index 714448f..7e50bdd 100644
--- a/policy/modules/contrib/kerneloops.if
+++ b/policy/modules/contrib/kerneloops.if
@@ -108,10 +108,10 @@ interface(`kerneloops_admin',`
allow $1 kerneloops_t:process { ptrace signal_perms };
ps_process_pattern($1, kerneloops_t)
- init_labeled_script_domtrans($1, kerneloops_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 kerneloops_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, kerneloops_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 kerneloops_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_tmp($1)
admin_pattern($1, kerneloops_tmp_t)
diff --git a/policy/modules/contrib/keystone.if b/policy/modules/contrib/keystone.if
index e88fb16..7407597 100644
--- a/policy/modules/contrib/keystone.if
+++ b/policy/modules/contrib/keystone.if
@@ -26,10 +26,10 @@ interface(`keystone_admin',`
allow $1 keystone_t:process { ptrace signal_perms };
ps_process_pattern($1, keystone_t)
- init_labeled_script_domtrans($1, keystone_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 keystone_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, keystone_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 keystone_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, keystone_log_t)
diff --git a/policy/modules/contrib/kismet.if b/policy/modules/contrib/kismet.if
index f20de6e..1a3bc7d 100644
--- a/policy/modules/contrib/kismet.if
+++ b/policy/modules/contrib/kismet.if
@@ -286,10 +286,10 @@ interface(`kismet_admin',`
type kismet_log_t, kismet_tmp_t, kismet_initrc_exec_t;
')
- init_labeled_script_domtrans($1, kismet_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 kismet_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, kismet_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 kismet_initrc_exec_t system_r;
+ #allow $2 system_r;
ps_process_pattern($1, kismet_t)
allow $1 kismet_t:process { ptrace signal_perms };
diff --git a/policy/modules/contrib/ksmtuned.if b/policy/modules/contrib/ksmtuned.if
index 93a64bc..663a091 100644
--- a/policy/modules/contrib/ksmtuned.if
+++ b/policy/modules/contrib/ksmtuned.if
@@ -61,10 +61,10 @@ interface(`ksmtuned_admin',`
type ksmtuned_initrc_exec_t, ksmtuned_log_t;
')
- ksmtuned_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 ksmtuned_initrc_exec_t system_r;
- allow $2 system_r;
+ #ksmtuned_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ksmtuned_initrc_exec_t system_r;
+ #allow $2 system_r;
allow $1 ksmtuned_t:process { ptrace signal_perms };
ps_process_pattern($1, ksmtuned_t)
diff --git a/policy/modules/contrib/kudzu.if b/policy/modules/contrib/kudzu.if
index 5297064..db57d00 100644
--- a/policy/modules/contrib/kudzu.if
+++ b/policy/modules/contrib/kudzu.if
@@ -89,10 +89,10 @@ interface(`kudzu_admin',`
allow $1 kudzu_t:process { ptrace signal_perms };
ps_process_pattern($1, kudzu_t)
- init_labeled_script_domtrans($1, kudzu_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 kudzu_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, kudzu_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 kudzu_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_tmp($1)
admin_pattern($1, kudzu_tmp_t)
diff --git a/policy/modules/contrib/l2tp.if b/policy/modules/contrib/l2tp.if
index 73e2803..5f364d2 100644
--- a/policy/modules/contrib/l2tp.if
+++ b/policy/modules/contrib/l2tp.if
@@ -86,10 +86,10 @@ interface(`l2tp_admin',`
allow $1 l2tpd_t:process { ptrace signal_perms };
ps_process_pattern($1, l2tpd_t)
- init_labeled_script_domtrans($1, l2tpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 l2tpd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, l2tpd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 l2tpd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, l2tp_conf_t)
diff --git a/policy/modules/contrib/ldap.if b/policy/modules/contrib/ldap.if
index 7f09b4a..bb0ca32 100644
--- a/policy/modules/contrib/ldap.if
+++ b/policy/modules/contrib/ldap.if
@@ -122,10 +122,10 @@ interface(`ldap_admin',`
allow $1 slapd_t:process { ptrace signal_perms };
ps_process_pattern($1, slapd_t)
- init_labeled_script_domtrans($1, slapd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 slapd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, slapd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 slapd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t })
diff --git a/policy/modules/contrib/likewise.if b/policy/modules/contrib/likewise.if
index bd20e8c..3813742 100644
--- a/policy/modules/contrib/likewise.if
+++ b/policy/modules/contrib/likewise.if
@@ -110,10 +110,10 @@ interface(`likewise_admin',`
allow $1 likewise_domains:process { ptrace signal_perms };
ps_process_pattern($1, likewise_domains)
- init_labeled_script_domtrans($1, likewise_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 likewise_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, likewise_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 likewise_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, { likewise_etc_t likewise_pstore_lock_t likewise_krb5_ad_t })
diff --git a/policy/modules/contrib/lircd.if b/policy/modules/contrib/lircd.if
index dff21a7..50996eb 100644
--- a/policy/modules/contrib/lircd.if
+++ b/policy/modules/contrib/lircd.if
@@ -84,10 +84,10 @@ interface(`lircd_admin',`
allow $1 lircd_t:process { ptrace signal_perms };
ps_process_pattern($1, lircd_t)
- init_labeled_script_domtrans($1, lircd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 lircd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, lircd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 lircd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, lircd_etc_t)
diff --git a/policy/modules/contrib/lldpad.if b/policy/modules/contrib/lldpad.if
index d18c960..612d86f 100644
--- a/policy/modules/contrib/lldpad.if
+++ b/policy/modules/contrib/lldpad.if
@@ -45,10 +45,10 @@ interface(`lldpad_admin',`
allow $1 lldpad_t:process { ptrace signal_perms };
ps_process_pattern($1, lldpad_t)
- init_labeled_script_domtrans($1, lldpad_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 lldpad_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, lldpad_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 lldpad_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, lldpad_var_lib_t)
diff --git a/policy/modules/contrib/mailscanner.if b/policy/modules/contrib/mailscanner.if
index 214cb44..d3bd6c5 100644
--- a/policy/modules/contrib/mailscanner.if
+++ b/policy/modules/contrib/mailscanner.if
@@ -47,10 +47,10 @@ interface(`mscan_admin',`
allow $1 mscan_t:process { ptrace signal_perms };
ps_process_pattern($1, mscan_t)
- init_labeled_script_domtrans($1, mscan_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 mscan_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, mscan_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 mscan_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, mscan_etc_t)
diff --git a/policy/modules/contrib/mcelog.if b/policy/modules/contrib/mcelog.if
index f89651e..82b0846 100644
--- a/policy/modules/contrib/mcelog.if
+++ b/policy/modules/contrib/mcelog.if
@@ -45,10 +45,10 @@ interface(`mcelog_admin',`
allow $1 mcelog_t:process { ptrace signal_perms };
ps_process_pattern($1, mcelog_t)
- init_labeled_script_domtrans($1, mcelog_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 mcelog_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, mcelog_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 mcelog_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, mcelog_etc_t)
diff --git a/policy/modules/contrib/memcached.if b/policy/modules/contrib/memcached.if
index 1d4eb19..6b3c3dc 100644
--- a/policy/modules/contrib/memcached.if
+++ b/policy/modules/contrib/memcached.if
@@ -124,10 +124,10 @@ interface(`memcached_admin',`
allow $1 memcached_t:process { ptrace signal_perms };
ps_process_pattern($1, memcached_t)
- init_labeled_script_domtrans($1, memcached_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 memcached_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, memcached_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 memcached_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, memcached_var_run_t)
diff --git a/policy/modules/contrib/minidlna.if b/policy/modules/contrib/minidlna.if
index 358917a..e58f50a 100644
--- a/policy/modules/contrib/minidlna.if
+++ b/policy/modules/contrib/minidlna.if
@@ -26,10 +26,10 @@ interface(`minidlna_admin',`
allow $1 minidlna_t:process { ptrace signal_perms };
ps_process_pattern($1, minidlna_t)
- minidlna_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 minidlna_initrc_exec_t system_r;
- allow $2 system_r;
+ #minidlna_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 minidlna_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, minidlna_conf_t)
diff --git a/policy/modules/contrib/minissdpd.if b/policy/modules/contrib/minissdpd.if
index f37a116..3121ce0 100644
--- a/policy/modules/contrib/minissdpd.if
+++ b/policy/modules/contrib/minissdpd.if
@@ -45,10 +45,10 @@ interface(`minissdpd_admin',`
allow $1 minissdpd_t:process { ptrace signal_perms };
ps_process_pattern($1, minissdpd_t)
- init_labeled_script_domtrans($1, minissdpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 minissdpd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, minissdpd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 minissdpd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, minissdpd_conf_t)
diff --git a/policy/modules/contrib/mongodb.if b/policy/modules/contrib/mongodb.if
index b247d25..80ba75c 100644
--- a/policy/modules/contrib/mongodb.if
+++ b/policy/modules/contrib/mongodb.if
@@ -26,10 +26,10 @@ interface(`mongodb_admin',`
allow $1 mongod_t:process { ptrace signal_perms };
ps_process_pattern($1, mongod_t)
- init_labeled_script_domtrans($1, mongod_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 mongod_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, mongod_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 mongod_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, mongod_log_t)
diff --git a/policy/modules/contrib/monop.if b/policy/modules/contrib/monop.if
index a6ec137..a798087 100644
--- a/policy/modules/contrib/monop.if
+++ b/policy/modules/contrib/monop.if
@@ -26,10 +26,10 @@ interface(`monop_admin',`
allow $1 monopd_t:process { ptrace signal_perms };
ps_process_pattern($1, monopd_t)
- init_labeled_script_domtrans($1, monopd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 monopd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, monopd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 monopd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, monopd_etc_t)
diff --git a/policy/modules/contrib/mpd.if b/policy/modules/contrib/mpd.if
index 5fa77c7..9be1aa8 100644
--- a/policy/modules/contrib/mpd.if
+++ b/policy/modules/contrib/mpd.if
@@ -347,10 +347,10 @@ interface(`mpd_admin',`
allow $1 mpd_t:process { ptrace signal_perms };
ps_process_pattern($1, mpd_t)
- mpd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 mpd_initrc_exec_t system_r;
- allow $2 system_r;
+ #mpd_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 mpd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, mpd_etc_t)
diff --git a/policy/modules/contrib/mrtg.if b/policy/modules/contrib/mrtg.if
index c595094..aeac4b2 100644
--- a/policy/modules/contrib/mrtg.if
+++ b/policy/modules/contrib/mrtg.if
@@ -47,10 +47,10 @@ interface(`mrtg_admin',`
allow $1 mrtg_t:process { ptrace signal_perms };
ps_process_pattern($1, mrtg_t)
- init_labeled_script_domtrans($1, mrtg_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 mrtg_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, mrtg_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 mrtg_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, mrtg_etc_t)
diff --git a/policy/modules/contrib/munin.if b/policy/modules/contrib/munin.if
index b744fe3..b540634 100644
--- a/policy/modules/contrib/munin.if
+++ b/policy/modules/contrib/munin.if
@@ -173,10 +173,10 @@ interface(`munin_admin',`
allow $1 { munin_plugin_domain munin_t }:process { ptrace signal_perms };
ps_process_pattern($1, { munin_plugin_domain munin_t })
- init_labeled_script_domtrans($1, munin_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 munin_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, munin_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 munin_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, { munin_tmp_t munin_plugin_tmp_content })
diff --git a/policy/modules/contrib/mysql.if b/policy/modules/contrib/mysql.if
index 590748a..5535d22 100644
--- a/policy/modules/contrib/mysql.if
+++ b/policy/modules/contrib/mysql.if
@@ -450,10 +450,10 @@ interface(`mysql_admin',`
allow $1 { mysqld_safe_t mysqld_t mysqlmanagerd_t }:process { ptrace signal_perms };
ps_process_pattern($1, { mysqld_safe_t mysqld_t mysqlmanagerd_t })
- init_labeled_script_domtrans($1, { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t } system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t })
+ #domain_system_change_exemption($1)
+ #role_transition $2 { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t } system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, { mysqlmanagerd_var_run_t mysqld_var_run_t })
diff --git a/policy/modules/contrib/nagios.if b/policy/modules/contrib/nagios.if
index 0641e97..8289ecb 100644
--- a/policy/modules/contrib/nagios.if
+++ b/policy/modules/contrib/nagios.if
@@ -204,10 +204,10 @@ interface(`nagios_admin',`
allow $1 { nagios_t nrpe_t nagios_plugin_domain }:process { ptrace signal_perms };
ps_process_pattern($1, { nagios_t nrpe_t nagios_plugin_domain })
- init_labeled_script_domtrans($1, nagios_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 nagios_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, nagios_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 nagios_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_tmp($1)
admin_pattern($1, { nagios_eventhandler_plugin_tmp_t nagios_tmp_t nagios_system_plugin_tmp_t })
diff --git a/policy/modules/contrib/nessus.if b/policy/modules/contrib/nessus.if
index 42e9ed4..5fa68ad 100644
--- a/policy/modules/contrib/nessus.if
+++ b/policy/modules/contrib/nessus.if
@@ -40,10 +40,10 @@ interface(`nessus_admin',`
allow $1 nessusd_t:process { ptrace signal_perms };
ps_process_pattern($1, nessusd_t)
- init_labeled_script_domtrans($1, nessusd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 nessusd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, nessusd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 nessusd_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, nessusd_log_t)
diff --git a/policy/modules/contrib/networkmanager.if b/policy/modules/contrib/networkmanager.if
index b512ce0..7e1b861 100644
--- a/policy/modules/contrib/networkmanager.if
+++ b/policy/modules/contrib/networkmanager.if
@@ -297,10 +297,10 @@ interface(`networkmanager_admin',`
allow $1 { wpa_cli_t NetworkManager_t }:process { ptrace signal_perms };
ps_process_pattern($1, { wpa_cli_t NetworkManager_t })
- init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 NetworkManager_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 NetworkManager_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, { NetworkManager_etc_t NetworkManager_etc_rw_t })
diff --git a/policy/modules/contrib/nis.if b/policy/modules/contrib/nis.if
index 46e55c3..8000aa6 100644
--- a/policy/modules/contrib/nis.if
+++ b/policy/modules/contrib/nis.if
@@ -381,11 +381,11 @@ interface(`nis_admin',`
allow $1 { ypbind_t yppasswdd_t ypserv_t ypxfr_t }:process { ptrace signal_perms };
ps_process_pattern($1, { ypbind_t yppasswdd_t ypserv_t ypxfr_t })
- nis_initrc_domtrans($1)
- nis_initrc_domtrans_ypbind($1)
- domain_system_change_exemption($1)
- role_transition $2 { nis_initrc_exec_t ypbind_initrc_exec_t } system_r;
- allow $2 system_r;
+ #nis_initrc_domtrans($1)
+ #nis_initrc_domtrans_ypbind($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 { nis_initrc_exec_t ypbind_initrc_exec_t } system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, { ypserv_tmp_t ypbind_tmp_t })
diff --git a/policy/modules/contrib/nscd.if b/policy/modules/contrib/nscd.if
index 8f2ab09..7d046d2 100644
--- a/policy/modules/contrib/nscd.if
+++ b/policy/modules/contrib/nscd.if
@@ -299,10 +299,10 @@ interface(`nscd_admin',`
allow $1 nscd_t:process { ptrace signal_perms };
ps_process_pattern($1, nscd_t)
- init_labeled_script_domtrans($1, nscd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 nscd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, nscd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 nscd_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, nscd_log_t)
diff --git a/policy/modules/contrib/nsd.if b/policy/modules/contrib/nsd.if
index a9c60ff..6b42add 100644
--- a/policy/modules/contrib/nsd.if
+++ b/policy/modules/contrib/nsd.if
@@ -54,10 +54,10 @@ interface(`nsd_admin',`
allow $1 nsd_t:process { ptrace signal_perms };
ps_process_pattern($1, nsd_t)
- init_labeled_script_domtrans($1, nsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 nsd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, nsd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 nsd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, { nsd_conf_t nsd_db_t })
diff --git a/policy/modules/contrib/nslcd.if b/policy/modules/contrib/nslcd.if
index bbd7cac..4c7aee8 100644
--- a/policy/modules/contrib/nslcd.if
+++ b/policy/modules/contrib/nslcd.if
@@ -102,10 +102,10 @@ interface(`nslcd_admin',`
allow $1 nslcd_t:process { ptrace signal_perms };
ps_process_pattern($1, nslcd_t)
- nslcd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 nslcd_initrc_exec_t system_r;
- allow $2 system_r;
+ #nslcd_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 nslcd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, nslcd_conf_t)
diff --git a/policy/modules/contrib/ntop.if b/policy/modules/contrib/ntop.if
index beaee73..756b0cc 100644
--- a/policy/modules/contrib/ntop.if
+++ b/policy/modules/contrib/ntop.if
@@ -26,10 +26,10 @@ interface(`ntop_admin',`
allow $1 ntop_t:process { ptrace signal_perms };
ps_process_pattern($1, ntop_t)
- init_labeled_script_domtrans($1, ntop_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ntop_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ntop_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ntop_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, ntop_etc_t)
diff --git a/policy/modules/contrib/ntp.if b/policy/modules/contrib/ntp.if
index 6a83626..02e6320 100644
--- a/policy/modules/contrib/ntp.if
+++ b/policy/modules/contrib/ntp.if
@@ -166,10 +166,10 @@ interface(`ntp_admin',`
allow $1 ntpd_t:process { ptrace signal_perms };
ps_process_pattern($1, ntpd_t)
- init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ntpd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ntpd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, { ntpd_key_t ntp_conf_t })
diff --git a/policy/modules/contrib/numad.if b/policy/modules/contrib/numad.if
index 0d3c270..d5c4a6d 100644
--- a/policy/modules/contrib/numad.if
+++ b/policy/modules/contrib/numad.if
@@ -26,10 +26,10 @@ interface(`numad_admin',`
allow $1 numad_t:process { ptrace signal_perms };
ps_process_pattern($1, numad_t)
- init_labeled_script_domtrans($1, numad_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 numad_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, numad_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 numad_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, numad_log_t)
diff --git a/policy/modules/contrib/nut.if b/policy/modules/contrib/nut.if
index c606ae6..f0f6b74 100644
--- a/policy/modules/contrib/nut.if
+++ b/policy/modules/contrib/nut.if
@@ -26,10 +26,10 @@ interface(`nut_admin',`
allow $1 nut_domain:process { ptrace signal_perms };
ps_process_pattern($1, nut_domain)
- init_labeled_script_domtrans($1, nut_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 nut_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, nut_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 nut_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, nut_conf_t)
diff --git a/policy/modules/contrib/oident.if b/policy/modules/contrib/oident.if
index 513f452..c4d4419 100644
--- a/policy/modules/contrib/oident.if
+++ b/policy/modules/contrib/oident.if
@@ -131,10 +131,10 @@ interface(`oident_admin',`
allow $1 oidentd_t:process { ptrace signal_perms };
ps_process_pattern($1, oidentd_t)
- init_labeled_script_domtrans($1, oidentd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 oidentd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, oidentd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 oidentd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, oidentd_config_t)
diff --git a/policy/modules/contrib/openct.if b/policy/modules/contrib/openct.if
index a55238b..4fe22f9 100644
--- a/policy/modules/contrib/openct.if
+++ b/policy/modules/contrib/openct.if
@@ -120,10 +120,10 @@ interface(`openct_admin',`
allow $1 openct_t:process { ptrace signal_perms };
ps_process_pattern($1, openct_t)
- init_labeled_script_domtrans($1, openct_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 openct_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, openct_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 openct_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, openct_var_run_t)
diff --git a/policy/modules/contrib/openhpi.if b/policy/modules/contrib/openhpi.if
index 3c86958..141f3c8 100644
--- a/policy/modules/contrib/openhpi.if
+++ b/policy/modules/contrib/openhpi.if
@@ -26,10 +26,10 @@ interface(`openhpi_admin',`
allow $1 openhpid_t:process { ptrace signal_perms };
ps_process_pattern($1, openhpid_t)
- init_labeled_script_domtrans($1, openhpid_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 openhpid_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, openhpid_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 openhpid_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, openhpid_var_lib_t)
diff --git a/policy/modules/contrib/openvpn.if b/policy/modules/contrib/openvpn.if
index 6837e9a..7efa5a5 100644
--- a/policy/modules/contrib/openvpn.if
+++ b/policy/modules/contrib/openvpn.if
@@ -150,10 +150,10 @@ interface(`openvpn_admin',`
allow $1 openvpn_t:process { ptrace signal_perms };
ps_process_pattern($1, openvpn_t)
- init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 openvpn_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 openvpn_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, { openvpn_etc_t openvpn_etc_rw_t })
diff --git a/policy/modules/contrib/openvswitch.if b/policy/modules/contrib/openvswitch.if
index 9b15730..131e6dc 100644
--- a/policy/modules/contrib/openvswitch.if
+++ b/policy/modules/contrib/openvswitch.if
@@ -64,10 +64,10 @@ interface(`openvswitch_admin',`
allow $1 openvswitch_t:process { ptrace signal_perms };
ps_process_pattern($1, openvswitch_t)
- init_labeled_script_domtrans($1, openvswitch_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 openvswitch_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, openvswitch_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 openvswitch_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, openvswitch_conf_t)
diff --git a/policy/modules/contrib/pacemaker.if b/policy/modules/contrib/pacemaker.if
index 9682d9a..3ae9dcf 100644
--- a/policy/modules/contrib/pacemaker.if
+++ b/policy/modules/contrib/pacemaker.if
@@ -26,10 +26,10 @@ interface(`pacemaker_admin',`
allow $1 pacemaker_t:process { ptrace signal_perms };
ps_process_pattern($1, pacemaker_t)
- init_labeled_script_domtrans($1, pacemaker_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pacemaker_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, pacemaker_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pacemaker_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, pacemaker_var_lib_t)
diff --git a/policy/modules/contrib/pads.if b/policy/modules/contrib/pads.if
index 6e097c9..e9fa6d2 100644
--- a/policy/modules/contrib/pads.if
+++ b/policy/modules/contrib/pads.if
@@ -26,10 +26,10 @@ interface(`pads_admin', `
allow $1 pads_t:process { ptrace signal_perms };
ps_process_pattern($1, pads_t)
- init_labeled_script_domtrans($1, pads_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pads_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, pads_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pads_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, pads_var_run_t)
diff --git a/policy/modules/contrib/pcscd.if b/policy/modules/contrib/pcscd.if
index 7f77d32..aa414bd 100644
--- a/policy/modules/contrib/pcscd.if
+++ b/policy/modules/contrib/pcscd.if
@@ -128,10 +128,10 @@ interface(`pcscd_admin',`
allow $1 pcscd_t:process { ptrace signal_perms };
ps_process_pattern($1, pcscd_t)
- init_labeled_script_domtrans($1, pcscd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pcscd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, pcscd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pcscd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, pcscd_var_run_t)
diff --git a/policy/modules/contrib/pegasus.if b/policy/modules/contrib/pegasus.if
index d2fc677..3b509a4 100644
--- a/policy/modules/contrib/pegasus.if
+++ b/policy/modules/contrib/pegasus.if
@@ -27,10 +27,10 @@ interface(`pegasus_admin',`
allow $1 pegasus_t:process { ptrace signal_perms };
ps_process_pattern($1, pegasus_t)
- init_labeled_script_domtrans($1, pegasus_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pegasus_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, pegasus_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pegasus_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, pegasus_conf_t)
diff --git a/policy/modules/contrib/perdition.if b/policy/modules/contrib/perdition.if
index 47e09e1..ffe3965 100644
--- a/policy/modules/contrib/perdition.if
+++ b/policy/modules/contrib/perdition.if
@@ -40,10 +40,10 @@ interface(`perdition_admin',`
allow $1 perdition_t:process { ptrace signal_perms };
ps_process_pattern($1, perdition_t)
- init_labeled_script_domtrans($1, perdition_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 perdition_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, perdition_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 perdition_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, perdition_etc_t)
diff --git a/policy/modules/contrib/pingd.if b/policy/modules/contrib/pingd.if
index 21a6ecb..4194b84 100644
--- a/policy/modules/contrib/pingd.if
+++ b/policy/modules/contrib/pingd.if
@@ -84,10 +84,10 @@ interface(`pingd_admin',`
allow $1 pingd_t:process { ptrace signal_perms };
ps_process_pattern($1, pingd_t)
- init_labeled_script_domtrans($1, pingd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pingd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, pingd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pingd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, pingd_etc_t)
diff --git a/policy/modules/contrib/pkcs.if b/policy/modules/contrib/pkcs.if
index 69be2aa..c3b3223 100644
--- a/policy/modules/contrib/pkcs.if
+++ b/policy/modules/contrib/pkcs.if
@@ -26,10 +26,10 @@ interface(`pkcs_admin_slotd',`
allow $1 pkcs_slotd_t:process { ptrace signal_perms };
ps_process_pattern($1, pkcs_slotd_t)
- init_labeled_script_domtrans($1, pkcs_slotd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pkcs_slotd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, pkcs_slotd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pkcs_slotd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, pkcs_slotd_var_lib_t)
diff --git a/policy/modules/contrib/polipo.if b/policy/modules/contrib/polipo.if
index ae27bb7..c6c431e 100644
--- a/policy/modules/contrib/polipo.if
+++ b/policy/modules/contrib/polipo.if
@@ -125,10 +125,10 @@ interface(`polipo_admin',`
allow $1 polipo_system_t:process { ptrace signal_perms };
ps_process_pattern($1, polipo_system_t)
- polipo_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 polipo_initrc_exec_t system_r;
- allow $2 system_r;
+ #polipo_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 polipo_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var($1)
admin_pattern($1, polipo_cache_t)
diff --git a/policy/modules/contrib/portmap.if b/policy/modules/contrib/portmap.if
index 9f982b5..7cc0695 100644
--- a/policy/modules/contrib/portmap.if
+++ b/policy/modules/contrib/portmap.if
@@ -114,10 +114,10 @@ interface(`portmap_admin',`
allow $1 { portmap_t portmap_helper_t }:process { ptrace signal_perms };
ps_process_pattern($1, { portmap_t portmap_helper_t })
- init_labeled_script_domtrans($1, portmap_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 portmap_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, portmap_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 portmap_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, portmap_var_run_t)
diff --git a/policy/modules/contrib/portreserve.if b/policy/modules/contrib/portreserve.if
index 5ad5291..ecffbfc 100644
--- a/policy/modules/contrib/portreserve.if
+++ b/policy/modules/contrib/portreserve.if
@@ -108,10 +108,10 @@ interface(`portreserve_admin',`
allow $1 portreserve_t:process { ptrace signal_perms };
ps_process_pattern($1, portreserve_t)
- portreserve_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 portreserve_initrc_exec_t system_r;
- allow $2 system_r;
+ #portreserve_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 portreserve_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, portreserve_etc_t)
diff --git a/policy/modules/contrib/postfix.if b/policy/modules/contrib/postfix.if
index 8e7d1e7..603f2e3 100644
--- a/policy/modules/contrib/postfix.if
+++ b/policy/modules/contrib/postfix.if
@@ -720,10 +720,10 @@ interface(`postfix_admin',`
allow $1 postfix_domain:process { ptrace signal_perms };
ps_process_pattern($1, postfix_domain)
- init_labeled_script_domtrans($1, postfix_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 postfix_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, postfix_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 postfix_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t postfix_keytab_t })
diff --git a/policy/modules/contrib/postfixpolicyd.if b/policy/modules/contrib/postfixpolicyd.if
index 5de8173..d74f378 100644
--- a/policy/modules/contrib/postfixpolicyd.if
+++ b/policy/modules/contrib/postfixpolicyd.if
@@ -26,10 +26,10 @@ interface(`postfixpolicyd_admin',`
allow $1 postfix_policyd_t:process { ptrace signal_perms };
ps_process_pattern($1, postfix_policyd_t)
- init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 postfix_policyd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 postfix_policyd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, postfix_policyd_conf_t)
diff --git a/policy/modules/contrib/postgrey.if b/policy/modules/contrib/postgrey.if
index b9e71b5..05a4cd4 100644
--- a/policy/modules/contrib/postgrey.if
+++ b/policy/modules/contrib/postgrey.if
@@ -67,10 +67,10 @@ interface(`postgrey_admin',`
allow $1 postgrey_t:process { ptrace signal_perms };
ps_process_pattern($1, postgrey_t)
- init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 postgrey_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 postgrey_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, postgrey_etc_t)
diff --git a/policy/modules/contrib/ppp.if b/policy/modules/contrib/ppp.if
index cd8b8b9..71455d1 100644
--- a/policy/modules/contrib/ppp.if
+++ b/policy/modules/contrib/ppp.if
@@ -487,10 +487,10 @@ interface(`ppp_admin',`
allow $1 { pptp_t pppd_t }:process { ptrace signal_perms };
ps_process_pattern($1, { pptp_t pppd_t })
- ppp_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 pppd_initrc_exec_t system_r;
- allow $2 system_r;
+ #ppp_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pppd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, pppd_tmp_t)
diff --git a/policy/modules/contrib/prelude.if b/policy/modules/contrib/prelude.if
index db8f510..573fac7 100644
--- a/policy/modules/contrib/prelude.if
+++ b/policy/modules/contrib/prelude.if
@@ -126,10 +126,10 @@ interface(`prelude_admin',`
allow $1 { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t }:process { ptrace signal_perms };
ps_process_pattern($1, { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t })
- init_labeled_script_domtrans($1, prelude_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 prelude_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, prelude_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 prelude_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_spool($1)
admin_pattern($1, prelude_spool_t)
diff --git a/policy/modules/contrib/privoxy.if b/policy/modules/contrib/privoxy.if
index bdcee30..182267b 100644
--- a/policy/modules/contrib/privoxy.if
+++ b/policy/modules/contrib/privoxy.if
@@ -26,10 +26,10 @@ interface(`privoxy_admin',`
allow $1 privoxy_t:process { ptrace signal_perms };
ps_process_pattern($1, privoxy_t)
- init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 privoxy_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 privoxy_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, privoxy_log_t)
diff --git a/policy/modules/contrib/psad.if b/policy/modules/contrib/psad.if
index cdc83d2..a04483a 100644
--- a/policy/modules/contrib/psad.if
+++ b/policy/modules/contrib/psad.if
@@ -242,10 +242,10 @@ interface(`psad_admin',`
allow $1 psad_t:process { ptrace signal_perms };
ps_process_pattern($1, psad_t)
- init_labeled_script_domtrans($1, psad_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 psad_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, psad_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 psad_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, psad_etc_t)
diff --git a/policy/modules/contrib/puppet.if b/policy/modules/contrib/puppet.if
index 7cb8b1f..9d0c95c 100644
--- a/policy/modules/contrib/puppet.if
+++ b/policy/modules/contrib/puppet.if
@@ -211,10 +211,10 @@ interface(`puppet_admin',`
allow $1 { puppet_t puppetca_t puppetmaster_t }:process { ptrace signal_perms };
ps_process_pattern($1, { puppet_t puppetca_t puppetmaster_t })
- init_labeled_script_domtrans($1, { puppet_initrc_exec_t puppetmaster_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { puppet_initrc_exec_t puppetmaster_initrc_exec_t } system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, { puppet_initrc_exec_t puppetmaster_initrc_exec_t })
+ #domain_system_change_exemption($1)
+ #role_transition $2 { puppet_initrc_exec_t puppetmaster_initrc_exec_t } system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, puppet_etc_t)
diff --git a/policy/modules/contrib/pxe.if b/policy/modules/contrib/pxe.if
index 7da286f..3a60f9b 100644
--- a/policy/modules/contrib/pxe.if
+++ b/policy/modules/contrib/pxe.if
@@ -26,10 +26,10 @@ interface(`pxe_admin',`
allow $1 pxe_t:process { ptrace signal_perms };
ps_process_pattern($1, pxe_t)
- init_labeled_script_domtrans($1, pxe_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pxe_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, pxe_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pxe_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, pxe_log_t)
diff --git a/policy/modules/contrib/pyicqt.if b/policy/modules/contrib/pyicqt.if
index 0ccea82..683d0ee 100644
--- a/policy/modules/contrib/pyicqt.if
+++ b/policy/modules/contrib/pyicqt.if
@@ -26,10 +26,10 @@ interface(`pyicqt_admin',`
allow $1 pyicqt_t:process { ptrace signal_perms };
ps_process_pattern($1, pyicqt_t)
- init_labeled_script_domtrans($1, pyicqt_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pyicqt_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, pyicqt_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pyicqt_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, pyicqt_conf_t)
diff --git a/policy/modules/contrib/pyzor.if b/policy/modules/contrib/pyzor.if
index c05a504..664b594 100644
--- a/policy/modules/contrib/pyzor.if
+++ b/policy/modules/contrib/pyzor.if
@@ -118,10 +118,10 @@ interface(`pyzor_admin',`
allow $1 pyzord_t:process { ptrace signal_perms };
ps_process_pattern($1, pyzord_t)
- init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pyzord_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pyzord_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, pyzor_etc_t)
diff --git a/policy/modules/contrib/qpid.if b/policy/modules/contrib/qpid.if
index fe2adf8..307b419 100644
--- a/policy/modules/contrib/qpid.if
+++ b/policy/modules/contrib/qpid.if
@@ -177,10 +177,10 @@ interface(`qpidd_admin',`
allow $1 qpidd_t:process { ptrace signal_perms };
ps_process_pattern($1, qpidd_t)
- qpidd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 qpidd_initrc_exec_t system_r;
- allow $2 system_r;
+ #qpidd_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 qpidd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, qpidd_var_lib_t)
diff --git a/policy/modules/contrib/quantum.if b/policy/modules/contrib/quantum.if
index afc0068..2d9ec09 100644
--- a/policy/modules/contrib/quantum.if
+++ b/policy/modules/contrib/quantum.if
@@ -26,10 +26,10 @@ interface(`quantum_admin',`
allow $1 quantum_t:process { ptrace signal_perms };
ps_process_pattern($1, quantum_t)
- init_labeled_script_domtrans($1, quantum_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 quantum_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, quantum_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 quantum_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, quantum_log_t)
diff --git a/policy/modules/contrib/quota.if b/policy/modules/contrib/quota.if
index 68611e3..6af6364 100644
--- a/policy/modules/contrib/quota.if
+++ b/policy/modules/contrib/quota.if
@@ -184,10 +184,10 @@ interface(`quota_admin',`
allow $1 { quota_nld_t quota_t }:process { ptrace signal_perms };
ps_process_pattern($1, { quota_nld_t quota_t })
- init_labeled_script_domtrans($1, quota_nld_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 quota_nld_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, quota_nld_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 quota_nld_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_all($1)
admin_pattern($1, { quota_db_t quota_flag_t quota_nld_var_run_t })
diff --git a/policy/modules/contrib/rabbitmq.if b/policy/modules/contrib/rabbitmq.if
index 2c3d338..64bd4db 100644
--- a/policy/modules/contrib/rabbitmq.if
+++ b/policy/modules/contrib/rabbitmq.if
@@ -45,10 +45,10 @@ interface(`rabbitmq_admin',`
allow $1 { rabbitmq_epmd_t rabbitmq_beam_t }:process { ptrace signal_perms };
ps_process_pattern($1, { rabbitmq_epmd_t rabbitmq_beam_t })
- init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rabbitmq_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 rabbitmq_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, rabbitmq_var_log_t)
diff --git a/policy/modules/contrib/radius.if b/policy/modules/contrib/radius.if
index 4460582..785c40a 100644
--- a/policy/modules/contrib/radius.if
+++ b/policy/modules/contrib/radius.if
@@ -41,10 +41,10 @@ interface(`radius_admin',`
allow $1 radiusd_t:process { ptrace signal_perms };
ps_process_pattern($1, radiusd_t)
- init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 radiusd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 radiusd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, { radiusd_etc_t radiusd_etc_rw_t })
diff --git a/policy/modules/contrib/radvd.if b/policy/modules/contrib/radvd.if
index ac7058d..33a3f31 100644
--- a/policy/modules/contrib/radvd.if
+++ b/policy/modules/contrib/radvd.if
@@ -26,10 +26,10 @@ interface(`radvd_admin',`
allow $1 radvd_t:process { ptrace signal_perms };
ps_process_pattern($1, radvd_t)
- init_labeled_script_domtrans($1, radvd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 radvd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, radvd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 radvd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, radvd_etc_t)
diff --git a/policy/modules/contrib/raid.if b/policy/modules/contrib/raid.if
index 951db7f..f865481 100644
--- a/policy/modules/contrib/raid.if
+++ b/policy/modules/contrib/raid.if
@@ -91,10 +91,10 @@ interface(`raid_admin_mdadm',`
allow $1 mdadm_t:process { ptrace signal_perms };
ps_process_pattern($1, mdadm_t)
- init_labeled_script_domtrans($1, mdadm_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 mdadm_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, mdadm_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 mdadm_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, mdadm_var_run_t)
diff --git a/policy/modules/contrib/redis.if b/policy/modules/contrib/redis.if
index 3969450..13812be 100644
--- a/policy/modules/contrib/redis.if
+++ b/policy/modules/contrib/redis.if
@@ -26,10 +26,10 @@ interface(`redis_admin',`
allow $1 redis_t:process { ptrace signal_perms };
ps_process_pattern($1, redis_t)
- init_labeled_script_domtrans($1, redis_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 redis_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, redis_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 redis_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, redis_log_t)
diff --git a/policy/modules/contrib/resmgr.if b/policy/modules/contrib/resmgr.if
index 0d93db6..b6a5cec 100644
--- a/policy/modules/contrib/resmgr.if
+++ b/policy/modules/contrib/resmgr.if
@@ -46,10 +46,10 @@ interface(`resmgr_admin',`
allow $1 resmgrd_t:process { ptrace signal_perms };
ps_process_pattern($1, resmgrd_t)
- init_labeled_script_domtrans($1, resmgrd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 resmgrd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, resmgrd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 resmgrd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, resmgrd_etc_t)
diff --git a/policy/modules/contrib/rgmanager.if b/policy/modules/contrib/rgmanager.if
index 1c2f9aa..5ab664c 100644
--- a/policy/modules/contrib/rgmanager.if
+++ b/policy/modules/contrib/rgmanager.if
@@ -105,10 +105,10 @@ interface(`rgmanager_admin',`
allow $1 rgmanager_t:process { ptrace signal_perms };
ps_process_pattern($1, rgmanager_t)
- init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rgmanager_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 rgmanager_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, rgmanager_tmp_t)
diff --git a/policy/modules/contrib/rhcs.if b/policy/modules/contrib/rhcs.if
index c8bdea2..10828e8 100644
--- a/policy/modules/contrib/rhcs.if
+++ b/policy/modules/contrib/rhcs.if
@@ -472,10 +472,10 @@ interface(`rhcs_admin',`
allow $1 cluster_domain:process { ptrace signal_perms };
ps_process_pattern($1, cluster_domain)
- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
+ #domain_system_change_exemption($1)
+ #role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, cluster_pid)
diff --git a/policy/modules/contrib/rhsmcertd.if b/policy/modules/contrib/rhsmcertd.if
index 6dbc905..98574fe 100644
--- a/policy/modules/contrib/rhsmcertd.if
+++ b/policy/modules/contrib/rhsmcertd.if
@@ -285,10 +285,10 @@ interface(`rhsmcertd_admin',`
allow $1 rhsmcertd_t:process { ptrace signal_perms };
ps_process_pattern($1, rhsmcertd_t)
- rhsmcertd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 rhsmcertd_initrc_exec_t system_r;
- allow $2 system_r;
+ #rhsmcertd_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 rhsmcertd_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, rhsmcertd_log_t)
diff --git a/policy/modules/contrib/ricci.if b/policy/modules/contrib/ricci.if
index 2ab3ed1..3290abc 100644
--- a/policy/modules/contrib/ricci.if
+++ b/policy/modules/contrib/ricci.if
@@ -203,10 +203,10 @@ interface(`ricci_admin',`
allow $1 ricci_t:process { ptrace signal_perms };
ps_process_pattern($1, ricci_t)
- init_labeled_script_domtrans($1, ricci_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ricci_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ricci_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ricci_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, ricci_tmp_t)
diff --git a/policy/modules/contrib/rngd.if b/policy/modules/contrib/rngd.if
index 13f788f..d182588 100644
--- a/policy/modules/contrib/rngd.if
+++ b/policy/modules/contrib/rngd.if
@@ -25,10 +25,10 @@ interface(`rngd_admin',`
allow $1 rngd_t:process { ptrace signal_perms };
ps_process_pattern($1, rngd_t)
- init_labeled_script_domtrans($1, rngd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rngd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, rngd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 rngd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, rngd_var_run_t)
diff --git a/policy/modules/contrib/roundup.if b/policy/modules/contrib/roundup.if
index 975bb6a..f540ee7 100644
--- a/policy/modules/contrib/roundup.if
+++ b/policy/modules/contrib/roundup.if
@@ -26,10 +26,10 @@ interface(`roundup_admin',`
allow $1 roundup_t:process { ptrace signal_perms };
ps_process_pattern($1, roundup_t)
- init_labeled_script_domtrans($1, roundup_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 roundup_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, roundup_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 roundup_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_var_lib($1)
admin_pattern($1, roundup_var_lib_t)
diff --git a/policy/modules/contrib/rpc.if b/policy/modules/contrib/rpc.if
index 157afd9..baf9509 100644
--- a/policy/modules/contrib/rpc.if
+++ b/policy/modules/contrib/rpc.if
@@ -400,10 +400,10 @@ interface(`rpc_admin',`
allow $1 rpc_domain:process { ptrace signal_perms };
ps_process_pattern($1, rpc_domain)
- init_labeled_script_domtrans($1, { nfsd_initrc_exec_t rpcd_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { nfsd_initrc_exec_t rpcd_initrc_exec_t } system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, { nfsd_initrc_exec_t rpcd_initrc_exec_t })
+ #domain_system_change_exemption($1)
+ #role_transition $2 { nfsd_initrc_exec_t rpcd_initrc_exec_t } system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, { gssd_keytab_t exports_t })
diff --git a/policy/modules/contrib/rpcbind.if b/policy/modules/contrib/rpcbind.if
index f78fef0..bfee269 100644
--- a/policy/modules/contrib/rpcbind.if
+++ b/policy/modules/contrib/rpcbind.if
@@ -160,10 +160,10 @@ interface(`rpcbind_admin',`
allow $1 rpcbind_t:process { ptrace signal_perms };
ps_process_pattern($1, rpcbind_t)
- init_labeled_script_domtrans($1, rpcbind_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rpcbind_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, rpcbind_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 rpcbind_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, rpcbind_var_run_t)
diff --git a/policy/modules/contrib/rpm.if b/policy/modules/contrib/rpm.if
index fc9c8d8..4b1a6b3 100644
--- a/policy/modules/contrib/rpm.if
+++ b/policy/modules/contrib/rpm.if
@@ -634,10 +634,10 @@ interface(`rpm_admin',`
allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms };
ps_process_pattern($1, { rpm_t rpm_script_t })
- init_labeled_script_domtrans($1, rpm_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rpm_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, rpm_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 rpm_initrc_exec_t system_r;
+ #allow $2 system_r;
admin_pattern($1, rpm_file_t)
diff --git a/policy/modules/contrib/rtkit.if b/policy/modules/contrib/rtkit.if
index e904ec4..37daa13 100644
--- a/policy/modules/contrib/rtkit.if
+++ b/policy/modules/contrib/rtkit.if
@@ -90,8 +90,8 @@ interface(`rtkit_admin',`
allow $1 rtkit_daemon_t:process { ptrace signal_perms };
ps_process_pattern($1, rtkit_daemon_t)
- init_labeled_script_domtrans($1, rtkit_daemon_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rtkit_daemon_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, rtkit_daemon_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 rtkit_daemon_initrc_exec_t system_r;
+ #allow $2 system_r;
')
diff --git a/policy/modules/contrib/rwho.if b/policy/modules/contrib/rwho.if
index 0360ff0..01b5928 100644
--- a/policy/modules/contrib/rwho.if
+++ b/policy/modules/contrib/rwho.if
@@ -142,10 +142,10 @@ interface(`rwho_admin',`
allow $1 rwho_t:process { ptrace signal_perms };
ps_process_pattern($1, rwho_t)
- init_labeled_script_domtrans($1, rwho_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rwho_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, rwho_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 rwho_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, rwho_log_t)
diff --git a/policy/modules/contrib/salt.if b/policy/modules/contrib/salt.if
index 7ab9e6b..c8e33a5 100644
--- a/policy/modules/contrib/salt.if
+++ b/policy/modules/contrib/salt.if
@@ -29,12 +29,12 @@ interface(`salt_admin_master',`
allow $1 salt_master_t:process { ptrace signal_perms };
ps_process_pattern($1, salt_master_t)
- init_labeled_script_domtrans($1, salt_master_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 salt_master_initrc_exec_t system_r;
+ #init_labeled_script_domtrans($1, salt_master_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 salt_master_initrc_exec_t system_r;
# for debugging?
- role_transition $2 salt_master_exec_t system_r;
+ #role_transition $2 salt_master_exec_t system_r;
domtrans_pattern($1, salt_master_exec_t, salt_master_t)
roleattribute $2 salt_master_roles;
@@ -73,12 +73,12 @@ interface(`salt_admin_minion',`
allow $1 salt_minion_t:process { ptrace signal_perms };
ps_process_pattern($1, salt_minion_t)
- init_labeled_script_domtrans($1, salt_minion_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 salt_minion_initrc_exec_t system_r;
+ #init_labeled_script_domtrans($1, salt_minion_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 salt_minion_initrc_exec_t system_r;
# for debugging
- role_transition $2 salt_minion_exec_t system_r;
+ #role_transition $2 salt_minion_exec_t system_r;
domtrans_pattern($1, salt_minion_exec_t, salt_minion_t)
roleattribute $2 salt_minion_roles;
diff --git a/policy/modules/contrib/samba.if b/policy/modules/contrib/samba.if
index 50d07fb..51e6858 100644
--- a/policy/modules/contrib/samba.if
+++ b/policy/modules/contrib/samba.if
@@ -695,10 +695,10 @@ interface(`samba_admin',`
allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms };
ps_process_pattern($1, { nmbd_t smbd_t })
- init_labeled_script_domtrans($1, samba_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 samba_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, samba_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 samba_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, { samba_etc_t smbd_keytab_t })
diff --git a/policy/modules/contrib/sanlock.if b/policy/modules/contrib/sanlock.if
index cd6c213..98b2950 100644
--- a/policy/modules/contrib/sanlock.if
+++ b/policy/modules/contrib/sanlock.if
@@ -104,10 +104,10 @@ interface(`sanlock_admin',`
allow $1 sanlock_t:process { ptrace signal_perms };
ps_process_pattern($1, sanlock_t)
- sanlock_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 sanlock_initrc_exec_t system_r;
- allow $2 system_r;
+ #sanlock_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 sanlock_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, sanlock_var_run_t)
diff --git a/policy/modules/contrib/sasl.if b/policy/modules/contrib/sasl.if
index 8c3c151..7da737b 100644
--- a/policy/modules/contrib/sasl.if
+++ b/policy/modules/contrib/sasl.if
@@ -45,10 +45,10 @@ interface(`sasl_admin',`
allow $1 saslauthd_t:process { ptrace signal_perms };
ps_process_pattern($1, saslauthd_t)
- init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 saslauthd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 saslauthd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, saslauthd_keytab_t)
diff --git a/policy/modules/contrib/sblim.if b/policy/modules/contrib/sblim.if
index 98c9e0a..25d94a4 100644
--- a/policy/modules/contrib/sblim.if
+++ b/policy/modules/contrib/sblim.if
@@ -64,10 +64,10 @@ interface(`sblim_admin',`
allow $1 sblim_domain:process { ptrace signal_perms };
ps_process_pattern($1, sblim_domain)
- init_labeled_script_domtrans($1, sblim_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 sblim_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, sblim_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 sblim_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, sblim_var_run_t)
diff --git a/policy/modules/contrib/sendmail.if b/policy/modules/contrib/sendmail.if
index 35ad2a7..7a95364 100644
--- a/policy/modules/contrib/sendmail.if
+++ b/policy/modules/contrib/sendmail.if
@@ -360,9 +360,9 @@ interface(`sendmail_admin',`
allow $1 { unconfined_sendmail_t sendmail_t }:process { ptrace signal_perms };
ps_process_pattern($1, { unconfined_sendmail_t sendmail_t })
- init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 sendmail_initrc_exec_t system_r;
+ #init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 sendmail_initrc_exec_t system_r;
files_list_etc($1)
admin_pattern($1, sendmail_keytab_t)
diff --git a/policy/modules/contrib/sensord.if b/policy/modules/contrib/sensord.if
index d204752..ec77409 100644
--- a/policy/modules/contrib/sensord.if
+++ b/policy/modules/contrib/sensord.if
@@ -25,10 +25,10 @@ interface(`sensord_admin',`
allow $1 sensord_t:process { ptrace signal_perms };
ps_process_pattern($1, sensord_t)
- init_labeled_script_domtrans($1, sensord_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 sensord_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, sensord_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 sensord_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, sensord_var_run_t)
diff --git a/policy/modules/contrib/shorewall.if b/policy/modules/contrib/shorewall.if
index 1aeef8a..abcfdf5 100644
--- a/policy/modules/contrib/shorewall.if
+++ b/policy/modules/contrib/shorewall.if
@@ -179,10 +179,10 @@ interface(`shorewall_admin',`
allow $1 shorewall_t:process { ptrace signal_perms };
ps_process_pattern($1, shorewall_t)
- init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 shorewall_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 shorewall_initrc_exec_t system_r;
+ #allow $2 system_r;
can_exec($1, shorewall_exec_t)
diff --git a/policy/modules/contrib/slpd.if b/policy/modules/contrib/slpd.if
index ca32e89..c13e32c 100644
--- a/policy/modules/contrib/slpd.if
+++ b/policy/modules/contrib/slpd.if
@@ -26,10 +26,10 @@ interface(`slpd_admin',`
allow $1 slpd_t:process { ptrace signal_perms };
ps_process_pattern($1, slpd_t)
- init_labeled_script_domtrans($1, slpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 slpd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, slpd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 slpd_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, slpd_log_t)
diff --git a/policy/modules/contrib/smartmon.if b/policy/modules/contrib/smartmon.if
index e0644b5..b0660d6 100644
--- a/policy/modules/contrib/smartmon.if
+++ b/policy/modules/contrib/smartmon.if
@@ -45,10 +45,10 @@ interface(`smartmon_admin',`
allow $1 fsdaemon_t:process { ptrace signal_perms };
ps_process_pattern($1, fsdaemon_t)
- init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 fsdaemon_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 fsdaemon_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, fsdaemon_tmp_t)
diff --git a/policy/modules/contrib/smokeping.if b/policy/modules/contrib/smokeping.if
index 1fa51c1..8c0eefe 100644
--- a/policy/modules/contrib/smokeping.if
+++ b/policy/modules/contrib/smokeping.if
@@ -161,10 +161,10 @@ interface(`smokeping_admin',`
allow $1 smokeping_t:process { ptrace signal_perms };
ps_process_pattern($1, smokeping_t)
- smokeping_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 smokeping_initrc_exec_t system_r;
- allow $2 system_r;
+ #smokeping_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 smokeping_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, smokeping_var_lib_t)
diff --git a/policy/modules/contrib/smstools.if b/policy/modules/contrib/smstools.if
index 81136f0..2b49829 100644
--- a/policy/modules/contrib/smstools.if
+++ b/policy/modules/contrib/smstools.if
@@ -27,10 +27,10 @@ interface(`smstools_admin',`
allow $1 smsd_t:process { ptrace signal_perms };
ps_process_pattern($1, smsd_t)
- init_labeled_script_domtrans($1, smsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 smsd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, smsd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 smsd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, smsd_conf_t)
diff --git a/policy/modules/contrib/snmp.if b/policy/modules/contrib/snmp.if
index bf78fa9..0da50f0 100644
--- a/policy/modules/contrib/snmp.if
+++ b/policy/modules/contrib/snmp.if
@@ -182,10 +182,10 @@ interface(`snmp_admin',`
allow $1 snmpd_t:process { ptrace signal_perms };
ps_process_pattern($1, snmpd_t)
- init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 snmpd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 snmpd_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, snmpd_log_t)
diff --git a/policy/modules/contrib/snort.if b/policy/modules/contrib/snort.if
index 7d86b34..910ffb9 100644
--- a/policy/modules/contrib/snort.if
+++ b/policy/modules/contrib/snort.if
@@ -45,10 +45,10 @@ interface(`snort_admin',`
allow $1 snort_t:process { ptrace signal_perms };
ps_process_pattern($1, snort_t)
- init_labeled_script_domtrans($1, snort_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 snort_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, snort_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 snort_initrc_exec_t system_r;
+ #allow $2 system_r;
admin_pattern($1, snort_etc_t)
files_search_etc($1)
diff --git a/policy/modules/contrib/soundserver.if b/policy/modules/contrib/soundserver.if
index a5abc5a..c6d0368 100644
--- a/policy/modules/contrib/soundserver.if
+++ b/policy/modules/contrib/soundserver.if
@@ -41,10 +41,10 @@ interface(`soundserver_admin',`
allow $1 soundd_t:process { ptrace signal_perms };
ps_process_pattern($1, soundd_t)
- init_labeled_script_domtrans($1, soundd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 soundd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, soundd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 soundd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, soundd_etc_t)
diff --git a/policy/modules/contrib/spamassassin.if b/policy/modules/contrib/spamassassin.if
index 7f5a1cc..f697f7b 100644
--- a/policy/modules/contrib/spamassassin.if
+++ b/policy/modules/contrib/spamassassin.if
@@ -384,10 +384,10 @@ interface(`spamassassin_admin',`
allow $1 spamd_t:process { ptrace signal_perms };
ps_process_pattern($1, spamd_t)
- init_labeled_script_domtrans($1, spamd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 spamd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, spamd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 spamd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, spamd_tmp_t)
diff --git a/policy/modules/contrib/squid.if b/policy/modules/contrib/squid.if
index 5e1f053..0d43504 100644
--- a/policy/modules/contrib/squid.if
+++ b/policy/modules/contrib/squid.if
@@ -216,10 +216,10 @@ interface(`squid_admin',`
allow $1 squid_t:process { ptrace signal_perms };
ps_process_pattern($1, squid_t)
- init_labeled_script_domtrans($1, squid_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 squid_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, squid_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 squid_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_var($1)
admin_pattern($1, squid_cache_t)
diff --git a/policy/modules/contrib/sssd.if b/policy/modules/contrib/sssd.if
index a240455..4ba98cc 100644
--- a/policy/modules/contrib/sssd.if
+++ b/policy/modules/contrib/sssd.if
@@ -342,10 +342,10 @@ interface(`sssd_admin',`
allow $1 sssd_t:process { ptrace signal_perms };
ps_process_pattern($1, sssd_t)
- sssd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 sssd_initrc_exec_t system_r;
- allow $2 system_r;
+ #sssd_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 sssd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, sssd_conf_t)
diff --git a/policy/modules/contrib/svnserve.if b/policy/modules/contrib/svnserve.if
index 5cd46e9..043ade5 100644
--- a/policy/modules/contrib/svnserve.if
+++ b/policy/modules/contrib/svnserve.if
@@ -25,10 +25,10 @@ interface(`svnserve_admin',`
allow $1 svnserve_t:process { ptrace signal_perms };
ps_process_pattern($1, svnserve_t)
- init_labeled_script_domtrans($1, svnserve_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 svnserve_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, svnserve_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 svnserve_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, svnserve_var_run_t)
diff --git a/policy/modules/contrib/sysstat.if b/policy/modules/contrib/sysstat.if
index 14ae3f2..46e08d3 100644
--- a/policy/modules/contrib/sysstat.if
+++ b/policy/modules/contrib/sysstat.if
@@ -46,10 +46,10 @@ interface(`sysstat_admin',`
allow $1 sysstat_t:process { ptrace signal_perms };
ps_process_pattern($1, sysstat_t)
- init_labeled_script_domtrans($1, sysstat_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 sysstat_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, sysstat_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 sysstat_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, sysstat_log_t)
diff --git a/policy/modules/contrib/systemtap.if b/policy/modules/contrib/systemtap.if
index d60a21e..4718ca2 100644
--- a/policy/modules/contrib/systemtap.if
+++ b/policy/modules/contrib/systemtap.if
@@ -26,10 +26,10 @@ interface(`stapserver_admin',`
allow $1 stapserver_t:process { ptrace signal_perms };
ps_process_pattern($1, stapserver_t)
- init_labeled_script_domtrans($1, stapserver_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 stapserver_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, stapserver_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 stapserver_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, stapserver_conf_t)
diff --git a/policy/modules/contrib/tcsd.if b/policy/modules/contrib/tcsd.if
index b42ec1d..d4b8da8 100644
--- a/policy/modules/contrib/tcsd.if
+++ b/policy/modules/contrib/tcsd.if
@@ -141,10 +141,10 @@ interface(`tcsd_admin',`
allow $1 tcsd_t:process { ptrace signal_perms };
ps_process_pattern($1, tcsd_t)
- tcsd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 tcsd_initrc_exec_t system_r;
- allow $2 system_r;
+ #tcsd_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 tcsd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, tcsd_var_lib_t)
diff --git a/policy/modules/contrib/tgtd.if b/policy/modules/contrib/tgtd.if
index dc5b46e..bde65e4 100644
--- a/policy/modules/contrib/tgtd.if
+++ b/policy/modules/contrib/tgtd.if
@@ -83,10 +83,10 @@ interface(`tgtd_admin',`
allow $1 tgtd_t:process { ptrace signal_perms };
ps_process_pattern($1, tgtd_t)
- init_labeled_script_domtrans($1, tgtd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 tgtd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, tgtd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 tgtd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, tgtd_var_lib_t)
diff --git a/policy/modules/contrib/tor.if b/policy/modules/contrib/tor.if
index 61c2e07..6ab1023 100644
--- a/policy/modules/contrib/tor.if
+++ b/policy/modules/contrib/tor.if
@@ -45,10 +45,10 @@ interface(`tor_admin',`
allow $1 tor_t:process { ptrace signal_perms };
ps_process_pattern($1, tor_t)
- init_labeled_script_domtrans($1, tor_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 tor_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, tor_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 tor_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, tor_etc_t)
diff --git a/policy/modules/contrib/transproxy.if b/policy/modules/contrib/transproxy.if
index 81a8351..20102c2 100644
--- a/policy/modules/contrib/transproxy.if
+++ b/policy/modules/contrib/transproxy.if
@@ -25,10 +25,10 @@ interface(`transproxy_admin',`
allow $1 transproxy_t:process { ptrace signal_perms };
ps_process_pattern($1, transproxy_t)
- init_labeled_script_domtrans($1, transproxy_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 transproxy_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, transproxy_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 transproxy_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, transproxy_var_run_t)
diff --git a/policy/modules/contrib/tuned.if b/policy/modules/contrib/tuned.if
index e29db63..9829bad 100644
--- a/policy/modules/contrib/tuned.if
+++ b/policy/modules/contrib/tuned.if
@@ -122,10 +122,10 @@ interface(`tuned_admin',`
allow $1 tuned_t:process { ptrace signal_perms };
ps_process_pattern($1, tuned_t)
- tuned_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 tuned_initrc_exec_t system_r;
- allow $2 system_r;
+ #tuned_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 tuned_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, { tuned_etc_t tuned_rw_etc_t })
diff --git a/policy/modules/contrib/ulogd.if b/policy/modules/contrib/ulogd.if
index 9b95c3e..43bfd7b 100644
--- a/policy/modules/contrib/ulogd.if
+++ b/policy/modules/contrib/ulogd.if
@@ -126,10 +126,10 @@ interface(`ulogd_admin',`
allow $1 ulogd_t:process { ptrace signal_perms };
ps_process_pattern($1, ulogd_t)
- init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ulogd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ulogd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, ulogd_etc_t)
diff --git a/policy/modules/contrib/uptime.if b/policy/modules/contrib/uptime.if
index 19f4724..b9f36e4 100644
--- a/policy/modules/contrib/uptime.if
+++ b/policy/modules/contrib/uptime.if
@@ -26,10 +26,10 @@ interface(`uptime_admin',`
allow $1 uptimed_t:process { ptrace signal_perms };
ps_process_pattern($1, uptimed_t)
- init_labeled_script_domtrans($1, uptimed_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 uptimed_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, uptimed_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 uptimed_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, uptimed_etc_t)
diff --git a/policy/modules/contrib/uucp.if b/policy/modules/contrib/uucp.if
index af9acc0..bf7df04 100644
--- a/policy/modules/contrib/uucp.if
+++ b/policy/modules/contrib/uucp.if
@@ -104,10 +104,10 @@ interface(`uucp_admin',`
type uucpd_var_run_t, uucpd_initrc_exec_t;
')
- init_labeled_script_domtrans($1, uucpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 uucpd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, uucpd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 uucpd_initrc_exec_t system_r;
+ #allow $2 system_r;
allow $1 uucpd_t:process { ptrace signal_perms };
ps_process_pattern($1, uucpd_t)
diff --git a/policy/modules/contrib/uuidd.if b/policy/modules/contrib/uuidd.if
index 6e48653..e33ec25 100644
--- a/policy/modules/contrib/uuidd.if
+++ b/policy/modules/contrib/uuidd.if
@@ -181,10 +181,10 @@ interface(`uuidd_admin',`
allow $1 uuidd_t:process signal_perms;
ps_process_pattern($1, uuidd_t)
- uuidd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 uuidd_initrc_exec_t system_r;
- allow $2 system_r;
+ #uuidd_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 uuidd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, uuidd_var_lib_t)
diff --git a/policy/modules/contrib/varnishd.if b/policy/modules/contrib/varnishd.if
index 1c35171..636c20d 100644
--- a/policy/modules/contrib/varnishd.if
+++ b/policy/modules/contrib/varnishd.if
@@ -160,10 +160,10 @@ interface(`varnishd_admin_varnishlog',`
allow $1 varnishlog_t:process { ptrace signal_perms };
ps_process_pattern($1, varnishlog_t)
- init_labeled_script_domtrans($1, varnishlog_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 varnishlog_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, varnishlog_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 varnishlog_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_pids($1)
admin_pattern($1, varnishlog_var_run_t)
@@ -199,10 +199,10 @@ interface(`varnishd_admin',`
allow $1 varnishd_t:process { ptrace signal_perms };
ps_process_pattern($1, varnishd_t)
- init_labeled_script_domtrans($1, varnishd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 varnishd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, varnishd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 varnishd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_var_lib($1)
admin_pattern($1, varnishd_var_lib_t)
diff --git a/policy/modules/contrib/vdagent.if b/policy/modules/contrib/vdagent.if
index 31c752e..5d3b76c 100644
--- a/policy/modules/contrib/vdagent.if
+++ b/policy/modules/contrib/vdagent.if
@@ -121,10 +121,10 @@ interface(`vdagent_admin',`
allow $1 vdagent_t:process signal_perms;
ps_process_pattern($1, vdagent_t)
- init_labeled_script_domtrans($1, vdagentd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 vdagentd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, vdagentd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 vdagentd_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, vdagent_log_t)
diff --git a/policy/modules/contrib/vhostmd.if b/policy/modules/contrib/vhostmd.if
index 22edd58..0055667 100644
--- a/policy/modules/contrib/vhostmd.if
+++ b/policy/modules/contrib/vhostmd.if
@@ -219,10 +219,10 @@ interface(`vhostmd_admin',`
allow $1 vhostmd_t:process { ptrace signal_perms };
ps_process_pattern($1, vhostmd_t)
- vhostmd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 vhostmd_initrc_exec_t system_r;
- allow $2 system_r;
+ #vhostmd_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 vhostmd_initrc_exec_t system_r;
+ #allow $2 system_r;
fs_search_tmpfs($1)
admin_pattern($1, vhostmd_tmpfs_t)
diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if
index 7c97c87..4f531b9 100644
--- a/policy/modules/contrib/virt.if
+++ b/policy/modules/contrib/virt.if
@@ -1176,10 +1176,10 @@ interface(`virt_admin',`
ps_process_pattern($1, { virt_domain svirt_lxc_domain virtd_t })
ps_process_pattern($1, { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t })
- init_labeled_script_domtrans($1, virtd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 virtd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, virtd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 virtd_initrc_exec_t system_r;
+ #allow $2 system_r;
fs_search_tmpfs($1)
admin_pattern($1, virt_tmpfs_type)
diff --git a/policy/modules/contrib/vnstatd.if b/policy/modules/contrib/vnstatd.if
index 137ac44..99bddf4 100644
--- a/policy/modules/contrib/vnstatd.if
+++ b/policy/modules/contrib/vnstatd.if
@@ -168,10 +168,10 @@ interface(`vnstatd_admin',`
allow $1 vnstatd_t:process { ptrace signal_perms };
ps_process_pattern($1, vnstatd_t)
- init_labeled_script_domtrans($1, vnstatd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 vnstatd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, vnstatd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 vnstatd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, vnstatd_var_run_t)
diff --git a/policy/modules/contrib/watchdog.if b/policy/modules/contrib/watchdog.if
index 6461a77..44a1a7c 100644
--- a/policy/modules/contrib/watchdog.if
+++ b/policy/modules/contrib/watchdog.if
@@ -26,10 +26,10 @@ interface(`watchdog_admin',`
allow $1 watchdog_t:process { ptrace signal_perms };
ps_process_pattern($1, watchdog_t)
- init_labeled_script_domtrans($1, watchdog_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 watchdog_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, watchdog_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 watchdog_initrc_exec_t system_r;
+ #allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, watchdog_log_t)
diff --git a/policy/modules/contrib/wdmd.if b/policy/modules/contrib/wdmd.if
index 1e3aec0..553b69a 100644
--- a/policy/modules/contrib/wdmd.if
+++ b/policy/modules/contrib/wdmd.if
@@ -45,10 +45,10 @@ interface(`wdmd_admin',`
allow $1 wdmd_t:process { ptrace signal_perms };
ps_process_pattern($1, wdmd_t)
- init_labeled_script_domtrans($1, wdmd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 wdmd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, wdmd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 wdmd_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, wdmd_var_run_t)
diff --git a/policy/modules/contrib/xfs.if b/policy/modules/contrib/xfs.if
index 4570b86..3318873 100644
--- a/policy/modules/contrib/xfs.if
+++ b/policy/modules/contrib/xfs.if
@@ -84,10 +84,10 @@ interface(`xfs_admin',`
allow $1 xfs_t:process { ptrace signal_perms };
ps_process_pattern($1, xfs_t)
- init_labeled_script_domtrans($1, xfs_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 xfs_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, xfs_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 xfs_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_pids($1)
admin_pattern($1, xfs_var_run_t)
diff --git a/policy/modules/contrib/zabbix.if b/policy/modules/contrib/zabbix.if
index 29d87d7..0a75b8a 100644
--- a/policy/modules/contrib/zabbix.if
+++ b/policy/modules/contrib/zabbix.if
@@ -146,10 +146,10 @@ interface(`zabbix_admin',`
allow $1 { zabbix_t zabbix_agent_t }:process { ptrace signal_perms };
ps_process_pattern($1, { zabbix_t zabbix_agent_t })
- init_labeled_script_domtrans($1, { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t } system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t })
+ #domain_system_change_exemption($1)
+ #role_transition $2 { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t } system_r;
+ #allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, zabbix_log_t)
diff --git a/policy/modules/contrib/zarafa.if b/policy/modules/contrib/zarafa.if
index 83b4ca5..d2245ae 100644
--- a/policy/modules/contrib/zarafa.if
+++ b/policy/modules/contrib/zarafa.if
@@ -152,10 +152,10 @@ interface(`zarafa_admin',`
allow $1 zarafa_domain:process { ptrace signal_perms };
ps_process_pattern($1, zarafa_domain)
- init_labeled_script_domtrans($1, zarafa_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 zarafa_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, zarafa_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 zarafa_initrc_exec_t system_r;
+ #allow $2 system_r;
files_search_etc($1)
admin_pattern($1, zarafa_etc_t)
diff --git a/policy/modules/contrib/zebra.if b/policy/modules/contrib/zebra.if
index 3416401..33aa2ed 100644
--- a/policy/modules/contrib/zebra.if
+++ b/policy/modules/contrib/zebra.if
@@ -69,10 +69,10 @@ interface(`zebra_admin',`
allow $1 zebra_t:process { ptrace signal_perms };
ps_process_pattern($1, zebra_t)
- init_labeled_script_domtrans($1, zebra_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 zebra_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, zebra_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 zebra_initrc_exec_t system_r;
+ #allow $2 system_r;
files_list_etc($1)
admin_pattern($1, zebra_conf_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-07-02 18:07 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-07-02 18:07 UTC (permalink / raw
To: gentoo-commits
commit: dfac21413962d786be190c1cc9063ee00ea76001
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Jul 2 17:05:54 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jul 2 17:07:04 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dfac2141
android: dontaudit because it is noisy in /proc
policy/modules/contrib/android.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
index 08f3c83..a76061f 100644
--- a/policy/modules/contrib/android.te
+++ b/policy/modules/contrib/android.te
@@ -91,6 +91,8 @@ corenet_tcp_connect_adb_port(android_tools_t)
corenet_tcp_connect_http_port(android_tools_t)
corenet_udp_bind_generic_node(android_java_t)
+domain_dontaudit_getattr_all_domains(android_java_t)
+
miscfiles_read_fonts(android_java_t)
miscfiles_read_localization(android_java_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-07-02 18:07 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-07-02 18:07 UTC (permalink / raw
To: gentoo-commits
commit: 66e018165d78d4128923e5211b7d63137ac121e6
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Jul 1 17:11:05 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Jul 1 17:11:05 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=66e01816
Recent salt-minion require setsched/getsched and sys_nice, otherwise process just stalls and cannot be connected to by the master
policy/modules/contrib/salt.te | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 554e927..89995ce 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -207,9 +207,9 @@ tunable_policy(`salt_master_read_nfs',`
# salt_minion_t policy
#
-allow salt_minion_t self:capability { fsetid chown dac_override dac_read_search net_admin setgid setuid sys_admin sys_tty_config };
+allow salt_minion_t self:capability { fsetid chown dac_override dac_read_search net_admin setgid setuid sys_admin sys_nice sys_tty_config };
allow salt_minion_t self:capability2 block_suspend;
-allow salt_minion_t self:process { signal signull };
+allow salt_minion_t self:process { getsched setsched signal signull };
allow salt_minion_t self:tcp_socket create_stream_socket_perms;
allow salt_minion_t self:udp_socket create_socket_perms;
allow salt_minion_t self:unix_dgram_socket create_socket_perms;
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-07-02 18:07 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-07-02 18:07 UTC (permalink / raw
To: gentoo-commits
commit: ebfa09de178fd10f0b853b65548a255aaa3a777f
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jun 20 12:11:18 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jul 2 17:07:04 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ebfa09de
consolekit: needs to be able to chown dev nodes
policy/modules/contrib/consolekit.te | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index 050c5c5..a7506c1 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -147,3 +147,12 @@ optional_policy(`
optional_policy(`
unconfined_stream_connect(consolekit_t)
')
+
+ifdef(`distro_gentoo',`
+ # consolekit needs to be able to chown /dev nodes when logging in
+ dev_setattr_all_chr_files(consolekit_t)
+
+ optional_policy(`
+ udev_read_pid_files(consolekit_t)
+ ')
+')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-07-02 18:07 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-07-02 18:07 UTC (permalink / raw
To: gentoo-commits
commit: ffab4e60223f7e4c8a8fbb2995a4c468e902a278
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jun 27 15:02:57 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jun 27 15:02:57 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ffab4e60
Gentoo has chronyd keyfile by default in /etc/chrony/
policy/modules/contrib/chronyd.fc | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/chronyd.fc b/policy/modules/contrib/chronyd.fc
index 4e4143e..fd5fbbb 100644
--- a/policy/modules/contrib/chronyd.fc
+++ b/policy/modules/contrib/chronyd.fc
@@ -11,3 +11,7 @@
/var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0)
/var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0)
/var/run/chronyd\.sock -s gen_context(system_u:object_r:chronyd_var_run_t,s0)
+
+ifdef(`distro_gentoo',`
+/etc/chrony/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0)
+')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2015-07-02 17:07 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-07-02 18:07 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-07-02 18:07 UTC (permalink / raw
To: gentoo-commits
commit: c9df4e6221b8f12d1683350b6a729837e3f22ddc
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jun 20 13:01:05 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jul 2 17:07:04 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c9df4e62
consolekit: add suspend perms for ConsoleKit2
policy/modules/contrib/consolekit.te | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index a7506c1..1adb72e 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -155,4 +155,10 @@ ifdef(`distro_gentoo',`
optional_policy(`
udev_read_pid_files(consolekit_t)
')
+
+ # needs to write to sys for suspend
+ dev_rw_sysfs(consolekit_t)
+ optional_policy(`
+ devicekit_manage_log_files(consolekit_t)
+ ')
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-07-02 18:37 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-07-02 18:37 UTC (permalink / raw
To: gentoo-commits
commit: 5e553876568eeb34bd2611a377a9ce6fa8506494
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Jul 2 18:36:39 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jul 2 18:36:39 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5e553876
qemu: add policy for qemu-guest-agent
policy/modules/contrib/qemu.fc | 9 +++++++++
policy/modules/contrib/qemu.te | 35 +++++++++++++++++++++++++++++++++++
2 files changed, 44 insertions(+)
diff --git a/policy/modules/contrib/qemu.fc b/policy/modules/contrib/qemu.fc
index 86ea53c..f1304fb 100644
--- a/policy/modules/contrib/qemu.fc
+++ b/policy/modules/contrib/qemu.fc
@@ -4,3 +4,12 @@
/usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/bin/qemu-ga -- gen_context(system_u:object_r:qemu_ga_exec_t,s0)
+
+/var/log/qemu-ga.log -- gen_context(system_u:object_r:qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? -- gen_context(system_u:object_r:qemu_ga_log_t,s0)
+
+/var/run/qemu-ga.pid -- gen_context(system_u:object_r:qemu_ga_run_t,s0)
+')
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index cf647bb..73dd715 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -77,4 +77,39 @@ ifdef(`distro_gentoo',`
optional_policy(`
vde_connect(qemu_t)
')
+
+ #################################
+ #
+ # QEMU Guest Agent policy
+ #
+ type qemu_ga_t;
+ type qemu_ga_exec_t;
+ init_system_domain(qemu_ga_t, qemu_ga_exec_t)
+
+ type qemu_ga_log_t;
+ logging_log_file(qemu_ga_log_t)
+
+ type qemu_ga_run_t;
+ files_pid_file(qemu_ga_run_t)
+
+ allow qemu_ga_t self:capability sys_admin;
+ allow qemu_ga_t self:unix_dgram_socket create connect;
+
+ manage_dirs_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ append_files_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ create_files_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ setattr_files_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ logging_log_filetrans(qemu_ga_t, qemu_ga_log_t, { dir file })
+
+ allow qemu_ga_t qemu_ga_run_t:file manage_file_perms;
+ files_pid_filetrans(qemu_ga_t, qemu_ga_run_t, file)
+
+ corecmd_exec_bin(qemu_ga_t)
+ corecmd_exec_shell(qemu_ga_t)
+
+ miscfiles_read_localization(qemu_ga_t)
+
+ userdom_use_user_terminals(qemu_ga_t)
+
+ term_use_virtio_console(qemu_ga_t)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-07-02 19:28 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-07-02 19:28 UTC (permalink / raw
To: gentoo-commits
commit: cb74ab5588b3c5b8575ca0a8ba933dc52f7c249a
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Jul 2 18:36:39 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jul 2 19:28:18 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cb74ab55
qemu: add policy for qemu-guest-agent
policy/modules/contrib/qemu.fc | 9 +++++++++
policy/modules/contrib/qemu.te | 35 +++++++++++++++++++++++++++++++++++
2 files changed, 44 insertions(+)
diff --git a/policy/modules/contrib/qemu.fc b/policy/modules/contrib/qemu.fc
index 86ea53c..f1304fb 100644
--- a/policy/modules/contrib/qemu.fc
+++ b/policy/modules/contrib/qemu.fc
@@ -4,3 +4,12 @@
/usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/bin/qemu-ga -- gen_context(system_u:object_r:qemu_ga_exec_t,s0)
+
+/var/log/qemu-ga.log -- gen_context(system_u:object_r:qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? -- gen_context(system_u:object_r:qemu_ga_log_t,s0)
+
+/var/run/qemu-ga.pid -- gen_context(system_u:object_r:qemu_ga_run_t,s0)
+')
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index cf647bb..136f6f3 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -77,4 +77,39 @@ ifdef(`distro_gentoo',`
optional_policy(`
vde_connect(qemu_t)
')
+
+ #################################
+ #
+ # QEMU Guest Agent policy
+ #
+ type qemu_ga_t;
+ type qemu_ga_exec_t;
+ init_system_domain(qemu_ga_t, qemu_ga_exec_t)
+
+ type qemu_ga_log_t;
+ logging_log_file(qemu_ga_log_t)
+
+ type qemu_ga_run_t;
+ files_pid_file(qemu_ga_run_t)
+
+ allow qemu_ga_t self:capability sys_admin;
+ allow qemu_ga_t self:unix_dgram_socket create_socket_perms;
+
+ manage_dirs_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ append_files_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ create_files_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ setattr_files_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ logging_log_filetrans(qemu_ga_t, qemu_ga_log_t, { dir file })
+
+ allow qemu_ga_t qemu_ga_run_t:file manage_file_perms;
+ files_pid_filetrans(qemu_ga_t, qemu_ga_run_t, file)
+
+ corecmd_exec_bin(qemu_ga_t)
+ corecmd_exec_shell(qemu_ga_t)
+
+ miscfiles_read_localization(qemu_ga_t)
+
+ userdom_use_user_terminals(qemu_ga_t)
+
+ term_use_virtio_console(qemu_ga_t)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-07-11 19:52 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-07-11 19:52 UTC (permalink / raw
To: gentoo-commits
commit: c28c751821b9d75b38f0c89a070be2de09a26604
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Jul 2 18:36:39 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jul 11 09:29:04 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c28c7518
qemu: add policy for qemu-guest-agent
policy/modules/contrib/qemu.fc | 9 +++++++++
policy/modules/contrib/qemu.te | 35 +++++++++++++++++++++++++++++++++++
2 files changed, 44 insertions(+)
diff --git a/policy/modules/contrib/qemu.fc b/policy/modules/contrib/qemu.fc
index 86ea53c..f1304fb 100644
--- a/policy/modules/contrib/qemu.fc
+++ b/policy/modules/contrib/qemu.fc
@@ -4,3 +4,12 @@
/usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/bin/qemu-ga -- gen_context(system_u:object_r:qemu_ga_exec_t,s0)
+
+/var/log/qemu-ga.log -- gen_context(system_u:object_r:qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? -- gen_context(system_u:object_r:qemu_ga_log_t,s0)
+
+/var/run/qemu-ga.pid -- gen_context(system_u:object_r:qemu_ga_run_t,s0)
+')
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index cf647bb..136f6f3 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -77,4 +77,39 @@ ifdef(`distro_gentoo',`
optional_policy(`
vde_connect(qemu_t)
')
+
+ #################################
+ #
+ # QEMU Guest Agent policy
+ #
+ type qemu_ga_t;
+ type qemu_ga_exec_t;
+ init_system_domain(qemu_ga_t, qemu_ga_exec_t)
+
+ type qemu_ga_log_t;
+ logging_log_file(qemu_ga_log_t)
+
+ type qemu_ga_run_t;
+ files_pid_file(qemu_ga_run_t)
+
+ allow qemu_ga_t self:capability sys_admin;
+ allow qemu_ga_t self:unix_dgram_socket create_socket_perms;
+
+ manage_dirs_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ append_files_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ create_files_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ setattr_files_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ logging_log_filetrans(qemu_ga_t, qemu_ga_log_t, { dir file })
+
+ allow qemu_ga_t qemu_ga_run_t:file manage_file_perms;
+ files_pid_filetrans(qemu_ga_t, qemu_ga_run_t, file)
+
+ corecmd_exec_bin(qemu_ga_t)
+ corecmd_exec_shell(qemu_ga_t)
+
+ miscfiles_read_localization(qemu_ga_t)
+
+ userdom_use_user_terminals(qemu_ga_t)
+
+ term_use_virtio_console(qemu_ga_t)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-07-11 19:52 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-07-11 19:52 UTC (permalink / raw
To: gentoo-commits
commit: 5296c2b1094c7426469ece96dd90387022c83ec9
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jul 11 18:41:39 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jul 11 18:41:39 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5296c2b1
sysstat: exec shell and read logs
The cron entry runs a shell script and needs to be able to read
its logs
type=AVC msg=audit(1436639401.545:833311): avc: denied { read } for
pid=10340 comm="sa1" path="/bin/bash" dev="md3" ino=14263160
scontext=system_u:system_r:sysstat_t
tcontext=system_u:object_r:shell_exec_t tclass=file
type=SYSCALL msg=audit(1436639401.545:833311): arch=c000003e syscall=10
success=yes exit=0 a0=d9545b6e000 a1=3000 a2=1 a3=76a19c4ec148 items=0
ppid=10330 pid=10340 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=1211 comm="sa1" exe="/bin/bash"
subj=system_u:system_r:sysstat_t key=(null)
type=AVC msg=audit(1436639401.549:833312): avc: denied { read } for
pid=10340 comm="sadc" name="sa12" dev="md3" ino=9183233
scontext=system_u:system_r:sysstat_t
tcontext=system_u:object_r:sysstat_log_t tclass=file
policy/modules/contrib/sysstat.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/sysstat.te b/policy/modules/contrib/sysstat.te
index fd167ee..65da9ae 100644
--- a/policy/modules/contrib/sysstat.te
+++ b/policy/modules/contrib/sysstat.te
@@ -67,3 +67,8 @@ userdom_dontaudit_list_user_home_dirs(sysstat_t)
optional_policy(`
cron_system_entry(sysstat_t, sysstat_exec_t)
')
+
+ifdef(`distro_gentoo',`
+ corecmd_exec_shell(sysstat_t)
+ read_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-07-11 19:52 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-07-11 19:52 UTC (permalink / raw
To: gentoo-commits
commit: 68f348699a16ed79e25f29fc78a6e6a14c02b275
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Jul 7 14:11:38 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jul 7 14:11:38 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=68f34869
Add setsched/getsched to salt_master_t
The salt master daemon also requires the getsched/setsched permissions
(like added for salt_minion_t in the past) as otherwise the master
daemon is defunct and all connections to it are stalled.
policy/modules/contrib/salt.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 89995ce..576d424 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -101,7 +101,7 @@ files_pid_file(salt_var_run_t)
allow salt_master_t self:capability { net_admin sys_admin sys_tty_config };
allow salt_master_t self:capability2 block_suspend;
-allow salt_master_t self:process signal;
+allow salt_master_t self:process { getsched setschd signal };
allow salt_master_t self:tcp_socket create_stream_socket_perms;
allow salt_master_t self:udp_socket create_socket_perms;
allow salt_master_t self:fifo_file rw_fifo_file_perms;
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-07-11 19:52 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-07-11 19:52 UTC (permalink / raw
To: gentoo-commits
commit: 1fe4a68fc6e8a979fb6db744109500bf32f8283b
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Jul 7 14:38:57 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jul 7 14:38:57 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1fe4a68f
Salt minion uses blkid for mount info
To view the mount state information, salt minion calls the blkid binary.
policy/modules/contrib/salt.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 576d424..00d1931 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -284,6 +284,8 @@ files_manage_all_non_security_file_types(salt_minion_t)
fs_getattr_all_fs(salt_minion_t)
+fstools_domtrans(salt_minion_t)
+
getty_use_fds(salt_minion_t)
init_exec_rc(salt_minion_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-07-11 19:52 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-07-11 19:52 UTC (permalink / raw
To: gentoo-commits
commit: 70f80e75e0d49c1c26d4887b8613c60dd5311866
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jul 11 14:56:08 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jul 11 14:56:08 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=70f80e75
Introduce policy for subsonic music server
policy/modules/contrib/subsonic.fc | 6 +++++
policy/modules/contrib/subsonic.if | 1 +
policy/modules/contrib/subsonic.te | 48 ++++++++++++++++++++++++++++++++++++++
3 files changed, 55 insertions(+)
diff --git a/policy/modules/contrib/subsonic.fc b/policy/modules/contrib/subsonic.fc
new file mode 100644
index 0000000..b1d2550
--- /dev/null
+++ b/policy/modules/contrib/subsonic.fc
@@ -0,0 +1,6 @@
+
+/usr/bin/subsonic -- gen_context(system_u:object_r:subsonic_exec_t,s0)
+
+/var/lib/subsonic(/.*)? gen_context(system_u:object_r:subsonic_var_lib_t,s0)
+
+/var/run/subsonic(/.*)? gen_context(system_u:object_r:subsonic_run_t,s0)
diff --git a/policy/modules/contrib/subsonic.if b/policy/modules/contrib/subsonic.if
new file mode 100644
index 0000000..97e7342
--- /dev/null
+++ b/policy/modules/contrib/subsonic.if
@@ -0,0 +1 @@
+## <summary>Subsonic Music Streaming Server</summary>
diff --git a/policy/modules/contrib/subsonic.te b/policy/modules/contrib/subsonic.te
new file mode 100644
index 0000000..cb0c5ac
--- /dev/null
+++ b/policy/modules/contrib/subsonic.te
@@ -0,0 +1,48 @@
+policy_module(subsonic, 0.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type subsonic_t;
+type subsonic_exec_t;
+init_daemon_domain(subsonic_t, subsonic_exec_t)
+
+type subsonic_var_lib_t;
+files_type(subsonic_var_lib_t)
+
+type subsonic_run_t;
+files_pid_file(subsonic_run_t)
+
+##############################
+#
+# Subsonic local policy
+#
+
+allow subsonic_t self:tcp_socket listen;
+
+java_domain_type(subsonic_t)
+
+kernel_dontaudit_list_all_proc(subsonic_t)
+
+manage_dirs_pattern(subsonic_t, subsonic_run_t, subsonic_run_t)
+manage_files_pattern(subsonic_t, subsonic_run_t, subsonic_run_t)
+files_pid_filetrans(subsonic_t, subsonic_run_t, dir)
+
+manage_dirs_pattern(subsonic_t, subsonic_var_lib_t, subsonic_var_lib_t)
+manage_files_pattern(subsonic_t, subsonic_var_lib_t, subsonic_var_lib_t)
+files_var_lib_filetrans(subsonic_t, subsonic_var_lib_t, dir)
+
+corecmd_exec_bin(subsonic_t)
+corecmd_exec_shell(subsonic_t)
+
+corenet_tcp_bind_all_unreserved_ports(subsonic_t)
+corenet_tcp_bind_generic_node(subsonic_t)
+corenet_tcp_connect_http_port(subsonic_t)
+
+domain_use_interactive_fds(subsonic_t)
+
+optional_policy(`
+ miscfiles_read_public_files(subsonic_t)
+')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-07-11 19:52 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-07-11 19:52 UTC (permalink / raw
To: gentoo-commits
commit: 07550bf0f108ce01887245680ffb1693a2f43b95
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jul 11 19:44:51 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jul 11 19:44:51 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=07550bf0
vnstatd: user terminals and sysfs
needs to read sysfs to enumerate the network interfaces to update
and needs to use user terminals to output.
policy/modules/contrib/vnstatd.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/vnstatd.te b/policy/modules/contrib/vnstatd.te
index 79351c4..9630fe9 100644
--- a/policy/modules/contrib/vnstatd.te
+++ b/policy/modules/contrib/vnstatd.te
@@ -84,3 +84,8 @@ miscfiles_read_localization(vnstat_t)
optional_policy(`
cron_system_entry(vnstat_t, vnstat_exec_t)
')
+
+ifdef(`distro_gentoo',`
+ dev_read_sysfs(vnstat_t)
+ userdom_use_user_terminals(vnstat_t)
+')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-07-11 19:55 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-07-11 19:55 UTC (permalink / raw
To: gentoo-commits
commit: 719bb6fcfab49d6630c0b893ccfe0337b9866e74
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jul 11 19:44:51 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jul 11 19:54:20 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=719bb6fc
vnstatd: allow user terminals and sysfs
needs to read sysfs to enumerate the network interfaces to update
and needs to use user terminals to output.
type=AVC msg=audit(1436643487.611:833572): avc: denied { read } for
pid=13632 comm="vnstat" name="bond0" dev="sysfs" ino=18625
scontext=staff_u:sysadm_r:vnstat_t tcontext=system_u:object_r:sysfs_t
tclass=lnk_file
type=AVC msg=audit(1436643691.358:833596): avc: denied { read write }
for pid=13802 comm="vnstat" path="/dev/pts/5" dev="devpts" ino=8
scontext=staff_u:sysadm_r:vnstat_t
tcontext=staff_u:object_r:user_devpts_t tclass=chr_file
policy/modules/contrib/vnstatd.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/vnstatd.te b/policy/modules/contrib/vnstatd.te
index 79351c4..9630fe9 100644
--- a/policy/modules/contrib/vnstatd.te
+++ b/policy/modules/contrib/vnstatd.te
@@ -84,3 +84,8 @@ miscfiles_read_localization(vnstat_t)
optional_policy(`
cron_system_entry(vnstat_t, vnstat_exec_t)
')
+
+ifdef(`distro_gentoo',`
+ dev_read_sysfs(vnstat_t)
+ userdom_use_user_terminals(vnstat_t)
+')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-07-11 19:57 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-07-11 19:57 UTC (permalink / raw
To: gentoo-commits
commit: d86d22c76f9b27c117a3a2d14539ca2ac23fb8a4
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jul 11 14:56:08 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jul 11 19:56:34 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d86d22c7
Introduce policy for subsonic music server
policy/modules/contrib/subsonic.fc | 6 +++++
policy/modules/contrib/subsonic.if | 1 +
policy/modules/contrib/subsonic.te | 48 ++++++++++++++++++++++++++++++++++++++
3 files changed, 55 insertions(+)
diff --git a/policy/modules/contrib/subsonic.fc b/policy/modules/contrib/subsonic.fc
new file mode 100644
index 0000000..b1d2550
--- /dev/null
+++ b/policy/modules/contrib/subsonic.fc
@@ -0,0 +1,6 @@
+
+/usr/bin/subsonic -- gen_context(system_u:object_r:subsonic_exec_t,s0)
+
+/var/lib/subsonic(/.*)? gen_context(system_u:object_r:subsonic_var_lib_t,s0)
+
+/var/run/subsonic(/.*)? gen_context(system_u:object_r:subsonic_run_t,s0)
diff --git a/policy/modules/contrib/subsonic.if b/policy/modules/contrib/subsonic.if
new file mode 100644
index 0000000..97e7342
--- /dev/null
+++ b/policy/modules/contrib/subsonic.if
@@ -0,0 +1 @@
+## <summary>Subsonic Music Streaming Server</summary>
diff --git a/policy/modules/contrib/subsonic.te b/policy/modules/contrib/subsonic.te
new file mode 100644
index 0000000..cb0c5ac
--- /dev/null
+++ b/policy/modules/contrib/subsonic.te
@@ -0,0 +1,48 @@
+policy_module(subsonic, 0.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type subsonic_t;
+type subsonic_exec_t;
+init_daemon_domain(subsonic_t, subsonic_exec_t)
+
+type subsonic_var_lib_t;
+files_type(subsonic_var_lib_t)
+
+type subsonic_run_t;
+files_pid_file(subsonic_run_t)
+
+##############################
+#
+# Subsonic local policy
+#
+
+allow subsonic_t self:tcp_socket listen;
+
+java_domain_type(subsonic_t)
+
+kernel_dontaudit_list_all_proc(subsonic_t)
+
+manage_dirs_pattern(subsonic_t, subsonic_run_t, subsonic_run_t)
+manage_files_pattern(subsonic_t, subsonic_run_t, subsonic_run_t)
+files_pid_filetrans(subsonic_t, subsonic_run_t, dir)
+
+manage_dirs_pattern(subsonic_t, subsonic_var_lib_t, subsonic_var_lib_t)
+manage_files_pattern(subsonic_t, subsonic_var_lib_t, subsonic_var_lib_t)
+files_var_lib_filetrans(subsonic_t, subsonic_var_lib_t, dir)
+
+corecmd_exec_bin(subsonic_t)
+corecmd_exec_shell(subsonic_t)
+
+corenet_tcp_bind_all_unreserved_ports(subsonic_t)
+corenet_tcp_bind_generic_node(subsonic_t)
+corenet_tcp_connect_http_port(subsonic_t)
+
+domain_use_interactive_fds(subsonic_t)
+
+optional_policy(`
+ miscfiles_read_public_files(subsonic_t)
+')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-07-11 19:57 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-07-11 19:57 UTC (permalink / raw
To: gentoo-commits
commit: e65a2857d90b4c7be249a89b7571e3a2215d9111
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jul 11 13:43:52 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jul 11 13:43:52 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e65a2857
Fix typo
policy/modules/contrib/salt.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 00d1931..ab19bf7 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -101,7 +101,7 @@ files_pid_file(salt_var_run_t)
allow salt_master_t self:capability { net_admin sys_admin sys_tty_config };
allow salt_master_t self:capability2 block_suspend;
-allow salt_master_t self:process { getsched setschd signal };
+allow salt_master_t self:process { getsched setsched signal };
allow salt_master_t self:tcp_socket create_stream_socket_perms;
allow salt_master_t self:udp_socket create_socket_perms;
allow salt_master_t self:fifo_file rw_fifo_file_perms;
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-07-11 19:57 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-07-11 19:57 UTC (permalink / raw
To: gentoo-commits
commit: f03e69fce25a75b8c41d3ca79ea48e7792cd9589
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jul 11 18:41:39 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jul 11 19:56:34 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f03e69fc
sysstat: exec shell and read logs
The cron entry runs a shell script and needs to be able to read
its logs
type=AVC msg=audit(1436639401.545:833311): avc: denied { read } for
pid=10340 comm="sa1" path="/bin/bash" dev="md3" ino=14263160
scontext=system_u:system_r:sysstat_t
tcontext=system_u:object_r:shell_exec_t tclass=file
type=SYSCALL msg=audit(1436639401.545:833311): arch=c000003e syscall=10
success=yes exit=0 a0=d9545b6e000 a1=3000 a2=1 a3=76a19c4ec148 items=0
ppid=10330 pid=10340 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=1211 comm="sa1" exe="/bin/bash"
subj=system_u:system_r:sysstat_t key=(null)
type=AVC msg=audit(1436639401.549:833312): avc: denied { read } for
pid=10340 comm="sadc" name="sa12" dev="md3" ino=9183233
scontext=system_u:system_r:sysstat_t
tcontext=system_u:object_r:sysstat_log_t tclass=file
policy/modules/contrib/sysstat.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/sysstat.te b/policy/modules/contrib/sysstat.te
index fd167ee..65da9ae 100644
--- a/policy/modules/contrib/sysstat.te
+++ b/policy/modules/contrib/sysstat.te
@@ -67,3 +67,8 @@ userdom_dontaudit_list_user_home_dirs(sysstat_t)
optional_policy(`
cron_system_entry(sysstat_t, sysstat_exec_t)
')
+
+ifdef(`distro_gentoo',`
+ corecmd_exec_shell(sysstat_t)
+ read_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-07-11 19:57 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-07-11 19:57 UTC (permalink / raw
To: gentoo-commits
commit: e5345f67796ea3454d2804890dea251852173910
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jul 11 19:44:51 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jul 11 19:56:34 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e5345f67
vnstatd: allow user terminals and sysfs
needs to read sysfs to enumerate the network interfaces to update
and needs to use user terminals to output.
type=AVC msg=audit(1436643487.611:833572): avc: denied { read } for
pid=13632 comm="vnstat" name="bond0" dev="sysfs" ino=18625
scontext=staff_u:sysadm_r:vnstat_t tcontext=system_u:object_r:sysfs_t
tclass=lnk_file
type=AVC msg=audit(1436643691.358:833596): avc: denied { read write }
for pid=13802 comm="vnstat" path="/dev/pts/5" dev="devpts" ino=8
scontext=staff_u:sysadm_r:vnstat_t
tcontext=staff_u:object_r:user_devpts_t tclass=chr_file
policy/modules/contrib/vnstatd.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/vnstatd.te b/policy/modules/contrib/vnstatd.te
index 79351c4..9630fe9 100644
--- a/policy/modules/contrib/vnstatd.te
+++ b/policy/modules/contrib/vnstatd.te
@@ -84,3 +84,8 @@ miscfiles_read_localization(vnstat_t)
optional_policy(`
cron_system_entry(vnstat_t, vnstat_exec_t)
')
+
+ifdef(`distro_gentoo',`
+ dev_read_sysfs(vnstat_t)
+ userdom_use_user_terminals(vnstat_t)
+')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-07-11 19:57 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-07-11 19:57 UTC (permalink / raw
To: gentoo-commits
commit: 10ccec942a6f7f098c10ee7fe65a80e6d2374f8f
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Jul 2 18:36:39 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jul 11 19:56:34 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=10ccec94
qemu: add policy for qemu-guest-agent
policy/modules/contrib/qemu.fc | 9 +++++++++
policy/modules/contrib/qemu.te | 35 +++++++++++++++++++++++++++++++++++
2 files changed, 44 insertions(+)
diff --git a/policy/modules/contrib/qemu.fc b/policy/modules/contrib/qemu.fc
index 86ea53c..f1304fb 100644
--- a/policy/modules/contrib/qemu.fc
+++ b/policy/modules/contrib/qemu.fc
@@ -4,3 +4,12 @@
/usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/bin/qemu-ga -- gen_context(system_u:object_r:qemu_ga_exec_t,s0)
+
+/var/log/qemu-ga.log -- gen_context(system_u:object_r:qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? -- gen_context(system_u:object_r:qemu_ga_log_t,s0)
+
+/var/run/qemu-ga.pid -- gen_context(system_u:object_r:qemu_ga_run_t,s0)
+')
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index cf647bb..136f6f3 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -77,4 +77,39 @@ ifdef(`distro_gentoo',`
optional_policy(`
vde_connect(qemu_t)
')
+
+ #################################
+ #
+ # QEMU Guest Agent policy
+ #
+ type qemu_ga_t;
+ type qemu_ga_exec_t;
+ init_system_domain(qemu_ga_t, qemu_ga_exec_t)
+
+ type qemu_ga_log_t;
+ logging_log_file(qemu_ga_log_t)
+
+ type qemu_ga_run_t;
+ files_pid_file(qemu_ga_run_t)
+
+ allow qemu_ga_t self:capability sys_admin;
+ allow qemu_ga_t self:unix_dgram_socket create_socket_perms;
+
+ manage_dirs_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ append_files_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ create_files_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ setattr_files_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ logging_log_filetrans(qemu_ga_t, qemu_ga_log_t, { dir file })
+
+ allow qemu_ga_t qemu_ga_run_t:file manage_file_perms;
+ files_pid_filetrans(qemu_ga_t, qemu_ga_run_t, file)
+
+ corecmd_exec_bin(qemu_ga_t)
+ corecmd_exec_shell(qemu_ga_t)
+
+ miscfiles_read_localization(qemu_ga_t)
+
+ userdom_use_user_terminals(qemu_ga_t)
+
+ term_use_virtio_console(qemu_ga_t)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-07-13 21:45 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-07-13 21:45 UTC (permalink / raw
To: gentoo-commits
commit: 0f47d840e764a60842d65f2e641283936946d2c7
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jul 11 19:44:51 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jul 13 21:43:34 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0f47d840
vnstatd: allow user terminals and sysfs
needs to read sysfs to enumerate the network interfaces to update
and needs to use user terminals to output.
type=AVC msg=audit(1436643487.611:833572): avc: denied { read } for
pid=13632 comm="vnstat" name="bond0" dev="sysfs" ino=18625
scontext=staff_u:sysadm_r:vnstat_t tcontext=system_u:object_r:sysfs_t
tclass=lnk_file
type=AVC msg=audit(1436643691.358:833596): avc: denied { read write }
for pid=13802 comm="vnstat" path="/dev/pts/5" dev="devpts" ino=8
scontext=staff_u:sysadm_r:vnstat_t
tcontext=staff_u:object_r:user_devpts_t tclass=chr_file
policy/modules/contrib/vnstatd.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/vnstatd.te b/policy/modules/contrib/vnstatd.te
index 79351c4..9630fe9 100644
--- a/policy/modules/contrib/vnstatd.te
+++ b/policy/modules/contrib/vnstatd.te
@@ -84,3 +84,8 @@ miscfiles_read_localization(vnstat_t)
optional_policy(`
cron_system_entry(vnstat_t, vnstat_exec_t)
')
+
+ifdef(`distro_gentoo',`
+ dev_read_sysfs(vnstat_t)
+ userdom_use_user_terminals(vnstat_t)
+')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-07-13 21:45 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-07-13 21:45 UTC (permalink / raw
To: gentoo-commits
commit: 8d39472678948b838904f31d1b3467b1fa427668
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Jul 13 19:47:28 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jul 13 20:59:50 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8d394726
Add portage_enable_test boolean for FEATURES=test
policy/modules/contrib/portage.te | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 2e8ab9e..2f62eb6 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -375,6 +375,13 @@ ifdef(`distro_gentoo',`
## </desc>
gen_tunable(portage_mount_fs, false)
+## <desc>
+## <p>
+## Extra rules which are sometimes needed when FEATURES=test is enabled
+## </p>
+## </desc>
+gen_tunable(portage_enable_test, false)
+
##########################################
#
@@ -388,7 +395,7 @@ gen_tunable(portage_mount_fs, false)
attribute portage_eselect_domain;
##########################################
- #
+ #
# Portage fetch local policy
#
@@ -476,6 +483,13 @@ gen_tunable(portage_mount_fs, false)
# install-xattr does listxattr() which throws a lot of this
dontaudit portage_sandbox_t self:capability sys_admin;
+ tunable_policy(`portage_enable_test',`
+ # lots of tests connect over loopback
+ corenet_tcp_bind_generic_node(portage_sandbox_t)
+ corenet_tcp_bind_all_unreserved_ports(portage_sandbox_t)
+ corenet_tcp_connect_all_unreserved_ports(portage_sandbox_t)
+ ')
+
##########################################
#
# Portage eselect module domain
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-07-13 21:45 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-07-13 21:45 UTC (permalink / raw
To: gentoo-commits
commit: fc4534a206e1c2508a77c087cb55212a0ecf1882
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Jul 2 18:36:39 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jul 13 21:43:34 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fc4534a2
qemu: add policy for qemu-guest-agent
policy/modules/contrib/qemu.fc | 9 +++++++++
policy/modules/contrib/qemu.te | 35 +++++++++++++++++++++++++++++++++++
2 files changed, 44 insertions(+)
diff --git a/policy/modules/contrib/qemu.fc b/policy/modules/contrib/qemu.fc
index 86ea53c..f1304fb 100644
--- a/policy/modules/contrib/qemu.fc
+++ b/policy/modules/contrib/qemu.fc
@@ -4,3 +4,12 @@
/usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/bin/qemu-ga -- gen_context(system_u:object_r:qemu_ga_exec_t,s0)
+
+/var/log/qemu-ga.log -- gen_context(system_u:object_r:qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? -- gen_context(system_u:object_r:qemu_ga_log_t,s0)
+
+/var/run/qemu-ga.pid -- gen_context(system_u:object_r:qemu_ga_run_t,s0)
+')
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index cf647bb..136f6f3 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -77,4 +77,39 @@ ifdef(`distro_gentoo',`
optional_policy(`
vde_connect(qemu_t)
')
+
+ #################################
+ #
+ # QEMU Guest Agent policy
+ #
+ type qemu_ga_t;
+ type qemu_ga_exec_t;
+ init_system_domain(qemu_ga_t, qemu_ga_exec_t)
+
+ type qemu_ga_log_t;
+ logging_log_file(qemu_ga_log_t)
+
+ type qemu_ga_run_t;
+ files_pid_file(qemu_ga_run_t)
+
+ allow qemu_ga_t self:capability sys_admin;
+ allow qemu_ga_t self:unix_dgram_socket create_socket_perms;
+
+ manage_dirs_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ append_files_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ create_files_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ setattr_files_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ logging_log_filetrans(qemu_ga_t, qemu_ga_log_t, { dir file })
+
+ allow qemu_ga_t qemu_ga_run_t:file manage_file_perms;
+ files_pid_filetrans(qemu_ga_t, qemu_ga_run_t, file)
+
+ corecmd_exec_bin(qemu_ga_t)
+ corecmd_exec_shell(qemu_ga_t)
+
+ miscfiles_read_localization(qemu_ga_t)
+
+ userdom_use_user_terminals(qemu_ga_t)
+
+ term_use_virtio_console(qemu_ga_t)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2015-07-13 21:45 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-07-13 21:45 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-07-13 21:45 UTC (permalink / raw
To: gentoo-commits
commit: 430ece6c0478072338d29aaff7f9d842c77b35b6
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jul 11 18:41:39 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jul 13 21:43:34 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=430ece6c
sysstat: exec shell and read logs
The cron entry runs a shell script and needs to be able to manage its
logs
type=AVC msg=audit(1436639401.545:833311): avc: denied { read } for pid=10340 comm="sa1" path="/bin/bash" dev="md3" ino=14263160 scontext=system_u:system_r:sysstat_t tcontext=system_u:object_r:shell_exec_t tclass=file
type=AVC msg=audit(1436639401.549:833312): avc: denied { read } for pid=10340 comm="sadc" name="sa12" dev="md3" ino=9183233 scontext=system_u:system_r:sysstat_t tcontext=system_u:object_r:sysstat_log_t tclass=file
type=AVC msg=audit(1436716381.830:836456): avc: denied { write } for pid=31504 comm="sa2" path="/var/log/sa/sar12" dev="md3" ino=9183238 scontext=system_u:system_r:sysstat_t tcontext=system_u:object_r:sysstat_log_t tclass=file
type=AVC msg=audit(1436716381.909:836457): avc: denied { unlink } for pid=31506 comm="rm" name="sar20" dev="md3" ino=9183237 scontext=system_u:system_r:sysstat_t tcontext=system_u:object_r:sysstat_log_t tclass=file
policy/modules/contrib/sysstat.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/sysstat.te b/policy/modules/contrib/sysstat.te
index fd167ee..c4af8d9 100644
--- a/policy/modules/contrib/sysstat.te
+++ b/policy/modules/contrib/sysstat.te
@@ -67,3 +67,8 @@ userdom_dontaudit_list_user_home_dirs(sysstat_t)
optional_policy(`
cron_system_entry(sysstat_t, sysstat_exec_t)
')
+
+ifdef(`distro_gentoo',`
+ corecmd_exec_shell(sysstat_t)
+ manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-07-13 21:45 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-07-13 21:45 UTC (permalink / raw
To: gentoo-commits
commit: e030706d32967b72aca1937437c3d81636f97f08
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Jul 13 17:40:59 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jul 13 17:40:59 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e030706d
Introduce Ceph policy
policy/modules/contrib/ceph.fc | 30 ++++++++++++
policy/modules/contrib/ceph.if | 104 +++++++++++++++++++++++++++++++++++++++++
policy/modules/contrib/ceph.te | 92 ++++++++++++++++++++++++++++++++++++
3 files changed, 226 insertions(+)
diff --git a/policy/modules/contrib/ceph.fc b/policy/modules/contrib/ceph.fc
new file mode 100644
index 0000000..1548b1e
--- /dev/null
+++ b/policy/modules/contrib/ceph.fc
@@ -0,0 +1,30 @@
+#
+# /etc
+#
+/etc/ceph(/.*)? gen_context(system_u:object_r:ceph_conf_t,s0)
+/etc/ceph/.*\.secret -- gen_context(system_u:object_r:ceph_key_t,s0)
+/etc/ceph/.*\.keyring -- gen_context(system_u:object_r:ceph_key_t,s0)
+/etc/rc\.d/init\.d/ceph.* gen_context(system_u:object_r:ceph_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/ceph-mds -- gen_context(system_u:object_r:ceph_mds_exec_t,s0)
+/usr/bin/ceph-mon -- gen_context(system_u:object_r:ceph_mon_exec_t,s0)
+/usr/bin/ceph-osd -- gen_context(system_u:object_r:ceph_osd_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/ceph(/.*)? gen_context(system_u:object_r:ceph_var_lib_t,s0)
+/var/lib/ceph/mds(/.*)? gen_context(system_u:object_r:ceph_mds_data_t,s0)
+/var/lib/ceph/mon(/.*)? gen_context(system_u:object_r:ceph_mon_data_t,s0)
+/var/lib/ceph/osd(/.*)? gen_context(system_u:object_r:ceph_osd_data_t,s0)
+
+/var/log/ceph(/.*)? gen_context(system_u:object_r:ceph_log_t,s0)
+
+/var/run/ceph -d gen_context(system_u:object_r:ceph_var_run_t,s0)
+/var/run/ceph/ceph-osd.* gen_context(system_u:object_r:ceph_osd_var_run_t,s0)
+/var/run/ceph/ceph-mon.* gen_context(system_u:object_r:ceph_mon_var_run_t,s0)
+/var/run/ceph/ceph-mds.* gen_context(system_u:object_r:ceph_mds_var_run_t,s0)
+/var/run/ceph/mds.* -- gen_context(system_u:object_r:ceph_mds_var_run_t,s0)
diff --git a/policy/modules/contrib/ceph.if b/policy/modules/contrib/ceph.if
new file mode 100644
index 0000000..26db16f
--- /dev/null
+++ b/policy/modules/contrib/ceph.if
@@ -0,0 +1,104 @@
+## <summary>Ceph distributed object storage</summary>
+
+#########################################
+## <summary>
+## Create the individual Ceph domains
+## </summary>
+## <param name="cephdaemon">
+## <summary>
+## The daemon (osd, mds or mon) for which the rules are created
+## </summary>
+## </param>
+#
+template(`ceph_domain_template',`
+ gen_require(`
+ attribute cephdomain;
+ attribute cephdata;
+ attribute cephpidfile;
+ attribute_role ceph_roles;
+
+ type ceph_var_run_t;
+ ')
+
+ type ceph_$1_t, cephdomain;
+ type ceph_$1_exec_t;
+ init_system_domain(ceph_$1_t, ceph_$1_exec_t)
+ role ceph_roles types ceph_$1_t;
+
+ type ceph_$1_data_t, cephdata;
+ files_type(ceph_$1_data_t)
+
+ type ceph_$1_var_run_t, cephpidfile;
+ files_pid_file(ceph_$1_var_run_t)
+
+ ########################################
+ #
+ # Local policy
+ #
+ # Rules which cannot be made part of the domain
+
+ allow ceph_$1_t ceph_$1_var_run_t:file manage_file_perms;
+ allow ceph_$1_t ceph_$1_var_run_t:sock_file manage_file_perms;
+ allow ceph_$1_t ceph_$1_data_t:dir manage_dir_perms;
+ allow ceph_$1_t ceph_$1_data_t:file manage_file_perms;
+
+ filetrans_pattern(ceph_$1_t, ceph_var_run_t, ceph_$1_var_run_t, { file sock_file })
+
+ files_var_lib_filetrans(ceph_$1_t, ceph_$1_data_t, { file dir })
+')
+
+#########################################
+## <summary>
+## Administrative access for Ceph
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`ceph_admin',`
+ gen_require(`
+ attribute cephdomain;
+ attribute cephdata;
+ type ceph_initrc_exec_t;
+ ')
+
+ allow $1 cephdomain:process { ptrace signal_perms };
+ ps_process_pattern($1, cephdomain)
+
+ init_startstop_service($1, $2, cephdomain, ceph_initrc_exec_t)
+ allow $1 ceph_initrc_exec_t:lnk_file read_lnk_file_perms;
+ allow $1 ceph_initrc_exec_t:file read_file_perms;
+
+ files_list_etc($1)
+ admin_pattern($1, ceph_conf_t)
+ admin_pattern($1, ceph_key_t)
+
+ admin_pattern($1, cephdata)
+
+ admin_pattern($1, ceph_log_t)
+')
+
+#########################################
+## <summary>
+## Read Ceph key files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`ceph_read_key',`
+ gen_require(`
+ type ceph_key_t;
+ ')
+
+ allow $1 ceph_key_t:file read_file_perms;
+')
diff --git a/policy/modules/contrib/ceph.te b/policy/modules/contrib/ceph.te
new file mode 100644
index 0000000..9704dd4
--- /dev/null
+++ b/policy/modules/contrib/ceph.te
@@ -0,0 +1,92 @@
+policy_module(ceph, 1.0)
+
+attribute_role ceph_roles;
+
+# Attribute for all ceph runtime domains (not clients)
+attribute cephdomain;
+
+# Attribute for the ceph runtime daemon data
+attribute cephdata;
+
+# Attribute for the ceph pidfile data
+attribute cephpidfile;
+
+# Init support
+type ceph_initrc_exec_t;
+init_script_file(ceph_initrc_exec_t)
+
+type ceph_conf_t;
+files_config_file(ceph_conf_t)
+
+# Private / shared keys for cephx support
+type ceph_key_t;
+files_type(ceph_key_t)
+
+type ceph_log_t;
+logging_log_file(ceph_log_t)
+
+type ceph_var_lib_t;
+files_type(ceph_var_lib_t)
+
+type ceph_var_run_t;
+files_pid_file(ceph_var_run_t)
+
+#########################################
+#
+# General Ceph domain rules
+#
+
+ceph_domain_template(osd)
+ceph_domain_template(mds)
+ceph_domain_template(mon)
+
+allow cephdomain self:fifo_file rw_file_perms;
+
+read_files_pattern(cephdomain, ceph_conf_t, { ceph_conf_t ceph_key_t })
+allow cephdomain ceph_log_t:dir manage_dir_perms;
+allow cephdomain ceph_log_t:file { create_file_perms rw_file_perms };
+allow cephdomain ceph_var_lib_t:dir search_dir_perms;
+allow cephdomain self:netlink_route_socket { rw_netlink_socket_perms };
+allow cephdomain self:tcp_socket { create_socket_perms listen accept };
+allow cephdomain ceph_var_run_t:file manage_file_perms;
+allow cephdomain ceph_var_run_t:dir manage_dir_perms;
+
+kernel_read_system_state(cephdomain)
+
+corenet_tcp_bind_generic_node(cephdomain)
+corenet_tcp_bind_all_unreserved_ports(cephdomain)
+corenet_tcp_connect_all_unreserved_ports(cephdomain)
+
+files_read_etc_files(cephdomain)
+files_search_pids(cephdomain)
+files_search_var_lib(cephdomain)
+files_pid_filetrans(cephdomain, ceph_var_run_t, dir)
+
+fs_getattr_all_fs(cephdomain)
+
+logging_search_logs(cephdomain)
+
+miscfiles_read_localization(cephdomain)
+
+init_use_script_ptys(cephdomain)
+
+
+#########################################
+#
+# Local OSD policy
+#
+
+corecmd_exec_shell(ceph_osd_t)
+
+
+#########################################
+#
+# Local MDS policy
+#
+
+
+#########################################
+#
+# Local MON policy
+#
+
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2015-07-13 20:59 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-07-13 21:45 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-07-13 21:45 UTC (permalink / raw
To: gentoo-commits
commit: 503297a9b5e11f5b898dfffc6194f95abe755b65
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Jul 13 20:57:26 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jul 13 20:57:26 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=503297a9
ceph: fix require in ceph_admin()
policy/modules/contrib/ceph.if | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/ceph.if b/policy/modules/contrib/ceph.if
index 26db16f..c922531 100644
--- a/policy/modules/contrib/ceph.if
+++ b/policy/modules/contrib/ceph.if
@@ -64,9 +64,9 @@ template(`ceph_domain_template',`
#
interface(`ceph_admin',`
gen_require(`
- attribute cephdomain;
- attribute cephdata;
- type ceph_initrc_exec_t;
+ attribute cephdomain, cephdata;
+ type ceph_initrc_exec_t, ceph_log_t;
+ type ceph_conf_t, ceph_key_t;
')
allow $1 cephdomain:process { ptrace signal_perms };
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2015-07-13 21:45 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-07-13 21:45 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-07-13 21:45 UTC (permalink / raw
To: gentoo-commits
commit: c4b26faf064b20ca42e230b0192fcf08430a5fe5
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jul 11 14:56:08 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jul 13 21:43:34 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c4b26faf
Introduce policy for subsonic music server
policy/modules/contrib/subsonic.fc | 6 +++++
policy/modules/contrib/subsonic.if | 1 +
policy/modules/contrib/subsonic.te | 48 ++++++++++++++++++++++++++++++++++++++
3 files changed, 55 insertions(+)
diff --git a/policy/modules/contrib/subsonic.fc b/policy/modules/contrib/subsonic.fc
new file mode 100644
index 0000000..b1d2550
--- /dev/null
+++ b/policy/modules/contrib/subsonic.fc
@@ -0,0 +1,6 @@
+
+/usr/bin/subsonic -- gen_context(system_u:object_r:subsonic_exec_t,s0)
+
+/var/lib/subsonic(/.*)? gen_context(system_u:object_r:subsonic_var_lib_t,s0)
+
+/var/run/subsonic(/.*)? gen_context(system_u:object_r:subsonic_run_t,s0)
diff --git a/policy/modules/contrib/subsonic.if b/policy/modules/contrib/subsonic.if
new file mode 100644
index 0000000..97e7342
--- /dev/null
+++ b/policy/modules/contrib/subsonic.if
@@ -0,0 +1 @@
+## <summary>Subsonic Music Streaming Server</summary>
diff --git a/policy/modules/contrib/subsonic.te b/policy/modules/contrib/subsonic.te
new file mode 100644
index 0000000..cb0c5ac
--- /dev/null
+++ b/policy/modules/contrib/subsonic.te
@@ -0,0 +1,48 @@
+policy_module(subsonic, 0.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type subsonic_t;
+type subsonic_exec_t;
+init_daemon_domain(subsonic_t, subsonic_exec_t)
+
+type subsonic_var_lib_t;
+files_type(subsonic_var_lib_t)
+
+type subsonic_run_t;
+files_pid_file(subsonic_run_t)
+
+##############################
+#
+# Subsonic local policy
+#
+
+allow subsonic_t self:tcp_socket listen;
+
+java_domain_type(subsonic_t)
+
+kernel_dontaudit_list_all_proc(subsonic_t)
+
+manage_dirs_pattern(subsonic_t, subsonic_run_t, subsonic_run_t)
+manage_files_pattern(subsonic_t, subsonic_run_t, subsonic_run_t)
+files_pid_filetrans(subsonic_t, subsonic_run_t, dir)
+
+manage_dirs_pattern(subsonic_t, subsonic_var_lib_t, subsonic_var_lib_t)
+manage_files_pattern(subsonic_t, subsonic_var_lib_t, subsonic_var_lib_t)
+files_var_lib_filetrans(subsonic_t, subsonic_var_lib_t, dir)
+
+corecmd_exec_bin(subsonic_t)
+corecmd_exec_shell(subsonic_t)
+
+corenet_tcp_bind_all_unreserved_ports(subsonic_t)
+corenet_tcp_bind_generic_node(subsonic_t)
+corenet_tcp_connect_http_port(subsonic_t)
+
+domain_use_interactive_fds(subsonic_t)
+
+optional_policy(`
+ miscfiles_read_public_files(subsonic_t)
+')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-07-13 21:45 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-07-13 21:45 UTC (permalink / raw
To: gentoo-commits
commit: ff13e7e4cbbeddbc298d5d94e16ad8afddc614fa
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Jul 13 13:00:21 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jul 13 13:00:21 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ff13e7e4
portage: add fcontext for emaint
Thanks to Matthias Dahl for reporting
policy/modules/contrib/portage.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/portage.fc b/policy/modules/contrib/portage.fc
index 5f07098..655f986 100644
--- a/policy/modules/contrib/portage.fc
+++ b/policy/modules/contrib/portage.fc
@@ -42,6 +42,7 @@ ifdef(`distro_gentoo',`
/usr/bin/emerge-webrsync -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
/usr/lib/python-exec/python[0-9]\.[0-9]*/glsa-check -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib/python-exec/python[0-9]\.[0-9]*/layman -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
+/usr/lib/python-exec/python[0-9]\.[0-9]*/emaint -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib/python-exec/python[0-9]\.[0-9]*/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
/var/log/sandbox(/.*)? gen_context(system_u:object_r:portage_log_t,s0)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-08-02 19:06 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-08-02 19:06 UTC (permalink / raw
To: gentoo-commits
commit: 0e8ef804e3c6409094334dda3b320bcfd5bf29b8
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jul 28 14:46:43 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Jul 31 08:09:03 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0e8ef804
android: add sdk in /opt and sysfs
adb needs to be able to read sysfs to find the USB device
policy/modules/contrib/android.fc | 4 ++++
policy/modules/contrib/android.if | 5 +++++
policy/modules/contrib/android.te | 11 +++++++++--
3 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
index a16fc47..af98311 100644
--- a/policy/modules/contrib/android.fc
+++ b/policy/modules/contrib/android.fc
@@ -4,3 +4,7 @@ HOME_DIR/\.gradle(/.*)? gen_context(system_u:object_r:android_home_t,s0)
/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+/opt/android-sdk-update-manager/platform-tools/adb -- gen_context(system_u:object_r:android_tools_exec_t,s0)
+/opt/android-sdk-update-manager/platform-tools/fastboot -- gen_context(system_u:object_r:android_tools_exec_t,s0)
+/opt/android-sdk-update-manager/tools/android -- gen_context(system_u:object_r:android_java_exec_t,s0)
+/opt/android-sdk-update-manager(/.*)? gen_context(system_u:object_r:android_sdk_t,s0)
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
index f0173d5..a50093a 100644
--- a/policy/modules/contrib/android.if
+++ b/policy/modules/contrib/android.if
@@ -23,6 +23,7 @@ interface(`android_role',`
type android_tmp_t;
type android_java_t;
type android_java_exec_t;
+ type android_sdk_t;
')
role $1 types android_tools_t;
@@ -38,6 +39,10 @@ interface(`android_role',`
manage_files_pattern($2, android_home_t, android_home_t)
manage_lnk_files_pattern($2, android_home_t, android_home_t)
+ list_dirs_pattern($2, android_sdk_t, android_sdk_t)
+ read_files_pattern($2, android_sdk_t, android_sdk_t)
+ read_lnk_files_pattern($2, android_sdk_t, android_sdk_t)
+
userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
index a76061f..930c6b3 100644
--- a/policy/modules/contrib/android.te
+++ b/policy/modules/contrib/android.te
@@ -28,6 +28,8 @@ type android_home_t; # customizable
userdom_user_home_content(android_home_t)
userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })
+type android_sdk_t;
+files_type(android_sdk_t)
############################
#
@@ -55,6 +57,7 @@ corenet_tcp_bind_adb_port(android_tools_t)
corenet_tcp_bind_generic_node(android_tools_t)
corenet_tcp_connect_adb_port(android_tools_t)
+dev_read_sysfs(android_tools_t)
dev_rw_generic_usb_dev(android_tools_t)
userdom_manage_user_home_content_dirs(android_tools_t)
@@ -75,10 +78,14 @@ allow android_java_t self:tcp_socket { accept listen };
can_exec(android_java_t, android_home_t)
can_exec(android_java_t, android_java_exec_t)
+can_exec(android_java_t, android_sdk_t)
manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
manage_files_pattern(android_java_t, android_home_t, android_home_t)
+manage_dirs_pattern(android_java_t, android_sdk_t, android_sdk_t)
+manage_files_pattern(android_java_t, android_sdk_t, android_sdk_t)
+
manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)
@@ -87,8 +94,8 @@ corecmd_exec_shell(android_java_t)
corenet_tcp_bind_all_unreserved_ports(android_java_t)
corenet_tcp_bind_generic_node(android_java_t)
-corenet_tcp_connect_adb_port(android_tools_t)
-corenet_tcp_connect_http_port(android_tools_t)
+corenet_tcp_connect_adb_port(android_java_t)
+corenet_tcp_connect_http_port(android_java_t)
corenet_udp_bind_generic_node(android_java_t)
domain_dontaudit_getattr_all_domains(android_java_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-08-02 19:06 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-08-02 19:06 UTC (permalink / raw
To: gentoo-commits
commit: e37615c40f756dcaf85c7d5f2d1bd904f898f721
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 2 19:01:11 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Aug 2 19:01:11 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e37615c4
A whole slew before master is started correctly
Without these changes, subprocesses of the salt master keep
crashing/exiting without any sign. Although the denials are extremely
frequent (as the main salt master restarts those processes over and over
again) there is no information in the salt logs that points to anything.
After allowing these operations (which is mainly reading information)
the salt master starts fine.
policy/modules/contrib/salt.te | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index c00aa50..0f3dba4 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -99,7 +99,7 @@ files_pid_file(salt_var_run_t)
# salt_master_t policy
#
-allow salt_master_t self:capability { net_admin sys_admin sys_tty_config };
+allow salt_master_t self:capability { net_admin sys_admin sys_nice sys_tty_config };
allow salt_master_t self:capability2 block_suspend;
allow salt_master_t self:process { getsched setsched signal };
allow salt_master_t self:tcp_socket create_stream_socket_perms;
@@ -167,6 +167,7 @@ files_pid_filetrans(salt_master_t, salt_var_run_t, dir)
files_pid_filetrans(salt_master_t, salt_master_var_run_t, file, "salt-master.pid")
kernel_read_network_state(salt_master_t)
+kernel_read_software_raid_state(salt_master_t)
kernel_read_system_state(salt_master_t)
corecmd_exec_bin(salt_master_t)
@@ -189,7 +190,16 @@ fs_getattr_tmpfs(salt_master_t)
getty_use_fds(salt_master_t)
+init_exec(salt_master_t)
+init_read_state(salt_master_t)
+
+libs_exec_ldconfig(salt_master_t)
+
miscfiles_read_localization(salt_master_t)
+miscfiles_read_generic_certs(salt_master_t)
+
+selinux_get_enforce_mode(salt_master_t)
+selinux_getattr_fs(salt_master_t)
sysnet_exec_ifconfig(salt_master_t)
sysnet_read_config(salt_master_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-08-02 19:06 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-08-02 19:06 UTC (permalink / raw
To: gentoo-commits
commit: 539bbc9b693447bf2dadb0031b318eb4049ada9b
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Jul 2 18:36:39 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jul 30 16:44:43 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=539bbc9b
qemu: add policy for qemu-guest-agent
policy/modules/contrib/qemu.fc | 9 +++++++++
policy/modules/contrib/qemu.te | 35 +++++++++++++++++++++++++++++++++++
2 files changed, 44 insertions(+)
diff --git a/policy/modules/contrib/qemu.fc b/policy/modules/contrib/qemu.fc
index 86ea53c..f1304fb 100644
--- a/policy/modules/contrib/qemu.fc
+++ b/policy/modules/contrib/qemu.fc
@@ -4,3 +4,12 @@
/usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/bin/qemu-ga -- gen_context(system_u:object_r:qemu_ga_exec_t,s0)
+
+/var/log/qemu-ga.log -- gen_context(system_u:object_r:qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? -- gen_context(system_u:object_r:qemu_ga_log_t,s0)
+
+/var/run/qemu-ga.pid -- gen_context(system_u:object_r:qemu_ga_run_t,s0)
+')
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index cf647bb..136f6f3 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -77,4 +77,39 @@ ifdef(`distro_gentoo',`
optional_policy(`
vde_connect(qemu_t)
')
+
+ #################################
+ #
+ # QEMU Guest Agent policy
+ #
+ type qemu_ga_t;
+ type qemu_ga_exec_t;
+ init_system_domain(qemu_ga_t, qemu_ga_exec_t)
+
+ type qemu_ga_log_t;
+ logging_log_file(qemu_ga_log_t)
+
+ type qemu_ga_run_t;
+ files_pid_file(qemu_ga_run_t)
+
+ allow qemu_ga_t self:capability sys_admin;
+ allow qemu_ga_t self:unix_dgram_socket create_socket_perms;
+
+ manage_dirs_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ append_files_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ create_files_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ setattr_files_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ logging_log_filetrans(qemu_ga_t, qemu_ga_log_t, { dir file })
+
+ allow qemu_ga_t qemu_ga_run_t:file manage_file_perms;
+ files_pid_filetrans(qemu_ga_t, qemu_ga_run_t, file)
+
+ corecmd_exec_bin(qemu_ga_t)
+ corecmd_exec_shell(qemu_ga_t)
+
+ miscfiles_read_localization(qemu_ga_t)
+
+ userdom_use_user_terminals(qemu_ga_t)
+
+ term_use_virtio_console(qemu_ga_t)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-08-02 19:06 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-08-02 19:06 UTC (permalink / raw
To: gentoo-commits
commit: 017cc90bb5f7acd0d5497b17b24c537d96b5400b
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Aug 2 18:21:15 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Aug 2 19:04:45 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=017cc90b
subsonic: also needs accept perms on the tcp_socket
otherwise it can bind and listen but not accept
policy/modules/contrib/subsonic.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/subsonic.te b/policy/modules/contrib/subsonic.te
index cb0c5ac..a64a814 100644
--- a/policy/modules/contrib/subsonic.te
+++ b/policy/modules/contrib/subsonic.te
@@ -20,7 +20,7 @@ files_pid_file(subsonic_run_t)
# Subsonic local policy
#
-allow subsonic_t self:tcp_socket listen;
+allow subsonic_t self:tcp_socket { listen accept };
java_domain_type(subsonic_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-08-02 19:06 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-08-02 19:06 UTC (permalink / raw
To: gentoo-commits
commit: ff5aa0ddb82327c352fa3b83586dd790b0bca09c
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Jul 17 12:13:28 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jul 30 16:41:33 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ff5aa0dd
Module version bump for cron_admin interface from Jason Zaman.
policy/modules/contrib/cron.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 45cce5f..d22885f 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.8.0)
+policy_module(cron, 2.8.1)
gen_require(`
class passwd rootok;
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-08-02 19:06 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-08-02 19:06 UTC (permalink / raw
To: gentoo-commits
commit: bf421d08e93e0e098620587655d9326d826f4a5d
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 2 18:05:49 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Aug 2 18:05:49 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bf421d08
Salt minion requires execute rights on init to start
Without execute rights, the salt minion continuously restarts with the
following in the log:
2015-08-02 20:02:57,671 [salt.scripts ][INFO ][30383] Sleeping random_reauth_delay of 6 seconds
2015-08-02 20:03:13,558 [salt.cli.daemons ][INFO ][30833] Setting up the Salt Minion "salt.internal.genfic.local"
2015-08-02 20:03:13,913 [salt.utils.process][DEBUG ][30833] Created pidfile: /var/run/salt-minion.pid
2015-08-02 20:03:13,914 [salt.config ][DEBUG ][30833] Reading configuration from /etc/salt/minion
2015-08-02 20:03:13,915 [salt.config ][DEBUG ][30833] Including configuration from '/etc/salt/minion.d/_schedule.conf'
2015-08-02 20:03:13,915 [salt.config ][DEBUG ][30833] Reading configuration from /etc/salt/minion.d/_schedule.conf
2015-08-02 20:03:14,188 [salt.utils ][TRACE ][30833] 'init' could not be found in the following search path: ['/bin', '/sbin', '/bin', '/sbin', '/usr/bin', '/usr/sbin', '/usr/bin', '/usr/sbin', '/usr/local/bin', '/usr/local/sbin', '/opt/bin', '/usr/x86_64-pc-linux-gnu/gcc-bin/4.8.4']
2015-08-02 20:03:14,189 [salt.cli.daemons ][INFO ][30833] The salt minion is shut down
2015-08-02 20:03:14,190 [salt.scripts ][ERROR ][30833] coercing to Unicode: need string or buffer, NoneType found
2015-08-02 20:03:14,190 [salt.scripts ][WARNING ][30833] ** Restarting minion **
The denial:
type=AVC msg=audit(1438538594.186:99014): avc: denied { execute } for pid=30833 comm="salt-minion" name="init" dev="vda3" ino=2900377 scontext=system_u:system_r:salt_minion_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0
policy/modules/contrib/salt.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index ab19bf7..c00aa50 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -288,6 +288,7 @@ fstools_domtrans(salt_minion_t)
getty_use_fds(salt_minion_t)
+init_exec(salt_minion_t)
init_exec_rc(salt_minion_t)
miscfiles_read_localization(salt_minion_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2015-07-31 14:15 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-08-02 19:06 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-08-02 19:06 UTC (permalink / raw
To: gentoo-commits
commit: 668db9970fcfe4c20ba9619272799c3dd258fce0
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Jul 16 13:09:44 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jul 30 16:41:33 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=668db997
Introduce cron_admin interface
policy/modules/contrib/cron.if | 53 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 53 insertions(+)
diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if
index 868d89f..3925811 100644
--- a/policy/modules/contrib/cron.if
+++ b/policy/modules/contrib/cron.if
@@ -835,3 +835,56 @@ interface(`cron_dontaudit_write_system_job_tmp_files',`
dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate a cron environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cron_admin',`
+ gen_require(`
+ type crond_t, cronjob_t, crond_initrc_exec_t;
+ type cron_var_lib_t, system_cronjob_var_lib_t;
+ type crond_tmp_t, admin_crontab_tmp_t;
+ type crontab_tmp_t, system_cronjob_tmp_t;
+ type cron_var_run_t, system_cronjob_var_run_t, crond_var_run_t;
+ type cron_log_t, system_cronjob_lock_t, user_cron_spool_log_t;
+ attribute cron_spool_type;
+ ')
+
+ allow $1 { crond_t cronjob_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { crond_t cronjob_t })
+
+ init_startstop_service($1, $2, crond_t, crond_initrc_exec_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, { cron_var_lib_t system_cronjob_var_lib_t })
+
+ files_search_tmp($1)
+ admin_pattern($1, { crond_tmp_t admin_crontab_tmp_t })
+ admin_pattern($1, { crontab_tmp_t system_cronjob_tmp_t })
+
+ files_search_pids($1)
+ admin_pattern($1, { cron_var_run_t crond_var_run_t system_cronjob_var_run_t })
+
+ files_search_locks($1)
+ admin_pattern($1, system_cronjob_lock_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, { cron_log_t user_cron_spool_log_t })
+
+ files_search_spool($1)
+ admin_pattern($1, cron_spool_type)
+')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-08-26 6:46 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-08-26 6:46 UTC (permalink / raw
To: gentoo-commits
commit: 39053e06affa1f85a487412b2ec6bf6ba2aa12b8
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 2 19:06:19 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Aug 10 20:46:21 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=39053e06
Allow salt minion to read software raid state
policy/modules/contrib/salt.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 0f3dba4..0a3d45a 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -277,6 +277,7 @@ files_pid_filetrans(salt_minion_t, salt_var_run_t, dir)
files_pid_filetrans(salt_minion_t, salt_minion_var_run_t, file, "salt-minion.pid")
kernel_read_network_state(salt_minion_t)
+kernel_read_software_raid_state(salt_minion_t)
kernel_read_system_state(salt_minion_t)
kernel_rw_all_sysctls(salt_minion_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-08-26 6:46 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-08-26 6:46 UTC (permalink / raw
To: gentoo-commits
commit: 1573307619ff359843b960f808459e2ab51df340
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 2 19:13:04 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Aug 10 20:46:21 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=15733076
Comment on init_exec use case for salt_master_t
policy/modules/contrib/salt.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 0a3d45a..2a4e84d 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -190,6 +190,7 @@ fs_getattr_tmpfs(salt_master_t)
getty_use_fds(salt_master_t)
+# Actually seems to require getattr read execute on init_exec_t
init_exec(salt_master_t)
init_read_state(salt_master_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-08-26 6:46 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-08-26 6:46 UTC (permalink / raw
To: gentoo-commits
commit: 74d30592c6783e80a8fab93628563cdba1536773
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Aug 22 16:11:22 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 22 16:11:22 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=74d30592
pulseaudio: allow clients to list user tmp dirs
/tmp/pulse-* gets created by the clients usually as user_tmp_t
bug 556526
policy/modules/contrib/pulseaudio.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index d7f48be..ea5b2a9 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -277,4 +277,7 @@ ifdef(`distro_gentoo',`
manage_lnk_files_pattern(pulseaudio_client, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t)
manage_dirs_pattern(pulseaudio_client, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t)
xdg_config_home_filetrans(pulseaudio_client, pulseaudio_xdg_config_t, dir, "pulse")
+
+ # /tmp/pulse-* gets created by the clients usually as user_tmp_t, bug 556526
+ userdom_list_user_tmp(pulseaudio_client)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2015-08-23 4:13 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-08-26 6:46 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-08-26 6:46 UTC (permalink / raw
To: gentoo-commits
commit: dcc726fd493cae4e694163d0fd303b7e36c0ffa6
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Aug 22 16:20:23 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 22 16:20:23 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dcc726fd
android: android_tools needs to be able to read the sdk
policy/modules/contrib/android.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
index 930c6b3..6d6c94b 100644
--- a/policy/modules/contrib/android.te
+++ b/policy/modules/contrib/android.te
@@ -49,6 +49,9 @@ can_exec(android_tools_t, android_tools_exec_t)
manage_dirs_pattern(android_tools_t, android_home_t, android_home_t)
manage_files_pattern(android_tools_t, android_home_t, android_home_t)
+list_dirs_pattern(android_tools_t, android_sdk_t, android_sdk_t)
+read_files_pattern(android_tools_t, android_sdk_t, android_sdk_t)
+
files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-08-26 6:46 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-08-26 6:46 UTC (permalink / raw
To: gentoo-commits
commit: 9ae80e8d3f13c18043f4e8306a4991824acec91a
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Aug 26 06:19:58 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 26 06:36:59 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9ae80e8d
Add policy for cgmanager
policy/modules/contrib/cgmanager.fc | 3 ++
policy/modules/contrib/cgmanager.if | 21 ++++++++++
policy/modules/contrib/cgmanager.te | 76 +++++++++++++++++++++++++++++++++++++
3 files changed, 100 insertions(+)
diff --git a/policy/modules/contrib/cgmanager.fc b/policy/modules/contrib/cgmanager.fc
new file mode 100644
index 0000000..8ea4a46
--- /dev/null
+++ b/policy/modules/contrib/cgmanager.fc
@@ -0,0 +1,3 @@
+/usr/sbin/cgmanager -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/usr/sbin/cgproxy -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/usr/sbin/cgm-release-agent -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
diff --git a/policy/modules/contrib/cgmanager.if b/policy/modules/contrib/cgmanager.if
new file mode 100644
index 0000000..ef04583
--- /dev/null
+++ b/policy/modules/contrib/cgmanager.if
@@ -0,0 +1,21 @@
+## <summary>Control Group manager daemon.</summary>
+
+########################################
+## <summary>
+## Mark the domain as a cgmanager client, automatically granting
+## the necessary privileges (connect to cgmanager and allow
+## cgmanager to inspect the process).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgmanager_client_domain',`
+ gen_require(`
+ attribute cgmanager_client;
+ ')
+
+ typeattribute $1 cgmanager_client;
+')
diff --git a/policy/modules/contrib/cgmanager.te b/policy/modules/contrib/cgmanager.te
new file mode 100644
index 0000000..d79f506
--- /dev/null
+++ b/policy/modules/contrib/cgmanager.te
@@ -0,0 +1,76 @@
+policy_module(cgmanager, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cgmanager_t;
+type cgmanager_exec_t;
+init_daemon_domain(cgmanager_t, cgmanager_exec_t)
+
+type cgmanager_run_t;
+files_pid_file(cgmanager_run_t)
+
+type cgmanager_cgroup_t;
+files_type(cgmanager_cgroup_t)
+
+attribute cgmanager_client;
+
+########################################
+#
+# CGManager local policy
+#
+
+allow cgmanager_t self:capability { sys_admin dac_override };
+allow cgmanager_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
+manage_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
+manage_lnk_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
+files_pid_filetrans(cgmanager_t, cgmanager_run_t, { file dir })
+allow cgmanager_t cgmanager_run_t:dir mounton;
+
+manage_dirs_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+manage_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+manage_sock_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+fs_cgroup_filetrans(cgmanager_t, cgmanager_cgroup_t, dir, "cgmanager")
+
+kernel_domtrans_to(cgmanager_t, cgmanager_exec_t)
+kernel_read_system_state(cgmanager_t)
+
+corecmd_exec_bin(cgmanager_t)
+can_exec(cgmanager_t, cgmanager_exec_t)
+
+files_read_etc_files(cgmanager_t)
+
+# cgmanager unmounts everything in its own mount namespace and mounts tmpfs on some things
+files_mounton_all_mountpoints(cgmanager_t)
+files_unmount_all_file_type_fs(cgmanager_t)
+fs_unmount_xattr_fs(cgmanager_t)
+
+fs_manage_cgroup_dirs(cgmanager_t)
+fs_manage_cgroup_files(cgmanager_t)
+
+fs_getattr_tmpfs(cgmanager_t)
+
+fs_manage_tmpfs_dirs(cgmanager_t)
+fs_manage_tmpfs_files(cgmanager_t)
+
+fs_mount_cgroup(cgmanager_t)
+fs_mount_tmpfs(cgmanager_t)
+fs_mounton_tmpfs(cgmanager_t)
+fs_remount_cgroup(cgmanager_t)
+fs_remount_tmpfs(cgmanager_t)
+fs_unmount_cgroup(cgmanager_t)
+fs_unmount_tmpfs(cgmanager_t)
+
+########################################
+#
+# CGManager client domains policy
+#
+
+fs_search_cgroup_dirs(cgmanager_client)
+list_dirs_pattern(cgmanager_client, cgmanager_cgroup_t, cgmanager_cgroup_t)
+stream_connect_pattern(cgmanager_client, cgmanager_cgroup_t, cgmanager_cgroup_t, cgmanager_t)
+ps_process_pattern(cgmanager_t, cgmanager_client)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2015-08-27 18:58 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-08-26 6:46 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-08-26 6:46 UTC (permalink / raw
To: gentoo-commits
commit: fa28033a97aca727f711c19a5198a8566f13f627
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 24 17:37:52 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Aug 24 17:37:52 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fa28033a
android: dontaudit the /proc dir accesses
commit dfac21413962d786be190c1cc9063ee00ea76001 dontaudited the process
class but that is not enough to quiet it down. Add in a dontaudit rule
for domain:dir too.
policy/modules/contrib/android.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
index 6d6c94b..ff1fcac 100644
--- a/policy/modules/contrib/android.te
+++ b/policy/modules/contrib/android.te
@@ -102,6 +102,7 @@ corenet_tcp_connect_http_port(android_java_t)
corenet_udp_bind_generic_node(android_java_t)
domain_dontaudit_getattr_all_domains(android_java_t)
+domain_dontaudit_search_all_domains_state(android_java_t)
miscfiles_read_fonts(android_java_t)
miscfiles_read_localization(android_java_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-08-27 13:26 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-08-27 13:26 UTC (permalink / raw
To: gentoo-commits
commit: 88891e0e6d86f54b792f673cfe29e7bfccc18a8f
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Aug 27 13:26:12 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Aug 27 13:26:12 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=88891e0e
switch from ps_process_pattern to allow cgmanager to inspect all processes
policy/modules/contrib/cgmanager.if | 8 ++++----
policy/modules/contrib/cgmanager.te | 3 ++-
2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/cgmanager.if b/policy/modules/contrib/cgmanager.if
index ef04583..6e24c0d 100644
--- a/policy/modules/contrib/cgmanager.if
+++ b/policy/modules/contrib/cgmanager.if
@@ -2,9 +2,9 @@
########################################
## <summary>
-## Mark the domain as a cgmanager client, automatically granting
-## the necessary privileges (connect to cgmanager and allow
-## cgmanager to inspect the process).
+## Mark the domain as a cgmanager
+## client, and grant the stream
+## connect privs.
## </summary>
## <param name="domain">
## <summary>
@@ -12,7 +12,7 @@
## </summary>
## </param>
#
-interface(`cgmanager_client_domain',`
+interface(`cgmanager_stream_connect',`
gen_require(`
attribute cgmanager_client;
')
diff --git a/policy/modules/contrib/cgmanager.te b/policy/modules/contrib/cgmanager.te
index d79f506..f6ef7a6 100644
--- a/policy/modules/contrib/cgmanager.te
+++ b/policy/modules/contrib/cgmanager.te
@@ -42,6 +42,8 @@ kernel_read_system_state(cgmanager_t)
corecmd_exec_bin(cgmanager_t)
can_exec(cgmanager_t, cgmanager_exec_t)
+domain_read_all_domains_state(cgmanager_t)
+
files_read_etc_files(cgmanager_t)
# cgmanager unmounts everything in its own mount namespace and mounts tmpfs on some things
@@ -73,4 +75,3 @@ fs_unmount_tmpfs(cgmanager_t)
fs_search_cgroup_dirs(cgmanager_client)
list_dirs_pattern(cgmanager_client, cgmanager_cgroup_t, cgmanager_cgroup_t)
stream_connect_pattern(cgmanager_client, cgmanager_cgroup_t, cgmanager_cgroup_t, cgmanager_t)
-ps_process_pattern(cgmanager_t, cgmanager_client)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-08-27 17:49 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-08-27 17:49 UTC (permalink / raw
To: gentoo-commits
commit: 50e4d66472c4432731e166db3378006203f711e2
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Aug 26 06:19:58 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Aug 27 15:44:32 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=50e4d664
Add policy for cgmanager
policy/modules/contrib/cgmanager.fc | 3 ++
policy/modules/contrib/cgmanager.if | 23 +++++++++++++
policy/modules/contrib/cgmanager.te | 66 +++++++++++++++++++++++++++++++++++++
3 files changed, 92 insertions(+)
diff --git a/policy/modules/contrib/cgmanager.fc b/policy/modules/contrib/cgmanager.fc
new file mode 100644
index 0000000..8ea4a46
--- /dev/null
+++ b/policy/modules/contrib/cgmanager.fc
@@ -0,0 +1,3 @@
+/usr/sbin/cgmanager -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/usr/sbin/cgproxy -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/usr/sbin/cgm-release-agent -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
diff --git a/policy/modules/contrib/cgmanager.if b/policy/modules/contrib/cgmanager.if
new file mode 100644
index 0000000..ecadabd
--- /dev/null
+++ b/policy/modules/contrib/cgmanager.if
@@ -0,0 +1,23 @@
+## <summary>Control Group manager daemon.</summary>
+
+########################################
+## <summary>
+## Mark the domain as a cgmanager
+## client, and grant the stream
+## connect privs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgmanager_stream_connect',`
+ gen_require(`
+ type cgmanager_t, cgmanager_cgroup_t;
+ ')
+
+ fs_search_cgroup_dirs($1)
+ list_dirs_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t)
+ stream_connect_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t, cgmanager_t)
+')
diff --git a/policy/modules/contrib/cgmanager.te b/policy/modules/contrib/cgmanager.te
new file mode 100644
index 0000000..5c32295
--- /dev/null
+++ b/policy/modules/contrib/cgmanager.te
@@ -0,0 +1,66 @@
+policy_module(cgmanager, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cgmanager_t;
+type cgmanager_exec_t;
+init_daemon_domain(cgmanager_t, cgmanager_exec_t)
+
+type cgmanager_run_t;
+files_pid_file(cgmanager_run_t)
+
+type cgmanager_cgroup_t;
+files_type(cgmanager_cgroup_t)
+
+########################################
+#
+# CGManager local policy
+#
+
+allow cgmanager_t self:capability { sys_admin dac_override };
+allow cgmanager_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
+manage_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
+manage_lnk_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
+files_pid_filetrans(cgmanager_t, cgmanager_run_t, { file dir })
+allow cgmanager_t cgmanager_run_t:dir mounton;
+
+manage_dirs_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+manage_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+manage_sock_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+fs_cgroup_filetrans(cgmanager_t, cgmanager_cgroup_t, dir, "cgmanager")
+
+kernel_domtrans_to(cgmanager_t, cgmanager_exec_t)
+kernel_read_system_state(cgmanager_t)
+
+corecmd_exec_bin(cgmanager_t)
+can_exec(cgmanager_t, cgmanager_exec_t)
+
+domain_read_all_domains_state(cgmanager_t)
+
+files_read_etc_files(cgmanager_t)
+
+# cgmanager unmounts everything in its own mount namespace and mounts tmpfs on some things
+files_mounton_all_mountpoints(cgmanager_t)
+files_unmount_all_file_type_fs(cgmanager_t)
+fs_unmount_xattr_fs(cgmanager_t)
+
+fs_manage_cgroup_dirs(cgmanager_t)
+fs_manage_cgroup_files(cgmanager_t)
+
+fs_getattr_tmpfs(cgmanager_t)
+
+fs_manage_tmpfs_dirs(cgmanager_t)
+fs_manage_tmpfs_files(cgmanager_t)
+
+fs_mount_cgroup(cgmanager_t)
+fs_mount_tmpfs(cgmanager_t)
+fs_mounton_tmpfs(cgmanager_t)
+fs_remount_cgroup(cgmanager_t)
+fs_remount_tmpfs(cgmanager_t)
+fs_unmount_cgroup(cgmanager_t)
+fs_unmount_tmpfs(cgmanager_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-08-27 18:00 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-08-27 18:00 UTC (permalink / raw
To: gentoo-commits
commit: 0e45905f66e4db5450838600491521a25fbcb3fb
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Aug 26 06:19:58 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Aug 27 17:59:35 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0e45905f
Add policy for cgmanager
policy/modules/contrib/cgmanager.fc | 3 ++
policy/modules/contrib/cgmanager.if | 22 +++++++++++++
policy/modules/contrib/cgmanager.te | 66 +++++++++++++++++++++++++++++++++++++
3 files changed, 91 insertions(+)
diff --git a/policy/modules/contrib/cgmanager.fc b/policy/modules/contrib/cgmanager.fc
new file mode 100644
index 0000000..8ea4a46
--- /dev/null
+++ b/policy/modules/contrib/cgmanager.fc
@@ -0,0 +1,3 @@
+/usr/sbin/cgmanager -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/usr/sbin/cgproxy -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/usr/sbin/cgm-release-agent -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
diff --git a/policy/modules/contrib/cgmanager.if b/policy/modules/contrib/cgmanager.if
new file mode 100644
index 0000000..ad459a6
--- /dev/null
+++ b/policy/modules/contrib/cgmanager.if
@@ -0,0 +1,22 @@
+## <summary>Control Group manager daemon.</summary>
+
+########################################
+## <summary>
+## Connect to cgmanager with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgmanager_stream_connect',`
+ gen_require(`
+ type cgmanager_t, cgmanager_cgroup_t;
+ ')
+
+ fs_search_cgroup_dirs($1)
+ list_dirs_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t)
+ stream_connect_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t, cgmanager_t)
+')
diff --git a/policy/modules/contrib/cgmanager.te b/policy/modules/contrib/cgmanager.te
new file mode 100644
index 0000000..5c32295
--- /dev/null
+++ b/policy/modules/contrib/cgmanager.te
@@ -0,0 +1,66 @@
+policy_module(cgmanager, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cgmanager_t;
+type cgmanager_exec_t;
+init_daemon_domain(cgmanager_t, cgmanager_exec_t)
+
+type cgmanager_run_t;
+files_pid_file(cgmanager_run_t)
+
+type cgmanager_cgroup_t;
+files_type(cgmanager_cgroup_t)
+
+########################################
+#
+# CGManager local policy
+#
+
+allow cgmanager_t self:capability { sys_admin dac_override };
+allow cgmanager_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
+manage_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
+manage_lnk_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
+files_pid_filetrans(cgmanager_t, cgmanager_run_t, { file dir })
+allow cgmanager_t cgmanager_run_t:dir mounton;
+
+manage_dirs_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+manage_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+manage_sock_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+fs_cgroup_filetrans(cgmanager_t, cgmanager_cgroup_t, dir, "cgmanager")
+
+kernel_domtrans_to(cgmanager_t, cgmanager_exec_t)
+kernel_read_system_state(cgmanager_t)
+
+corecmd_exec_bin(cgmanager_t)
+can_exec(cgmanager_t, cgmanager_exec_t)
+
+domain_read_all_domains_state(cgmanager_t)
+
+files_read_etc_files(cgmanager_t)
+
+# cgmanager unmounts everything in its own mount namespace and mounts tmpfs on some things
+files_mounton_all_mountpoints(cgmanager_t)
+files_unmount_all_file_type_fs(cgmanager_t)
+fs_unmount_xattr_fs(cgmanager_t)
+
+fs_manage_cgroup_dirs(cgmanager_t)
+fs_manage_cgroup_files(cgmanager_t)
+
+fs_getattr_tmpfs(cgmanager_t)
+
+fs_manage_tmpfs_dirs(cgmanager_t)
+fs_manage_tmpfs_files(cgmanager_t)
+
+fs_mount_cgroup(cgmanager_t)
+fs_mount_tmpfs(cgmanager_t)
+fs_mounton_tmpfs(cgmanager_t)
+fs_remount_cgroup(cgmanager_t)
+fs_remount_tmpfs(cgmanager_t)
+fs_unmount_cgroup(cgmanager_t)
+fs_unmount_tmpfs(cgmanager_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-08-27 19:11 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-08-27 19:11 UTC (permalink / raw
To: gentoo-commits
commit: 5431a073ad8aa918d7e7e0dbfdb208a033971a8d
Author: Niklas Haas <git <AT> nand <DOT> wakku <DOT> to>
AuthorDate: Sat Aug 15 14:17:58 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Aug 27 19:08:31 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5431a073
pulse: don't give pulseaudio_client full access to user_home_t
This doesn't seem to be necessary at all, and the comment immediately
above it doesn't make things any less mysterious, as pulseaudio clients
don't even need access to ~/.cache. I cannot observe any breakage on my
machine due to this change, and the permission being present was causing
unexpected behavior (eg. Skype could freely read the contents of my home
dir even with the boolean supposedly toggling that permission disabled,
because skype_t was marked as pulseaudio_client and thus had full access
regardless).
The original source seems to be 5851ec54, which doesn't really help
explaining the original purpose of the lines.
policy/modules/contrib/pulseaudio.te | 3 ---
1 file changed, 3 deletions(-)
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index ea5b2a9..af4779d 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -227,9 +227,6 @@ pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".esd_auth")
pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cookie")
pulseaudio_signull(pulseaudio_client)
-# TODO: ~/.cache
-userdom_manage_user_home_content_files(pulseaudio_client)
-
userdom_read_user_tmpfs_files(pulseaudio_client)
# userdom_delete_user_tmpfs_files(pulseaudio_client)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2015-08-27 19:11 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-08-27 19:11 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-08-27 19:11 UTC (permalink / raw
To: gentoo-commits
commit: 258ba5c6c223988749d75bd11087b43dc1443462
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Sat Aug 15 14:31:34 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Aug 27 19:08:31 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=258ba5c6
Module version bump for changes to the pulseaudio module by Niklas Haas.
policy/modules/contrib/pulseaudio.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index af4779d..1a25024 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.7.1)
+policy_module(pulseaudio, 1.7.2)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-08-27 19:11 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-08-27 19:11 UTC (permalink / raw
To: gentoo-commits
commit: 7f5ece84232e3a6704b7e781203f4038a45417c3
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 24 15:10:09 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Aug 27 19:08:31 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7f5ece84
hadoop: init_startstop_service() can not take attributes
policy/modules/contrib/hadoop.if | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/hadoop.if b/policy/modules/contrib/hadoop.if
index a0a819f..5908119 100644
--- a/policy/modules/contrib/hadoop.if
+++ b/policy/modules/contrib/hadoop.if
@@ -426,7 +426,6 @@ interface(`hadoop_admin',`
attribute hadoop_domain;
attribute hadoop_initrc_domain;
- attribute hadoop_init_script_file;
attribute hadoop_pid_file;
attribute hadoop_lock_file;
attribute hadoop_log_file;
@@ -436,12 +435,22 @@ interface(`hadoop_admin',`
type hadoop_t, hadoop_etc_t, hadoop_hsperfdata_t;
type zookeeper_t, zookeeper_etc_t, zookeeper_server_t;
type zookeeper_server_var_t;
+
+ type hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t;
+ type hadoop_jobtracker_initrc_t, hadoop_jobtracker_initrc_exec_t;
+ type hadoop_namenode_initrc_t, hadoop_namenode_initrc_exec_t;
+ type hadoop_secondarynamenode_initrc_t, hadoop_secondarynamenode_initrc_exec_t;
+ type hadoop_tasktracker_initrc_t, hadoop_tasktracker_initrc_exec_t;
')
allow $1 { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t }:process { ptrace signal_perms };
ps_process_pattern($1, { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t })
- init_startstop_service($1, $2, hadoop_domain, hadoop_init_script_file)
+ init_startstop_service($1, $2, hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t)
+ init_startstop_service($1, $2, hadoop_jobtracker_initrc_t, hadoop_jobtracker_initrc_exec_t)
+ init_startstop_service($1, $2, hadoop_namenode_initrc_t, hadoop_namenode_initrc_exec_t)
+ init_startstop_service($1, $2, hadoop_secondarynamenode_initrc_t, hadoop_secondarynamenode_initrc_exec_t)
+ init_startstop_service($1, $2, hadoop_tasktracker_initrc_t, hadoop_tasktracker_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, { hadoop_etc_t zookeeper_etc_t })
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2015-08-27 19:11 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-08-27 19:11 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-08-27 19:11 UTC (permalink / raw
To: gentoo-commits
commit: 1f34097ea332cf9cc6c07a997afa2ab56d772f01
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Mon Aug 24 17:00:05 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Aug 27 19:08:31 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1f34097e
Changes to the git, hadoop and rsync modules by Jason Zaman.
policy/modules/contrib/git.te | 2 +-
policy/modules/contrib/hadoop.te | 2 +-
policy/modules/contrib/rsync.te | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/git.te b/policy/modules/contrib/git.te
index 517d513..27e68f3 100644
--- a/policy/modules/contrib/git.te
+++ b/policy/modules/contrib/git.te
@@ -1,4 +1,4 @@
-policy_module(git, 1.5.1)
+policy_module(git, 1.5.2)
########################################
#
diff --git a/policy/modules/contrib/hadoop.te b/policy/modules/contrib/hadoop.te
index a40e85b..b9ffe96 100644
--- a/policy/modules/contrib/hadoop.te
+++ b/policy/modules/contrib/hadoop.te
@@ -1,4 +1,4 @@
-policy_module(hadoop, 1.3.2)
+policy_module(hadoop, 1.3.3)
########################################
#
diff --git a/policy/modules/contrib/rsync.te b/policy/modules/contrib/rsync.te
index abeb302..eae1b4c 100644
--- a/policy/modules/contrib/rsync.te
+++ b/policy/modules/contrib/rsync.te
@@ -1,4 +1,4 @@
-policy_module(rsync, 1.13.0)
+policy_module(rsync, 1.13.1)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2015-08-27 19:11 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-08-27 19:11 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-08-27 19:11 UTC (permalink / raw
To: gentoo-commits
commit: 7107daec01a595033aa8d356226b7220d150115b
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 24 15:10:07 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Aug 27 19:08:31 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7107daec
rsync: remove rsync_run from admin interface
Admining rsync does not require running it in the rsync_t domain and
this causes problems for backups and the like which would originally run
in the user's domain now run in rsync_t.
policy/modules/contrib/rsync.if | 2 --
1 file changed, 2 deletions(-)
diff --git a/policy/modules/contrib/rsync.if b/policy/modules/contrib/rsync.if
index e916de8..c7b19aa 100644
--- a/policy/modules/contrib/rsync.if
+++ b/policy/modules/contrib/rsync.if
@@ -276,6 +276,4 @@ interface(`rsync_admin',`
files_search_pids($1)
admin_pattern($1, rsync_var_run_t)
-
- rsync_run($1, $2)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2015-08-27 19:11 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-08-27 19:11 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-08-27 19:11 UTC (permalink / raw
To: gentoo-commits
commit: 4896ffe78b0ad5ce485f252084c40853323945dd
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 24 15:10:08 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Aug 27 19:08:31 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4896ffe7
git: allow git_system_t to listen on tcp_sockets
git_session_t already has these permissions but they are missing on
git_system_t. Instead add the perms on the git_daemon attribute which
covers both system and session daemons.
policy/modules/contrib/git.te | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/policy/modules/contrib/git.te b/policy/modules/contrib/git.te
index 1ca8c24..517d513 100644
--- a/policy/modules/contrib/git.te
+++ b/policy/modules/contrib/git.te
@@ -103,8 +103,6 @@ userdom_user_home_content(git_user_content_t)
# Session policy
#
-allow git_session_t self:tcp_socket { accept listen };
-
userdom_search_user_home_dirs(git_session_t)
corenet_all_recvfrom_netlabel(git_session_t)
@@ -266,6 +264,7 @@ tunable_policy(`git_cgi_use_nfs',`
#
allow git_daemon self:fifo_file rw_fifo_file_perms;
+allow git_daemon self:tcp_socket { accept listen };
list_dirs_pattern(git_daemon, git_user_content_t, git_user_content_t)
read_files_pattern(git_daemon, git_user_content_t, git_user_content_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2015-08-27 19:52 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-08-27 19:52 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-08-27 19:52 UTC (permalink / raw
To: gentoo-commits
commit: dfdefb495631b52c859d13bc047924743e1b4ef2
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Aug 27 19:51:44 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Aug 27 19:51:44 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dfdefb49
apache: remove gentoo-specific fcontext
Has been upstreamed in commit
4cdea0f683f332134f3f93d79099f71d79d5f718
policy/modules/contrib/apache.fc | 4 ----
1 file changed, 4 deletions(-)
diff --git a/policy/modules/contrib/apache.fc b/policy/modules/contrib/apache.fc
index 4222f2e..96006a0 100644
--- a/policy/modules/contrib/apache.fc
+++ b/policy/modules/contrib/apache.fc
@@ -172,7 +172,3 @@ ifdef(`distro_suse',`
/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-
-ifdef(`distro_gentoo',`
-/usr/share/build-1/libtool -- gen_context(system_u:object_r:bin_t,s0)
-')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-09-02 14:41 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-09-02 14:41 UTC (permalink / raw
To: gentoo-commits
commit: 9371d4a13dad0af981681a631591f8c0f7d85203
Author: Niklas Haas <git <AT> nand <DOT> wakku <DOT> to>
AuthorDate: Tue Sep 1 07:10:52 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Sep 2 03:47:46 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9371d4a1
vnstat: fix context on /usr/bin/vnstatd
policy/modules/contrib/vnstatd.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/vnstatd.fc b/policy/modules/contrib/vnstatd.fc
index 52f8f68..0252ce4 100644
--- a/policy/modules/contrib/vnstatd.fc
+++ b/policy/modules/contrib/vnstatd.fc
@@ -11,5 +11,5 @@
ifdef(`distro_gentoo',`
# Fix bug 528602 - name is vnstatd in Gentoo
/etc/rc\.d/init\.d/vnstatd -- gen_context(system_u:object_r:vnstatd_initrc_exec_t,s0)
-/usr/bin/vnstatd -- gen_context(system_u:object_r:vnstat_exec_t,s0)
+/usr/bin/vnstatd -- gen_context(system_u:object_r:vnstatd_exec_t,s0)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-09-02 14:41 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-09-02 14:41 UTC (permalink / raw
To: gentoo-commits
commit: f52d0d3cdd127ac6a824b4724448aa985c6e102a
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Sep 2 03:44:36 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Sep 2 03:44:36 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f52d0d3c
cgmanager: add fcontexts for /run and cgroupfs sock
policy/modules/contrib/cgmanager.fc | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/cgmanager.fc b/policy/modules/contrib/cgmanager.fc
index 8ea4a46..17c6f88 100644
--- a/policy/modules/contrib/cgmanager.fc
+++ b/policy/modules/contrib/cgmanager.fc
@@ -1,3 +1,9 @@
-/usr/sbin/cgmanager -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
-/usr/sbin/cgproxy -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
-/usr/sbin/cgm-release-agent -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/usr/sbin/cgmanager -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/usr/sbin/cgproxy -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/usr/sbin/cgm-release-agent -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+
+/sys/fs/cgroup/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_cgroup_t,s0)
+
+/var/run/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_run_t,s0)
+/var/run/cgmanager.pid gen_context(system_u:object_r:cgmanager_run_t,s0)
+/var/run/cgmanager/fs(/.*)? <<none>>
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2015-09-06 11:25 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-09-06 11:23 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-09-06 11:23 UTC (permalink / raw
To: gentoo-commits
commit: c4421326f5b50b190ea67e01721ca32a1a175c77
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Sep 5 13:43:49 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 6 11:10:59 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c4421326
virt: Allow creating qemu guest agent socket
This is needed for the host side guest agent socket for qemu.
type=AVC msg=audit(1441210375.086:110241): avc: denied { create } for
pid=25153 comm="libvirtd"
scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:svirt_t:s0:c110,c185
tclass=unix_stream_socket permissive=0
policy/modules/contrib/virt.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 42cb462..ec84b5b 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -438,7 +438,7 @@ allow virtd_t self:netlink_route_socket nlmsg_write;
allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
-allow virtd_t svirt_lxc_domain:unix_stream_socket { create_stream_socket_perms connectto };
+allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto };
allow virtd_t svirt_lxc_domain:process signal_perms;
allow virtd_t virtd_lxc_t:process { signal signull sigkill };
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-09-06 11:23 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-09-06 11:23 UTC (permalink / raw
To: gentoo-commits
commit: 468b82617272cc7b23364f1d0ce2aa153ebbb3fc
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Sat Sep 5 15:24:35 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 6 11:10:59 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=468b8261
Module version bump for changes to the virt module by Jason Zaman
policy/modules/contrib/virt.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 5648e9d..2966d29 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.8.2)
+policy_module(virt, 1.8.3)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-09-06 11:23 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-09-06 11:23 UTC (permalink / raw
To: gentoo-commits
commit: 2a26ba597c47fe006e1c18cdd9224e74aba02bf8
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Sep 6 10:58:43 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 6 10:58:43 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2a26ba59
chromium: v45 needs setcap perms
type=AVC msg=audit(1441536942.937:329): avc: denied { setcap } for
pid=4857 comm="chrome" scontext=staff_u:staff_r:chromium_t:s0-s0:c0.c511
tcontext=staff_u:staff_r:chromium_t:s0-s0:c0.c511 tclass=process
permissive=0
type=SYSCALL msg=audit(1441536942.937:329): arch=c000003e syscall=126
success=no exit=-13 a0=3f40091b950 a1=3f40091b960 a2=3ce87534090
a3=3ce87530010 items=0 ppid=4772 pid=4857 auid=1000 uid=1000 gid=100
euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=pts4
ses=3 comm="chrome" exe="/usr/lib64/chromium-browser/chrome"
subj=staff_u:staff_r:chromium_t:s0-s0:c0.c511 key=(null)
type=ANOM_ABEND msg=audit(1441536942.937:330): auid=1000 uid=1000
gid=100 ses=3 subj=staff_u:staff_r:chromium_t:s0-s0:c0.c511 pid=4857
comm="chrome" exe="/usr/lib64/chromium-browser/chrome" sig=6
[4:4:0906/185542:FATAL:credentials.cc(306)] Check failed:
DropAllCapabilitiesOnCurrentThread(). : Permission denied
[4765:4783:0906/185542:ERROR:zygote_host_impl_linux.cc(374)] Did not
receive ping from zygote child
[3:3:0906/185542:ERROR:zygote_linux.cc(573)] Zygote could not fork:
process_type renderer numfds 5 child_pid -1
policy/modules/contrib/chromium.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index b2c9ccc..3185640 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -88,7 +88,7 @@ xdg_cache_home_content(chromium_xdg_cache_t)
# chromium local policy
#
-allow chromium_t self:process { getsched setrlimit setsched sigkill signal };
+allow chromium_t self:process { getsched setcap setrlimit setsched sigkill signal };
allow chromium_t self:fifo_file rw_fifo_file_perms;;
allow chromium_t self:sem create_sem_perms;
allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms;
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2015-09-06 11:25 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-09-06 11:23 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-09-06 11:23 UTC (permalink / raw
To: gentoo-commits
commit: b99a22fc6960896dcf82a02e92b1b913732bc774
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Sep 5 14:43:34 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 6 11:10:59 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b99a22fc
virt: Add policy for virtlockd the Virtual machine lock manager
policy/modules/contrib/virt.fc | 4 +++
policy/modules/contrib/virt.te | 56 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 60 insertions(+)
diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index b38007b..ea197d0 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -27,6 +27,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/usr/sbin/fence_virtd -- gen_context(system_u:object_r:virsh_exec_t,s0)
/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
@@ -35,6 +36,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh)
+/var/lib/libvirt/lockd(/.*)? gen_context(system_u:object_r:virtlockd_var_lib_t,s0)
/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
@@ -48,5 +50,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh)
+/var/run/libvirt/virtlockd-sock -s gen_context(system_u:object_r:virtlockd_run_t,s0)
/var/run/user/[^/]*/libguestfs(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+/var/run/virtlockd.pid -- gen_context(system_u:object_r:virtlockd_run_t,s0)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index ec84b5b..5648e9d 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -190,6 +190,24 @@ type virsh_t;
type virsh_exec_t;
init_system_domain(virsh_t, virsh_exec_t)
+type virtlockd_t;
+type virtlockd_exec_t;
+init_daemon_domain(virtlockd_t, virtlockd_exec_t)
+
+type virtlockd_run_t;
+files_pid_file(virtlockd_run_t)
+
+type virtlockd_var_lib_t;
+files_type(virtlockd_var_lib_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+ init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh)
+')
+
########################################
#
# Common virt domain local policy
@@ -221,6 +239,7 @@ manage_lnk_files_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t)
files_pid_filetrans(virt_domain, svirt_var_run_t, { dir file })
stream_connect_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t, virtd_t)
+stream_connect_pattern(virt_domain, virt_var_run_t, virtlockd_run_t, virtlockd_t)
dontaudit virt_domain virt_tmpfs_type:file { read write };
@@ -526,6 +545,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
can_exec(virtd_t, virt_tmp_t)
@@ -1243,3 +1263,39 @@ manage_files_pattern(virt_leaseshelper_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virt_leaseshelper_t, virt_var_run_t, file)
kernel_dontaudit_read_system_state(virt_leaseshelper_t)
+
+########################################
+#
+# Virtlockd local policy
+#
+
+allow virtlockd_t self:capability dac_override;
+allow virtlockd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlockd_t virt_image_type:dir list_dir_perms;
+allow virtlockd_t virt_image_type:file rw_file_perms;
+
+create_files_pattern(virtlockd_t, virt_log_t, virt_log_t)
+
+list_dirs_pattern(virtlockd_t, virt_var_lib_t, virt_var_lib_t)
+
+manage_dirs_pattern(virtlockd_t, { virt_var_lib_t virtlockd_var_lib_t }, virtlockd_var_lib_t)
+manage_files_pattern(virtlockd_t, virtlockd_var_lib_t, virtlockd_var_lib_t)
+filetrans_pattern(virtlockd_t, virt_var_lib_t, virtlockd_var_lib_t, dir)
+
+manage_files_pattern(virtlockd_t, virt_var_run_t, virtlockd_run_t)
+manage_sock_files_pattern(virtlockd_t, virt_var_run_t, virtlockd_run_t)
+filetrans_pattern(virtlockd_t, virt_var_run_t, virtlockd_run_t, sock_file)
+files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
+
+can_exec(virtlockd_t, virtlockd_exec_t)
+
+ps_process_pattern(virtlockd_t, virtd_t)
+
+files_read_etc_files(virtlockd_t)
+files_list_var_lib(virtlockd_t)
+
+miscfiles_read_localization(virtlockd_t)
+
+virt_append_log(virtlockd_t)
+virt_read_config(virtlockd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-10-11 10:48 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-10-11 10:48 UTC (permalink / raw
To: gentoo-commits
commit: 1b899c0409bfc59f0ff4c03259d658578902b9b3
Author: Alexander Wetzel <alexander.wetzel <AT> web <DOT> de>
AuthorDate: Sat Sep 5 07:41:47 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 20 06:52:58 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1b899c04
add vfio support for libvirt
Signed-off-by: Alexander Wetzel <alexander.wetzel <AT> web.de>
policy/modules/contrib/virt.te | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 2966d29..881560f 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -70,6 +70,14 @@ gen_tunable(virt_use_usb, false)
## </desc>
gen_tunable(virt_use_xserver, false)
+## <desc>
+### <p>
+### Determine whether confined virtual guests
+### can use vfio for pci device pass through (vt-d).
+### </p>
+### </desc>
+gen_tunable(virt_use_vfio, false)
+
attribute virt_ptynode;
attribute virt_domain;
attribute virt_image_type;
@@ -438,6 +446,10 @@ corenet_tcp_bind_all_ports(svirt_t)
corenet_sendrecv_all_client_packets(svirt_t)
corenet_tcp_connect_all_ports(svirt_t)
+tunable_policy(`virt_use_vfio',`
+ dev_rw_vfio_dev(svirt_t)
+')
+
########################################
#
# virtd local policy
@@ -682,6 +694,13 @@ tunable_policy(`virt_use_samba',`
fs_read_cifs_symlinks(virtd_t)
')
+tunable_policy(`virt_use_vfio',`
+ allow virtd_t self:capability sys_resource;
+ allow virtd_t self:process setrlimit;
+ allow virtd_t svirt_t:process rlimitinh;
+ dev_relabelfrom_vfio_dev(virtd_t)
+')
+
optional_policy(`
brctl_domtrans(virtd_t)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-10-11 10:48 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-10-11 10:48 UTC (permalink / raw
To: gentoo-commits
commit: 27f6d9af783c744d3f420f5cc20abf8eff5c6c38
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Sep 15 12:38:26 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 20 06:52:58 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=27f6d9af
Module version bump for vfio support for libvirt from Alexander Wetzel.
policy/modules/contrib/virt.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 8fa2a5b..ec81a76 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.8.3)
+policy_module(virt, 1.8.4)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2015-09-20 7:00 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-10-11 10:48 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-10-11 10:48 UTC (permalink / raw
To: gentoo-commits
commit: 1247c3940b065599bf0eaa57005bc3b927acc420
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Sep 15 12:27:07 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 20 06:52:58 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1247c394
Comment/whitespace fix in virt.te.
policy/modules/contrib/virt.te | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 881560f..8fa2a5b 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -71,11 +71,11 @@ gen_tunable(virt_use_usb, false)
gen_tunable(virt_use_xserver, false)
## <desc>
-### <p>
-### Determine whether confined virtual guests
-### can use vfio for pci device pass through (vt-d).
-### </p>
-### </desc>
+## <p>
+## Determine whether confined virtual guests
+## can use vfio for pci device pass through (vt-d).
+## </p>
+## </desc>
gen_tunable(virt_use_vfio, false)
attribute virt_ptynode;
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-10-17 17:02 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-10-17 17:02 UTC (permalink / raw
To: gentoo-commits
commit: 854f95bf84612c79037dbe83dd06223d4cf3154c
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Thu Oct 15 10:44:43 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Oct 17 16:47:50 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=854f95bf
portage: Add new interfaces to portage_ro_role
policy/modules/contrib/portage.if | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index 962dcca..e9de28e 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -410,6 +410,8 @@ interface(`portage_ro_role',`
portage_read_config($1)
portage_read_db($1)
portage_read_ebuild($1)
+ portage_read_log($1)
+ portage_read_srcrepo($1)
portage_dontaudit_write_cache($1)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2015-10-17 17:02 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-10-17 17:02 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-10-17 17:02 UTC (permalink / raw
To: gentoo-commits
commit: 26930c8978e8ae49829ee8b13e9da9ca05e024ce
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Thu Oct 15 10:44:42 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Oct 17 16:47:50 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=26930c89
portage: New read-only interfaces for srcrepo and logs
Create portage_read_srcrepo and portage_read_log interfaces.
policy/modules/contrib/portage.if | 40 +++++++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index 4652319..962dcca 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -498,6 +498,46 @@ interface(`portage_read_ebuild',`
########################################
## <summary>
+## Read portage log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`portage_read_log',`
+ gen_require(`
+ type portage_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, portage_log_t, portage_log_t)
+')
+
+########################################
+## <summary>
+## Read portage src repository files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`portage_read_srcrepo',`
+ gen_require(`
+ type portage_ebuild_t, portage_srcrepo_t;
+ ')
+
+ files_search_usr($1)
+ list_dirs_pattern($1, portage_ebuild_t, portage_srcrepo_t)
+ read_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+ read_lnk_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+')
+
+########################################
+## <summary>
## Do not audit writing portage cache files
## </summary>
## <param name="domain">
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2015-10-17 17:02 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-10-17 17:02 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-10-17 17:02 UTC (permalink / raw
To: gentoo-commits
commit: ef3895b29d224ba5c64e12242b5fb85fc1e9405d
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Thu Oct 15 10:44:41 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Oct 17 16:47:50 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ef3895b2
portage: Fix the gen_require of the portage_compile_domain interface
The portage_compile_domain interface used portage_sandbox_t without
requiring it.
policy/modules/contrib/portage.if | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index c98a763..4652319 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -68,8 +68,8 @@ interface(`portage_run',`
interface(`portage_compile_domain',`
gen_require(`
class dbus send_msg;
- type portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t;
- type portage_tmpfs_t;
+ type portage_devpts_t, portage_log_t, portage_sandbox_t, portage_srcrepo_t;
+ type portage_tmp_t, portage_tmpfs_t;
')
allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2015-10-17 17:02 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-10-17 17:02 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-10-17 17:02 UTC (permalink / raw
To: gentoo-commits
commit: 061bd420d98e138a44a5fc328738b2ea1dd562ff
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Thu Oct 15 10:44:40 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Oct 17 16:47:50 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=061bd420
portage: Dontaudit setattr in portage_dontaudit_write_cache
policy/modules/contrib/portage.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index 640a63b..c98a763 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -511,6 +511,6 @@ interface(`portage_dontaudit_write_cache',`
type portage_cache_t;
')
- dontaudit $1 portage_cache_t:dir { write };
+ dontaudit $1 portage_cache_t:dir { setattr write };
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-10-22 13:44 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-10-22 13:44 UTC (permalink / raw
To: gentoo-commits
commit: 56782f09e37e1fbd0868f38084563d9f1aa0f8c7
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Mon Oct 19 12:04:06 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Oct 22 13:40:59 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=56782f09
contrib/portage: Fix portage_ro_role interface
According to its documentation, portage_ro_role expects a role for $1
and a type for $2, just like other _role interfaces. However, the policy
directives inside the interface don't match its documentation and expect
$1 to be a type.
This interface isn't used anywhere in the policy, so no other fixes are
neccessary.
policy/modules/contrib/portage.if | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index e9de28e..14c4fb6 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -406,13 +406,13 @@ interface(`portage_eselect_module',`
## </param>
#
interface(`portage_ro_role',`
- portage_read_cache($1)
- portage_read_config($1)
- portage_read_db($1)
- portage_read_ebuild($1)
- portage_read_log($1)
- portage_read_srcrepo($1)
- portage_dontaudit_write_cache($1)
+ portage_read_cache($2)
+ portage_read_config($2)
+ portage_read_db($2)
+ portage_read_ebuild($2)
+ portage_read_log($2)
+ portage_read_srcrepo($2)
+ portage_dontaudit_write_cache($2)
')
########################################
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2015-10-26 5:48 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-10-26 5:36 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-10-26 5:36 UTC (permalink / raw
To: gentoo-commits
commit: 4f1ef29d168da11699a2dd5dcf9d7242bf5d1515
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Oct 23 18:35:45 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 04:10:16 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4f1ef29d
Add systemd socket activations.
policy/modules/contrib/avahi.te | 1 +
policy/modules/contrib/cups.te | 1 +
policy/modules/contrib/dbus.te | 1 +
policy/modules/contrib/iscsi.te | 1 +
policy/modules/contrib/rpcbind.te | 1 +
5 files changed, 5 insertions(+)
diff --git a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te
index 46d5aba..161763f 100644
--- a/policy/modules/contrib/avahi.te
+++ b/policy/modules/contrib/avahi.te
@@ -8,6 +8,7 @@ policy_module(avahi, 1.15.1)
type avahi_t;
type avahi_exec_t;
init_daemon_domain(avahi_t, avahi_exec_t)
+init_named_socket_activation(avahi_t, avahi_var_run_t)
type avahi_initrc_exec_t;
init_script_file(avahi_initrc_exec_t)
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 662b991..261dc06 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
type cupsd_t;
type cupsd_exec_t;
init_daemon_domain(cupsd_t, cupsd_exec_t)
+init_named_socket_activation(cupsd_t, cupsd_var_run_t)
mls_trusted_object(cupsd_t)
type cupsd_etc_t;
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index e79a81a..e32b70a 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -35,6 +35,7 @@ userdom_user_tmp_file(session_dbusd_tmp_t)
type system_dbusd_t;
init_system_domain(system_dbusd_t, dbusd_exec_t)
+init_named_socket_activation(system_dbusd_t, system_dbusd_var_run_t)
type system_dbusd_tmp_t;
files_tmp_file(system_dbusd_tmp_t)
diff --git a/policy/modules/contrib/iscsi.te b/policy/modules/contrib/iscsi.te
index 070f8e3..43f85f3 100644
--- a/policy/modules/contrib/iscsi.te
+++ b/policy/modules/contrib/iscsi.te
@@ -8,6 +8,7 @@ policy_module(iscsi, 1.9.1)
type iscsid_t;
type iscsid_exec_t;
init_daemon_domain(iscsid_t, iscsid_exec_t)
+init_abstract_socket_activation(iscsid_t)
type iscsi_initrc_exec_t;
init_script_file(iscsi_initrc_exec_t)
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index 9cdb548..fab6184 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -8,6 +8,7 @@ policy_module(rpcbind, 1.8.2)
type rpcbind_t;
type rpcbind_exec_t;
init_daemon_domain(rpcbind_t, rpcbind_exec_t)
+init_named_socket_activation(rpcbind_t, rpcbind_var_run_t)
type rpcbind_initrc_exec_t;
init_script_file(rpcbind_initrc_exec_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-10-26 5:36 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-10-26 5:36 UTC (permalink / raw
To: gentoo-commits
commit: cc84af253feefbacb7155575e1126a7abf0227ca
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Oct 23 18:35:33 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 04:10:16 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cc84af25
Add systemd unit types.
Primarily contributed by the Tresys CLIP team.
policy/modules/contrib/alsa.fc | 5 +++++
policy/modules/contrib/alsa.te | 3 +++
policy/modules/contrib/bluetooth.fc | 3 +++
policy/modules/contrib/bluetooth.te | 3 +++
policy/modules/contrib/chronyd.fc | 5 +++++
policy/modules/contrib/chronyd.te | 3 +++
policy/modules/contrib/dbus.fc | 3 +++
policy/modules/contrib/dbus.te | 3 +++
policy/modules/contrib/dnsmasq.fc | 3 +++
policy/modules/contrib/dnsmasq.te | 3 +++
policy/modules/contrib/kdump.te | 3 +++
policy/modules/contrib/lircd.fc | 3 +++
policy/modules/contrib/lircd.te | 3 +++
policy/modules/contrib/logrotate.fc | 3 +++
policy/modules/contrib/logrotate.te | 3 +++
policy/modules/contrib/mandb.fc | 3 +++
policy/modules/contrib/mandb.te | 3 +++
policy/modules/contrib/networkmanager.fc | 4 ++++
policy/modules/contrib/networkmanager.te | 3 +++
policy/modules/contrib/ntp.fc | 3 +++
policy/modules/contrib/ntp.te | 3 +++
policy/modules/contrib/pcscd.fc | 3 +++
policy/modules/contrib/pcscd.te | 3 +++
policy/modules/contrib/plymouthd.fc | 3 +++
policy/modules/contrib/plymouthd.te | 3 +++
policy/modules/contrib/policykit.fc | 3 +++
policy/modules/contrib/policykit.te | 3 +++
policy/modules/contrib/qemu.fc | 2 ++
policy/modules/contrib/qemu.te | 3 +++
policy/modules/contrib/raid.fc | 4 ++++
policy/modules/contrib/raid.te | 3 +++
policy/modules/contrib/rpm.fc | 4 ++++
policy/modules/contrib/rpm.te | 3 +++
policy/modules/contrib/rtkit.fc | 3 +++
policy/modules/contrib/rtkit.te | 3 +++
policy/modules/contrib/shutdown.if | 18 ++++++++++++++++++
policy/modules/contrib/tcsd.fc | 3 +++
policy/modules/contrib/tcsd.te | 3 +++
38 files changed, 135 insertions(+)
diff --git a/policy/modules/contrib/alsa.fc b/policy/modules/contrib/alsa.fc
index 6c3c0ba..a8c8a64 100644
--- a/policy/modules/contrib/alsa.fc
+++ b/policy/modules/contrib/alsa.fc
@@ -14,6 +14,11 @@ ifdef(`distro_debian',`
/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
+# Systemd unit files
+/usr/lib/systemd/system/[^/]*alsa-restore.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
+/usr/lib/systemd/system/[^/]*alsa-state.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
+/usr/lib/systemd/system/[^/]*alsa-store.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
+
/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
/usr/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 46d12e8..24d5287 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -21,6 +21,9 @@ files_tmp_file(alsa_tmp_t)
type alsa_tmpfs_t;
files_tmpfs_file(alsa_tmpfs_t)
+type alsa_unit_t;
+init_unit_file(alsa_unit_t)
+
type alsa_var_lib_t;
files_type(alsa_var_lib_t)
diff --git a/policy/modules/contrib/bluetooth.fc b/policy/modules/contrib/bluetooth.fc
index a28101f..bcce998 100644
--- a/policy/modules/contrib/bluetooth.fc
+++ b/policy/modules/contrib/bluetooth.fc
@@ -10,6 +10,9 @@
/usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*bluetooth.* -- gen_context(system_u:object_r:bluetooth_unit_t,s0)
+
/usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/sbin/hcid -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
diff --git a/policy/modules/contrib/bluetooth.te b/policy/modules/contrib/bluetooth.te
index 08f3c20..d69c283 100644
--- a/policy/modules/contrib/bluetooth.te
+++ b/policy/modules/contrib/bluetooth.te
@@ -43,6 +43,9 @@ files_lock_file(bluetooth_lock_t)
type bluetooth_tmp_t;
files_tmp_file(bluetooth_tmp_t)
+type bluetooth_unit_t;
+init_unit_file(bluetooth_unit_t)
+
type bluetooth_var_lib_t;
files_type(bluetooth_var_lib_t)
diff --git a/policy/modules/contrib/chronyd.fc b/policy/modules/contrib/chronyd.fc
index fd5fbbb..a4a42ea 100644
--- a/policy/modules/contrib/chronyd.fc
+++ b/policy/modules/contrib/chronyd.fc
@@ -2,6 +2,11 @@
/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
+# Systend unit files
+/usr/lib/systemd/system/[^/]*chrony-wait.* -- gen_context(system_u:object_r:chronyd_unit_t,s0)
+/usr/lib/systemd/system/[^/]*chronyd.* -- gen_context(system_u:object_r:chronyd_unit_t,s0)
+
+
/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index 7a16731..3167bae 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
type chronyd_tmpfs_t;
files_tmpfs_file(chronyd_tmpfs_t)
+type chronyd_unit_t;
+init_unit_file(chronyd_unit_t)
+
type chronyd_var_lib_t;
files_type(chronyd_var_lib_t)
diff --git a/policy/modules/contrib/dbus.fc b/policy/modules/contrib/dbus.fc
index dda905b..309a462 100644
--- a/policy/modules/contrib/dbus.fc
+++ b/policy/modules/contrib/dbus.fc
@@ -10,6 +10,9 @@ HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0)
/usr/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*dbus.* -- gen_context(system_u:object_r:dbusd_unit_t,s0)
+
/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 6f2b890..e79a81a 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -22,6 +22,9 @@ type dbusd_exec_t;
corecmd_executable_file(dbusd_exec_t)
typealias dbusd_exec_t alias system_dbusd_exec_t;
+type dbusd_unit_t;
+init_unit_file(dbusd_unit_t)
+
type session_dbusd_home_t;
userdom_user_home_content(session_dbusd_home_t)
diff --git a/policy/modules/contrib/dnsmasq.fc b/policy/modules/contrib/dnsmasq.fc
index 8ca133c..89edbaa 100644
--- a/policy/modules/contrib/dnsmasq.fc
+++ b/policy/modules/contrib/dnsmasq.fc
@@ -3,6 +3,9 @@
/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_unit_t,s0)
+
/usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index 15b29cb..c71ace8 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -18,6 +18,9 @@ files_config_file(dnsmasq_etc_t)
type dnsmasq_lease_t;
files_type(dnsmasq_lease_t)
+type dnsmasq_unit_t;
+init_unit_file(dnsmasq_unit_t)
+
type dnsmasq_var_log_t;
logging_log_file(dnsmasq_var_log_t)
diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te
index 7c4e3f1..57e24e6 100644
--- a/policy/modules/contrib/kdump.te
+++ b/policy/modules/contrib/kdump.te
@@ -15,6 +15,9 @@ files_config_file(kdump_etc_t)
type kdump_initrc_exec_t;
init_script_file(kdump_initrc_exec_t)
+type kdump_unit_t;
+init_unit_file(kdump_unit_t)
+
type kdumpctl_t;
type kdumpctl_exec_t;
init_daemon_domain(kdumpctl_t, kdumpctl_exec_t)
diff --git a/policy/modules/contrib/lircd.fc b/policy/modules/contrib/lircd.fc
index c7a726a..76e497e 100644
--- a/policy/modules/contrib/lircd.fc
+++ b/policy/modules/contrib/lircd.fc
@@ -5,6 +5,9 @@
/etc/rc\.d/init\.d/lirc -- gen_context(system_u:object_r:lircd_initrc_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*lircd.* -- gen_context(system_u:object_r:lircd_unit_t,s0)
+
/usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0)
/var/run/lirc(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0)
diff --git a/policy/modules/contrib/lircd.te b/policy/modules/contrib/lircd.te
index 0064b06..26690f2 100644
--- a/policy/modules/contrib/lircd.te
+++ b/policy/modules/contrib/lircd.te
@@ -15,6 +15,9 @@ init_script_file(lircd_initrc_exec_t)
type lircd_etc_t;
files_type(lircd_etc_t)
+type lircd_unit_t;
+init_unit_file(lircd_unit_t)
+
type lircd_var_run_t alias lircd_sock_t;
files_pid_file(lircd_var_run_t)
diff --git a/policy/modules/contrib/logrotate.fc b/policy/modules/contrib/logrotate.fc
index 207ec10..ad21596 100644
--- a/policy/modules/contrib/logrotate.fc
+++ b/policy/modules/contrib/logrotate.fc
@@ -1,6 +1,9 @@
/etc/cron\.(daily|weekly)/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*logrotate.* -- gen_context(system_u:object_r:logrotate_unit_t,s0)
+
/usr/sbin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
/var/lib/logrotate(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0)
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index 311defd..33f534b 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -25,6 +25,9 @@ files_tmp_file(logrotate_tmp_t)
type logrotate_var_lib_t;
files_type(logrotate_var_lib_t)
+type logrotate_unit_t;
+init_unit_file(logrotate_unit_t)
+
mta_base_mail_template(logrotate)
role system_r types logrotate_mail_t;
diff --git a/policy/modules/contrib/mandb.fc b/policy/modules/contrib/mandb.fc
index 8ae78b5..9f2825e 100644
--- a/policy/modules/contrib/mandb.fc
+++ b/policy/modules/contrib/mandb.fc
@@ -1 +1,4 @@
/etc/cron\.(daily|weekly)/man-db.* -- gen_context(system_u:object_r:mandb_exec_t,s0)
+
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*man-db.* -- gen_context(system_u:object_r:mandb_unit_t,s0)
diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te
index e29882f..46860dd 100644
--- a/policy/modules/contrib/mandb.te
+++ b/policy/modules/contrib/mandb.te
@@ -13,6 +13,9 @@ type mandb_exec_t;
application_domain(mandb_t, mandb_exec_t)
role mandb_roles types mandb_t;
+type mandb_unit_t;
+init_unit_file(mandb_unit_t)
+
########################################
#
# Local policy
diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc
index 5ffd285..c192c7f 100644
--- a/policy/modules/contrib/networkmanager.fc
+++ b/policy/modules/contrib/networkmanager.fc
@@ -17,6 +17,10 @@
/usr/lib/networkmanager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
/usr/libexec/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+# Systemd unit files
+/usr/lib/systemd/system/[^/]*NetworkManager.* -- gen_context(system_u:object_r:NetworkManager_unit_t,s0)
+/usr/lib/systemd/system/[^/]*wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_unit_t,s0)
+
/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 427dfe4..a977b9a 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -24,6 +24,9 @@ logging_log_file(NetworkManager_log_t)
type NetworkManager_tmp_t;
files_tmp_file(NetworkManager_tmp_t)
+type NetworkManager_unit_t;
+init_unit_file(NetworkManager_unit_t)
+
type NetworkManager_var_lib_t;
files_type(NetworkManager_var_lib_t)
diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index c74d996..c01eb54 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -11,6 +11,9 @@
/etc/rc\.d/init\.d/ntpd? -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/ntp-units\.d/.* -- gen_context(system_u:object_r:ntpd_unit_t,s0)
+
/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 7600674..1f24dab 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -33,6 +33,9 @@ files_tmp_file(ntpd_tmp_t)
type ntpd_tmpfs_t;
files_tmpfs_file(ntpd_tmpfs_t)
+type ntpd_unit_t;
+init_unit_file(ntpd_unit_t)
+
type ntpd_var_run_t;
files_pid_file(ntpd_var_run_t)
diff --git a/policy/modules/contrib/pcscd.fc b/policy/modules/contrib/pcscd.fc
index 58363c7..5d1beba 100644
--- a/policy/modules/contrib/pcscd.fc
+++ b/policy/modules/contrib/pcscd.fc
@@ -2,6 +2,9 @@
/usr/sbin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*pcscd.* -- gen_context(system_u:object_r:pcscd_unit_t,s0)
+
/var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0)
/var/run/pcscd(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0)
/var/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
index bf5066f..f863ba2 100644
--- a/policy/modules/contrib/pcscd.te
+++ b/policy/modules/contrib/pcscd.te
@@ -12,6 +12,9 @@ init_daemon_domain(pcscd_t, pcscd_exec_t)
type pcscd_initrc_exec_t;
init_script_file(pcscd_initrc_exec_t)
+type pcscd_unit_t;
+init_unit_file(pcscd_unit_t)
+
type pcscd_var_run_t;
files_pid_file(pcscd_var_run_t)
init_daemon_pid_file(pcscd_var_run_t, dir, "pcscd")
diff --git a/policy/modules/contrib/plymouthd.fc b/policy/modules/contrib/plymouthd.fc
index 735500f..2d9b956 100644
--- a/policy/modules/contrib/plymouthd.fc
+++ b/policy/modules/contrib/plymouthd.fc
@@ -4,6 +4,9 @@
/usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*plymouth-.* -- gen_context(system_u:object_r:plymouthd_unit_t,s0)
+
/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
diff --git a/policy/modules/contrib/plymouthd.te b/policy/modules/contrib/plymouthd.te
index 3078ce9..8dadb33 100644
--- a/policy/modules/contrib/plymouthd.te
+++ b/policy/modules/contrib/plymouthd.te
@@ -17,6 +17,9 @@ init_daemon_domain(plymouthd_t, plymouthd_exec_t)
type plymouthd_spool_t;
files_type(plymouthd_spool_t)
+type plymouthd_unit_t;
+init_unit_file(plymouthd_unit_t)
+
type plymouthd_var_lib_t;
files_type(plymouthd_var_lib_t)
diff --git a/policy/modules/contrib/policykit.fc b/policy/modules/contrib/policykit.fc
index 1d76c72..774c12b 100644
--- a/policy/modules/contrib/policykit.fc
+++ b/policy/modules/contrib/policykit.fc
@@ -8,6 +8,9 @@
/usr/lib/policykit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*polkit.* -- gen_context(system_u:object_r:policykit_unit_t,s0)
+
/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index ee91778..108007e 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -34,6 +34,9 @@ files_type(policykit_reload_t)
type policykit_tmp_t;
files_tmp_file(policykit_tmp_t)
+type policykit_unit_t;
+init_unit_file(policykit_unit_t)
+
type policykit_var_lib_t alias polkit_var_lib_t;
files_type(policykit_var_lib_t)
diff --git a/policy/modules/contrib/qemu.fc b/policy/modules/contrib/qemu.fc
index f1304fb..cfb18ec 100644
--- a/policy/modules/contrib/qemu.fc
+++ b/policy/modules/contrib/qemu.fc
@@ -3,6 +3,8 @@
/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/lib/systemd/system/[^/]*qemu-guest-agent.* -- gen_context(system_u:object_r:qemu_unit_t,s0)
+
/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
ifdef(`distro_gentoo',`
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index 136f6f3..a17ed0c 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -22,6 +22,9 @@ application_executable_file(qemu_exec_t)
virt_domain_template(qemu)
role qemu_roles types qemu_t;
+type qemu_unit_t;
+init_unit_file(qemu_unit_t)
+
########################################
#
# Local policy
diff --git a/policy/modules/contrib/raid.fc b/policy/modules/contrib/raid.fc
index 5806046..2ea0889 100644
--- a/policy/modules/contrib/raid.fc
+++ b/policy/modules/contrib/raid.fc
@@ -11,6 +11,10 @@
/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/sbin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+# Systemd unit files
+/usr/lib/systemd/system/[^/]*mdadm-.* -- gen_context(system_u:object_r:mdadm_unit_t,s0)
+/usr/lib/systemd/system/[^/]*mdmon.* -- gen_context(system_u:object_r:mdadm_unit_t,s0)
+
/usr/sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/usr/sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
index dfe62e3..b6aea09 100644
--- a/policy/modules/contrib/raid.te
+++ b/policy/modules/contrib/raid.te
@@ -15,6 +15,9 @@ role mdadm_roles types mdadm_t;
type mdadm_initrc_exec_t;
init_script_file(mdadm_initrc_exec_t)
+type mdadm_unit_t;
+init_unit_file(mdadm_unit_t)
+
type mdadm_var_run_t alias mdadm_map_t;
files_pid_file(mdadm_var_run_t)
dev_associate(mdadm_var_run_t)
diff --git a/policy/modules/contrib/rpm.fc b/policy/modules/contrib/rpm.fc
index ebe91fc..1ebd4a1 100644
--- a/policy/modules/contrib/rpm.fc
+++ b/policy/modules/contrib/rpm.fc
@@ -13,6 +13,10 @@
/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*dnf-makecache.* -- gen_context(system_u:object_r:rpm_unit_t,s0)
+/usr/lib/systemd/system/[^/]*yum-makecache.* -- gen_context(system_u:object_r:rpm_unit_t,s0)
+
/usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index de5c91f..5cac092 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -37,6 +37,9 @@ files_lock_file(rpm_lock_t)
type rpm_log_t;
logging_log_file(rpm_log_t)
+type rpm_unit_t;
+init_unit_file(rpm_unit_t)
+
type rpm_var_lib_t;
files_type(rpm_var_lib_t)
typealias rpm_var_lib_t alias var_lib_rpm_t;
diff --git a/policy/modules/contrib/rtkit.fc b/policy/modules/contrib/rtkit.fc
index 75bbf38..a3021da 100644
--- a/policy/modules/contrib/rtkit.fc
+++ b/policy/modules/contrib/rtkit.fc
@@ -3,3 +3,6 @@
/usr/libexec/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0)
/usr/lib/rtkit/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0)
+
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*rtkit-daemon.* -- gen_context(system_u:object_r:rtkit_daemon_unit_t,s0)
diff --git a/policy/modules/contrib/rtkit.te b/policy/modules/contrib/rtkit.te
index 906ebb5..1aa52c4 100644
--- a/policy/modules/contrib/rtkit.te
+++ b/policy/modules/contrib/rtkit.te
@@ -12,6 +12,9 @@ init_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
type rtkit_daemon_initrc_exec_t;
init_script_file(rtkit_daemon_initrc_exec_t)
+type rtkit_daemon_unit_t;
+init_unit_file(rtkit_daemon_unit_t)
+
########################################
#
# Local policy
diff --git a/policy/modules/contrib/shutdown.if b/policy/modules/contrib/shutdown.if
index d1706bf..819d19b 100644
--- a/policy/modules/contrib/shutdown.if
+++ b/policy/modules/contrib/shutdown.if
@@ -91,6 +91,24 @@ interface(`shutdown_signal',`
########################################
## <summary>
+## Send SIGCHLD signals to shutdown.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shutdown_sigchld',`
+ gen_require(`
+ type shutdown_t;
+ ')
+
+ allow $1 shutdown_t:process sigchld;
+')
+
+########################################
+## <summary>
## Get attributes of shutdown executable files.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/tcsd.fc b/policy/modules/contrib/tcsd.fc
index c2c2636..0e086e7 100644
--- a/policy/modules/contrib/tcsd.fc
+++ b/policy/modules/contrib/tcsd.fc
@@ -1,5 +1,8 @@
/etc/rc\.d/init\.d/(tcsd|trousers) -- gen_context(system_u:object_r:tcsd_initrc_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*tcsd.* -- gen_context(system_u:object_r:tcsd_unit_t,s0)
+
/usr/sbin/tcsd -- gen_context(system_u:object_r:tcsd_exec_t,s0)
/var/lib/tpm(/.*)? gen_context(system_u:object_r:tcsd_var_lib_t,s0)
diff --git a/policy/modules/contrib/tcsd.te b/policy/modules/contrib/tcsd.te
index 272c114..439cf27 100644
--- a/policy/modules/contrib/tcsd.te
+++ b/policy/modules/contrib/tcsd.te
@@ -12,6 +12,9 @@ init_daemon_domain(tcsd_t, tcsd_exec_t)
type tcsd_initrc_exec_t;
init_script_file(tcsd_initrc_exec_t)
+type tcsd_unit_t;
+init_unit_file(tcsd_unit_t)
+
type tcsd_var_lib_t;
files_type(tcsd_var_lib_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2015-10-26 5:48 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-10-26 5:36 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-10-26 5:36 UTC (permalink / raw
To: gentoo-commits
commit: 69a218d604593c1a3c459b3935bc03e86b08b765
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Oct 23 18:50:08 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 04:10:16 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=69a218d6
Module version bump for systemd additions.
policy/modules/contrib/alsa.te | 2 +-
policy/modules/contrib/avahi.te | 2 +-
policy/modules/contrib/bluetooth.te | 2 +-
policy/modules/contrib/chronyd.te | 2 +-
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/dbus.te | 2 +-
policy/modules/contrib/dnsmasq.te | 2 +-
policy/modules/contrib/iscsi.te | 2 +-
policy/modules/contrib/kdump.te | 2 +-
policy/modules/contrib/lircd.te | 2 +-
policy/modules/contrib/logrotate.te | 2 +-
policy/modules/contrib/mandb.te | 2 +-
policy/modules/contrib/networkmanager.te | 2 +-
policy/modules/contrib/ntp.te | 2 +-
policy/modules/contrib/pcscd.te | 2 +-
policy/modules/contrib/plymouthd.te | 2 +-
policy/modules/contrib/policykit.te | 2 +-
policy/modules/contrib/qemu.te | 2 +-
policy/modules/contrib/raid.te | 2 +-
policy/modules/contrib/rpcbind.te | 2 +-
policy/modules/contrib/rpm.te | 2 +-
policy/modules/contrib/rtkit.te | 2 +-
policy/modules/contrib/shutdown.te | 2 +-
policy/modules/contrib/tcsd.te | 2 +-
24 files changed, 24 insertions(+), 24 deletions(-)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 24d5287..d325af4 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -1,4 +1,4 @@
-policy_module(alsa, 1.14.0)
+policy_module(alsa, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te
index 161763f..bb06564 100644
--- a/policy/modules/contrib/avahi.te
+++ b/policy/modules/contrib/avahi.te
@@ -1,4 +1,4 @@
-policy_module(avahi, 1.15.1)
+policy_module(avahi, 1.15.2)
########################################
#
diff --git a/policy/modules/contrib/bluetooth.te b/policy/modules/contrib/bluetooth.te
index d69c283..0c99cd9 100644
--- a/policy/modules/contrib/bluetooth.te
+++ b/policy/modules/contrib/bluetooth.te
@@ -1,4 +1,4 @@
-policy_module(bluetooth, 3.5.1)
+policy_module(bluetooth, 3.5.2)
########################################
#
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index 3167bae..c0d266e 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -1,4 +1,4 @@
-policy_module(chronyd, 1.2.1)
+policy_module(chronyd, 1.2.2)
########################################
#
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 261dc06..b5ff529 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.18.1)
+policy_module(cups, 1.18.2)
########################################
#
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index e32b70a..bc3999f 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.20.0)
+policy_module(dbus, 1.20.1)
gen_require(`
class dbus all_dbus_perms;
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index c71ace8..601831b 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -1,4 +1,4 @@
-policy_module(dnsmasq, 1.12.3)
+policy_module(dnsmasq, 1.12.4)
########################################
#
diff --git a/policy/modules/contrib/iscsi.te b/policy/modules/contrib/iscsi.te
index 43f85f3..502a1bb 100644
--- a/policy/modules/contrib/iscsi.te
+++ b/policy/modules/contrib/iscsi.te
@@ -1,4 +1,4 @@
-policy_module(iscsi, 1.9.1)
+policy_module(iscsi, 1.9.2)
########################################
#
diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te
index 57e24e6..fb31bbf 100644
--- a/policy/modules/contrib/kdump.te
+++ b/policy/modules/contrib/kdump.te
@@ -1,4 +1,4 @@
-policy_module(kdump, 1.3.1)
+policy_module(kdump, 1.3.2)
#######################################
#
diff --git a/policy/modules/contrib/lircd.te b/policy/modules/contrib/lircd.te
index 26690f2..bfdd92e 100644
--- a/policy/modules/contrib/lircd.te
+++ b/policy/modules/contrib/lircd.te
@@ -1,4 +1,4 @@
-policy_module(lircd, 1.2.1)
+policy_module(lircd, 1.2.2)
########################################
#
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index 33f534b..a256564 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.16.0)
+policy_module(logrotate, 1.16.1)
########################################
#
diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te
index 46860dd..8336559 100644
--- a/policy/modules/contrib/mandb.te
+++ b/policy/modules/contrib/mandb.te
@@ -1,4 +1,4 @@
-policy_module(mandb, 1.2.0)
+policy_module(mandb, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index a977b9a..83088ca 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.17.2)
+policy_module(networkmanager, 1.17.3)
########################################
#
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 1f24dab..2425edc 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.13.1)
+policy_module(ntp, 1.13.2)
########################################
#
diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
index f863ba2..d1cdf9f 100644
--- a/policy/modules/contrib/pcscd.te
+++ b/policy/modules/contrib/pcscd.te
@@ -1,4 +1,4 @@
-policy_module(pcscd, 1.10.1)
+policy_module(pcscd, 1.10.2)
########################################
#
diff --git a/policy/modules/contrib/plymouthd.te b/policy/modules/contrib/plymouthd.te
index 8dadb33..c235706 100644
--- a/policy/modules/contrib/plymouthd.te
+++ b/policy/modules/contrib/plymouthd.te
@@ -1,4 +1,4 @@
-policy_module(plymouthd, 1.2.0)
+policy_module(plymouthd, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index 108007e..6bb283f 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -1,4 +1,4 @@
-policy_module(policykit, 1.3.0)
+policy_module(policykit, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index a17ed0c..9714860 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -1,4 +1,4 @@
-policy_module(qemu, 1.8.0)
+policy_module(qemu, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
index b6aea09..f561fdd 100644
--- a/policy/modules/contrib/raid.te
+++ b/policy/modules/contrib/raid.te
@@ -1,4 +1,4 @@
-policy_module(raid, 1.14.2)
+policy_module(raid, 1.14.3)
########################################
#
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index fab6184..8c3575c 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.8.2)
+policy_module(rpcbind, 1.8.3)
########################################
#
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 5cac092..3da1c61 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -1,4 +1,4 @@
-policy_module(rpm, 1.17.2)
+policy_module(rpm, 1.17.3)
########################################
#
diff --git a/policy/modules/contrib/rtkit.te b/policy/modules/contrib/rtkit.te
index 1aa52c4..e9baab6 100644
--- a/policy/modules/contrib/rtkit.te
+++ b/policy/modules/contrib/rtkit.te
@@ -1,4 +1,4 @@
-policy_module(rtkit, 1.2.1)
+policy_module(rtkit, 1.2.2)
########################################
#
diff --git a/policy/modules/contrib/shutdown.te b/policy/modules/contrib/shutdown.te
index e2544e1..88a1436 100644
--- a/policy/modules/contrib/shutdown.te
+++ b/policy/modules/contrib/shutdown.te
@@ -1,4 +1,4 @@
-policy_module(shutdown, 1.2.0)
+policy_module(shutdown, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/tcsd.te b/policy/modules/contrib/tcsd.te
index 439cf27..6c56bba 100644
--- a/policy/modules/contrib/tcsd.te
+++ b/policy/modules/contrib/tcsd.te
@@ -1,4 +1,4 @@
-policy_module(tcsd, 1.2.1)
+policy_module(tcsd, 1.2.2)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-11-22 10:14 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-11-22 10:14 UTC (permalink / raw
To: gentoo-commits
commit: e848a95c2e0d96123aead79676beaf7084ac8d31
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 18 06:05:29 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Nov 18 06:06:06 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e848a95c
ntp: add perms for socket /run/ntpd.sock for openntpd
policy/modules/contrib/ntp.fc | 1 +
policy/modules/contrib/ntp.te | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index c01eb54..b58ce47 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -27,6 +27,7 @@
/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
/var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
+/var/run/ntpd\.sock -s gen_context(system_u:object_r:ntpd_var_run_t,s0)
ifdef(`distro_gentoo',`
/usr/bin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 2425edc..7af3a6d 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -78,7 +78,8 @@ manage_files_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file })
manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
-files_pid_filetrans(ntpd_t, ntpd_var_run_t, file)
+manage_sock_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
+files_pid_filetrans(ntpd_t, ntpd_var_run_t, { file sock_file })
can_exec(ntpd_t, ntpd_exec_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-11-22 10:14 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-11-22 10:14 UTC (permalink / raw
To: gentoo-commits
commit: 9ce39c14756e16c12ef1f09e9e0e063e14fb18d4
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 18 06:10:02 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Nov 18 06:10:02 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9ce39c14
pulseaudio: add fd perms for v7
avc: denied { use } for pid=19660 comm="threaded-ml"
path="anon_inode:[eventfd]" dev="anon_inodefs" ino=7523
scontext=staff_u:staff_r:mplayer_t:s0-s0:c0.c511
tcontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c511 tclass=fd
permissive=0
avc: denied { write } for pid=19792 comm="threaded-ml"
name="pulse-shm-1853902321" dev="tmpfs" ino=183175232
scontext=staff_u:staff_r:mplayer_t:s0-s0:c0.c511
tcontext=staff_u:object_r:pulseaudio_tmpfs_t:s0 tclass=file permissive=0
policy/modules/contrib/pulseaudio.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 1a25024..4dc75b1 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -277,4 +277,8 @@ ifdef(`distro_gentoo',`
# /tmp/pulse-* gets created by the clients usually as user_tmp_t, bug 556526
userdom_list_user_tmp(pulseaudio_client)
+
+ # pulse 7 uses fd's
+ allow pulseaudio_client pulseaudio_t:fd use;
+ allow pulseaudio_client pulseaudio_tmpfs_t:file rw_file_perms;
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-11-23 13:42 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-11-23 13:42 UTC (permalink / raw
To: gentoo-commits
commit: 476723f5d02b3222109358f99c9d76ede915e71b
Author: Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Sun Nov 22 12:28:43 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Nov 23 13:40:51 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=476723f5
Use fowner for salt_minion_t
Enable the fowner capability for the salt minion so that directory
metadata can be updated (such as the mode).
For instance, when trying to set mode 755 on a directory, the following
came up in the salt minion log (and the operation failed):
2015-11-22 13:18:01,242 [salt.state ][ERROR ][3290] Failed to
change mode to 0775
In the audit logs, the following occurred:
type=AVC msg=audit(1448194681.239:118): avc: denied { fowner } for
pid=3290 comm="salt-minion" capability=3
scontext=system_u:system_r:salt_minion_t:s0
tcontext=system_u:system_r:salt_minion_t:s0 tclass=capability
permissive=0
policy/modules/contrib/salt.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 2a4e84d..9a8a4ad 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -218,7 +218,7 @@ tunable_policy(`salt_master_read_nfs',`
# salt_minion_t policy
#
-allow salt_minion_t self:capability { fsetid chown dac_override dac_read_search net_admin setgid setuid sys_admin sys_nice sys_tty_config };
+allow salt_minion_t self:capability { fowner fsetid chown dac_override dac_read_search net_admin setgid setuid sys_admin sys_nice sys_tty_config };
allow salt_minion_t self:capability2 block_suspend;
allow salt_minion_t self:process { getsched setsched signal signull };
allow salt_minion_t self:tcp_socket create_stream_socket_perms;
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-12-17 18:49 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-12-17 18:49 UTC (permalink / raw
To: gentoo-commits
commit: 6291ea2e53987b71c967dd941be65c6eb58cb18b
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Thu Oct 29 11:27:27 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:32:11 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6291ea2e
Module version bump for dbus systemd patch from Laurent Bigonville.
policy/modules/contrib/dbus.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index bc3999f..7677478 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.20.1)
+policy_module(dbus, 1.20.2)
gen_require(`
class dbus all_dbus_perms;
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-12-17 18:49 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-12-17 18:49 UTC (permalink / raw
To: gentoo-commits
commit: ca03f8aa14fec8faf06c9d9b56c1273b175ce0e4
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Dec 8 14:53:02 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:57:35 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ca03f8aa
Update Changelog for release.
policy/modules/contrib/Changelog | 93 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 93 insertions(+)
diff --git a/policy/modules/contrib/Changelog b/policy/modules/contrib/Changelog
index 66e7d7c..63c8ea9 100644
--- a/policy/modules/contrib/Changelog
+++ b/policy/modules/contrib/Changelog
@@ -1,3 +1,96 @@
+* Tue Dec 08 2015 Chris PeBenito <selinux@tresys.com> - 2.20151208
+Alexander Wetzel (1):
+ add vfio support for libvirt
+
+Chas Williams - CONTRACTOR (1):
+ afs: update labels, file contexts and allow access to urandom
+
+Chris PeBenito (14):
+ Module version bump for hadoop_admin() fix from Jazon Zaman.
+ Module version bump for fc typo in radius from Sven Vermeulen.
+ Module version bump for patches from Jason Zaman.
+ Module version bump for init_startstop_service from Jason Zaman.
+ Module version bump for cron_admin interface from Jason Zaman.
+ Comment/whitespace fix in virt.te.
+ Module version bump for vfio support for libvirt from Alexander Wetzel.
+ Add systemd unit types.
+ Add systemd socket activations.
+ Merge branch 'pebenito-master'
+ Module version bump for systemd additions.
+ Merge branch 'bigon-systemd'
+ Module version bump for dbus systemd patch from Laurent Bigonville.
+ Bump module versions for release.
+
+Dominick Grift (16):
+ Module version bump for courier fixes from Sven Vermeulen.
+ Module version bump for afs fixes from Chas Williams.
+ Redundant rules and afs_files_t is not a filesystem type
+ Various samhain fixes
+ Cachefilesd module updates
+ Module version bump for changes to the dnsmasq policy module by Jason
+ Zaman
+ Module version bump for changes to the snmp policy module by Jason Zaman
+ Module version bump for changes to the pulseaudio policy module by Jason
+ Zaman
+ cachefiles: It is cachefilesd_cache_t
+ Module version bump for update to the networkmanager policy module by
+ Stephen Smalley.
+ Module version bumps for "Remove run interface calls from admin
+ interfaces" changes by Jason Zaman.
+ Module version bump for changes to the pulseaudio module by Niklas Haas.
+ Changes to the git, hadoop and rsync modules by Jason Zaman.
+ Module version bump for changes to the virt module by Jason Zaman
+ Module version bump for changes to the mozilla module from Laurent
+ Bigonville.
+ Module version bump for changes to the wine module by Nicolas Iooss
+
+Jason Zaman (19):
+ hadoop: remove _role from _admin interface
+ rpcbind: typo fix
+ git: make inetd interface optional
+ rpc: introduce allow_gssd_write_tmp boolean
+ rpc: allow setgid capability
+ virt: add virt_tmpfs_t type and permissions
+ introduce virt_leaseshelper_t
+ dnsmasq: allow exec shell for scripts
+ snmp: missing fcontext for snmpd
+ pulseaudio: filetrans for autospawn.lock
+ Use init_startstop_service in admin interfaces A-M
+ Use init_startstop_service in admin interfaces N-Z
+ Remove _run() interfaces from _admin()
+ Introduce cron_admin interface
+ rsync: remove rsync_run from admin interface
+ git: allow git_system_t to listen on tcp_sockets
+ hadoop: init_startstop_service() can not take attributes
+ virt: Allow creating qemu guest agent socket
+ virt: Add policy for virtlockd the Virtual machine lock manager
+
+Laurent Bigonville (2):
+ Transition D-Bus system service out of the init_t domain when PID1 is
+ systemd
+ Label iceweasel plugin-container executable as mozilla_plugin_exec_t
+
+Nicolas Iooss (1):
+ wine: remove use of nonexisting interface
+
+Niklas Haas (1):
+ pulse: don't give pulseaudio_client full access to user_home_t
+
+Stephen Smalley (1):
+ contrib: networkmanager: allow netlink_generic_socket access
+
+Sven Vermeulen (6):
+ Locate authdaemon socket and communicate with authdaemon
+ Allow authdaemon to access selinux fs to check SELinux state
+ Grant setuid/setgid to courier_pop_t
+ Execute courier helper script after authentication
+ Courier IMAP needs to manage the users' maildir
+ Fix typo for radiusd /var/lib location
+
+doverride (2):
+ Merge pull request #3 from haasn/pulse-nohome
+ Merge pull request #6 from bigon/mozilla-1
+
* Wed Dec 03 2014 Chris PeBenito <selinux@tresys.com> - 2.20141203
Chris PeBenito (26):
Whitespace fix in ntp.fc.
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-12-17 18:49 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-12-17 18:49 UTC (permalink / raw
To: gentoo-commits
commit: b73110702bd037d2d2ab10d90a278e4e0afdaa31
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Mon Nov 16 22:14:59 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:57:34 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b7311070
wine: remove use of nonexisting interface
wine_role_template uses userdom_unpriv_usertype, which is not defined
anywhere in the policy.
policy/modules/contrib/wine.if | 1 -
1 file changed, 1 deletion(-)
diff --git a/policy/modules/contrib/wine.if b/policy/modules/contrib/wine.if
index fd2b6cc..2dba621 100644
--- a/policy/modules/contrib/wine.if
+++ b/policy/modules/contrib/wine.if
@@ -88,7 +88,6 @@ template(`wine_role_template',`
corecmd_bin_domtrans($1_wine_t, $3)
- userdom_unpriv_usertype($1, $1_wine_t)
userdom_manage_user_tmpfs_files($1_wine_t)
domain_mmap_low($1_wine_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-12-17 18:49 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-12-17 18:49 UTC (permalink / raw
To: gentoo-commits
commit: f5c7f2bfa8430aa707ac0966750e05d1b81ae40a
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Wed Nov 4 12:28:52 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:57:34 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f5c7f2bf
Label iceweasel plugin-container executable as mozilla_plugin_exec_t
policy/modules/contrib/mozilla.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/mozilla.fc b/policy/modules/contrib/mozilla.fc
index 54e1ba4..c614f8c 100644
--- a/policy/modules/contrib/mozilla.fc
+++ b/policy/modules/contrib/mozilla.fc
@@ -21,6 +21,7 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/lib/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/iceweasel/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
/usr/lib/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:mozilla_plugin_rw_t,s0)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-12-17 18:49 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-12-17 18:49 UTC (permalink / raw
To: gentoo-commits
commit: b2c793dfb6d4fc880e041cede280683df0244263
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Tue Nov 17 08:17:56 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:57:34 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b2c793df
Module version bump for changes to the wine module by Nicolas Iooss
policy/modules/contrib/wine.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/wine.te b/policy/modules/contrib/wine.te
index 491b87b..8efd659 100644
--- a/policy/modules/contrib/wine.te
+++ b/policy/modules/contrib/wine.te
@@ -1,4 +1,4 @@
-policy_module(wine, 1.11.0)
+policy_module(wine, 1.11.1)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-12-17 18:49 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-12-17 18:49 UTC (permalink / raw
To: gentoo-commits
commit: 5594149bf7f62722500151aedf29711bf607105a
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Wed Dec 9 13:26:24 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:57:35 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5594149b
Add initial geoclue 2 module
This has been tested with geoclue 2.4.0 on Debian
policy/modules/contrib/geoclue.fc | 7 +++++++
policy/modules/contrib/geoclue.if | 1 +
policy/modules/contrib/geoclue.te | 37 +++++++++++++++++++++++++++++++++++++
3 files changed, 45 insertions(+)
diff --git a/policy/modules/contrib/geoclue.fc b/policy/modules/contrib/geoclue.fc
new file mode 100644
index 0000000..faca546
--- /dev/null
+++ b/policy/modules/contrib/geoclue.fc
@@ -0,0 +1,7 @@
+/etc/geoclue(/.*)? gen_context(system_u:object_r:geoclue_etc_t,s0)
+
+/usr/lib/geoclue-2.0/geoclue -- gen_context(system_u:object_r:geoclue_exec_t,s0)
+
+/usr/libexec/geoclue -- gen_context(system_u:object_r:geoclue_exec_t,s0)
+
+/var/lib/geoclue(/.*)? gen_context(system_u:object_r:geoclue_var_lib_t,s0)
diff --git a/policy/modules/contrib/geoclue.if b/policy/modules/contrib/geoclue.if
new file mode 100644
index 0000000..9df3608
--- /dev/null
+++ b/policy/modules/contrib/geoclue.if
@@ -0,0 +1 @@
+## <summary>Geoclue is a D-Bus service that provides location information.</summary>
diff --git a/policy/modules/contrib/geoclue.te b/policy/modules/contrib/geoclue.te
new file mode 100644
index 0000000..fc72974
--- /dev/null
+++ b/policy/modules/contrib/geoclue.te
@@ -0,0 +1,37 @@
+policy_module(geoclue, 1.0.0)
+
+type geoclue_t;
+type geoclue_exec_t;
+dbus_system_domain(geoclue_t, geoclue_exec_t)
+
+type geoclue_etc_t;
+files_config_file(geoclue_etc_t)
+
+type geoclue_var_lib_t;
+files_type(geoclue_var_lib_t)
+
+read_files_pattern(geoclue_t, geoclue_etc_t, geoclue_etc_t)
+
+corenet_tcp_connect_http_port(geoclue_t)
+
+dev_read_urand(geoclue_t)
+
+# Reads /etc/nsswitch.conf
+files_read_etc_files(geoclue_t)
+
+miscfiles_read_generic_certs(geoclue_t)
+miscfiles_read_localization(geoclue_t)
+
+sysnet_dns_name_resolve(geoclue_t)
+
+optional_policy(`
+ avahi_dbus_chat(geoclue_t)
+')
+
+optional_policy(`
+ networkmanager_dbus_chat(geoclue_t)
+')
+
+optional_policy(`
+ modemmanager_dbus_chat(geoclue_t)
+')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-12-17 18:49 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-12-17 18:49 UTC (permalink / raw
To: gentoo-commits
commit: bff223743be8e5b29ef36125aa0b3734da4f5f34
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Thu Dec 10 10:38:34 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:57:35 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bff22374
Properly escape dot in the path to the geoclue daemon
policy/modules/contrib/geoclue.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/geoclue.fc b/policy/modules/contrib/geoclue.fc
index faca546..e7de9e8 100644
--- a/policy/modules/contrib/geoclue.fc
+++ b/policy/modules/contrib/geoclue.fc
@@ -1,6 +1,6 @@
/etc/geoclue(/.*)? gen_context(system_u:object_r:geoclue_etc_t,s0)
-/usr/lib/geoclue-2.0/geoclue -- gen_context(system_u:object_r:geoclue_exec_t,s0)
+/usr/lib/geoclue-2\.0/geoclue -- gen_context(system_u:object_r:geoclue_exec_t,s0)
/usr/libexec/geoclue -- gen_context(system_u:object_r:geoclue_exec_t,s0)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-12-17 18:49 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-12-17 18:49 UTC (permalink / raw
To: gentoo-commits
commit: 574b23826b265be34284368cea90fa8185413a91
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Mon Oct 26 12:26:06 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:32:11 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=574b2382
Transition D-Bus system service out of the init_t domain when PID1 is systemd
D-Bus is not starting the activated system services anymore when PID1 is
systemd, but it delegate the job to systemd.
policy/modules/contrib/dbus.if | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if
index 077dabc..89bbb25 100644
--- a/policy/modules/contrib/dbus.if
+++ b/policy/modules/contrib/dbus.if
@@ -573,6 +573,10 @@ interface(`dbus_system_domain',`
userdom_read_all_users_state($1)
+ ifdef(`init_systemd',`
+ init_daemon_domain($1, $2)
+ ')
+
ifdef(`hide_broken_symptoms', `
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2015-12-17 16:10 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-12-17 18:49 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-12-17 18:49 UTC (permalink / raw
To: gentoo-commits
commit: 5ffb6f47ebd043d333f603d3dbf9d81119c7133e
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Dec 8 14:53:02 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:57:35 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5ffb6f47
Bump module versions for release.
policy/modules/contrib/abrt.te | 2 +-
policy/modules/contrib/acct.te | 2 +-
policy/modules/contrib/afs.te | 2 +-
policy/modules/contrib/aiccu.te | 2 +-
policy/modules/contrib/aisexec.te | 2 +-
policy/modules/contrib/alsa.te | 2 +-
policy/modules/contrib/amavis.te | 2 +-
policy/modules/contrib/amtu.te | 2 +-
policy/modules/contrib/apache.te | 2 +-
policy/modules/contrib/apcupsd.te | 2 +-
policy/modules/contrib/apm.te | 2 +-
policy/modules/contrib/arpwatch.te | 2 +-
policy/modules/contrib/asterisk.te | 2 +-
policy/modules/contrib/automount.te | 2 +-
policy/modules/contrib/avahi.te | 2 +-
policy/modules/contrib/bacula.te | 2 +-
policy/modules/contrib/bcfg2.te | 2 +-
policy/modules/contrib/bind.te | 2 +-
policy/modules/contrib/bird.te | 2 +-
policy/modules/contrib/bitlbee.te | 2 +-
policy/modules/contrib/bluetooth.te | 2 +-
policy/modules/contrib/boinc.te | 2 +-
policy/modules/contrib/cachefilesd.te | 2 +-
policy/modules/contrib/callweaver.te | 2 +-
policy/modules/contrib/canna.te | 2 +-
policy/modules/contrib/ccs.te | 2 +-
policy/modules/contrib/certmaster.te | 2 +-
policy/modules/contrib/certmonger.te | 2 +-
policy/modules/contrib/cfengine.te | 2 +-
policy/modules/contrib/cgroup.te | 2 +-
policy/modules/contrib/chronyd.te | 2 +-
policy/modules/contrib/cipe.te | 2 +-
policy/modules/contrib/clamav.te | 2 +-
policy/modules/contrib/cmirrord.te | 2 +-
policy/modules/contrib/cobbler.te | 2 +-
policy/modules/contrib/collectd.te | 2 +-
policy/modules/contrib/condor.te | 2 +-
policy/modules/contrib/corosync.te | 2 +-
policy/modules/contrib/couchdb.te | 2 +-
policy/modules/contrib/courier.te | 2 +-
policy/modules/contrib/cron.te | 2 +-
policy/modules/contrib/ctdb.te | 2 +-
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/cvs.te | 2 +-
policy/modules/contrib/cyphesis.te | 2 +-
policy/modules/contrib/cyrus.te | 2 +-
policy/modules/contrib/dante.te | 2 +-
policy/modules/contrib/dbus.te | 2 +-
policy/modules/contrib/ddclient.te | 2 +-
policy/modules/contrib/denyhosts.te | 2 +-
policy/modules/contrib/dhcp.te | 2 +-
policy/modules/contrib/dictd.te | 2 +-
policy/modules/contrib/dirmngr.te | 2 +-
policy/modules/contrib/distcc.te | 2 +-
policy/modules/contrib/dkim.te | 2 +-
policy/modules/contrib/dnsmasq.te | 2 +-
policy/modules/contrib/dnssectrigger.te | 2 +-
policy/modules/contrib/dovecot.te | 2 +-
policy/modules/contrib/drbd.te | 2 +-
policy/modules/contrib/dspam.te | 2 +-
policy/modules/contrib/entropyd.te | 2 +-
policy/modules/contrib/exim.te | 2 +-
policy/modules/contrib/fail2ban.te | 2 +-
policy/modules/contrib/fcoe.te | 2 +-
policy/modules/contrib/fetchmail.te | 2 +-
policy/modules/contrib/firewalld.te | 2 +-
policy/modules/contrib/ftp.te | 2 +-
policy/modules/contrib/gatekeeper.te | 2 +-
policy/modules/contrib/gdomap.te | 2 +-
policy/modules/contrib/git.te | 2 +-
policy/modules/contrib/glance.te | 2 +-
policy/modules/contrib/glusterfs.te | 2 +-
policy/modules/contrib/gpm.te | 2 +-
policy/modules/contrib/gpsd.te | 2 +-
policy/modules/contrib/hadoop.te | 2 +-
policy/modules/contrib/hddtemp.te | 2 +-
policy/modules/contrib/howl.te | 2 +-
policy/modules/contrib/hypervkvp.te | 2 +-
policy/modules/contrib/i18n_input.te | 2 +-
policy/modules/contrib/icecast.te | 2 +-
policy/modules/contrib/ifplugd.te | 2 +-
policy/modules/contrib/inn.te | 2 +-
policy/modules/contrib/iodine.te | 2 +-
policy/modules/contrib/ircd.te | 2 +-
policy/modules/contrib/irqbalance.te | 2 +-
policy/modules/contrib/iscsi.te | 2 +-
policy/modules/contrib/isns.te | 2 +-
policy/modules/contrib/jabber.te | 2 +-
policy/modules/contrib/kdump.te | 2 +-
policy/modules/contrib/kerberos.te | 2 +-
policy/modules/contrib/kerneloops.te | 2 +-
policy/modules/contrib/keystone.te | 2 +-
policy/modules/contrib/kismet.te | 2 +-
policy/modules/contrib/ksmtuned.te | 2 +-
policy/modules/contrib/kudzu.te | 2 +-
policy/modules/contrib/l2tp.te | 2 +-
policy/modules/contrib/ldap.te | 2 +-
policy/modules/contrib/likewise.te | 2 +-
policy/modules/contrib/lircd.te | 2 +-
policy/modules/contrib/lldpad.te | 2 +-
policy/modules/contrib/logrotate.te | 2 +-
policy/modules/contrib/mailscanner.te | 2 +-
policy/modules/contrib/mandb.te | 2 +-
policy/modules/contrib/mcelog.te | 2 +-
policy/modules/contrib/memcached.te | 2 +-
policy/modules/contrib/minissdpd.te | 2 +-
policy/modules/contrib/mongodb.te | 2 +-
policy/modules/contrib/monop.te | 2 +-
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/contrib/mpd.te | 2 +-
policy/modules/contrib/mrtg.te | 2 +-
policy/modules/contrib/munin.te | 2 +-
policy/modules/contrib/mysql.te | 2 +-
policy/modules/contrib/nagios.te | 2 +-
policy/modules/contrib/nessus.te | 2 +-
policy/modules/contrib/networkmanager.te | 2 +-
policy/modules/contrib/nis.te | 2 +-
policy/modules/contrib/nscd.te | 2 +-
policy/modules/contrib/nsd.te | 2 +-
policy/modules/contrib/nslcd.te | 2 +-
policy/modules/contrib/ntop.te | 2 +-
policy/modules/contrib/ntp.te | 2 +-
policy/modules/contrib/numad.te | 2 +-
policy/modules/contrib/nut.te | 2 +-
policy/modules/contrib/oident.te | 2 +-
policy/modules/contrib/openct.te | 2 +-
policy/modules/contrib/openhpi.te | 2 +-
policy/modules/contrib/openvpn.te | 2 +-
policy/modules/contrib/openvswitch.te | 2 +-
policy/modules/contrib/pacemaker.te | 2 +-
policy/modules/contrib/pads.te | 2 +-
policy/modules/contrib/pcscd.te | 2 +-
policy/modules/contrib/pegasus.te | 2 +-
policy/modules/contrib/perdition.te | 2 +-
policy/modules/contrib/pingd.te | 2 +-
policy/modules/contrib/pkcs.te | 2 +-
policy/modules/contrib/plymouthd.te | 2 +-
policy/modules/contrib/policykit.te | 2 +-
policy/modules/contrib/polipo.te | 2 +-
policy/modules/contrib/portmap.te | 2 +-
policy/modules/contrib/portreserve.te | 2 +-
policy/modules/contrib/postfix.te | 2 +-
policy/modules/contrib/postfixpolicyd.te | 2 +-
policy/modules/contrib/postgrey.te | 2 +-
policy/modules/contrib/ppp.te | 2 +-
policy/modules/contrib/prelude.te | 2 +-
policy/modules/contrib/privoxy.te | 2 +-
policy/modules/contrib/psad.te | 2 +-
policy/modules/contrib/pulseaudio.te | 2 +-
policy/modules/contrib/puppet.te | 2 +-
policy/modules/contrib/pxe.te | 2 +-
policy/modules/contrib/pyicqt.te | 2 +-
policy/modules/contrib/pyzor.te | 2 +-
policy/modules/contrib/qemu.te | 2 +-
policy/modules/contrib/qpid.te | 2 +-
policy/modules/contrib/quantum.te | 2 +-
policy/modules/contrib/quota.te | 2 +-
policy/modules/contrib/rabbitmq.te | 2 +-
policy/modules/contrib/radius.te | 2 +-
policy/modules/contrib/radvd.te | 2 +-
policy/modules/contrib/raid.te | 2 +-
policy/modules/contrib/redis.te | 2 +-
policy/modules/contrib/resmgr.te | 2 +-
policy/modules/contrib/rgmanager.te | 2 +-
policy/modules/contrib/rhcs.te | 2 +-
policy/modules/contrib/rhsmcertd.te | 2 +-
policy/modules/contrib/ricci.te | 2 +-
policy/modules/contrib/rngd.te | 2 +-
policy/modules/contrib/roundup.te | 2 +-
policy/modules/contrib/rpc.te | 2 +-
policy/modules/contrib/rpcbind.te | 2 +-
policy/modules/contrib/rpm.te | 2 +-
policy/modules/contrib/rsync.te | 2 +-
policy/modules/contrib/rtkit.te | 2 +-
policy/modules/contrib/rwho.te | 2 +-
policy/modules/contrib/samba.te | 2 +-
policy/modules/contrib/samhain.te | 2 +-
policy/modules/contrib/sanlock.te | 2 +-
policy/modules/contrib/sasl.te | 2 +-
policy/modules/contrib/sblim.te | 2 +-
policy/modules/contrib/sendmail.te | 2 +-
policy/modules/contrib/sensord.te | 2 +-
policy/modules/contrib/shorewall.te | 2 +-
policy/modules/contrib/shutdown.te | 2 +-
policy/modules/contrib/slpd.te | 2 +-
policy/modules/contrib/smartmon.te | 2 +-
policy/modules/contrib/smokeping.te | 2 +-
policy/modules/contrib/smstools.te | 2 +-
policy/modules/contrib/snmp.te | 2 +-
policy/modules/contrib/snort.te | 2 +-
policy/modules/contrib/soundserver.te | 2 +-
policy/modules/contrib/spamassassin.te | 2 +-
policy/modules/contrib/squid.te | 2 +-
policy/modules/contrib/sssd.te | 2 +-
policy/modules/contrib/svnserve.te | 2 +-
policy/modules/contrib/sysstat.te | 2 +-
policy/modules/contrib/systemtap.te | 2 +-
policy/modules/contrib/tcsd.te | 2 +-
policy/modules/contrib/tgtd.te | 2 +-
policy/modules/contrib/tor.te | 2 +-
policy/modules/contrib/transproxy.te | 2 +-
policy/modules/contrib/tuned.te | 2 +-
policy/modules/contrib/ulogd.te | 2 +-
policy/modules/contrib/uptime.te | 2 +-
policy/modules/contrib/uucp.te | 2 +-
policy/modules/contrib/uuidd.te | 2 +-
policy/modules/contrib/varnishd.te | 2 +-
policy/modules/contrib/vdagent.te | 2 +-
policy/modules/contrib/vhostmd.te | 2 +-
policy/modules/contrib/virt.te | 2 +-
policy/modules/contrib/vnstatd.te | 2 +-
policy/modules/contrib/watchdog.te | 2 +-
policy/modules/contrib/wdmd.te | 2 +-
policy/modules/contrib/wine.te | 2 +-
policy/modules/contrib/xfs.te | 2 +-
policy/modules/contrib/zabbix.te | 2 +-
policy/modules/contrib/zarafa.te | 2 +-
policy/modules/contrib/zebra.te | 2 +-
218 files changed, 218 insertions(+), 218 deletions(-)
diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te
index dedf055..c83fba6 100644
--- a/policy/modules/contrib/abrt.te
+++ b/policy/modules/contrib/abrt.te
@@ -1,4 +1,4 @@
-policy_module(abrt, 1.5.1)
+policy_module(abrt, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/acct.te b/policy/modules/contrib/acct.te
index 7d6e06d..6f6fd13 100644
--- a/policy/modules/contrib/acct.te
+++ b/policy/modules/contrib/acct.te
@@ -1,4 +1,4 @@
-policy_module(acct, 1.6.1)
+policy_module(acct, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/afs.te b/policy/modules/contrib/afs.te
index c2840ba..e685b5d 100644
--- a/policy/modules/contrib/afs.te
+++ b/policy/modules/contrib/afs.te
@@ -1,4 +1,4 @@
-policy_module(afs, 1.9.3)
+policy_module(afs, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/aiccu.te b/policy/modules/contrib/aiccu.te
index 44a23e6..de1c465 100644
--- a/policy/modules/contrib/aiccu.te
+++ b/policy/modules/contrib/aiccu.te
@@ -1,4 +1,4 @@
-policy_module(aiccu, 1.1.1)
+policy_module(aiccu, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/aisexec.te b/policy/modules/contrib/aisexec.te
index 73e7382..6270b44 100644
--- a/policy/modules/contrib/aisexec.te
+++ b/policy/modules/contrib/aisexec.te
@@ -1,4 +1,4 @@
-policy_module(aisexec, 1.2.1)
+policy_module(aisexec, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index d325af4..17bb145 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -1,4 +1,4 @@
-policy_module(alsa, 1.14.1)
+policy_module(alsa, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/amavis.te b/policy/modules/contrib/amavis.te
index 1214ac1..2c9313e 100644
--- a/policy/modules/contrib/amavis.te
+++ b/policy/modules/contrib/amavis.te
@@ -1,4 +1,4 @@
-policy_module(amavis, 1.15.1)
+policy_module(amavis, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/amtu.te b/policy/modules/contrib/amtu.te
index 918580d..9342d56 100644
--- a/policy/modules/contrib/amtu.te
+++ b/policy/modules/contrib/amtu.te
@@ -1,4 +1,4 @@
-policy_module(amtu, 1.3.1)
+policy_module(amtu, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index a7fd097..d3299a2 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.9.1)
+policy_module(apache, 2.10.0)
########################################
#
diff --git a/policy/modules/contrib/apcupsd.te b/policy/modules/contrib/apcupsd.te
index 407ca94..d5bf5bd 100644
--- a/policy/modules/contrib/apcupsd.te
+++ b/policy/modules/contrib/apcupsd.te
@@ -1,4 +1,4 @@
-policy_module(apcupsd, 1.9.1)
+policy_module(apcupsd, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/apm.te b/policy/modules/contrib/apm.te
index b6e5447..d6344dc 100644
--- a/policy/modules/contrib/apm.te
+++ b/policy/modules/contrib/apm.te
@@ -1,4 +1,4 @@
-policy_module(apm, 1.13.1)
+policy_module(apm, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/arpwatch.te b/policy/modules/contrib/arpwatch.te
index f52071c..97ecc55 100644
--- a/policy/modules/contrib/arpwatch.te
+++ b/policy/modules/contrib/arpwatch.te
@@ -1,4 +1,4 @@
-policy_module(arpwatch, 1.11.1)
+policy_module(arpwatch, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/asterisk.te b/policy/modules/contrib/asterisk.te
index f51e183..fc25311 100644
--- a/policy/modules/contrib/asterisk.te
+++ b/policy/modules/contrib/asterisk.te
@@ -1,4 +1,4 @@
-policy_module(asterisk, 1.14.1)
+policy_module(asterisk, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/automount.te b/policy/modules/contrib/automount.te
index 6c5e7ed..be5adee 100644
--- a/policy/modules/contrib/automount.te
+++ b/policy/modules/contrib/automount.te
@@ -1,4 +1,4 @@
-policy_module(automount, 1.15.1)
+policy_module(automount, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te
index bb06564..461cef0 100644
--- a/policy/modules/contrib/avahi.te
+++ b/policy/modules/contrib/avahi.te
@@ -1,4 +1,4 @@
-policy_module(avahi, 1.15.2)
+policy_module(avahi, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/bacula.te b/policy/modules/contrib/bacula.te
index a69da67..16b89e7 100644
--- a/policy/modules/contrib/bacula.te
+++ b/policy/modules/contrib/bacula.te
@@ -1,4 +1,4 @@
-policy_module(bacula, 1.2.2)
+policy_module(bacula, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/bcfg2.te b/policy/modules/contrib/bcfg2.te
index 8709020..d723140 100644
--- a/policy/modules/contrib/bcfg2.te
+++ b/policy/modules/contrib/bcfg2.te
@@ -1,4 +1,4 @@
-policy_module(bcfg2, 1.1.1)
+policy_module(bcfg2, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index dd8f70d..6991aeb 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.15.2)
+policy_module(bind, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/bird.te b/policy/modules/contrib/bird.te
index 2f6c545..eac303e 100644
--- a/policy/modules/contrib/bird.te
+++ b/policy/modules/contrib/bird.te
@@ -1,4 +1,4 @@
-policy_module(bird, 1.1.1)
+policy_module(bird, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/bitlbee.te b/policy/modules/contrib/bitlbee.te
index 45d8a4b..8f95e0c 100644
--- a/policy/modules/contrib/bitlbee.te
+++ b/policy/modules/contrib/bitlbee.te
@@ -1,4 +1,4 @@
-policy_module(bitlbee, 1.5.1)
+policy_module(bitlbee, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/bluetooth.te b/policy/modules/contrib/bluetooth.te
index 0c99cd9..f44a616 100644
--- a/policy/modules/contrib/bluetooth.te
+++ b/policy/modules/contrib/bluetooth.te
@@ -1,4 +1,4 @@
-policy_module(bluetooth, 3.5.2)
+policy_module(bluetooth, 3.6.0)
########################################
#
diff --git a/policy/modules/contrib/boinc.te b/policy/modules/contrib/boinc.te
index 4ada99d..c24cb7b 100644
--- a/policy/modules/contrib/boinc.te
+++ b/policy/modules/contrib/boinc.te
@@ -1,4 +1,4 @@
-policy_module(boinc, 1.2.1)
+policy_module(boinc, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/cachefilesd.te b/policy/modules/contrib/cachefilesd.te
index 4e5a1a1..cf07bb4 100644
--- a/policy/modules/contrib/cachefilesd.te
+++ b/policy/modules/contrib/cachefilesd.te
@@ -1,4 +1,4 @@
-policy_module(cachefilesd, 1.1.3)
+policy_module(cachefilesd, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/callweaver.te b/policy/modules/contrib/callweaver.te
index 9218e45..93486b9 100644
--- a/policy/modules/contrib/callweaver.te
+++ b/policy/modules/contrib/callweaver.te
@@ -1,4 +1,4 @@
-policy_module(callweaver, 1.1.1)
+policy_module(callweaver, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/canna.te b/policy/modules/contrib/canna.te
index 9ee10b6..a35f192 100644
--- a/policy/modules/contrib/canna.te
+++ b/policy/modules/contrib/canna.te
@@ -1,4 +1,4 @@
-policy_module(canna, 1.12.1)
+policy_module(canna, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/ccs.te b/policy/modules/contrib/ccs.te
index 88cc4ad..1d02e63 100644
--- a/policy/modules/contrib/ccs.te
+++ b/policy/modules/contrib/ccs.te
@@ -1,4 +1,4 @@
-policy_module(ccs, 1.8.1)
+policy_module(ccs, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/certmaster.te b/policy/modules/contrib/certmaster.te
index 5ab985b..79b8ffc 100644
--- a/policy/modules/contrib/certmaster.te
+++ b/policy/modules/contrib/certmaster.te
@@ -1,4 +1,4 @@
-policy_module(certmaster, 1.3.1)
+policy_module(certmaster, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/certmonger.te b/policy/modules/contrib/certmonger.te
index 2d5ecbc..7c3126e 100644
--- a/policy/modules/contrib/certmonger.te
+++ b/policy/modules/contrib/certmonger.te
@@ -1,4 +1,4 @@
-policy_module(certmonger, 1.2.1)
+policy_module(certmonger, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/cfengine.te b/policy/modules/contrib/cfengine.te
index 2fff324..c888ff2 100644
--- a/policy/modules/contrib/cfengine.te
+++ b/policy/modules/contrib/cfengine.te
@@ -1,4 +1,4 @@
-policy_module(cfengine, 1.1.1)
+policy_module(cfengine, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/cgroup.te b/policy/modules/contrib/cgroup.te
index 82c0c0c..d96a8f6 100644
--- a/policy/modules/contrib/cgroup.te
+++ b/policy/modules/contrib/cgroup.te
@@ -1,4 +1,4 @@
-policy_module(cgroup, 1.2.1)
+policy_module(cgroup, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index c0d266e..845b9c4 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -1,4 +1,4 @@
-policy_module(chronyd, 1.2.2)
+policy_module(chronyd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/cipe.te b/policy/modules/contrib/cipe.te
index 76c1954..e2a5c13 100644
--- a/policy/modules/contrib/cipe.te
+++ b/policy/modules/contrib/cipe.te
@@ -1,4 +1,4 @@
-policy_module(cipe, 1.6.1)
+policy_module(cipe, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/clamav.te b/policy/modules/contrib/clamav.te
index cdb3492..c157b65 100644
--- a/policy/modules/contrib/clamav.te
+++ b/policy/modules/contrib/clamav.te
@@ -1,4 +1,4 @@
-policy_module(clamav, 1.11.1)
+policy_module(clamav, 1.12.0)
## <desc>
## <p>
diff --git a/policy/modules/contrib/cmirrord.te b/policy/modules/contrib/cmirrord.te
index 45bdca7..6caace1 100644
--- a/policy/modules/contrib/cmirrord.te
+++ b/policy/modules/contrib/cmirrord.te
@@ -1,4 +1,4 @@
-policy_module(cmirrord, 1.1.1)
+policy_module(cmirrord, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/cobbler.te b/policy/modules/contrib/cobbler.te
index e81dcc4..6177ef4 100644
--- a/policy/modules/contrib/cobbler.te
+++ b/policy/modules/contrib/cobbler.te
@@ -1,4 +1,4 @@
-policy_module(cobbler, 1.2.1)
+policy_module(cobbler, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/collectd.te b/policy/modules/contrib/collectd.te
index 07fb350..0dfb1c5 100644
--- a/policy/modules/contrib/collectd.te
+++ b/policy/modules/contrib/collectd.te
@@ -1,4 +1,4 @@
-policy_module(collectd, 1.0.1)
+policy_module(collectd, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/condor.te b/policy/modules/contrib/condor.te
index 7b0092e..c642e06 100644
--- a/policy/modules/contrib/condor.te
+++ b/policy/modules/contrib/condor.te
@@ -1,4 +1,4 @@
-policy_module(condor, 1.2.1)
+policy_module(condor, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/corosync.te b/policy/modules/contrib/corosync.te
index fa18d76..7ee058f 100644
--- a/policy/modules/contrib/corosync.te
+++ b/policy/modules/contrib/corosync.te
@@ -1,4 +1,4 @@
-policy_module(corosync, 1.1.1)
+policy_module(corosync, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/couchdb.te b/policy/modules/contrib/couchdb.te
index cd5f079..c0f68c2 100644
--- a/policy/modules/contrib/couchdb.te
+++ b/policy/modules/contrib/couchdb.te
@@ -1,4 +1,4 @@
-policy_module(couchdb, 1.3.1)
+policy_module(couchdb, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index dd23992..3db053f 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -1,4 +1,4 @@
-policy_module(courier, 1.14.1)
+policy_module(courier, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index d22885f..523b8cb 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.8.1)
+policy_module(cron, 2.9.0)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/contrib/ctdb.te b/policy/modules/contrib/ctdb.te
index d1fad83..e4cc9dc 100644
--- a/policy/modules/contrib/ctdb.te
+++ b/policy/modules/contrib/ctdb.te
@@ -1,4 +1,4 @@
-policy_module(ctdb, 1.2.1)
+policy_module(ctdb, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index b5ff529..1edccbe 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.18.2)
+policy_module(cups, 1.19.0)
########################################
#
diff --git a/policy/modules/contrib/cvs.te b/policy/modules/contrib/cvs.te
index 47a4822..6b8f836 100644
--- a/policy/modules/contrib/cvs.te
+++ b/policy/modules/contrib/cvs.te
@@ -1,4 +1,4 @@
-policy_module(cvs, 1.11.1)
+policy_module(cvs, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/cyphesis.te b/policy/modules/contrib/cyphesis.te
index 956a7ab..0262cf1 100644
--- a/policy/modules/contrib/cyphesis.te
+++ b/policy/modules/contrib/cyphesis.te
@@ -1,4 +1,4 @@
-policy_module(cyphesis, 1.3.1)
+policy_module(cyphesis, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te
index c43ee11..9707c7e 100644
--- a/policy/modules/contrib/cyrus.te
+++ b/policy/modules/contrib/cyrus.te
@@ -1,4 +1,4 @@
-policy_module(cyrus, 1.14.1)
+policy_module(cyrus, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/dante.te b/policy/modules/contrib/dante.te
index 4c86835..67c9ad7 100644
--- a/policy/modules/contrib/dante.te
+++ b/policy/modules/contrib/dante.te
@@ -1,4 +1,4 @@
-policy_module(dante, 1.9.1)
+policy_module(dante, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 7677478..0f1d8a7 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.20.2)
+policy_module(dbus, 1.21.0)
gen_require(`
class dbus all_dbus_perms;
diff --git a/policy/modules/contrib/ddclient.te b/policy/modules/contrib/ddclient.te
index b4fc53f..396b3fb 100644
--- a/policy/modules/contrib/ddclient.te
+++ b/policy/modules/contrib/ddclient.te
@@ -1,4 +1,4 @@
-policy_module(ddclient, 1.10.1)
+policy_module(ddclient, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/denyhosts.te b/policy/modules/contrib/denyhosts.te
index 9d3ca70..342e623 100644
--- a/policy/modules/contrib/denyhosts.te
+++ b/policy/modules/contrib/denyhosts.te
@@ -1,4 +1,4 @@
-policy_module(denyhosts, 1.1.1)
+policy_module(denyhosts, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/dhcp.te b/policy/modules/contrib/dhcp.te
index c7d00ed..2d64a81 100644
--- a/policy/modules/contrib/dhcp.te
+++ b/policy/modules/contrib/dhcp.te
@@ -1,4 +1,4 @@
-policy_module(dhcp, 1.11.1)
+policy_module(dhcp, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/dictd.te b/policy/modules/contrib/dictd.te
index 15582e2..f475605 100644
--- a/policy/modules/contrib/dictd.te
+++ b/policy/modules/contrib/dictd.te
@@ -1,4 +1,4 @@
-policy_module(dictd, 1.8.1)
+policy_module(dictd, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te
index d0d9241..7f03616 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -1,4 +1,4 @@
-policy_module(dirmngr, 1.0.1)
+policy_module(dirmngr, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/distcc.te b/policy/modules/contrib/distcc.te
index 2378d0c..44c3eed 100644
--- a/policy/modules/contrib/distcc.te
+++ b/policy/modules/contrib/distcc.te
@@ -1,4 +1,4 @@
-policy_module(distcc, 1.10.1)
+policy_module(distcc, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/dkim.te b/policy/modules/contrib/dkim.te
index 925ca6f..e2e44eb 100644
--- a/policy/modules/contrib/dkim.te
+++ b/policy/modules/contrib/dkim.te
@@ -1,4 +1,4 @@
-policy_module(dkim, 1.3.1)
+policy_module(dkim, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index 601831b..5a9f0fe 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -1,4 +1,4 @@
-policy_module(dnsmasq, 1.12.4)
+policy_module(dnsmasq, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/dnssectrigger.te b/policy/modules/contrib/dnssectrigger.te
index 181540f..c0e01a5 100644
--- a/policy/modules/contrib/dnssectrigger.te
+++ b/policy/modules/contrib/dnssectrigger.te
@@ -1,4 +1,4 @@
-policy_module(dnssectrigger, 1.1.1)
+policy_module(dnssectrigger, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
index 8e6b35e..19e32af 100644
--- a/policy/modules/contrib/dovecot.te
+++ b/policy/modules/contrib/dovecot.te
@@ -1,4 +1,4 @@
-policy_module(dovecot, 1.17.1)
+policy_module(dovecot, 1.18.0)
########################################
#
diff --git a/policy/modules/contrib/drbd.te b/policy/modules/contrib/drbd.te
index d89520c..0d8ed27 100644
--- a/policy/modules/contrib/drbd.te
+++ b/policy/modules/contrib/drbd.te
@@ -1,4 +1,4 @@
-policy_module(drbd, 1.1.1)
+policy_module(drbd, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/dspam.te b/policy/modules/contrib/dspam.te
index 0a36018..4259fbc 100644
--- a/policy/modules/contrib/dspam.te
+++ b/policy/modules/contrib/dspam.te
@@ -1,4 +1,4 @@
-policy_module(dspam, 1.1.1)
+policy_module(dspam, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/entropyd.te b/policy/modules/contrib/entropyd.te
index 2f71ed6..e82f4f5 100644
--- a/policy/modules/contrib/entropyd.te
+++ b/policy/modules/contrib/entropyd.te
@@ -1,4 +1,4 @@
-policy_module(entropyd, 1.8.1)
+policy_module(entropyd, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
index b3c7066..ce4336d 100644
--- a/policy/modules/contrib/exim.te
+++ b/policy/modules/contrib/exim.te
@@ -1,4 +1,4 @@
-policy_module(exim, 1.8.1)
+policy_module(exim, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/fail2ban.te b/policy/modules/contrib/fail2ban.te
index bc6bd8e..5654c4e 100644
--- a/policy/modules/contrib/fail2ban.te
+++ b/policy/modules/contrib/fail2ban.te
@@ -1,4 +1,4 @@
-policy_module(fail2ban, 1.5.1)
+policy_module(fail2ban, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/fcoe.te b/policy/modules/contrib/fcoe.te
index 9719a51..384ac0e 100644
--- a/policy/modules/contrib/fcoe.te
+++ b/policy/modules/contrib/fcoe.te
@@ -1,4 +1,4 @@
-policy_module(fcoe, 1.1.1)
+policy_module(fcoe, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/fetchmail.te b/policy/modules/contrib/fetchmail.te
index 0c1c51a..580548d 100644
--- a/policy/modules/contrib/fetchmail.te
+++ b/policy/modules/contrib/fetchmail.te
@@ -1,4 +1,4 @@
-policy_module(fetchmail, 1.14.1)
+policy_module(fetchmail, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
index 781295c..742a951 100644
--- a/policy/modules/contrib/firewalld.te
+++ b/policy/modules/contrib/firewalld.te
@@ -1,4 +1,4 @@
-policy_module(firewalld, 1.2.1)
+policy_module(firewalld, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
index 7a1ec37..774bc9e 100644
--- a/policy/modules/contrib/ftp.te
+++ b/policy/modules/contrib/ftp.te
@@ -1,4 +1,4 @@
-policy_module(ftp, 1.17.1)
+policy_module(ftp, 1.18.0)
########################################
#
diff --git a/policy/modules/contrib/gatekeeper.te b/policy/modules/contrib/gatekeeper.te
index 25093fd..ad84ce6 100644
--- a/policy/modules/contrib/gatekeeper.te
+++ b/policy/modules/contrib/gatekeeper.te
@@ -1,4 +1,4 @@
-policy_module(gatekeeper, 1.8.1)
+policy_module(gatekeeper, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/gdomap.te b/policy/modules/contrib/gdomap.te
index 2f2df8c..1e6bd25 100644
--- a/policy/modules/contrib/gdomap.te
+++ b/policy/modules/contrib/gdomap.te
@@ -1,4 +1,4 @@
-policy_module(gdomap, 1.1.1)
+policy_module(gdomap, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/git.te b/policy/modules/contrib/git.te
index 27e68f3..45b25f0 100644
--- a/policy/modules/contrib/git.te
+++ b/policy/modules/contrib/git.te
@@ -1,4 +1,4 @@
-policy_module(git, 1.5.2)
+policy_module(git, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/glance.te b/policy/modules/contrib/glance.te
index 7bfd3a8..75d7ef2 100644
--- a/policy/modules/contrib/glance.te
+++ b/policy/modules/contrib/glance.te
@@ -1,4 +1,4 @@
-policy_module(glance, 1.1.1)
+policy_module(glance, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/glusterfs.te b/policy/modules/contrib/glusterfs.te
index 49e52ce..5584606 100644
--- a/policy/modules/contrib/glusterfs.te
+++ b/policy/modules/contrib/glusterfs.te
@@ -1,4 +1,4 @@
-policy_module(glusterfs, 1.2.1)
+policy_module(glusterfs, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/gpm.te b/policy/modules/contrib/gpm.te
index ef16279..ebd73b3 100644
--- a/policy/modules/contrib/gpm.te
+++ b/policy/modules/contrib/gpm.te
@@ -1,4 +1,4 @@
-policy_module(gpm, 1.9.1)
+policy_module(gpm, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/gpsd.te b/policy/modules/contrib/gpsd.te
index d57a144..d925ff1 100644
--- a/policy/modules/contrib/gpsd.te
+++ b/policy/modules/contrib/gpsd.te
@@ -1,4 +1,4 @@
-policy_module(gpsd, 1.2.1)
+policy_module(gpsd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/hadoop.te b/policy/modules/contrib/hadoop.te
index b9ffe96..d98fd27 100644
--- a/policy/modules/contrib/hadoop.te
+++ b/policy/modules/contrib/hadoop.te
@@ -1,4 +1,4 @@
-policy_module(hadoop, 1.3.3)
+policy_module(hadoop, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/hddtemp.te b/policy/modules/contrib/hddtemp.te
index 23f5a54..90b148e 100644
--- a/policy/modules/contrib/hddtemp.te
+++ b/policy/modules/contrib/hddtemp.te
@@ -1,4 +1,4 @@
-policy_module(hddtemp, 1.2.1)
+policy_module(hddtemp, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/howl.te b/policy/modules/contrib/howl.te
index 626a92c..f1023b3 100644
--- a/policy/modules/contrib/howl.te
+++ b/policy/modules/contrib/howl.te
@@ -1,4 +1,4 @@
-policy_module(howl, 1.10.1)
+policy_module(howl, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/hypervkvp.te b/policy/modules/contrib/hypervkvp.te
index 1359b2a..5f3e48d 100644
--- a/policy/modules/contrib/hypervkvp.te
+++ b/policy/modules/contrib/hypervkvp.te
@@ -1,4 +1,4 @@
-policy_module(hypervkvp, 1.0.1)
+policy_module(hypervkvp, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/i18n_input.te b/policy/modules/contrib/i18n_input.te
index 069305c..3c8bd53 100644
--- a/policy/modules/contrib/i18n_input.te
+++ b/policy/modules/contrib/i18n_input.te
@@ -1,4 +1,4 @@
-policy_module(i18n_input, 1.9.1)
+policy_module(i18n_input, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/icecast.te b/policy/modules/contrib/icecast.te
index b44b952..13ed013 100644
--- a/policy/modules/contrib/icecast.te
+++ b/policy/modules/contrib/icecast.te
@@ -1,4 +1,4 @@
-policy_module(icecast, 1.2.1)
+policy_module(icecast, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/ifplugd.te b/policy/modules/contrib/ifplugd.te
index 8154360..85ce6de 100644
--- a/policy/modules/contrib/ifplugd.te
+++ b/policy/modules/contrib/ifplugd.te
@@ -1,4 +1,4 @@
-policy_module(ifplugd, 1.1.1)
+policy_module(ifplugd, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/inn.te b/policy/modules/contrib/inn.te
index bf33eb4..c32275e 100644
--- a/policy/modules/contrib/inn.te
+++ b/policy/modules/contrib/inn.te
@@ -1,4 +1,4 @@
-policy_module(inn, 1.11.1)
+policy_module(inn, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/iodine.te b/policy/modules/contrib/iodine.te
index 61572da..6eb8409 100644
--- a/policy/modules/contrib/iodine.te
+++ b/policy/modules/contrib/iodine.te
@@ -1,4 +1,4 @@
-policy_module(iodine, 1.1.1)
+policy_module(iodine, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/ircd.te b/policy/modules/contrib/ircd.te
index 1682d5c..3f1f63e 100644
--- a/policy/modules/contrib/ircd.te
+++ b/policy/modules/contrib/ircd.te
@@ -1,4 +1,4 @@
-policy_module(ircd, 1.8.1)
+policy_module(ircd, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/irqbalance.te b/policy/modules/contrib/irqbalance.te
index 089e6d7..414ad21 100644
--- a/policy/modules/contrib/irqbalance.te
+++ b/policy/modules/contrib/irqbalance.te
@@ -1,4 +1,4 @@
-policy_module(irqbalance, 1.7.1)
+policy_module(irqbalance, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/iscsi.te b/policy/modules/contrib/iscsi.te
index 502a1bb..60b95c2 100644
--- a/policy/modules/contrib/iscsi.te
+++ b/policy/modules/contrib/iscsi.te
@@ -1,4 +1,4 @@
-policy_module(iscsi, 1.9.2)
+policy_module(iscsi, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/isns.te b/policy/modules/contrib/isns.te
index 5b82de7..ede3c05 100644
--- a/policy/modules/contrib/isns.te
+++ b/policy/modules/contrib/isns.te
@@ -1,4 +1,4 @@
-policy_module(isns, 1.0.1)
+policy_module(isns, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/jabber.te b/policy/modules/contrib/jabber.te
index 8f71642..cdca29d 100644
--- a/policy/modules/contrib/jabber.te
+++ b/policy/modules/contrib/jabber.te
@@ -1,4 +1,4 @@
-policy_module(jabber, 1.10.1)
+policy_module(jabber, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te
index fb31bbf..3749ddf 100644
--- a/policy/modules/contrib/kdump.te
+++ b/policy/modules/contrib/kdump.te
@@ -1,4 +1,4 @@
-policy_module(kdump, 1.3.2)
+policy_module(kdump, 1.4.0)
#######################################
#
diff --git a/policy/modules/contrib/kerberos.te b/policy/modules/contrib/kerberos.te
index 43df956..38532d3 100644
--- a/policy/modules/contrib/kerberos.te
+++ b/policy/modules/contrib/kerberos.te
@@ -1,4 +1,4 @@
-policy_module(kerberos, 1.13.1)
+policy_module(kerberos, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/kerneloops.te b/policy/modules/contrib/kerneloops.te
index 9360bde..f6083e5 100644
--- a/policy/modules/contrib/kerneloops.te
+++ b/policy/modules/contrib/kerneloops.te
@@ -1,4 +1,4 @@
-policy_module(kerneloops, 1.5.1)
+policy_module(kerneloops, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/keystone.te b/policy/modules/contrib/keystone.te
index b832ee1..9e051ad 100644
--- a/policy/modules/contrib/keystone.te
+++ b/policy/modules/contrib/keystone.te
@@ -1,4 +1,4 @@
-policy_module(keystone, 1.1.1)
+policy_module(keystone, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/kismet.te b/policy/modules/contrib/kismet.te
index 9b8fedf..eb4e233 100644
--- a/policy/modules/contrib/kismet.te
+++ b/policy/modules/contrib/kismet.te
@@ -1,4 +1,4 @@
-policy_module(kismet, 1.8.1)
+policy_module(kismet, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/ksmtuned.te b/policy/modules/contrib/ksmtuned.te
index a799535..c5ca5b1 100644
--- a/policy/modules/contrib/ksmtuned.te
+++ b/policy/modules/contrib/ksmtuned.te
@@ -1,4 +1,4 @@
-policy_module(ksmtuned, 1.2.1)
+policy_module(ksmtuned, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/kudzu.te b/policy/modules/contrib/kudzu.te
index 915a88a..13a3005 100644
--- a/policy/modules/contrib/kudzu.te
+++ b/policy/modules/contrib/kudzu.te
@@ -1,4 +1,4 @@
-policy_module(kudzu, 1.10.2)
+policy_module(kudzu, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/l2tp.te b/policy/modules/contrib/l2tp.te
index f1de38f..e5ebed5 100644
--- a/policy/modules/contrib/l2tp.te
+++ b/policy/modules/contrib/l2tp.te
@@ -1,4 +1,4 @@
-policy_module(l2tp, 1.1.1)
+policy_module(l2tp, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
index 1adbf03..70bc151 100644
--- a/policy/modules/contrib/ldap.te
+++ b/policy/modules/contrib/ldap.te
@@ -1,4 +1,4 @@
-policy_module(ldap, 1.12.1)
+policy_module(ldap, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/likewise.te b/policy/modules/contrib/likewise.te
index e33495b..5f5b47c 100644
--- a/policy/modules/contrib/likewise.te
+++ b/policy/modules/contrib/likewise.te
@@ -1,4 +1,4 @@
-policy_module(likewise, 1.3.1)
+policy_module(likewise, 1.4.0)
#################################
#
diff --git a/policy/modules/contrib/lircd.te b/policy/modules/contrib/lircd.te
index bfdd92e..e38c4d3 100644
--- a/policy/modules/contrib/lircd.te
+++ b/policy/modules/contrib/lircd.te
@@ -1,4 +1,4 @@
-policy_module(lircd, 1.2.2)
+policy_module(lircd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/lldpad.te b/policy/modules/contrib/lldpad.te
index 7d580f2..9e875d6 100644
--- a/policy/modules/contrib/lldpad.te
+++ b/policy/modules/contrib/lldpad.te
@@ -1,4 +1,4 @@
-policy_module(lldpad, 1.1.1)
+policy_module(lldpad, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index a256564..a1670d0 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.16.1)
+policy_module(logrotate, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/mailscanner.te b/policy/modules/contrib/mailscanner.te
index 509de59..f2f0aad 100644
--- a/policy/modules/contrib/mailscanner.te
+++ b/policy/modules/contrib/mailscanner.te
@@ -1,4 +1,4 @@
-policy_module(mailscanner, 1.1.1)
+policy_module(mailscanner, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te
index 8336559..ce0ac3c 100644
--- a/policy/modules/contrib/mandb.te
+++ b/policy/modules/contrib/mandb.te
@@ -1,4 +1,4 @@
-policy_module(mandb, 1.2.1)
+policy_module(mandb, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/mcelog.te b/policy/modules/contrib/mcelog.te
index 3fd0dc5..73b2d81 100644
--- a/policy/modules/contrib/mcelog.te
+++ b/policy/modules/contrib/mcelog.te
@@ -1,4 +1,4 @@
-policy_module(mcelog, 1.3.1)
+policy_module(mcelog, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/memcached.te b/policy/modules/contrib/memcached.te
index 54738e9..5c76e2d 100644
--- a/policy/modules/contrib/memcached.te
+++ b/policy/modules/contrib/memcached.te
@@ -1,4 +1,4 @@
-policy_module(memcached, 1.4.1)
+policy_module(memcached, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/minissdpd.te b/policy/modules/contrib/minissdpd.te
index fdfa9a0..aa0f214 100644
--- a/policy/modules/contrib/minissdpd.te
+++ b/policy/modules/contrib/minissdpd.te
@@ -1,4 +1,4 @@
-policy_module(minissdpd, 1.1.1)
+policy_module(minissdpd, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/mongodb.te b/policy/modules/contrib/mongodb.te
index 29b0ab5..cdee03c 100644
--- a/policy/modules/contrib/mongodb.te
+++ b/policy/modules/contrib/mongodb.te
@@ -1,4 +1,4 @@
-policy_module(mongodb, 1.1.1)
+policy_module(mongodb, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/monop.te b/policy/modules/contrib/monop.te
index fe78c10..e079049 100644
--- a/policy/modules/contrib/monop.te
+++ b/policy/modules/contrib/monop.te
@@ -1,4 +1,4 @@
-policy_module(monop, 1.8.1)
+policy_module(monop, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 43b5087..ac76d19 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.8.1)
+policy_module(mozilla, 2.9.0)
########################################
#
diff --git a/policy/modules/contrib/mpd.te b/policy/modules/contrib/mpd.te
index e37c363..01ded5d 100644
--- a/policy/modules/contrib/mpd.te
+++ b/policy/modules/contrib/mpd.te
@@ -1,4 +1,4 @@
-policy_module(mpd, 1.2.1)
+policy_module(mpd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/mrtg.te b/policy/modules/contrib/mrtg.te
index 1730669..f32641a 100644
--- a/policy/modules/contrib/mrtg.te
+++ b/policy/modules/contrib/mrtg.te
@@ -1,4 +1,4 @@
-policy_module(mrtg, 1.9.1)
+policy_module(mrtg, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/munin.te b/policy/modules/contrib/munin.te
index 2a8152f..e444b63 100644
--- a/policy/modules/contrib/munin.te
+++ b/policy/modules/contrib/munin.te
@@ -1,4 +1,4 @@
-policy_module(munin, 1.10.1)
+policy_module(munin, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/mysql.te b/policy/modules/contrib/mysql.te
index 60a7763..0db8319 100644
--- a/policy/modules/contrib/mysql.te
+++ b/policy/modules/contrib/mysql.te
@@ -1,4 +1,4 @@
-policy_module(mysql, 1.16.1)
+policy_module(mysql, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/nagios.te b/policy/modules/contrib/nagios.te
index dbdfbeb..b62181c 100644
--- a/policy/modules/contrib/nagios.te
+++ b/policy/modules/contrib/nagios.te
@@ -1,4 +1,4 @@
-policy_module(nagios, 1.13.1)
+policy_module(nagios, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/nessus.te b/policy/modules/contrib/nessus.te
index 13f24c1..398d408 100644
--- a/policy/modules/contrib/nessus.te
+++ b/policy/modules/contrib/nessus.te
@@ -1,4 +1,4 @@
-policy_module(nessus, 1.9.1)
+policy_module(nessus, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 83088ca..d4bcc16 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.17.3)
+policy_module(networkmanager, 1.18.0)
########################################
#
diff --git a/policy/modules/contrib/nis.te b/policy/modules/contrib/nis.te
index 6e13b92..71a2e6f 100644
--- a/policy/modules/contrib/nis.te
+++ b/policy/modules/contrib/nis.te
@@ -1,4 +1,4 @@
-policy_module(nis, 1.12.1)
+policy_module(nis, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/nscd.te b/policy/modules/contrib/nscd.te
index aee77dc..998dcdd 100644
--- a/policy/modules/contrib/nscd.te
+++ b/policy/modules/contrib/nscd.te
@@ -1,4 +1,4 @@
-policy_module(nscd, 1.12.1)
+policy_module(nscd, 1.13.0)
gen_require(`
class nscd all_nscd_perms;
diff --git a/policy/modules/contrib/nsd.te b/policy/modules/contrib/nsd.te
index 28ed38f..1f79e50 100644
--- a/policy/modules/contrib/nsd.te
+++ b/policy/modules/contrib/nsd.te
@@ -1,4 +1,4 @@
-policy_module(nsd, 1.8.1)
+policy_module(nsd, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/nslcd.te b/policy/modules/contrib/nslcd.te
index ad09d51..9b78828 100644
--- a/policy/modules/contrib/nslcd.te
+++ b/policy/modules/contrib/nslcd.te
@@ -1,4 +1,4 @@
-policy_module(nslcd, 1.5.1)
+policy_module(nslcd, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/ntop.te b/policy/modules/contrib/ntop.te
index 43171f4..e526b40 100644
--- a/policy/modules/contrib/ntop.te
+++ b/policy/modules/contrib/ntop.te
@@ -1,4 +1,4 @@
-policy_module(ntop, 1.10.1)
+policy_module(ntop, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 7af3a6d..e60149a 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.13.2)
+policy_module(ntp, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/numad.te b/policy/modules/contrib/numad.te
index cecc64a..d65d670 100644
--- a/policy/modules/contrib/numad.te
+++ b/policy/modules/contrib/numad.te
@@ -1,4 +1,4 @@
-policy_module(numad, 1.1.1)
+policy_module(numad, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/nut.te b/policy/modules/contrib/nut.te
index 1a4907d..745c6c9 100644
--- a/policy/modules/contrib/nut.te
+++ b/policy/modules/contrib/nut.te
@@ -1,4 +1,4 @@
-policy_module(nut, 1.4.1)
+policy_module(nut, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/oident.te b/policy/modules/contrib/oident.te
index e72ffea..0cf6cfe 100644
--- a/policy/modules/contrib/oident.te
+++ b/policy/modules/contrib/oident.te
@@ -1,4 +1,4 @@
-policy_module(oident, 2.3.1)
+policy_module(oident, 2.4.0)
########################################
#
diff --git a/policy/modules/contrib/openct.te b/policy/modules/contrib/openct.te
index a001328..696b86e 100644
--- a/policy/modules/contrib/openct.te
+++ b/policy/modules/contrib/openct.te
@@ -1,4 +1,4 @@
-policy_module(openct, 1.7.1)
+policy_module(openct, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/openhpi.te b/policy/modules/contrib/openhpi.te
index d0c61ba..1334924 100644
--- a/policy/modules/contrib/openhpi.te
+++ b/policy/modules/contrib/openhpi.te
@@ -1,4 +1,4 @@
-policy_module(openhpi, 1.1.1)
+policy_module(openhpi, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/openvpn.te b/policy/modules/contrib/openvpn.te
index bdb689e..fb30050 100644
--- a/policy/modules/contrib/openvpn.te
+++ b/policy/modules/contrib/openvpn.te
@@ -1,4 +1,4 @@
-policy_module(openvpn, 1.13.1)
+policy_module(openvpn, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/openvswitch.te b/policy/modules/contrib/openvswitch.te
index 84d7e60..3c3450c 100644
--- a/policy/modules/contrib/openvswitch.te
+++ b/policy/modules/contrib/openvswitch.te
@@ -1,4 +1,4 @@
-policy_module(openvswitch, 1.2.1)
+policy_module(openvswitch, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/pacemaker.te b/policy/modules/contrib/pacemaker.te
index 8db2c1f..c3b60db 100644
--- a/policy/modules/contrib/pacemaker.te
+++ b/policy/modules/contrib/pacemaker.te
@@ -1,4 +1,4 @@
-policy_module(pacemaker, 1.1.1)
+policy_module(pacemaker, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/pads.te b/policy/modules/contrib/pads.te
index 4992358..7a4d282 100644
--- a/policy/modules/contrib/pads.te
+++ b/policy/modules/contrib/pads.te
@@ -1,4 +1,4 @@
-policy_module(pads, 1.1.1)
+policy_module(pads, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
index d1cdf9f..1828900 100644
--- a/policy/modules/contrib/pcscd.te
+++ b/policy/modules/contrib/pcscd.te
@@ -1,4 +1,4 @@
-policy_module(pcscd, 1.10.2)
+policy_module(pcscd, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/pegasus.te b/policy/modules/contrib/pegasus.te
index 3e66bb7..0f4d0a7 100644
--- a/policy/modules/contrib/pegasus.te
+++ b/policy/modules/contrib/pegasus.te
@@ -1,4 +1,4 @@
-policy_module(pegasus, 1.10.1)
+policy_module(pegasus, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/perdition.te b/policy/modules/contrib/perdition.te
index 1887d96..bb1a16b 100644
--- a/policy/modules/contrib/perdition.te
+++ b/policy/modules/contrib/perdition.te
@@ -1,4 +1,4 @@
-policy_module(perdition, 1.8.1)
+policy_module(perdition, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/pingd.te b/policy/modules/contrib/pingd.te
index 5a91a3c..fbe7291 100644
--- a/policy/modules/contrib/pingd.te
+++ b/policy/modules/contrib/pingd.te
@@ -1,4 +1,4 @@
-policy_module(pingd, 1.1.1)
+policy_module(pingd, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/pkcs.te b/policy/modules/contrib/pkcs.te
index 0e583e1..2bc3060 100644
--- a/policy/modules/contrib/pkcs.te
+++ b/policy/modules/contrib/pkcs.te
@@ -1,4 +1,4 @@
-policy_module(pkcs, 1.1.1)
+policy_module(pkcs, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/plymouthd.te b/policy/modules/contrib/plymouthd.te
index c235706..635c962 100644
--- a/policy/modules/contrib/plymouthd.te
+++ b/policy/modules/contrib/plymouthd.te
@@ -1,4 +1,4 @@
-policy_module(plymouthd, 1.2.1)
+policy_module(plymouthd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index 6bb283f..50f8b6a 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -1,4 +1,4 @@
-policy_module(policykit, 1.3.1)
+policy_module(policykit, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/polipo.te b/policy/modules/contrib/polipo.te
index 5189e55..a964e1b 100644
--- a/policy/modules/contrib/polipo.te
+++ b/policy/modules/contrib/polipo.te
@@ -1,4 +1,4 @@
-policy_module(polipo, 1.2.1)
+policy_module(polipo, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/portmap.te b/policy/modules/contrib/portmap.te
index 94500e6..d498b49 100644
--- a/policy/modules/contrib/portmap.te
+++ b/policy/modules/contrib/portmap.te
@@ -1,4 +1,4 @@
-policy_module(portmap, 1.11.2)
+policy_module(portmap, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/portreserve.te b/policy/modules/contrib/portreserve.te
index 162fe08..cf075de 100644
--- a/policy/modules/contrib/portreserve.te
+++ b/policy/modules/contrib/portreserve.te
@@ -1,4 +1,4 @@
-policy_module(portreserve, 1.4.1)
+policy_module(portreserve, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 1c0e8a6..1f1a396 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -1,4 +1,4 @@
-policy_module(postfix, 1.16.1)
+policy_module(postfix, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/postfixpolicyd.te b/policy/modules/contrib/postfixpolicyd.te
index 20e9b79..7022a81 100644
--- a/policy/modules/contrib/postfixpolicyd.te
+++ b/policy/modules/contrib/postfixpolicyd.te
@@ -1,4 +1,4 @@
-policy_module(postfixpolicyd, 1.3.1)
+policy_module(postfixpolicyd, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/postgrey.te b/policy/modules/contrib/postgrey.te
index 705a5b6..59c8630 100644
--- a/policy/modules/contrib/postgrey.te
+++ b/policy/modules/contrib/postgrey.te
@@ -1,4 +1,4 @@
-policy_module(postgrey, 1.9.1)
+policy_module(postgrey, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/ppp.te b/policy/modules/contrib/ppp.te
index dc115b1..1d3079f 100644
--- a/policy/modules/contrib/ppp.te
+++ b/policy/modules/contrib/ppp.te
@@ -1,4 +1,4 @@
-policy_module(ppp, 1.14.1)
+policy_module(ppp, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/prelude.te b/policy/modules/contrib/prelude.te
index 6effe7f..69e4b2c 100644
--- a/policy/modules/contrib/prelude.te
+++ b/policy/modules/contrib/prelude.te
@@ -1,4 +1,4 @@
-policy_module(prelude, 1.5.1)
+policy_module(prelude, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/privoxy.te b/policy/modules/contrib/privoxy.te
index b2873f6..4a89c52 100644
--- a/policy/modules/contrib/privoxy.te
+++ b/policy/modules/contrib/privoxy.te
@@ -1,4 +1,4 @@
-policy_module(privoxy, 1.12.1)
+policy_module(privoxy, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/psad.te b/policy/modules/contrib/psad.te
index ee61046..f59e9b4 100644
--- a/policy/modules/contrib/psad.te
+++ b/policy/modules/contrib/psad.te
@@ -1,4 +1,4 @@
-policy_module(psad, 1.2.1)
+policy_module(psad, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 4dc75b1..9b8d84e 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.7.2)
+policy_module(pulseaudio, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/puppet.te b/policy/modules/contrib/puppet.te
index f7f95b0..5fd4c8b 100644
--- a/policy/modules/contrib/puppet.te
+++ b/policy/modules/contrib/puppet.te
@@ -1,4 +1,4 @@
-policy_module(puppet, 1.5.1)
+policy_module(puppet, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/pxe.te b/policy/modules/contrib/pxe.te
index d3b0e6d..d82cf03 100644
--- a/policy/modules/contrib/pxe.te
+++ b/policy/modules/contrib/pxe.te
@@ -1,4 +1,4 @@
-policy_module(pxe, 1.5.1)
+policy_module(pxe, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/pyicqt.te b/policy/modules/contrib/pyicqt.te
index 45cccaf..aa74d38 100644
--- a/policy/modules/contrib/pyicqt.te
+++ b/policy/modules/contrib/pyicqt.te
@@ -1,4 +1,4 @@
-policy_module(pyicqt, 1.1.1)
+policy_module(pyicqt, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/pyzor.te b/policy/modules/contrib/pyzor.te
index 8462ee0..2a8772a 100644
--- a/policy/modules/contrib/pyzor.te
+++ b/policy/modules/contrib/pyzor.te
@@ -1,4 +1,4 @@
-policy_module(pyzor, 2.4.1)
+policy_module(pyzor, 2.5.0)
########################################
#
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index 9714860..9dc0997 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -1,4 +1,4 @@
-policy_module(qemu, 1.8.1)
+policy_module(qemu, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/qpid.te b/policy/modules/contrib/qpid.te
index 0ecfe15..fc4de2f 100644
--- a/policy/modules/contrib/qpid.te
+++ b/policy/modules/contrib/qpid.te
@@ -1,4 +1,4 @@
-policy_module(qpid, 1.1.1)
+policy_module(qpid, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/quantum.te b/policy/modules/contrib/quantum.te
index 32c1379..f4d304a 100644
--- a/policy/modules/contrib/quantum.te
+++ b/policy/modules/contrib/quantum.te
@@ -1,4 +1,4 @@
-policy_module(quantum, 1.1.1)
+policy_module(quantum, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/quota.te b/policy/modules/contrib/quota.te
index 45d9ca7..4847589 100644
--- a/policy/modules/contrib/quota.te
+++ b/policy/modules/contrib/quota.te
@@ -1,4 +1,4 @@
-policy_module(quota, 1.7.2)
+policy_module(quota, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/rabbitmq.te b/policy/modules/contrib/rabbitmq.te
index 5bdde4c..326a811 100644
--- a/policy/modules/contrib/rabbitmq.te
+++ b/policy/modules/contrib/rabbitmq.te
@@ -1,4 +1,4 @@
-policy_module(rabbitmq, 1.1.1)
+policy_module(rabbitmq, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/radius.te b/policy/modules/contrib/radius.te
index 52c05da..1239a2e 100644
--- a/policy/modules/contrib/radius.te
+++ b/policy/modules/contrib/radius.te
@@ -1,4 +1,4 @@
-policy_module(radius, 1.13.2)
+policy_module(radius, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/radvd.te b/policy/modules/contrib/radvd.te
index 76bba12..6cf0944 100644
--- a/policy/modules/contrib/radvd.te
+++ b/policy/modules/contrib/radvd.te
@@ -1,4 +1,4 @@
-policy_module(radvd, 1.14.1)
+policy_module(radvd, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
index f561fdd..f4b2b38 100644
--- a/policy/modules/contrib/raid.te
+++ b/policy/modules/contrib/raid.te
@@ -1,4 +1,4 @@
-policy_module(raid, 1.14.3)
+policy_module(raid, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/redis.te b/policy/modules/contrib/redis.te
index bf6e4e9..c116691 100644
--- a/policy/modules/contrib/redis.te
+++ b/policy/modules/contrib/redis.te
@@ -1,4 +1,4 @@
-policy_module(redis, 1.1.1)
+policy_module(redis, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/resmgr.te b/policy/modules/contrib/resmgr.te
index a5b9878..6fb9a23 100644
--- a/policy/modules/contrib/resmgr.te
+++ b/policy/modules/contrib/resmgr.te
@@ -1,4 +1,4 @@
-policy_module(resmgr, 1.3.1)
+policy_module(resmgr, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/rgmanager.te b/policy/modules/contrib/rgmanager.te
index 4ef5d59..0cf43ec 100644
--- a/policy/modules/contrib/rgmanager.te
+++ b/policy/modules/contrib/rgmanager.te
@@ -1,4 +1,4 @@
-policy_module(rgmanager, 1.4.1)
+policy_module(rgmanager, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/rhcs.te b/policy/modules/contrib/rhcs.te
index ef7c72b..90a19c9 100644
--- a/policy/modules/contrib/rhcs.te
+++ b/policy/modules/contrib/rhcs.te
@@ -1,4 +1,4 @@
-policy_module(rhcs, 1.4.1)
+policy_module(rhcs, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/rhsmcertd.te b/policy/modules/contrib/rhsmcertd.te
index 3fb1e18..8371a2c 100644
--- a/policy/modules/contrib/rhsmcertd.te
+++ b/policy/modules/contrib/rhsmcertd.te
@@ -1,4 +1,4 @@
-policy_module(rhsmcertd, 1.2.1)
+policy_module(rhsmcertd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/ricci.te b/policy/modules/contrib/ricci.te
index dd763c4..cc0514f 100644
--- a/policy/modules/contrib/ricci.te
+++ b/policy/modules/contrib/ricci.te
@@ -1,4 +1,4 @@
-policy_module(ricci, 1.8.1)
+policy_module(ricci, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/rngd.te b/policy/modules/contrib/rngd.te
index 17b9504..5f97a72 100644
--- a/policy/modules/contrib/rngd.te
+++ b/policy/modules/contrib/rngd.te
@@ -1,4 +1,4 @@
-policy_module(rngd, 1.2.1)
+policy_module(rngd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/roundup.te b/policy/modules/contrib/roundup.te
index 11a013f..015c344 100644
--- a/policy/modules/contrib/roundup.te
+++ b/policy/modules/contrib/roundup.te
@@ -1,4 +1,4 @@
-policy_module(roundup, 1.8.1)
+policy_module(roundup, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index a150dc2..8849e92 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.16.2)
+policy_module(rpc, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index 8c3575c..9ba71b5 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.8.3)
+policy_module(rpcbind, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 3da1c61..3b786b8 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -1,4 +1,4 @@
-policy_module(rpm, 1.17.3)
+policy_module(rpm, 1.18.0)
########################################
#
diff --git a/policy/modules/contrib/rsync.te b/policy/modules/contrib/rsync.te
index eae1b4c..1599d93 100644
--- a/policy/modules/contrib/rsync.te
+++ b/policy/modules/contrib/rsync.te
@@ -1,4 +1,4 @@
-policy_module(rsync, 1.13.1)
+policy_module(rsync, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/rtkit.te b/policy/modules/contrib/rtkit.te
index e9baab6..d6390c7 100644
--- a/policy/modules/contrib/rtkit.te
+++ b/policy/modules/contrib/rtkit.te
@@ -1,4 +1,4 @@
-policy_module(rtkit, 1.2.2)
+policy_module(rtkit, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/rwho.te b/policy/modules/contrib/rwho.te
index 24a685a..0cd90ac 100644
--- a/policy/modules/contrib/rwho.te
+++ b/policy/modules/contrib/rwho.te
@@ -1,4 +1,4 @@
-policy_module(rwho, 1.7.1)
+policy_module(rwho, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 45f2b36..f6e9be3 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1,4 +1,4 @@
-policy_module(samba, 1.17.2)
+policy_module(samba, 1.18.0)
#################################
#
diff --git a/policy/modules/contrib/samhain.te b/policy/modules/contrib/samhain.te
index f2e4eaf..ac6a0f0 100644
--- a/policy/modules/contrib/samhain.te
+++ b/policy/modules/contrib/samhain.te
@@ -1,4 +1,4 @@
-policy_module(samhain, 1.2.2)
+policy_module(samhain, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/sanlock.te b/policy/modules/contrib/sanlock.te
index af72f44..c05edec 100644
--- a/policy/modules/contrib/sanlock.te
+++ b/policy/modules/contrib/sanlock.te
@@ -1,4 +1,4 @@
-policy_module(sanlock, 1.1.1)
+policy_module(sanlock, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/sasl.te b/policy/modules/contrib/sasl.te
index d1028b7..d4b3a35 100644
--- a/policy/modules/contrib/sasl.te
+++ b/policy/modules/contrib/sasl.te
@@ -1,4 +1,4 @@
-policy_module(sasl, 1.16.1)
+policy_module(sasl, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/sblim.te b/policy/modules/contrib/sblim.te
index 0834784..04c5f61 100644
--- a/policy/modules/contrib/sblim.te
+++ b/policy/modules/contrib/sblim.te
@@ -1,4 +1,4 @@
-policy_module(sblim, 1.1.1)
+policy_module(sblim, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te
index 52a6efa..04aa439 100644
--- a/policy/modules/contrib/sendmail.te
+++ b/policy/modules/contrib/sendmail.te
@@ -1,4 +1,4 @@
-policy_module(sendmail, 1.13.1)
+policy_module(sendmail, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/sensord.te b/policy/modules/contrib/sensord.te
index f9bed73..bc97a09 100644
--- a/policy/modules/contrib/sensord.te
+++ b/policy/modules/contrib/sensord.te
@@ -1,4 +1,4 @@
-policy_module(sensord, 1.0.1)
+policy_module(sensord, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/shorewall.te b/policy/modules/contrib/shorewall.te
index 107bd15..d82e7a2 100644
--- a/policy/modules/contrib/shorewall.te
+++ b/policy/modules/contrib/shorewall.te
@@ -1,4 +1,4 @@
-policy_module(shorewall, 1.4.1)
+policy_module(shorewall, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/shutdown.te b/policy/modules/contrib/shutdown.te
index 88a1436..d8b655b 100644
--- a/policy/modules/contrib/shutdown.te
+++ b/policy/modules/contrib/shutdown.te
@@ -1,4 +1,4 @@
-policy_module(shutdown, 1.2.1)
+policy_module(shutdown, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/slpd.te b/policy/modules/contrib/slpd.te
index 65a999d..a5f6fa5 100644
--- a/policy/modules/contrib/slpd.te
+++ b/policy/modules/contrib/slpd.te
@@ -1,4 +1,4 @@
-policy_module(slpd, 1.1.1)
+policy_module(slpd, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/smartmon.te b/policy/modules/contrib/smartmon.te
index e29affa..3792501 100644
--- a/policy/modules/contrib/smartmon.te
+++ b/policy/modules/contrib/smartmon.te
@@ -1,4 +1,4 @@
-policy_module(smartmon, 1.12.1)
+policy_module(smartmon, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/smokeping.te b/policy/modules/contrib/smokeping.te
index b2dafb4..b64ddfe 100644
--- a/policy/modules/contrib/smokeping.te
+++ b/policy/modules/contrib/smokeping.te
@@ -1,4 +1,4 @@
-policy_module(smokeping, 1.2.1)
+policy_module(smokeping, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/smstools.te b/policy/modules/contrib/smstools.te
index 1edf97d..6dbacf4 100644
--- a/policy/modules/contrib/smstools.te
+++ b/policy/modules/contrib/smstools.te
@@ -1,4 +1,4 @@
-policy_module(smstools, 1.0.1)
+policy_module(smstools, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/snmp.te b/policy/modules/contrib/snmp.te
index afa86ff..3f20eba 100644
--- a/policy/modules/contrib/snmp.te
+++ b/policy/modules/contrib/snmp.te
@@ -1,4 +1,4 @@
-policy_module(snmp, 1.14.2)
+policy_module(snmp, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/snort.te b/policy/modules/contrib/snort.te
index 2cc5761..c4d6a4a 100644
--- a/policy/modules/contrib/snort.te
+++ b/policy/modules/contrib/snort.te
@@ -1,4 +1,4 @@
-policy_module(snort, 1.12.1)
+policy_module(snort, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/soundserver.te b/policy/modules/contrib/soundserver.te
index b9d3104..29c9659 100644
--- a/policy/modules/contrib/soundserver.te
+++ b/policy/modules/contrib/soundserver.te
@@ -1,4 +1,4 @@
-policy_module(soundserver, 1.9.1)
+policy_module(soundserver, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
index 22c3fd4..06ce8b7 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -1,4 +1,4 @@
-policy_module(spamassassin, 2.8.1)
+policy_module(spamassassin, 2.9.0)
########################################
#
diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
index deb497a..950ade1 100644
--- a/policy/modules/contrib/squid.te
+++ b/policy/modules/contrib/squid.te
@@ -1,4 +1,4 @@
-policy_module(squid, 1.13.1)
+policy_module(squid, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
index 17218c2..1c28648 100644
--- a/policy/modules/contrib/sssd.te
+++ b/policy/modules/contrib/sssd.te
@@ -1,4 +1,4 @@
-policy_module(sssd, 1.2.1)
+policy_module(sssd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/svnserve.te b/policy/modules/contrib/svnserve.te
index 48e5704..f949c32 100644
--- a/policy/modules/contrib/svnserve.te
+++ b/policy/modules/contrib/svnserve.te
@@ -1,4 +1,4 @@
-policy_module(svnserve, 1.2.1)
+policy_module(svnserve, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/sysstat.te b/policy/modules/contrib/sysstat.te
index c4af8d9..ac249ac 100644
--- a/policy/modules/contrib/sysstat.te
+++ b/policy/modules/contrib/sysstat.te
@@ -1,4 +1,4 @@
-policy_module(sysstat, 1.8.1)
+policy_module(sysstat, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/systemtap.te b/policy/modules/contrib/systemtap.te
index b368f33..1b2eef3 100644
--- a/policy/modules/contrib/systemtap.te
+++ b/policy/modules/contrib/systemtap.te
@@ -1,4 +1,4 @@
-policy_module(systemtap, 1.2.1)
+policy_module(systemtap, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/tcsd.te b/policy/modules/contrib/tcsd.te
index 6c56bba..ca98bf8 100644
--- a/policy/modules/contrib/tcsd.te
+++ b/policy/modules/contrib/tcsd.te
@@ -1,4 +1,4 @@
-policy_module(tcsd, 1.2.2)
+policy_module(tcsd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/tgtd.te b/policy/modules/contrib/tgtd.te
index ecd3bfb..d2d964f 100644
--- a/policy/modules/contrib/tgtd.te
+++ b/policy/modules/contrib/tgtd.te
@@ -1,4 +1,4 @@
-policy_module(tgtd, 1.4.1)
+policy_module(tgtd, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
index 519f9bf..418eb29 100644
--- a/policy/modules/contrib/tor.te
+++ b/policy/modules/contrib/tor.te
@@ -1,4 +1,4 @@
-policy_module(tor, 1.10.1)
+policy_module(tor, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/transproxy.te b/policy/modules/contrib/transproxy.te
index 44dc6c0..a32a869 100644
--- a/policy/modules/contrib/transproxy.te
+++ b/policy/modules/contrib/transproxy.te
@@ -1,4 +1,4 @@
-policy_module(transproxy, 1.8.1)
+policy_module(transproxy, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/tuned.te b/policy/modules/contrib/tuned.te
index 5b16bda..5431724 100644
--- a/policy/modules/contrib/tuned.te
+++ b/policy/modules/contrib/tuned.te
@@ -1,4 +1,4 @@
-policy_module(tuned, 1.2.1)
+policy_module(tuned, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/ulogd.te b/policy/modules/contrib/ulogd.te
index e244c11..6c3a3ea 100644
--- a/policy/modules/contrib/ulogd.te
+++ b/policy/modules/contrib/ulogd.te
@@ -1,4 +1,4 @@
-policy_module(ulogd, 1.3.1)
+policy_module(ulogd, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/uptime.te b/policy/modules/contrib/uptime.te
index c0fe79b..8658f9a 100644
--- a/policy/modules/contrib/uptime.te
+++ b/policy/modules/contrib/uptime.te
@@ -1,4 +1,4 @@
-policy_module(uptime, 1.6.1)
+policy_module(uptime, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/uucp.te b/policy/modules/contrib/uucp.te
index b6666a5..9c884c4 100644
--- a/policy/modules/contrib/uucp.te
+++ b/policy/modules/contrib/uucp.te
@@ -1,4 +1,4 @@
-policy_module(uucp, 1.13.1)
+policy_module(uucp, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/uuidd.te b/policy/modules/contrib/uuidd.te
index 52f8a7a..b9dd990 100644
--- a/policy/modules/contrib/uuidd.te
+++ b/policy/modules/contrib/uuidd.te
@@ -1,4 +1,4 @@
-policy_module(uuidd, 1.1.1)
+policy_module(uuidd, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/varnishd.te b/policy/modules/contrib/varnishd.te
index 77fb5b6..05f1042 100644
--- a/policy/modules/contrib/varnishd.te
+++ b/policy/modules/contrib/varnishd.te
@@ -1,4 +1,4 @@
-policy_module(varnishd, 1.2.1)
+policy_module(varnishd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/vdagent.te b/policy/modules/contrib/vdagent.te
index 01403ab..af99feb 100644
--- a/policy/modules/contrib/vdagent.te
+++ b/policy/modules/contrib/vdagent.te
@@ -1,4 +1,4 @@
-policy_module(vdagent, 1.2.1)
+policy_module(vdagent, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/vhostmd.te b/policy/modules/contrib/vhostmd.te
index dabfe40..0157afb 100644
--- a/policy/modules/contrib/vhostmd.te
+++ b/policy/modules/contrib/vhostmd.te
@@ -1,4 +1,4 @@
-policy_module(vhostmd, 1.1.1)
+policy_module(vhostmd, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index ec81a76..c689d2f 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.8.4)
+policy_module(virt, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/vnstatd.te b/policy/modules/contrib/vnstatd.te
index 9630fe9..dc0d66b 100644
--- a/policy/modules/contrib/vnstatd.te
+++ b/policy/modules/contrib/vnstatd.te
@@ -1,4 +1,4 @@
-policy_module(vnstatd, 1.1.1)
+policy_module(vnstatd, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/watchdog.te b/policy/modules/contrib/watchdog.te
index 25b17a0..0f13e2b 100644
--- a/policy/modules/contrib/watchdog.te
+++ b/policy/modules/contrib/watchdog.te
@@ -1,4 +1,4 @@
-policy_module(watchdog, 1.9.1)
+policy_module(watchdog, 1.10.0)
#################################
#
diff --git a/policy/modules/contrib/wdmd.te b/policy/modules/contrib/wdmd.te
index 823f289..fb5c40f 100644
--- a/policy/modules/contrib/wdmd.te
+++ b/policy/modules/contrib/wdmd.te
@@ -1,4 +1,4 @@
-policy_module(wdmd, 1.1.1)
+policy_module(wdmd, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/wine.te b/policy/modules/contrib/wine.te
index 8efd659..391d59e 100644
--- a/policy/modules/contrib/wine.te
+++ b/policy/modules/contrib/wine.te
@@ -1,4 +1,4 @@
-policy_module(wine, 1.11.1)
+policy_module(wine, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/xfs.te b/policy/modules/contrib/xfs.te
index 46ab354..1e76478 100644
--- a/policy/modules/contrib/xfs.te
+++ b/policy/modules/contrib/xfs.te
@@ -1,4 +1,4 @@
-policy_module(xfs, 1.7.1)
+policy_module(xfs, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/zabbix.te b/policy/modules/contrib/zabbix.te
index f297da0..50c94c1 100644
--- a/policy/modules/contrib/zabbix.te
+++ b/policy/modules/contrib/zabbix.te
@@ -1,4 +1,4 @@
-policy_module(zabbix, 1.8.1)
+policy_module(zabbix, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/zarafa.te b/policy/modules/contrib/zarafa.te
index f03331e..82f5fcb 100644
--- a/policy/modules/contrib/zarafa.te
+++ b/policy/modules/contrib/zarafa.te
@@ -1,4 +1,4 @@
-policy_module(zarafa, 1.2.1)
+policy_module(zarafa, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/zebra.te b/policy/modules/contrib/zebra.te
index 0f726fc..f169722 100644
--- a/policy/modules/contrib/zebra.te
+++ b/policy/modules/contrib/zebra.te
@@ -1,4 +1,4 @@
-policy_module(zebra, 1.13.1)
+policy_module(zebra, 1.14.0)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2015-12-17 16:10 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-12-17 18:49 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-12-17 18:49 UTC (permalink / raw
To: gentoo-commits
commit: 8ae92d308e0631194085b08f3d9db7ba948ca641
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Wed Nov 4 13:54:37 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:57:34 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8ae92d30
Module version bump for changes to the mozilla module from Laurent Bigonville.
policy/modules/contrib/mozilla.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 6d7bac7..43b5087 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.8.0)
+policy_module(mozilla, 2.8.1)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2015-12-17 16:10 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-12-17 18:49 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-12-17 18:49 UTC (permalink / raw
To: gentoo-commits
commit: 0f33943959c1bdf50ecd42ca5112c776ca6f141c
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Dec 9 14:45:29 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:57:35 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0f339439
Add additional comments in geoclue.
policy/modules/contrib/geoclue.te | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/policy/modules/contrib/geoclue.te b/policy/modules/contrib/geoclue.te
index fc72974..68e6a16 100644
--- a/policy/modules/contrib/geoclue.te
+++ b/policy/modules/contrib/geoclue.te
@@ -1,5 +1,10 @@
policy_module(geoclue, 1.0.0)
+########################################
+#
+# Declarations
+#
+
type geoclue_t;
type geoclue_exec_t;
dbus_system_domain(geoclue_t, geoclue_exec_t)
@@ -10,6 +15,11 @@ files_config_file(geoclue_etc_t)
type geoclue_var_lib_t;
files_type(geoclue_var_lib_t)
+########################################
+#
+# Local policy
+#
+
read_files_pattern(geoclue_t, geoclue_etc_t, geoclue_etc_t)
corenet_tcp_connect_http_port(geoclue_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-12-17 18:49 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-12-17 18:49 UTC (permalink / raw
To: gentoo-commits
commit: 9ff0f255c3db718232e734ce131b92beec85f876
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Nov 23 15:23:32 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 16:24:55 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9ff0f255
portage: allow portage to rw all MLS levels
policy/modules/contrib/portage.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 2f62eb6..19bd8c8 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -449,6 +449,11 @@ gen_tunable(portage_enable_test, false)
corecmd_relabel_bin_files(portage_t)
corecmd_relabel_bin_lnk_files(portage_t)
+ mls_file_read_all_levels(portage_t)
+ mls_file_write_all_levels(portage_t)
+ mls_file_upgrade(portage_t)
+ mls_file_downgrade(portage_t)
+
auth_use_nsswitch(portage_t)
# Support cgroup FEATURES
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-12-17 18:49 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-12-17 18:49 UTC (permalink / raw
To: gentoo-commits
commit: 3378c1fbe95ec4fad1c986204510804436559cf0
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Mon Dec 14 01:03:35 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 16:03:28 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3378c1fb
networkmanager.fc: nm-dispatcher.action has been renamed to nm-dispatcher
policy/modules/contrib/networkmanager.fc | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc
index c192c7f..5bab4ba 100644
--- a/policy/modules/contrib/networkmanager.fc
+++ b/policy/modules/contrib/networkmanager.fc
@@ -13,8 +13,8 @@
/etc/wicd/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
/etc/wicd/wired-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
-/usr/lib/NetworkManager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-/usr/lib/networkmanager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/usr/lib/NetworkManager/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/usr/lib/networkmanager/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
/usr/libexec/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
# Systemd unit files
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-12-17 18:49 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-12-17 18:49 UTC (permalink / raw
To: gentoo-commits
commit: d97f7b9dddbe44fbc16878a137266c312acd6dd7
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Mon Dec 14 00:37:43 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:57:35 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d97f7b9d
virt.fc: Add some debian contexts
policy/modules/contrib/virt.fc | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index ea197d0..f7e0ce8 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -16,6 +16,10 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/usr/lib/libvirt/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
+/usr/lib/libvirt/libvirt_leaseshelper -- gen_context(system_u:object_r:virt_leaseshelper_exec_t,s0)
+/usr/lib/qemu/qemu-bridge-helper -- gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)
+
/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
/usr/libexec/qemu-bridge-helper gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)
/usr/libexec/libvirt_leaseshelper -- gen_context(system_u:object_r:virt_leaseshelper_exec_t,s0)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2015-12-17 16:10 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-12-17 18:49 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-12-17 18:49 UTC (permalink / raw
To: gentoo-commits
commit: b5f2d0dd7c3c533bd0cac83d19ca52e2e3e00342
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Thu Dec 10 10:47:41 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:57:35 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b5f2d0dd
Use auth_use_nsswitch() as we need DNS resolving and access nsswitch.conf
Use auth_use_nsswitch() instead of files_read_etc_files() and
sysnet_dns_name_resolve()
policy/modules/contrib/geoclue.te | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/geoclue.te b/policy/modules/contrib/geoclue.te
index 68e6a16..34ed075 100644
--- a/policy/modules/contrib/geoclue.te
+++ b/policy/modules/contrib/geoclue.te
@@ -22,18 +22,15 @@ files_type(geoclue_var_lib_t)
read_files_pattern(geoclue_t, geoclue_etc_t, geoclue_etc_t)
+auth_use_nsswitch(geoclue_t)
+
corenet_tcp_connect_http_port(geoclue_t)
dev_read_urand(geoclue_t)
-# Reads /etc/nsswitch.conf
-files_read_etc_files(geoclue_t)
-
miscfiles_read_generic_certs(geoclue_t)
miscfiles_read_localization(geoclue_t)
-sysnet_dns_name_resolve(geoclue_t)
-
optional_policy(`
avahi_dbus_chat(geoclue_t)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2015-12-17 16:10 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-12-17 18:49 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-12-17 18:49 UTC (permalink / raw
To: gentoo-commits
commit: 3c56e38a5546282f9a72830af1bca9ea7bd4f043
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Dec 14 15:36:44 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 16:03:28 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3c56e38a
Module version bump for virt and networkmanager patches from Laurent Bigonville.
policy/modules/contrib/networkmanager.te | 2 +-
policy/modules/contrib/virt.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index d4bcc16..6f3f895 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.18.0)
+policy_module(networkmanager, 1.18.1)
########################################
#
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index c689d2f..36f46a2 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.9.0)
+policy_module(virt, 1.9.1)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2015-12-17 16:10 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-12-17 18:49 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-12-17 18:49 UTC (permalink / raw
To: gentoo-commits
commit: f30bc6343d09e2f08a97d6428b6c1c020892fe05
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Thu Dec 10 11:02:06 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:57:35 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f30bc634
Module version bump for changes to the geoclue module by Laurent Bigonville.
Moved auth_use_nsswitch() call to the proper location.
policy/modules/contrib/geoclue.te | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/geoclue.te b/policy/modules/contrib/geoclue.te
index 34ed075..b8413a5 100644
--- a/policy/modules/contrib/geoclue.te
+++ b/policy/modules/contrib/geoclue.te
@@ -1,4 +1,4 @@
-policy_module(geoclue, 1.0.0)
+policy_module(geoclue, 1.0.1)
########################################
#
@@ -22,12 +22,12 @@ files_type(geoclue_var_lib_t)
read_files_pattern(geoclue_t, geoclue_etc_t, geoclue_etc_t)
-auth_use_nsswitch(geoclue_t)
-
corenet_tcp_connect_http_port(geoclue_t)
dev_read_urand(geoclue_t)
+auth_use_nsswitch(geoclue_t)
+
miscfiles_read_generic_certs(geoclue_t)
miscfiles_read_localization(geoclue_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-12-17 18:52 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-12-17 18:52 UTC (permalink / raw
To: gentoo-commits
commit: 5d53781c9e1acf2faa64a23540330a520d2757f6
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Nov 23 15:23:32 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 18:51:56 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5d53781c
portage: allow portage to rw all MLS levels
policy/modules/contrib/portage.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 2f62eb6..19bd8c8 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -449,6 +449,11 @@ gen_tunable(portage_enable_test, false)
corecmd_relabel_bin_files(portage_t)
corecmd_relabel_bin_lnk_files(portage_t)
+ mls_file_read_all_levels(portage_t)
+ mls_file_write_all_levels(portage_t)
+ mls_file_upgrade(portage_t)
+ mls_file_downgrade(portage_t)
+
auth_use_nsswitch(portage_t)
# Support cgroup FEATURES
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-12-18 3:49 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-12-18 3:49 UTC (permalink / raw
To: gentoo-commits
commit: b88becf9d92e6db7a0d1c31cdf8b720088b0fffd
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Nov 23 15:23:32 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Dec 18 03:32:59 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b88becf9
portage: allow portage to rw all MLS levels
policy/modules/contrib/portage.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 2f62eb6..19bd8c8 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -449,6 +449,11 @@ gen_tunable(portage_enable_test, false)
corecmd_relabel_bin_files(portage_t)
corecmd_relabel_bin_lnk_files(portage_t)
+ mls_file_read_all_levels(portage_t)
+ mls_file_write_all_levels(portage_t)
+ mls_file_upgrade(portage_t)
+ mls_file_downgrade(portage_t)
+
auth_use_nsswitch(portage_t)
# Support cgroup FEATURES
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-12-18 4:14 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2015-12-18 4:14 UTC (permalink / raw
To: gentoo-commits
commit: dde4f0a4790224931947b35e47588513e3e6f523
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Nov 23 15:23:32 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Dec 18 04:13:02 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dde4f0a4
portage: allow portage to rw all MLS levels
policy/modules/contrib/portage.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 2f62eb6..19bd8c8 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -449,6 +449,11 @@ gen_tunable(portage_enable_test, false)
corecmd_relabel_bin_files(portage_t)
corecmd_relabel_bin_lnk_files(portage_t)
+ mls_file_read_all_levels(portage_t)
+ mls_file_write_all_levels(portage_t)
+ mls_file_upgrade(portage_t)
+ mls_file_downgrade(portage_t)
+
auth_use_nsswitch(portage_t)
# Support cgroup FEATURES
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-05-26 15:54 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-05-26 15:54 UTC (permalink / raw
To: gentoo-commits
commit: c38fc6050c35f37a7b39479c51a3d9a96f290e7c
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 13 15:12:50 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 26 15:45:29 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c38fc605
pulseaudio: fcontext and filetrans for /run/user/ID/pulse/
policy/modules/contrib/pulseaudio.te | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 9b8d84e..5e39ebd 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -56,6 +56,7 @@ manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
+userdom_user_runtime_dir_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "autospawn.lock")
userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid")
userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "dbus-socket")
@@ -203,8 +204,9 @@ optional_policy(`
#
allow pulseaudio_client self:unix_dgram_socket sendto;
+allow pulseaudio_client self:process signull;
-allow pulseaudio_client pulseaudio_client:process signull;
+allow pulseaudio_client pulseaudio_tmp_t:dir list_dir_perms;
read_files_pattern(pulseaudio_client, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t }, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t })
delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfile)
@@ -228,6 +230,7 @@ pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cooki
pulseaudio_signull(pulseaudio_client)
userdom_read_user_tmpfs_files(pulseaudio_client)
+userdom_user_runtime_dir_filetrans(pulseaudio_client, pulseaudio_tmp_t, dir, "pulse")
# userdom_delete_user_tmpfs_files(pulseaudio_client)
tunable_policy(`use_nfs_home_dirs',`
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-05-26 15:54 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-05-26 15:54 UTC (permalink / raw
To: gentoo-commits
commit: 98321f738e0c199019f396a453dfc225ec9f87e1
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun May 22 16:42:36 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 26 15:45:29 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=98321f73
consolekit: Add a filetrans on /run/user
policy/modules/contrib/consolekit.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index cd02890..f4628e0 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -79,6 +79,7 @@ miscfiles_read_localization(consolekit_t)
userdom_dontaudit_read_user_home_content_files(consolekit_t)
userdom_read_user_tmp_files(consolekit_t)
+userdom_pid_filetrans_user_runtime_root(consolekit_t, dir, "user")
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(consolekit_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-05-26 17:39 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-05-26 17:39 UTC (permalink / raw
To: gentoo-commits
commit: 26bb0b9e050dd2d69c6a75c5869455e8f3b739aa
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun May 22 16:42:36 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 26 16:11:13 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=26bb0b9e
consolekit: Add a filetrans on /run/user
policy/modules/contrib/consolekit.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index cd02890..f4628e0 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -79,6 +79,7 @@ miscfiles_read_localization(consolekit_t)
userdom_dontaudit_read_user_home_content_files(consolekit_t)
userdom_read_user_tmp_files(consolekit_t)
+userdom_pid_filetrans_user_runtime_root(consolekit_t, dir, "user")
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(consolekit_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-05-26 17:39 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-05-26 17:39 UTC (permalink / raw
To: gentoo-commits
commit: ce3493dfde5cdc0a7047cb2ee03e226ef3bdb53d
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 13 15:12:50 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 26 16:11:13 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ce3493df
pulseaudio: fcontext and filetrans for /run/user/ID/pulse/
policy/modules/contrib/pulseaudio.te | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 9b8d84e..5e39ebd 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -56,6 +56,7 @@ manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
+userdom_user_runtime_dir_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "autospawn.lock")
userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid")
userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "dbus-socket")
@@ -203,8 +204,9 @@ optional_policy(`
#
allow pulseaudio_client self:unix_dgram_socket sendto;
+allow pulseaudio_client self:process signull;
-allow pulseaudio_client pulseaudio_client:process signull;
+allow pulseaudio_client pulseaudio_tmp_t:dir list_dir_perms;
read_files_pattern(pulseaudio_client, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t }, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t })
delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfile)
@@ -228,6 +230,7 @@ pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cooki
pulseaudio_signull(pulseaudio_client)
userdom_read_user_tmpfs_files(pulseaudio_client)
+userdom_user_runtime_dir_filetrans(pulseaudio_client, pulseaudio_tmp_t, dir, "pulse")
# userdom_delete_user_tmpfs_files(pulseaudio_client)
tunable_policy(`use_nfs_home_dirs',`
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-05-26 19:28 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-05-26 19:28 UTC (permalink / raw
To: gentoo-commits
commit: 96e599e9c8f391c5145f1bd7ffb354bbd745050b
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 13 15:12:50 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 26 18:44:57 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=96e599e9
pulseaudio: fcontext and filetrans for /run/user/ID/pulse/
policy/modules/contrib/pulseaudio.te | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 9b8d84e..5e39ebd 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -56,6 +56,7 @@ manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
+userdom_user_runtime_dir_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "autospawn.lock")
userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid")
userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "dbus-socket")
@@ -203,8 +204,9 @@ optional_policy(`
#
allow pulseaudio_client self:unix_dgram_socket sendto;
+allow pulseaudio_client self:process signull;
-allow pulseaudio_client pulseaudio_client:process signull;
+allow pulseaudio_client pulseaudio_tmp_t:dir list_dir_perms;
read_files_pattern(pulseaudio_client, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t }, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t })
delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfile)
@@ -228,6 +230,7 @@ pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cooki
pulseaudio_signull(pulseaudio_client)
userdom_read_user_tmpfs_files(pulseaudio_client)
+userdom_user_runtime_dir_filetrans(pulseaudio_client, pulseaudio_tmp_t, dir, "pulse")
# userdom_delete_user_tmpfs_files(pulseaudio_client)
tunable_policy(`use_nfs_home_dirs',`
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-05-26 19:28 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-05-26 19:28 UTC (permalink / raw
To: gentoo-commits
commit: 2faae7f14ce8551774fd796ed172c691e8e8ae7d
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun May 22 16:42:36 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 26 18:44:57 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2faae7f1
consolekit: Add a filetrans on /run/user
policy/modules/contrib/consolekit.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index cd02890..f4628e0 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -79,6 +79,7 @@ miscfiles_read_localization(consolekit_t)
userdom_dontaudit_read_user_home_content_files(consolekit_t)
userdom_read_user_tmp_files(consolekit_t)
+userdom_pid_filetrans_user_runtime_root(consolekit_t, dir, "user")
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(consolekit_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-08-13 18:35 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-08-13 18:35 UTC (permalink / raw
To: gentoo-commits
commit: 15d627de48ef8cca29e31abfdcf984a808f14eb0
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Aug 2 23:29:05 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=15d627de
rpcbind: Read /sys/devices/system/cpu/online from Russell Coker.
policy/modules/contrib/rpcbind.te | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index 9ba71b5..88dbc6b 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.9.0)
+policy_module(rpcbind, 1.9.1)
########################################
#
@@ -61,6 +61,8 @@ corenet_udp_bind_all_rpc_ports(rpcbind_t)
corecmd_exec_shell(rpcbind_t)
+dev_read_cpu_online(rpcbind_t)
+
domain_use_interactive_fds(rpcbind_t)
files_read_etc_runtime_files(rpcbind_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-08-13 18:35 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-08-13 18:35 UTC (permalink / raw
To: gentoo-commits
commit: 70531e52da1a835f82a2db952c0a408b9e9e1cfe
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Sun Jul 31 09:31:37 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=70531e52
watchdog reads pid files
This patch allows watchdog to read all pid files for the "pidfile" feature.
policy/modules/contrib/watchdog.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/watchdog.te b/policy/modules/contrib/watchdog.te
index 0f13e2b..8cb7a08 100644
--- a/policy/modules/contrib/watchdog.te
+++ b/policy/modules/contrib/watchdog.te
@@ -75,6 +75,8 @@ fs_search_auto_mountpoints(watchdog_t)
auth_append_login_records(watchdog_t)
+files_read_all_pids(watchdog_t)
+
logging_send_syslog_msg(watchdog_t)
miscfiles_read_localization(watchdog_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-08-13 18:35 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-08-13 18:35 UTC (permalink / raw
To: gentoo-commits
commit: 6e8d429d4a26f3e6c1ceccd320fe6d57b1f5c3c0
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Aug 2 23:40:21 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6e8d429d
watchdog: Move line.
policy/modules/contrib/watchdog.te | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/policy/modules/contrib/watchdog.te b/policy/modules/contrib/watchdog.te
index 8cb7a08..a7eac30 100644
--- a/policy/modules/contrib/watchdog.te
+++ b/policy/modules/contrib/watchdog.te
@@ -68,6 +68,7 @@ domain_kill_all_domains(watchdog_t)
files_read_etc_files(watchdog_t)
files_manage_etc_runtime_files(watchdog_t)
files_etc_filetrans_etc_runtime(watchdog_t, file)
+files_read_all_pids(watchdog_t)
fs_unmount_xattr_fs(watchdog_t)
fs_getattr_all_fs(watchdog_t)
@@ -75,8 +76,6 @@ fs_search_auto_mountpoints(watchdog_t)
auth_append_login_records(watchdog_t)
-files_read_all_pids(watchdog_t)
-
logging_send_syslog_msg(watchdog_t)
miscfiles_read_localization(watchdog_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-08-13 18:35 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-08-13 18:35 UTC (permalink / raw
To: gentoo-commits
commit: dff809f64be7fe7c03e5738e2a0711bce014b370
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 8 06:21:51 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dff809f6
pulseaudio: fix user runtime fcontext
policy/modules/contrib/pulseaudio.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/pulseaudio.fc b/policy/modules/contrib/pulseaudio.fc
index cde5a80..e005030 100644
--- a/policy/modules/contrib/pulseaudio.fc
+++ b/policy/modules/contrib/pulseaudio.fc
@@ -7,7 +7,7 @@ HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
-/var/run/%{USERID}/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_tmp_t,s0)
+/var/run/user/%{USERID}/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_tmp_t,s0)
ifdef(`distro_gentoo',`
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2016-08-13 18:32 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2016-08-13 18:35 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-08-13 18:35 UTC (permalink / raw
To: gentoo-commits
commit: e8e8d4ac0695c051293cc8ed94d03630df38e997
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Tue Aug 9 20:31:13 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e8e8d4ac
Policykit module: add fs_getattr_xattr_fs()
Add a single permission to the policykit module.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/policykit.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index 50f8b6a..da0187b 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -92,6 +92,7 @@ domain_read_all_domains_state(policykit_t)
files_dontaudit_search_all_mountpoints(policykit_t)
+fs_getattr_xattr_fs(policykit_t)
fs_list_inotifyfs(policykit_t)
auth_use_nsswitch(policykit_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2016-08-13 18:32 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2016-08-13 18:35 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-08-13 18:35 UTC (permalink / raw
To: gentoo-commits
commit: af12f6d8e80bc5072ca18eb1ff4162931d73f8df
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Aug 13 13:12:35 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=af12f6d8
cpucontrol: revise cpucontrol_conf_t labeling, from Guido Trentalancia.
policy/modules/contrib/cpucontrol.fc | 2 +-
policy/modules/contrib/cpucontrol.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/cpucontrol.fc b/policy/modules/contrib/cpucontrol.fc
index 3ffda4c..32bd499 100644
--- a/policy/modules/contrib/cpucontrol.fc
+++ b/policy/modules/contrib/cpucontrol.fc
@@ -1,4 +1,4 @@
-/etc/firmware/.* -- gen_context(system_u:object_r:cpucontrol_conf_t,s0)
+/lib/firmware/microcode.*\.dat -- gen_context(system_u:object_r:cpucontrol_conf_t,s0)
/sbin/microcode_ctl -- gen_context(system_u:object_r:cpucontrol_exec_t,s0)
diff --git a/policy/modules/contrib/cpucontrol.te b/policy/modules/contrib/cpucontrol.te
index af72c4e..901911b 100644
--- a/policy/modules/contrib/cpucontrol.te
+++ b/policy/modules/contrib/cpucontrol.te
@@ -1,4 +1,4 @@
-policy_module(cpucontrol, 1.4.0)
+policy_module(cpucontrol, 1.4.1)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2016-08-13 18:32 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2016-08-13 18:35 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-08-13 18:35 UTC (permalink / raw
To: gentoo-commits
commit: 9b78f18aa12787812bd7a663205f8d2e836f6577
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Aug 13 14:51:13 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9b78f18a
Module version bumps for patches from Guido Trentalancia.
policy/modules/contrib/apm.te | 2 +-
policy/modules/contrib/gpg.te | 2 +-
policy/modules/contrib/policykit.te | 2 +-
policy/modules/contrib/pulseaudio.te | 2 +-
policy/modules/contrib/rtkit.te | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/apm.te b/policy/modules/contrib/apm.te
index e2ac3c1..449f23f 100644
--- a/policy/modules/contrib/apm.te
+++ b/policy/modules/contrib/apm.te
@@ -1,4 +1,4 @@
-policy_module(apm, 1.14.1)
+policy_module(apm, 1.14.2)
########################################
#
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 748f143..072047d 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.9.0)
+policy_module(gpg, 2.9.1)
########################################
#
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index da0187b..b0e00eb 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -1,4 +1,4 @@
-policy_module(policykit, 1.4.0)
+policy_module(policykit, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index e011c3a..e7511a8 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.8.2)
+policy_module(pulseaudio, 1.8.3)
########################################
#
diff --git a/policy/modules/contrib/rtkit.te b/policy/modules/contrib/rtkit.te
index 2e8ac03..3e68e7f 100644
--- a/policy/modules/contrib/rtkit.te
+++ b/policy/modules/contrib/rtkit.te
@@ -1,4 +1,4 @@
-policy_module(rtkit, 1.3.0)
+policy_module(rtkit, 1.3.1)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-08-13 18:35 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-08-13 18:35 UTC (permalink / raw
To: gentoo-commits
commit: 1e92b35184febdff52e8731acd013d61a3778265
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Aug 2 23:40:44 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1e92b351
Module version bump for watchdog pidfile option from Russell Coker.
policy/modules/contrib/watchdog.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/watchdog.te b/policy/modules/contrib/watchdog.te
index a7eac30..0793afa 100644
--- a/policy/modules/contrib/watchdog.te
+++ b/policy/modules/contrib/watchdog.te
@@ -1,4 +1,4 @@
-policy_module(watchdog, 1.10.0)
+policy_module(watchdog, 1.10.1)
#################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-08-13 18:35 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-08-13 18:35 UTC (permalink / raw
To: gentoo-commits
commit: a20312035fa6040148369683119ca8529edd4fac
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Aug 13 13:02:19 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a2031203
Module version bump for pulseaudio fc fix from Jason Zaman.
policy/modules/contrib/pulseaudio.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 118c86a..e011c3a 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.8.1)
+policy_module(pulseaudio, 1.8.2)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2016-08-13 18:32 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2016-08-13 18:35 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-08-13 18:35 UTC (permalink / raw
To: gentoo-commits
commit: 3c6c3b732e4d868791d86ddf777fa5d75889b168
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Wed Aug 10 20:44:15 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3c6c3b73
Update the policy for module apm
Update needed for the normal functioning of the acpi daemon.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/apm.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/apm.te b/policy/modules/contrib/apm.te
index 3acc764..e2ac3c1 100644
--- a/policy/modules/contrib/apm.te
+++ b/policy/modules/contrib/apm.te
@@ -67,6 +67,7 @@ dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrac
allow apmd_t self:process { signal_perms getsession };
allow apmd_t self:fifo_file rw_fifo_file_perms;
allow apmd_t self:netlink_socket create_socket_perms;
+allow apmd_t self:netlink_generic_socket create_socket_perms;
allow apmd_t self:unix_stream_socket { accept listen };
allow apmd_t apmd_lock_t:file manage_file_perms;
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-08-13 18:35 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-08-13 18:35 UTC (permalink / raw
To: gentoo-commits
commit: 953f0de61ff6969382d34002fc7d4b4992e88c1a
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Wed Aug 10 23:29:17 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=953f0de6
Let gpg disable core dumps
Update the gpg role interface so that core dumps can be disabled
at runtime (required for successful execution of gpg).
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/gpg.if | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
index b299418..0370dd1 100644
--- a/policy/modules/contrib/gpg.if
+++ b/policy/modules/contrib/gpg.if
@@ -31,6 +31,7 @@ interface(`gpg_role',`
domtrans_pattern($2, gpg_exec_t, gpg_t)
domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)
+ allow $2 self:process setrlimit;
allow $2 { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }:process { ptrace signal_perms };
ps_process_pattern($2, { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t })
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-08-13 18:35 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-08-13 18:35 UTC (permalink / raw
To: gentoo-commits
commit: 8a3ee1b331c4066f0ce3641fb5ca886f0c479650
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Wed Aug 3 05:39:37 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8a3ee1b3
named reads vm sysctls
On Wed, 3 Aug 2016 09:43:18 AM Chris PeBenito wrote:
> > kernel_read_kernel_sysctls(named_t)
> >
> > +kernel_read_vm_sysctls(named_t)
> >
> > kernel_read_system_state(named_t)
> > kernel_read_network_state(named_t)
>
> Yes, there is a kernel_read_vm_overcommit_sysctl().
I've attached a new patch.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
policy/modules/contrib/bind.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index 2a72066..0683298 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -110,6 +110,7 @@ read_files_pattern(named_t, named_zone_t, named_zone_t)
read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
kernel_read_kernel_sysctls(named_t)
+kernel_read_vm_overcommit_sysctl(named_t)
kernel_read_system_state(named_t)
kernel_read_network_state(named_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2016-08-13 18:32 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2016-08-13 18:35 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-08-13 18:35 UTC (permalink / raw
To: gentoo-commits
commit: 89d1ba7ab8b4bd7188379b36d18464a912491e55
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Aug 6 23:13:32 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=89d1ba7a
Systemd units from Russell Coker.
policy/modules/contrib/apache.fc | 2 ++
policy/modules/contrib/apache.te | 5 ++++-
policy/modules/contrib/apcupsd.fc | 2 ++
policy/modules/contrib/apcupsd.te | 5 ++++-
policy/modules/contrib/apm.fc | 2 ++
policy/modules/contrib/apm.te | 5 ++++-
policy/modules/contrib/arpwatch.fc | 2 ++
policy/modules/contrib/arpwatch.te | 5 ++++-
policy/modules/contrib/automount.fc | 2 ++
policy/modules/contrib/automount.te | 5 ++++-
policy/modules/contrib/avahi.fc | 2 ++
policy/modules/contrib/avahi.te | 5 ++++-
policy/modules/contrib/bind.fc | 3 +++
policy/modules/contrib/bind.te | 5 ++++-
policy/modules/contrib/clamav.fc | 2 ++
policy/modules/contrib/clamav.te | 5 ++++-
policy/modules/contrib/consolekit.fc | 2 ++
policy/modules/contrib/consolekit.te | 5 ++++-
policy/modules/contrib/cron.fc | 3 +++
policy/modules/contrib/cron.te | 5 ++++-
policy/modules/contrib/cups.fc | 1 +
policy/modules/contrib/cups.te | 5 ++++-
policy/modules/contrib/dhcp.fc | 2 ++
policy/modules/contrib/dhcp.te | 5 ++++-
policy/modules/contrib/ftp.fc | 3 +++
policy/modules/contrib/ftp.te | 5 ++++-
policy/modules/contrib/kdump.fc | 2 ++
policy/modules/contrib/kdump.te | 2 +-
policy/modules/contrib/ldap.fc | 1 +
policy/modules/contrib/ldap.te | 5 ++++-
policy/modules/contrib/mysql.fc | 2 ++
policy/modules/contrib/mysql.te | 5 ++++-
policy/modules/contrib/nis.fc | 5 +++++
policy/modules/contrib/nis.te | 8 +++++++-
policy/modules/contrib/nscd.te | 5 ++++-
policy/modules/contrib/ntp.fc | 1 +
policy/modules/contrib/ppp.fc | 2 ++
policy/modules/contrib/ppp.te | 5 ++++-
policy/modules/contrib/rpc.fc | 3 +++
policy/modules/contrib/rpc.te | 8 +++++++-
policy/modules/contrib/samba.fc | 2 ++
policy/modules/contrib/samba.te | 5 ++++-
policy/modules/contrib/tor.fc | 2 ++
policy/modules/contrib/tor.te | 5 ++++-
44 files changed, 139 insertions(+), 22 deletions(-)
diff --git a/policy/modules/contrib/apache.fc b/policy/modules/contrib/apache.fc
index 96006a0..808cc65 100644
--- a/policy/modules/contrib/apache.fc
+++ b/policy/modules/contrib/apache.fc
@@ -50,6 +50,8 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:objec
/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/systemd/system/httpd.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
+/usr/lib/systemd/system/jetty.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index d3299a2..e02fcdc 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.10.0)
+policy_module(apache, 2.10.1)
########################################
#
@@ -327,6 +327,9 @@ files_tmp_file(httpd_tmp_t)
type httpd_tmpfs_t;
files_tmpfs_file(httpd_tmpfs_t)
+type httpd_unit_t;
+init_unit_file(httpd_unit_t)
+
apache_content_template(user)
ubac_constrained(httpd_user_script_t)
userdom_user_home_content(httpd_user_content_t)
diff --git a/policy/modules/contrib/apcupsd.fc b/policy/modules/contrib/apcupsd.fc
index 5ec0e13..82d48b1 100644
--- a/policy/modules/contrib/apcupsd.fc
+++ b/policy/modules/contrib/apcupsd.fc
@@ -2,6 +2,8 @@
/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
+/usr/lib/systemd/system/apcupsd.*\.service -- gen_context(system_u:object_r:apcupsd_unit_t,s0)
+
/usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
/var/lock/subsys/apcupsd -- gen_context(system_u:object_r:apcupsd_lock_t,s0)
diff --git a/policy/modules/contrib/apcupsd.te b/policy/modules/contrib/apcupsd.te
index d5bf5bd..586104d 100644
--- a/policy/modules/contrib/apcupsd.te
+++ b/policy/modules/contrib/apcupsd.te
@@ -1,4 +1,4 @@
-policy_module(apcupsd, 1.10.0)
+policy_module(apcupsd, 1.10.1)
########################################
#
@@ -21,6 +21,9 @@ logging_log_file(apcupsd_log_t)
type apcupsd_tmp_t;
files_tmp_file(apcupsd_tmp_t)
+type apcupsd_unit_t;
+init_unit_file(apcupsd_unit_t)
+
type apcupsd_var_run_t;
files_pid_file(apcupsd_var_run_t)
diff --git a/policy/modules/contrib/apm.fc b/policy/modules/contrib/apm.fc
index ce27d2f..0b5cf18 100644
--- a/policy/modules/contrib/apm.fc
+++ b/policy/modules/contrib/apm.fc
@@ -2,6 +2,8 @@
/usr/bin/apm -- gen_context(system_u:object_r:apm_exec_t,s0)
+/usr/lib/systemd/system/apmd.*\.service -- gen_context(system_u:object_r:apmd_unit_t,s0)
+
/usr/sbin/acpid -- gen_context(system_u:object_r:apmd_exec_t,s0)
/usr/sbin/apmd -- gen_context(system_u:object_r:apmd_exec_t,s0)
/usr/sbin/powersaved -- gen_context(system_u:object_r:apmd_exec_t,s0)
diff --git a/policy/modules/contrib/apm.te b/policy/modules/contrib/apm.te
index d6344dc..3acc764 100644
--- a/policy/modules/contrib/apm.te
+++ b/policy/modules/contrib/apm.te
@@ -1,4 +1,4 @@
-policy_module(apm, 1.14.0)
+policy_module(apm, 1.14.1)
########################################
#
@@ -29,6 +29,9 @@ logging_log_file(apmd_log_t)
type apmd_tmp_t;
files_tmp_file(apmd_tmp_t)
+type apmd_unit_t;
+init_unit_file(apmd_unit_t)
+
type apmd_var_lib_t;
files_type(apmd_var_lib_t)
diff --git a/policy/modules/contrib/arpwatch.fc b/policy/modules/contrib/arpwatch.fc
index 9ca0d0f..59498be 100644
--- a/policy/modules/contrib/arpwatch.fc
+++ b/policy/modules/contrib/arpwatch.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
+/usr/lib/systemd/system/arpwatch.*\.service -- gen_context(system_u:object_r:arpwatch_unit_t,s0)
+
/usr/sbin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
/var/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
diff --git a/policy/modules/contrib/arpwatch.te b/policy/modules/contrib/arpwatch.te
index 97ecc55..0cda29a 100644
--- a/policy/modules/contrib/arpwatch.te
+++ b/policy/modules/contrib/arpwatch.te
@@ -1,4 +1,4 @@
-policy_module(arpwatch, 1.12.0)
+policy_module(arpwatch, 1.12.1)
########################################
#
@@ -18,6 +18,9 @@ files_type(arpwatch_data_t)
type arpwatch_tmp_t;
files_tmp_file(arpwatch_tmp_t)
+type arpwatch_unit_t;
+init_unit_file(arpwatch_unit_t)
+
type arpwatch_var_run_t;
files_pid_file(arpwatch_var_run_t)
diff --git a/policy/modules/contrib/automount.fc b/policy/modules/contrib/automount.fc
index 92adb37..989c10e 100644
--- a/policy/modules/contrib/automount.fc
+++ b/policy/modules/contrib/automount.fc
@@ -1,6 +1,8 @@
/etc/apm/event\.d/autofs -- gen_context(system_u:object_r:automount_exec_t,s0)
/etc/rc\.d/init\.d/autofs -- gen_context(system_u:object_r:automount_initrc_exec_t,s0)
+/usr/lib/systemd/system/autofs.*\.service -- gen_context(system_u:object_r:automount_unit_t,s0)
+
/usr/sbin/automount -- gen_context(system_u:object_r:automount_exec_t,s0)
/var/lock/subsys/autofs -- gen_context(system_u:object_r:automount_lock_t,s0)
diff --git a/policy/modules/contrib/automount.te b/policy/modules/contrib/automount.te
index be5adee..2f5852e 100644
--- a/policy/modules/contrib/automount.te
+++ b/policy/modules/contrib/automount.te
@@ -1,4 +1,4 @@
-policy_module(automount, 1.16.0)
+policy_module(automount, 1.16.1)
########################################
#
@@ -22,6 +22,9 @@ type automount_tmp_t;
files_tmp_file(automount_tmp_t)
files_mountpoint(automount_tmp_t)
+type automount_unit_t;
+init_unit_file(automount_unit_t)
+
type automount_var_run_t;
files_pid_file(automount_var_run_t)
diff --git a/policy/modules/contrib/avahi.fc b/policy/modules/contrib/avahi.fc
index e9fe2ca..f6604ae 100644
--- a/policy/modules/contrib/avahi.fc
+++ b/policy/modules/contrib/avahi.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/avahi.* -- gen_context(system_u:object_r:avahi_initrc_exec_t,s0)
+/usr/lib/systemd/system/avahi.*\.service -- gen_context(system_u:object_r:avahi_unit_t,s0)
+
/usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0)
/usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0)
/usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0)
diff --git a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te
index 461cef0..40cba10 100644
--- a/policy/modules/contrib/avahi.te
+++ b/policy/modules/contrib/avahi.te
@@ -1,4 +1,4 @@
-policy_module(avahi, 1.16.0)
+policy_module(avahi, 1.16.1)
########################################
#
@@ -13,6 +13,9 @@ init_named_socket_activation(avahi_t, avahi_var_run_t)
type avahi_initrc_exec_t;
init_script_file(avahi_initrc_exec_t)
+type avahi_unit_t;
+init_unit_file(avahi_unit_t)
+
type avahi_var_lib_t;
files_pid_file(avahi_var_lib_t)
diff --git a/policy/modules/contrib/bind.fc b/policy/modules/contrib/bind.fc
index 2b9a3a1..d0c6d58 100644
--- a/policy/modules/contrib/bind.fc
+++ b/policy/modules/contrib/bind.fc
@@ -14,6 +14,9 @@
/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/usr/lib/systemd/system/named.*\.service -- gen_context(system_u:object_r:named_unit_t,s0)
+/usr/lib/systemd/system/unbound.*\.service -- gen_context(system_u:object_r:named_unit_t,s0)
+
/usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index 0683298..e3072c7 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.16.1)
+policy_module(bind, 1.16.2)
########################################
#
@@ -53,6 +53,9 @@ logging_log_file(named_log_t)
type named_tmp_t;
files_tmp_file(named_tmp_t)
+type named_unit_t;
+init_unit_file(named_unit_t)
+
type named_var_run_t;
files_pid_file(named_var_run_t)
init_daemon_pid_file(named_var_run_t, dir, "named")
diff --git a/policy/modules/contrib/clamav.fc b/policy/modules/contrib/clamav.fc
index d72afcc..f12497d 100644
--- a/policy/modules/contrib/clamav.fc
+++ b/policy/modules/contrib/clamav.fc
@@ -6,6 +6,8 @@
/usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
/usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0)
+/usr/lib/systemd/system/clamd.*\.service -- gen_context(system_u:object_r:clamd_unit_t,s0)
+
/usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
/usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0)
diff --git a/policy/modules/contrib/clamav.te b/policy/modules/contrib/clamav.te
index c157b65..d733ffb 100644
--- a/policy/modules/contrib/clamav.te
+++ b/policy/modules/contrib/clamav.te
@@ -1,4 +1,4 @@
-policy_module(clamav, 1.12.0)
+policy_module(clamav, 1.12.1)
## <desc>
## <p>
@@ -41,6 +41,9 @@ init_script_file(clamd_initrc_exec_t)
type clamd_tmp_t;
files_tmp_file(clamd_tmp_t)
+type clamd_unit_t;
+init_unit_file(clamd_unit_t)
+
type clamd_var_log_t;
logging_log_file(clamd_var_log_t)
diff --git a/policy/modules/contrib/consolekit.fc b/policy/modules/contrib/consolekit.fc
index 0ce1e53..3ce852a 100644
--- a/policy/modules/contrib/consolekit.fc
+++ b/policy/modules/contrib/consolekit.fc
@@ -1,3 +1,5 @@
+/usr/lib/systemd/system/console-kit.*\.service -- gen_context(system_u:object_r:consolekit_unit_t,s0)
+
/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index a3fd0bf..80c18fa 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -1,4 +1,4 @@
-policy_module(consolekit, 1.10.1)
+policy_module(consolekit, 1.10.2)
########################################
#
@@ -15,6 +15,9 @@ logging_log_file(consolekit_log_t)
type consolekit_tmpfs_t;
files_tmpfs_file(consolekit_tmpfs_t)
+type consolekit_unit_t;
+init_unit_file(consolekit_unit_t)
+
type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
init_daemon_pid_file(consolekit_var_run_t, dir, "ConsoleKit")
diff --git a/policy/modules/contrib/cron.fc b/policy/modules/contrib/cron.fc
index cbb19b7..21ca917 100644
--- a/policy/modules/contrib/cron.fc
+++ b/policy/modules/contrib/cron.fc
@@ -6,6 +6,9 @@
/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/lib/systemd/system/atd.*\.service -- gen_context(system_u:object_r:crond_unit_t,s0)
+/usr/lib/systemd/system/crond.*\.service -- gen_context(system_u:object_r:crond_unit_t,s0)
+
/usr/libexec/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
/usr/libexec/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index d26bdb2..0125df0 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.9.1)
+policy_module(cron, 2.9.2)
gen_require(`
class passwd rootok;
@@ -76,6 +76,9 @@ files_tmp_file(crond_tmp_t)
files_poly_parent(crond_tmp_t)
mta_system_content(crond_tmp_t)
+type crond_unit_t;
+init_unit_file(crond_unit_t)
+
type crond_var_run_t;
files_pid_file(crond_var_run_t)
mta_system_content(crond_var_run_t)
diff --git a/policy/modules/contrib/cups.fc b/policy/modules/contrib/cups.fc
index 949011e..ecea069 100644
--- a/policy/modules/contrib/cups.fc
+++ b/policy/modules/contrib/cups.fc
@@ -34,6 +34,7 @@
/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/lib/systemd/system/cups.*\.service -- gen_context(system_u:object_r:cupsd_unit_t,s0)
/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 1edccbe..6fd2ee5 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.19.0)
+policy_module(cups, 1.19.1)
########################################
#
@@ -58,6 +58,9 @@ files_tmp_file(cups_pdf_tmp_t)
type cupsd_tmp_t;
files_tmp_file(cupsd_tmp_t)
+type cupsd_unit_t;
+init_unit_file(cupsd_unit_t)
+
type cupsd_var_run_t;
files_pid_file(cupsd_var_run_t)
init_daemon_pid_file(cupsd_var_run_t, dir, "cups")
diff --git a/policy/modules/contrib/dhcp.fc b/policy/modules/contrib/dhcp.fc
index 8182c48..bf65642 100644
--- a/policy/modules/contrib/dhcp.fc
+++ b/policy/modules/contrib/dhcp.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
+/usr/lib/systemd/system/dhcpcd.*\.service -- gen_context(system_u:object_r:dhcpd_unit_t,s0)
+
/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
/var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0)
diff --git a/policy/modules/contrib/dhcp.te b/policy/modules/contrib/dhcp.te
index 2d64a81..927e1d9 100644
--- a/policy/modules/contrib/dhcp.te
+++ b/policy/modules/contrib/dhcp.te
@@ -1,4 +1,4 @@
-policy_module(dhcp, 1.12.0)
+policy_module(dhcp, 1.12.1)
########################################
#
@@ -26,6 +26,9 @@ files_type(dhcpd_state_t)
type dhcpd_tmp_t;
files_tmp_file(dhcpd_tmp_t)
+type dhcpd_unit_t;
+init_unit_file(dhcpd_unit_t)
+
type dhcpd_var_run_t;
files_pid_file(dhcpd_var_run_t)
diff --git a/policy/modules/contrib/ftp.fc b/policy/modules/contrib/ftp.fc
index fa132af..366809a 100644
--- a/policy/modules/contrib/ftp.fc
+++ b/policy/modules/contrib/ftp.fc
@@ -9,6 +9,9 @@
/usr/kerberos/sbin/ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/lib/systemd/system/proftpd.*\.service -- gen_context(system_u:object_r:ftpd_unit_t,s0)
+/usr/lib/systemd/system/vsftpd.*\.service -- gen_context(system_u:object_r:ftpd_unit_t,s0)
+
/usr/sbin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0)
/usr/sbin/in\.ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
/usr/sbin/muddleftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
index d143280..8b83ad7 100644
--- a/policy/modules/contrib/ftp.te
+++ b/policy/modules/contrib/ftp.te
@@ -1,4 +1,4 @@
-policy_module(ftp, 1.18.1)
+policy_module(ftp, 1.18.2)
########################################
#
@@ -136,6 +136,9 @@ files_tmp_file(ftpd_tmp_t)
type ftpd_tmpfs_t;
files_tmpfs_file(ftpd_tmpfs_t)
+type ftpd_unit_t;
+init_unit_file(ftpd_unit_t)
+
type ftpd_var_run_t;
files_pid_file(ftpd_var_run_t)
diff --git a/policy/modules/contrib/kdump.fc b/policy/modules/contrib/kdump.fc
index a49ae4e..d5ec077 100644
--- a/policy/modules/contrib/kdump.fc
+++ b/policy/modules/contrib/kdump.fc
@@ -6,6 +6,8 @@
/usr/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0)
+/usr/lib/systemd/system/kdump.*\.service -- gen_context(system_u:object_r:kdump_unit_t,s0)
+
/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te
index ac37ce9..215a680 100644
--- a/policy/modules/contrib/kdump.te
+++ b/policy/modules/contrib/kdump.te
@@ -1,4 +1,4 @@
-policy_module(kdump, 1.4.1)
+policy_module(kdump, 1.4.2)
#######################################
#
diff --git a/policy/modules/contrib/ldap.fc b/policy/modules/contrib/ldap.fc
index b7e5679..cafa486 100644
--- a/policy/modules/contrib/ldap.fc
+++ b/policy/modules/contrib/ldap.fc
@@ -8,6 +8,7 @@
/usr/lib/openldap/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
/usr/lib/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
+/usr/lib/systemd/system/slapd.*\.service -- gen_context(system_u:object_r:slapd_unit_t,s0)
/var/lib/ldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
/var/lib/ldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0)
diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
index 70bc151..5abf625 100644
--- a/policy/modules/contrib/ldap.te
+++ b/policy/modules/contrib/ldap.te
@@ -1,4 +1,4 @@
-policy_module(ldap, 1.13.0)
+policy_module(ldap, 1.13.1)
########################################
#
@@ -39,6 +39,9 @@ files_tmp_file(slapd_tmp_t)
type slapd_tmpfs_t;
files_tmpfs_file(slapd_tmpfs_t)
+type slapd_unit_t;
+init_unit_file(slapd_unit_t)
+
type slapd_var_run_t;
files_pid_file(slapd_var_run_t)
diff --git a/policy/modules/contrib/mysql.fc b/policy/modules/contrib/mysql.fc
index 1d258c1..fb9b2d8 100644
--- a/policy/modules/contrib/mysql.fc
+++ b/policy/modules/contrib/mysql.fc
@@ -10,6 +10,8 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
/usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/lib/systemd/system/mysqld.*\.service -- gen_context(system_u:object_r:mysqld_unit_t,s0)
+
/usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0)
/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
diff --git a/policy/modules/contrib/mysql.te b/policy/modules/contrib/mysql.te
index 0db8319..455fd81 100644
--- a/policy/modules/contrib/mysql.te
+++ b/policy/modules/contrib/mysql.te
@@ -1,4 +1,4 @@
-policy_module(mysql, 1.17.0)
+policy_module(mysql, 1.17.1)
########################################
#
@@ -47,6 +47,9 @@ logging_log_file(mysqld_log_t)
type mysqld_tmp_t;
files_tmp_file(mysqld_tmp_t)
+type mysqld_unit_t;
+init_unit_file(mysqld_unit_t)
+
type mysqlmanagerd_t;
type mysqlmanagerd_exec_t;
init_daemon_domain(mysqlmanagerd_t, mysqlmanagerd_exec_t)
diff --git a/policy/modules/contrib/nis.fc b/policy/modules/contrib/nis.fc
index 8aa1bfa..b7f173c 100644
--- a/policy/modules/contrib/nis.fc
+++ b/policy/modules/contrib/nis.fc
@@ -9,6 +9,11 @@
/usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
+/usr/lib/systemd/system/ypbind.*\.service -- gen_context(system_u:object_r:ypbind_unit_t,s0)
+/usr/lib/systemd/system/yppasswdd.*\.service -- gen_context(system_u:object_r:nis_unit_t,s0)
+/usr/lib/systemd/system/ypserv.*\.service -- gen_context(system_u:object_r:nis_unit_t,s0)
+/usr/lib/systemd/system/ypxfrd.*\.service -- gen_context(system_u:object_r:nis_unit_t,s0)
+
/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
/usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
/usr/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
diff --git a/policy/modules/contrib/nis.te b/policy/modules/contrib/nis.te
index 77c8282..3d3936d 100644
--- a/policy/modules/contrib/nis.te
+++ b/policy/modules/contrib/nis.te
@@ -1,4 +1,4 @@
-policy_module(nis, 1.13.1)
+policy_module(nis, 1.13.2)
########################################
#
@@ -10,6 +10,9 @@ attribute_role ypbind_roles;
type nis_initrc_exec_t;
init_script_file(nis_initrc_exec_t)
+type nis_unit_t;
+init_unit_file(nis_unit_t)
+
type var_yp_t;
files_type(var_yp_t)
@@ -24,6 +27,9 @@ init_script_file(ypbind_initrc_exec_t)
type ypbind_tmp_t;
files_tmp_file(ypbind_tmp_t)
+type ypbind_unit_t;
+init_unit_file(ypbind_unit_t)
+
type ypbind_var_run_t;
files_pid_file(ypbind_var_run_t)
diff --git a/policy/modules/contrib/nscd.te b/policy/modules/contrib/nscd.te
index 998dcdd..4ba589d 100644
--- a/policy/modules/contrib/nscd.te
+++ b/policy/modules/contrib/nscd.te
@@ -1,4 +1,4 @@
-policy_module(nscd, 1.13.0)
+policy_module(nscd, 1.13.1)
gen_require(`
class nscd all_nscd_perms;
@@ -34,6 +34,9 @@ init_script_file(nscd_initrc_exec_t)
type nscd_log_t;
logging_log_file(nscd_log_t)
+type nscd_unit_t;
+init_unit_file(nscd_unit_t)
+
########################################
#
# Local policy
diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index b58ce47..01ae073 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -13,6 +13,7 @@
# Systemd unit file
/usr/lib/systemd/ntp-units\.d/.* -- gen_context(system_u:object_r:ntpd_unit_t,s0)
+/usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0)
/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
diff --git a/policy/modules/contrib/ppp.fc b/policy/modules/contrib/ppp.fc
index efcb653..7d13ee9 100644
--- a/policy/modules/contrib/ppp.fc
+++ b/policy/modules/contrib/ppp.fc
@@ -12,6 +12,8 @@ HOME_DIR/\.ppprc -- gen_context(system_u:object_r:ppp_home_t,s0)
/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/lib/systemd/system/ppp.*\.service -- gen_context(system_u:object_r:pppd_unit_t,s0)
+
/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
/usr/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
/usr/sbin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
diff --git a/policy/modules/contrib/ppp.te b/policy/modules/contrib/ppp.te
index 1d3079f..8473117 100644
--- a/policy/modules/contrib/ppp.te
+++ b/policy/modules/contrib/ppp.te
@@ -1,4 +1,4 @@
-policy_module(ppp, 1.15.0)
+policy_module(ppp, 1.15.1)
########################################
#
@@ -53,6 +53,9 @@ files_lock_file(pppd_lock_t)
type pppd_tmp_t;
files_tmp_file(pppd_tmp_t)
+type pppd_unit_t;
+init_unit_file(pppd_unit_t)
+
type pppd_var_run_t;
files_pid_file(pppd_var_run_t)
diff --git a/policy/modules/contrib/rpc.fc b/policy/modules/contrib/rpc.fc
index a6fb30c..c00b379 100644
--- a/policy/modules/contrib/rpc.fc
+++ b/policy/modules/contrib/rpc.fc
@@ -7,6 +7,9 @@
/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+/usr/lib/systemd/system/nfs.*\.service -- gen_context(system_u:object_r:nfsd_unit_t,s0)
+/usr/lib/systemd/system/rpc.*\.service -- gen_context(system_u:object_r:rpcd_unit_t,s0)
+
/usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
/usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0)
/usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 8849e92..6703f96 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.17.0)
+policy_module(rpc, 1.17.1)
########################################
#
@@ -52,6 +52,9 @@ rpc_domain_template(rpcd)
type rpcd_initrc_exec_t;
init_script_file(rpcd_initrc_exec_t)
+type rpcd_unit_t;
+init_unit_file(rpcd_unit_t)
+
rpc_domain_template(nfsd)
type nfsd_initrc_exec_t;
@@ -63,6 +66,9 @@ files_type(nfsd_rw_t)
type nfsd_ro_t;
files_type(nfsd_ro_t)
+type nfsd_unit_t;
+init_unit_file(nfsd_unit_t)
+
type var_lib_nfs_t;
files_mountpoint(var_lib_nfs_t)
diff --git a/policy/modules/contrib/samba.fc b/policy/modules/contrib/samba.fc
index b8b66ff..ef009e0 100644
--- a/policy/modules/contrib/samba.fc
+++ b/policy/modules/contrib/samba.fc
@@ -14,6 +14,8 @@
/usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0)
/usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0)
+/usr/lib/systemd/system/smb.*\.service -- gen_context(system_u:object_r:samba_unit_t,s0)
+
/usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0)
/usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0)
/usr/sbin/smbd -- gen_context(system_u:object_r:smbd_exec_t,s0)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index f6e9be3..602be98 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1,4 +1,4 @@
-policy_module(samba, 1.18.0)
+policy_module(samba, 1.18.1)
#################################
#
@@ -130,6 +130,9 @@ files_type(samba_secrets_t)
type samba_share_t; # customizable
files_type(samba_share_t)
+type samba_unit_t;
+init_unit_file(samba_unit_t)
+
type samba_var_t;
files_type(samba_var_t)
diff --git a/policy/modules/contrib/tor.fc b/policy/modules/contrib/tor.fc
index dce42ec..cbaaa15 100644
--- a/policy/modules/contrib/tor.fc
+++ b/policy/modules/contrib/tor.fc
@@ -5,6 +5,8 @@
/usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
/usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
+/usr/lib/systemd/system/tor.*\.service -- gen_context(system_u:object_r:tor_unit_t,s0)
+
/var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
/var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
index 418eb29..3c596d8 100644
--- a/policy/modules/contrib/tor.te
+++ b/policy/modules/contrib/tor.te
@@ -1,4 +1,4 @@
-policy_module(tor, 1.11.0)
+policy_module(tor, 1.11.1)
########################################
#
@@ -23,6 +23,9 @@ files_config_file(tor_etc_t)
type tor_initrc_exec_t;
init_script_file(tor_initrc_exec_t)
+type tor_unit_t;
+init_unit_file(tor_unit_t)
+
type tor_var_lib_t;
files_type(tor_var_lib_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-08-13 18:35 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-08-13 18:35 UTC (permalink / raw
To: gentoo-commits
commit: ed6200f6e42066ec145aef23e71e706dee9b08b9
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu May 12 16:49:07 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:32:39 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ed6200f6
virt: add policy for virtlogd
policy/modules/contrib/virt.fc | 1 +
policy/modules/contrib/virt.te | 42 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 43 insertions(+)
diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index f7e0ce8..7d9456a 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)
/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 38aa474..f4dd57c 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
type virtlockd_var_lib_t;
files_type(virtlockd_var_lib_t)
+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh)
')
ifdef(`enable_mls',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh)
')
########################################
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
allow virt_domain virtd_t:process sigchld;
+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
dontaudit virt_domain virtd_t:unix_stream_socket { read write };
manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
@@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto };
allow virtd_t svirt_lxc_domain:process signal_perms;
+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
allow virtd_t virtd_lxc_t:process { signal signull sigkill };
domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
@@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
can_exec(virtd_t, virt_tmp_t)
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t)
virt_append_log(virtlockd_t)
virt_read_config(virtlockd_t)
+
+########################################
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+virt_manage_log(virtlogd_t)
+virt_read_config(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2016-08-13 18:32 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2016-08-13 18:35 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-08-13 18:35 UTC (permalink / raw
To: gentoo-commits
commit: c27f6232c179a438d47547012ee3fb63d3ec320e
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sat Aug 13 13:26:42 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c27f6232
Update the rtkit module
Update the rtkit daemon module so that the daemon can be started.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/rtkit.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/rtkit.te b/policy/modules/contrib/rtkit.te
index d6390c7..2e8ac03 100644
--- a/policy/modules/contrib/rtkit.te
+++ b/policy/modules/contrib/rtkit.te
@@ -20,7 +20,7 @@ init_unit_file(rtkit_daemon_unit_t)
# Local policy
#
-allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace };
+allow rtkit_daemon_t self:capability { dac_read_search setgid setpcap setuid sys_chroot sys_nice sys_ptrace };
allow rtkit_daemon_t self:process { setsched getcap setcap setrlimit };
kernel_read_system_state(rtkit_daemon_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-08-13 18:35 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-08-13 18:35 UTC (permalink / raw
To: gentoo-commits
commit: 58f6d329dc9011ee2a4567666717bd2a145a0f1d
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Aug 11 05:49:02 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:32:39 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=58f6d329
virt: need to relabel to set categories
libvirtError: unable to set security context
'system_u:object_r:svirt_image_t:s0:c50,c346' on
'/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied
policy/modules/contrib/virt.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 61044bb..1d8b45d 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
allow virtd_t virtd_keytab_t:file read_file_perms;
allow virtd_t svirt_var_run_t:file relabel_file_perms;
+allow virtd_t svirt_var_run_t:dir relabel_dir_perms;
manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-08-13 18:35 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-08-13 18:35 UTC (permalink / raw
To: gentoo-commits
commit: fd5931ed382e09e97c99a466262adb7aa6893360
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 27 20:44:51 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:32:39 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fd5931ed
virt: virtlockd doesnt need ps_process_pattern
policy/modules/contrib/virt.te | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index f4dd57c..61044bb 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
allow virtlockd_t self:capability dac_override;
allow virtlockd_t self:fifo_file rw_fifo_file_perms;
+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
allow virtlockd_t virt_image_type:dir list_dir_perms;
allow virtlockd_t virt_image_type:file rw_file_perms;
@@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
-ps_process_pattern(virtlockd_t, virtd_t)
-
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-08-13 18:35 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-08-13 18:35 UTC (permalink / raw
To: gentoo-commits
commit: 93a8b8372d435ccb5536ed047913653ec26e3d8e
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Aug 13 16:37:55 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:32:39 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=93a8b837
virt: kernel_read_system_state
policy/modules/contrib/virt.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 1d8b45d..df22d85 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
+kernel_read_system_state(virtlockd_t)
+
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
@@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
can_exec(virtlogd_t, virtlogd_exec_t)
+kernel_read_system_state(virtlogd_t)
+
files_read_etc_files(virtlogd_t)
files_list_var_lib(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-08-17 16:59 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-08-17 16:59 UTC (permalink / raw
To: gentoo-commits
commit: cb339f1963ddfdfe4be42750974114b3f9f996a0
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Aug 14 18:58:08 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:46:55 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cb339f19
Module version bump for various patches from Guido Trentalancia.
policy/modules/contrib/alsa.te | 2 +-
policy/modules/contrib/asterisk.te | 2 +-
policy/modules/contrib/entropyd.te | 2 +-
policy/modules/contrib/hal.te | 2 +-
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/contrib/mpd.te | 2 +-
policy/modules/contrib/mplayer.te | 2 +-
policy/modules/contrib/ntp.te | 2 +-
policy/modules/contrib/pulseaudio.te | 2 +-
policy/modules/contrib/telepathy.te | 2 +-
10 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 7a25974..dc87030 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -1,4 +1,4 @@
-policy_module(alsa, 1.15.0)
+policy_module(alsa, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/asterisk.te b/policy/modules/contrib/asterisk.te
index e901010..dee9f93 100644
--- a/policy/modules/contrib/asterisk.te
+++ b/policy/modules/contrib/asterisk.te
@@ -1,4 +1,4 @@
-policy_module(asterisk, 1.15.0)
+policy_module(asterisk, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/entropyd.te b/policy/modules/contrib/entropyd.te
index 5068fab..e1f6d58 100644
--- a/policy/modules/contrib/entropyd.te
+++ b/policy/modules/contrib/entropyd.te
@@ -1,4 +1,4 @@
-policy_module(entropyd, 1.9.0)
+policy_module(entropyd, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te
index 2081d14..beef250 100644
--- a/policy/modules/contrib/hal.te
+++ b/policy/modules/contrib/hal.te
@@ -1,4 +1,4 @@
-policy_module(hal, 1.15.0)
+policy_module(hal, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index a44cb5a..cd1aea3 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.9.1)
+policy_module(mozilla, 2.9.2)
########################################
#
diff --git a/policy/modules/contrib/mpd.te b/policy/modules/contrib/mpd.te
index f6f9195..755e1ef 100644
--- a/policy/modules/contrib/mpd.te
+++ b/policy/modules/contrib/mpd.te
@@ -1,4 +1,4 @@
-policy_module(mpd, 1.3.0)
+policy_module(mpd, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/mplayer.te b/policy/modules/contrib/mplayer.te
index e70ee72..6915313 100644
--- a/policy/modules/contrib/mplayer.te
+++ b/policy/modules/contrib/mplayer.te
@@ -1,4 +1,4 @@
-policy_module(mplayer, 2.5.1)
+policy_module(mplayer, 2.5.2)
########################################
#
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 74fba8f..215c57d 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.14.1)
+policy_module(ntp, 1.14.2)
########################################
#
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 134866e..32e06ac 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.8.3)
+policy_module(pulseaudio, 1.8.4)
########################################
#
diff --git a/policy/modules/contrib/telepathy.te b/policy/modules/contrib/telepathy.te
index db2a27b..4bb3c6f 100644
--- a/policy/modules/contrib/telepathy.te
+++ b/policy/modules/contrib/telepathy.te
@@ -1,4 +1,4 @@
-policy_module(telepathy, 1.6.0)
+policy_module(telepathy, 1.6.1)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-08-17 16:59 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-08-17 16:59 UTC (permalink / raw
To: gentoo-commits
commit: a96ab003f758041191d0b258a5d3997d92fa652a
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 27 20:44:51 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:59:32 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a96ab003
virt: virtlockd doesnt need ps_process_pattern
policy/modules/contrib/virt.te | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index f4dd57c..61044bb 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
allow virtlockd_t self:capability dac_override;
allow virtlockd_t self:fifo_file rw_fifo_file_perms;
+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
allow virtlockd_t virt_image_type:dir list_dir_perms;
allow virtlockd_t virt_image_type:file rw_file_perms;
@@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
-ps_process_pattern(virtlockd_t, virtd_t)
-
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-08-17 16:59 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-08-17 16:59 UTC (permalink / raw
To: gentoo-commits
commit: 29e837187ba066a54b1096a067c89ead05011489
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Aug 13 16:37:55 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:59:32 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=29e83718
virt: kernel_read_system_state
policy/modules/contrib/virt.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 1d8b45d..df22d85 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
+kernel_read_system_state(virtlockd_t)
+
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
@@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
can_exec(virtlogd_t, virtlogd_exec_t)
+kernel_read_system_state(virtlogd_t)
+
files_read_etc_files(virtlogd_t)
files_list_var_lib(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-08-17 16:59 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-08-17 16:59 UTC (permalink / raw
To: gentoo-commits
commit: 79c4ff005ec876159b4143d1de3fbfa6dbf5543e
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Aug 14 18:36:35 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:46:55 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=79c4ff00
alsa: Add compatibility alias for alsa_etc_rw_t.
policy/modules/contrib/alsa.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index b08ab0c..7a25974 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -12,7 +12,7 @@ type alsa_exec_t;
init_system_domain(alsa_t, alsa_exec_t)
role alsa_roles types alsa_t;
-type alsa_etc_t;
+type alsa_etc_t alias alsa_etc_rw_t;
files_config_file(alsa_etc_t)
type alsa_tmp_t;
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2016-08-17 16:59 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2016-08-17 16:59 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-08-17 16:59 UTC (permalink / raw
To: gentoo-commits
commit: ea395bb75ec043061dac0b8aa6b2466514425c6c
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Aug 14 19:51:38 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:46:55 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ea395bb7
pulseaudio: Fix compile errors.
policy/modules/contrib/pulseaudio.te | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 32e06ac..4be64ec 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.8.4)
+policy_module(pulseaudio, 1.8.5)
########################################
#
@@ -193,11 +193,6 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(pulseaudio_t)
-
- # OIL Runtime Compiler (ORC) optimized code execution
- allow pulseaudio_t gstreamer_orcexec_t:file { manage_file_perms mmap_file_perms };
- gnome_user_runtime_filetrans_gstreamer_orcexec(pulseaudio_t, file)
- gnome_home_filetrans_gstreamer_orcexec(pulseaudio_t, file)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-08-17 16:59 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-08-17 16:59 UTC (permalink / raw
To: gentoo-commits
commit: c360be61479b0fc249d860187344c7f970cf1969
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu May 12 16:49:07 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:59:32 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c360be61
virt: add policy for virtlogd
policy/modules/contrib/virt.fc | 1 +
policy/modules/contrib/virt.te | 42 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 43 insertions(+)
diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index f7e0ce8..7d9456a 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)
/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 38aa474..f4dd57c 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
type virtlockd_var_lib_t;
files_type(virtlockd_var_lib_t)
+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh)
')
ifdef(`enable_mls',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh)
')
########################################
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
allow virt_domain virtd_t:process sigchld;
+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
dontaudit virt_domain virtd_t:unix_stream_socket { read write };
manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
@@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto };
allow virtd_t svirt_lxc_domain:process signal_perms;
+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
allow virtd_t virtd_lxc_t:process { signal signull sigkill };
domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
@@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
can_exec(virtd_t, virt_tmp_t)
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t)
virt_append_log(virtlockd_t)
virt_read_config(virtlockd_t)
+
+########################################
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+virt_manage_log(virtlogd_t)
+virt_read_config(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2016-08-17 16:59 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2016-08-17 16:59 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-08-17 16:59 UTC (permalink / raw
To: gentoo-commits
commit: c62aca80448084d3dd1a37ef55866a1de76e540c
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Aug 14 18:33:24 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:46:55 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c62aca80
Update the alsa module so that the alsa_etc_t file context (previously alsa_etc_rw_t) is widened to the whole alsa share directory, instead of just a couple of files.
The wrong and misleading _rw_ label has been deprecated in the alsa
interface definitions and in their instances throughout the whole
Reference Policy (static and system-wide configuration files are
not runtime-writable). Warning messages are printed when the user
attempts to use the old namings for the above mentioned alsa
interface definitions.
After applying this patch, the recent pulseaudio patch should also
be applied to complete the removal of the _rw_ labels on the alsa
interfaces.
This version of the patch finally removes obsolete file contexts and
grants read permissions instead of manage permissions for static
configuration files in /usr/share/alsa and system-wide configuration
files in /etc.
Thanks to Dominick Grift for pointing out redundant interface usage
in a previous version of this patch.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/alsa.fc | 9 +++----
policy/modules/contrib/alsa.if | 52 ++++++++++++++++++++++++++++++--------
policy/modules/contrib/alsa.te | 10 ++++----
policy/modules/contrib/asterisk.te | 2 +-
policy/modules/contrib/entropyd.te | 2 +-
policy/modules/contrib/hal.te | 2 +-
policy/modules/contrib/mpd.te | 2 +-
policy/modules/contrib/mplayer.te | 2 +-
8 files changed, 55 insertions(+), 26 deletions(-)
diff --git a/policy/modules/contrib/alsa.fc b/policy/modules/contrib/alsa.fc
index a8c8a64..112fc62 100644
--- a/policy/modules/contrib/alsa.fc
+++ b/policy/modules/contrib/alsa.fc
@@ -6,10 +6,8 @@ ifdef(`distro_debian',`
/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
-/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/etc/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0)
+/etc/asound\.conf gen_context(system_u:object_r:alsa_etc_t,s0)
/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
@@ -25,8 +23,7 @@ ifdef(`distro_debian',`
/usr/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
/usr/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
-/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/usr/share/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0)
/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
diff --git a/policy/modules/contrib/alsa.if b/policy/modules/contrib/alsa.if
index 38bbf80..9ffed04 100644
--- a/policy/modules/contrib/alsa.if
+++ b/policy/modules/contrib/alsa.if
@@ -102,7 +102,8 @@ interface(`alsa_rw_shared_mem',`
########################################
## <summary>
-## Read writable Alsa configuration content.
+## Read writable Alsa configuration
+## content. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
@@ -111,14 +112,29 @@ interface(`alsa_rw_shared_mem',`
## </param>
#
interface(`alsa_read_rw_config',`
+ refpolicywarn(`$0($*) has been deprecated, use alsa_read_config() instead.')
+ alsa_read_config($1)
+')
+
+########################################
+## <summary>
+## Read Alsa configuration content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_read_config',`
gen_require(`
- type alsa_etc_rw_t;
+ type alsa_etc_t;
')
files_search_etc($1)
- allow $1 alsa_etc_rw_t:dir list_dir_perms;
- read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
- read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
+ allow $1 alsa_etc_t:dir list_dir_perms;
+ read_files_pattern($1, alsa_etc_t, alsa_etc_t)
+ read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t)
ifdef(`distro_debian',`
files_search_usr($1)
@@ -127,7 +143,8 @@ interface(`alsa_read_rw_config',`
########################################
## <summary>
-## Manage writable Alsa config files.
+## Manage writable Alsa config
+## files. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
@@ -136,14 +153,29 @@ interface(`alsa_read_rw_config',`
## </param>
#
interface(`alsa_manage_rw_config',`
+ refpolicywarn(`$0($*) has been deprecated, use alsa_manage_config() instead.')
+ alsa_manage_config($1)
+')
+
+########################################
+## <summary>
+## Manage Alsa config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_manage_config',`
gen_require(`
- type alsa_etc_rw_t;
+ type alsa_etc_t;
')
files_search_etc($1)
- allow $1 alsa_etc_rw_t:dir list_dir_perms;
- manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
- read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
+ allow $1 alsa_etc_t:dir list_dir_perms;
+ manage_files_pattern($1, alsa_etc_t, alsa_etc_t)
+ read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t)
ifdef(`distro_debian',`
files_search_usr($1)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 17bb145..b08ab0c 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -12,8 +12,8 @@ type alsa_exec_t;
init_system_domain(alsa_t, alsa_exec_t)
role alsa_roles types alsa_t;
-type alsa_etc_rw_t;
-files_config_file(alsa_etc_rw_t)
+type alsa_etc_t;
+files_config_file(alsa_etc_t)
type alsa_tmp_t;
files_tmp_file(alsa_tmp_t)
@@ -46,9 +46,9 @@ allow alsa_t self:unix_stream_socket { accept listen };
allow alsa_t alsa_home_t:file read_file_perms;
-manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
-manage_lnk_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
-files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
+list_dirs_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
+read_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
+read_lnk_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
can_exec(alsa_t, alsa_exec_t)
diff --git a/policy/modules/contrib/asterisk.te b/policy/modules/contrib/asterisk.te
index fc25311..e901010 100644
--- a/policy/modules/contrib/asterisk.te
+++ b/policy/modules/contrib/asterisk.te
@@ -156,7 +156,7 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
userdom_dontaudit_search_user_home_dirs(asterisk_t)
optional_policy(`
- alsa_read_rw_config(asterisk_t)
+ alsa_read_config(asterisk_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/entropyd.te b/policy/modules/contrib/entropyd.te
index e82f4f5..5068fab 100644
--- a/policy/modules/contrib/entropyd.te
+++ b/policy/modules/contrib/entropyd.te
@@ -68,7 +68,7 @@ tunable_policy(`entropyd_use_audio',`
optional_policy(`
tunable_policy(`entropyd_use_audio',`
alsa_read_lib(entropyd_t)
- alsa_read_rw_config(entropyd_t)
+ alsa_read_config(entropyd_t)
')
')
diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te
index bbccc79..2081d14 100644
--- a/policy/modules/contrib/hal.te
+++ b/policy/modules/contrib/hal.te
@@ -213,7 +213,7 @@ userdom_dontaudit_search_user_home_dirs(hald_t)
optional_policy(`
alsa_domtrans(hald_t)
- alsa_read_rw_config(hald_t)
+ alsa_read_config(hald_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/mpd.te b/policy/modules/contrib/mpd.te
index 01ded5d..f6f9195 100644
--- a/policy/modules/contrib/mpd.te
+++ b/policy/modules/contrib/mpd.te
@@ -179,7 +179,7 @@ tunable_policy(`mpd_use_nfs',`
')
optional_policy(`
- alsa_read_rw_config(mpd_t)
+ alsa_read_config(mpd_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/mplayer.te b/policy/modules/contrib/mplayer.te
index 26ff9aa..e70ee72 100644
--- a/policy/modules/contrib/mplayer.te
+++ b/policy/modules/contrib/mplayer.te
@@ -257,7 +257,7 @@ tunable_policy(`allow_mplayer_execstack',`
')
optional_policy(`
- alsa_read_rw_config(mplayer_t)
+ alsa_read_config(mplayer_t)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-08-17 16:59 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-08-17 16:59 UTC (permalink / raw
To: gentoo-commits
commit: 73a57e4bbf4aa6c7a07c249a32c79a73f1567b70
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Aug 11 05:49:02 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:59:32 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=73a57e4b
virt: need to relabel to set categories
libvirtError: unable to set security context
'system_u:object_r:svirt_image_t:s0:c50,c346' on
'/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied
policy/modules/contrib/virt.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 61044bb..1d8b45d 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
allow virtd_t virtd_keytab_t:file read_file_perms;
allow virtd_t svirt_var_run_t:file relabel_file_perms;
+allow virtd_t svirt_var_run_t:dir relabel_dir_perms;
manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2016-08-17 16:59 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2016-08-17 16:59 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-08-17 16:59 UTC (permalink / raw
To: gentoo-commits
commit: 0402209aa9f09e25a1283661b79445d61a0babd6
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Aug 14 18:57:29 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:46:55 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0402209a
Update the sysnetwork module to add some permissions needed by the dhcp client (another separate patch makes changes to the ifconfig part).
Create auxiliary interfaces in the ntp module.
The permission to execute restorecon/setfiles (required by the
dhclient-script script and granted in a previous version of this
patch) is not granted, as it does not break the script functioning.
Include revisions from Chris PeBenito.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/ntp.if | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/policy/modules/contrib/ntp.if b/policy/modules/contrib/ntp.if
index 192e342..f8534c6 100644
--- a/policy/modules/contrib/ntp.if
+++ b/policy/modules/contrib/ntp.if
@@ -101,6 +101,25 @@ interface(`ntp_initrc_domtrans',`
########################################
## <summary>
+## Read ntp conf files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_read_conf_files',`
+ gen_require(`
+ type ntp_conf_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, ntp_conf_t, ntp_conf_t)
+')
+
+########################################
+## <summary>
## Read ntp drift files.
## </summary>
## <param name="domain">
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-08-17 16:59 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-08-17 16:59 UTC (permalink / raw
To: gentoo-commits
commit: 3101fc57262e91f9e5f57a89493a32197c1ebc81
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sat Aug 13 15:16:10 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:46:55 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3101fc57
Update the pulseaudio module for usability and ORC support
Update the pulseaudio module so that it is usable (tested with
latest version pulseaudio 9.0).
This patch depends on a recent patch to update the gnome module.
Support for the OIL Runtime Compiler (OIL) optimized code
execution is added to the pulseaudio module by using a few
newly created interfaces and file contexts in the gnome
module.
Supports the execmem permission only through a boolean which
defaults to false.
Thanks to Dominick Grift for the useful suggestions that
permitted to create this new improved version of the patch.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/pulseaudio.fc | 1 +
policy/modules/contrib/pulseaudio.if | 1 +
policy/modules/contrib/pulseaudio.te | 34 ++++++++++++++++++++++++++++++----
3 files changed, 32 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/pulseaudio.fc b/policy/modules/contrib/pulseaudio.fc
index e005030..19ade57 100644
--- a/policy/modules/contrib/pulseaudio.fc
+++ b/policy/modules/contrib/pulseaudio.fc
@@ -1,6 +1,7 @@
HOME_DIR/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.config/pulse(/.*)? -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
diff --git a/policy/modules/contrib/pulseaudio.if b/policy/modules/contrib/pulseaudio.if
index ce863b0..f057680 100644
--- a/policy/modules/contrib/pulseaudio.if
+++ b/policy/modules/contrib/pulseaudio.if
@@ -25,6 +25,7 @@ interface(`pulseaudio_role',`
pulseaudio_run($2, $1)
allow $2 pulseaudio_t:process { ptrace signal_perms };
+ allow $2 pulseaudio_t:fd use;
ps_process_pattern($2, pulseaudio_t)
allow $2 pulseaudio_home_t:dir { manage_dir_perms relabel_dir_perms };
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index e7511a8..134866e 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -5,6 +5,14 @@ policy_module(pulseaudio, 1.8.3)
# Declarations
#
+## <desc>
+## <p>
+## Allow pulseaudio to execute code in
+## writable memory
+## </p>
+## </desc>
+gen_tunable(pulseaudio_execmem, false)
+
attribute pulseaudio_client;
attribute pulseaudio_tmpfsfile;
@@ -37,7 +45,8 @@ files_pid_file(pulseaudio_var_run_t)
#
allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config };
-allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull };
+allow pulseaudio_t self:process { getcap getsched setcap setrlimit setsched signal signull };
+
allow pulseaudio_t self:fifo_file rw_fifo_file_perms;
allow pulseaudio_t self:unix_stream_socket { accept connectto listen };
allow pulseaudio_t self:unix_dgram_socket sendto;
@@ -129,9 +138,15 @@ logging_send_syslog_msg(pulseaudio_t)
miscfiles_read_localization(pulseaudio_t)
userdom_read_user_tmpfs_files(pulseaudio_t)
-
+userdom_delete_user_tmpfs_files(pulseaudio_t)
userdom_search_user_home_dirs(pulseaudio_t)
-userdom_write_user_tmp_sockets(pulseaudio_t)
+userdom_search_user_home_content(pulseaudio_t)
+
+userdom_manage_user_tmp_sockets(pulseaudio_t)
+
+tunable_policy(`pulseaudio_execmem',`
+ allow pulseaudio_t self:process execmem;
+')
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(pulseaudio_t)
@@ -146,7 +161,8 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
- alsa_read_rw_config(pulseaudio_t)
+ alsa_read_config(pulseaudio_t)
+ alsa_read_home_files(pulseaudio_t)
')
optional_policy(`
@@ -176,6 +192,15 @@ optional_policy(`
')
optional_policy(`
+ gnome_stream_connect_gconf(pulseaudio_t)
+
+ # OIL Runtime Compiler (ORC) optimized code execution
+ allow pulseaudio_t gstreamer_orcexec_t:file { manage_file_perms mmap_file_perms };
+ gnome_user_runtime_filetrans_gstreamer_orcexec(pulseaudio_t, file)
+ gnome_home_filetrans_gstreamer_orcexec(pulseaudio_t, file)
+')
+
+optional_policy(`
rtkit_scheduled(pulseaudio_t)
')
@@ -186,6 +211,7 @@ optional_policy(`
')
optional_policy(`
+ udev_read_pid_files(pulseaudio_t)
udev_read_state(pulseaudio_t)
udev_read_db(pulseaudio_t)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-08-17 16:59 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-08-17 16:59 UTC (permalink / raw
To: gentoo-commits
commit: 836b8ae8f3e978659e15e206b72958bbc680a28b
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Aug 14 18:11:09 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:42:19 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=836b8ae8
Update the telepathy module:
- add an interface to support chat over dbus in the mission
control domain;
- add support for dbus chat in the mission control domain for
the telepathy role.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/telepathy.if | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/policy/modules/contrib/telepathy.if b/policy/modules/contrib/telepathy.if
index 0d58469..b9a5b8a 100644
--- a/policy/modules/contrib/telepathy.if
+++ b/policy/modules/contrib/telepathy.if
@@ -114,6 +114,8 @@ template(`telepathy_role_template',`
allow $3 telepathy_tmp_content:dir { manage_dir_perms relabel_dir_perms };
allow $3 telepathy_tmp_content:file { manage_file_perms relabel_file_perms };
allow $3 telepathy_tmp_content:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+
+ telepathy_mission_control_dbus_chat($3)
')
########################################
@@ -159,6 +161,27 @@ interface(`telepathy_gabble_dbus_chat',`
########################################
## <summary>
+## Send dbus messages to and from
+## mission control.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`telepathy_mission_control_dbus_chat',`
+ gen_require(`
+ type telepathy_mission_control_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 telepathy_mission_control_t:dbus send_msg;
+ allow telepathy_mission_control_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
## Read mission control process state files.
## </summary>
## <param name="domain">
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2016-10-03 6:20 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2016-10-03 6:26 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-10-03 6:26 UTC (permalink / raw
To: gentoo-commits
commit: 53fc0ccf1852accb94ea5e13e45ffd69224f4e2f
Author: Guido Trentalancia via refpolicy <refpolicy <AT> oss <DOT> tresys <DOT> com>
AuthorDate: Thu Sep 1 17:25:08 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:05:14 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=53fc0ccf
evolution: read SSL certificates
Update the evolution modules so that:
- it is able to read SSL certificates (e.g. for server authentication);
- it is able to read the random number generator device;
- it doesn't audit attempts to get the attributes of
extended attributes filesystems.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/evolution.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index c99e07c..28d619c 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -164,18 +164,21 @@ corenet_tcp_connect_ldap_port(evolution_t)
corenet_sendrecv_ipp_client_packets(evolution_t)
corenet_tcp_connect_ipp_port(evolution_t)
+dev_read_rand(evolution_t)
dev_read_urand(evolution_t)
domain_dontaudit_read_all_domains_state(evolution_t)
files_read_usr_files(evolution_t)
+fs_dontaudit_getattr_xattr_fs(evolution_t)
fs_search_auto_mountpoints(evolution_t)
auth_use_nsswitch(evolution_t)
logging_send_syslog_msg(evolution_t)
+miscfiles_read_generic_certs(evolution_t)
miscfiles_read_localization(evolution_t)
udev_read_state(evolution_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2016-10-03 6:20 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2016-10-03 6:26 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-10-03 6:26 UTC (permalink / raw
To: gentoo-commits
commit: ad72efd64eb17bf500c13b58120437b3dacc4aab
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Sep 8 23:15:11 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:05:14 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ad72efd6
evolution: Read user certs from Guido Trentalancia.
policy/modules/contrib/evolution.te | 25 ++++++++++++++++++++++++-
1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index 55ee470..a3cf532 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -1,10 +1,19 @@
-policy_module(evolution, 2.4.1)
+policy_module(evolution, 2.4.2)
########################################
#
# Declarations
#
+## <desc>
+## <p>
+## Allow evolution to create and write
+## user certificates in addition to
+## being able to read them
+## </p>
+## </desc>
+gen_tunable(evolution_manage_user_certs, false)
+
attribute_role evolution_roles;
type evolution_t;
@@ -185,6 +194,13 @@ udev_read_state(evolution_t)
userdom_use_user_terminals(evolution_t)
+tunable_policy(`evolution_manage_user_certs',`
+ userdom_manage_user_certs(evolution_t)
+',`
+ userdom_dontaudit_manage_user_certs(evolution_t)
+ userdom_read_user_certs(evolution_t)
+')
+
userdom_manage_user_tmp_dirs(evolution_t)
userdom_manage_user_tmp_files(evolution_t)
@@ -437,6 +453,13 @@ miscfiles_read_generic_certs(evolution_server_t)
userdom_dontaudit_read_user_home_content_files(evolution_server_t)
+tunable_policy(`evolution_manage_user_certs',`
+ userdom_manage_user_certs(evolution_server_t)
+',`
+ userdom_dontaudit_manage_user_certs(evolution_server_t)
+ userdom_read_user_certs(evolution_server_t)
+')
+
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(evolution_server_t)
fs_manage_nfs_files(evolution_server_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-03 6:26 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-10-03 6:26 UTC (permalink / raw
To: gentoo-commits
commit: a3cfff743285e946ebafb7bc1c2c9a5cdb4aa039
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Sep 1 23:36:29 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:05:14 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a3cfff74
Module version bump for Evolution SSL fix from Guido Trentalancia.
policy/modules/contrib/evolution.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index 28d619c..55ee470 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -1,4 +1,4 @@
-policy_module(evolution, 2.4.0)
+policy_module(evolution, 2.4.1)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-03 6:26 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-10-03 6:26 UTC (permalink / raw
To: gentoo-commits
commit: c568bc4bfa98a347210c4ffd3a8aebe1a203d2d8
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Fri Sep 2 11:35:53 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:13:33 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c568bc4b
gpg: public key signature verification in evolution
Let gpg verify public key signatures in the evolution mail client application.
It doesn't need write permissions on such files for signing/encrypting messages.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/evolution.if | 21 +++++++++++++++++++++
policy/modules/contrib/gpg.te | 4 ++++
2 files changed, 25 insertions(+)
diff --git a/policy/modules/contrib/evolution.if b/policy/modules/contrib/evolution.if
index d9c17d2..7c21ba1 100644
--- a/policy/modules/contrib/evolution.if
+++ b/policy/modules/contrib/evolution.if
@@ -128,6 +128,27 @@ interface(`evolution_stream_connect',`
########################################
## <summary>
+## Read evolution orbit temporary
+## files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`evolution_read_orbit_tmp_files',`
+ gen_require(`
+ type evolution_orbit_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, evolution_orbit_tmp_t, evolution_orbit_tmp_t)
+')
+
+
+########################################
+## <summary>
## Send and receive messages from
## evolution over dbus.
## </summary>
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 072047d..0eedb45 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -147,6 +147,10 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ evolution_read_orbit_tmp_files(gpg_t)
+ ')
+
+optional_policy(`
gnome_read_generic_home_content(gpg_t)
gnome_stream_connect_all_gkeyringd(gpg_t)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-03 6:26 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-10-03 6:26 UTC (permalink / raw
To: gentoo-commits
commit: b27815edef70f38fdcf432a880d1c9419981311f
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon Sep 19 22:30:51 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:13:33 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b27815ed
Module version bump for gnome patch from Guido Trentalancia.
policy/modules/contrib/gnome.te | 2 +-
policy/modules/contrib/pulseaudio.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index 8c79849..c30e596 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.5.1)
+policy_module(gnome, 2.5.2)
##############################
#
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 7f30a72..72064a2 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.8.6)
+policy_module(pulseaudio, 1.8.7)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-03 6:26 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-10-03 6:26 UTC (permalink / raw
To: gentoo-commits
commit: 227d4173a648167242aef6f7243eda3788c88304
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Sep 11 13:01:55 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:06:32 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=227d4173
pulseaudio: Move interface definitions.
policy/modules/contrib/pulseaudio.if | 76 ++++++++++++++++++------------------
1 file changed, 38 insertions(+), 38 deletions(-)
diff --git a/policy/modules/contrib/pulseaudio.if b/policy/modules/contrib/pulseaudio.if
index 11238f2..af0f950 100644
--- a/policy/modules/contrib/pulseaudio.if
+++ b/policy/modules/contrib/pulseaudio.if
@@ -146,6 +146,44 @@ interface(`pulseaudio_signull',`
allow $1 pulseaudio_t:process signull;
')
+########################################
+## <summary>
+## Use file descriptors for
+## pulseaudio.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_use_fds',`
+ gen_require(`
+ type pulseaudio_t;
+ ')
+
+ allow $1 pulseaudio_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use the
+## file descriptors for pulseaudio.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_dontaudit_use_fds',`
+ gen_require(`
+ type pulseaudio_t;
+ ')
+
+ dontaudit $1 pulseaudio_t:fd use;
+')
+
#####################################
## <summary>
## Connect to pulseaudio with a unix
@@ -410,41 +448,3 @@ interface(`pulseaudio_rw_tmpfs_files',`
fs_search_tmpfs($1)
rw_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
')
-
-########################################
-## <summary>
-## Use file descriptors for
-## pulseaudio.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`pulseaudio_use_fds',`
- gen_require(`
- type pulseaudio_t;
- ')
-
- allow $1 pulseaudio_t:fd use;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to use the
-## file descriptors for pulseaudio.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`pulseaudio_dontaudit_use_fds',`
- gen_require(`
- type pulseaudio_t;
- ')
-
- dontaudit $1 pulseaudio_t:fd use;
-')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-03 6:26 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-10-03 6:26 UTC (permalink / raw
To: gentoo-commits
commit: 18ddac2acc0a71975ba87e0683cc3846ed72bb9f
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Sep 10 15:28:14 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:05:14 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=18ddac2a
cups: Move can_exec() line.
policy/modules/contrib/cups.te | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 1b0dffa..245926b 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -633,6 +633,9 @@ allow hplip_t hplip_etc_t:dir list_dir_perms;
allow hplip_t hplip_etc_t:file read_file_perms;
allow hplip_t hplip_etc_t:lnk_file read_lnk_file_perms;
+# e.g. execute python script to load the firmware
+can_exec(hplip_t, hplip_exec_t)
+
manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
@@ -647,9 +650,6 @@ stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_system_state(hplip_t)
kernel_read_kernel_sysctls(hplip_t)
-# e.g. execute python script to load the firmware
-can_exec(hplip_t, hplip_exec_t)
-
corenet_all_recvfrom_unlabeled(hplip_t)
corenet_all_recvfrom_netlabel(hplip_t)
corenet_tcp_sendrecv_generic_if(hplip_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2016-10-03 6:20 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2016-10-03 6:26 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-10-03 6:26 UTC (permalink / raw
To: gentoo-commits
commit: d08361ee81045093ab652fa49234e465b730a8f3
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Sep 10 15:43:08 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:05:14 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d08361ee
cups: Module version bump for hplip patch from Guido Trentalancia
policy/modules/contrib/cups.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 245926b..1d6fd86 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.19.1)
+policy_module(cups, 1.19.2)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-03 6:26 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-10-03 6:26 UTC (permalink / raw
To: gentoo-commits
commit: 31afb6134c5d0dca49042de96801d28601a905d3
Author: Guido Trentalancia via refpolicy <refpolicy <AT> oss <DOT> tresys <DOT> com>
AuthorDate: Sat Sep 10 16:26:46 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:06:32 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=31afb613
mozilla: let mozilla play audio
Let mozilla play audio:
- add new interfaces to the pulseaudio module;
- let mozilla read alsa configuration files;
- add further permissions to mozilla needed to use
pulseaudio to play audio.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/mozilla.te | 9 +++++
policy/modules/contrib/pulseaudio.if | 77 ++++++++++++++++++++++++++++++++++++
2 files changed, 86 insertions(+)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index cd1aea3..ca45f5c 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -217,6 +217,11 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ alsa_read_config(mozilla_t)
+ alsa_read_home_files(mozilla_t)
+')
+
+optional_policy(`
apache_read_user_scripts(mozilla_t)
apache_read_user_content(mozilla_t)
')
@@ -269,6 +274,8 @@ optional_policy(`
optional_policy(`
pulseaudio_run(mozilla_t, mozilla_roles)
+ pulseaudio_rw_tmpfs_files(mozilla_t)
+ pulseaudio_use_fds(mozilla_t)
')
optional_policy(`
@@ -493,6 +500,8 @@ optional_policy(`
optional_policy(`
pulseaudio_run(mozilla_plugin_t, mozilla_plugin_roles)
+ pulseaudio_rw_tmpfs_files(mozilla_plugin_t)
+ pulseaudio_use_fds(mozilla_plugin_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/pulseaudio.if b/policy/modules/contrib/pulseaudio.if
index f057680..11238f2 100644
--- a/policy/modules/contrib/pulseaudio.if
+++ b/policy/modules/contrib/pulseaudio.if
@@ -371,3 +371,80 @@ interface(`pulseaudio_client_domain',`
pulseaudio_domtrans($1)
pulseaudio_tmpfs_content($2)
')
+
+#######################################
+## <summary>
+## Read pulseaudio tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_read_tmpfs_files',`
+ gen_require(`
+ type pulseaudio_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ read_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
+')
+
+#######################################
+## <summary>
+## Read and write pulseaudio tmpfs
+## files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_rw_tmpfs_files',`
+ gen_require(`
+ type pulseaudio_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ rw_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
+')
+
+########################################
+## <summary>
+## Use file descriptors for
+## pulseaudio.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_use_fds',`
+ gen_require(`
+ type pulseaudio_t;
+ ')
+
+ allow $1 pulseaudio_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use the
+## file descriptors for pulseaudio.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_dontaudit_use_fds',`
+ gen_require(`
+ type pulseaudio_t;
+ ')
+
+ dontaudit $1 pulseaudio_t:fd use;
+')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2016-10-03 6:20 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2016-10-03 6:26 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-10-03 6:26 UTC (permalink / raw
To: gentoo-commits
commit: fa460d674228cdbe2e16cd33b5b5d83c85e72008
Author: Guido Trentalancia via refpolicy <refpolicy <AT> oss <DOT> tresys <DOT> com>
AuthorDate: Mon Sep 19 11:15:44 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:13:33 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fa460d67
gnome: add support for the OIL Runtime Compiler (ORC) optimized code execution
Add a new gstreamer_orcexec_t type and file context to the gnome
module in order to support the OIL Runtime Compiler (ORC) optimized
code execution (used for example by pulseaudio).
Add optional policy to the pulseaudio module to support the ORC
optimized code execution.
This patch has been anticipated a few weeks ago as part of a
larger gnome patch. It has now been split as a smaller patch,
as required.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/gnome.fc | 4 ++
policy/modules/contrib/gnome.if | 98 ++++++++++++++++++++++++++++++++++++
policy/modules/contrib/gnome.te | 3 ++
policy/modules/contrib/pulseaudio.te | 6 +++
4 files changed, 111 insertions(+)
diff --git a/policy/modules/contrib/gnome.fc b/policy/modules/contrib/gnome.fc
index 31d8c6c..ce12193 100644
--- a/policy/modules/contrib/gnome.fc
+++ b/policy/modules/contrib/gnome.fc
@@ -7,6 +7,8 @@ HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0)
HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
+
/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
@@ -16,6 +18,8 @@ HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+/var/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
+/var/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
ifdef(`distro_gentoo',`
HOME_DIR/\.config/dconf(/.*)? gen_context(system_u:object_r:gnome_xdg_config_home_t,s0)
diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if
index cad0e95..190fa16 100644
--- a/policy/modules/contrib/gnome.if
+++ b/policy/modules/contrib/gnome.if
@@ -610,6 +610,66 @@ interface(`gnome_gconf_home_filetrans',`
########################################
## <summary>
+## Create objects in user home
+## directories with the gstreamer
+## orcexec type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_user_home_dir_filetrans_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create objects in the user
+## runtime directories with the
+## gstreamer orcexec type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3)
+')
+
+########################################
+## <summary>
## Read generic gnome keyring home files.
## </summary>
## <param name="domain">
@@ -764,3 +824,41 @@ interface(`gnome_dbus_chat_gconfd',`
allow $1 gconfd_t:dbus send_msg;
allow gconfd_t $1:dbus send_msg;
')
+
+########################################
+## <summary>
+## Manage gstreamer ORC optimized
+## code.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ allow $1 gstreamer_orcexec_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Mmap gstreamer ORC optimized
+## code.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_mmap_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ allow $1 gstreamer_orcexec_t:file mmap_file_perms;
+')
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index dd6ac04..8c79849 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -46,6 +46,9 @@ userdom_user_home_content(gnome_keyring_home_t)
type gnome_keyring_tmp_t;
userdom_user_tmp_file(gnome_keyring_tmp_t)
+type gstreamer_orcexec_t;
+application_executable_file(gstreamer_orcexec_t)
+
##############################
#
# Common local Policy
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 214e9c6..7f30a72 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -193,6 +193,12 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(pulseaudio_t)
+
+ # OIL Runtime Compiler (ORC) optimized code execution
+ gnome_manage_gstreamer_orcexec(pulseaudio_t)
+ gnome_mmap_gstreamer_orcexec(pulseaudio_t)
+ gnome_user_runtime_filetrans_gstreamer_orcexec(pulseaudio_t, file)
+ gnome_user_home_dir_filetrans_gstreamer_orcexec(pulseaudio_t, file)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2016-10-03 6:20 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2016-10-03 6:26 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-10-03 6:26 UTC (permalink / raw
To: gentoo-commits
commit: ee7d0d58ccbabc7af9e2a2f7ca7ba276d1884292
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Sep 11 13:02:28 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:06:32 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ee7d0d58
Module version bump for mozilla patch from Guido Trentalancia.
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/contrib/pulseaudio.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index ca45f5c..42fb9bf 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.9.2)
+policy_module(mozilla, 2.9.3)
########################################
#
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 4be64ec..214e9c6 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.8.5)
+policy_module(pulseaudio, 1.8.6)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-03 6:26 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-10-03 6:26 UTC (permalink / raw
To: gentoo-commits
commit: 71beba0776f9e6a4ad9d4f02b9cdaa793622fc31
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Sep 27 22:45:34 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:13:33 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=71beba07
Module version bump for networkmanager fix from Naftuli Tzvi Kay.
policy/modules/contrib/networkmanager.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 1ae3fde..45bbc02 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.18.3)
+policy_module(networkmanager, 1.18.4)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-03 6:26 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-10-03 6:26 UTC (permalink / raw
To: gentoo-commits
commit: abdacce1d5c0894bc44af2822d436ce670e68935
Author: Naftuli Tzvi Kay <rfkrocktk <AT> gmail <DOT> com>
AuthorDate: Tue Sep 27 20:40:57 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:13:33 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=abdacce1
Fix NetworkManager Read Pid Files Macro
Bug found in pull #26 - permissions aren't granted for searching
the NetworkManager_var_run_t directory, only to reading its files.
policy/modules/contrib/networkmanager.if | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/networkmanager.if b/policy/modules/contrib/networkmanager.if
index 152dc57..10688d2 100644
--- a/policy/modules/contrib/networkmanager.if
+++ b/policy/modules/contrib/networkmanager.if
@@ -247,6 +247,7 @@ interface(`networkmanager_read_pid_files',`
')
files_search_pids($1)
+ allow $1 NetworkManager_var_run_t:dir search_dir_perms;
allow $1 NetworkManager_var_run_t:file read_file_perms;
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2016-10-03 6:20 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2016-10-03 6:26 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-10-03 6:26 UTC (permalink / raw
To: gentoo-commits
commit: 756d18c85f9a8e62ab510f6ab7026944ed028d3b
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Fri Sep 9 12:11:16 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:05:14 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=756d18c8
cups: update permissions for HP printers (load firmware)
Update the cups module with some permissions needed to run HP
printers (in particular to be able to load firmware on those
printers that need it every time they are connected).
The permission to execute shell scripts has been removed in
this new version, as this is not required.
Compared to previous versions, this new version creates a
specific hplip pty (as suggested by Christopher PeBenito).
Here is the list of printers that require firmware loading:
HP LaserJet 1000
HP LaserJet 1005 series
HP LaserJet 1018
HP LaserJet 1020
HP LaserJet p1005
HP LaserJet p1006
HP LaserJet p1007
HP LaserJet p1008
HP LaserJet p1009
HP LaserJet p1505
HP LaserJet Professional p1102
HP LaserJet Professional p1102w
HP LaserJet Professional p1566
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/cups.te | 27 +++++++++++++++++++++++----
1 file changed, 23 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 6fd2ee5..1b0dffa 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -71,6 +71,9 @@ type hplip_exec_t;
init_daemon_domain(hplip_t, hplip_exec_t)
cups_backend(hplip_t, hplip_exec_t)
+type hplip_devpts_t;
+term_pty(hplip_devpts_t)
+
type hplip_etc_t;
files_config_file(hplip_etc_t)
@@ -157,6 +160,10 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
allow cupsd_t hplip_var_run_t:file read_file_perms;
+# hpcups
+read_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t)
+read_lnk_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t)
+
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
@@ -300,6 +307,10 @@ optional_policy(`
')
optional_policy(`
+ init_dbus_chat_script(cupsd_t)
+')
+
+optional_policy(`
kerberos_manage_host_rcache(cupsd_t)
kerberos_tmp_filetrans_host_rcache(cupsd_t, file, "host_0")
')
@@ -426,6 +437,8 @@ miscfiles_read_hwdata(cupsd_config_t)
seutil_dontaudit_search_config(cupsd_config_t)
+term_use_generic_ptys(cupsd_config_t)
+
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
@@ -433,10 +446,6 @@ userdom_read_user_tmp_symlinks(cupsd_config_t)
userdom_rw_user_tmp_files(cupsd_config_t)
optional_policy(`
- term_use_generic_ptys(cupsd_config_t)
-')
-
-optional_policy(`
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
')
@@ -608,9 +617,12 @@ allow hplip_t self:capability { dac_override dac_read_search net_raw };
dontaudit hplip_t self:capability sys_tty_config;
allow hplip_t self:fifo_file rw_fifo_file_perms;
allow hplip_t self:process signal_perms;
+allow hplip_t self:netlink_kobject_uevent_socket create_socket_perms;
allow hplip_t self:tcp_socket { accept listen };
allow hplip_t self:rawip_socket create_socket_perms;
+allow hplip_t hplip_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+
allow hplip_t cupsd_etc_t:dir search_dir_perms;
manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
@@ -635,6 +647,9 @@ stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_system_state(hplip_t)
kernel_read_kernel_sysctls(hplip_t)
+# e.g. execute python script to load the firmware
+can_exec(hplip_t, hplip_exec_t)
+
corenet_all_recvfrom_unlabeled(hplip_t)
corenet_all_recvfrom_netlabel(hplip_t)
corenet_tcp_sendrecv_generic_if(hplip_t)
@@ -684,6 +699,10 @@ miscfiles_read_localization(hplip_t)
sysnet_dns_name_resolve(hplip_t)
+term_create_pty(hplip_t, hplip_devpts_t)
+term_use_generic_ptys(hplip_t)
+term_use_ptmx(hplip_t)
+
userdom_dontaudit_use_unpriv_user_fds(hplip_t)
userdom_dontaudit_search_user_home_dirs(hplip_t)
userdom_dontaudit_search_user_home_content(hplip_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2016-10-03 6:20 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2016-10-03 6:26 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-10-03 6:26 UTC (permalink / raw
To: gentoo-commits
commit: d2251e5d5b63f988488a732febefa2cd115da04c
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Sep 27 22:24:08 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:13:33 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d2251e5d
Module version bump for evolution patch from Guido Trentalancia.
policy/modules/contrib/evolution.te | 2 +-
policy/modules/contrib/gpg.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index a3cf532..1580c95 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -1,4 +1,4 @@
-policy_module(evolution, 2.4.2)
+policy_module(evolution, 2.4.3)
########################################
#
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 0eedb45..4d200ff 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.9.1)
+policy_module(gpg, 2.9.2)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-03 6:26 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-10-03 6:26 UTC (permalink / raw
To: gentoo-commits
commit: cb341f0bcb4701f28a7a4ee0e452240e86bd9941
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Sep 27 22:31:13 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:13:33 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cb341f0b
gpg: Whitespace fix.
policy/modules/contrib/gpg.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 4d200ff..f76aed4 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -148,7 +148,7 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
evolution_read_orbit_tmp_files(gpg_t)
- ')
+')
optional_policy(`
gnome_read_generic_home_content(gpg_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-03 6:26 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-10-03 6:26 UTC (permalink / raw
To: gentoo-commits
commit: df89ff0189194d49380b405822524f4ef5d0d369
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 27 20:44:51 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:15:43 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=df89ff01
virt: virtlockd doesnt need ps_process_pattern
policy/modules/contrib/virt.te | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index f4dd57c..61044bb 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
allow virtlockd_t self:capability dac_override;
allow virtlockd_t self:fifo_file rw_fifo_file_perms;
+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
allow virtlockd_t virt_image_type:dir list_dir_perms;
allow virtlockd_t virt_image_type:file rw_file_perms;
@@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
-ps_process_pattern(virtlockd_t, virtd_t)
-
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-03 6:26 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-10-03 6:26 UTC (permalink / raw
To: gentoo-commits
commit: c00f2ff7e6e61e849bdf134a223341f393f12807
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Aug 31 15:03:49 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:15:43 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c00f2ff7
WIP virt: image type perms
policy/modules/contrib/virt.te | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index df22d85..0dab948 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
allow virtd_t virt_ptynode:chr_file rw_term_perms;
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, svirt_var_run_t, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-03 6:26 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-10-03 6:26 UTC (permalink / raw
To: gentoo-commits
commit: 4fb5f1162ad2447f5d2fb6c39c749768c89455b6
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu May 12 16:49:07 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:15:43 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4fb5f116
virt: add policy for virtlogd
policy/modules/contrib/virt.fc | 1 +
policy/modules/contrib/virt.te | 42 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 43 insertions(+)
diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index f7e0ce8..7d9456a 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)
/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 38aa474..f4dd57c 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
type virtlockd_var_lib_t;
files_type(virtlockd_var_lib_t)
+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh)
')
ifdef(`enable_mls',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh)
')
########################################
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
allow virt_domain virtd_t:process sigchld;
+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
dontaudit virt_domain virtd_t:unix_stream_socket { read write };
manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
@@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto };
allow virtd_t svirt_lxc_domain:process signal_perms;
+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
allow virtd_t virtd_lxc_t:process { signal signull sigkill };
domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
@@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
can_exec(virtd_t, virt_tmp_t)
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t)
virt_append_log(virtlockd_t)
virt_read_config(virtlockd_t)
+
+########################################
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+virt_manage_log(virtlogd_t)
+virt_read_config(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-03 6:26 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-10-03 6:26 UTC (permalink / raw
To: gentoo-commits
commit: 58195e8f5a8597066fb2d6f7cf090c9f6a2a404e
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Aug 11 05:49:02 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:15:43 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=58195e8f
virt: need to relabel to set categories
libvirtError: unable to set security context
'system_u:object_r:svirt_image_t:s0:c50,c346' on
'/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied
policy/modules/contrib/virt.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 61044bb..1d8b45d 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
allow virtd_t virtd_keytab_t:file read_file_perms;
allow virtd_t svirt_var_run_t:file relabel_file_perms;
+allow virtd_t svirt_var_run_t:dir relabel_dir_perms;
manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-03 6:26 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-10-03 6:26 UTC (permalink / raw
To: gentoo-commits
commit: 2adb14b062aa974d6c2a9a079f4aa8543cbd4a49
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Aug 13 16:37:55 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:15:43 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2adb14b0
virt: kernel_read_system_state
policy/modules/contrib/virt.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 1d8b45d..df22d85 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
+kernel_read_system_state(virtlockd_t)
+
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
@@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
can_exec(virtlogd_t, virtlogd_exec_t)
+kernel_read_system_state(virtlogd_t)
+
files_read_etc_files(virtlogd_t)
files_list_var_lib(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-24 15:44 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-10-24 15:44 UTC (permalink / raw
To: gentoo-commits
commit: f109263032dd1da414d4e465550b9da0820aaab1
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Oct 9 04:37:10 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 9 05:41:23 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f1092630
chromium: perms for user_cert_t
policy/modules/contrib/chromium.te | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index 3185640..10bcd9f 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -88,7 +88,8 @@ xdg_cache_home_content(chromium_xdg_cache_t)
# chromium local policy
#
-allow chromium_t self:process { getsched setcap setrlimit setsched sigkill signal };
+# execmem for load in plugins
+allow chromium_t self:process { execmem getsched setcap setrlimit setsched sigkill signal };
allow chromium_t self:fifo_file rw_fifo_file_perms;;
allow chromium_t self:sem create_sem_perms;
allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms;
@@ -108,8 +109,6 @@ allow chromium_t chromium_sandbox_t:unix_stream_socket { read write };
allow chromium_t chromium_naclhelper_t:process { share };
-allow chromium_t self:process execmem; # Load in plugins
-
# tmp has a wide class access (used for plugins)
manage_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
manage_dirs_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
@@ -164,18 +163,17 @@ fs_dontaudit_getattr_xattr_fs(chromium_t)
getty_dontaudit_use_fds(chromium_t)
-miscfiles_manage_user_certs(chromium_t)
miscfiles_read_all_certs(chromium_t)
miscfiles_read_localization(chromium_t)
-miscfiles_user_home_dir_filetrans_cert_home(chromium_t, dir, ".nss")
-miscfiles_user_home_dir_filetrans_cert_home(chromium_t, dir, ".pki")
-sysnet_dns_name_resolve(chromium_t)
+sysnet_dns_name_resolve(chromium_t)
userdom_user_content_access_template(chromium, chromium_t)
userdom_dontaudit_list_user_home_dirs(chromium_t)
# Debugging. Also on user_tty_device_t if X is started through "startx" for instance
userdom_use_user_terminals(chromium_t)
+userdom_manage_user_certs(chromium_t)
+userdom_user_home_dir_filetrans_user_cert(chromium_t, dir, ".pki")
xdg_create_cache_home_dirs(chromium_t)
xdg_create_config_home_dirs(chromium_t)
@@ -194,6 +192,7 @@ tunable_policy(`chromium_bind_tcp_unreserved_ports',`
tunable_policy(`chromium_rw_usb_dev',`
dev_rw_generic_usb_dev(chromium_t)
+ udev_read_db(chromium_t)
')
tunable_policy(`chromium_read_system_info',`
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-24 16:03 Sven Vermeulen
0 siblings, 0 replies; 413+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:03 UTC (permalink / raw
To: gentoo-commits
commit: 7ba6a2c036470cfa2cf1cac7665275ba48f45627
Author: Russell Coker via refpolicy <refpolicy <AT> oss <DOT> tresys <DOT> com>
AuthorDate: Wed Oct 19 06:07:20 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:57:35 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7ba6a2c0
webalizer patch for inclusion
Thanks Chris for the suggestions, here's a patch that I think is worthy of
inclusion.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
policy/modules/contrib/logrotate.te | 5 +++++
policy/modules/contrib/webalizer.if | 20 ++++++++++++++++++++
policy/modules/contrib/webalizer.te | 2 ++
3 files changed, 27 insertions(+)
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index a1670d0..f7a70da 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -242,6 +242,11 @@ optional_policy(`
varnishd_manage_log(logrotate_t)
')
+optional_policy(`
+ manage_webalizer_var_lib(logrotate_t)
+ webalizer_run(logrotate_t, system_r)
+')
+
#######################################
#
# Mail local policy
diff --git a/policy/modules/contrib/webalizer.if b/policy/modules/contrib/webalizer.if
index fa28353..cc831b6 100644
--- a/policy/modules/contrib/webalizer.if
+++ b/policy/modules/contrib/webalizer.if
@@ -45,3 +45,23 @@ interface(`webalizer_run',`
webalizer_domtrans($1)
roleattribute $2 webalizer_roles;
')
+
+########################################
+## <summary>
+## Manage webalizer usage files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to manage webalizer usage files
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`manage_webalizer_var_lib',`
+ gen_require(`
+ type webalizer_var_lib_t;
+ ')
+
+ allow $1 webalizer_var_lib_t:dir manage_dir_perms;
+ allow $1 webalizer_var_lib_t:file manage_file_perms;
+')
diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
index 99bef4a..ff69b41 100644
--- a/policy/modules/contrib/webalizer.te
+++ b/policy/modules/contrib/webalizer.te
@@ -36,6 +36,7 @@ allow webalizer_t self:unix_stream_socket { accept connectto listen };
allow webalizer_t self:tcp_socket { accept listen };
allow webalizer_t webalizer_etc_t:file read_file_perms;
+files_read_usr_files(webalizer_t)
manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
@@ -50,6 +51,7 @@ kernel_read_kernel_sysctls(webalizer_t)
kernel_read_system_state(webalizer_t)
files_read_etc_runtime_files(webalizer_t)
+miscfiles_read_fonts(webalizer_t)
fs_search_auto_mountpoints(webalizer_t)
fs_getattr_xattr_fs(webalizer_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-24 16:03 Sven Vermeulen
0 siblings, 0 replies; 413+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:03 UTC (permalink / raw
To: gentoo-commits
commit: 5a7a3e2f9726819e784af6445669a06293c5457d
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu May 12 16:49:07 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 16:02:52 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5a7a3e2f
virt: add policy for virtlogd
policy/modules/contrib/virt.fc | 1 +
policy/modules/contrib/virt.te | 42 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 43 insertions(+)
diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index f7e0ce8..7d9456a 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)
/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index c45ba2d..16c2970 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
type virtlockd_var_lib_t;
files_type(virtlockd_var_lib_t)
+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh)
')
ifdef(`enable_mls',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh)
')
########################################
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
allow virt_domain virtd_t:process sigchld;
+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
dontaudit virt_domain virtd_t:unix_stream_socket { read write };
manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
@@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto };
allow virtd_t svirt_lxc_domain:process signal_perms;
+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
allow virtd_t virtd_lxc_t:process { signal signull sigkill };
domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
@@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
can_exec(virtd_t, virt_tmp_t)
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t)
virt_append_log(virtlockd_t)
virt_read_config(virtlockd_t)
+
+########################################
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+virt_manage_log(virtlogd_t)
+virt_read_config(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2016-10-24 16:02 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
@ 2016-10-24 16:03 ` Sven Vermeulen
0 siblings, 0 replies; 413+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:03 UTC (permalink / raw
To: gentoo-commits
commit: 75bde71a956a7d9cd2ad48387d75dfda32c21e1c
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Oct 23 20:58:59 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:57:53 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=75bde71a
Bump module versions for release.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
policy/modules/contrib/alsa.te | 2 +-
policy/modules/contrib/amanda.te | 2 +-
policy/modules/contrib/apache.te | 2 +-
policy/modules/contrib/apcupsd.te | 2 +-
policy/modules/contrib/apm.te | 2 +-
policy/modules/contrib/arpwatch.te | 2 +-
policy/modules/contrib/asterisk.te | 2 +-
policy/modules/contrib/automount.te | 2 +-
policy/modules/contrib/avahi.te | 2 +-
policy/modules/contrib/bind.te | 2 +-
policy/modules/contrib/boinc.te | 2 +-
policy/modules/contrib/certmonger.te | 2 +-
policy/modules/contrib/cgroup.te | 2 +-
policy/modules/contrib/clamav.te | 2 +-
policy/modules/contrib/collectd.te | 2 +-
policy/modules/contrib/consolekit.te | 2 +-
policy/modules/contrib/cpucontrol.te | 2 +-
policy/modules/contrib/cron.te | 2 +-
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/devicekit.te | 2 +-
policy/modules/contrib/dhcp.te | 2 +-
policy/modules/contrib/entropyd.te | 2 +-
policy/modules/contrib/evolution.te | 2 +-
policy/modules/contrib/firewalld.te | 2 +-
policy/modules/contrib/ftp.te | 2 +-
policy/modules/contrib/geoclue.te | 2 +-
policy/modules/contrib/gnome.te | 2 +-
policy/modules/contrib/gpg.te | 2 +-
policy/modules/contrib/hal.te | 2 +-
policy/modules/contrib/kdump.te | 2 +-
policy/modules/contrib/ldap.te | 2 +-
policy/modules/contrib/logrotate.te | 2 +-
policy/modules/contrib/mailman.te | 2 +-
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/contrib/mpd.te | 2 +-
policy/modules/contrib/mplayer.te | 2 +-
policy/modules/contrib/mysql.te | 2 +-
policy/modules/contrib/networkmanager.te | 2 +-
policy/modules/contrib/nis.te | 2 +-
policy/modules/contrib/nscd.te | 2 +-
policy/modules/contrib/ntp.te | 2 +-
policy/modules/contrib/policykit.te | 2 +-
policy/modules/contrib/ppp.te | 2 +-
policy/modules/contrib/pulseaudio.te | 2 +-
policy/modules/contrib/puppet.te | 2 +-
policy/modules/contrib/raid.te | 2 +-
policy/modules/contrib/redis.te | 2 +-
policy/modules/contrib/rpc.te | 2 +-
policy/modules/contrib/rpcbind.te | 2 +-
policy/modules/contrib/rtkit.te | 2 +-
policy/modules/contrib/samba.te | 2 +-
policy/modules/contrib/shorewall.te | 2 +-
policy/modules/contrib/telepathy.te | 2 +-
policy/modules/contrib/tor.te | 2 +-
policy/modules/contrib/userhelper.te | 2 +-
policy/modules/contrib/varnishd.te | 2 +-
policy/modules/contrib/virt.te | 2 +-
policy/modules/contrib/watchdog.te | 2 +-
policy/modules/contrib/webalizer.te | 2 +-
policy/modules/contrib/wm.te | 2 +-
60 files changed, 60 insertions(+), 60 deletions(-)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index dc87030..f7faa4b 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -1,4 +1,4 @@
-policy_module(alsa, 1.15.1)
+policy_module(alsa, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/amanda.te b/policy/modules/contrib/amanda.te
index 5f579aa..65fa397 100644
--- a/policy/modules/contrib/amanda.te
+++ b/policy/modules/contrib/amanda.te
@@ -1,4 +1,4 @@
-policy_module(amanda, 1.15.1)
+policy_module(amanda, 1.16.0)
#######################################
#
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index e02fcdc..2afcf1c 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.10.1)
+policy_module(apache, 2.11.0)
########################################
#
diff --git a/policy/modules/contrib/apcupsd.te b/policy/modules/contrib/apcupsd.te
index 586104d..2432884 100644
--- a/policy/modules/contrib/apcupsd.te
+++ b/policy/modules/contrib/apcupsd.te
@@ -1,4 +1,4 @@
-policy_module(apcupsd, 1.10.1)
+policy_module(apcupsd, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/apm.te b/policy/modules/contrib/apm.te
index 449f23f..7c54285 100644
--- a/policy/modules/contrib/apm.te
+++ b/policy/modules/contrib/apm.te
@@ -1,4 +1,4 @@
-policy_module(apm, 1.14.2)
+policy_module(apm, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/arpwatch.te b/policy/modules/contrib/arpwatch.te
index 0cda29a..cb9258d 100644
--- a/policy/modules/contrib/arpwatch.te
+++ b/policy/modules/contrib/arpwatch.te
@@ -1,4 +1,4 @@
-policy_module(arpwatch, 1.12.1)
+policy_module(arpwatch, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/asterisk.te b/policy/modules/contrib/asterisk.te
index dee9f93..203d5e4 100644
--- a/policy/modules/contrib/asterisk.te
+++ b/policy/modules/contrib/asterisk.te
@@ -1,4 +1,4 @@
-policy_module(asterisk, 1.15.1)
+policy_module(asterisk, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/automount.te b/policy/modules/contrib/automount.te
index 2f5852e..6f3dc40 100644
--- a/policy/modules/contrib/automount.te
+++ b/policy/modules/contrib/automount.te
@@ -1,4 +1,4 @@
-policy_module(automount, 1.16.1)
+policy_module(automount, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te
index 40cba10..8c4bbb4 100644
--- a/policy/modules/contrib/avahi.te
+++ b/policy/modules/contrib/avahi.te
@@ -1,4 +1,4 @@
-policy_module(avahi, 1.16.1)
+policy_module(avahi, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index e3072c7..23645e9 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.16.2)
+policy_module(bind, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/boinc.te b/policy/modules/contrib/boinc.te
index 58468ea..557c8f9 100644
--- a/policy/modules/contrib/boinc.te
+++ b/policy/modules/contrib/boinc.te
@@ -1,4 +1,4 @@
-policy_module(boinc, 1.3.1)
+policy_module(boinc, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/certmonger.te b/policy/modules/contrib/certmonger.te
index cfbb41c..a98db0b 100644
--- a/policy/modules/contrib/certmonger.te
+++ b/policy/modules/contrib/certmonger.te
@@ -1,4 +1,4 @@
-policy_module(certmonger, 1.3.1)
+policy_module(certmonger, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/cgroup.te b/policy/modules/contrib/cgroup.te
index 736856f..24c2ee7 100644
--- a/policy/modules/contrib/cgroup.te
+++ b/policy/modules/contrib/cgroup.te
@@ -1,4 +1,4 @@
-policy_module(cgroup, 1.3.1)
+policy_module(cgroup, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/clamav.te b/policy/modules/contrib/clamav.te
index d733ffb..f615884 100644
--- a/policy/modules/contrib/clamav.te
+++ b/policy/modules/contrib/clamav.te
@@ -1,4 +1,4 @@
-policy_module(clamav, 1.12.1)
+policy_module(clamav, 1.13.0)
## <desc>
## <p>
diff --git a/policy/modules/contrib/collectd.te b/policy/modules/contrib/collectd.te
index cb20d84..9c8f218 100644
--- a/policy/modules/contrib/collectd.te
+++ b/policy/modules/contrib/collectd.te
@@ -1,4 +1,4 @@
-policy_module(collectd, 1.1.1)
+policy_module(collectd, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index 80c18fa..a41c47f 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -1,4 +1,4 @@
-policy_module(consolekit, 1.10.2)
+policy_module(consolekit, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/cpucontrol.te b/policy/modules/contrib/cpucontrol.te
index 901911b..0c3ec09 100644
--- a/policy/modules/contrib/cpucontrol.te
+++ b/policy/modules/contrib/cpucontrol.te
@@ -1,4 +1,4 @@
-policy_module(cpucontrol, 1.4.1)
+policy_module(cpucontrol, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 0125df0..20a645c 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.9.2)
+policy_module(cron, 2.10.0)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 1d6fd86..7674df8 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.19.2)
+policy_module(cups, 1.20.0)
########################################
#
diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te
index 3fc7f7c..ccee3f9 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -1,4 +1,4 @@
-policy_module(devicekit, 1.4.1)
+policy_module(devicekit, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/dhcp.te b/policy/modules/contrib/dhcp.te
index 927e1d9..9421ef8 100644
--- a/policy/modules/contrib/dhcp.te
+++ b/policy/modules/contrib/dhcp.te
@@ -1,4 +1,4 @@
-policy_module(dhcp, 1.12.1)
+policy_module(dhcp, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/entropyd.te b/policy/modules/contrib/entropyd.te
index e1f6d58..e5c943b 100644
--- a/policy/modules/contrib/entropyd.te
+++ b/policy/modules/contrib/entropyd.te
@@ -1,4 +1,4 @@
-policy_module(entropyd, 1.9.1)
+policy_module(entropyd, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index 1580c95..1d5421b 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -1,4 +1,4 @@
-policy_module(evolution, 2.4.3)
+policy_module(evolution, 2.5.0)
########################################
#
diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
index aa0d713..e9d23e1 100644
--- a/policy/modules/contrib/firewalld.te
+++ b/policy/modules/contrib/firewalld.te
@@ -1,4 +1,4 @@
-policy_module(firewalld, 1.3.1)
+policy_module(firewalld, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
index 8b83ad7..300d0dc 100644
--- a/policy/modules/contrib/ftp.te
+++ b/policy/modules/contrib/ftp.te
@@ -1,4 +1,4 @@
-policy_module(ftp, 1.18.2)
+policy_module(ftp, 1.19.0)
########################################
#
diff --git a/policy/modules/contrib/geoclue.te b/policy/modules/contrib/geoclue.te
index 9edb92c..c6e6640 100644
--- a/policy/modules/contrib/geoclue.te
+++ b/policy/modules/contrib/geoclue.te
@@ -1,4 +1,4 @@
-policy_module(geoclue, 1.0.4)
+policy_module(geoclue, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index c30e596..5a6f728 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.5.2)
+policy_module(gnome, 2.6.0)
##############################
#
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index f76aed4..c62a7f3 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.9.2)
+policy_module(gpg, 2.10.0)
########################################
#
diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te
index beef250..18e3082 100644
--- a/policy/modules/contrib/hal.te
+++ b/policy/modules/contrib/hal.te
@@ -1,4 +1,4 @@
-policy_module(hal, 1.15.1)
+policy_module(hal, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te
index 215a680..1f63509 100644
--- a/policy/modules/contrib/kdump.te
+++ b/policy/modules/contrib/kdump.te
@@ -1,4 +1,4 @@
-policy_module(kdump, 1.4.2)
+policy_module(kdump, 1.5.0)
#######################################
#
diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
index 5abf625..6b069f2 100644
--- a/policy/modules/contrib/ldap.te
+++ b/policy/modules/contrib/ldap.te
@@ -1,4 +1,4 @@
-policy_module(ldap, 1.13.1)
+policy_module(ldap, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index fabf459..e2daa42 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.17.1)
+policy_module(logrotate, 1.18.0)
########################################
#
diff --git a/policy/modules/contrib/mailman.te b/policy/modules/contrib/mailman.te
index 609a9ea..9ec364b 100644
--- a/policy/modules/contrib/mailman.te
+++ b/policy/modules/contrib/mailman.te
@@ -1,4 +1,4 @@
-policy_module(mailman, 1.10.1)
+policy_module(mailman, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 42fb9bf..1331491 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.9.3)
+policy_module(mozilla, 2.10.0)
########################################
#
diff --git a/policy/modules/contrib/mpd.te b/policy/modules/contrib/mpd.te
index 755e1ef..43de2d9 100644
--- a/policy/modules/contrib/mpd.te
+++ b/policy/modules/contrib/mpd.te
@@ -1,4 +1,4 @@
-policy_module(mpd, 1.3.1)
+policy_module(mpd, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/mplayer.te b/policy/modules/contrib/mplayer.te
index 6915313..758b127 100644
--- a/policy/modules/contrib/mplayer.te
+++ b/policy/modules/contrib/mplayer.te
@@ -1,4 +1,4 @@
-policy_module(mplayer, 2.5.2)
+policy_module(mplayer, 2.6.0)
########################################
#
diff --git a/policy/modules/contrib/mysql.te b/policy/modules/contrib/mysql.te
index 455fd81..023c7db 100644
--- a/policy/modules/contrib/mysql.te
+++ b/policy/modules/contrib/mysql.te
@@ -1,4 +1,4 @@
-policy_module(mysql, 1.17.1)
+policy_module(mysql, 1.18.0)
########################################
#
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 45bbc02..5e7a002 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.18.4)
+policy_module(networkmanager, 1.19.0)
########################################
#
diff --git a/policy/modules/contrib/nis.te b/policy/modules/contrib/nis.te
index 3d3936d..9715d63 100644
--- a/policy/modules/contrib/nis.te
+++ b/policy/modules/contrib/nis.te
@@ -1,4 +1,4 @@
-policy_module(nis, 1.13.2)
+policy_module(nis, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/nscd.te b/policy/modules/contrib/nscd.te
index 4ba589d..eec2928 100644
--- a/policy/modules/contrib/nscd.te
+++ b/policy/modules/contrib/nscd.te
@@ -1,4 +1,4 @@
-policy_module(nscd, 1.13.1)
+policy_module(nscd, 1.14.0)
gen_require(`
class nscd all_nscd_perms;
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 215c57d..51747ad 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.14.2)
+policy_module(ntp, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index b0e00eb..6c5f592 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -1,4 +1,4 @@
-policy_module(policykit, 1.4.1)
+policy_module(policykit, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/ppp.te b/policy/modules/contrib/ppp.te
index 8473117..f09e8ca 100644
--- a/policy/modules/contrib/ppp.te
+++ b/policy/modules/contrib/ppp.te
@@ -1,4 +1,4 @@
-policy_module(ppp, 1.15.1)
+policy_module(ppp, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 72064a2..e641031 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.8.7)
+policy_module(pulseaudio, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/puppet.te b/policy/modules/contrib/puppet.te
index 4516018..dabc6d8 100644
--- a/policy/modules/contrib/puppet.te
+++ b/policy/modules/contrib/puppet.te
@@ -1,4 +1,4 @@
-policy_module(puppet, 1.6.1)
+policy_module(puppet, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
index ec54379..e65f673 100644
--- a/policy/modules/contrib/raid.te
+++ b/policy/modules/contrib/raid.te
@@ -1,4 +1,4 @@
-policy_module(raid, 1.15.1)
+policy_module(raid, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/redis.te b/policy/modules/contrib/redis.te
index 25cf846..d8bbd67 100644
--- a/policy/modules/contrib/redis.te
+++ b/policy/modules/contrib/redis.te
@@ -1,4 +1,4 @@
-policy_module(redis, 1.2.2)
+policy_module(redis, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 6703f96..027eb78 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.17.1)
+policy_module(rpc, 1.18.0)
########################################
#
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index 88dbc6b..6e39fe7 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.9.1)
+policy_module(rpcbind, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/rtkit.te b/policy/modules/contrib/rtkit.te
index 3e68e7f..3310d80 100644
--- a/policy/modules/contrib/rtkit.te
+++ b/policy/modules/contrib/rtkit.te
@@ -1,4 +1,4 @@
-policy_module(rtkit, 1.3.1)
+policy_module(rtkit, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 602be98..15b53a1 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1,4 +1,4 @@
-policy_module(samba, 1.18.1)
+policy_module(samba, 1.19.0)
#################################
#
diff --git a/policy/modules/contrib/shorewall.te b/policy/modules/contrib/shorewall.te
index c4f6477..29661de 100644
--- a/policy/modules/contrib/shorewall.te
+++ b/policy/modules/contrib/shorewall.te
@@ -1,4 +1,4 @@
-policy_module(shorewall, 1.5.1)
+policy_module(shorewall, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/telepathy.te b/policy/modules/contrib/telepathy.te
index 4bb3c6f..1ffeaa7 100644
--- a/policy/modules/contrib/telepathy.te
+++ b/policy/modules/contrib/telepathy.te
@@ -1,4 +1,4 @@
-policy_module(telepathy, 1.6.1)
+policy_module(telepathy, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
index 3c596d8..1f0832d 100644
--- a/policy/modules/contrib/tor.te
+++ b/policy/modules/contrib/tor.te
@@ -1,4 +1,4 @@
-policy_module(tor, 1.11.1)
+policy_module(tor, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/userhelper.te b/policy/modules/contrib/userhelper.te
index 8a0dc1d..7a57c21 100644
--- a/policy/modules/contrib/userhelper.te
+++ b/policy/modules/contrib/userhelper.te
@@ -1,4 +1,4 @@
-policy_module(userhelper, 1.9.1)
+policy_module(userhelper, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/varnishd.te b/policy/modules/contrib/varnishd.te
index 9d24d0d..9ff049b 100644
--- a/policy/modules/contrib/varnishd.te
+++ b/policy/modules/contrib/varnishd.te
@@ -1,4 +1,4 @@
-policy_module(varnishd, 1.3.2)
+policy_module(varnishd, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 38aa474..c45ba2d 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.9.3)
+policy_module(virt, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/watchdog.te b/policy/modules/contrib/watchdog.te
index 0793afa..4d903b6 100644
--- a/policy/modules/contrib/watchdog.te
+++ b/policy/modules/contrib/watchdog.te
@@ -1,4 +1,4 @@
-policy_module(watchdog, 1.10.1)
+policy_module(watchdog, 1.11.0)
#################################
#
diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
index 9e87be9..06f9d33 100644
--- a/policy/modules/contrib/webalizer.te
+++ b/policy/modules/contrib/webalizer.te
@@ -1,4 +1,4 @@
-policy_module(webalizer, 1.13.2)
+policy_module(webalizer, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
index 02329e0..2cecd32 100644
--- a/policy/modules/contrib/wm.te
+++ b/policy/modules/contrib/wm.te
@@ -1,4 +1,4 @@
-policy_module(wm, 1.4.1)
+policy_module(wm, 1.5.0)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2016-10-24 16:02 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
@ 2016-10-24 16:03 ` Sven Vermeulen
0 siblings, 0 replies; 413+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:03 UTC (permalink / raw
To: gentoo-commits
commit: 4fe949b5d5a054cf70cc8fe2a7f24aa56e5ef941
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Oct 19 22:57:55 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:57:45 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4fe949b5
Module version bump for webalizer patch from Russell Coker.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
policy/modules/contrib/logrotate.te | 2 +-
policy/modules/contrib/webalizer.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index f7a70da..fabf459 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.17.0)
+policy_module(logrotate, 1.17.1)
########################################
#
diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
index 5e0a9e6..9e87be9 100644
--- a/policy/modules/contrib/webalizer.te
+++ b/policy/modules/contrib/webalizer.te
@@ -1,4 +1,4 @@
-policy_module(webalizer, 1.13.1)
+policy_module(webalizer, 1.13.2)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2016-10-24 16:02 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2016-10-24 16:03 ` Sven Vermeulen
0 siblings, 0 replies; 413+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:03 UTC (permalink / raw
To: gentoo-commits
commit: 25d7f7a7b3dfe131f56d593cfc26816e45ba72f4
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Oct 23 20:58:59 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:57:57 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=25d7f7a7
Update Changelog for release.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
policy/modules/contrib/Changelog | 160 +++++++++++++++++++++++++++++++++++++++
1 file changed, 160 insertions(+)
diff --git a/policy/modules/contrib/Changelog b/policy/modules/contrib/Changelog
index 63c8ea9..f143cb9 100644
--- a/policy/modules/contrib/Changelog
+++ b/policy/modules/contrib/Changelog
@@ -1,3 +1,163 @@
+* Sun Oct 23 2016 Chris PeBenito <pebenito@ieee.org> - 2.20161023
+Adam Tkac (2):
+ varnishncsa (varnishlog_t) reads localization files
+ Grant certmonger "chown" capability
+
+Chris PeBenito (42):
+ Merge branch 'bigon-geoclue'
+ Add additional comments in geoclue.
+ Merge branch 'bigon-virt-1'
+ Merge branch 'nm-1' of git://github.com/bigon/refpolicy-contrib into
+ bigon-nm-1
+ Merge branch 'bigon-nm-1'
+ Module version bump for virt and networkmanager patches from Laurent
+ Bigonville.
+ Merge branch 'master' of git://github.com/bigon/refpolicy-contrib
+ Module version bump for firewalld updates from Laurent Bigonville.
+ Module version bump for collectd update from Jason Zaman.
+ Module version bumps for user runtime fixes from Jason Zaman.
+ Boinc updates from Russell Coker.
+ rpcbind: Read /sys/devices/system/cpu/online from Russell Coker.
+ watchdog: Move line.
+ Module version bump for watchdog pidfile option from Russell Coker.
+ Systemd units from Russell Coker.
+ Module version bump for pulseaudio fc fix from Jason Zaman.
+ cpucontrol: revise cpucontrol_conf_t labeling, from Guido Trentalancia.
+ Module version bumps for patches from Guido Trentalancia.
+ Update the telepathy module:
+ Update the alsa module so that the alsa_etc_t file context (previously
+ alsa_etc_rw_t) is widened to the whole alsa share directory, instead of
+ just a couple of files.
+ alsa: Add compatibility alias for alsa_etc_rw_t.
+ Update the sysnetwork module to add some permissions needed by the dhcp
+ client (another separate patch makes changes to the ifconfig part).
+ Module version bump for various patches from Guido Trentalancia.
+ pulseaudio: Fix compile errors.
+ Merge branch 'master' of
+ https://github.com/SeanPlacchetti/refpolicy-contrib
+ Module version bump for webalizer dead type removal from Sean Placchetti.
+ Module version bump for Evolution SSL fix from Guido Trentalancia.
+ evolution: Read user certs from Guido Trentalancia.
+ cups: Move can_exec() line.
+ cups: Module version bump for hplip patch from Guido Trentalancia
+ pulseaudio: Move interface definitions.
+ Module version bump for mozilla patch from Guido Trentalancia.
+ Module version bump for gnome patch from Guido Trentalancia.
+ Module version bump for evolution patch from Guido Trentalancia.
+ gpg: Whitespace fix.
+ Merge branch 'feature/fix-networkmanager-varrun-macro' of
+ https://github.com/rfkrocktk/refpolicy-contrib
+ Module version bump for networkmanager fix from Naftuli Tzvi Kay.
+ Merge branch 'rfkrocktk-feature/syncthing'
+ Rearrange lines in syncthing.
+ webalizer: Rearrange a couple lines.
+ Module version bump for webalizer patch from Russell Coker.
+ Bump module versions for release.
+
+Dominick Grift (18):
+ Module version bump for changes to the geoclue module by Laurent
+ Bigonville.
+ Module version bump for changes to various modules from Laurent
+ Bigonville.
+ geoclue: move kernel interface call to the appropriate position
+ Actually associate mailmain_domain attribute with mailman domains
+ Module version bumps for changes to various modules by Nicolas Iooss
+ Module version bump for changes to the cron module by Jason Zaman
+ Module version bump for changes to the redis module by Grant Ridder
+ Module version bump for changes to the raid module by Laurent Bigonville
+ Module version bump for changes to the networkmanager module by Laurent
+ Bigonville.
+ Module version bump for changes to the redis module by Grant Ridder.
+ Module version bump for changes to the mozilla module by Laurent
+ Bigonville.
+ Module version bump for changes to the geoclue module by Nicolas Iooss.
+ Add hwloc-dump-hwdata SELinux policy
+ Module version bump for changes to the varnishd module by Robert Moucha
+ Module version bump for changes to the puppet module by Thomas Mueller
+ Module version bump for changes to the varnishd module by Adam Tkac
+ Module version bump for changes to the certmonger module by Adam Tkac
+ Revert "dbus: allow system, and session bus clients to answer to dbus
+ unconfined domains"
+
+Grant Ridder (2):
+ Add read/write perms for redis-sentinel
+ Allow tcp_connect to redis_port_t for redis_t
+
+Guido Trentalancia (7):
+ Policykit module: add fs_getattr_xattr_fs()
+ Update the policy for module apm
+ Let gpg disable core dumps
+ Update the rtkit module
+ Update the pulseaudio module for usability and ORC support
+ cups: update permissions for HP printers (load firmware)
+ gpg: public key signature verification in evolution
+
+Guido Trentalancia via refpolicy (3):
+ evolution: read SSL certificates
+ mozilla: let mozilla play audio
+ gnome: add support for the OIL Runtime Compiler (ORC) optimized code
+ execution
+
+Jason Zaman (10):
+ cron: Allow locks to be lnk_files
+ collectd: update policy for 5.5
+ consolekit: allow managing user runtime
+ pulseaudio: fcontext and filetrans for runtime
+ ftp: Add filetrans from user_runtime
+ gnome: Add filetrans from user_runtime
+ mplayer: Add filetrans from user_runtime
+ userhelper: Add filetrans from user_runtime
+ wm: Add filetrans from user_runtime
+ pulseaudio: fix user runtime fcontext
+
+Laurent Bigonville (13):
+ Add initial geoclue 2 module
+ Properly escape dot in the path to the geoclue daemon
+ Use auth_use_nsswitch() as we need DNS resolving and access nsswitch.conf
+ virt.fc: Add some debian contexts
+ networkmanager.fc: nm-dispatcher.action has been renamed to nm-dispatcher
+ Allow some domain to read sysctl_vm_overcommit_t
+ Allow mdadm read efivarfs files
+ Allow /var/run/firewalld/ directory to transition to firewalld_var_run_t
+ Add an interface to allow a domain to read firewalld_var_run_t files
+ Allow firewalld to create firewalld_var_run_t directory.
+ dontaudit firewalld attempt to relabel its own config files
+ Allow NM to execute arping
+ Debian now ships firefox-esr, properly label the executable
+
+Luis Ressel (1):
+ New policy for tboot utilities
+
+Naftuli Tzvi Kay (2):
+ Fix NetworkManager Read Pid Files Macro
+ Syncthing Policy
+
+Nicolas Iooss (3):
+ Describe _initrc_domtrans interfaces differently from the _domtrans ones
+ Fix typos in several interfaces
+ Add Arch Linux path for geoclue module
+
+Robert Moucha (1):
+ Fix trivial typo in varnishncsa name
+
+Russell Coker (2):
+ watchdog reads pid files
+ named reads vm sysctls
+
+Russell Coker via refpolicy (1):
+ webalizer patch for inclusion
+
+Sean Placchetti (1):
+ -Remove unused declarations from webalizer type enforcement file
+
+Thomas Mueller (1):
+ Allow puppet_t transtition to shorewall_t
+
+doverride (3):
+ Merge pull request #8 from bigon/geoclue
+ Merge pull request #11 from bigon/overcommit-1
+ Merge pull request #12 from fishilico/typos
+
* Tue Dec 08 2015 Chris PeBenito <selinux@tresys.com> - 2.20151208
Alexander Wetzel (1):
add vfio support for libvirt
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2016-10-24 16:02 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
@ 2016-10-24 16:03 ` Sven Vermeulen
0 siblings, 0 replies; 413+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:03 UTC (permalink / raw
To: gentoo-commits
commit: 2643b904b25db0560e375d37753018c0cd561cc0
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Oct 19 22:57:38 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:57:42 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2643b904
webalizer: Rearrange a couple lines.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
policy/modules/contrib/webalizer.te | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
index ff69b41..5e0a9e6 100644
--- a/policy/modules/contrib/webalizer.te
+++ b/policy/modules/contrib/webalizer.te
@@ -36,7 +36,6 @@ allow webalizer_t self:unix_stream_socket { accept connectto listen };
allow webalizer_t self:tcp_socket { accept listen };
allow webalizer_t webalizer_etc_t:file read_file_perms;
-files_read_usr_files(webalizer_t)
manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
@@ -51,7 +50,7 @@ kernel_read_kernel_sysctls(webalizer_t)
kernel_read_system_state(webalizer_t)
files_read_etc_runtime_files(webalizer_t)
-miscfiles_read_fonts(webalizer_t)
+files_read_usr_files(webalizer_t)
fs_search_auto_mountpoints(webalizer_t)
fs_getattr_xattr_fs(webalizer_t)
@@ -64,6 +63,7 @@ logging_send_syslog_msg(webalizer_t)
miscfiles_read_localization(webalizer_t)
miscfiles_read_public_files(webalizer_t)
+miscfiles_read_fonts(webalizer_t)
userdom_use_user_terminals(webalizer_t)
userdom_use_unpriv_users_fds(webalizer_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-24 16:03 Sven Vermeulen
0 siblings, 0 replies; 413+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:03 UTC (permalink / raw
To: gentoo-commits
commit: 590c5ac1825126f9ab0e526e4c741bb9149574bb
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Aug 31 15:03:49 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 16:02:52 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=590c5ac1
WIP virt: image type perms
policy/modules/contrib/virt.te | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 0adbdb1..aec85ea 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
allow virtd_t virt_ptynode:chr_file rw_term_perms;
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, svirt_var_run_t, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-24 16:03 Sven Vermeulen
0 siblings, 0 replies; 413+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:03 UTC (permalink / raw
To: gentoo-commits
commit: e5a4903c5a1f0a4f4c62cd3dac0090457886397f
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Aug 13 16:37:55 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 16:02:52 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e5a4903c
virt: kernel_read_system_state
policy/modules/contrib/virt.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index a29f333..0adbdb1 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
+kernel_read_system_state(virtlockd_t)
+
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
@@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
can_exec(virtlogd_t, virtlogd_exec_t)
+kernel_read_system_state(virtlogd_t)
+
files_read_etc_files(virtlogd_t)
files_list_var_lib(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-24 16:03 Sven Vermeulen
0 siblings, 0 replies; 413+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:03 UTC (permalink / raw
To: gentoo-commits
commit: 79de4feaa2f0091d712a1ab5d1d1a929ba381ebd
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 27 20:44:51 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 16:02:52 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=79de4fea
virt: virtlockd doesnt need ps_process_pattern
policy/modules/contrib/virt.te | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 16c2970..dc4c94d 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
allow virtlockd_t self:capability dac_override;
allow virtlockd_t self:fifo_file rw_fifo_file_perms;
+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
allow virtlockd_t virt_image_type:dir list_dir_perms;
allow virtlockd_t virt_image_type:file rw_file_perms;
@@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
-ps_process_pattern(virtlockd_t, virtd_t)
-
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-24 16:03 Sven Vermeulen
0 siblings, 0 replies; 413+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:03 UTC (permalink / raw
To: gentoo-commits
commit: f2c7b299ec1e8a72187fbd4902b008fda0220271
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Aug 11 05:49:02 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 16:02:52 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f2c7b299
virt: need to relabel to set categories
libvirtError: unable to set security context
'system_u:object_r:svirt_image_t:s0:c50,c346' on
'/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied
policy/modules/contrib/virt.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index dc4c94d..a29f333 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
allow virtd_t virtd_keytab_t:file read_file_perms;
allow virtd_t svirt_var_run_t:file relabel_file_perms;
+allow virtd_t svirt_var_run_t:dir relabel_dir_perms;
manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-24 16:03 Sven Vermeulen
0 siblings, 0 replies; 413+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:03 UTC (permalink / raw
To: gentoo-commits
commit: 2f02dddc5c9dc787776a9f0a94ebb0f207510cd4
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Oct 9 04:37:10 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 16:02:52 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2f02dddc
chromium: perms for user_cert_t
policy/modules/contrib/chromium.te | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index 3185640..10bcd9f 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -88,7 +88,8 @@ xdg_cache_home_content(chromium_xdg_cache_t)
# chromium local policy
#
-allow chromium_t self:process { getsched setcap setrlimit setsched sigkill signal };
+# execmem for load in plugins
+allow chromium_t self:process { execmem getsched setcap setrlimit setsched sigkill signal };
allow chromium_t self:fifo_file rw_fifo_file_perms;;
allow chromium_t self:sem create_sem_perms;
allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms;
@@ -108,8 +109,6 @@ allow chromium_t chromium_sandbox_t:unix_stream_socket { read write };
allow chromium_t chromium_naclhelper_t:process { share };
-allow chromium_t self:process execmem; # Load in plugins
-
# tmp has a wide class access (used for plugins)
manage_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
manage_dirs_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
@@ -164,18 +163,17 @@ fs_dontaudit_getattr_xattr_fs(chromium_t)
getty_dontaudit_use_fds(chromium_t)
-miscfiles_manage_user_certs(chromium_t)
miscfiles_read_all_certs(chromium_t)
miscfiles_read_localization(chromium_t)
-miscfiles_user_home_dir_filetrans_cert_home(chromium_t, dir, ".nss")
-miscfiles_user_home_dir_filetrans_cert_home(chromium_t, dir, ".pki")
-sysnet_dns_name_resolve(chromium_t)
+sysnet_dns_name_resolve(chromium_t)
userdom_user_content_access_template(chromium, chromium_t)
userdom_dontaudit_list_user_home_dirs(chromium_t)
# Debugging. Also on user_tty_device_t if X is started through "startx" for instance
userdom_use_user_terminals(chromium_t)
+userdom_manage_user_certs(chromium_t)
+userdom_user_home_dir_filetrans_user_cert(chromium_t, dir, ".pki")
xdg_create_cache_home_dirs(chromium_t)
xdg_create_config_home_dirs(chromium_t)
@@ -194,6 +192,7 @@ tunable_policy(`chromium_bind_tcp_unreserved_ports',`
tunable_policy(`chromium_rw_usb_dev',`
dev_rw_generic_usb_dev(chromium_t)
+ udev_read_db(chromium_t)
')
tunable_policy(`chromium_read_system_info',`
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2016-10-24 16:56 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2016-10-24 17:13 ` Sven Vermeulen
0 siblings, 0 replies; 413+ messages in thread
From: Sven Vermeulen @ 2016-10-24 17:13 UTC (permalink / raw
To: gentoo-commits
commit: d58ed8ba1ef188c67ec5ecbfc091abb0014dd6e4
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Oct 9 04:37:10 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 16:47:46 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d58ed8ba
chromium: perms for user_cert_t
policy/modules/contrib/chromium.te | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index 3185640..10bcd9f 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -88,7 +88,8 @@ xdg_cache_home_content(chromium_xdg_cache_t)
# chromium local policy
#
-allow chromium_t self:process { getsched setcap setrlimit setsched sigkill signal };
+# execmem for load in plugins
+allow chromium_t self:process { execmem getsched setcap setrlimit setsched sigkill signal };
allow chromium_t self:fifo_file rw_fifo_file_perms;;
allow chromium_t self:sem create_sem_perms;
allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms;
@@ -108,8 +109,6 @@ allow chromium_t chromium_sandbox_t:unix_stream_socket { read write };
allow chromium_t chromium_naclhelper_t:process { share };
-allow chromium_t self:process execmem; # Load in plugins
-
# tmp has a wide class access (used for plugins)
manage_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
manage_dirs_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
@@ -164,18 +163,17 @@ fs_dontaudit_getattr_xattr_fs(chromium_t)
getty_dontaudit_use_fds(chromium_t)
-miscfiles_manage_user_certs(chromium_t)
miscfiles_read_all_certs(chromium_t)
miscfiles_read_localization(chromium_t)
-miscfiles_user_home_dir_filetrans_cert_home(chromium_t, dir, ".nss")
-miscfiles_user_home_dir_filetrans_cert_home(chromium_t, dir, ".pki")
-sysnet_dns_name_resolve(chromium_t)
+sysnet_dns_name_resolve(chromium_t)
userdom_user_content_access_template(chromium, chromium_t)
userdom_dontaudit_list_user_home_dirs(chromium_t)
# Debugging. Also on user_tty_device_t if X is started through "startx" for instance
userdom_use_user_terminals(chromium_t)
+userdom_manage_user_certs(chromium_t)
+userdom_user_home_dir_filetrans_user_cert(chromium_t, dir, ".pki")
xdg_create_cache_home_dirs(chromium_t)
xdg_create_config_home_dirs(chromium_t)
@@ -194,6 +192,7 @@ tunable_policy(`chromium_bind_tcp_unreserved_ports',`
tunable_policy(`chromium_rw_usb_dev',`
dev_rw_generic_usb_dev(chromium_t)
+ udev_read_db(chromium_t)
')
tunable_policy(`chromium_read_system_info',`
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-24 17:14 Sven Vermeulen
0 siblings, 0 replies; 413+ messages in thread
From: Sven Vermeulen @ 2016-10-24 17:14 UTC (permalink / raw
To: gentoo-commits
commit: 04c8004e139709f43b8bc2b9f4c15a94c4705eb3
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Aug 13 16:37:55 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 17:08:02 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=04c8004e
virt: kernel_read_system_state
policy/modules/contrib/virt.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index a29f333..0adbdb1 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
+kernel_read_system_state(virtlockd_t)
+
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
@@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
can_exec(virtlogd_t, virtlogd_exec_t)
+kernel_read_system_state(virtlogd_t)
+
files_read_etc_files(virtlogd_t)
files_list_var_lib(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-24 17:14 Sven Vermeulen
0 siblings, 0 replies; 413+ messages in thread
From: Sven Vermeulen @ 2016-10-24 17:14 UTC (permalink / raw
To: gentoo-commits
commit: db3ffc24bb923198f05eb16579d1455a96f7c018
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Aug 31 15:03:49 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 17:08:02 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=db3ffc24
WIP virt: image type perms
policy/modules/contrib/virt.te | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 0adbdb1..aec85ea 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
allow virtd_t virt_ptynode:chr_file rw_term_perms;
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, svirt_var_run_t, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-24 17:14 Sven Vermeulen
0 siblings, 0 replies; 413+ messages in thread
From: Sven Vermeulen @ 2016-10-24 17:14 UTC (permalink / raw
To: gentoo-commits
commit: dce5ffb47d36501b71c79e3361163747b72c6db5
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 27 20:44:51 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 17:08:02 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dce5ffb4
virt: virtlockd doesnt need ps_process_pattern
policy/modules/contrib/virt.te | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 16c2970..dc4c94d 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
allow virtlockd_t self:capability dac_override;
allow virtlockd_t self:fifo_file rw_fifo_file_perms;
+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
allow virtlockd_t virt_image_type:dir list_dir_perms;
allow virtlockd_t virt_image_type:file rw_file_perms;
@@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
-ps_process_pattern(virtlockd_t, virtd_t)
-
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-24 17:14 Sven Vermeulen
0 siblings, 0 replies; 413+ messages in thread
From: Sven Vermeulen @ 2016-10-24 17:14 UTC (permalink / raw
To: gentoo-commits
commit: 05ca719e56beb535f7fee58e0874e2a6f15bfaae
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu May 12 16:49:07 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 17:08:02 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=05ca719e
virt: add policy for virtlogd
policy/modules/contrib/virt.fc | 1 +
policy/modules/contrib/virt.te | 42 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 43 insertions(+)
diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index f7e0ce8..7d9456a 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)
/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index c45ba2d..16c2970 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
type virtlockd_var_lib_t;
files_type(virtlockd_var_lib_t)
+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh)
')
ifdef(`enable_mls',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh)
')
########################################
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
allow virt_domain virtd_t:process sigchld;
+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
dontaudit virt_domain virtd_t:unix_stream_socket { read write };
manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
@@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto };
allow virtd_t svirt_lxc_domain:process signal_perms;
+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
allow virtd_t virtd_lxc_t:process { signal signull sigkill };
domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
@@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
can_exec(virtd_t, virt_tmp_t)
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t)
virt_append_log(virtlockd_t)
virt_read_config(virtlockd_t)
+
+########################################
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+virt_manage_log(virtlogd_t)
+virt_read_config(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-24 17:14 Sven Vermeulen
0 siblings, 0 replies; 413+ messages in thread
From: Sven Vermeulen @ 2016-10-24 17:14 UTC (permalink / raw
To: gentoo-commits
commit: e1b6b1b4b4a8069a588d2db36b0c9c0a0ea851cb
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Aug 11 05:49:02 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 17:08:02 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e1b6b1b4
virt: need to relabel to set categories
libvirtError: unable to set security context
'system_u:object_r:svirt_image_t:s0:c50,c346' on
'/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied
policy/modules/contrib/virt.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index dc4c94d..a29f333 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
allow virtd_t virtd_keytab_t:file read_file_perms;
allow virtd_t svirt_var_run_t:file relabel_file_perms;
+allow virtd_t svirt_var_run_t:dir relabel_dir_perms;
manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-26 11:08 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-10-26 11:08 UTC (permalink / raw
To: gentoo-commits
commit: b409b946fb32c75fe125b956e526988cccbe6d08
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Oct 26 05:35:36 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Oct 26 08:16:57 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b409b946
gnome: add gkeyring rules and fcontext
policy/modules/contrib/gnome.fc | 2 ++
policy/modules/contrib/gnome.if | 2 ++
policy/modules/contrib/gnome.te | 4 +++-
3 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/gnome.fc b/policy/modules/contrib/gnome.fc
index ce12193..f31230e 100644
--- a/policy/modules/contrib/gnome.fc
+++ b/policy/modules/contrib/gnome.fc
@@ -18,6 +18,7 @@ HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+/var/run/user/%{USERID}/keyring(/.*)? gen_context(system_u:object_r:gnome_keyring_tmp_t,s0)
/var/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
/var/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
@@ -25,4 +26,5 @@ ifdef(`distro_gentoo',`
HOME_DIR/\.config/dconf(/.*)? gen_context(system_u:object_r:gnome_xdg_config_home_t,s0)
HOME_DIR/\.cache/dconf(/.*)? gen_context(system_u:object_r:gnome_xdg_cache_home_t,s0)
HOME_DIR/\.cache/keyring-.* gen_context(system_u:object_r:gnome_xdg_cache_home_t,s0)
+HOME_DIR/\.local/share/keyrings(/.*)? gen_context(system_u:object_r:gnome_xdg_data_home_t,s0)
')
diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if
index 190fa16..b08670b 100644
--- a/policy/modules/contrib/gnome.if
+++ b/policy/modules/contrib/gnome.if
@@ -778,6 +778,7 @@ interface(`gnome_stream_connect_gkeyringd',`
')
files_search_tmp($2)
+ userdom_search_user_runtime($2)
stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t)
')
@@ -799,6 +800,7 @@ interface(`gnome_stream_connect_all_gkeyringd',`
')
files_search_tmp($1)
+ userdom_search_user_runtime($1)
stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
')
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index 5a6f728..a874924 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -123,9 +123,11 @@ gnome_home_filetrans(gkeyringd_domain, gnome_keyring_home_t, dir, "keyrings")
manage_dirs_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
files_tmp_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)
+userdom_user_runtime_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)
-kernel_read_system_state(gkeyringd_domain)
kernel_read_crypto_sysctls(gkeyringd_domain)
+kernel_read_kernel_sysctls(gkeyringd_domain)
+kernel_read_system_state(gkeyringd_domain)
dev_read_rand(gkeyringd_domain)
dev_read_sysfs(gkeyringd_domain)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-26 11:08 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-10-26 11:08 UTC (permalink / raw
To: gentoo-commits
commit: 68b1afa0ab298c6b714e891bb38bc44ba2d0faf9
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Oct 26 08:04:54 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Oct 26 10:57:10 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=68b1afa0
chromium: allow dbus chat to gnome keyring and upower
For saving secrets and inhibiting power management eg during videos
policy/modules/contrib/chromium.te | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index 10bcd9f..8764370 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -230,6 +230,12 @@ optional_policy(`
optional_policy(`
unconfined_dbus_chat(chromium_t)
')
+ optional_policy(`
+ gnome_dbus_chat_all_gkeyringd(chromium_t)
+ ')
+ optional_policy(`
+ devicekit_dbus_chat_power(chromium_t)
+ ')
')
optional_policy(`
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-26 11:08 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-10-26 11:08 UTC (permalink / raw
To: gentoo-commits
commit: 34e87a577d7e36e88dfa19bd013b25d78637247a
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Oct 25 15:42:24 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Oct 25 15:48:16 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=34e87a57
pcscd: look up the pid that is connecting
pcscd tries to look at the pid of the process that is connecting to its
socket.
type=AVC msg=audit(1477409841.224:12512): avc: denied { open } for pid=16611 comm="pcscd" path="/proc/10610/stat" dev="proc" ino=29254 scontext=system_u:system_r:pcscd_t:s0 tcontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(1477409841.224:12513): avc: denied { getattr } for pid=16611 comm="pcscd" path="/proc/10610/stat" dev="proc" ino=29254 scontext=system_u:system_r:pcscd_t:s0 tcontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tclass=file permissive=1
policy/modules/contrib/pcscd.if | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/contrib/pcscd.if b/policy/modules/contrib/pcscd.if
index ac7e60c..b5c522d 100644
--- a/policy/modules/contrib/pcscd.if
+++ b/policy/modules/contrib/pcscd.if
@@ -101,6 +101,9 @@ interface(`pcscd_stream_connect',`
files_search_pids($1)
stream_connect_pattern($1, pcscd_var_run_t, pcscd_var_run_t, pcscd_t)
+
+ allow pcscd_t $1:dir list_dir_perms;
+ allow pcscd_t $1:file read_file_perms;
')
########################################
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-26 11:08 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-10-26 11:08 UTC (permalink / raw
To: gentoo-commits
commit: f19368f101e373b4a18c8f9a8b0cdfeadbf478ef
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Oct 25 14:24:46 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Oct 25 15:48:16 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f19368f1
gpg: add new socket paths
GPG 2.1 has sockets in /run/user/UID/gnupg/ and
~/.gnupg/S.gpg-agent{,.ssh}.
policy/modules/contrib/gpg.fc | 4 ++++
policy/modules/contrib/gpg.if | 4 ++++
policy/modules/contrib/gpg.te | 4 ++++
3 files changed, 12 insertions(+)
diff --git a/policy/modules/contrib/gpg.fc b/policy/modules/contrib/gpg.fc
index 888cd2c..dcd6a16 100644
--- a/policy/modules/contrib/gpg.fc
+++ b/policy/modules/contrib/gpg.fc
@@ -1,5 +1,7 @@
HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg/S.gpg-agent -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg/S.gpg-agent.ssh -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
@@ -8,3 +10,5 @@ HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
+
+/var/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
index 0370dd1..5f4cefc 100644
--- a/policy/modules/contrib/gpg.if
+++ b/policy/modules/contrib/gpg.if
@@ -205,9 +205,13 @@ interface(`gpg_rw_agent_pipes',`
interface(`gpg_stream_connect_agent',`
gen_require(`
type gpg_agent_t, gpg_agent_tmp_t;
+ type gpg_secret_t;
')
stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
+ allow $1 gpg_secret_t:dir search_dir_perms;
+ userdom_search_user_runtime($1)
+ userdom_search_user_home_dirs($1)
')
########################################
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index c62a7f3..095cf96 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -229,6 +229,8 @@ manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
+filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent")
+filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
@@ -250,6 +252,8 @@ miscfiles_read_localization(gpg_agent_t)
userdom_use_user_terminals(gpg_agent_t)
userdom_search_user_home_dirs(gpg_agent_t)
+userdom_search_user_runtime(gpg_agent_t)
+userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
ifdef(`hide_broken_symptoms',`
userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-26 11:08 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-10-26 11:08 UTC (permalink / raw
To: gentoo-commits
commit: c2f75bf40a1b1176728757becf5c9f3361ae25b3
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Oct 26 08:04:11 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Oct 26 08:16:57 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c2f75bf4
gpg: allow pinentry dbus chat to gkeyring
policy/modules/contrib/gpg.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 095cf96..441d696 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -351,6 +351,10 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
dbus_all_session_bus_client(gpg_pinentry_t)
dbus_system_bus_client(gpg_pinentry_t)
+
+ optional_policy(`
+ gnome_dbus_chat_all_gkeyringd(gpg_pinentry_t)
+ ')
')
optional_policy(`
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-26 11:08 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-10-26 11:08 UTC (permalink / raw
To: gentoo-commits
commit: c97dab2e577e227382d0fd35ebd2a4d13300c9a1
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Oct 26 05:36:20 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Oct 26 05:48:10 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c97dab2e
devicekit: fcontext for udisks2
policy/modules/contrib/devicekit.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/devicekit.fc b/policy/modules/contrib/devicekit.fc
index ae49c9d..8908ab6 100644
--- a/policy/modules/contrib/devicekit.fc
+++ b/policy/modules/contrib/devicekit.fc
@@ -10,6 +10,7 @@
/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
/usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+/usr/libexec/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
/usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-26 11:08 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-10-26 11:08 UTC (permalink / raw
To: gentoo-commits
commit: 31d0870c44fd917b7519e65d5750d6bf455b4056
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Oct 25 15:07:24 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Oct 25 15:34:41 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=31d0870c
pcsc: allow policykit dbus chat
policy/modules/contrib/pcscd.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
index 1828900..bcc863c 100644
--- a/policy/modules/contrib/pcscd.te
+++ b/policy/modules/contrib/pcscd.te
@@ -73,6 +73,10 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(pcscd_t)
')
+
+ optional_policy(`
+ policykit_dbus_chat(pcscd_t)
+ ')
')
optional_policy(`
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2016-12-06 13:39 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2016-12-06 14:25 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-12-06 14:25 UTC (permalink / raw
To: gentoo-commits
commit: f379a19944626a91093b7e9d598d9559ae0afa63
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Sat Dec 3 23:30:32 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 13:19:40 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f379a199
Add debian path for fprintd daemon
Add debian path for fprintd daemon (/usr/lib/fprintd/fprintd)
policy/modules/contrib/fprintd.fc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/fprintd.fc b/policy/modules/contrib/fprintd.fc
index d861e88..81317ea 100644
--- a/policy/modules/contrib/fprintd.fc
+++ b/policy/modules/contrib/fprintd.fc
@@ -1,3 +1,5 @@
+/usr/lib/fprintd/fprintd -- gen_context(system_u:object_r:fprintd_exec_t,s0)
+
/usr/libexec/fprintd -- gen_context(system_u:object_r:fprintd_exec_t,s0)
/var/lib/fprint(/.*)? gen_context(system_u:object_r:fprintd_var_lib_t,s0)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-12-06 14:25 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-12-06 14:25 UTC (permalink / raw
To: gentoo-commits
commit: 897a8e2008bdb9d73db6d692272ca98e870a0566
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Nov 23 03:18:02 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 13:19:40 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=897a8e20
authbind: Remove dead policy.
policy/modules/contrib/authbind.fc | 3 ---
policy/modules/contrib/authbind.if | 46 --------------------------------------
policy/modules/contrib/authbind.te | 34 ----------------------------
3 files changed, 83 deletions(-)
diff --git a/policy/modules/contrib/authbind.fc b/policy/modules/contrib/authbind.fc
deleted file mode 100644
index 699ecc1..0000000
--- a/policy/modules/contrib/authbind.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/etc/authbind(/.*)? gen_context(system_u:object_r:authbind_etc_t,s0)
-
-/usr/lib/authbind/helper -- gen_context(system_u:object_r:authbind_exec_t,s0)
diff --git a/policy/modules/contrib/authbind.if b/policy/modules/contrib/authbind.if
deleted file mode 100644
index 40fdc75..0000000
--- a/policy/modules/contrib/authbind.if
+++ /dev/null
@@ -1,46 +0,0 @@
-## <summary>Tool for non-root processes to bind to reserved ports.</summary>
-
-########################################
-## <summary>
-## Execute authbind in the authbind domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`authbind_domtrans',`
- gen_require(`
- type authbind_t, authbind_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, authbind_exec_t, authbind_t)
-')
-
-########################################
-## <summary>
-## Execute authbind in the authbind
-## domain, and allow the specified
-## role the authbind domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-#
-interface(`authbind_run',`
- gen_require(`
- attribute_role authbind_roles;
- ')
-
- authbind_domtrans($1)
- roleattribute $2 authbind_roles;
-')
diff --git a/policy/modules/contrib/authbind.te b/policy/modules/contrib/authbind.te
deleted file mode 100644
index dd9d215..0000000
--- a/policy/modules/contrib/authbind.te
+++ /dev/null
@@ -1,34 +0,0 @@
-policy_module(authbind, 1.3.0)
-
-########################################
-#
-# Declarations
-#
-
-attribute_role authbind_roles;
-roleattribute system_r authbind_roles;
-
-type authbind_t;
-type authbind_exec_t;
-application_domain(authbind_t, authbind_exec_t)
-role authbind_roles types authbind_t;
-
-type authbind_etc_t;
-files_config_file(authbind_etc_t)
-
-########################################
-#
-# Local policy
-#
-
-allow authbind_t self:capability net_bind_service;
-
-allow authbind_t authbind_etc_t:dir list_dir_perms;
-exec_files_pattern(authbind_t, authbind_etc_t, authbind_etc_t)
-read_lnk_files_pattern(authbind_t, authbind_etc_t, authbind_etc_t)
-
-files_list_etc(authbind_t)
-
-term_use_console(authbind_t)
-
-logging_send_syslog_msg(authbind_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-12-06 14:25 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-12-06 14:25 UTC (permalink / raw
To: gentoo-commits
commit: 1c472ba023387394309b157827e9b8acfe08a2d4
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Dec 4 17:47:47 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 13:19:40 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1c472ba0
Module version bump for Debian fprintd fc entry from Laurent Bigonville.
policy/modules/contrib/fprintd.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/fprintd.te b/policy/modules/contrib/fprintd.te
index 92a6479..00099f9 100644
--- a/policy/modules/contrib/fprintd.te
+++ b/policy/modules/contrib/fprintd.te
@@ -1,4 +1,4 @@
-policy_module(fprintd, 1.2.0)
+policy_module(fprintd, 1.2.1)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-12-06 14:25 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-12-06 14:25 UTC (permalink / raw
To: gentoo-commits
commit: 98732751e002526aa86963b6c0425846bccd93d2
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Nov 29 02:00:14 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 13:19:40 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=98732751
Module version bump for cups patch from Guido Trentalancia.
policy/modules/contrib/cups.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 7674df8..e630014 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.20.0)
+policy_module(cups, 1.20.1)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2016-12-06 13:39 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2016-12-06 14:25 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-12-06 14:25 UTC (permalink / raw
To: gentoo-commits
commit: b822b1181b81fd74038c8987162a1cfe86611720
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Fri Nov 25 22:14:47 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 13:19:40 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b822b118
cups: descend "rw" directories when reading configuration files
When reading CUPS configuration files under /etc, let the caller
search (i.e. descend into) "rw" directories (such as "ppd").
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/cups.if | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/cups.if b/policy/modules/contrib/cups.if
index cad7df2..a6bcb68 100644
--- a/policy/modules/contrib/cups.if
+++ b/policy/modules/contrib/cups.if
@@ -203,7 +203,7 @@ interface(`cups_read_config',`
')
files_search_etc($1)
- read_files_pattern($1, cupsd_etc_t, { cupsd_etc_t cupsd_rw_etc_t })
+ read_files_pattern($1, { cupsd_etc_t cupsd_rw_etc_t }, { cupsd_etc_t cupsd_rw_etc_t })
')
########################################
@@ -223,7 +223,7 @@ interface(`cups_read_rw_config',`
')
files_search_etc($1)
- read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
+ read_files_pattern($1, { cupsd_etc_t cupsd_rw_etc_t }, cupsd_rw_etc_t)
')
########################################
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2016-12-06 13:39 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2016-12-06 14:25 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-12-06 14:25 UTC (permalink / raw
To: gentoo-commits
commit: 6291bac4cdcbd366f63d6d0b66f73a535ecc0340
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Oct 26 17:19:21 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 13:19:40 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6291bac4
gnome: add gkeyring rules and fcontext
policy/modules/contrib/gnome.fc | 1 +
policy/modules/contrib/gnome.if | 2 ++
policy/modules/contrib/gnome.te | 4 +++-
3 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/gnome.fc b/policy/modules/contrib/gnome.fc
index ce12193..cd2ead4 100644
--- a/policy/modules/contrib/gnome.fc
+++ b/policy/modules/contrib/gnome.fc
@@ -18,6 +18,7 @@ HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+/var/run/user/%{USERID}/keyring(/.*)? gen_context(system_u:object_r:gnome_keyring_tmp_t,s0)
/var/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
/var/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if
index 190fa16..b08670b 100644
--- a/policy/modules/contrib/gnome.if
+++ b/policy/modules/contrib/gnome.if
@@ -778,6 +778,7 @@ interface(`gnome_stream_connect_gkeyringd',`
')
files_search_tmp($2)
+ userdom_search_user_runtime($2)
stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t)
')
@@ -799,6 +800,7 @@ interface(`gnome_stream_connect_all_gkeyringd',`
')
files_search_tmp($1)
+ userdom_search_user_runtime($1)
stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
')
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index 5a6f728..a874924 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -123,9 +123,11 @@ gnome_home_filetrans(gkeyringd_domain, gnome_keyring_home_t, dir, "keyrings")
manage_dirs_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
files_tmp_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)
+userdom_user_runtime_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)
-kernel_read_system_state(gkeyringd_domain)
kernel_read_crypto_sysctls(gkeyringd_domain)
+kernel_read_kernel_sysctls(gkeyringd_domain)
+kernel_read_system_state(gkeyringd_domain)
dev_read_rand(gkeyringd_domain)
dev_read_sysfs(gkeyringd_domain)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2016-12-06 13:39 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2016-12-06 14:25 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-12-06 14:25 UTC (permalink / raw
To: gentoo-commits
commit: e0ed083c6bc22c8a33c45498d1e97ed945f8ce5e
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Oct 30 18:20:42 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 13:19:40 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e0ed083c
Module version bump for patches from Jason Zaman.
policy/modules/contrib/devicekit.te | 2 +-
policy/modules/contrib/gnome.te | 2 +-
policy/modules/contrib/gpg.te | 2 +-
policy/modules/contrib/pcscd.te | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te
index ccee3f9..8b8a4cc 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -1,4 +1,4 @@
-policy_module(devicekit, 1.5.0)
+policy_module(devicekit, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index a874924..7c2e27d 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.6.0)
+policy_module(gnome, 2.6.1)
##############################
#
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 441d696..e32b7f8 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.10.0)
+policy_module(gpg, 2.10.1)
########################################
#
diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
index bcc863c..f9b6e1b 100644
--- a/policy/modules/contrib/pcscd.te
+++ b/policy/modules/contrib/pcscd.te
@@ -1,4 +1,4 @@
-policy_module(pcscd, 1.11.0)
+policy_module(pcscd, 1.11.1)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2016-12-06 13:39 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2016-12-06 14:25 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-12-06 14:25 UTC (permalink / raw
To: gentoo-commits
commit: 48faa5c437079c8cf7626d2814e9fc2f87d35811
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Sun Nov 6 07:49:13 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 13:19:40 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=48faa5c4
Re-add raid fc spec that must have been removed earlier by mistake
Reported-By: Nicolas Iooss <nicolas.iooss <AT> m4x.org>
policy/modules/contrib/raid.fc | 1 +
policy/modules/contrib/raid.te | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/raid.fc b/policy/modules/contrib/raid.fc
index 2ea0889..f5b8ff4 100644
--- a/policy/modules/contrib/raid.fc
+++ b/policy/modules/contrib/raid.fc
@@ -19,6 +19,7 @@
/usr/sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/usr/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+/usr/sbin/mdmon -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/usr/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/usr/sbin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0)
diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
index e65f673..84fdfdf 100644
--- a/policy/modules/contrib/raid.te
+++ b/policy/modules/contrib/raid.te
@@ -1,4 +1,4 @@
-policy_module(raid, 1.16.0)
+policy_module(raid, 1.16.1)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2016-12-06 13:39 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2016-12-06 14:25 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-12-06 14:25 UTC (permalink / raw
To: gentoo-commits
commit: b90d7f0d0f52f0b0847be67866c6bd34984bf625
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Oct 26 17:19:18 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 12:41:59 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b90d7f0d
pcscd: dbus and domain lookup
Allow dbus chat to policykit.
pcscd needs to lookup the domain that connects to the socket.
type=AVC msg=audit(1477409841.224:12512): avc: denied { open } for pid=16611 comm="pcscd" path="/proc/10610/stat" dev="proc" ino=29254 scontext=system_u:system_r:pcscd_t:s0 tcontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(1477409841.224:12513): avc: denied { getattr } for pid=16611 comm="pcscd" path="/proc/10610/stat" dev="proc" ino=29254 scontext=system_u:system_r:pcscd_t:s0 tcontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tclass=file permissive=1
policy/modules/contrib/pcscd.if | 3 +++
policy/modules/contrib/pcscd.te | 4 ++++
2 files changed, 7 insertions(+)
diff --git a/policy/modules/contrib/pcscd.if b/policy/modules/contrib/pcscd.if
index ac7e60c..b5c522d 100644
--- a/policy/modules/contrib/pcscd.if
+++ b/policy/modules/contrib/pcscd.if
@@ -101,6 +101,9 @@ interface(`pcscd_stream_connect',`
files_search_pids($1)
stream_connect_pattern($1, pcscd_var_run_t, pcscd_var_run_t, pcscd_t)
+
+ allow pcscd_t $1:dir list_dir_perms;
+ allow pcscd_t $1:file read_file_perms;
')
########################################
diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
index 1828900..bcc863c 100644
--- a/policy/modules/contrib/pcscd.te
+++ b/policy/modules/contrib/pcscd.te
@@ -73,6 +73,10 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(pcscd_t)
')
+
+ optional_policy(`
+ policykit_dbus_chat(pcscd_t)
+ ')
')
optional_policy(`
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2016-12-06 13:39 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2016-12-06 14:25 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-12-06 14:25 UTC (permalink / raw
To: gentoo-commits
commit: 68baf3fd885ca06420812d2ff3cbf1b7f7fc2ad6
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Oct 26 17:19:20 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 12:41:59 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=68baf3fd
devicekit: fcontext for udisks2
policy/modules/contrib/devicekit.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/devicekit.fc b/policy/modules/contrib/devicekit.fc
index ae49c9d..8908ab6 100644
--- a/policy/modules/contrib/devicekit.fc
+++ b/policy/modules/contrib/devicekit.fc
@@ -10,6 +10,7 @@
/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
/usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+/usr/libexec/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
/usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2016-12-06 13:39 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2016-12-06 14:25 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-12-06 14:25 UTC (permalink / raw
To: gentoo-commits
commit: 761a962e70701012d49907883a314147ef944263
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Dec 1 18:48:55 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 13:19:40 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=761a962e
use domain_auto_transition_pattern instead of domain_auto_trans
policy/modules/contrib/daemontools.if | 2 +-
policy/modules/contrib/gpg.if | 2 +-
policy/modules/contrib/lircd.if | 2 +-
policy/modules/contrib/mta.if | 2 +-
policy/modules/contrib/qemu.if | 2 +-
policy/modules/contrib/rsync.if | 4 ++--
6 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/policy/modules/contrib/daemontools.if b/policy/modules/contrib/daemontools.if
index 3b3d9a0..54c71e1 100644
--- a/policy/modules/contrib/daemontools.if
+++ b/policy/modules/contrib/daemontools.if
@@ -43,7 +43,7 @@ interface(`daemontools_service_domain',`
type svc_run_t;
')
- domain_auto_trans(svc_run_t, $2, $1)
+ domain_auto_transition_pattern(svc_run_t, $2, $1)
daemontools_ipc_domain($1)
allow svc_run_t $1:process signal;
diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
index 5f4cefc..efffff8 100644
--- a/policy/modules/contrib/gpg.if
+++ b/policy/modules/contrib/gpg.if
@@ -120,7 +120,7 @@ interface(`gpg_spec_domtrans',`
')
corecmd_search_bin($1)
- domain_auto_trans($1, gpg_exec_t, $2)
+ domain_auto_transition_pattern($1, gpg_exec_t, $2)
')
######################################
diff --git a/policy/modules/contrib/lircd.if b/policy/modules/contrib/lircd.if
index f54240e..de2543b 100644
--- a/policy/modules/contrib/lircd.if
+++ b/policy/modules/contrib/lircd.if
@@ -16,7 +16,7 @@ interface(`lircd_domtrans',`
')
corecmd_search_bin($1)
- domain_auto_trans($1, lircd_exec_t, lircd_t)
+ domain_auto_transition_pattern($1, lircd_exec_t, lircd_t)
')
######################################
diff --git a/policy/modules/contrib/mta.if b/policy/modules/contrib/mta.if
index 48a2845..a503427 100644
--- a/policy/modules/contrib/mta.if
+++ b/policy/modules/contrib/mta.if
@@ -457,7 +457,7 @@ interface(`mta_sendmail_domtrans',`
')
corecmd_search_bin($1)
- domain_auto_trans($1, sendmail_exec_t, $2)
+ domain_auto_transition_pattern($1, sendmail_exec_t, $2)
allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms;
')
diff --git a/policy/modules/contrib/qemu.if b/policy/modules/contrib/qemu.if
index ea947bc..32b4865 100644
--- a/policy/modules/contrib/qemu.if
+++ b/policy/modules/contrib/qemu.if
@@ -353,7 +353,7 @@ interface(`qemu_spec_domtrans',`
')
corecmd_search_bin($1)
- domain_auto_trans($1, qemu_exec_t, $2)
+ domain_auto_transition_pattern($1, qemu_exec_t, $2)
')
######################################
diff --git a/policy/modules/contrib/rsync.if b/policy/modules/contrib/rsync.if
index c7b19aa..7a14937 100644
--- a/policy/modules/contrib/rsync.if
+++ b/policy/modules/contrib/rsync.if
@@ -50,7 +50,7 @@ interface(`rsync_entry_spec_domtrans',`
')
corecmd_search_bin($1)
- domain_auto_trans($1, rsync_exec_t, $2)
+ domain_auto_transition_pattern($1, rsync_exec_t, $2)
')
########################################
@@ -84,7 +84,7 @@ interface(`rsync_entry_domtrans',`
')
corecmd_search_bin($1)
- domain_auto_trans($1, rsync_exec_t, $2)
+ domain_auto_transition_pattern($1, rsync_exec_t, $2)
')
########################################
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2016-12-06 14:21 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2016-12-06 14:25 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-12-06 14:25 UTC (permalink / raw
To: gentoo-commits
commit: a2f1ba7050cdedf754c399f9c22375bff161b78f
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Sat Nov 26 18:05:35 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 13:58:03 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a2f1ba70
Allow portage compile domains to relabel portage_tmp_t:dir's
This permission is requested by a 'cp' in the multibuild.eclass (see bug
600926). It's not actually required, but since we already allow the same
permission for files and allowing it for directories doesn't have any
security implications, I've chosen use "allow" instead of "dontaudit".
policy/modules/contrib/portage.if | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index 14c4fb6..e990d79 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -118,6 +118,7 @@ interface(`portage_compile_domain',`
files_tmp_filetrans($1, portage_tmp_t, { dir file lnk_file sock_file fifo_file })
# SELinux-enabled programs running in the sandbox
allow $1 portage_tmp_t:file relabel_file_perms;
+ allow $1 portage_tmp_t:dir relabel_dir_perms;
manage_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
manage_lnk_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2016-12-06 13:39 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2016-12-06 14:25 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-12-06 14:25 UTC (permalink / raw
To: gentoo-commits
commit: 4c91124f97d8669fa37ea1b4def8cf36124d8661
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Oct 27 14:59:49 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 13:19:40 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4c91124f
gpg: add new socket paths
GPG 2.1 has sockets in /run/user/UID/gnupg/ and
~/.gnupg/S.gpg-agent{,.ssh}.
also allow pinentry to dbus chat gkeyring
policy/modules/contrib/gpg.fc | 4 ++++
policy/modules/contrib/gpg.if | 4 ++++
policy/modules/contrib/gpg.te | 8 ++++++++
3 files changed, 16 insertions(+)
diff --git a/policy/modules/contrib/gpg.fc b/policy/modules/contrib/gpg.fc
index 888cd2c..3f1d1d2 100644
--- a/policy/modules/contrib/gpg.fc
+++ b/policy/modules/contrib/gpg.fc
@@ -1,5 +1,7 @@
HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg/S\.gpg-agent -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg/S\.gpg-agent\.ssh -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
@@ -8,3 +10,5 @@ HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
+
+/var/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
index 0370dd1..5f4cefc 100644
--- a/policy/modules/contrib/gpg.if
+++ b/policy/modules/contrib/gpg.if
@@ -205,9 +205,13 @@ interface(`gpg_rw_agent_pipes',`
interface(`gpg_stream_connect_agent',`
gen_require(`
type gpg_agent_t, gpg_agent_tmp_t;
+ type gpg_secret_t;
')
stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
+ allow $1 gpg_secret_t:dir search_dir_perms;
+ userdom_search_user_runtime($1)
+ userdom_search_user_home_dirs($1)
')
########################################
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index c62a7f3..441d696 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -229,6 +229,8 @@ manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
+filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent")
+filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
@@ -250,6 +252,8 @@ miscfiles_read_localization(gpg_agent_t)
userdom_use_user_terminals(gpg_agent_t)
userdom_search_user_home_dirs(gpg_agent_t)
+userdom_search_user_runtime(gpg_agent_t)
+userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
ifdef(`hide_broken_symptoms',`
userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
@@ -347,6 +351,10 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
dbus_all_session_bus_client(gpg_pinentry_t)
dbus_system_bus_client(gpg_pinentry_t)
+
+ optional_policy(`
+ gnome_dbus_chat_all_gkeyringd(gpg_pinentry_t)
+ ')
')
optional_policy(`
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-12-06 14:25 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-12-06 14:25 UTC (permalink / raw
To: gentoo-commits
commit: ae3bfe124e68c7131845e445b6c47e7d66917176
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Aug 13 16:37:55 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 14:20:26 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ae3bfe12
virt: kernel_read_system_state
policy/modules/contrib/virt.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index a29f333..0adbdb1 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
+kernel_read_system_state(virtlockd_t)
+
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
@@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
can_exec(virtlogd_t, virtlogd_exec_t)
+kernel_read_system_state(virtlogd_t)
+
files_read_etc_files(virtlogd_t)
files_list_var_lib(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-12-06 14:25 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-12-06 14:25 UTC (permalink / raw
To: gentoo-commits
commit: 7303b15c0ee625b3c2b630d49eb455a37b225cc9
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 27 20:44:51 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 14:20:25 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7303b15c
virt: virtlockd doesnt need ps_process_pattern
policy/modules/contrib/virt.te | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 16c2970..dc4c94d 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
allow virtlockd_t self:capability dac_override;
allow virtlockd_t self:fifo_file rw_fifo_file_perms;
+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
allow virtlockd_t virt_image_type:dir list_dir_perms;
allow virtlockd_t virt_image_type:file rw_file_perms;
@@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
-ps_process_pattern(virtlockd_t, virtd_t)
-
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-12-06 14:25 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-12-06 14:25 UTC (permalink / raw
To: gentoo-commits
commit: 6b15d13e6b4ec1c7c9db9b0558bc56719e42e538
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Aug 11 05:49:02 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 14:20:26 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6b15d13e
virt: need to relabel to set categories
libvirtError: unable to set security context
'system_u:object_r:svirt_image_t:s0:c50,c346' on
'/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied
policy/modules/contrib/virt.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index dc4c94d..a29f333 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
allow virtd_t virtd_keytab_t:file read_file_perms;
allow virtd_t svirt_var_run_t:file relabel_file_perms;
+allow virtd_t svirt_var_run_t:dir relabel_dir_perms;
manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-12-06 14:25 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-12-06 14:25 UTC (permalink / raw
To: gentoo-commits
commit: 584f2d47e1eb6d0ce23e9057899913366038f170
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu May 12 16:49:07 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 14:20:25 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=584f2d47
virt: add policy for virtlogd
policy/modules/contrib/virt.fc | 1 +
policy/modules/contrib/virt.te | 42 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 43 insertions(+)
diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index f7e0ce8..7d9456a 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)
/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index c45ba2d..16c2970 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
type virtlockd_var_lib_t;
files_type(virtlockd_var_lib_t)
+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh)
')
ifdef(`enable_mls',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh)
')
########################################
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
allow virt_domain virtd_t:process sigchld;
+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
dontaudit virt_domain virtd_t:unix_stream_socket { read write };
manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
@@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto };
allow virtd_t svirt_lxc_domain:process signal_perms;
+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
allow virtd_t virtd_lxc_t:process { signal signull sigkill };
domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
@@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
can_exec(virtd_t, virt_tmp_t)
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t)
virt_append_log(virtlockd_t)
virt_read_config(virtlockd_t)
+
+########################################
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+virt_manage_log(virtlogd_t)
+virt_read_config(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-12-06 14:25 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-12-06 14:25 UTC (permalink / raw
To: gentoo-commits
commit: acec90e60dfa2f47ee6fb883ec25baed3868aa8e
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Oct 26 05:35:36 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 14:20:13 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=acec90e6
gnome: add gentoo-specific gkeyring fcontext
policy/modules/contrib/gnome.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/gnome.fc b/policy/modules/contrib/gnome.fc
index cd2ead4..f31230e 100644
--- a/policy/modules/contrib/gnome.fc
+++ b/policy/modules/contrib/gnome.fc
@@ -26,4 +26,5 @@ ifdef(`distro_gentoo',`
HOME_DIR/\.config/dconf(/.*)? gen_context(system_u:object_r:gnome_xdg_config_home_t,s0)
HOME_DIR/\.cache/dconf(/.*)? gen_context(system_u:object_r:gnome_xdg_cache_home_t,s0)
HOME_DIR/\.cache/keyring-.* gen_context(system_u:object_r:gnome_xdg_cache_home_t,s0)
+HOME_DIR/\.local/share/keyrings(/.*)? gen_context(system_u:object_r:gnome_xdg_data_home_t,s0)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-12-06 14:25 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-12-06 14:25 UTC (permalink / raw
To: gentoo-commits
commit: c89c889375b5c537d25fc10eea57fd75426226bc
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Aug 31 15:03:49 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 14:20:26 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c89c8893
WIP virt: image type perms
policy/modules/contrib/virt.te | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 0adbdb1..aec85ea 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
allow virtd_t virt_ptynode:chr_file rw_term_perms;
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, svirt_var_run_t, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-12-06 15:10 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-12-06 15:10 UTC (permalink / raw
To: gentoo-commits
commit: 6fec98ded6c9bda1c731ab48a87265ace6cc43b1
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Dec 6 15:00:17 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 15:02:34 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6fec98de
portage: add signal and FEATURES=test perms
policy/modules/contrib/portage.te | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 19bd8c8..52c6bf9 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -436,6 +436,8 @@ gen_tunable(portage_enable_test, false)
allow portage_t self:capability2 block_suspend;
+ allow portage_t { portage_fetch_t portage_sandbox_t }:process signal_perms;
+
# Support self-update of Portage
allow portage_t portage_tmp_t:dir relabel_dir_perms;
allow portage_t portage_tmp_t:lnk_file relabel_lnk_file_perms;
@@ -490,9 +492,12 @@ gen_tunable(portage_enable_test, false)
tunable_policy(`portage_enable_test',`
# lots of tests connect over loopback
- corenet_tcp_bind_generic_node(portage_sandbox_t)
corenet_tcp_bind_all_unreserved_ports(portage_sandbox_t)
+ corenet_tcp_bind_generic_node(portage_sandbox_t)
corenet_tcp_connect_all_unreserved_ports(portage_sandbox_t)
+ corenet_udp_bind_all_unreserved_ports(portage_sandbox_t)
+ corenet_udp_bind_generic_node(portage_sandbox_t)
+ corenet_udp_sendrecv_all_ports(portage_sandbox_t)
')
##########################################
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-12-06 15:10 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-12-06 15:10 UTC (permalink / raw
To: gentoo-commits
commit: d2badac562857104a03bb38f79c3b08c138bf4e2
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Aug 13 16:37:55 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 15:02:54 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d2badac5
virt: kernel_read_system_state
policy/modules/contrib/virt.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index a29f333..0adbdb1 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
+kernel_read_system_state(virtlockd_t)
+
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
@@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
can_exec(virtlogd_t, virtlogd_exec_t)
+kernel_read_system_state(virtlogd_t)
+
files_read_etc_files(virtlogd_t)
files_list_var_lib(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-12-06 15:10 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-12-06 15:10 UTC (permalink / raw
To: gentoo-commits
commit: d1fbfee8d08f96007893d2c06440077de0048d7f
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Aug 31 15:03:49 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 15:02:54 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d1fbfee8
WIP virt: image type perms
policy/modules/contrib/virt.te | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 0adbdb1..fd357c4 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',`
#
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched };
allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
allow virtd_t self:tcp_socket { accept listen };
@@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
allow virtd_t virt_ptynode:chr_file rw_term_perms;
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
@@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',`
tunable_policy(`virt_use_vfio',`
allow virtd_t self:capability sys_resource;
- allow virtd_t self:process setrlimit;
allow virtd_t svirt_t:process rlimitinh;
dev_relabelfrom_vfio_dev(virtd_t)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-12-06 15:10 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-12-06 15:10 UTC (permalink / raw
To: gentoo-commits
commit: 7e6d0d5e769320d3fa752f2082d7314c674c07e4
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 27 20:44:51 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 15:02:54 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7e6d0d5e
virt: virtlockd doesnt need ps_process_pattern
policy/modules/contrib/virt.te | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 16c2970..dc4c94d 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
allow virtlockd_t self:capability dac_override;
allow virtlockd_t self:fifo_file rw_fifo_file_perms;
+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
allow virtlockd_t virt_image_type:dir list_dir_perms;
allow virtlockd_t virt_image_type:file rw_file_perms;
@@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
-ps_process_pattern(virtlockd_t, virtd_t)
-
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-12-06 15:10 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-12-06 15:10 UTC (permalink / raw
To: gentoo-commits
commit: 9986f7e0a077b456cdd833d9508f9125d9313f2b
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu May 12 16:49:07 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 15:02:54 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9986f7e0
virt: add policy for virtlogd
policy/modules/contrib/virt.fc | 1 +
policy/modules/contrib/virt.te | 42 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 43 insertions(+)
diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index f7e0ce8..7d9456a 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)
/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index c45ba2d..16c2970 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
type virtlockd_var_lib_t;
files_type(virtlockd_var_lib_t)
+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh)
')
ifdef(`enable_mls',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh)
')
########################################
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
allow virt_domain virtd_t:process sigchld;
+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
dontaudit virt_domain virtd_t:unix_stream_socket { read write };
manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
@@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto };
allow virtd_t svirt_lxc_domain:process signal_perms;
+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
allow virtd_t virtd_lxc_t:process { signal signull sigkill };
domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
@@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
can_exec(virtd_t, virt_tmp_t)
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t)
virt_append_log(virtlockd_t)
virt_read_config(virtlockd_t)
+
+########################################
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+virt_manage_log(virtlogd_t)
+virt_read_config(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-12-06 15:10 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-12-06 15:10 UTC (permalink / raw
To: gentoo-commits
commit: 4871e1eccd9f29ce8b8beb97e462bf3c506946b4
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Aug 11 05:49:02 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 15:02:54 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4871e1ec
virt: need to relabel to set categories
libvirtError: unable to set security context
'system_u:object_r:svirt_image_t:s0:c50,c346' on
'/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied
policy/modules/contrib/virt.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index dc4c94d..a29f333 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
allow virtd_t virtd_keytab_t:file read_file_perms;
allow virtd_t svirt_var_run_t:file relabel_file_perms;
+allow virtd_t svirt_var_run_t:dir relabel_dir_perms;
manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-12-08 5:03 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-12-08 5:03 UTC (permalink / raw
To: gentoo-commits
commit: 04485a6efa37a46b0b2d4a329f1fc99133bc8728
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Tue Dec 6 20:41:47 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 8 04:47:22 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=04485a6e
Apache OpenOffice module (contrib policy part)
This is a patch that I have created and tested to support Apache
OpenOffice with its own module (contrib policy part, 2/2).
The file contexts (and initial tests) are based on the default
installation path for version 4 of the office suite.
Since the second version it includes revisions from Dominick Grift.
Since the third version it should correctly manage files in home
directories and allow some other major functionality.
The fourth version of the patch introduces a boolean to enable or
disable software updates from the network (application and/or
extensions).
The fifth version of the patch adds the ability to connect to the
X display manager (XDM) using Unix domain sockets (interface
xserver_stream_connect_xdm()). Also the fifth version splits the
whole patch into separate base policy / contrib policy patches as
required.
The sixth version of the patch adds the ability to run the
evolution email application.
The seventh version of the patch, improves the integration with
the evolution email application.
The eighth version of the patch, adds the support for integration
with mozilla and improves the integration with thunderbird.
This nineth version of the patch, avoids auditing some denial
messages.
All released versions are safe to apply, each new version just
brings improved application functionality and better integration
with other desktop applications.
Although this patch has only been tested with Apache OpenOffice
version 4, it might also work with earlier versions (in particular
version 3) or at least it can be easily adapted for the purpose.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/evolution.if | 38 +++++++++++
policy/modules/contrib/evolution.te | 5 ++
policy/modules/contrib/mozilla.te | 5 ++
policy/modules/contrib/openoffice.fc | 30 +++++++++
policy/modules/contrib/openoffice.if | 88 +++++++++++++++++++++++++
policy/modules/contrib/openoffice.te | 120 ++++++++++++++++++++++++++++++++++
policy/modules/contrib/thunderbird.te | 5 ++
7 files changed, 291 insertions(+)
diff --git a/policy/modules/contrib/evolution.if b/policy/modules/contrib/evolution.if
index 7c21ba1..558f68e 100644
--- a/policy/modules/contrib/evolution.if
+++ b/policy/modules/contrib/evolution.if
@@ -107,6 +107,24 @@ interface(`evolution_home_filetrans',`
########################################
## <summary>
+## Read evolution home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`evolution_read_evolution_home_files',`
+ gen_require(`
+ type evolution_t, evolution_home_t;
+ ')
+
+ read_files_pattern($1, evolution_home_t, evolution_home_t)
+')
+
+########################################
+## <summary>
## Connect to evolution using a unix
## domain stream socket.
## </summary>
@@ -188,3 +206,23 @@ interface(`evolution_alarm_dbus_chat',`
allow $1 evolution_alarm_t:dbus send_msg;
allow evolution_alarm_t $1:dbus send_msg;
')
+
+########################################
+## <summary>
+## Make a domain transition to the
+## evolution target domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`evolution_domtrans',`
+ gen_require(`
+ type evolution_t, evolution_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, evolution_exec_t, evolution_t);
+')
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index 1d5421b..e5adf09 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -270,6 +270,11 @@ optional_policy(`
')
optional_policy(`
+ ooffice_domtrans(evolution_t)
+ ooffice_rw_ooffice_tmp_files(evolution_t)
+')
+
+optional_policy(`
spamassassin_exec_spamd(evolution_t)
spamassassin_domtrans_client(evolution_t)
spamassassin_domtrans_local_client(evolution_t)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 1331491..f755c6b 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -273,6 +273,11 @@ optional_policy(`
')
optional_policy(`
+ ooffice_domtrans(mozilla_t)
+ ooffice_rw_ooffice_tmp_files(mozilla_t)
+')
+
+optional_policy(`
pulseaudio_run(mozilla_t, mozilla_roles)
pulseaudio_rw_tmpfs_files(mozilla_t)
pulseaudio_use_fds(mozilla_t)
diff --git a/policy/modules/contrib/openoffice.fc b/policy/modules/contrib/openoffice.fc
new file mode 100644
index 0000000..6613bb4
--- /dev/null
+++ b/policy/modules/contrib/openoffice.fc
@@ -0,0 +1,30 @@
+HOME_DIR/\.openoffice(\.org)?(/.*)? gen_context(system_u:object_r:ooffice_home_t,s0)
+
+/opt/openoffice(.*)?/program/cde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/gnome-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/gnome-open-url\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/javaldx -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/kde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/pagein -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/regcomp\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/regmerge -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/regview -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/sbase -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/scalc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/sdraw -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/senddoc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/simpress -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/smath -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/soffice -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/soffice\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/spadmin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/spadmin\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/startup\.sh -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/swriter -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/uno\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unoinfo -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unopkg -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unopkg\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unpack_update -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/uri-encode -- gen_context(system_u:object_r:ooffice_exec_t,s0)
diff --git a/policy/modules/contrib/openoffice.if b/policy/modules/contrib/openoffice.if
new file mode 100644
index 0000000..e47acf7
--- /dev/null
+++ b/policy/modules/contrib/openoffice.if
@@ -0,0 +1,88 @@
+## <summary>Openoffice suite.</summary>
+
+############################################################
+## <summary>
+## Role access for openoffice.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`ooffice_role',`
+ gen_require(`
+ attribute_role ooffice_roles;
+ type ooffice_t, ooffice_exec_t;
+ ')
+
+ roleattribute $1 ooffice_roles;
+
+ allow ooffice_t $2:unix_stream_socket connectto;
+
+ domtrans_pattern($2, ooffice_exec_t, ooffice_t)
+
+ allow $2 ooffice_t:process { ptrace signal_perms };
+ ps_process_pattern($2, ooffice_t)
+')
+
+########################################
+## <summary>
+## Run openoffice in its own domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ooffice_domtrans',`
+ gen_require(`
+ type ooffice_t, ooffice_exec_t;
+ ')
+
+ domtrans_pattern($1, ooffice_exec_t, ooffice_t)
+')
+
+########################################
+## <summary>
+## Read and write temporary
+## openoffice files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ooffice_rw_ooffice_tmp_files',`
+ gen_require(`
+ type ooffice_tmp_t;
+ ')
+
+ rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to execute
+## files in temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`ooffice_dontaudit_exec_tmp_files',`
+ gen_require(`
+ type ooffice_tmp_t;
+ ')
+
+ dontaudit $1 ooffice_tmp_t:file exec_file_perms;
+')
diff --git a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te
new file mode 100644
index 0000000..1500fd2
--- /dev/null
+++ b/policy/modules/contrib/openoffice.te
@@ -0,0 +1,120 @@
+policy_module(openoffice, 1.0.0)
+
+##############################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether openoffice can
+## download software updates from the
+## network (application and/or
+## extensions).
+## </p>
+## </desc>
+gen_tunable(openoffice_allow_update, true)
+
+attribute_role ooffice_roles;
+
+type ooffice_t;
+type ooffice_exec_t;
+userdom_user_application_domain(ooffice_t, ooffice_exec_t)
+role ooffice_roles types ooffice_t;
+
+type ooffice_home_t;
+userdom_user_home_content(ooffice_home_t)
+
+type ooffice_tmp_t;
+files_tmp_file(ooffice_tmp_t)
+
+##############################
+#
+# Openoffice local policy
+#
+
+allow ooffice_t self:process { execmem getsched signal };
+allow ooffice_t self:shm create_shm_perms;
+allow ooffice_t self:fifo_file rw_fifo_file_perms;
+allow ooffice_t self:unix_stream_socket connectto;
+
+allow ooffice_t ooffice_home_t:dir manage_dir_perms;
+allow ooffice_t ooffice_home_t:file manage_file_perms;
+allow ooffice_t ooffice_home_t:lnk_file manage_lnk_file_perms;
+userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, dir, ".openoffice")
+
+manage_dirs_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+manage_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+manage_sock_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file })
+
+can_exec(ooffice_t, ooffice_exec_t)
+
+corecmd_exec_bin(ooffice_t)
+corecmd_exec_shell(ooffice_t)
+
+dev_read_sysfs(ooffice_t)
+dev_read_urand(ooffice_t)
+
+files_getattr_all_dirs(ooffice_t)
+files_getattr_all_files(ooffice_t)
+files_getattr_all_symlinks(ooffice_t)
+files_read_etc_files(ooffice_t)
+files_read_usr_files(ooffice_t)
+
+fs_getattr_xattr_fs(ooffice_t)
+
+miscfiles_read_fonts(ooffice_t)
+miscfiles_read_localization(ooffice_t)
+
+ooffice_dontaudit_exec_tmp_files(ooffice_t)
+
+sysnet_dns_name_resolve(ooffice_t)
+
+userdom_dontaudit_exec_user_home_content_files(ooffice_t)
+userdom_manage_user_home_content_dirs(ooffice_t)
+userdom_manage_user_home_content_files(ooffice_t)
+userdom_manage_user_home_content_symlinks(ooffice_t)
+userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file lnk_file fifo_file sock_file })
+
+tunable_policy(`openoffice_allow_update',`
+ corenet_tcp_connect_http_port(ooffice_t)
+')
+
+optional_policy(`
+ cups_read_config(ooffice_t)
+ cups_stream_connect(ooffice_t)
+')
+
+optional_policy(`
+ dbus_all_session_bus_client(ooffice_t)
+')
+
+optional_policy(`
+ evolution_domtrans(ooffice_t)
+ evolution_read_evolution_home_files(ooffice_t)
+')
+
+optional_policy(`
+ hostname_exec(ooffice_t)
+')
+
+optional_policy(`
+ java_exec(ooffice_t)
+')
+
+optional_policy(`
+ mozilla_domtrans(ooffice_t)
+')
+
+optional_policy(`
+ thunderbird_domtrans(ooffice_t)
+')
+
+optional_policy(`
+ xserver_read_user_iceauth(ooffice_t)
+ xserver_read_user_xauth(ooffice_t)
+ xserver_read_xdm_tmp_files(ooffice_t)
+ xserver_stream_connect(ooffice_t)
+ xserver_stream_connect_xdm(ooffice_t)
+')
diff --git a/policy/modules/contrib/thunderbird.te b/policy/modules/contrib/thunderbird.te
index cbf9e39..844d07f 100644
--- a/policy/modules/contrib/thunderbird.te
+++ b/policy/modules/contrib/thunderbird.te
@@ -207,3 +207,8 @@ ifdef(`distro_gentoo',`
pulseaudio_client_domain(thunderbird_t, thunderbird_tmpfs_t)
')
')
+
+optional_policy(`
+ ooffice_domtrans(thunderbird_t)
+ ooffice_rw_ooffice_tmp_files(thunderbird_t)
+')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-12-08 5:03 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-12-08 5:03 UTC (permalink / raw
To: gentoo-commits
commit: 19cc0dd3e22ff760557458a606aae28875bca190
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Aug 31 15:03:49 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 8 05:03:22 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=19cc0dd3
WIP virt: image type perms
policy/modules/contrib/virt.te | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 0adbdb1..fd357c4 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',`
#
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched };
allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
allow virtd_t self:tcp_socket { accept listen };
@@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
allow virtd_t virt_ptynode:chr_file rw_term_perms;
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
@@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',`
tunable_policy(`virt_use_vfio',`
allow virtd_t self:capability sys_resource;
- allow virtd_t self:process setrlimit;
allow virtd_t svirt_t:process rlimitinh;
dev_relabelfrom_vfio_dev(virtd_t)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-12-08 5:03 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-12-08 5:03 UTC (permalink / raw
To: gentoo-commits
commit: e19b33854b5d4f302dbc12bad9810be29c4e45a5
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu May 12 16:49:07 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 8 05:03:22 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e19b3385
virt: add policy for virtlogd
policy/modules/contrib/virt.fc | 1 +
policy/modules/contrib/virt.te | 42 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 43 insertions(+)
diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index f7e0ce8..7d9456a 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)
/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index c45ba2d..16c2970 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
type virtlockd_var_lib_t;
files_type(virtlockd_var_lib_t)
+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh)
')
ifdef(`enable_mls',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh)
')
########################################
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
allow virt_domain virtd_t:process sigchld;
+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
dontaudit virt_domain virtd_t:unix_stream_socket { read write };
manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
@@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto };
allow virtd_t svirt_lxc_domain:process signal_perms;
+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
allow virtd_t virtd_lxc_t:process { signal signull sigkill };
domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
@@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
can_exec(virtd_t, virt_tmp_t)
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t)
virt_append_log(virtlockd_t)
virt_read_config(virtlockd_t)
+
+########################################
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+virt_manage_log(virtlogd_t)
+virt_read_config(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-12-08 5:03 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-12-08 5:03 UTC (permalink / raw
To: gentoo-commits
commit: c57aed9da88efe8523e7705544c697246e3c42ec
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Aug 13 16:37:55 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 8 05:03:22 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c57aed9d
virt: kernel_read_system_state
policy/modules/contrib/virt.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index a29f333..0adbdb1 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
+kernel_read_system_state(virtlockd_t)
+
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
@@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
can_exec(virtlogd_t, virtlogd_exec_t)
+kernel_read_system_state(virtlogd_t)
+
files_read_etc_files(virtlogd_t)
files_list_var_lib(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2016-12-08 4:47 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2016-12-08 5:03 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-12-08 5:03 UTC (permalink / raw
To: gentoo-commits
commit: 571467b17b4ed06c9cac315d7d74f02851af398c
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Dec 7 01:18:56 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 8 04:47:22 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=571467b1
Module version bumps for openoffice patches from Guido Trentalancia.
policy/modules/contrib/evolution.te | 2 +-
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/contrib/thunderbird.te | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index e5adf09..64cc6a6 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -1,4 +1,4 @@
-policy_module(evolution, 2.5.0)
+policy_module(evolution, 2.5.1)
########################################
#
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index f755c6b..20fc82e 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.10.0)
+policy_module(mozilla, 2.10.1)
########################################
#
diff --git a/policy/modules/contrib/thunderbird.te b/policy/modules/contrib/thunderbird.te
index 844d07f..52192c0 100644
--- a/policy/modules/contrib/thunderbird.te
+++ b/policy/modules/contrib/thunderbird.te
@@ -1,4 +1,4 @@
-policy_module(thunderbird, 2.4.0)
+policy_module(thunderbird, 2.4.1)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-12-08 5:03 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-12-08 5:03 UTC (permalink / raw
To: gentoo-commits
commit: 9874317d0b74d1320f5e2910f5d336ee4534d9e1
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 27 20:44:51 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 8 05:03:22 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9874317d
virt: virtlockd doesnt need ps_process_pattern
policy/modules/contrib/virt.te | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 16c2970..dc4c94d 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
allow virtlockd_t self:capability dac_override;
allow virtlockd_t self:fifo_file rw_fifo_file_perms;
+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
allow virtlockd_t virt_image_type:dir list_dir_perms;
allow virtlockd_t virt_image_type:file rw_file_perms;
@@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
-ps_process_pattern(virtlockd_t, virtd_t)
-
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-12-08 5:03 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2016-12-08 5:03 UTC (permalink / raw
To: gentoo-commits
commit: da274ceda489c560cb8bc471e6327e748c8b30e8
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Aug 11 05:49:02 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 8 05:03:22 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=da274ced
virt: need to relabel to set categories
libvirtError: unable to set security context
'system_u:object_r:svirt_image_t:s0:c50,c346' on
'/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied
policy/modules/contrib/virt.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index dc4c94d..a29f333 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
allow virtd_t virtd_keytab_t:file read_file_perms;
allow virtd_t svirt_var_run_t:file relabel_file_perms;
+allow virtd_t svirt_var_run_t:dir relabel_dir_perms;
manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-01-01 16:37 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-01-01 16:37 UTC (permalink / raw
To: gentoo-commits
commit: d313346330e8329dba085cc1f98a32538e0df08c
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Aug 11 05:49:02 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 1 16:37:17 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d3133463
virt: need to relabel to set categories
libvirtError: unable to set security context
'system_u:object_r:svirt_image_t:s0:c50,c346' on
'/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied
policy/modules/contrib/virt.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 53233cb..073bdc7 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
allow virtd_t virtd_keytab_t:file read_file_perms;
allow virtd_t svirt_var_run_t:file relabel_file_perms;
+allow virtd_t svirt_var_run_t:dir relabel_dir_perms;
manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-01-01 16:37 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-01-01 16:37 UTC (permalink / raw
To: gentoo-commits
commit: 25870fced7fd72db22bccb30f4f9964d2a51d548
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Aug 31 15:03:49 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 1 16:37:17 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=25870fce
WIP virt: image type perms
policy/modules/contrib/virt.te | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index d68ea34..f6bc770 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',`
#
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched };
allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
allow virtd_t self:tcp_socket { accept listen };
@@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
allow virtd_t virt_ptynode:chr_file rw_term_perms;
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
@@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',`
tunable_policy(`virt_use_vfio',`
allow virtd_t self:capability sys_resource;
- allow virtd_t self:process setrlimit;
allow virtd_t svirt_t:process rlimitinh;
dev_relabelfrom_vfio_dev(virtd_t)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-01-01 16:37 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-01-01 16:37 UTC (permalink / raw
To: gentoo-commits
commit: b408a4f834ead0cf75539fcdd31f947c7841ec9a
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 27 20:44:51 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 1 16:37:17 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b408a4f8
virt: virtlockd doesnt need ps_process_pattern
policy/modules/contrib/virt.te | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 0924307..53233cb 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
allow virtlockd_t self:capability dac_override;
allow virtlockd_t self:fifo_file rw_fifo_file_perms;
+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
allow virtlockd_t virt_image_type:dir list_dir_perms;
allow virtlockd_t virt_image_type:file rw_file_perms;
@@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
-ps_process_pattern(virtlockd_t, virtd_t)
-
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-01-01 16:37 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-01-01 16:37 UTC (permalink / raw
To: gentoo-commits
commit: 200b4f8675cf7052c0465df698acc5bb086e84fa
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Aug 13 16:37:55 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 1 16:37:17 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=200b4f86
virt: kernel_read_system_state
policy/modules/contrib/virt.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 073bdc7..d68ea34 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
+kernel_read_system_state(virtlockd_t)
+
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
@@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
can_exec(virtlogd_t, virtlogd_exec_t)
+kernel_read_system_state(virtlogd_t)
+
files_read_etc_files(virtlogd_t)
files_list_var_lib(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-01-01 16:37 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-01-01 16:37 UTC (permalink / raw
To: gentoo-commits
commit: 8785c8c6eb78bf8ab2e6cf915065b3dff243b56e
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu May 12 16:49:07 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 1 16:37:17 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8785c8c6
virt: add policy for virtlogd
policy/modules/contrib/virt.fc | 1 +
policy/modules/contrib/virt.te | 42 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 43 insertions(+)
diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index 22c1ed7..dca262a 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)
/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 41a352d..0924307 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
type virtlockd_var_lib_t;
files_type(virtlockd_var_lib_t)
+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh)
')
ifdef(`enable_mls',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh)
')
########################################
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
allow virt_domain virtd_t:process sigchld;
+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
dontaudit virt_domain virtd_t:unix_stream_socket { read write };
manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
@@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto };
allow virtd_t svirt_lxc_domain:process signal_perms;
+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
allow virtd_t virtd_lxc_t:process { signal signull sigkill };
domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
@@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
can_exec(virtd_t, virt_tmp_t)
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t)
virt_append_log(virtlockd_t)
virt_read_config(virtlockd_t)
+
+########################################
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+virt_manage_log(virtlogd_t)
+virt_read_config(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-01-01 16:47 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-01-01 16:47 UTC (permalink / raw
To: gentoo-commits
commit: 057adccd201fedd6e465395554d1283eeb9d0ef4
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Aug 13 16:37:55 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 1 16:41:45 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=057adccd
virt: kernel_read_system_state
policy/modules/contrib/virt.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 073bdc7..d68ea34 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
+kernel_read_system_state(virtlockd_t)
+
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
@@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
can_exec(virtlogd_t, virtlogd_exec_t)
+kernel_read_system_state(virtlogd_t)
+
files_read_etc_files(virtlogd_t)
files_list_var_lib(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-01-01 16:47 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-01-01 16:47 UTC (permalink / raw
To: gentoo-commits
commit: 825f87ccd353ab7d66bb41c5cb1905d89654fce0
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Aug 31 15:03:49 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 1 16:41:45 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=825f87cc
WIP virt: image type perms
policy/modules/contrib/virt.te | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index d68ea34..f6bc770 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',`
#
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched };
allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
allow virtd_t self:tcp_socket { accept listen };
@@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
allow virtd_t virt_ptynode:chr_file rw_term_perms;
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
@@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',`
tunable_policy(`virt_use_vfio',`
allow virtd_t self:capability sys_resource;
- allow virtd_t self:process setrlimit;
allow virtd_t svirt_t:process rlimitinh;
dev_relabelfrom_vfio_dev(virtd_t)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-01-01 16:47 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-01-01 16:47 UTC (permalink / raw
To: gentoo-commits
commit: 7a4066298de57f3bec0ff28a6a261e893b4f509b
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Aug 11 05:49:02 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 1 16:41:45 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7a406629
virt: need to relabel to set categories
libvirtError: unable to set security context
'system_u:object_r:svirt_image_t:s0:c50,c346' on
'/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied
policy/modules/contrib/virt.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 53233cb..073bdc7 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
allow virtd_t virtd_keytab_t:file read_file_perms;
allow virtd_t svirt_var_run_t:file relabel_file_perms;
+allow virtd_t svirt_var_run_t:dir relabel_dir_perms;
manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-01-01 16:47 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-01-01 16:47 UTC (permalink / raw
To: gentoo-commits
commit: aab0a8a125baba6defd5178025d458ffbd29f5e5
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 27 20:44:51 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 1 16:41:45 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=aab0a8a1
virt: virtlockd doesnt need ps_process_pattern
policy/modules/contrib/virt.te | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 0924307..53233cb 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
allow virtlockd_t self:capability dac_override;
allow virtlockd_t self:fifo_file rw_fifo_file_perms;
+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
allow virtlockd_t virt_image_type:dir list_dir_perms;
allow virtlockd_t virt_image_type:file rw_file_perms;
@@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
-ps_process_pattern(virtlockd_t, virtd_t)
-
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-01-01 16:47 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-01-01 16:47 UTC (permalink / raw
To: gentoo-commits
commit: 0689d4afa74c089cc196125380526a7e82d87b6a
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu May 12 16:49:07 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 1 16:41:45 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0689d4af
virt: add policy for virtlogd
policy/modules/contrib/virt.fc | 1 +
policy/modules/contrib/virt.te | 42 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 43 insertions(+)
diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index 22c1ed7..dca262a 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)
/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 41a352d..0924307 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
type virtlockd_var_lib_t;
files_type(virtlockd_var_lib_t)
+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh)
')
ifdef(`enable_mls',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh)
')
########################################
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
allow virt_domain virtd_t:process sigchld;
+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
dontaudit virt_domain virtd_t:unix_stream_socket { read write };
manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
@@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto };
allow virtd_t svirt_lxc_domain:process signal_perms;
+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
allow virtd_t virtd_lxc_t:process { signal signull sigkill };
domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
@@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
can_exec(virtd_t, virt_tmp_t)
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t)
virt_append_log(virtlockd_t)
virt_read_config(virtlockd_t)
+
+########################################
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+virt_manage_log(virtlogd_t)
+virt_read_config(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-17 8:50 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-17 8:50 UTC (permalink / raw
To: gentoo-commits
commit: 37f95ed3c925df8ef1618ecb30274f5210d69665
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Feb 5 16:12:27 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:38:49 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=37f95ed3
java: update fcontexts for new versions of icedtea
icedtea8 is the current version, but use a regex so any future versions
work too.
policy/modules/contrib/java.fc | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/java.fc b/policy/modules/contrib/java.fc
index 7958f819..d2984281 100644
--- a/policy/modules/contrib/java.fc
+++ b/policy/modules/contrib/java.fc
@@ -22,7 +22,8 @@ HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:java_home_t,s0)
/usr/lib/bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/lib/eclipse/eclipse -- gen_context(system_u:object_r:java_exec_t,s0)
-/usr/lib/icedtea[67]/bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/icedtea[0-9]+/bin/.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/icedtea[0-9]+/jre/bin/.* -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2017-02-17 8:44 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-02-17 8:50 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-17 8:50 UTC (permalink / raw
To: gentoo-commits
commit: e010b2f40c2154410caae30c736c54fc20efb2ee
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Feb 15 23:44:26 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:38:49 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e010b2f4
Module version bump for cups revert.
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/lpd.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 8810656d..c90e2120 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.21.2)
+policy_module(cups, 1.21.3)
########################################
#
diff --git a/policy/modules/contrib/lpd.te b/policy/modules/contrib/lpd.te
index 11daaf6c..fc70ff9e 100644
--- a/policy/modules/contrib/lpd.te
+++ b/policy/modules/contrib/lpd.te
@@ -1,4 +1,4 @@
-policy_module(lpd, 1.15.1)
+policy_module(lpd, 1.15.2)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-17 8:50 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-17 8:50 UTC (permalink / raw
To: gentoo-commits
commit: accbff6fa3d2188818a6f0d5c8d64bb82a58d46b
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Thu Feb 9 16:20:53 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:38:49 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=accbff6f
mozilla: allow stream connections to cups so that it can print
Let mozilla connect to cups using socket files so that it is
possible to print.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/mozilla.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 9eb99c30..16452264 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -237,6 +237,7 @@ optional_policy(`
optional_policy(`
cups_read_rw_config(mozilla_t)
+ cups_stream_connect(mozilla_t)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-17 8:50 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-17 8:50 UTC (permalink / raw
To: gentoo-commits
commit: f5d92d4af9bd6a2688884494681381e08644e698
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Feb 8 22:06:44 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:38:49 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f5d92d4a
mon policy from Russell Coker.
policy/modules/contrib/gpm.if | 1 +
policy/modules/contrib/gpm.te | 2 +-
policy/modules/contrib/mon.fc | 11 +++
policy/modules/contrib/mon.if | 1 +
policy/modules/contrib/mon.te | 223 ++++++++++++++++++++++++++++++++++++++++++
5 files changed, 237 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/gpm.if b/policy/modules/contrib/gpm.if
index b9a47431..356fb6d1 100644
--- a/policy/modules/contrib/gpm.if
+++ b/policy/modules/contrib/gpm.if
@@ -38,6 +38,7 @@ interface(`gpm_getattr_gpmctl',`
dev_list_all_dev_nodes($1)
allow $1 gpmctl_t:sock_file getattr_sock_file_perms;
+ allow $1 gpmctl_t:fifo_file getattr_fifo_file_perms;
')
########################################
diff --git a/policy/modules/contrib/gpm.te b/policy/modules/contrib/gpm.te
index 087ddcef..5cbfa3a6 100644
--- a/policy/modules/contrib/gpm.te
+++ b/policy/modules/contrib/gpm.te
@@ -1,4 +1,4 @@
-policy_module(gpm, 1.11.0)
+policy_module(gpm, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/mon.fc b/policy/modules/contrib/mon.fc
new file mode 100644
index 00000000..fa179dd8
--- /dev/null
+++ b/policy/modules/contrib/mon.fc
@@ -0,0 +1,11 @@
+/usr/lib/mon/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
+/usr/lib/mon/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
+/usr/lib/mon-contrib/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
+/usr/lib/mon-contrib/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
+
+/usr/sbin/mon -- gen_context(system_u:object_r:mon_exec_t,s0)
+
+/var/run/mon(/.*)? gen_context(system_u:object_r:mon_var_run_t,s0)
+
+/var/lib/mon(/.*)? gen_context(system_u:object_r:mon_var_lib_t,s0)
+/var/log/mon(/.*)? gen_context(system_u:object_r:mon_var_log_t,s0)
diff --git a/policy/modules/contrib/mon.if b/policy/modules/contrib/mon.if
new file mode 100644
index 00000000..d9aee2be
--- /dev/null
+++ b/policy/modules/contrib/mon.if
@@ -0,0 +1 @@
+## <summary>mon network monitoring daemon.</summary>
diff --git a/policy/modules/contrib/mon.te b/policy/modules/contrib/mon.te
new file mode 100644
index 00000000..c685ac26
--- /dev/null
+++ b/policy/modules/contrib/mon.te
@@ -0,0 +1,223 @@
+policy_module(mon, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type mon_t;
+type mon_exec_t;
+init_daemon_domain(mon_t, mon_exec_t)
+
+type mon_net_test_t;
+typealias mon_net_test_t alias mon_test_t;
+type mon_net_test_exec_t;
+typealias mon_net_test_exec_t alias mon_test_exec_t;
+
+domain_type(mon_net_test_t)
+domain_entry_file(mon_net_test_t, mon_net_test_exec_t)
+role system_r types mon_net_test_t;
+domtrans_pattern(mon_t, mon_net_test_exec_t, mon_net_test_t)
+
+type mon_local_test_t;
+type mon_local_test_exec_t;
+domain_type(mon_local_test_t)
+domain_entry_file(mon_local_test_t, mon_local_test_exec_t)
+role system_r types mon_local_test_t;
+
+type mon_var_run_t;
+files_pid_file(mon_var_run_t)
+
+type mon_var_lib_t;
+files_type(mon_var_lib_t)
+
+type mon_var_log_t;
+logging_log_file(mon_var_log_t)
+
+type mon_tmp_t;
+files_tmp_file(mon_tmp_t)
+
+########################################
+#
+# Local policy
+# mon_t is for the main mon process and for sending alerts
+#
+
+allow mon_t self:fifo_file rw_fifo_file_perms;
+allow mon_t self:tcp_socket create_stream_socket_perms;
+
+domtrans_pattern(mon_t, mon_local_test_exec_t, mon_local_test_t)
+
+manage_dirs_pattern(mon_t, mon_tmp_t, mon_tmp_t)
+manage_files_pattern(mon_t, mon_tmp_t, mon_tmp_t)
+files_tmp_filetrans(mon_t, mon_tmp_t, { file dir })
+
+manage_files_pattern(mon_t, mon_var_lib_t, mon_var_lib_t)
+
+manage_files_pattern(mon_t, mon_var_log_t, mon_var_log_t)
+
+manage_files_pattern(mon_t, mon_var_run_t, mon_var_run_t)
+files_pid_filetrans(mon_t, mon_var_run_t, file)
+
+kernel_read_kernel_sysctls(mon_t)
+kernel_read_network_state(mon_t)
+kernel_read_system_state(mon_t)
+
+corecmd_exec_bin(mon_t)
+corecmd_exec_shell(mon_t)
+
+corenet_tcp_bind_mon_port(mon_t)
+corenet_udp_bind_mon_port(mon_t)
+corenet_tcp_bind_generic_node(mon_t)
+corenet_udp_bind_generic_node(mon_t)
+corenet_tcp_connect_jabber_client_port(mon_t)
+
+dev_read_urand(mon_t)
+dev_read_sysfs(mon_t)
+
+domain_use_interactive_fds(mon_t)
+
+files_read_etc_files(mon_t)
+files_read_etc_runtime_files(mon_t)
+files_read_usr_files(mon_t)
+
+fs_getattr_all_fs(mon_t)
+fs_search_auto_mountpoints(mon_t)
+
+term_dontaudit_search_ptys(mon_t)
+
+application_signull(mon_t)
+
+init_read_utmp(mon_t)
+
+logging_send_syslog_msg(mon_t)
+logging_search_logs(mon_t)
+
+miscfiles_read_localization(mon_t)
+
+sysnet_dns_name_resolve(mon_t)
+
+userdom_dontaudit_use_unpriv_user_fds(mon_t)
+userdom_dontaudit_search_user_home_dirs(mon_t)
+
+optional_policy(`
+ mta_send_mail(mon_t)
+')
+
+########################################
+#
+# Local policy
+# mon_net_test_t is for running tests that need network access
+#
+
+allow mon_net_test_t self:fifo_file rw_file_perms;
+
+can_exec(mon_net_test_t, mon_net_test_exec_t)
+manage_files_pattern(mon_net_test_t, mon_var_lib_t, mon_var_lib_t)
+
+kernel_dontaudit_getattr_core_if(mon_net_test_t)
+kernel_getattr_proc(mon_net_test_t)
+kernel_read_system_state(mon_net_test_t)
+
+corecmd_exec_bin(mon_net_test_t)
+corecmd_exec_shell(mon_net_test_t)
+
+corenet_tcp_connect_all_ports(mon_net_test_t)
+corenet_udp_bind_generic_node(mon_net_test_t)
+
+dev_dontaudit_getattr_all_chr_files(mon_net_test_t)
+dev_getattr_sysfs(mon_net_test_t)
+dev_read_sysfs(mon_net_test_t)
+dev_read_urand(mon_net_test_t)
+
+files_read_usr_files(mon_net_test_t)
+
+fs_getattr_xattr_fs(mon_net_test_t)
+
+auth_use_nsswitch(mon_net_test_t)
+
+miscfiles_read_certs(mon_net_test_t)
+miscfiles_read_localization(mon_net_test_t)
+
+netutils_domtrans_ping(mon_net_test_t)
+
+sysnet_read_config(mon_net_test_t)
+
+optional_policy(`
+ bind_read_zone(mon_net_test_t)
+')
+
+########################################
+#
+# Local policy
+# mon_local_test_t is for running tests that don't need network access
+# this domain has much more access to the local system!
+#
+# try not to use dontaudit rules for this
+#
+
+allow mon_local_test_t self:capability sys_admin;
+allow mon_local_test_t self:fifo_file rw_file_perms;
+
+can_exec(mon_local_test_t, mon_local_test_exec_t)
+
+manage_files_pattern(mon_local_test_t, mon_var_lib_t, mon_var_lib_t)
+
+kernel_dontaudit_getattr_core_if(mon_local_test_t)
+kernel_getattr_proc(mon_local_test_t)
+kernel_read_software_raid_state(mon_local_test_t)
+kernel_read_system_state(mon_local_test_t)
+
+corecmd_exec_bin(mon_local_test_t)
+corecmd_exec_shell(mon_local_test_t)
+
+dev_dontaudit_getattr_all_chr_files(mon_local_test_t)
+dev_getattr_sysfs(mon_local_test_t)
+dev_read_urand(mon_local_test_t)
+dev_read_sysfs(mon_local_test_t)
+
+domain_read_all_domains_state(mon_local_test_t)
+
+files_read_usr_files(mon_local_test_t)
+files_search_mnt(mon_local_test_t)
+files_search_spool(mon_local_test_t)
+files_list_boot(mon_local_test_t)
+
+fs_search_auto_mountpoints(mon_local_test_t)
+fs_getattr_nfs(mon_local_test_t)
+fs_getattr_xattr_fs(mon_local_test_t)
+fs_list_hugetlbfs(mon_local_test_t)
+fs_list_tmpfs(mon_local_test_t)
+fs_search_nfs(mon_local_test_t)
+
+storage_getattr_fixed_disk_dev(mon_local_test_t)
+storage_getattr_removable_dev(mon_local_test_t)
+
+term_getattr_generic_ptys(mon_local_test_t)
+term_list_ptys(mon_local_test_t)
+
+application_exec_all(mon_local_test_t)
+
+auth_use_nsswitch(mon_local_test_t)
+
+init_getattr_initctl(mon_local_test_t)
+
+logging_send_syslog_msg(mon_local_test_t)
+
+miscfiles_read_localization(mon_local_test_t)
+
+rpc_read_nfs_content(mon_local_test_t)
+
+sysnet_read_config(mon_local_test_t)
+
+optional_policy(`
+ gpm_getattr_gpmctl(mon_local_test_t)
+')
+
+optional_policy(`
+ postfix_search_spool(mon_local_test_t)
+')
+
+optional_policy(`
+ xserver_rw_console(mon_local_test_t)
+')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-17 8:50 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-17 8:50 UTC (permalink / raw
To: gentoo-commits
commit: a16a1f6a2712ab32441f676c5bf0041cb8f290db
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Feb 15 23:43:57 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:38:49 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a16a1f6a
Revert "cups/lpd: read permission for cupsd_var_run_t socket files"
This reverts commit 9995442bb5f249c5d666e66e29308d2f8d201049.
policy/modules/contrib/cups.if | 19 -------------------
policy/modules/contrib/lpd.te | 1 -
2 files changed, 20 deletions(-)
diff --git a/policy/modules/contrib/cups.if b/policy/modules/contrib/cups.if
index 1fb79e2b..bd6b77f4 100644
--- a/policy/modules/contrib/cups.if
+++ b/policy/modules/contrib/cups.if
@@ -129,25 +129,6 @@ interface(`cups_read_pid_files',`
########################################
## <summary>
-## Read cups socket files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`cups_read_sock_files',`
- gen_require(`
- type cupsd_var_run_t;
- ')
-
- files_search_pids($1)
- allow $1 cupsd_var_run_t:sock_file read_sock_file_perms;
-')
-
-########################################
-## <summary>
## Execute cups_config in the
## cups config domain.
## </summary>
diff --git a/policy/modules/contrib/lpd.te b/policy/modules/contrib/lpd.te
index 1343b116..11daaf6c 100644
--- a/policy/modules/contrib/lpd.te
+++ b/policy/modules/contrib/lpd.te
@@ -295,7 +295,6 @@ optional_policy(`
cups_read_config(lpr_t)
cups_stream_connect(lpr_t)
cups_read_pid_files(lpr_t)
- cups_read_sock_files(lpr_t)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2017-02-17 8:44 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-02-17 8:50 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-17 8:50 UTC (permalink / raw
To: gentoo-commits
commit: 68218cecf765be819fade6909ec4a67c6491a7fd
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Feb 14 01:00:28 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:38:49 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=68218cec
Module version bump for tbird and mozilla printing from Guido Trentalancia.
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/contrib/thunderbird.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 16452264..fa651ed4 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.11.0)
+policy_module(mozilla, 2.11.1)
########################################
#
diff --git a/policy/modules/contrib/thunderbird.te b/policy/modules/contrib/thunderbird.te
index 9de96c7c..9f88912c 100644
--- a/policy/modules/contrib/thunderbird.te
+++ b/policy/modules/contrib/thunderbird.te
@@ -1,4 +1,4 @@
-policy_module(thunderbird, 2.5.0)
+policy_module(thunderbird, 2.5.1)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2017-02-17 8:44 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-02-17 8:50 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-17 8:50 UTC (permalink / raw
To: gentoo-commits
commit: 9671bfb441d3b4606c944fceb142ff772309f677
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sat Feb 11 20:13:40 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:38:49 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9671bfb4
cups/lpd: read permission for cupsd_var_run_t socket files
Introduce a new interface in the cups module to read cups socket
files and call such interface from the lpd module.
Thanks to Christpher PeBenito for revising this patch.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/cups.if | 19 +++++++++++++++++++
policy/modules/contrib/lpd.te | 1 +
2 files changed, 20 insertions(+)
diff --git a/policy/modules/contrib/cups.if b/policy/modules/contrib/cups.if
index bd6b77f4..1fb79e2b 100644
--- a/policy/modules/contrib/cups.if
+++ b/policy/modules/contrib/cups.if
@@ -129,6 +129,25 @@ interface(`cups_read_pid_files',`
########################################
## <summary>
+## Read cups socket files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cups_read_sock_files',`
+ gen_require(`
+ type cupsd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 cupsd_var_run_t:sock_file read_sock_file_perms;
+')
+
+########################################
+## <summary>
## Execute cups_config in the
## cups config domain.
## </summary>
diff --git a/policy/modules/contrib/lpd.te b/policy/modules/contrib/lpd.te
index 87984710..480b5e7e 100644
--- a/policy/modules/contrib/lpd.te
+++ b/policy/modules/contrib/lpd.te
@@ -295,6 +295,7 @@ optional_policy(`
cups_read_config(lpr_t)
cups_stream_connect(lpr_t)
cups_read_pid_files(lpr_t)
+ cups_read_sock_files(lpr_t)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-17 8:50 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-17 8:50 UTC (permalink / raw
To: gentoo-commits
commit: 8f528ab68d375086dc9643da8f7e36f78289195c
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Feb 12 18:44:46 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:38:49 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8f528ab6
Module version bump for cups patches from Guido Trentalancia.
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/lpd.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 14a4cfd7..8810656d 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.21.1)
+policy_module(cups, 1.21.2)
########################################
#
diff --git a/policy/modules/contrib/lpd.te b/policy/modules/contrib/lpd.te
index 480b5e7e..1343b116 100644
--- a/policy/modules/contrib/lpd.te
+++ b/policy/modules/contrib/lpd.te
@@ -1,4 +1,4 @@
-policy_module(lpd, 1.15.0)
+policy_module(lpd, 1.15.1)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2017-02-17 8:44 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-02-17 8:50 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-17 8:50 UTC (permalink / raw
To: gentoo-commits
commit: 183984a40e0e043d260bb227c1f78c16ccc9ea12
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Feb 7 23:37:57 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:38:49 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=183984a4
Module version bump for usrmerge FC fixes from Jason Zaman.
policy/modules/contrib/dphysswapfile.te | 2 +-
policy/modules/contrib/fakehwclock.te | 2 +-
policy/modules/contrib/java.te | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/dphysswapfile.te b/policy/modules/contrib/dphysswapfile.te
index 485372a0..26faf67d 100644
--- a/policy/modules/contrib/dphysswapfile.te
+++ b/policy/modules/contrib/dphysswapfile.te
@@ -1,4 +1,4 @@
-policy_module(dphysswapfile, 1.0.0)
+policy_module(dphysswapfile, 1.0.1)
########################################
#
diff --git a/policy/modules/contrib/fakehwclock.te b/policy/modules/contrib/fakehwclock.te
index b5cf6632..5caedf9f 100644
--- a/policy/modules/contrib/fakehwclock.te
+++ b/policy/modules/contrib/fakehwclock.te
@@ -1,4 +1,4 @@
-policy_module(fakehwclock, 1.0.0)
+policy_module(fakehwclock, 1.0.1)
########################################
#
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index 7568835e..722b0826 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -1,4 +1,4 @@
-policy_module(java, 2.9.0)
+policy_module(java, 2.9.1)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2017-02-17 8:44 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-02-17 8:50 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-17 8:50 UTC (permalink / raw
To: gentoo-commits
commit: 909b13c82553151ca1c990c2bef222dbdc90af7b
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Mon Feb 13 19:31:58 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:38:49 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=909b13c8
thunderbird: allow stream connections to cups so that it can print
Let thunderbird connect to cups using socket files so that it is
possible to print.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/thunderbird.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/thunderbird.te b/policy/modules/contrib/thunderbird.te
index 9823d1dd..9de96c7c 100644
--- a/policy/modules/contrib/thunderbird.te
+++ b/policy/modules/contrib/thunderbird.te
@@ -151,6 +151,7 @@ optional_policy(`
optional_policy(`
cups_read_rw_config(thunderbird_t)
+ cups_stream_connect(thunderbird_t)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2017-02-17 8:44 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-02-17 8:50 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-17 8:50 UTC (permalink / raw
To: gentoo-commits
commit: 8ce244028e264e2e86a988345f6dc04ddc164db4
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Thu Feb 9 16:25:15 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:38:49 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8ce24402
cups: read permission for cupsd_var_run_t socket files in cups_stream_connect()
Modify the cups_stream_connect() interface so that it can also
read cupsd_var_run_t socket files in addition to writing them.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/cups.if | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/cups.if b/policy/modules/contrib/cups.if
index 6a2633cb..bd6b77f4 100644
--- a/policy/modules/contrib/cups.if
+++ b/policy/modules/contrib/cups.if
@@ -69,6 +69,7 @@ interface(`cups_stream_connect',`
')
files_search_pids($1)
+ allow $1 cupsd_var_run_t:sock_file read_sock_file_perms;
stream_connect_pattern($1, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-17 8:50 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-17 8:50 UTC (permalink / raw
To: gentoo-commits
commit: 0fd0292db9ceea1cfbf6ae829aa6e261279750fa
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Aug 11 05:49:02 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:45:13 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0fd0292d
virt: need to relabel to set categories
libvirtError: unable to set security context
'system_u:object_r:svirt_image_t:s0:c50,c346' on
'/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied
policy/modules/contrib/virt.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 42e68a29..3da04ef9 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
allow virtd_t virtd_keytab_t:file read_file_perms;
allow virtd_t svirt_var_run_t:file relabel_file_perms;
+allow virtd_t svirt_var_run_t:dir relabel_dir_perms;
manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-17 8:50 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-17 8:50 UTC (permalink / raw
To: gentoo-commits
commit: 135d33ac60262bd59b8080cfa914471e5cd28a16
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Aug 31 15:03:49 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:46:50 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=135d33ac
WIP virt: image type perms
policy/modules/contrib/virt.te | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 0f82a04e..5df86d7b 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',`
#
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched };
allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
allow virtd_t self:tcp_socket { accept listen };
@@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
allow virtd_t virt_ptynode:chr_file rw_term_perms;
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
@@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',`
tunable_policy(`virt_use_vfio',`
allow virtd_t self:capability sys_resource;
- allow virtd_t self:process setrlimit;
allow virtd_t svirt_t:process rlimitinh;
dev_relabelfrom_vfio_dev(virtd_t)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-17 8:50 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-17 8:50 UTC (permalink / raw
To: gentoo-commits
commit: 6c4f7f44b8475c05327146520cc4f3e196f9574c
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Feb 15 23:47:07 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:41:32 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6c4f7f44
Sort capabilities permissions from Russell Coker.
policy/modules/contrib/accountsd.te | 2 +-
policy/modules/contrib/afs.te | 2 +-
policy/modules/contrib/aisexec.te | 2 +-
policy/modules/contrib/alsa.te | 2 +-
policy/modules/contrib/amanda.te | 4 ++--
policy/modules/contrib/amavis.te | 2 +-
policy/modules/contrib/apache.te | 2 +-
policy/modules/contrib/apm.te | 4 ++--
policy/modules/contrib/asterisk.te | 2 +-
policy/modules/contrib/automount.te | 2 +-
policy/modules/contrib/avahi.te | 2 +-
policy/modules/contrib/bacula.te | 2 +-
policy/modules/contrib/bluetooth.te | 2 +-
policy/modules/contrib/boinc.te | 2 +-
policy/modules/contrib/cachefilesd.te | 2 +-
policy/modules/contrib/callweaver.te | 2 +-
policy/modules/contrib/canna.te | 2 +-
policy/modules/contrib/ccs.te | 2 +-
policy/modules/contrib/cdrecord.te | 2 +-
policy/modules/contrib/certmaster.te | 2 +-
policy/modules/contrib/certmonger.te | 2 +-
policy/modules/contrib/cgroup.te | 6 +++---
policy/modules/contrib/chronyd.te | 2 +-
policy/modules/contrib/cipe.te | 2 +-
policy/modules/contrib/clamav.te | 6 +++---
policy/modules/contrib/clockspeed.te | 2 +-
policy/modules/contrib/clogd.te | 2 +-
policy/modules/contrib/cmirrord.te | 2 +-
policy/modules/contrib/colord.te | 2 +-
policy/modules/contrib/comsat.te | 2 +-
policy/modules/contrib/condor.te | 12 ++++++------
policy/modules/contrib/consolekit.te | 2 +-
policy/modules/contrib/corosync.te | 4 ++--
policy/modules/contrib/courier.te | 4 ++--
policy/modules/contrib/cron.te | 6 +++---
policy/modules/contrib/cups.te | 10 +++++-----
policy/modules/contrib/cvs.te | 2 +-
policy/modules/contrib/daemontools.te | 2 +-
policy/modules/contrib/dante.te | 2 +-
policy/modules/contrib/dbus.te | 2 +-
policy/modules/contrib/dcc.te | 4 ++--
policy/modules/contrib/ddcprobe.te | 2 +-
policy/modules/contrib/devicekit.te | 4 ++--
policy/modules/contrib/dhcp.te | 2 +-
policy/modules/contrib/dictd.te | 2 +-
policy/modules/contrib/dnsmasq.te | 2 +-
policy/modules/contrib/dovecot.te | 2 +-
policy/modules/contrib/dpkg.te | 4 ++--
policy/modules/contrib/evolution.te | 2 +-
policy/modules/contrib/exim.te | 2 +-
policy/modules/contrib/fail2ban.te | 2 +-
policy/modules/contrib/finger.te | 2 +-
policy/modules/contrib/ftp.te | 2 +-
policy/modules/contrib/gdomap.te | 2 +-
policy/modules/contrib/glusterfs.te | 2 +-
policy/modules/contrib/gpm.te | 2 +-
policy/modules/contrib/gpsd.te | 4 ++--
policy/modules/contrib/hadoop.te | 2 +-
policy/modules/contrib/hal.te | 2 +-
policy/modules/contrib/ifplugd.te | 2 +-
policy/modules/contrib/inetd.te | 4 ++--
policy/modules/contrib/iodine.te | 2 +-
policy/modules/contrib/kdump.te | 2 +-
policy/modules/contrib/kerberos.te | 4 ++--
policy/modules/contrib/kismet.te | 2 +-
policy/modules/contrib/kudzu.te | 2 +-
policy/modules/contrib/ldap.te | 2 +-
policy/modules/contrib/likewise.te | 4 ++--
policy/modules/contrib/logrotate.te | 2 +-
policy/modules/contrib/logwatch.te | 2 +-
policy/modules/contrib/lpd.te | 6 +++---
policy/modules/contrib/mailman.te | 2 +-
policy/modules/contrib/mailscanner.te | 2 +-
policy/modules/contrib/mandb.te | 2 +-
policy/modules/contrib/memcached.te | 2 +-
policy/modules/contrib/milter.te | 2 +-
policy/modules/contrib/minissdpd.te | 2 +-
policy/modules/contrib/mozilla.te | 4 ++--
policy/modules/contrib/mrtg.te | 2 +-
policy/modules/contrib/mta.te | 2 +-
policy/modules/contrib/nagios.te | 8 ++++----
policy/modules/contrib/networkmanager.te | 4 ++--
policy/modules/contrib/nslcd.te | 2 +-
policy/modules/contrib/ntop.te | 2 +-
policy/modules/contrib/ntp.te | 4 ++--
policy/modules/contrib/nut.te | 2 +-
policy/modules/contrib/oddjob.te | 2 +-
policy/modules/contrib/oident.te | 2 +-
policy/modules/contrib/openvpn.te | 2 +-
policy/modules/contrib/openvswitch.te | 2 +-
policy/modules/contrib/pacemaker.te | 2 +-
policy/modules/contrib/passenger.te | 2 +-
policy/modules/contrib/pcmcia.te | 2 +-
policy/modules/contrib/pegasus.te | 2 +-
policy/modules/contrib/pkcs.te | 2 +-
policy/modules/contrib/podsleuth.te | 2 +-
policy/modules/contrib/portage.if | 2 +-
policy/modules/contrib/portage.te | 4 ++--
policy/modules/contrib/portmap.te | 2 +-
policy/modules/contrib/portreserve.te | 2 +-
policy/modules/contrib/portslave.te | 2 +-
policy/modules/contrib/postfix.te | 8 ++++----
policy/modules/contrib/postfixpolicyd.te | 2 +-
policy/modules/contrib/ppp.te | 4 ++--
policy/modules/contrib/procmail.te | 2 +-
policy/modules/contrib/psad.te | 2 +-
policy/modules/contrib/pulseaudio.te | 2 +-
policy/modules/contrib/puppet.te | 4 ++--
policy/modules/contrib/qemu.if | 2 +-
policy/modules/contrib/qmail.te | 2 +-
policy/modules/contrib/quota.te | 2 +-
policy/modules/contrib/radvd.te | 2 +-
policy/modules/contrib/raid.te | 2 +-
policy/modules/contrib/readahead.te | 2 +-
policy/modules/contrib/remotelogin.te | 2 +-
policy/modules/contrib/rgmanager.te | 2 +-
policy/modules/contrib/rhcs.te | 2 +-
policy/modules/contrib/ricci.te | 2 +-
policy/modules/contrib/rlogin.te | 2 +-
policy/modules/contrib/rpc.te | 4 ++--
policy/modules/contrib/rpm.te | 4 ++--
policy/modules/contrib/rshd.te | 2 +-
| 2 +-
policy/modules/contrib/rsync.te | 2 +-
policy/modules/contrib/samba.te | 8 ++++----
policy/modules/contrib/samhain.te | 2 +-
policy/modules/contrib/screen.te | 2 +-
policy/modules/contrib/sendmail.te | 2 +-
policy/modules/contrib/shorewall.te | 2 +-
policy/modules/contrib/slocate.te | 2 +-
policy/modules/contrib/smartmon.te | 2 +-
policy/modules/contrib/smokeping.te | 2 +-
policy/modules/contrib/snmp.te | 2 +-
policy/modules/contrib/snort.te | 2 +-
policy/modules/contrib/sosreport.te | 2 +-
policy/modules/contrib/spamassassin.te | 2 +-
policy/modules/contrib/squid.te | 2 +-
policy/modules/contrib/sssd.te | 2 +-
policy/modules/contrib/sxid.te | 2 +-
policy/modules/contrib/systemtap.te | 2 +-
policy/modules/contrib/telnet.te | 2 +-
policy/modules/contrib/tripwire.te | 2 +-
policy/modules/contrib/ulogd.te | 2 +-
policy/modules/contrib/userhelper.te | 4 ++--
policy/modules/contrib/usernetctl.te | 2 +-
policy/modules/contrib/uucp.te | 4 ++--
policy/modules/contrib/varnishd.te | 2 +-
policy/modules/contrib/vbetool.te | 2 +-
policy/modules/contrib/vhostmd.te | 2 +-
policy/modules/contrib/virt.te | 12 ++++++------
policy/modules/contrib/vlock.te | 2 +-
policy/modules/contrib/vmware.te | 4 ++--
policy/modules/contrib/vpn.te | 2 +-
policy/modules/contrib/watchdog.te | 2 +-
policy/modules/contrib/wdmd.te | 2 +-
policy/modules/contrib/xen.te | 4 ++--
policy/modules/contrib/yam.te | 2 +-
policy/modules/contrib/zabbix.te | 4 ++--
policy/modules/contrib/zarafa.te | 2 +-
policy/modules/contrib/zebra.te | 2 +-
160 files changed, 215 insertions(+), 215 deletions(-)
diff --git a/policy/modules/contrib/accountsd.te b/policy/modules/contrib/accountsd.te
index 3593510d..d435a2d6 100644
--- a/policy/modules/contrib/accountsd.te
+++ b/policy/modules/contrib/accountsd.te
@@ -21,7 +21,7 @@ files_type(accountsd_var_lib_t)
# Local policy
#
-allow accountsd_t self:capability { chown dac_override setuid setgid sys_ptrace };
+allow accountsd_t self:capability { chown dac_override setgid setuid sys_ptrace };
allow accountsd_t self:process signal;
allow accountsd_t self:fifo_file rw_fifo_file_perms;
allow accountsd_t self:passwd { rootok passwd chfn chsh };
diff --git a/policy/modules/contrib/afs.te b/policy/modules/contrib/afs.te
index e685b5d3..b95757a5 100644
--- a/policy/modules/contrib/afs.te
+++ b/policy/modules/contrib/afs.te
@@ -147,7 +147,7 @@ seutil_read_config(afs_bosserver_t)
# fileserver local policy
#
-allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice };
+allow afs_fsserver_t self:capability { chown dac_override fowner kill sys_nice };
dontaudit afs_fsserver_t self:capability fsetid;
allow afs_fsserver_t self:process { setsched signal_perms };
allow afs_fsserver_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/aisexec.te b/policy/modules/contrib/aisexec.te
index d89a243e..06b61940 100644
--- a/policy/modules/contrib/aisexec.te
+++ b/policy/modules/contrib/aisexec.te
@@ -32,7 +32,7 @@ files_pid_file(aisexec_var_run_t)
# Local policy
#
-allow aisexec_t self:capability { sys_nice sys_resource ipc_lock ipc_owner };
+allow aisexec_t self:capability { ipc_lock ipc_owner sys_nice sys_resource };
allow aisexec_t self:process { setrlimit setsched signal };
allow aisexec_t self:fifo_file rw_fifo_file_perms;
allow aisexec_t self:sem create_sem_perms;
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 19046676..f82e39ca 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -38,7 +38,7 @@ userdom_user_home_content(alsa_home_t)
# Local policy
#
-allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };
+allow alsa_t self:capability { dac_override dac_read_search ipc_owner setgid setuid };
dontaudit alsa_t self:capability sys_admin;
allow alsa_t self:sem create_sem_perms;
allow alsa_t self:shm create_shm_perms;
diff --git a/policy/modules/contrib/amanda.te b/policy/modules/contrib/amanda.te
index 65fa3975..ecf15211 100644
--- a/policy/modules/contrib/amanda.te
+++ b/policy/modules/contrib/amanda.te
@@ -59,7 +59,7 @@ optional_policy(`
# Local policy
#
-allow amanda_t self:capability { chown dac_override setuid kill };
+allow amanda_t self:capability { chown dac_override kill setuid };
allow amanda_t self:process { setpgid signal };
allow amanda_t self:fifo_file rw_fifo_file_perms;
allow amanda_t self:unix_stream_socket { accept listen };
@@ -141,7 +141,7 @@ logging_send_syslog_msg(amanda_t)
# Recover local policy
#
-allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
+allow amanda_recover_t self:capability { chown dac_override fowner fsetid kill setgid setuid };
allow amanda_recover_t self:process { sigkill sigstop signal };
allow amanda_recover_t self:fifo_file rw_fifo_file_perms;
allow amanda_recover_t self:unix_stream_socket create_socket_perms;
diff --git a/policy/modules/contrib/amavis.te b/policy/modules/contrib/amavis.te
index 2f66a812..44913b37 100644
--- a/policy/modules/contrib/amavis.te
+++ b/policy/modules/contrib/amavis.te
@@ -46,7 +46,7 @@ files_type(amavis_spool_t)
# Local policy
#
-allow amavis_t self:capability { kill chown dac_override setgid setuid };
+allow amavis_t self:capability { chown dac_override kill setgid setuid };
dontaudit amavis_t self:capability sys_tty_config;
allow amavis_t self:process signal_perms;
allow amavis_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 12b80554..2f724b68 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -920,7 +920,7 @@ tunable_policy(`httpd_tty_comm',`
# Suexec local policy
#
-allow httpd_suexec_t self:capability { setuid setgid };
+allow httpd_suexec_t self:capability { setgid setuid };
allow httpd_suexec_t self:process signal_perms;
allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
allow httpd_suexec_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/apm.te b/policy/modules/contrib/apm.te
index f5692d58..c5647460 100644
--- a/policy/modules/contrib/apm.te
+++ b/policy/modules/contrib/apm.te
@@ -62,8 +62,8 @@ logging_send_syslog_msg(apm_t)
# Server local policy
#
-allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
-dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
+allow apmd_t self:capability { kill mknod sys_admin sys_nice sys_time };
+dontaudit apmd_t self:capability { dac_override dac_read_search setuid sys_ptrace sys_tty_config };
allow apmd_t self:process { signal_perms getsession };
allow apmd_t self:fifo_file rw_fifo_file_perms;
allow apmd_t self:netlink_socket create_socket_perms;
diff --git a/policy/modules/contrib/asterisk.te b/policy/modules/contrib/asterisk.te
index db0efef0..9c6a947f 100644
--- a/policy/modules/contrib/asterisk.te
+++ b/policy/modules/contrib/asterisk.te
@@ -39,7 +39,7 @@ init_daemon_pid_file(asterisk_var_run_t, dir, "asterisk")
# Local policy
#
-allow asterisk_t self:capability { dac_override chown setgid setuid sys_nice net_admin };
+allow asterisk_t self:capability { chown dac_override net_admin setgid setuid sys_nice };
dontaudit asterisk_t self:capability { sys_module sys_tty_config };
allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
allow asterisk_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/automount.te b/policy/modules/contrib/automount.te
index ae421061..09b82b0c 100644
--- a/policy/modules/contrib/automount.te
+++ b/policy/modules/contrib/automount.te
@@ -33,7 +33,7 @@ files_pid_file(automount_var_run_t)
# Local policy
#
-allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin };
+allow automount_t self:capability { dac_override setgid setuid sys_admin sys_nice sys_resource };
dontaudit automount_t self:capability sys_tty_config;
allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
allow automount_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te
index d5d87ee3..b2e43eed 100644
--- a/policy/modules/contrib/avahi.te
+++ b/policy/modules/contrib/avahi.te
@@ -27,7 +27,7 @@ files_pid_file(avahi_var_run_t)
# Local policy
#
-allow avahi_t self:capability { dac_override setgid chown fowner kill net_admin net_raw setuid sys_chroot };
+allow avahi_t self:capability { chown dac_override fowner kill net_admin net_raw setgid setuid sys_chroot };
dontaudit avahi_t self:capability sys_tty_config;
allow avahi_t self:process { setrlimit signal_perms getcap setcap };
allow avahi_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/bacula.te b/policy/modules/contrib/bacula.te
index 2050984c..20b92c3f 100644
--- a/policy/modules/contrib/bacula.te
+++ b/policy/modules/contrib/bacula.te
@@ -43,7 +43,7 @@ role bacula_admin_roles types bacula_admin_t;
# Local policy
#
-allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid};
+allow bacula_t self:capability { chown dac_override dac_read_search fowner fsetid };
allow bacula_t self:process signal;
allow bacula_t self:fifo_file rw_fifo_file_perms;
allow bacula_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/bluetooth.te b/policy/modules/contrib/bluetooth.te
index ceb79e63..75d739da 100644
--- a/policy/modules/contrib/bluetooth.te
+++ b/policy/modules/contrib/bluetooth.te
@@ -57,7 +57,7 @@ files_pid_file(bluetooth_var_run_t)
# Local policy
#
-allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_admin sys_tty_config ipc_lock };
+allow bluetooth_t self:capability { dac_override ipc_lock net_admin net_bind_service net_raw setpcap sys_admin sys_tty_config };
dontaudit bluetooth_t self:capability sys_tty_config;
allow bluetooth_t self:process { getcap setcap getsched signal_perms };
allow bluetooth_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/boinc.te b/policy/modules/contrib/boinc.te
index 64803206..ed1aaf34 100644
--- a/policy/modules/contrib/boinc.te
+++ b/policy/modules/contrib/boinc.te
@@ -168,7 +168,7 @@ optional_policy(`
# Project local policy
#
-allow boinc_project_t self:capability { setuid setgid };
+allow boinc_project_t self:capability { setgid setuid };
allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal_perms };
manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
diff --git a/policy/modules/contrib/cachefilesd.te b/policy/modules/contrib/cachefilesd.te
index 14fcf67c..c92149d1 100644
--- a/policy/modules/contrib/cachefilesd.te
+++ b/policy/modules/contrib/cachefilesd.te
@@ -27,7 +27,7 @@ role system_r types cachefiles_kernel_t;
# Cachefilesd local policy
#
-allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
+allow cachefilesd_t self:capability { dac_override setgid setuid sys_admin };
allow cachefilesd_t cachefiles_kernel_t:kernel_service use_as_override;
diff --git a/policy/modules/contrib/callweaver.te b/policy/modules/contrib/callweaver.te
index d67ad9b8..f9443343 100644
--- a/policy/modules/contrib/callweaver.te
+++ b/policy/modules/contrib/callweaver.te
@@ -29,7 +29,7 @@ files_type(callweaver_spool_t)
# Local policy
#
-allow callweaver_t self:capability { setuid sys_nice setgid };
+allow callweaver_t self:capability { setgid setuid sys_nice };
allow callweaver_t self:process { setsched signal };
allow callweaver_t self:fifo_file rw_fifo_file_perms;
allow callweaver_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/canna.te b/policy/modules/contrib/canna.te
index 6738527a..ea8f64b5 100644
--- a/policy/modules/contrib/canna.te
+++ b/policy/modules/contrib/canna.te
@@ -26,7 +26,7 @@ files_pid_file(canna_var_run_t)
# Local policy
#
-allow canna_t self:capability { setgid setuid net_bind_service };
+allow canna_t self:capability { net_bind_service setgid setuid };
dontaudit canna_t self:capability sys_tty_config;
allow canna_t self:process signal_perms;
allow canna_t self:unix_stream_socket { accept connectto listen };
diff --git a/policy/modules/contrib/ccs.te b/policy/modules/contrib/ccs.te
index eacec0bf..bc766e74 100644
--- a/policy/modules/contrib/ccs.te
+++ b/policy/modules/contrib/ccs.te
@@ -35,7 +35,7 @@ files_pid_file(ccs_var_run_t)
# Local policy
#
-allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin };
+allow ccs_t self:capability { ipc_lock ipc_owner sys_admin sys_nice sys_resource };
allow ccs_t self:process { signal setrlimit setsched };
dontaudit ccs_t self:process ptrace;
allow ccs_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/cdrecord.te b/policy/modules/contrib/cdrecord.te
index 16883c9c..4af7717a 100644
--- a/policy/modules/contrib/cdrecord.te
+++ b/policy/modules/contrib/cdrecord.te
@@ -29,7 +29,7 @@ role cdrecord_roles types cdrecord_t;
# Local policy
#
-allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
+allow cdrecord_t self:capability { dac_override ipc_lock setuid sys_nice sys_rawio };
allow cdrecord_t self:process { getcap getsched setrlimit setsched sigkill };
allow cdrecord_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/certmaster.te b/policy/modules/contrib/certmaster.te
index 16420ae9..daeb417d 100644
--- a/policy/modules/contrib/certmaster.te
+++ b/policy/modules/contrib/certmaster.te
@@ -29,7 +29,7 @@ files_pid_file(certmaster_var_run_t)
# Local policy
#
-allow certmaster_t self:capability { dac_read_search dac_override sys_tty_config };
+allow certmaster_t self:capability { dac_override dac_read_search sys_tty_config };
allow certmaster_t self:tcp_socket { accept listen };
list_dirs_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t)
diff --git a/policy/modules/contrib/certmonger.te b/policy/modules/contrib/certmonger.te
index defc3467..f6c9d20d 100644
--- a/policy/modules/contrib/certmonger.te
+++ b/policy/modules/contrib/certmonger.te
@@ -23,7 +23,7 @@ files_pid_file(certmonger_var_run_t)
# Local policy
#
-allow certmonger_t self:capability { chown dac_override dac_read_search setgid setuid kill sys_nice };
+allow certmonger_t self:capability { chown dac_override dac_read_search kill setgid setuid sys_nice };
dontaudit certmonger_t self:capability sys_tty_config;
allow certmonger_t self:capability2 block_suspend;
allow certmonger_t self:process { getsched setsched sigkill signal };
diff --git a/policy/modules/contrib/cgroup.te b/policy/modules/contrib/cgroup.te
index 5d600a9f..3599d7a2 100644
--- a/policy/modules/contrib/cgroup.te
+++ b/policy/modules/contrib/cgroup.te
@@ -40,7 +40,7 @@ files_config_file(cgconfig_etc_t)
# cgclear local policy
#
-allow cgclear_t self:capability { dac_read_search dac_override sys_admin };
+allow cgclear_t self:capability { dac_override dac_read_search sys_admin };
allow cgclear_t cgconfig_etc_t:file read_file_perms;
@@ -57,7 +57,7 @@ fs_unmount_cgroup(cgclear_t)
# cgconfig local policy
#
-allow cgconfig_t self:capability { dac_override fowner fsetid chown sys_admin sys_tty_config };
+allow cgconfig_t self:capability { chown dac_override fowner fsetid sys_admin sys_tty_config };
allow cgconfig_t cgconfig_etc_t:file read_file_perms;
@@ -77,7 +77,7 @@ fs_unmount_cgroup(cgconfig_t)
# cgred local policy
#
-allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
+allow cgred_t self:capability { chown dac_override fsetid net_admin sys_admin sys_ptrace };
allow cgred_t self:netlink_socket { write bind create read };
allow cgred_t self:unix_dgram_socket { write create connect };
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index 97c541c6..618f6cf5 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -35,7 +35,7 @@ files_pid_file(chronyd_var_run_t)
# Local policy
#
-allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
+allow chronyd_t self:capability { dac_override ipc_lock setgid setuid sys_resource sys_time };
allow chronyd_t self:process { getcap setcap setrlimit signal };
allow chronyd_t self:shm create_shm_perms;
allow chronyd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/cipe.te b/policy/modules/contrib/cipe.te
index e2a5c13c..729d7820 100644
--- a/policy/modules/contrib/cipe.te
+++ b/policy/modules/contrib/cipe.te
@@ -17,7 +17,7 @@ init_script_file(ciped_initrc_exec_t)
# Local policy
#
-allow ciped_t self:capability { net_admin ipc_lock sys_tty_config };
+allow ciped_t self:capability { ipc_lock net_admin sys_tty_config };
dontaudit ciped_t self:capability sys_tty_config;
allow ciped_t self:process signal_perms;
allow ciped_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/clamav.te b/policy/modules/contrib/clamav.te
index 0940e437..f2664e82 100644
--- a/policy/modules/contrib/clamav.te
+++ b/policy/modules/contrib/clamav.te
@@ -73,7 +73,7 @@ logging_log_file(freshclam_var_log_t)
# Clamd local policy
#
-allow clamd_t self:capability { kill setgid setuid dac_override };
+allow clamd_t self:capability { dac_override kill setgid setuid };
dontaudit clamd_t self:capability sys_tty_config;
allow clamd_t self:process signal;
allow clamd_t self:fifo_file rw_fifo_file_perms;
@@ -173,7 +173,7 @@ optional_policy(`
# Freshclam local policy
#
-allow freshclam_t self:capability { setgid setuid dac_override };
+allow freshclam_t self:capability { dac_override setgid setuid };
allow freshclam_t self:fifo_file rw_fifo_file_perms;
allow freshclam_t self:unix_stream_socket { accept listen };
allow freshclam_t self:tcp_socket { accept listen };
@@ -252,7 +252,7 @@ optional_policy(`
# Clamscam local policy
#
-allow clamscan_t self:capability { setgid setuid dac_override };
+allow clamscan_t self:capability { dac_override setgid setuid };
allow clamscan_t self:fifo_file rw_fifo_file_perms;
allow clamscan_t self:unix_stream_socket create_stream_socket_perms;
allow clamscan_t self:unix_dgram_socket create_socket_perms;
diff --git a/policy/modules/contrib/clockspeed.te b/policy/modules/contrib/clockspeed.te
index d3e2a67e..6544d006 100644
--- a/policy/modules/contrib/clockspeed.te
+++ b/policy/modules/contrib/clockspeed.te
@@ -49,7 +49,7 @@ userdom_use_user_terminals(clockspeed_cli_t)
# Server local policy
#
-allow clockspeed_srv_t self:capability { sys_time net_bind_service };
+allow clockspeed_srv_t self:capability { net_bind_service sys_time };
allow clockspeed_srv_t self:udp_socket create_socket_perms;
allow clockspeed_srv_t self:unix_dgram_socket create_socket_perms;
allow clockspeed_srv_t self:unix_stream_socket create_socket_perms;
diff --git a/policy/modules/contrib/clogd.te b/policy/modules/contrib/clogd.te
index 356ef465..b9a57b18 100644
--- a/policy/modules/contrib/clogd.te
+++ b/policy/modules/contrib/clogd.te
@@ -20,7 +20,7 @@ files_pid_file(clogd_var_run_t)
# Local policy
#
-allow clogd_t self:capability { net_admin mknod };
+allow clogd_t self:capability { mknod net_admin };
allow clogd_t self:process signal;
allow clogd_t self:sem create_sem_perms;
allow clogd_t self:shm create_shm_perms;
diff --git a/policy/modules/contrib/cmirrord.te b/policy/modules/contrib/cmirrord.te
index d916d65c..ece1a1ce 100644
--- a/policy/modules/contrib/cmirrord.te
+++ b/policy/modules/contrib/cmirrord.te
@@ -23,7 +23,7 @@ files_pid_file(cmirrord_var_run_t)
# Local policy
#
-allow cmirrord_t self:capability { net_admin kill };
+allow cmirrord_t self:capability { kill net_admin };
dontaudit cmirrord_t self:capability sys_tty_config;
allow cmirrord_t self:process { setfscreate signal };
allow cmirrord_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/colord.te b/policy/modules/contrib/colord.te
index b7a2b96f..0236b279 100644
--- a/policy/modules/contrib/colord.te
+++ b/policy/modules/contrib/colord.te
@@ -23,7 +23,7 @@ files_type(colord_var_lib_t)
# Local policy
#
-allow colord_t self:capability { dac_read_search dac_override };
+allow colord_t self:capability { dac_override dac_read_search };
dontaudit colord_t self:capability sys_admin;
allow colord_t self:process signal;
allow colord_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/comsat.te b/policy/modules/contrib/comsat.te
index c63cf855..9b7b3706 100644
--- a/policy/modules/contrib/comsat.te
+++ b/policy/modules/contrib/comsat.te
@@ -20,7 +20,7 @@ files_pid_file(comsat_var_run_t)
# Local policy
#
-allow comsat_t self:capability { setuid setgid };
+allow comsat_t self:capability { setgid setuid };
allow comsat_t self:process signal_perms;
allow comsat_t self:fifo_file rw_fifo_file_perms;
allow comsat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
diff --git a/policy/modules/contrib/condor.te b/policy/modules/contrib/condor.te
index 33937669..fbb70249 100644
--- a/policy/modules/contrib/condor.te
+++ b/policy/modules/contrib/condor.te
@@ -130,7 +130,7 @@ optional_policy(`
# Master local policy
#
-allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace };
+allow condor_master_t self:capability { dac_override setgid setuid sys_ptrace };
allow condor_master_t condor_domain:process { sigkill signal };
@@ -167,7 +167,7 @@ optional_policy(`
# Collector local policy
#
-allow condor_collector_t self:capability { setuid setgid };
+allow condor_collector_t self:capability { setgid setuid };
allow condor_collector_t condor_master_t:tcp_socket rw_stream_socket_perms;
allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
@@ -179,7 +179,7 @@ kernel_read_network_state(condor_collector_t)
# Negotiator local policy
#
-allow condor_negotiator_t self:capability { setuid setgid };
+allow condor_negotiator_t self:capability { setgid setuid };
allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
allow condor_negotiator_t condor_master_t:udp_socket getattr;
@@ -188,7 +188,7 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr;
# Procd local policy
#
-allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace };
+allow condor_procd_t self:capability { chown dac_override fowner kill sys_ptrace };
allow condor_procd_t condor_domain:process sigkill;
@@ -199,7 +199,7 @@ domain_read_all_domains_state(condor_procd_t)
# Schedd local policy
#
-allow condor_schedd_t self:capability { setuid chown setgid dac_override };
+allow condor_schedd_t self:capability { chown dac_override setgid setuid };
allow condor_schedd_t condor_master_t:tcp_socket rw_stream_socket_perms;
allow condor_schedd_t condor_master_t:udp_socket getattr;
@@ -219,7 +219,7 @@ files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
# Startd local policy
#
-allow condor_startd_t self:capability { setuid net_admin setgid dac_override };
+allow condor_startd_t self:capability { dac_override net_admin setgid setuid };
allow condor_startd_t self:process execmem;
manage_dirs_pattern(condor_startd_t, condor_startd_tmp_t, condor_startd_tmp_t)
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index 5b11390c..a2a51ba8 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -27,7 +27,7 @@ init_daemon_pid_file(consolekit_var_run_t, dir, "ConsoleKit")
# Local policy
#
-allow consolekit_t self:capability { chown fowner setuid setgid sys_admin sys_tty_config dac_override sys_nice sys_ptrace };
+allow consolekit_t self:capability { chown dac_override fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
allow consolekit_t self:process { getsched signal setfscreate };
allow consolekit_t self:fifo_file rw_fifo_file_perms;
allow consolekit_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/corosync.te b/policy/modules/contrib/corosync.te
index 43ec8c61..771582f0 100644
--- a/policy/modules/contrib/corosync.te
+++ b/policy/modules/contrib/corosync.te
@@ -33,9 +33,9 @@ files_pid_file(corosync_var_run_t)
# Local policy
#
-allow corosync_t self:capability { dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock };
+allow corosync_t self:capability { dac_override fowner ipc_lock setgid setuid sys_admin sys_nice sys_resource };
# for hearbeat
-allow corosync_t self:capability { net_raw chown };
+allow corosync_t self:capability { chown net_raw };
allow corosync_t self:process { setpgid setrlimit setsched signal signull };
allow corosync_t self:fifo_file rw_fifo_file_perms;
allow corosync_t self:sem create_sem_perms;
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index 35ba8d89..176bd5c2 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -85,7 +85,7 @@ optional_policy(`
# Authdaemon local policy
#
-allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config };
+allow courier_authdaemon_t self:capability { setgid setuid sys_tty_config };
allow courier_authdaemon_t self:unix_stream_socket { accept connectto listen };
create_dirs_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
@@ -123,7 +123,7 @@ userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t)
# Calendar (PCP) local policy
#
-allow courier_pcp_t self:capability { setuid setgid };
+allow courier_pcp_t self:capability { setgid setuid };
dev_read_rand(courier_pcp_t)
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 1c6f3867..905deb16 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -141,7 +141,7 @@ ifdef(`enable_mcs',`
# Common crontab local policy
#
-allow crontab_domain self:capability { fowner setuid setgid chown dac_override };
+allow crontab_domain self:capability { chown dac_override fowner setgid setuid };
allow crontab_domain self:process { getcap setsched signal_perms };
allow crontab_domain self:fifo_file rw_fifo_file_perms;
@@ -217,7 +217,7 @@ tunable_policy(`fcron_crond',`
# Daemon local policy
#
-allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search };
+allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice };
dontaudit crond_t self:capability { sys_resource sys_tty_config };
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
allow crond_t self:process { setexec setfscreate };
@@ -425,7 +425,7 @@ optional_policy(`
# System local policy
#
-allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
+allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_bind_service setgid setuid sys_nice };
allow system_cronjob_t self:process { signal_perms getsched setsched };
allow system_cronjob_t self:fd use;
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index c90e2120..8fdd713f 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -109,8 +109,8 @@ ifdef(`enable_mls',`
# Cups local policy
#
-allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config };
-dontaudit cupsd_t self:capability { sys_tty_config net_admin };
+allow cupsd_t self:capability { chown dac_override dac_override dac_read_search fowner fsetid ipc_lock kill setgid setuid sys_admin sys_rawio sys_resource sys_tty_config };
+dontaudit cupsd_t self:capability { net_admin sys_tty_config };
allow cupsd_t self:capability2 block_suspend;
allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
allow cupsd_t self:fifo_file rw_fifo_file_perms;
@@ -357,7 +357,7 @@ optional_policy(`
# Configuration daemon local policy
#
-allow cupsd_config_t self:capability { chown dac_override sys_tty_config setuid setgid };
+allow cupsd_config_t self:capability { chown dac_override setgid setuid sys_tty_config };
dontaudit cupsd_config_t self:capability sys_tty_config;
allow cupsd_config_t self:process { getsched signal_perms };
allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
@@ -500,7 +500,7 @@ optional_policy(`
# Lpd local policy
#
-allow cupsd_lpd_t self:capability { setuid setgid };
+allow cupsd_lpd_t self:capability { setgid setuid };
allow cupsd_lpd_t self:process signal_perms;
allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms;
allow cupsd_lpd_t self:tcp_socket { accept listen };
@@ -562,7 +562,7 @@ optional_policy(`
# Pdf local policy
#
-allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
+allow cups_pdf_t self:capability { chown dac_override fowner fsetid setgid setuid };
allow cups_pdf_t self:fifo_file rw_fifo_file_perms;
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/policy/modules/contrib/cvs.te b/policy/modules/contrib/cvs.te
index ab055c99..f090b62a 100644
--- a/policy/modules/contrib/cvs.te
+++ b/policy/modules/contrib/cvs.te
@@ -39,7 +39,7 @@ files_pid_file(cvs_var_run_t)
# Local policy
#
-allow cvs_t self:capability { setuid setgid };
+allow cvs_t self:capability { setgid setuid };
allow cvs_t self:process signal_perms;
allow cvs_t self:fifo_file rw_fifo_file_perms;
allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
diff --git a/policy/modules/contrib/daemontools.te b/policy/modules/contrib/daemontools.te
index 78a01e75..d355befc 100644
--- a/policy/modules/contrib/daemontools.te
+++ b/policy/modules/contrib/daemontools.te
@@ -55,7 +55,7 @@ logging_manage_generic_logs(svc_multilog_t)
# ie. softlimit, setuidgid, envuidgid, envdir, fghack ..
#
-allow svc_run_t self:capability { setgid setuid chown fsetid sys_resource };
+allow svc_run_t self:capability { chown fsetid setgid setuid sys_resource };
allow svc_run_t self:process setrlimit;
allow svc_run_t self:fifo_file rw_fifo_file_perms;
allow svc_run_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/policy/modules/contrib/dante.te b/policy/modules/contrib/dante.te
index 4ed8790f..124f2c58 100644
--- a/policy/modules/contrib/dante.te
+++ b/policy/modules/contrib/dante.te
@@ -23,7 +23,7 @@ files_pid_file(dante_var_run_t)
# Local policy
#
-allow dante_t self:capability { setuid setgid };
+allow dante_t self:capability { setgid setuid };
dontaudit dante_t self:capability sys_tty_config;
allow dante_t self:process signal_perms;
allow dante_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 42c7d4fe..78de2022 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -60,7 +60,7 @@ ifdef(`enable_mls',`
# Local policy
#
-allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
+allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_resource };
dontaudit system_dbusd_t self:capability sys_tty_config;
allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/dcc.te b/policy/modules/contrib/dcc.te
index 0a6abd4b..9b1c25e7 100644
--- a/policy/modules/contrib/dcc.te
+++ b/policy/modules/contrib/dcc.te
@@ -82,7 +82,7 @@ files_pid_file(dccm_var_run_t)
# Daemon controller local policy
#
-allow cdcc_t self:capability { setuid setgid };
+allow cdcc_t self:capability { setgid setuid };
manage_dirs_pattern(cdcc_t, cdcc_tmp_t, cdcc_tmp_t)
manage_files_pattern(cdcc_t, cdcc_tmp_t, cdcc_tmp_t)
@@ -109,7 +109,7 @@ userdom_use_user_terminals(cdcc_t)
# Procmail interface local policy
#
-allow dcc_client_t self:capability { setuid setgid };
+allow dcc_client_t self:capability { setgid setuid };
allow dcc_client_t dcc_client_map_t:file rw_file_perms;
diff --git a/policy/modules/contrib/ddcprobe.te b/policy/modules/contrib/ddcprobe.te
index 8fa4bb99..8d1263ae 100644
--- a/policy/modules/contrib/ddcprobe.te
+++ b/policy/modules/contrib/ddcprobe.te
@@ -18,7 +18,7 @@ role ddcprobe_roles types ddcprobe_t;
# Local policy
#
-allow ddcprobe_t self:capability { sys_rawio sys_admin };
+allow ddcprobe_t self:capability { sys_admin sys_rawio };
allow ddcprobe_t self:process execmem;
kernel_read_system_state(ddcprobe_t)
diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te
index a5926c4a..82ce25c3 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -64,7 +64,7 @@ optional_policy(`
# Disk local policy
#
-allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };
+allow devicekit_disk_t self:capability { chown dac_override fowner fsetid net_admin setgid setuid sys_admin sys_nice sys_ptrace sys_rawio };
allow devicekit_disk_t self:process { getsched signal_perms };
allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -197,7 +197,7 @@ optional_policy(`
# Power local policy
#
-allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
+allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_nice sys_ptrace sys_tty_config };
allow devicekit_power_t self:capability2 wake_alarm;
allow devicekit_power_t self:process { getsched signal_perms };
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/dhcp.te b/policy/modules/contrib/dhcp.te
index a5f6ecd8..2fbf84ed 100644
--- a/policy/modules/contrib/dhcp.te
+++ b/policy/modules/contrib/dhcp.te
@@ -37,7 +37,7 @@ files_pid_file(dhcpd_var_run_t)
# Local policy
#
-allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid sys_resource };
+allow dhcpd_t self:capability { chown dac_override net_raw setgid setuid sys_chroot sys_resource };
dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
allow dhcpd_t self:process { getcap setcap signal_perms };
allow dhcpd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/dictd.te b/policy/modules/contrib/dictd.te
index 74b38850..c390b549 100644
--- a/policy/modules/contrib/dictd.te
+++ b/policy/modules/contrib/dictd.te
@@ -26,7 +26,7 @@ files_pid_file(dictd_var_run_t)
# Local policy
#
-allow dictd_t self:capability { setuid setgid };
+allow dictd_t self:capability { setgid setuid };
dontaudit dictd_t self:capability sys_tty_config;
allow dictd_t self:process { signal_perms setpgid };
allow dictd_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index 23fdaa0d..ee961ce2 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -32,7 +32,7 @@ files_pid_file(dnsmasq_var_run_t)
# Local policy
#
-allow dnsmasq_t self:capability { chown dac_override net_admin setgid setuid net_raw };
+allow dnsmasq_t self:capability { chown dac_override net_admin net_raw setgid setuid };
dontaudit dnsmasq_t self:capability sys_tty_config;
allow dnsmasq_t self:process { getcap setcap signal_perms };
allow dnsmasq_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
index fcfcf3c2..1701e3f0 100644
--- a/policy/modules/contrib/dovecot.te
+++ b/policy/modules/contrib/dovecot.te
@@ -92,7 +92,7 @@ miscfiles_read_localization(dovecot_domain)
# Local policy
#
-allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill setgid setuid sys_chroot };
+allow dovecot_t self:capability { chown dac_override dac_read_search fsetid kill setgid setuid sys_chroot };
dontaudit dovecot_t self:capability sys_tty_config;
allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
allow dovecot_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index 9bb9d6f6..84dd6ba1 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -49,7 +49,7 @@ files_tmpfs_file(dpkg_script_tmpfs_t)
# Local policy
#
-allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
+allow dpkg_t self:capability { chown dac_override fowner fsetid kill linux_immutable mknod setgid setuid sys_nice sys_resource sys_tty_config };
allow dpkg_t self:process { setpgid fork getsched setfscreate };
allow dpkg_t self:fd use;
allow dpkg_t self:fifo_file rw_fifo_file_perms;
@@ -202,7 +202,7 @@ optional_policy(`
# Script Local policy
#
-allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
+allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod setgid setuid sys_chroot sys_nice };
allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow dpkg_script_t self:fd use;
allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index b2376d6d..d717829a 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -110,7 +110,7 @@ userdom_user_tmpfs_file(evolution_webcal_tmpfs_t)
# Local policy
#
-allow evolution_t self:capability { setuid setgid sys_nice };
+allow evolution_t self:capability { setgid setuid sys_nice };
allow evolution_t self:process { signal getsched setsched };
allow evolution_t self:fifo_file rw_file_perms;
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
index 97dff0ac..66421ff3 100644
--- a/policy/modules/contrib/exim.te
+++ b/policy/modules/contrib/exim.te
@@ -73,7 +73,7 @@ ifdef(`distro_debian',`
# Local policy
#
-allow exim_t self:capability { chown dac_override fowner setuid setgid sys_resource };
+allow exim_t self:capability { chown dac_override fowner setgid setuid sys_resource };
allow exim_t self:process { setrlimit setpgid };
allow exim_t self:fifo_file rw_fifo_file_perms;
allow exim_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/fail2ban.te b/policy/modules/contrib/fail2ban.te
index 6f34502d..215d0935 100644
--- a/policy/modules/contrib/fail2ban.te
+++ b/policy/modules/contrib/fail2ban.te
@@ -36,7 +36,7 @@ role fail2ban_client_roles types fail2ban_client_t;
# Server Local policy
#
-allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config };
+allow fail2ban_t self:capability { dac_override dac_read_search sys_tty_config };
allow fail2ban_t self:process signal;
allow fail2ban_t self:fifo_file rw_fifo_file_perms;
allow fail2ban_t self:unix_stream_socket { accept connectto listen };
diff --git a/policy/modules/contrib/finger.te b/policy/modules/contrib/finger.te
index 0de8ac23..d7fdd5eb 100644
--- a/policy/modules/contrib/finger.te
+++ b/policy/modules/contrib/finger.te
@@ -25,7 +25,7 @@ files_pid_file(fingerd_var_run_t)
#
allow fingerd_t self:capability { setgid setuid };
-dontaudit fingerd_t self:capability { sys_tty_config fsetid };
+dontaudit fingerd_t self:capability { fsetid sys_tty_config };
allow fingerd_t self:process signal_perms;
allow fingerd_t self:fifo_file rw_fifo_file_perms;
allow fingerd_t self:tcp_socket connected_stream_socket_perms;
diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
index faf6863a..7e81e249 100644
--- a/policy/modules/contrib/ftp.te
+++ b/policy/modules/contrib/ftp.te
@@ -170,7 +170,7 @@ ifdef(`enable_mls',`
# Local policy
#
-allow ftpd_t self:capability { chown fowner fsetid ipc_lock kill setgid setuid sys_chroot sys_admin sys_nice sys_resource };
+allow ftpd_t self:capability { chown fowner fsetid ipc_lock kill setgid setuid sys_admin sys_chroot sys_nice sys_resource };
dontaudit ftpd_t self:capability sys_tty_config;
allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
allow ftpd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/gdomap.te b/policy/modules/contrib/gdomap.te
index 3227543f..e710d356 100644
--- a/policy/modules/contrib/gdomap.te
+++ b/policy/modules/contrib/gdomap.te
@@ -23,7 +23,7 @@ files_pid_file(gdomap_var_run_t)
# Local policy
#
-allow gdomap_t self:capability { setuid sys_chroot net_bind_service setgid };
+allow gdomap_t self:capability { net_bind_service setgid setuid sys_chroot };
allow gdomap_t self:tcp_socket { listen accept };
allow gdomap_t gdomap_var_run_t:file manage_file_perms;
diff --git a/policy/modules/contrib/glusterfs.te b/policy/modules/contrib/glusterfs.te
index 83a5806a..07bd10d7 100644
--- a/policy/modules/contrib/glusterfs.te
+++ b/policy/modules/contrib/glusterfs.te
@@ -32,7 +32,7 @@ files_type(glusterd_var_lib_t)
# Local policy
#
-allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner };
+allow glusterd_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_resource };
allow glusterd_t self:process { setrlimit signal };
allow glusterd_t self:fifo_file rw_fifo_file_perms;
allow glusterd_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/gpm.te b/policy/modules/contrib/gpm.te
index 5cbfa3a6..4e2b5f9c 100644
--- a/policy/modules/contrib/gpm.te
+++ b/policy/modules/contrib/gpm.te
@@ -29,7 +29,7 @@ files_type(gpmctl_t)
# Local policy
#
-allow gpm_t self:capability { setpcap setuid dac_override sys_admin sys_tty_config };
+allow gpm_t self:capability { dac_override setpcap setuid sys_admin sys_tty_config };
allow gpm_t self:process { signal signull getcap setcap };
allow gpm_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/gpsd.te b/policy/modules/contrib/gpsd.te
index bd09110f..6f4e8b79 100644
--- a/policy/modules/contrib/gpsd.te
+++ b/policy/modules/contrib/gpsd.te
@@ -27,8 +27,8 @@ files_pid_file(gpsd_var_run_t)
# Local policy
#
-allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config };
-dontaudit gpsd_t self:capability { dac_read_search dac_override };
+allow gpsd_t self:capability { fowner fsetid setgid setuid sys_nice sys_time sys_tty_config };
+dontaudit gpsd_t self:capability { dac_override dac_read_search };
allow gpsd_t self:process { setsched signal_perms };
allow gpsd_t self:shm create_shm_perms;
allow gpsd_t self:unix_dgram_socket sendto;
diff --git a/policy/modules/contrib/hadoop.te b/policy/modules/contrib/hadoop.te
index f22683e3..9f333bfd 100644
--- a/policy/modules/contrib/hadoop.te
+++ b/policy/modules/contrib/hadoop.te
@@ -246,7 +246,7 @@ optional_policy(`
# Common hadoop_initrc_domain local policy
#
-allow hadoop_initrc_domain self:capability { setuid setgid };
+allow hadoop_initrc_domain self:capability { setgid setuid };
dontaudit hadoop_initrc_domain self:capability sys_tty_config;
allow hadoop_initrc_domain self:process setsched;
allow hadoop_initrc_domain self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te
index d3296e28..31035d15 100644
--- a/policy/modules/contrib/hal.te
+++ b/policy/modules/contrib/hal.te
@@ -72,7 +72,7 @@ hal_stream_connect(hald_domain)
# Local policy
#
-allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
+allow hald_t self:capability { chown dac_override dac_read_search kill mknod net_admin setgid setuid sys_admin sys_nice sys_rawio sys_tty_config };
dontaudit hald_t self:capability { sys_ptrace sys_tty_config };
allow hald_t self:process { getsched getattr signal_perms };
allow hald_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/ifplugd.te b/policy/modules/contrib/ifplugd.te
index addcca5a..4f1223db 100644
--- a/policy/modules/contrib/ifplugd.te
+++ b/policy/modules/contrib/ifplugd.te
@@ -23,7 +23,7 @@ files_pid_file(ifplugd_var_run_t)
# Local policy
#
-allow ifplugd_t self:capability { net_admin sys_nice net_bind_service };
+allow ifplugd_t self:capability { net_admin net_bind_service sys_nice };
dontaudit ifplugd_t self:capability sys_tty_config;
allow ifplugd_t self:process { signal signull };
allow ifplugd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/inetd.te b/policy/modules/contrib/inetd.te
index 1974c112..66c15680 100644
--- a/policy/modules/contrib/inetd.te
+++ b/policy/modules/contrib/inetd.te
@@ -37,7 +37,7 @@ ifdef(`enable_mcs',`
# Local policy
#
-allow inetd_t self:capability { setuid setgid sys_resource };
+allow inetd_t self:capability { setgid setuid sys_resource };
dontaudit inetd_t self:capability sys_tty_config;
allow inetd_t self:process { setsched setexec setrlimit };
allow inetd_t self:fifo_file rw_fifo_file_perms;
@@ -204,7 +204,7 @@ optional_policy(`
# Child local policy
#
-allow inetd_child_t self:capability { setuid setgid };
+allow inetd_child_t self:capability { setgid setuid };
allow inetd_child_t self:process signal_perms;
allow inetd_child_t self:fifo_file rw_fifo_file_perms;
allow inetd_child_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/iodine.te b/policy/modules/contrib/iodine.te
index 6eb84095..c35fc069 100644
--- a/policy/modules/contrib/iodine.te
+++ b/policy/modules/contrib/iodine.te
@@ -17,7 +17,7 @@ init_script_file(iodined_initrc_exec_t)
# Local policy
#
-allow iodined_t self:capability { net_admin net_raw sys_chroot setgid setuid };
+allow iodined_t self:capability { net_admin net_raw setgid setuid sys_chroot };
allow iodined_t self:rawip_socket create_socket_perms;
allow iodined_t self:tun_socket create_socket_perms;
allow iodined_t self:udp_socket connected_socket_perms;
diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te
index e758c15f..9981dc55 100644
--- a/policy/modules/contrib/kdump.te
+++ b/policy/modules/contrib/kdump.te
@@ -31,7 +31,7 @@ files_tmp_file(kdumpctl_tmp_t)
# Local policy
#
-allow kdump_t self:capability { sys_boot dac_override };
+allow kdump_t self:capability { dac_override sys_boot };
allow kdump_t kdump_etc_t:file read_file_perms;
diff --git a/policy/modules/contrib/kerberos.te b/policy/modules/contrib/kerberos.te
index 38532d33..d226156e 100644
--- a/policy/modules/contrib/kerberos.te
+++ b/policy/modules/contrib/kerberos.te
@@ -74,7 +74,7 @@ files_pid_file(krb5kdc_var_run_t)
# kadmind local policy
#
-allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
+allow kadmind_t self:capability { chown dac_override fowner setgid setuid sys_nice };
dontaudit kadmind_t self:capability sys_tty_config;
allow kadmind_t self:capability2 block_suspend;
allow kadmind_t self:process { setfscreate setsched getsched signal_perms };
@@ -174,7 +174,7 @@ optional_policy(`
# Krb5kdc local policy
#
-allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
+allow krb5kdc_t self:capability { chown dac_override fowner net_admin setgid setuid sys_nice };
dontaudit krb5kdc_t self:capability sys_tty_config;
allow krb5kdc_t self:capability2 block_suspend;
allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms };
diff --git a/policy/modules/contrib/kismet.te b/policy/modules/contrib/kismet.te
index 30c8c689..a581ece2 100644
--- a/policy/modules/contrib/kismet.te
+++ b/policy/modules/contrib/kismet.te
@@ -38,7 +38,7 @@ files_pid_file(kismet_var_run_t)
# Local policy
#
-allow kismet_t self:capability { dac_override kill net_admin net_raw setuid setgid };
+allow kismet_t self:capability { dac_override kill net_admin net_raw setgid setuid };
allow kismet_t self:process signal_perms;
allow kismet_t self:fifo_file rw_fifo_file_perms;
allow kismet_t self:packet_socket create_socket_perms;
diff --git a/policy/modules/contrib/kudzu.te b/policy/modules/contrib/kudzu.te
index 4116d008..00b43648 100644
--- a/policy/modules/contrib/kudzu.te
+++ b/policy/modules/contrib/kudzu.te
@@ -26,7 +26,7 @@ files_pid_file(kudzu_var_run_t)
# Local policy
#
-allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
+allow kudzu_t self:capability { dac_override mknod net_admin sys_admin sys_rawio sys_tty_config };
dontaudit kudzu_t self:capability sys_tty_config;
allow kudzu_t self:process { signal_perms execmem };
allow kudzu_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
index b740c730..023884ab 100644
--- a/policy/modules/contrib/ldap.te
+++ b/policy/modules/contrib/ldap.te
@@ -50,7 +50,7 @@ files_pid_file(slapd_var_run_t)
# Local policy
#
-allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search };
+allow slapd_t self:capability { dac_override dac_read_search kill net_raw setgid setuid };
dontaudit slapd_t self:capability sys_tty_config;
allow slapd_t self:process setsched;
allow slapd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/likewise.te b/policy/modules/contrib/likewise.te
index 58c05712..21d18a3c 100644
--- a/policy/modules/contrib/likewise.te
+++ b/policy/modules/contrib/likewise.te
@@ -102,7 +102,7 @@ corenet_tcp_sendrecv_epmap_port(eventlogd_t)
# lsassd local policy
#
-allow lsassd_t self:capability { fowner chown fsetid dac_override sys_time };
+allow lsassd_t self:capability { chown dac_override fowner fsetid sys_time };
allow lsassd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms;
@@ -165,7 +165,7 @@ optional_policy(`
# lwiod local policy
#
-allow lwiod_t self:capability { fowner chown fsetid dac_override sys_resource };
+allow lwiod_t self:capability { chown dac_override fowner fsetid sys_resource };
allow lwiod_t self:process setrlimit;
allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms;
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index e2daa42d..1179568b 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -36,7 +36,7 @@ role system_r types logrotate_mail_t;
# Local policy
#
-allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice };
+allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource };
allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
allow logrotate_t self:fd use;
allow logrotate_t self:key manage_key_perms;
diff --git a/policy/modules/contrib/logwatch.te b/policy/modules/contrib/logwatch.te
index 353a5311..24f1c17b 100644
--- a/policy/modules/contrib/logwatch.te
+++ b/policy/modules/contrib/logwatch.te
@@ -173,7 +173,7 @@ optional_policy(`
# Mail local policy
#
-allow logwatch_mail_t self:capability { dac_read_search dac_override };
+allow logwatch_mail_t self:capability { dac_override dac_read_search };
allow logwatch_mail_t logwatch_t:fd use;
allow logwatch_mail_t logwatch_t:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/lpd.te b/policy/modules/contrib/lpd.te
index fc70ff9e..8ebe2435 100644
--- a/policy/modules/contrib/lpd.te
+++ b/policy/modules/contrib/lpd.te
@@ -62,7 +62,7 @@ files_config_file(printconf_t)
# Checkpc local policy
#
-allow checkpc_t self:capability { setgid setuid dac_override };
+allow checkpc_t self:capability { dac_override setgid setuid };
allow checkpc_t self:process signal_perms;
allow checkpc_t self:unix_stream_socket create_socket_perms;
allow checkpc_t self:tcp_socket create_socket_perms;
@@ -126,7 +126,7 @@ optional_policy(`
# Lpd local policy
#
-allow lpd_t self:capability { setgid setuid dac_read_search dac_override chown fowner };
+allow lpd_t self:capability { chown dac_override dac_read_search fowner setgid setuid };
dontaudit lpd_t self:capability sys_tty_config;
allow lpd_t self:process signal_perms;
allow lpd_t self:fifo_file rw_fifo_file_perms;
@@ -214,7 +214,7 @@ optional_policy(`
# Lpr local policy
#
-allow lpr_t self:capability { setuid dac_override net_bind_service chown };
+allow lpr_t self:capability { chown dac_override net_bind_service setuid };
allow lpr_t self:unix_stream_socket { accept listen };
allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms };
diff --git a/policy/modules/contrib/mailman.te b/policy/modules/contrib/mailman.te
index 46d98e79..7421ce3a 100644
--- a/policy/modules/contrib/mailman.te
+++ b/policy/modules/contrib/mailman.te
@@ -115,7 +115,7 @@ optional_policy(`
# Mail local policy
#
-allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };
+allow mailman_mail_t self:capability { dac_override kill setgid setuid sys_tty_config };
allow mailman_mail_t self:process { signal signull };
manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
diff --git a/policy/modules/contrib/mailscanner.te b/policy/modules/contrib/mailscanner.te
index 14840eda..d8dcb317 100644
--- a/policy/modules/contrib/mailscanner.te
+++ b/policy/modules/contrib/mailscanner.te
@@ -29,7 +29,7 @@ files_pid_file(mscan_var_run_t)
# Local policy
#
-allow mscan_t self:capability { setuid chown setgid dac_override };
+allow mscan_t self:capability { chown dac_override setgid setuid };
allow mscan_t self:process signal;
allow mscan_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te
index ce0ac3c8..142e7e07 100644
--- a/policy/modules/contrib/mandb.te
+++ b/policy/modules/contrib/mandb.te
@@ -21,7 +21,7 @@ init_unit_file(mandb_unit_t)
# Local policy
#
-allow mandb_t self:capability { setuid setgid };
+allow mandb_t self:capability { setgid setuid };
allow mandb_t self:process { setsched signal };
allow mandb_t self:fifo_file rw_fifo_file_perms;
allow mandb_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/policy/modules/contrib/memcached.te b/policy/modules/contrib/memcached.te
index 570035ef..c90c632f 100644
--- a/policy/modules/contrib/memcached.te
+++ b/policy/modules/contrib/memcached.te
@@ -20,7 +20,7 @@ files_pid_file(memcached_var_run_t)
# Local policy
#
-allow memcached_t self:capability { setuid setgid };
+allow memcached_t self:capability { setgid setuid };
dontaudit memcached_t self:capability sys_tty_config;
allow memcached_t self:process { setrlimit signal_perms };
allow memcached_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/milter.te b/policy/modules/contrib/milter.te
index c25488c9..7c4b347d 100644
--- a/policy/modules/contrib/milter.te
+++ b/policy/modules/contrib/milter.te
@@ -82,7 +82,7 @@ optional_policy(`
# regex local policy
#
-allow regex_milter_t self:capability { setuid setgid dac_override };
+allow regex_milter_t self:capability { dac_override setgid setuid };
files_search_spool(regex_milter_t)
diff --git a/policy/modules/contrib/minissdpd.te b/policy/modules/contrib/minissdpd.te
index f1a37029..d16cdb1b 100644
--- a/policy/modules/contrib/minissdpd.te
+++ b/policy/modules/contrib/minissdpd.te
@@ -23,7 +23,7 @@ files_pid_file(minissdpd_var_run_t)
# Local policy
#
-allow minissdpd_t self:capability { sys_module net_admin };
+allow minissdpd_t self:capability { net_admin sys_module };
allow minissdpd_t self:netlink_route_socket r_netlink_socket_perms;
allow minissdpd_t self:udp_socket create_socket_perms;
allow minissdpd_t self:unix_dgram_socket create_socket_perms;
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index fa651ed4..85d6bda1 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -81,7 +81,7 @@ userdom_user_tmpfs_file(mozilla_tmpfs_t)
# Local policy
#
-allow mozilla_t self:capability { sys_nice setgid setuid };
+allow mozilla_t self:capability { setgid setuid sys_nice };
allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
allow mozilla_t self:fifo_file rw_fifo_file_perms;
allow mozilla_t self:shm create_shm_perms;
@@ -533,7 +533,7 @@ optional_policy(`
# Plugin config local policy
#
-allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
+allow mozilla_plugin_config_t self:capability { dac_override dac_read_search setgid setuid sys_nice };
allow mozilla_plugin_config_t self:process { setsched signal_perms getsched };
allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms;
allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/policy/modules/contrib/mrtg.te b/policy/modules/contrib/mrtg.te
index 42b484c0..5126d9d5 100644
--- a/policy/modules/contrib/mrtg.te
+++ b/policy/modules/contrib/mrtg.te
@@ -32,7 +32,7 @@ files_pid_file(mrtg_var_run_t)
# Local policy
#
-allow mrtg_t self:capability { setgid setuid chown };
+allow mrtg_t self:capability { chown setgid setuid };
dontaudit mrtg_t self:capability sys_tty_config;
allow mrtg_t self:process signal_perms;
allow mrtg_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index f0c4b92c..9a3ee20e 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -55,7 +55,7 @@ userdom_user_tmp_file(user_mail_tmp_t)
# Common base mail policy
#
-allow user_mail_domain self:capability { setuid setgid chown };
+allow user_mail_domain self:capability { chown setgid setuid };
allow user_mail_domain self:process { signal_perms setrlimit };
allow user_mail_domain self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/nagios.te b/policy/modules/contrib/nagios.te
index 3f1a7b95..44c2abcd 100644
--- a/policy/modules/contrib/nagios.te
+++ b/policy/modules/contrib/nagios.te
@@ -216,8 +216,8 @@ optional_policy(`
# Nrpe local policy
#
-allow nrpe_t self:capability { setuid setgid };
-dontaudit nrpe_t self:capability { sys_tty_config sys_resource };
+allow nrpe_t self:capability { setgid setuid };
+dontaudit nrpe_t self:capability { sys_resource sys_tty_config };
allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
allow nrpe_t self:fifo_file rw_fifo_file_perms;
allow nrpe_t self:tcp_socket { accept listen };
@@ -311,7 +311,7 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
# Mail local policy
#
-allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
+allow nagios_mail_plugin_t self:capability { dac_override setgid setuid };
allow nagios_mail_plugin_t self:tcp_socket { accept listen };
kernel_read_kernel_sysctls(nagios_mail_plugin_t)
@@ -405,7 +405,7 @@ optional_policy(`
#
allow nagios_system_plugin_t self:capability dac_override;
-dontaudit nagios_system_plugin_t self:capability { setuid setgid };
+dontaudit nagios_system_plugin_t self:capability { setgid setuid };
read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 27b92658..cde12ad5 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -47,8 +47,8 @@ ifdef(`distro_gentoo',`
# Local policy
#
-allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock };
-dontaudit NetworkManager_t self:capability { sys_tty_config sys_module sys_ptrace };
+allow NetworkManager_t self:capability { chown dac_override fowner fsetid ipc_lock kill net_admin net_raw setgid setuid sys_nice };
+dontaudit NetworkManager_t self:capability { sys_module sys_ptrace sys_tty_config };
allow NetworkManager_t self:capability2 wake_alarm;
allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/nslcd.te b/policy/modules/contrib/nslcd.te
index 40682ca2..30639e64 100644
--- a/policy/modules/contrib/nslcd.te
+++ b/policy/modules/contrib/nslcd.te
@@ -23,7 +23,7 @@ files_config_file(nslcd_conf_t)
# Local policy
#
-allow nslcd_t self:capability { setgid setuid dac_override };
+allow nslcd_t self:capability { dac_override setgid setuid };
allow nslcd_t self:process signal;
allow nslcd_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/ntop.te b/policy/modules/contrib/ntop.te
index a3503716..025f5d4a 100644
--- a/policy/modules/contrib/ntop.te
+++ b/policy/modules/contrib/ntop.te
@@ -29,7 +29,7 @@ files_pid_file(ntop_var_run_t)
# Local Policy
#
-allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin };
+allow ntop_t self:capability { net_admin net_raw setgid setuid sys_admin };
dontaudit ntop_t self:capability sys_tty_config;
allow ntop_t self:process signal_perms;
allow ntop_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index c7c27be5..2fcf0a40 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -47,8 +47,8 @@ init_system_domain(ntpd_t, ntpdate_exec_t)
# Local policy
#
-allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource };
-dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
+allow ntpd_t self:capability { chown dac_override ipc_lock ipc_owner kill setgid setuid sys_chroot sys_nice sys_resource sys_time };
+dontaudit ntpd_t self:capability { fsetid net_admin sys_nice sys_tty_config };
allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
allow ntpd_t self:fifo_file rw_fifo_file_perms;
allow ntpd_t self:shm create_shm_perms;
diff --git a/policy/modules/contrib/nut.te b/policy/modules/contrib/nut.te
index 8086281f..d38ced7b 100644
--- a/policy/modules/contrib/nut.te
+++ b/policy/modules/contrib/nut.te
@@ -34,7 +34,7 @@ init_daemon_pid_file(nut_var_run_t, dir, "nut")
# Common nut domain local policy
#
-allow nut_domain self:capability { setgid setuid dac_override kill };
+allow nut_domain self:capability { dac_override kill setgid setuid };
allow nut_domain self:process signal_perms;
allow nut_domain self:fifo_file rw_fifo_file_perms;
allow nut_domain self:unix_dgram_socket sendto;
diff --git a/policy/modules/contrib/oddjob.te b/policy/modules/contrib/oddjob.te
index c01d4f62..507d6d24 100644
--- a/policy/modules/contrib/oddjob.te
+++ b/policy/modules/contrib/oddjob.te
@@ -74,7 +74,7 @@ optional_policy(`
# Mkhomedir local policy
#
-allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override };
+allow oddjob_mkhomedir_t self:capability { chown dac_override fowner fsetid };
allow oddjob_mkhomedir_t self:process setfscreate;
allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms;
allow oddjob_mkhomedir_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/oident.te b/policy/modules/contrib/oident.te
index 0cf6cfe3..c1f42dc1 100644
--- a/policy/modules/contrib/oident.te
+++ b/policy/modules/contrib/oident.te
@@ -25,7 +25,7 @@ files_config_file(oidentd_config_t)
# Local policy
#
-allow oidentd_t self:capability { setuid setgid };
+allow oidentd_t self:capability { setgid setuid };
allow oidentd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow oidentd_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/openvpn.te b/policy/modules/contrib/openvpn.te
index cce20317..465716f6 100644
--- a/policy/modules/contrib/openvpn.te
+++ b/policy/modules/contrib/openvpn.te
@@ -54,7 +54,7 @@ files_pid_file(openvpn_var_run_t)
# Local policy
#
-allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_admin setgid setuid sys_chroot sys_tty_config sys_nice };
+allow openvpn_t self:capability { dac_override dac_read_search ipc_lock net_admin setgid setuid sys_chroot sys_nice sys_tty_config };
allow openvpn_t self:process { signal getsched setsched };
allow openvpn_t self:fifo_file rw_fifo_file_perms;
allow openvpn_t self:unix_dgram_socket sendto;
diff --git a/policy/modules/contrib/openvswitch.te b/policy/modules/contrib/openvswitch.te
index 04cbe909..b9790021 100644
--- a/policy/modules/contrib/openvswitch.te
+++ b/policy/modules/contrib/openvswitch.te
@@ -32,7 +32,7 @@ files_pid_file(openvswitch_var_run_t)
# Local policy
#
-allow openvswitch_t self:capability { net_admin sys_nice sys_resource ipc_lock };
+allow openvswitch_t self:capability { ipc_lock net_admin sys_nice sys_resource };
allow openvswitch_t self:process { setrlimit setsched signal };
allow openvswitch_t self:fifo_file rw_fifo_file_perms;
allow openvswitch_t self:rawip_socket create_socket_perms;
diff --git a/policy/modules/contrib/pacemaker.te b/policy/modules/contrib/pacemaker.te
index 6d1b3c4d..218470bb 100644
--- a/policy/modules/contrib/pacemaker.te
+++ b/policy/modules/contrib/pacemaker.te
@@ -29,7 +29,7 @@ files_pid_file(pacemaker_var_run_t)
# Local policy
#
-allow pacemaker_t self:capability { fowner fsetid kill chown dac_override setuid };
+allow pacemaker_t self:capability { chown dac_override fowner fsetid kill setuid };
allow pacemaker_t self:process { setrlimit signal setpgid };
allow pacemaker_t self:fifo_file rw_fifo_file_perms;
allow pacemaker_t self:unix_stream_socket { connectto accept listen };
diff --git a/policy/modules/contrib/passenger.te b/policy/modules/contrib/passenger.te
index 85fb36db..b6181456 100644
--- a/policy/modules/contrib/passenger.te
+++ b/policy/modules/contrib/passenger.te
@@ -25,7 +25,7 @@ files_pid_file(passenger_var_run_t)
# Local policy
#
-allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource };
+allow passenger_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_ptrace sys_resource };
allow passenger_t self:process { setpgid setsched sigkill signal };
allow passenger_t self:fifo_file rw_fifo_file_perms;
allow passenger_t self:unix_stream_socket { accept connectto listen };
diff --git a/policy/modules/contrib/pcmcia.te b/policy/modules/contrib/pcmcia.te
index ceab5763..230f1f00 100644
--- a/policy/modules/contrib/pcmcia.te
+++ b/policy/modules/contrib/pcmcia.te
@@ -29,7 +29,7 @@ role cardmgr_roles types cardmgr_t;
# Local policy
#
-allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };
+allow cardmgr_t self:capability { dac_override dac_read_search mknod net_admin setuid sys_admin sys_nice sys_tty_config };
dontaudit cardmgr_t self:capability sys_tty_config;
allow cardmgr_t self:process signal_perms;
allow cardmgr_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/pegasus.te b/policy/modules/contrib/pegasus.te
index 6d8c0192..b2138295 100644
--- a/policy/modules/contrib/pegasus.te
+++ b/policy/modules/contrib/pegasus.te
@@ -35,7 +35,7 @@ files_pid_file(pegasus_var_run_t)
# Local policy
#
-allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service };
+allow pegasus_t self:capability { chown dac_override ipc_lock kill net_admin net_bind_service setgid setuid sys_nice };
dontaudit pegasus_t self:capability sys_tty_config;
allow pegasus_t self:process signal;
allow pegasus_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/pkcs.te b/policy/modules/contrib/pkcs.te
index 1d1635d4..b10f18e7 100644
--- a/policy/modules/contrib/pkcs.te
+++ b/policy/modules/contrib/pkcs.te
@@ -29,7 +29,7 @@ files_tmpfs_file(pkcs_slotd_tmpfs_t)
# Local policy
#
-allow pkcs_slotd_t self:capability { fsetid kill chown };
+allow pkcs_slotd_t self:capability { chown fsetid kill };
allow pkcs_slotd_t self:fifo_file rw_fifo_file_perms;
allow pkcs_slotd_t self:sem create_sem_perms;
allow pkcs_slotd_t self:shm create_shm_perms;
diff --git a/policy/modules/contrib/podsleuth.te b/policy/modules/contrib/podsleuth.te
index 9123f715..83dc77b5 100644
--- a/policy/modules/contrib/podsleuth.te
+++ b/policy/modules/contrib/podsleuth.te
@@ -28,7 +28,7 @@ userdom_user_tmpfs_file(podsleuth_tmpfs_t)
# Local policy
#
-allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
+allow podsleuth_t self:capability { dac_override kill sys_admin sys_rawio };
allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack };
allow podsleuth_t self:fifo_file rw_fifo_file_perms;
allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index e990d79a..cad9b9f1 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -72,7 +72,7 @@ interface(`portage_compile_domain',`
type portage_tmp_t, portage_tmpfs_t;
')
- allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
+ allow $1 self:capability { chown dac_override fowner fsetid mknod net_raw setgid setuid };
dontaudit $1 self:capability sys_chroot;
allow $1 self:process { setpgid setsched setrlimit signal_perms execmem setfscreate };
allow $1 self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 87ca0c6c..ef04131e 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -160,7 +160,7 @@ optional_policy(`
# - setfscreate for merging to live fs
allow portage_t self:process { setfscreate };
# - kill for mysql merging, at least
-allow portage_t self:capability { sys_nice kill setfcap };
+allow portage_t self:capability { kill setfcap sys_nice };
dontaudit portage_t self:capability { dac_read_search };
dontaudit portage_t self:netlink_route_socket rw_netlink_socket_perms;
@@ -247,7 +247,7 @@ dontaudit portage_t device_type:blk_file read_blk_file_perms;
#
allow portage_fetch_t self:process signal;
-allow portage_fetch_t self:capability { dac_override fowner fsetid chown };
+allow portage_fetch_t self:capability { chown dac_override fowner fsetid };
allow portage_fetch_t self:fifo_file rw_fifo_file_perms;
allow portage_fetch_t self:tcp_socket { accept listen };
allow portage_fetch_t self:unix_stream_socket create_socket_perms;
diff --git a/policy/modules/contrib/portmap.te b/policy/modules/contrib/portmap.te
index 292b3aa8..2a8c850b 100644
--- a/policy/modules/contrib/portmap.te
+++ b/policy/modules/contrib/portmap.te
@@ -30,7 +30,7 @@ files_pid_file(portmap_var_run_t)
# Local policy
#
-allow portmap_t self:capability { setuid setgid };
+allow portmap_t self:capability { setgid setuid };
dontaudit portmap_t self:capability sys_tty_config;
allow portmap_t self:unix_stream_socket { accept listen };
allow portmap_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/portreserve.te b/policy/modules/contrib/portreserve.te
index 7e05b61b..a09698ce 100644
--- a/policy/modules/contrib/portreserve.te
+++ b/policy/modules/contrib/portreserve.te
@@ -23,7 +23,7 @@ files_pid_file(portreserve_var_run_t)
# Local policy
#
-allow portreserve_t self:capability { dac_read_search dac_override };
+allow portreserve_t self:capability { dac_override dac_read_search };
allow portreserve_t self:fifo_file rw_fifo_file_perms;
allow portreserve_t self:unix_stream_socket create_stream_socket_perms;
allow portreserve_t self:unix_dgram_socket { create_socket_perms sendto };
diff --git a/policy/modules/contrib/portslave.te b/policy/modules/contrib/portslave.te
index cbe36c1d..b34887c9 100644
--- a/policy/modules/contrib/portslave.te
+++ b/policy/modules/contrib/portslave.te
@@ -21,7 +21,7 @@ files_lock_file(portslave_lock_t)
# Local policy
#
-allow portslave_t self:capability { setuid setgid net_admin fsetid net_bind_service sys_tty_config };
+allow portslave_t self:capability { fsetid net_admin net_bind_service setgid setuid sys_tty_config };
dontaudit portslave_t self:capability sys_admin;
allow portslave_t self:process signal_perms;
allow portslave_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 1f1a396f..74cb3d7e 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -108,7 +108,7 @@ mta_mailserver_delivery(postfix_virtual_t)
# Common postfix domain local policy
#
-allow postfix_domain self:capability { sys_nice sys_chroot };
+allow postfix_domain self:capability { sys_chroot sys_nice };
dontaudit postfix_domain self:capability sys_tty_config;
allow postfix_domain self:process { signal_perms setpgid setsched };
allow postfix_domain self:fifo_file rw_fifo_file_perms;
@@ -171,7 +171,7 @@ optional_policy(`
# Common postfix server domain local policy
#
-allow postfix_server_domain self:capability { setuid setgid dac_override };
+allow postfix_server_domain self:capability { dac_override setgid setuid };
allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
@@ -198,7 +198,7 @@ domain_use_interactive_fds(postfix_user_domains)
# Master local policy
#
-allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config };
+allow postfix_master_t self:capability { chown dac_override fowner kill setgid setuid sys_tty_config };
allow postfix_master_t self:capability2 block_suspend;
allow postfix_master_t self:process setrlimit;
allow postfix_master_t self:tcp_socket create_stream_socket_perms;
@@ -683,7 +683,7 @@ corecmd_exec_bin(postfix_qmgr_t)
# Showq local policy
#
-allow postfix_showq_t self:capability { setuid setgid };
+allow postfix_showq_t self:capability { setgid setuid };
allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
diff --git a/policy/modules/contrib/postfixpolicyd.te b/policy/modules/contrib/postfixpolicyd.te
index 153fb19c..621e1817 100644
--- a/policy/modules/contrib/postfixpolicyd.te
+++ b/policy/modules/contrib/postfixpolicyd.te
@@ -23,7 +23,7 @@ files_pid_file(postfix_policyd_var_run_t)
# Local policy
#
-allow postfix_policyd_t self:capability { sys_resource sys_chroot setgid setuid };
+allow postfix_policyd_t self:capability { setgid setuid sys_chroot sys_resource };
allow postfix_policyd_t self:process setrlimit;
allow postfix_policyd_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/ppp.te b/policy/modules/contrib/ppp.te
index 27718824..1015b4ee 100644
--- a/policy/modules/contrib/ppp.te
+++ b/policy/modules/contrib/ppp.te
@@ -78,7 +78,7 @@ userdom_user_home_content(ppp_home_t)
# PPPD local policy
#
-allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice };
+allow pppd_t self:capability { dac_override fowner fsetid kill net_admin net_raw setgid setuid sys_admin sys_nice };
dontaudit pppd_t self:capability sys_tty_config;
allow pppd_t self:process { getsched setsched signal };
allow pppd_t self:fifo_file rw_fifo_file_perms;
@@ -224,7 +224,7 @@ optional_policy(`
# PPTP local policy
#
-allow pptp_t self:capability { dac_override dac_read_search net_raw net_admin };
+allow pptp_t self:capability { dac_override dac_read_search net_admin net_raw };
dontaudit pptp_t self:capability sys_tty_config;
allow pptp_t self:process signal;
allow pptp_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/procmail.te b/policy/modules/contrib/procmail.te
index a4fa22b0..8a842661 100644
--- a/policy/modules/contrib/procmail.te
+++ b/policy/modules/contrib/procmail.te
@@ -24,7 +24,7 @@ files_tmp_file(procmail_tmp_t)
# Local policy
#
-allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_override };
+allow procmail_t self:capability { chown dac_override fsetid setgid setuid sys_nice };
allow procmail_t self:process { setsched signal signull };
allow procmail_t self:fifo_file rw_fifo_file_perms;
allow procmail_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/psad.te b/policy/modules/contrib/psad.te
index 3336ca7e..b94e44a9 100644
--- a/policy/modules/contrib/psad.te
+++ b/policy/modules/contrib/psad.te
@@ -32,7 +32,7 @@ files_tmp_file(psad_tmp_t)
# Local policy
#
-allow psad_t self:capability { net_admin net_raw setuid setgid dac_override };
+allow psad_t self:capability { dac_override net_admin net_raw setgid setuid };
dontaudit psad_t self:capability sys_tty_config;
allow psad_t self:process signal_perms;
allow psad_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index e9a4a507..ac9811ea 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -44,7 +44,7 @@ files_pid_file(pulseaudio_var_run_t)
# Local policy
#
-allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config };
+allow pulseaudio_t self:capability { chown fowner fsetid setgid setuid sys_nice sys_resource sys_tty_config };
allow pulseaudio_t self:process { getcap getsched setcap setrlimit setsched signal signull };
allow pulseaudio_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/puppet.te b/policy/modules/contrib/puppet.te
index 4f496964..0e8161a2 100644
--- a/policy/modules/contrib/puppet.te
+++ b/policy/modules/contrib/puppet.te
@@ -59,7 +59,7 @@ files_tmp_file(puppetmaster_tmp_t)
# Local policy
#
-allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_admin sys_nice sys_tty_config };
+allow puppet_t self:capability { chown dac_override fowner fsetid setgid setuid sys_admin sys_nice sys_tty_config };
allow puppet_t self:process { signal signull getsched setsched };
allow puppet_t self:fifo_file rw_fifo_file_perms;
allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
@@ -255,7 +255,7 @@ optional_policy(`
# Master local policy
#
-allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
+allow puppetmaster_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_tty_config };
allow puppetmaster_t self:process { signal_perms getsched setsched };
allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
allow puppetmaster_t self:netlink_route_socket nlmsg_write;
diff --git a/policy/modules/contrib/qemu.if b/policy/modules/contrib/qemu.if
index 32b48657..efdc5286 100644
--- a/policy/modules/contrib/qemu.if
+++ b/policy/modules/contrib/qemu.if
@@ -27,7 +27,7 @@ template(`qemu_domain_template',`
# Policy
#
- allow $1_t self:capability { dac_read_search dac_override };
+ allow $1_t self:capability { dac_override dac_read_search };
allow $1_t self:process { execstack execmem signal getsched };
allow $1_t self:fifo_file rw_file_perms;
allow $1_t self:shm create_shm_perms;
diff --git a/policy/modules/contrib/qmail.te b/policy/modules/contrib/qmail.te
index a40ba2a2..455f2c0e 100644
--- a/policy/modules/contrib/qmail.te
+++ b/policy/modules/contrib/qmail.te
@@ -145,7 +145,7 @@ optional_policy(`
# Lspawn local policy
#
-allow qmail_lspawn_t self:capability { setuid setgid };
+allow qmail_lspawn_t self:capability { setgid setuid };
allow qmail_lspawn_t self:process signal_perms;
allow qmail_lspawn_t self:fifo_file rw_fifo_file_perms;
allow qmail_lspawn_t self:unix_stream_socket create_socket_perms;
diff --git a/policy/modules/contrib/quota.te b/policy/modules/contrib/quota.te
index 9952f537..95fc0aa3 100644
--- a/policy/modules/contrib/quota.te
+++ b/policy/modules/contrib/quota.te
@@ -33,7 +33,7 @@ files_pid_file(quota_nld_var_run_t)
# Local policy
#
-allow quota_t self:capability { sys_admin dac_override };
+allow quota_t self:capability { dac_override sys_admin };
dontaudit quota_t self:capability sys_tty_config;
allow quota_t self:process signal_perms;
diff --git a/policy/modules/contrib/radvd.te b/policy/modules/contrib/radvd.te
index 1d7fbfe4..41df3b57 100644
--- a/policy/modules/contrib/radvd.te
+++ b/policy/modules/contrib/radvd.te
@@ -22,7 +22,7 @@ files_pid_file(radvd_var_run_t)
# Local policy
#
-allow radvd_t self:capability { kill setgid setuid net_raw net_admin };
+allow radvd_t self:capability { kill net_admin net_raw setgid setuid };
dontaudit radvd_t self:capability sys_tty_config;
allow radvd_t self:process signal_perms;
allow radvd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
index ad21e093..49c7dbb4 100644
--- a/policy/modules/contrib/raid.te
+++ b/policy/modules/contrib/raid.te
@@ -27,7 +27,7 @@ dev_associate(mdadm_var_run_t)
# Local policy
#
-allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
+allow mdadm_t self:capability { dac_override ipc_lock sys_admin };
dontaudit mdadm_t self:capability sys_tty_config;
allow mdadm_t self:process { getsched setsched signal_perms };
allow mdadm_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/readahead.te b/policy/modules/contrib/readahead.te
index 080c0ad0..ec587591 100644
--- a/policy/modules/contrib/readahead.te
+++ b/policy/modules/contrib/readahead.te
@@ -22,7 +22,7 @@ init_daemon_pid_file(readahead_var_run_t, dir, "readahead")
# Local policy
#
-allow readahead_t self:capability { sys_admin fowner dac_override dac_read_search };
+allow readahead_t self:capability { dac_override dac_read_search fowner sys_admin };
dontaudit readahead_t self:capability { net_admin sys_tty_config };
allow readahead_t self:process { setsched signal_perms };
diff --git a/policy/modules/contrib/remotelogin.te b/policy/modules/contrib/remotelogin.te
index ae308717..3130db86 100644
--- a/policy/modules/contrib/remotelogin.te
+++ b/policy/modules/contrib/remotelogin.te
@@ -18,7 +18,7 @@ files_tmp_file(remote_login_tmp_t)
# Local policy
#
-allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
+allow remote_login_t self:capability { chown dac_override fowner fsetid kill net_bind_service setgid setuid sys_nice sys_resource sys_tty_config };
allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow remote_login_t self:process { setrlimit setexec };
allow remote_login_t self:fd use;
diff --git a/policy/modules/contrib/rgmanager.te b/policy/modules/contrib/rgmanager.te
index c533810f..905c3d44 100644
--- a/policy/modules/contrib/rgmanager.te
+++ b/policy/modules/contrib/rgmanager.te
@@ -37,7 +37,7 @@ files_pid_file(rgmanager_var_run_t)
# Local policy
#
-allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
+allow rgmanager_t self:capability { dac_override ipc_lock net_raw sys_admin sys_nice sys_resource };
allow rgmanager_t self:process { setsched signal };
allow rgmanager_t self:fifo_file rw_fifo_file_perms;
allow rgmanager_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/rhcs.te b/policy/modules/contrib/rhcs.te
index 4c58d123..85a3a066 100644
--- a/policy/modules/contrib/rhcs.te
+++ b/policy/modules/contrib/rhcs.te
@@ -170,7 +170,7 @@ tunable_policy(`fenced_can_network_connect',`
optional_policy(`
tunable_policy(`fenced_can_ssh',`
- allow fenced_t self:capability { setuid setgid };
+ allow fenced_t self:capability { setgid setuid };
corenet_sendrecv_ssh_client_packets(fenced_t)
corenet_tcp_connect_ssh_port(fenced_t)
diff --git a/policy/modules/contrib/ricci.te b/policy/modules/contrib/ricci.te
index 794dcd36..326d7b85 100644
--- a/policy/modules/contrib/ricci.te
+++ b/policy/modules/contrib/ricci.te
@@ -78,7 +78,7 @@ files_lock_file(ricci_modstorage_lock_t)
# Local policy
#
-allow ricci_t self:capability { setuid sys_nice sys_boot };
+allow ricci_t self:capability { setuid sys_boot sys_nice };
allow ricci_t self:process setsched;
allow ricci_t self:fifo_file rw_fifo_file_perms;
allow ricci_t self:unix_stream_socket { accept connectto listen };
diff --git a/policy/modules/contrib/rlogin.te b/policy/modules/contrib/rlogin.te
index 0714e380..94d41e81 100644
--- a/policy/modules/contrib/rlogin.te
+++ b/policy/modules/contrib/rlogin.te
@@ -31,7 +31,7 @@ files_pid_file(rlogind_var_run_t)
# Local policy
#
-allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
+allow rlogind_t self:capability { chown dac_override fowner fsetid setgid setuid sys_tty_config };
allow rlogind_t self:process signal_perms;
allow rlogind_t self:fifo_file rw_fifo_file_perms;
allow rlogind_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index cf1f775b..5123f079 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -145,7 +145,7 @@ optional_policy(`
# Local policy
#
-allow rpcd_t self:capability { setpcap sys_admin chown dac_override setgid setuid };
+allow rpcd_t self:capability { chown dac_override setgid setpcap setuid sys_admin };
allow rpcd_t self:capability2 block_suspend;
allow rpcd_t self:process { getcap setcap };
allow rpcd_t self:fifo_file rw_fifo_file_perms;
@@ -288,7 +288,7 @@ optional_policy(`
# GSSD local policy
#
-allow gssd_t self:capability { dac_override dac_read_search setuid setgid sys_nice };
+allow gssd_t self:capability { dac_override dac_read_search setgid setuid sys_nice };
allow gssd_t self:process { getsched setsched };
allow gssd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 6ab5fd9e..1b36d097 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -73,7 +73,7 @@ files_tmpfs_file(rpm_script_tmpfs_t)
# rpm Local policy
#
-allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
+allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock mknod setfcap setgid setuid sys_chroot sys_nice sys_tty_config };
allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
allow rpm_t self:process { getattr setexec setfscreate setrlimit };
allow rpm_t self:fd use;
@@ -241,7 +241,7 @@ optional_policy(`
# rpm-script Local policy
#
-allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin };
+allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin setgid setuid sys_admin sys_chroot sys_nice sys_rawio };
allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
allow rpm_script_t self:fd use;
allow rpm_script_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/rshd.te b/policy/modules/contrib/rshd.te
index 5a5f6f71..dc327424 100644
--- a/policy/modules/contrib/rshd.te
+++ b/policy/modules/contrib/rshd.te
@@ -18,7 +18,7 @@ files_type(rshd_keytab_t)
# Local policy
#
-allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override };
+allow rshd_t self:capability { chown dac_override fowner fsetid kill setgid setuid };
allow rshd_t self:process { signal_perms setsched setpgid setexec };
allow rshd_t self:fifo_file rw_fifo_file_perms;
allow rshd_t self:tcp_socket create_stream_socket_perms;
--git a/policy/modules/contrib/rssh.te b/policy/modules/contrib/rssh.te
index 5c5465fe..cf6dd81e 100644
--- a/policy/modules/contrib/rssh.te
+++ b/policy/modules/contrib/rssh.te
@@ -86,7 +86,7 @@ optional_policy(`
# Chroot helper local policy
#
-allow rssh_chroot_helper_t self:capability { sys_chroot setuid };
+allow rssh_chroot_helper_t self:capability { setuid sys_chroot };
allow rssh_chroot_helper_t self:fifo_file rw_fifo_file_perms;
allow rssh_chroot_helper_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/rsync.te b/policy/modules/contrib/rsync.te
index 18db99d4..2fce98b0 100644
--- a/policy/modules/contrib/rsync.te
+++ b/policy/modules/contrib/rsync.te
@@ -83,7 +83,7 @@ files_pid_file(rsync_var_run_t)
# Local policy
#
-allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot };
+allow rsync_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_chroot };
allow rsync_t self:process signal_perms;
allow rsync_t self:fifo_file rw_fifo_file_perms;
allow rsync_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 0acf15a7..e7dae973 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -194,7 +194,7 @@ files_pid_file(winbind_var_run_t)
# Net local policy
#
-allow samba_net_t self:capability { sys_chroot sys_nice dac_read_search dac_override };
+allow samba_net_t self:capability { dac_override dac_read_search sys_chroot sys_nice };
allow samba_net_t self:capability2 block_suspend;
allow samba_net_t self:process { getsched setsched };
allow samba_net_t self:unix_stream_socket { accept listen };
@@ -261,7 +261,7 @@ optional_policy(`
# Smbd Local policy
#
-allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search };
+allow smbd_t self:capability { chown dac_override dac_read_search fowner fsetid kill lease setgid setuid sys_admin sys_chroot sys_nice sys_resource };
dontaudit smbd_t self:capability sys_tty_config;
allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
allow smbd_t self:fd use;
@@ -650,7 +650,7 @@ optional_policy(`
# Smbmount Local policy
#
-allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown };
+allow smbmount_t self:capability { chown dac_override sys_admin sys_rawio };
allow smbmount_t self:process signal_perms;
allow smbmount_t self:tcp_socket { accept listen };
allow smbmount_t self:unix_dgram_socket create_socket_perms;
@@ -724,7 +724,7 @@ optional_policy(`
# Swat Local policy
#
-allow swat_t self:capability { dac_override setuid setgid sys_resource };
+allow swat_t self:capability { dac_override setgid setuid sys_resource };
allow swat_t self:process { setrlimit signal_perms };
allow swat_t self:fifo_file rw_fifo_file_perms;
allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
diff --git a/policy/modules/contrib/samhain.te b/policy/modules/contrib/samhain.te
index 1d2f80f5..865f9563 100644
--- a/policy/modules/contrib/samhain.te
+++ b/policy/modules/contrib/samhain.te
@@ -49,7 +49,7 @@ ifdef(`enable_mls',`
#
allow samhain_domain self:capability { dac_override dac_read_search fowner ipc_lock };
-dontaudit samhain_domain self:capability { sys_resource sys_ptrace };
+dontaudit samhain_domain self:capability { sys_ptrace sys_resource };
allow samhain_domain self:process { setsched setrlimit signull };
allow samhain_domain self:fd use;
allow samhain_domain self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/screen.te b/policy/modules/contrib/screen.te
index e8569cb1..e376da59 100644
--- a/policy/modules/contrib/screen.te
+++ b/policy/modules/contrib/screen.te
@@ -29,7 +29,7 @@ ubac_constrained(screen_runtime_t)
#
# dac_override : read /dev/pts/ID
-allow screen_domain self:capability { setuid setgid fsetid dac_override };
+allow screen_domain self:capability { dac_override fsetid setgid setuid };
allow screen_domain self:process signal_perms;
allow screen_domain self:fd use;
allow screen_domain self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te
index 1ae4a27a..dbfab0a0 100644
--- a/policy/modules/contrib/sendmail.te
+++ b/policy/modules/contrib/sendmail.te
@@ -40,7 +40,7 @@ role sendmail_unconfined_roles types unconfined_sendmail_t;
# Local policy
#
-allow sendmail_t self:capability { dac_override setuid setgid sys_nice chown sys_tty_config };
+allow sendmail_t self:capability { chown dac_override setgid setuid sys_nice sys_tty_config };
allow sendmail_t self:process { setsched setpgid setrlimit signal signull };
allow sendmail_t self:fifo_file rw_fifo_file_perms;
allow sendmail_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/shorewall.te b/policy/modules/contrib/shorewall.te
index e2e6c30d..5e815dd8 100644
--- a/policy/modules/contrib/shorewall.te
+++ b/policy/modules/contrib/shorewall.te
@@ -32,7 +32,7 @@ logging_log_file(shorewall_log_t)
# Local policy
#
-allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_admin };
+allow shorewall_t self:capability { dac_override net_admin net_raw setgid setuid sys_admin sys_nice };
dontaudit shorewall_t self:capability sys_tty_config;
allow shorewall_t self:fifo_file rw_fifo_file_perms;
allow shorewall_t self:netlink_socket create_socket_perms;
diff --git a/policy/modules/contrib/slocate.te b/policy/modules/contrib/slocate.te
index 65fe1cb6..2bf0fed4 100644
--- a/policy/modules/contrib/slocate.te
+++ b/policy/modules/contrib/slocate.te
@@ -20,7 +20,7 @@ files_pid_file(locate_var_run_t)
# Local policy
#
-allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid };
+allow locate_t self:capability { chown dac_override dac_read_search fowner fsetid };
allow locate_t self:process { execmem execheap execstack signal setsched };
allow locate_t self:fifo_file rw_fifo_file_perms;
allow locate_t self:unix_stream_socket create_socket_perms;
diff --git a/policy/modules/contrib/smartmon.te b/policy/modules/contrib/smartmon.te
index eb812fe8..4a7cafa7 100644
--- a/policy/modules/contrib/smartmon.te
+++ b/policy/modules/contrib/smartmon.te
@@ -38,7 +38,7 @@ ifdef(`enable_mls',`
# Local policy
#
-allow fsdaemon_t self:capability { dac_override kill setpcap setgid sys_rawio sys_admin };
+allow fsdaemon_t self:capability { dac_override kill setgid setpcap sys_admin sys_rawio };
dontaudit fsdaemon_t self:capability sys_tty_config;
allow fsdaemon_t self:process { getcap setcap signal_perms };
allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/smokeping.te b/policy/modules/contrib/smokeping.te
index 625d8018..cc19c38d 100644
--- a/policy/modules/contrib/smokeping.te
+++ b/policy/modules/contrib/smokeping.te
@@ -23,7 +23,7 @@ files_type(smokeping_var_lib_t)
# Local policy
#
-dontaudit smokeping_t self:capability { dac_read_search dac_override };
+dontaudit smokeping_t self:capability { dac_override dac_read_search };
allow smokeping_t self:fifo_file rw_fifo_file_perms;
allow smokeping_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/snmp.te b/policy/modules/contrib/snmp.te
index 49385798..fe37b52d 100644
--- a/policy/modules/contrib/snmp.te
+++ b/policy/modules/contrib/snmp.te
@@ -26,7 +26,7 @@ files_type(snmpd_var_lib_t)
# Local policy
#
-allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace };
+allow snmpd_t self:capability { chown dac_override ipc_lock kill net_admin setgid setuid sys_nice sys_ptrace sys_tty_config };
dontaudit snmpd_t self:capability { sys_module sys_tty_config };
allow snmpd_t self:process { signal_perms getsched setsched };
allow snmpd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/snort.te b/policy/modules/contrib/snort.te
index 30ba1e0c..536efd00 100644
--- a/policy/modules/contrib/snort.te
+++ b/policy/modules/contrib/snort.te
@@ -30,7 +30,7 @@ init_daemon_pid_file(snort_var_run_t, dir, "snort")
# Local policy
#
-allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
+allow snort_t self:capability { dac_override net_admin net_raw setgid setuid };
dontaudit snort_t self:capability sys_tty_config;
allow snort_t self:process signal_perms;
allow snort_t self:netlink_socket create_socket_perms;
diff --git a/policy/modules/contrib/sosreport.te b/policy/modules/contrib/sosreport.te
index 18dca447..940f220a 100644
--- a/policy/modules/contrib/sosreport.te
+++ b/policy/modules/contrib/sosreport.te
@@ -31,7 +31,7 @@ optional_policy(`
# Local policy
#
-allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override };
+allow sosreport_t self:capability { dac_override kill net_admin net_raw setuid sys_admin sys_nice };
dontaudit sosreport_t self:capability sys_ptrace;
allow sosreport_t self:process { setsched setpgid signal_perms };
allow sosreport_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
index 6631a498..4a9153ce 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -270,7 +270,7 @@ optional_policy(`
# Daemon local policy
#
-allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config };
+allow spamd_t self:capability { dac_override kill setgid setuid sys_tty_config };
dontaudit spamd_t self:capability sys_tty_config;
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamd_t self:fd use;
diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
index 2852599a..74fb3c23 100644
--- a/policy/modules/contrib/squid.te
+++ b/policy/modules/contrib/squid.te
@@ -51,7 +51,7 @@ files_pid_file(squid_var_run_t)
# Local policy
#
-allow squid_t self:capability { setgid kill setuid dac_override sys_resource };
+allow squid_t self:capability { dac_override kill setgid setuid sys_resource };
dontaudit squid_t self:capability sys_tty_config;
allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
allow squid_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
index 9be5c19c..e273c904 100644
--- a/policy/modules/contrib/sssd.te
+++ b/policy/modules/contrib/sssd.te
@@ -33,7 +33,7 @@ files_pid_file(sssd_var_run_t)
# Local policy
#
-allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource };
+allow sssd_t self:capability { chown dac_override dac_read_search kill net_admin setgid setuid sys_admin sys_nice sys_resource };
allow sssd_t self:capability2 block_suspend;
allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit };
allow sssd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/sxid.te b/policy/modules/contrib/sxid.te
index 01a9d0ac..010c40ce 100644
--- a/policy/modules/contrib/sxid.te
+++ b/policy/modules/contrib/sxid.te
@@ -21,7 +21,7 @@ files_tmp_file(sxid_tmp_t)
#
allow sxid_t self:capability { dac_override dac_read_search fsetid };
-dontaudit sxid_t self:capability { setuid setgid sys_tty_config };
+dontaudit sxid_t self:capability { setgid setuid sys_tty_config };
allow sxid_t self:process signal_perms;
allow sxid_t self:fifo_file rw_fifo_file_perms;
allow sxid_t self:tcp_socket create_stream_socket_perms;
diff --git a/policy/modules/contrib/systemtap.te b/policy/modules/contrib/systemtap.te
index f2fa8494..c0ddb637 100644
--- a/policy/modules/contrib/systemtap.te
+++ b/policy/modules/contrib/systemtap.te
@@ -29,7 +29,7 @@ files_pid_file(stapserver_var_run_t)
# Local policy
#
-allow stapserver_t self:capability { dac_override kill setuid setgid };
+allow stapserver_t self:capability { dac_override kill setgid setuid };
allow stapserver_t self:process { setrlimit setsched signal };
allow stapserver_t self:fifo_file rw_fifo_file_perms;
allow stapserver_t self:key write;
diff --git a/policy/modules/contrib/telnet.te b/policy/modules/contrib/telnet.te
index 0e70d1f4..6007d763 100644
--- a/policy/modules/contrib/telnet.te
+++ b/policy/modules/contrib/telnet.te
@@ -27,7 +27,7 @@ files_pid_file(telnetd_var_run_t)
# Local policy
#
-allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
+allow telnetd_t self:capability { chown dac_override fowner fsetid setgid setuid sys_tty_config };
allow telnetd_t self:process signal_perms;
allow telnetd_t self:fifo_file rw_fifo_file_perms;
allow telnetd_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/tripwire.te b/policy/modules/contrib/tripwire.te
index 03aa6b7f..47dc24b3 100644
--- a/policy/modules/contrib/tripwire.te
+++ b/policy/modules/contrib/tripwire.te
@@ -47,7 +47,7 @@ role twprint_roles types twprint_t;
# Local policy
#
-allow tripwire_t self:capability { setgid setuid dac_override };
+allow tripwire_t self:capability { dac_override setgid setuid };
allow tripwire_t tripwire_etc_t:dir list_dir_perms;
allow tripwire_t tripwire_etc_t:file read_file_perms;
diff --git a/policy/modules/contrib/ulogd.te b/policy/modules/contrib/ulogd.te
index 6c3a3eaf..50beee26 100644
--- a/policy/modules/contrib/ulogd.te
+++ b/policy/modules/contrib/ulogd.te
@@ -26,7 +26,7 @@ logging_log_file(ulogd_var_log_t)
# Local policy
#
-allow ulogd_t self:capability { net_admin setuid setgid sys_nice };
+allow ulogd_t self:capability { net_admin setgid setuid sys_nice };
allow ulogd_t self:process setsched;
allow ulogd_t self:netlink_nflog_socket create_socket_perms;
allow ulogd_t self:netlink_socket create_socket_perms;
diff --git a/policy/modules/contrib/userhelper.te b/policy/modules/contrib/userhelper.te
index 7a57c21a..9c7ac268 100644
--- a/policy/modules/contrib/userhelper.te
+++ b/policy/modules/contrib/userhelper.te
@@ -25,7 +25,7 @@ application_executable_file(consolehelper_exec_t)
# Common consolehelper domain local policy
#
-allow consolehelper_type self:capability { setgid setuid dac_override };
+allow consolehelper_type self:capability { dac_override setgid setuid };
allow consolehelper_type self:process signal;
allow consolehelper_type self:fifo_file rw_fifo_file_perms;
allow consolehelper_type self:unix_stream_socket create_stream_socket_perms;
@@ -94,7 +94,7 @@ optional_policy(`
# Common userhelper domain local policy
#
-allow userhelper_type self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config };
+allow userhelper_type self:capability { chown dac_override net_bind_service setgid setuid sys_tty_config };
allow userhelper_type self:process ~{ ptrace setcurrent setfscreate setrlimit execmem execstack execheap };
allow userhelper_type self:fd use;
allow userhelper_type self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/usernetctl.te b/policy/modules/contrib/usernetctl.te
index f973af82..3f774951 100644
--- a/policy/modules/contrib/usernetctl.te
+++ b/policy/modules/contrib/usernetctl.te
@@ -18,7 +18,7 @@ role usernetctl_roles types usernetctl_t;
# Local policy
#
-allow usernetctl_t self:capability { setuid setgid dac_override };
+allow usernetctl_t self:capability { dac_override setgid setuid };
allow usernetctl_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow usernetctl_t self:fd use;
allow usernetctl_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/uucp.te b/policy/modules/contrib/uucp.te
index 9c884c46..d44d025f 100644
--- a/policy/modules/contrib/uucp.te
+++ b/policy/modules/contrib/uucp.te
@@ -46,7 +46,7 @@ role uux_roles types uux_t;
# Local policy
#
-allow uucpd_t self:capability { setuid setgid };
+allow uucpd_t self:capability { setgid setuid };
allow uucpd_t self:process signal_perms;
allow uucpd_t self:fifo_file rw_fifo_file_perms;
allow uucpd_t self:tcp_socket { accept listen };
@@ -137,7 +137,7 @@ optional_policy(`
# UUX Local policy
#
-allow uux_t self:capability { setuid setgid };
+allow uux_t self:capability { setgid setuid };
allow uux_t self:fifo_file write_fifo_file_perms;
domtrans_pattern(uux_t, uucpd_exec_t, uucpd_t)
diff --git a/policy/modules/contrib/varnishd.te b/policy/modules/contrib/varnishd.te
index 36c32fcd..b36f69ca 100644
--- a/policy/modules/contrib/varnishd.te
+++ b/policy/modules/contrib/varnishd.te
@@ -50,7 +50,7 @@ files_type(varnishlog_log_t)
# Local policy
#
-allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid };
+allow varnishd_t self:capability { dac_override ipc_lock kill setgid setuid };
dontaudit varnishd_t self:capability sys_tty_config;
allow varnishd_t self:process signal;
allow varnishd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/vbetool.te b/policy/modules/contrib/vbetool.te
index 2a61f752..09980a08 100644
--- a/policy/modules/contrib/vbetool.te
+++ b/policy/modules/contrib/vbetool.te
@@ -26,7 +26,7 @@ role vbetool_roles types vbetool_t;
# Local policy
#
-allow vbetool_t self:capability { dac_override sys_tty_config sys_admin };
+allow vbetool_t self:capability { dac_override sys_admin sys_tty_config };
allow vbetool_t self:process execmem;
dev_wx_raw_memory(vbetool_t)
diff --git a/policy/modules/contrib/vhostmd.te b/policy/modules/contrib/vhostmd.te
index 4d47427d..f6636a99 100644
--- a/policy/modules/contrib/vhostmd.te
+++ b/policy/modules/contrib/vhostmd.te
@@ -23,7 +23,7 @@ files_pid_file(vhostmd_var_run_t)
# Local policy
#
-allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid };
+allow vhostmd_t self:capability { dac_override ipc_lock setgid setuid };
allow vhostmd_t self:process { setsched getsched signal };
allow vhostmd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index e8ac408d..eb72843f 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -455,7 +455,7 @@ tunable_policy(`virt_use_vfio',`
# virtd local policy
#
-allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
+allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice };
allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
@@ -808,7 +808,7 @@ optional_policy(`
# Virsh local policy
#
-allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
+allow virsh_t self:capability { dac_override ipc_lock setpcap sys_nice sys_tty_config };
allow virsh_t self:process { getcap getsched setsched setcap signal };
allow virsh_t self:fifo_file rw_fifo_file_perms;
allow virsh_t self:unix_stream_socket { accept connectto listen };
@@ -956,7 +956,7 @@ optional_policy(`
# Lxc local policy
#
-allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource };
+allow virtd_lxc_t self:capability { chown dac_override net_admin net_raw setpcap sys_admin sys_boot sys_resource };
allow virtd_lxc_t self:process { setexec setrlimit setsched getcap setcap signal_perms };
allow virtd_lxc_t self:fifo_file rw_fifo_file_perms;
allow virtd_lxc_t self:netlink_route_socket nlmsg_write;
@@ -1052,7 +1052,7 @@ sysnet_domtrans_ifconfig(virtd_lxc_t)
# Common virt lxc domain local policy
#
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
+allow svirt_lxc_domain self:capability { dac_override kill setgid setuid sys_boot };
allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
allow svirt_lxc_domain self:fifo_file manage_file_perms;
allow svirt_lxc_domain self:sem create_sem_perms;
@@ -1149,7 +1149,7 @@ optional_policy(`
# Lxc net local policy
#
-allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
+allow svirt_lxc_net_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_raw setpcap sys_admin sys_nice sys_ptrace sys_resource };
dontaudit svirt_lxc_net_t self:capability2 block_suspend;
allow svirt_lxc_net_t self:process setrlimit;
allow svirt_lxc_net_t self:tcp_socket { accept listen };
@@ -1253,7 +1253,7 @@ optional_policy(`
#
allow virt_bridgehelper_t self:process { setcap getcap };
-allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
+allow virt_bridgehelper_t self:capability { net_admin setgid setpcap setuid };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
diff --git a/policy/modules/contrib/vlock.te b/policy/modules/contrib/vlock.te
index 6b72968e..d4094916 100644
--- a/policy/modules/contrib/vlock.te
+++ b/policy/modules/contrib/vlock.te
@@ -17,7 +17,7 @@ role vlock_roles types vlock_t;
# Local policy
#
-dontaudit vlock_t self:capability { setuid setgid };
+dontaudit vlock_t self:capability { setgid setuid };
allow vlock_t self:fd use;
allow vlock_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/vmware.te b/policy/modules/contrib/vmware.te
index 0fa22c2b..59a32f5d 100644
--- a/policy/modules/contrib/vmware.te
+++ b/policy/modules/contrib/vmware.te
@@ -69,7 +69,7 @@ optional_policy(`
# Host local policy
#
-allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override };
+allow vmware_host_t self:capability { dac_override kill net_raw setgid setuid sys_nice sys_ptrace sys_time };
dontaudit vmware_host_t self:capability sys_tty_config;
allow vmware_host_t self:process { execstack execmem signal_perms };
allow vmware_host_t self:fifo_file rw_fifo_file_perms;
@@ -186,7 +186,7 @@ optional_policy(`
# Guest local policy
#
-allow vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown };
+allow vmware_t self:capability { chown dac_override setgid setuid sys_admin sys_nice sys_rawio sys_resource };
dontaudit vmware_t self:capability sys_tty_config;
allow vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow vmware_t self:process { execmem execstack };
diff --git a/policy/modules/contrib/vpn.te b/policy/modules/contrib/vpn.te
index 85353fa7..10fb1013 100644
--- a/policy/modules/contrib/vpn.te
+++ b/policy/modules/contrib/vpn.te
@@ -24,7 +24,7 @@ files_pid_file(vpnc_var_run_t)
# Local policy
#
-allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw setuid };
+allow vpnc_t self:capability { dac_override dac_read_search ipc_lock net_admin net_raw setuid };
allow vpnc_t self:process { getsched signal };
allow vpnc_t self:fifo_file rw_fifo_file_perms;
allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
diff --git a/policy/modules/contrib/watchdog.te b/policy/modules/contrib/watchdog.te
index a181f48b..bac0a747 100644
--- a/policy/modules/contrib/watchdog.te
+++ b/policy/modules/contrib/watchdog.te
@@ -23,7 +23,7 @@ files_pid_file(watchdog_var_run_t)
# Local policy
#
-allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource net_raw };
+allow watchdog_t self:capability { ipc_lock net_admin net_raw sys_admin sys_boot sys_nice sys_pacct sys_resource };
dontaudit watchdog_t self:capability sys_tty_config;
allow watchdog_t self:process { setsched signal_perms };
allow watchdog_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/wdmd.te b/policy/modules/contrib/wdmd.te
index a32e1988..24c3802e 100644
--- a/policy/modules/contrib/wdmd.te
+++ b/policy/modules/contrib/wdmd.te
@@ -23,7 +23,7 @@ files_pid_file(wdmd_var_run_t)
# Local policy
#
-allow wdmd_t self:capability { chown sys_nice ipc_lock };
+allow wdmd_t self:capability { chown ipc_lock sys_nice };
allow wdmd_t self:process { setsched signal };
allow wdmd_t self:fifo_file rw_fifo_file_perms;
allow wdmd_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te
index c134cfe5..383c00a7 100644
--- a/policy/modules/contrib/xen.te
+++ b/policy/modules/contrib/xen.te
@@ -163,7 +163,7 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
# xend local policy
#
-allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_resource sys_rawio };
+allow xend_t self:capability { dac_override ipc_lock net_admin net_raw setuid sys_admin sys_nice sys_rawio sys_resource sys_tty_config };
dontaudit xend_t self:capability { sys_ptrace };
allow xend_t self:process { setrlimit signal sigkill };
dontaudit xend_t self:process ptrace;
@@ -470,7 +470,7 @@ xen_append_log(xenstored_t)
# xm local policy
#
-allow xm_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
+allow xm_t self:capability { dac_override ipc_lock setpcap sys_nice sys_tty_config };
allow xm_t self:process { getcap getsched setsched setcap signal };
allow xm_t self:fifo_file rw_fifo_file_perms;
allow xm_t self:unix_stream_socket { accept connectto listen };
diff --git a/policy/modules/contrib/yam.te b/policy/modules/contrib/yam.te
index 2695db25..4927d4d7 100644
--- a/policy/modules/contrib/yam.te
+++ b/policy/modules/contrib/yam.te
@@ -26,7 +26,7 @@ files_tmp_file(yam_tmp_t)
# Local policy
#
-allow yam_t self:capability { chown fowner fsetid dac_override };
+allow yam_t self:capability { chown dac_override fowner fsetid };
allow yam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
allow yam_t self:fd use;
allow yam_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/zabbix.te b/policy/modules/contrib/zabbix.te
index 33822181..a021b743 100644
--- a/policy/modules/contrib/zabbix.te
+++ b/policy/modules/contrib/zabbix.te
@@ -44,7 +44,7 @@ files_pid_file(zabbix_var_run_t)
# Local policy
#
-allow zabbix_t self:capability { dac_read_search dac_override setuid setgid };
+allow zabbix_t self:capability { dac_override dac_read_search setgid setuid };
allow zabbix_t self:process { setsched signal_perms };
allow zabbix_t self:fifo_file rw_fifo_file_perms;
allow zabbix_t self:unix_stream_socket create_stream_socket_perms;
@@ -132,7 +132,7 @@ optional_policy(`
# Agent local policy
#
-allow zabbix_agent_t self:capability { setuid setgid };
+allow zabbix_agent_t self:capability { setgid setuid };
allow zabbix_agent_t self:process { setsched getsched signal };
allow zabbix_agent_t self:fifo_file rw_fifo_file_perms;
allow zabbix_agent_t self:sem create_sem_perms;
diff --git a/policy/modules/contrib/zarafa.te b/policy/modules/contrib/zarafa.te
index 5ce3c3eb..506952fb 100644
--- a/policy/modules/contrib/zarafa.te
+++ b/policy/modules/contrib/zarafa.te
@@ -158,7 +158,7 @@ corenet_tcp_sendrecv_smtp_port(zarafa_spooler_t)
# Zarafa domain local policy
#
-allow zarafa_domain self:capability { kill dac_override chown setgid setuid };
+allow zarafa_domain self:capability { chown dac_override kill setgid setuid };
allow zarafa_domain self:process { setrlimit signal };
allow zarafa_domain self:fifo_file rw_fifo_file_perms;
allow zarafa_domain self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/zebra.te b/policy/modules/contrib/zebra.te
index d0b03583..bfc2d21d 100644
--- a/policy/modules/contrib/zebra.te
+++ b/policy/modules/contrib/zebra.te
@@ -37,7 +37,7 @@ files_pid_file(zebra_var_run_t)
# Local policy
#
-allow zebra_t self:capability { setgid setuid net_admin net_raw };
+allow zebra_t self:capability { net_admin net_raw setgid setuid };
dontaudit zebra_t self:capability sys_tty_config;
allow zebra_t self:process { signal_perms getcap setcap };
allow zebra_t self:fifo_file rw_fifo_file_perms;
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-17 8:50 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-17 8:50 UTC (permalink / raw
To: gentoo-commits
commit: a59482227021ff7bdd4d446f4ae9b8c5073e1011
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 27 20:44:51 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:45:13 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a5948222
virt: virtlockd doesnt need ps_process_pattern
policy/modules/contrib/virt.te | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index e1a3bcaf..42e68a29 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
allow virtlockd_t self:capability dac_override;
allow virtlockd_t self:fifo_file rw_fifo_file_perms;
+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
allow virtlockd_t virt_image_type:dir list_dir_perms;
allow virtlockd_t virt_image_type:file rw_file_perms;
@@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
-ps_process_pattern(virtlockd_t, virtd_t)
-
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-17 8:50 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-17 8:50 UTC (permalink / raw
To: gentoo-commits
commit: 0d5ec8428b688ea09c2241fe868e1d684fc9cba6
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Feb 15 17:15:58 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:46:50 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0d5ec842
kerberos: Introduce kerberos_filetrans_named_content interface
policy/modules/contrib/kerberos.if | 37 +++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if
index 01caeead..d9d5811f 100644
--- a/policy/modules/contrib/kerberos.if
+++ b/policy/modules/contrib/kerberos.if
@@ -466,6 +466,43 @@ interface(`kerberos_connect_524',`
########################################
## <summary>
+## Transition to kerberos named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_filetrans_named_content',`
+ gen_require(`
+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+ type krb5kdc_principal_t;
+ ')
+
+ files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
+ #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
+
+ kerberos_etc_filetrans_keytab($1, file, "krb5.keytab")
+ #kerberos_filetrans_admin_home_content($1)
+
+ kerberos_tmp_filetrans_host_rcache($1, file, "DNS_25")
+ kerberos_tmp_filetrans_host_rcache($1, file, "host_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23")
+ kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48")
+ kerberos_tmp_filetrans_host_rcache($1, file, "imap_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487")
+ kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55")
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an kerberos environment.
## </summary>
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-17 8:50 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-17 8:50 UTC (permalink / raw
To: gentoo-commits
commit: 91667a23f7060ba1ed8bbb1ca3ff155530a46224
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu May 12 16:49:07 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:45:13 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=91667a23
virt: add policy for virtlogd
policy/modules/contrib/virt.fc | 1 +
policy/modules/contrib/virt.te | 42 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 43 insertions(+)
diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index 22c1ed70..dca262ab 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)
/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index eb72843f..e1a3bcaf 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
type virtlockd_var_lib_t;
files_type(virtlockd_var_lib_t)
+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh)
')
ifdef(`enable_mls',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh)
')
########################################
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
allow virt_domain virtd_t:process sigchld;
+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
dontaudit virt_domain virtd_t:unix_stream_socket { read write };
manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
@@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto };
allow virtd_t svirt_lxc_domain:process signal_perms;
+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
allow virtd_t virtd_lxc_t:process { signal signull sigkill };
domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
@@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
can_exec(virtd_t, virt_tmp_t)
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t)
virt_append_log(virtlockd_t)
virt_read_config(virtlockd_t)
+
+########################################
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+virt_manage_log(virtlogd_t)
+virt_read_config(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-17 8:50 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-17 8:50 UTC (permalink / raw
To: gentoo-commits
commit: 45d8bb4bc3b2b5f4072002656c004cde3008eb51
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Aug 13 16:37:55 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:45:13 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=45d8bb4b
virt: kernel_read_system_state
policy/modules/contrib/virt.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 3da04ef9..0f82a04e 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
+kernel_read_system_state(virtlockd_t)
+
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
@@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
can_exec(virtlogd_t, virtlogd_exec_t)
+kernel_read_system_state(virtlogd_t)
+
files_read_etc_files(virtlogd_t)
files_list_var_lib(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-25 14:59 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-25 14:59 UTC (permalink / raw
To: gentoo-commits
commit: 6eaf81074bf12ca8be01e0acd602a346846a3395
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Aug 11 05:49:02 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:54:48 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6eaf8107
virt: need to relabel to set categories
libvirtError: unable to set security context
'system_u:object_r:svirt_image_t:s0:c50,c346' on
'/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied
policy/modules/contrib/virt.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 42e68a29..3da04ef9 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
allow virtd_t virtd_keytab_t:file read_file_perms;
allow virtd_t svirt_var_run_t:file relabel_file_perms;
+allow virtd_t svirt_var_run_t:dir relabel_dir_perms;
manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-25 14:59 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-25 14:59 UTC (permalink / raw
To: gentoo-commits
commit: 102619e7fbf84aed6046f818e9778bc1d9b760fb
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 27 20:44:51 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:54:48 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=102619e7
virt: virtlockd doesnt need ps_process_pattern
policy/modules/contrib/virt.te | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index e1a3bcaf..42e68a29 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
allow virtlockd_t self:capability dac_override;
allow virtlockd_t self:fifo_file rw_fifo_file_perms;
+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
allow virtlockd_t virt_image_type:dir list_dir_perms;
allow virtlockd_t virt_image_type:file rw_file_perms;
@@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
-ps_process_pattern(virtlockd_t, virtd_t)
-
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-25 14:59 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-25 14:59 UTC (permalink / raw
To: gentoo-commits
commit: bdd606c36e4b163f5dee262d0c450a74efcd208c
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Feb 24 01:03:08 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:50:53 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bdd606c3
Systemd fixes from Russell Coker.
policy/modules/contrib/cron.if | 19 +++++++++++++++++++
policy/modules/contrib/cron.te | 2 +-
2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if
index c6dec2c3..6737f53c 100644
--- a/policy/modules/contrib/cron.if
+++ b/policy/modules/contrib/cron.if
@@ -686,6 +686,25 @@ interface(`cron_use_system_job_fds',`
########################################
## <summary>
+## Create, read, write, and delete the system spool.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_manage_system_spool',`
+ gen_require(`
+ type cron_system_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
+')
+
+########################################
+## <summary>
## Read system cron job lib files.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 905deb16..3513e1f2 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.11.0)
+policy_module(cron, 2.11.1)
gen_require(`
class passwd rootok;
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-25 14:59 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-25 14:59 UTC (permalink / raw
To: gentoo-commits
commit: 232701f0d9090cd34c22f350a7dfbda7c58a0ea0
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Feb 24 01:58:41 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:50:54 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=232701f0
mailman: Fixes from Russell Coker.
policy/modules/contrib/cron.if | 18 +++++++
policy/modules/contrib/cron.te | 2 +-
policy/modules/contrib/mailman.fc | 24 ++++-----
policy/modules/contrib/mailman.te | 100 +++++++++++++++++++++++++++++++++++---
policy/modules/contrib/mta.if | 18 +++++++
policy/modules/contrib/mta.te | 2 +-
6 files changed, 143 insertions(+), 21 deletions(-)
diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if
index 6737f53c..5739d4f0 100644
--- a/policy/modules/contrib/cron.if
+++ b/policy/modules/contrib/cron.if
@@ -705,6 +705,24 @@ interface(`cron_manage_system_spool',`
########################################
## <summary>
+## Read and write crond temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_rw_tmp_files',`
+ gen_require(`
+ type crond_tmp_t;
+ ')
+
+ allow $1 crond_tmp_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
## Read system cron job lib files.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 3513e1f2..b51524a4 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.11.1)
+policy_module(cron, 2.11.2)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/contrib/mailman.fc b/policy/modules/contrib/mailman.fc
index 1a226daf..d5734fc9 100644
--- a/policy/modules/contrib/mailman.fc
+++ b/policy/modules/contrib/mailman.fc
@@ -2,11 +2,11 @@
/etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
-/usr/lib/mailman.*/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman.*/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman.*/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
/var/lib/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
-/var/lib/mailman.*/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
+/var/lib/mailman/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
/var/lock/mailman.* gen_context(system_u:object_r:mailman_lock_t,s0)
/var/lock/subsys/mailman.* -- gen_context(system_u:object_r:mailman_lock_t,s0)
@@ -17,16 +17,16 @@
/var/spool/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
-/usr/lib/cgi-bin/mailman.*/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
-/usr/lib/mailman.*/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
-/usr/lib/mailman.*/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
-/usr/lib/mailman.*/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman.*/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman.*/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/cgi-bin/mailman/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/usr/lib/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/mailman.*/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/share/doc/mailman.*/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/share/doc/mailman/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
ifdef(`distro_gentoo',`
# Bug 536666
diff --git a/policy/modules/contrib/mailman.te b/policy/modules/contrib/mailman.te
index 7421ce3a..3de43d20 100644
--- a/policy/modules/contrib/mailman.te
+++ b/policy/modules/contrib/mailman.te
@@ -1,4 +1,4 @@
-policy_module(mailman, 1.12.0)
+policy_module(mailman, 1.12.1)
########################################
#
@@ -91,12 +91,39 @@ miscfiles_read_localization(mailman_domain)
# CGI local policy
#
+allow mailman_cgi_t self:unix_dgram_socket { create connect };
+
+allow mailman_cgi_t mailman_archive_t:dir search_dir_perms;
+allow mailman_cgi_t mailman_archive_t:file read_file_perms;
+
+allow mailman_cgi_t mailman_data_t:dir rw_dir_perms;
+allow mailman_cgi_t mailman_data_t:file manage_file_perms;
+allow mailman_cgi_t mailman_data_t:lnk_file read_lnk_file_perms;
+
+allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms;
+allow mailman_cgi_t mailman_lock_t:file manage_file_perms;
+
+allow mailman_cgi_t mailman_log_t:file { append_file_perms read_file_perms };
+allow mailman_cgi_t mailman_log_t:dir search_dir_perms;
+
+kernel_read_crypto_sysctls(mailman_cgi_t)
+kernel_read_system_state(mailman_cgi_t)
+
+corecmd_exec_bin(mailman_cgi_t)
+
dev_read_urand(mailman_cgi_t)
+files_search_locks(mailman_cgi_t)
+
term_use_controlling_term(mailman_cgi_t)
libs_dontaudit_write_lib_dirs(mailman_cgi_t)
+logging_search_logs(mailman_cgi_t)
+
+miscfiles_read_localization(mailman_cgi_t)
+
+
optional_policy(`
apache_sigchld(mailman_cgi_t)
apache_use_fds(mailman_cgi_t)
@@ -116,24 +143,61 @@ optional_policy(`
#
allow mailman_mail_t self:capability { dac_override kill setgid setuid sys_tty_config };
-allow mailman_mail_t self:process { signal signull };
+allow mailman_mail_t self:process { signal signull setsched };
+
+allow mailman_mail_t mailman_archive_t:dir manage_dir_perms;
+allow mailman_mail_t mailman_archive_t:file manage_file_perms;
+allow mailman_mail_t mailman_archive_t:lnk_file manage_lnk_file_perms;
+
+allow mailman_mail_t mailman_data_t:dir rw_dir_perms;
+allow mailman_mail_t mailman_data_t:file manage_file_perms;
+allow mailman_mail_t mailman_data_t:lnk_file read_lnk_file_perms;
+
+allow mailman_mail_t mailman_lock_t:dir rw_dir_perms;
+allow mailman_mail_t mailman_lock_t:file manage_file_perms;
+
+allow mailman_mail_t mailman_log_t:dir search;
+allow mailman_mail_t mailman_log_t:file read_file_perms;
+
+domtrans_pattern(mailman_mail_t, mailman_queue_exec_t, mailman_queue_t)
+allow mailman_mail_t mailman_queue_exec_t:file ioctl;
+
+can_exec(mailman_mail_t, mailman_mail_exec_t)
manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir })
-corenet_sendrecv_innd_client_packets(mailman_mail_t)
-corenet_tcp_connect_innd_port(mailman_mail_t)
-corenet_tcp_sendrecv_innd_port(mailman_mail_t)
+kernel_read_system_state(mailman_mail_t)
+corenet_tcp_connect_smtp_port(mailman_mail_t)
corenet_sendrecv_spamd_client_packets(mailman_mail_t)
+corenet_sendrecv_innd_client_packets(mailman_mail_t)
+corenet_tcp_connect_innd_port(mailman_mail_t)
corenet_tcp_connect_spamd_port(mailman_mail_t)
+corenet_tcp_sendrecv_innd_port(mailman_mail_t)
corenet_tcp_sendrecv_spamd_port(mailman_mail_t)
dev_read_urand(mailman_mail_t)
+corecmd_exec_bin(mailman_mail_t)
+
+files_search_locks(mailman_mail_t)
+
fs_rw_anon_inodefs_files(mailman_mail_t)
+# this is far from ideal, but systemd reduces the importance of initrc_t
+init_signal_script(mailman_mail_t)
+init_signull_script(mailman_mail_t)
+
+# for python .path file
+libs_read_lib_files(mailman_mail_t)
+
+logging_search_logs(mailman_mail_t)
+
+miscfiles_read_localization(mailman_mail_t)
+
+mta_use_mailserver_fds(mailman_mail_t)
mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
mta_dontaudit_rw_queue(mailman_mail_t)
@@ -159,18 +223,40 @@ allow mailman_queue_t self:capability { setgid setuid };
allow mailman_queue_t self:process { setsched signal_perms };
allow mailman_queue_t self:fifo_file rw_fifo_file_perms;
+allow mailman_queue_t mailman_archive_t:dir manage_dir_perms;
+allow mailman_queue_t mailman_archive_t:file manage_file_perms;
+
+allow mailman_queue_t mailman_data_t:dir rw_dir_perms;
+allow mailman_queue_t mailman_data_t:file manage_file_perms;
+allow mailman_queue_t mailman_data_t:lnk_file read_lnk_file_perms;
+
+allow mailman_queue_t mailman_lock_t:dir rw_dir_perms;
+allow mailman_queue_t mailman_lock_t:file manage_file_perms;
+
+allow mailman_queue_t mailman_log_t:dir list_dir_perms;
+allow mailman_queue_t mailman_log_t:file manage_file_perms;
+
+kernel_read_system_state(mailman_queue_t)
+
+auth_domtrans_chk_passwd(mailman_queue_t)
+
+corecmd_read_bin_files(mailman_queue_t)
+corecmd_read_bin_symlinks(mailman_queue_t)
corenet_sendrecv_innd_client_packets(mailman_queue_t)
corenet_tcp_connect_innd_port(mailman_queue_t)
corenet_tcp_sendrecv_innd_port(mailman_queue_t)
-auth_domtrans_chk_passwd(mailman_queue_t)
-
files_dontaudit_search_pids(mailman_queue_t)
+files_search_locks(mailman_queue_t)
+
+miscfiles_read_localization(mailman_queue_t)
seutil_dontaudit_search_config(mailman_queue_t)
userdom_search_user_home_dirs(mailman_queue_t)
+cron_rw_tmp_files(mailman_queue_t)
+
optional_policy(`
apache_read_config(mailman_queue_t)
')
diff --git a/policy/modules/contrib/mta.if b/policy/modules/contrib/mta.if
index a5034276..7e268b80 100644
--- a/policy/modules/contrib/mta.if
+++ b/policy/modules/contrib/mta.if
@@ -338,6 +338,24 @@ interface(`mta_sendmail_mailserver',`
typeattribute $1 mailserver_domain;
')
+########################################
+## <summary>
+## Inherit FDs from mailserver_domain domains
+## </summary>
+## <param name="type">
+## <summary>
+## Type for a list server or delivery agent that inherits fds
+## </summary>
+## </param>
+#
+interface(`mta_use_mailserver_fds',`
+ gen_require(`
+ attribute mailserver_domain;
+ ')
+
+ allow $1 mailserver_domain:fd use;
+')
+
#######################################
## <summary>
## Make a type a mailserver type used
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index 9a3ee20e..f7280b11 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.8.1)
+policy_module(mta, 2.8.2)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-25 14:59 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-25 14:59 UTC (permalink / raw
To: gentoo-commits
commit: 71caed6d48b8d6a9c0d5054c60a3f19b40dad113
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu May 12 16:49:07 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:54:48 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=71caed6d
virt: add policy for virtlogd
policy/modules/contrib/virt.fc | 1 +
policy/modules/contrib/virt.te | 42 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 43 insertions(+)
diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index 22c1ed70..dca262ab 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)
/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index eb72843f..e1a3bcaf 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
type virtlockd_var_lib_t;
files_type(virtlockd_var_lib_t)
+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh)
')
ifdef(`enable_mls',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh)
')
########################################
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
allow virt_domain virtd_t:process sigchld;
+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
dontaudit virt_domain virtd_t:unix_stream_socket { read write };
manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
@@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto };
allow virtd_t svirt_lxc_domain:process signal_perms;
+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
allow virtd_t virtd_lxc_t:process { signal signull sigkill };
domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
@@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
can_exec(virtd_t, virt_tmp_t)
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t)
virt_append_log(virtlockd_t)
virt_read_config(virtlockd_t)
+
+########################################
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+virt_manage_log(virtlogd_t)
+virt_read_config(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-25 14:59 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-25 14:59 UTC (permalink / raw
To: gentoo-commits
commit: a45b31b9fba7cc7e723345310d946c86f7dc165f
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Feb 23 00:00:32 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:50:52 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a45b31b9
Module version bump for ntp fixes from cgzones.
policy/modules/contrib/ntp.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 208bd66e..b1969955 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.16.0)
+policy_module(ntp, 1.16.1)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-25 14:59 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-25 14:59 UTC (permalink / raw
To: gentoo-commits
commit: 8b14b48e43ea96dcd1af81b53b7543bb8c1ef4fd
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Feb 23 23:16:16 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:50:53 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8b14b48e
Module version bump for samba patch from Russell Coker.
policy/modules/contrib/samba.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index afff38ff..06323b49 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1,4 +1,4 @@
-policy_module(samba, 1.20.0)
+policy_module(samba, 1.20.1)
#################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2017-02-25 14:51 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-02-25 14:59 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-25 14:59 UTC (permalink / raw
To: gentoo-commits
commit: a0d699a7a8da9ce12233029519efd3581c448ad4
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Feb 24 01:31:35 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:50:53 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a0d699a7
Xen fixes from Russell Coker.
policy/modules/contrib/qemu.fc | 2 ++
policy/modules/contrib/qemu.if | 38 ++++++++++++++++++++++++++++++++++++
policy/modules/contrib/qemu.te | 22 ++++++++++++++++++++-
policy/modules/contrib/xen.fc | 4 ++++
policy/modules/contrib/xen.if | 28 +++++++++++++++++++++++++++
policy/modules/contrib/xen.te | 44 +++++++++++++++++++++++++++++++++++++++---
6 files changed, 134 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/qemu.fc b/policy/modules/contrib/qemu.fc
index db9ff368..122ca70f 100644
--- a/policy/modules/contrib/qemu.fc
+++ b/policy/modules/contrib/qemu.fc
@@ -7,6 +7,8 @@
/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/var/run/xen/qmp.* -- gen_context(system_u:object_r:qemu_var_run_t,s0)
+
ifdef(`distro_gentoo',`
/usr/bin/qemu-ga -- gen_context(system_u:object_r:qemu_ga_exec_t,s0)
diff --git a/policy/modules/contrib/qemu.if b/policy/modules/contrib/qemu.if
index efdc5286..b6d8e1c2 100644
--- a/policy/modules/contrib/qemu.if
+++ b/policy/modules/contrib/qemu.if
@@ -264,6 +264,44 @@ interface(`qemu_kill',`
########################################
## <summary>
+## Connect to qemu with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_stream_connect',`
+ gen_require(`
+ type qemu_t, qemu_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, qemu_var_run_t, qemu_var_run_t, qemu_t)
+')
+
+########################################
+## <summary>
+## Unlink qemu socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_delete_pid_sock_file',`
+ gen_require(`
+ type qemu_var_run_t;
+ ')
+
+ allow $1 qemu_var_run_t:sock_file unlink;
+')
+
+########################################
+## <summary>
## Execute a domain transition to
## run qemu unconfined.
## </summary>
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index 9dc09977..b2c843f5 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -1,4 +1,4 @@
-policy_module(qemu, 1.9.0)
+policy_module(qemu, 1.9.1)
########################################
#
@@ -25,11 +25,21 @@ role qemu_roles types qemu_t;
type qemu_unit_t;
init_unit_file(qemu_unit_t)
+type qemu_var_run_t;
+files_pid_file(qemu_var_run_t);
+
########################################
#
# Local policy
#
+kernel_read_crypto_sysctls(qemu_t)
+
+dev_read_sysfs(qemu_t)
+
+allow qemu_t qemu_var_run_t:sock_file create_sock_file_perms;
+files_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)
+
tunable_policy(`qemu_full_network',`
corenet_udp_sendrecv_generic_if(qemu_t)
corenet_udp_sendrecv_generic_node(qemu_t)
@@ -41,6 +51,16 @@ tunable_policy(`qemu_full_network',`
')
optional_policy(`
+ fs_manage_xenfs_files(qemu_t)
+
+ dev_rw_xen(qemu_t)
+
+ xen_stream_connect_xenstore(qemu_t)
+ xen_append_log(qemu_t)
+ xen_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)
+')
+
+optional_policy(`
xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t)
')
diff --git a/policy/modules/contrib/xen.fc b/policy/modules/contrib/xen.fc
index 657a94ac..be0374df 100644
--- a/policy/modules/contrib/xen.fc
+++ b/policy/modules/contrib/xen.fc
@@ -5,6 +5,7 @@
/usr/lib/xen-[^/]*/bin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
/usr/lib/xen-[^/]*/bin/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
/usr/lib/xen-[^/]*/bin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
+/usr/lib/xen-[^/]*/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
/usr/sbin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0)
/usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0)
@@ -20,6 +21,8 @@
/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
/var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0)
+/var/lock/xl -- gen_context(system_u:object_r:xen_lock_t,s0)
+
/var/log/evtchnd\.log.* -- gen_context(system_u:object_r:evtchnd_var_log_t,s0)
/var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0)
/var/log/xen-hotplug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
@@ -30,6 +33,7 @@
/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0)
/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
+/run/xen -d gen_context(system_u:object_r:xend_var_run_t,s0)
/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0)
/run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0)
diff --git a/policy/modules/contrib/xen.if b/policy/modules/contrib/xen.if
index f93558c5..44116292 100644
--- a/policy/modules/contrib/xen.if
+++ b/policy/modules/contrib/xen.if
@@ -259,6 +259,34 @@ interface(`xen_stream_connect',`
########################################
## <summary>
+## Create in a xend_var_run_t directory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+#
+interface(`xen_pid_filetrans',`
+ gen_require(`
+ type xend_var_run_t;
+ ')
+
+ filetrans_pattern($1, xend_var_run_t, $2, $3)
+')
+
+########################################
+## <summary>
## Execute a domain transition to run xm.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te
index 383c00a7..0d680116 100644
--- a/policy/modules/contrib/xen.te
+++ b/policy/modules/contrib/xen.te
@@ -1,4 +1,4 @@
-policy_module(xen, 1.15.0)
+policy_module(xen, 1.15.1)
########################################
#
@@ -75,6 +75,9 @@ type xend_t;
type xend_exec_t;
init_daemon_domain(xend_t, xend_exec_t)
+type xen_lock_t;
+files_lock_file(xen_lock_t)
+
type xend_tmp_t;
files_tmp_file(xend_tmp_t)
@@ -224,6 +227,7 @@ kernel_write_xen_state(xend_t)
kernel_read_xen_state(xend_t)
kernel_rw_net_sysctls(xend_t)
kernel_read_network_state(xend_t)
+kernel_read_vm_sysctls(xend_t)
corecmd_exec_bin(xend_t)
corecmd_exec_shell(xend_t)
@@ -281,6 +285,8 @@ fs_manage_xenfs_dirs(xend_t)
fs_manage_xenfs_files(xend_t)
storage_read_scsi_generic(xend_t)
+# for lsscsi
+storage_getattr_fixed_disk_dev(xend_t)
term_setattr_generic_ptys(xend_t)
term_getattr_all_ptys(xend_t)
@@ -444,6 +450,8 @@ stream_connect_pattern(xenstored_t, evtchnd_var_run_t, evtchnd_var_run_t, evtchn
kernel_write_xen_state(xenstored_t)
kernel_read_xen_state(xenstored_t)
+corecmd_search_bin(xenstored_t)
+
dev_filetrans_xen(xenstored_t)
dev_rw_xen(xenstored_t)
dev_read_sysfs(xenstored_t)
@@ -470,12 +478,19 @@ xen_append_log(xenstored_t)
# xm local policy
#
-allow xm_t self:capability { dac_override ipc_lock setpcap sys_nice sys_tty_config };
-allow xm_t self:process { getcap getsched setsched setcap signal };
+allow xm_t self:capability { dac_override ipc_lock net_admin setpcap sys_nice sys_tty_config };
+allow xm_t self:process { getcap getsched setsched setcap signal sigkill };
allow xm_t self:fifo_file rw_fifo_file_perms;
allow xm_t self:unix_stream_socket { accept connectto listen };
allow xm_t self:tcp_socket { accept listen };
+allow xm_t xend_var_run_t:dir rw_dir_perms;
+
+allow xm_t xen_lock_t:file manage_file_perms;
+files_lock_filetrans(xm_t, xen_lock_t, file)
+
+manage_files_pattern(xm_t, xend_var_log_t, xend_var_log_t)
+
manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
@@ -494,6 +509,8 @@ xen_stream_connect_xenstore(xm_t)
can_exec(xm_t, xm_exec_t)
+kernel_load_module(xm_t)
+kernel_request_load_module(xm_t)
kernel_read_system_state(xm_t)
kernel_read_network_state(xm_t)
kernel_read_kernel_sysctls(xm_t)
@@ -517,8 +534,11 @@ dev_read_rand(xm_t)
dev_read_urand(xm_t)
dev_read_sysfs(xm_t)
+domain_use_interactive_fds(xm_t)
+
files_read_etc_runtime_files(xm_t)
files_read_etc_files(xm_t)
+files_read_kernel_img(xm_t)
files_read_usr_files(xm_t)
files_search_pids(xm_t)
files_search_var_lib(xm_t)
@@ -543,6 +563,13 @@ logging_send_syslog_msg(xm_t)
miscfiles_read_localization(xm_t)
sysnet_dns_name_resolve(xm_t)
+sysnet_domtrans_ifconfig(xm_t)
+
+# for vif-bridge to write to /run/xen-hotplug/iptables
+# maybe we need a different label for /run/xen-hotplug
+udev_manage_pid_files(xm_t)
+
+userdom_dontaudit_search_user_home_content(xm_t)
tunable_policy(`xen_use_fusefs',`
fs_manage_fusefs_dirs(xm_t)
@@ -563,6 +590,17 @@ tunable_policy(`xen_use_samba',`
')
optional_policy(`
+ qemu_domtrans(xm_t)
+ qemu_signal(xm_t)
+ qemu_stream_connect(xm_t)
+ qemu_delete_pid_sock_file(xm_t)
+')
+
+optional_policy(`
+ iptables_domtrans(xm_t)
+')
+
+optional_policy(`
cron_system_entry(xm_t, xm_exec_t)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-25 14:59 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-25 14:59 UTC (permalink / raw
To: gentoo-commits
commit: 35bc01e881f75e092a6cf668400407d73081f8fc
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Jan 5 18:59:45 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:50:52 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=35bc01e8
update ntp module
* add private lock type
* dontaudit sys_resource
policy/modules/contrib/ntp.fc | 47 ++++++++++++++++++++++---------------------
policy/modules/contrib/ntp.if | 7 ++++---
policy/modules/contrib/ntp.te | 37 +++++++++++++++++++++-------------
3 files changed, 51 insertions(+), 40 deletions(-)
diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index 16428bc2..756241da 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -1,33 +1,34 @@
-/etc/cron\.daily/ntp -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-/etc/cron\.(daily|weekly)/ntp-simple -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-/etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/etc/cron\.daily/ntp -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/etc/cron\.(daily|weekly)/ntp-simple -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-/etc/ntp\.conf -- gen_context(system_u:object_r:ntp_conf_t,s0)
-/etc/ntpd.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
-/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
-/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
-/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
+/etc/ntp\.conf -- gen_context(system_u:object_r:ntp_conf_t,s0)
+/etc/ntpd.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
+/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
-/etc/rc\.d/init\.d/ntpd? -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ntpd? -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
-# Systemd unit file
-/usr/lib/systemd/ntp-units\.d/.* -- gen_context(system_u:object_r:ntpd_unit_t,s0)
-/usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0)
+/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_pid_t,s0)
-/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
-/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/usr/lib/systemd/ntp-units\.d/.* -- gen_context(system_u:object_r:ntpd_unit_t,s0)
+/usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0)
-/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-/var/db/ntp-kod -- gen_context(system_u:object_r:ntp_drift_t,s0)
+/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
-/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
-/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
-/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/db/ntp-kod -- gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
+/var/lock/ntpdate -- gen_context(system_u:object_r:ntpd_lock_t,s0)
+
+/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
/run/ntpd\.sock -s gen_context(system_u:object_r:ntpd_var_run_t,s0)
ifdef(`distro_gentoo',`
diff --git a/policy/modules/contrib/ntp.if b/policy/modules/contrib/ntp.if
index f8534c6b..fa0a1839 100644
--- a/policy/modules/contrib/ntp.if
+++ b/policy/modules/contrib/ntp.if
@@ -179,14 +179,15 @@ interface(`ntp_rw_shm',`
interface(`ntp_admin',`
gen_require(`
type ntpd_t, ntpd_tmp_t, ntpd_log_t;
- type ntpd_key_t, ntpd_var_run_t, ntp_conf_t;
+ type ntpd_key_t, ntpd_pid_t, ntp_conf_t;
type ntpd_initrc_exec_t, ntp_drift_t;
+ type ntpd_unit_t;
')
allow $1 ntpd_t:process { ptrace signal_perms };
ps_process_pattern($1, ntpd_t)
- init_startstop_service($1, $2, ntpd_t, ntpd_initrc_exec_t)
+ init_startstop_service($1, $2, ntpd_t, ntpd_initrc_exec_t, ntpd_unit_t)
files_list_etc($1)
admin_pattern($1, { ntpd_key_t ntp_conf_t })
@@ -201,7 +202,7 @@ interface(`ntp_admin',`
admin_pattern($1, ntp_drift_t)
files_list_pids($1)
- admin_pattern($1, ntpd_var_run_t)
+ admin_pattern($1, ntpd_pid_t)
ntp_run($1, $2)
')
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 2fcf0a40..208bd66e 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -7,6 +7,9 @@ policy_module(ntp, 1.16.0)
attribute_role ntpd_roles;
+type ntp_conf_t;
+files_config_file(ntp_conf_t)
+
type ntp_drift_t;
files_type(ntp_drift_t)
@@ -18,15 +21,20 @@ role ntpd_roles types ntpd_t;
type ntpd_initrc_exec_t;
init_script_file(ntpd_initrc_exec_t)
-type ntp_conf_t;
-files_config_file(ntp_conf_t)
-
type ntpd_key_t;
files_type(ntpd_key_t)
+type ntpd_lock_t;
+files_lock_file(ntpd_lock_t)
+init_daemon_lock_file(ntpd_lock_t, file, "ntpdate")
+
type ntpd_log_t;
logging_log_file(ntpd_log_t)
+type ntpd_pid_t;
+typealias ntpd_pid_t alias ntpd_var_run_t;
+files_pid_file(ntpd_pid_t)
+
type ntpd_tmp_t;
files_tmp_file(ntpd_tmp_t)
@@ -36,9 +44,6 @@ files_tmpfs_file(ntpd_tmpfs_t)
type ntpd_unit_t;
init_unit_file(ntpd_unit_t)
-type ntpd_var_run_t;
-files_pid_file(ntpd_var_run_t)
-
type ntpdate_exec_t;
init_system_domain(ntpd_t, ntpdate_exec_t)
@@ -47,28 +52,36 @@ init_system_domain(ntpd_t, ntpdate_exec_t)
# Local policy
#
-allow ntpd_t self:capability { chown dac_override ipc_lock ipc_owner kill setgid setuid sys_chroot sys_nice sys_resource sys_time };
-dontaudit ntpd_t self:capability { fsetid net_admin sys_nice sys_tty_config };
+# sys_time : modify system time
+allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice };
+dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice sys_resource };
allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
allow ntpd_t self:fifo_file rw_fifo_file_perms;
allow ntpd_t self:shm create_shm_perms;
+allow ntpd_t self:socket create;
allow ntpd_t self:tcp_socket { accept listen };
+allow ntpd_t ntp_conf_t:file read_file_perms;
+
manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
files_var_filetrans(ntpd_t, ntp_drift_t, file)
-allow ntpd_t ntp_conf_t:file read_file_perms;
-
read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
+allow ntpd_t ntpd_lock_t:file write_file_perms;
+
allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
create_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
setattr_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })
+manage_files_pattern(ntpd_t, ntpd_pid_t, ntpd_pid_t)
+manage_sock_files_pattern(ntpd_t, ntpd_pid_t, ntpd_pid_t)
+files_pid_filetrans(ntpd_t, ntpd_pid_t, { file sock_file })
+
manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
manage_files_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir })
@@ -77,10 +90,6 @@ manage_dirs_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
manage_files_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file })
-manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
-manage_sock_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
-files_pid_filetrans(ntpd_t, ntpd_var_run_t, { file sock_file })
-
can_exec(ntpd_t, ntpd_exec_t)
kernel_read_kernel_sysctls(ntpd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2017-02-25 14:51 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-02-25 14:59 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-25 14:59 UTC (permalink / raw
To: gentoo-commits
commit: 247f0728c48ca087ecfd18cb21719420248ce0a6
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Feb 23 23:15:45 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:50:53 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=247f0728
samba: A few line moves.
policy/modules/contrib/samba.te | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 6f314b0c..afff38ff 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -381,11 +381,7 @@ auth_domtrans_chk_passwd(smbd_t)
auth_domtrans_upd_passwd(smbd_t)
auth_manage_cache(smbd_t)
auth_write_login_records(smbd_t)
-
auth_can_read_shadow_passwords(smbd_t)
-tunable_policy(`samba_read_shadow',`
- auth_tunable_read_shadow(smbd_t)
-')
init_rw_utmp(smbd_t)
@@ -446,6 +442,10 @@ tunable_policy(`samba_portmapper',`
corenet_tcp_sendrecv_all_ports(smbd_t)
')
+tunable_policy(`samba_read_shadow',`
+ auth_tunable_read_shadow(smbd_t)
+')
+
tunable_policy(`samba_share_nfs',`
fs_manage_nfs_dirs(smbd_t)
fs_manage_nfs_files(smbd_t)
@@ -560,6 +560,8 @@ kernel_read_network_state(nmbd_t)
kernel_read_software_raid_state(nmbd_t)
kernel_read_system_state(nmbd_t)
+corecmd_search_bin(nmbd_t)
+
corenet_all_recvfrom_unlabeled(nmbd_t)
corenet_all_recvfrom_netlabel(nmbd_t)
corenet_tcp_sendrecv_generic_if(nmbd_t)
@@ -576,7 +578,6 @@ corenet_sendrecv_smbd_client_packets(nmbd_t)
corenet_tcp_connect_smbd_port(nmbd_t)
corenet_tcp_sendrecv_smbd_port(nmbd_t)
-corecmd_search_bin(nmbd_t)
dev_read_urand(nmbd_t)
dev_read_sysfs(nmbd_t)
dev_getattr_mtrr_dev(nmbd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2017-02-25 14:51 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-02-25 14:59 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-25 14:59 UTC (permalink / raw
To: gentoo-commits
commit: 8e14efe4abf1297f7c8c341d7690802f82d798a2
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Tue Feb 21 08:29:50 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:50:53 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8e14efe4
patch for samba
I merged the types nmbd_var_run_t and smbd_var_run_t because nmbd_t and smbd_t
interacted with each other so much there was no benefit in separating them.
Also added a tunable for reading /etc/shadow because on one of my systems I
couldn't get samba working without it. Maybe I misconfigured samba, but
others will do the same and we need to give users the choice.
Description: samba patches
Author: Russell Coker <russell <AT> coker.com.au>
Last-Update: 2017-02-21
policy/modules/contrib/samba.fc | 30 +++++++++---------
policy/modules/contrib/samba.te | 69 ++++++++++++++++++++++++-----------------
2 files changed, 55 insertions(+), 44 deletions(-)
diff --git a/policy/modules/contrib/samba.fc b/policy/modules/contrib/samba.fc
index d227fd82..753a009c 100644
--- a/policy/modules/contrib/samba.fc
+++ b/policy/modules/contrib/samba.fc
@@ -31,21 +31,21 @@
/var/nmbd(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
-/run/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
-/run/samba/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
-
-/run/samba(/.*)? gen_context(system_u:object_r:smbd_var_run_t,s0)
-/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
-/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
-/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
-/run/samba/locking\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
-/run/samba/messages\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
-/run/samba/namelist\.debug -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
-/run/samba/nmbd\.pid -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
-/run/samba/sessionid\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
-/run/samba/share_info\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
-/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0)
-/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
+/run/nmbd(/.*)? gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/nmbd(/.*)? gen_context(system_u:object_r:samba_var_run_t,s0)
+
+/run/samba(/.*)? gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/brlock\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/connections\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/gencache\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/locking\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/messages\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/namelist\.debug -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/nmbd\.pid -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/sessionid\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/share_info\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/smbd\.pid -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
/run/samba/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index e7dae973..6f314b0c 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -6,6 +6,14 @@ policy_module(samba, 1.20.0)
#
## <desc>
+## <p>
+## Determine whether smbd_t can
+## read shadow files.
+## </p>
+## </desc>
+gen_tunable(samba_read_shadow, false)
+
+## <desc>
## <p>
## Determine whether samba can modify
## public files used for public file
@@ -104,8 +112,9 @@ type nmbd_t;
type nmbd_exec_t;
init_daemon_domain(nmbd_t, nmbd_exec_t)
-type nmbd_var_run_t;
-files_pid_file(nmbd_var_run_t)
+type samba_var_run_t;
+typealias samba_var_run_t alias { nmbd_var_run_t smbd_var_run_t };
+files_pid_file(samba_var_run_t)
type samba_etc_t;
files_config_file(samba_etc_t)
@@ -151,9 +160,6 @@ files_type(smbd_keytab_t)
type smbd_tmp_t;
files_tmp_file(smbd_tmp_t)
-type smbd_var_run_t;
-files_pid_file(smbd_var_run_t)
-
type smbmount_t;
type smbmount_exec_t;
application_domain(smbmount_t, smbmount_exec_t)
@@ -305,16 +311,15 @@ manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
-manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
-manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
-manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
-files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file })
+manage_dirs_pattern(smbd_t, samba_var_run_t, samba_var_run_t)
+manage_files_pattern(smbd_t, samba_var_run_t, samba_var_run_t)
+manage_sock_files_pattern(smbd_t, samba_var_run_t, samba_var_run_t)
+files_pid_filetrans(smbd_t, samba_var_run_t, { dir file })
allow smbd_t winbind_var_run_t:sock_file read_sock_file_perms;
stream_connect_pattern(smbd_t, winbind_var_run_t, winbind_var_run_t, winbind_t)
-allow smbd_t nmbd_var_run_t:file read_file_perms;
-stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
+stream_connect_pattern(smbd_t, samba_var_run_t, samba_var_run_t, nmbd_t)
kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
@@ -377,6 +382,11 @@ auth_domtrans_upd_passwd(smbd_t)
auth_manage_cache(smbd_t)
auth_write_login_records(smbd_t)
+auth_can_read_shadow_passwords(smbd_t)
+tunable_policy(`samba_read_shadow',`
+ auth_tunable_read_shadow(smbd_t)
+')
+
init_rw_utmp(smbd_t)
logging_search_logs(smbd_t)
@@ -519,11 +529,10 @@ allow nmbd_t self:tcp_socket { accept listen };
allow nmbd_t self:unix_dgram_socket sendto;
allow nmbd_t self:unix_stream_socket { accept connectto listen };
-manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
-manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-manage_sock_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-files_pid_filetrans(nmbd_t, nmbd_var_run_t, { dir file sock_file })
-filetrans_pattern(nmbd_t, smbd_var_run_t, nmbd_var_run_t, dir)
+manage_dirs_pattern(nmbd_t, samba_var_run_t, samba_var_run_t)
+manage_files_pattern(nmbd_t, samba_var_run_t, samba_var_run_t)
+manage_sock_files_pattern(nmbd_t, samba_var_run_t, samba_var_run_t)
+files_pid_filetrans(nmbd_t, samba_var_run_t, { dir file sock_file })
read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
@@ -542,7 +551,7 @@ files_var_filetrans(nmbd_t, samba_var_t, dir, "samba")
allow nmbd_t { swat_t smbcontrol_t }:process signal;
-allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
+allow nmbd_t samba_var_run_t:dir rw_dir_perms;
kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
@@ -567,6 +576,8 @@ corenet_sendrecv_smbd_client_packets(nmbd_t)
corenet_tcp_connect_smbd_port(nmbd_t)
corenet_tcp_sendrecv_smbd_port(nmbd_t)
+corecmd_search_bin(nmbd_t)
+dev_read_urand(nmbd_t)
dev_read_sysfs(nmbd_t)
dev_getattr_mtrr_dev(nmbd_t)
@@ -618,7 +629,7 @@ allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
allow smbcontrol_t self:process { signal signull };
allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
-read_files_pattern(smbcontrol_t, { nmbd_var_run_t smbd_var_run_t }, { nmbd_var_run_t smbd_var_run_t })
+read_files_pattern(smbcontrol_t, samba_var_run_t, samba_var_run_t)
manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
@@ -733,8 +744,8 @@ allow swat_t self:unix_stream_socket connectto;
allow swat_t { nmbd_t smbd_t }:process { signal signull };
-allow swat_t smbd_var_run_t:file read_file_perms;
-allow swat_t smbd_var_run_t:file { lock delete_file_perms };
+allow swat_t samba_var_run_t:file read_file_perms;
+allow swat_t samba_var_run_t:file { lock delete_file_perms };
rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t)
@@ -766,8 +777,8 @@ read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t)
allow swat_t winbind_var_run_t:dir { add_entry_dir_perms del_entry_dir_perms };
allow swat_t winbind_var_run_t:sock_file { create_sock_file_perms delete_sock_file_perms };
-read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t)
-stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
+read_files_pattern(swat_t, samba_var_run_t, samba_var_run_t)
+stream_connect_pattern(swat_t, samba_var_run_t, samba_var_run_t, nmbd_t)
samba_domtrans_smbd(swat_t)
samba_domtrans_nmbd(swat_t)
@@ -852,8 +863,8 @@ allow winbind_t self:tcp_socket { accept listen };
allow winbind_t nmbd_t:process { signal signull };
-allow winbind_t nmbd_var_run_t:file read_file_perms;
-stream_connect_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
+allow winbind_t samba_var_run_t:file read_file_perms;
+stream_connect_pattern(winbind_t, samba_var_run_t, samba_var_run_t, nmbd_t)
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
@@ -885,15 +896,15 @@ manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })
-manage_dirs_pattern(winbind_t, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t)
+manage_dirs_pattern(winbind_t, { samba_var_run_t winbind_var_run_t }, winbind_var_run_t)
manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file file dir })
-filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir)
+filetrans_pattern(winbind_t, samba_var_run_t, winbind_var_run_t, dir)
-manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
-manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
-manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
+manage_dirs_pattern(winbind_t, samba_var_run_t, samba_var_run_t)
+manage_files_pattern(winbind_t, samba_var_run_t, samba_var_run_t)
+manage_sock_files_pattern(winbind_t, samba_var_run_t, samba_var_run_t)
kernel_read_network_state(winbind_t)
kernel_read_kernel_sysctls(winbind_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-25 14:59 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-25 14:59 UTC (permalink / raw
To: gentoo-commits
commit: d14db39e5f242b6f9c9edace8ac00de4591f31c0
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Feb 15 17:15:58 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:54:49 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d14db39e
kerberos: Introduce kerberos_filetrans_named_content interface
policy/modules/contrib/kerberos.if | 37 +++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if
index 01caeead..d9d5811f 100644
--- a/policy/modules/contrib/kerberos.if
+++ b/policy/modules/contrib/kerberos.if
@@ -466,6 +466,43 @@ interface(`kerberos_connect_524',`
########################################
## <summary>
+## Transition to kerberos named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_filetrans_named_content',`
+ gen_require(`
+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+ type krb5kdc_principal_t;
+ ')
+
+ files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
+ #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
+
+ kerberos_etc_filetrans_keytab($1, file, "krb5.keytab")
+ #kerberos_filetrans_admin_home_content($1)
+
+ kerberos_tmp_filetrans_host_rcache($1, file, "DNS_25")
+ kerberos_tmp_filetrans_host_rcache($1, file, "host_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23")
+ kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48")
+ kerberos_tmp_filetrans_host_rcache($1, file, "imap_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487")
+ kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55")
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an kerberos environment.
## </summary>
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-25 14:59 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-25 14:59 UTC (permalink / raw
To: gentoo-commits
commit: f3f96b574462741c540c0c9f2c256342697a81e2
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Aug 13 16:37:55 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:54:48 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f3f96b57
virt: kernel_read_system_state
policy/modules/contrib/virt.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 3da04ef9..0f82a04e 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
+kernel_read_system_state(virtlockd_t)
+
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
@@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
can_exec(virtlogd_t, virtlogd_exec_t)
+kernel_read_system_state(virtlogd_t)
+
files_read_etc_files(virtlogd_t)
files_list_var_lib(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-25 14:59 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-25 14:59 UTC (permalink / raw
To: gentoo-commits
commit: ad7dc2af699a8689bbb55a8b7b03d4065c67cec6
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Aug 31 15:03:49 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:54:48 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ad7dc2af
WIP virt: image type perms
policy/modules/contrib/virt.te | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 0f82a04e..5df86d7b 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',`
#
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched };
allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
allow virtd_t self:tcp_socket { accept listen };
@@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
allow virtd_t virt_ptynode:chr_file rw_term_perms;
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
@@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',`
tunable_policy(`virt_use_vfio',`
allow virtd_t self:capability sys_resource;
- allow virtd_t self:process setrlimit;
allow virtd_t svirt_t:process rlimitinh;
dev_relabelfrom_vfio_dev(virtd_t)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-25 16:58 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-25 16:58 UTC (permalink / raw
To: gentoo-commits
commit: 7de494c4bec178fe90745be29f92c9f5d60511c1
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 27 20:44:51 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 16:57:29 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7de494c4
virt: virtlockd doesnt need ps_process_pattern
policy/modules/contrib/virt.te | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index e1a3bcaf..42e68a29 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
allow virtlockd_t self:capability dac_override;
allow virtlockd_t self:fifo_file rw_fifo_file_perms;
+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
allow virtlockd_t virt_image_type:dir list_dir_perms;
allow virtlockd_t virt_image_type:file rw_file_perms;
@@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
-ps_process_pattern(virtlockd_t, virtd_t)
-
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-25 16:58 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-25 16:58 UTC (permalink / raw
To: gentoo-commits
commit: 8d98d8c879371ade03fdb66270e66408d3af7199
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Feb 25 16:33:58 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 16:33:58 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8d98d8c8
Revert "Fix bug #536666 - Assign mailman_domain to all mailman domains"
This reverts commit 8a9db2c7ce1d9ffc2b0e2f789d3eb8fec86eeb53.
This is now upstream
policy/modules/contrib/mailman.if | 5 -----
1 file changed, 5 deletions(-)
diff --git a/policy/modules/contrib/mailman.if b/policy/modules/contrib/mailman.if
index 7c7ddf4b..259f0c3e 100644
--- a/policy/modules/contrib/mailman.if
+++ b/policy/modules/contrib/mailman.if
@@ -39,11 +39,6 @@ template(`mailman_domain_template',`
files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir })
auth_use_nsswitch(mailman_$1_t)
-
- ifdef(`distro_gentoo',`
- # Bug #536666 - Assign mailman_domain to all mailman domains
- typeattribute mailman_$1_t mailman_domain;
- ')
')
#######################################
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2017-02-25 15:28 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-02-25 16:58 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-25 16:58 UTC (permalink / raw
To: gentoo-commits
commit: fbdf6476f796ef532836e9ce0f76da7223ea8f99
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Feb 25 15:27:25 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 15:27:25 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fbdf6476
qemu: remove gentoo specific types that are now upstream
policy/modules/contrib/qemu.te | 2 --
1 file changed, 2 deletions(-)
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index b2c843f5..2183147c 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -85,8 +85,6 @@ ifdef(`distro_gentoo',`
#
# Local policy
#
- type qemu_var_run_t;
- files_pid_file(qemu_var_run_t)
# VNC/GDB support
allow qemu_t self:tcp_socket create_stream_socket_perms;
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2017-02-25 16:58 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-02-25 16:58 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-25 16:58 UTC (permalink / raw
To: gentoo-commits
commit: 569a623ad9011d342bdc454cd166b98943e9d744
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Feb 25 16:31:50 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 16:31:50 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=569a623a
mailman: remove gentoo specific fcontexts that are now upstream
policy/modules/contrib/mailman.fc | 22 ----------------------
1 file changed, 22 deletions(-)
diff --git a/policy/modules/contrib/mailman.fc b/policy/modules/contrib/mailman.fc
index d5734fc9..fe7a5159 100644
--- a/policy/modules/contrib/mailman.fc
+++ b/policy/modules/contrib/mailman.fc
@@ -27,25 +27,3 @@
/usr/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
/usr/share/doc/mailman/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-
-ifdef(`distro_gentoo',`
-# Bug 536666
-# Seems like Fedora changes trickled in refpolicy and break due to /usr/lib/mailman/bin declaration in corecommands.fc
-/etc/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
-
-/usr/lib/cgi-bin/mailman(/.*)? gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
-/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman/bin/mm-handler -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
-/usr/lib/mailman/cgi-bin(/.*)? gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
-/usr/lib/mailman/cron(/.*)? gen_context(system_u:object_r:mailman_queue_exec_t,s0)
-/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-
-/usr/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/share/doc/mailman/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-
-/var/lib/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
-/var/lib/mailman/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
-')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-25 16:58 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-25 16:58 UTC (permalink / raw
To: gentoo-commits
commit: 5d09eb208d774b72835ad7b168eba163d0459524
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu May 12 16:49:07 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 16:57:29 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5d09eb20
virt: add policy for virtlogd
policy/modules/contrib/virt.fc | 1 +
policy/modules/contrib/virt.te | 42 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 43 insertions(+)
diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index 22c1ed70..dca262ab 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)
/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index eb72843f..e1a3bcaf 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
type virtlockd_var_lib_t;
files_type(virtlockd_var_lib_t)
+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh)
')
ifdef(`enable_mls',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh)
')
########################################
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
allow virt_domain virtd_t:process sigchld;
+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
dontaudit virt_domain virtd_t:unix_stream_socket { read write };
manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
@@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto };
allow virtd_t svirt_lxc_domain:process signal_perms;
+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
allow virtd_t virtd_lxc_t:process { signal signull sigkill };
domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
@@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
can_exec(virtd_t, virt_tmp_t)
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t)
virt_append_log(virtlockd_t)
virt_read_config(virtlockd_t)
+
+########################################
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+virt_manage_log(virtlogd_t)
+virt_read_config(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-25 16:58 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-25 16:58 UTC (permalink / raw
To: gentoo-commits
commit: 5645bfe751544fd4ae9d8a4f2935bf6f2db10092
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Aug 11 05:49:02 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 16:57:29 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5645bfe7
virt: need to relabel to set categories
libvirtError: unable to set security context
'system_u:object_r:svirt_image_t:s0:c50,c346' on
'/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied
policy/modules/contrib/virt.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 42e68a29..3da04ef9 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
allow virtd_t virtd_keytab_t:file read_file_perms;
allow virtd_t svirt_var_run_t:file relabel_file_perms;
+allow virtd_t svirt_var_run_t:dir relabel_dir_perms;
manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-25 16:58 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-25 16:58 UTC (permalink / raw
To: gentoo-commits
commit: 3e37a5c6747b197e069b00446c328d320381ddf6
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Feb 15 17:15:58 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 16:57:29 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3e37a5c6
kerberos: Introduce kerberos_filetrans_named_content interface
policy/modules/contrib/kerberos.if | 37 +++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if
index 01caeead..d9d5811f 100644
--- a/policy/modules/contrib/kerberos.if
+++ b/policy/modules/contrib/kerberos.if
@@ -466,6 +466,43 @@ interface(`kerberos_connect_524',`
########################################
## <summary>
+## Transition to kerberos named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_filetrans_named_content',`
+ gen_require(`
+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+ type krb5kdc_principal_t;
+ ')
+
+ files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
+ #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
+
+ kerberos_etc_filetrans_keytab($1, file, "krb5.keytab")
+ #kerberos_filetrans_admin_home_content($1)
+
+ kerberos_tmp_filetrans_host_rcache($1, file, "DNS_25")
+ kerberos_tmp_filetrans_host_rcache($1, file, "host_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23")
+ kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48")
+ kerberos_tmp_filetrans_host_rcache($1, file, "imap_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487")
+ kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55")
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an kerberos environment.
## </summary>
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-25 16:58 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-25 16:58 UTC (permalink / raw
To: gentoo-commits
commit: 86a502818b8cf5ddd166a134ffd2ed50b726eea5
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Aug 13 16:37:55 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 16:57:29 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=86a50281
virt: kernel_read_system_state
policy/modules/contrib/virt.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 3da04ef9..0f82a04e 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
+kernel_read_system_state(virtlockd_t)
+
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
@@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
can_exec(virtlogd_t, virtlogd_exec_t)
+kernel_read_system_state(virtlogd_t)
+
files_read_etc_files(virtlogd_t)
files_list_var_lib(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-25 16:58 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-25 16:58 UTC (permalink / raw
To: gentoo-commits
commit: a63d567bbb4ec5293fb191b0caab42c0e27b32cf
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Aug 31 15:03:49 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 16:57:29 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a63d567b
WIP virt: image type perms
policy/modules/contrib/virt.te | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 0f82a04e..5df86d7b 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',`
#
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched };
allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
allow virtd_t self:tcp_socket { accept listen };
@@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
allow virtd_t virt_ptynode:chr_file rw_term_perms;
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
@@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',`
tunable_policy(`virt_use_vfio',`
allow virtd_t self:capability sys_resource;
- allow virtd_t self:process setrlimit;
allow virtd_t svirt_t:process rlimitinh;
dev_relabelfrom_vfio_dev(virtd_t)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-27 11:40 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-27 11:40 UTC (permalink / raw
To: gentoo-commits
commit: c12405c1bbcaeb1558c3f053671710738138e463
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 25 15:17:52 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 27 10:44:02 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c12405c1
MTA fixes from Russell Coker.
policy/modules/contrib/clamav.te | 11 +++++++++--
policy/modules/contrib/courier.if | 4 ++--
policy/modules/contrib/courier.te | 6 +++++-
policy/modules/contrib/dkim.if | 18 ++++++++++++++++++
policy/modules/contrib/dkim.te | 14 +++++++++++---
policy/modules/contrib/dovecot.fc | 3 +++
policy/modules/contrib/dovecot.te | 13 ++++++++++---
policy/modules/contrib/milter.if | 18 ++++++++++++++++++
policy/modules/contrib/milter.te | 10 +++++++++-
policy/modules/contrib/mta.fc | 1 +
policy/modules/contrib/mta.te | 8 +++++++-
policy/modules/contrib/perdition.fc | 2 +-
policy/modules/contrib/perdition.te | 19 +++++++++++++++----
policy/modules/contrib/postfix.fc | 30 +++++++++++++++---------------
policy/modules/contrib/postfix.te | 26 +++++++++++++++++++++++++-
policy/modules/contrib/postfixpolicyd.te | 18 +++++++++++++++---
policy/modules/contrib/postgrey.te | 7 +++++--
policy/modules/contrib/procmail.fc | 1 +
policy/modules/contrib/procmail.te | 7 ++++++-
policy/modules/contrib/spamassassin.fc | 1 +
policy/modules/contrib/spamassassin.te | 3 ++-
21 files changed, 179 insertions(+), 41 deletions(-)
diff --git a/policy/modules/contrib/clamav.te b/policy/modules/contrib/clamav.te
index f2664e82..11e568a6 100644
--- a/policy/modules/contrib/clamav.te
+++ b/policy/modules/contrib/clamav.te
@@ -1,4 +1,4 @@
-policy_module(clamav, 1.14.0)
+policy_module(clamav, 1.14.1)
## <desc>
## <p>
@@ -73,7 +73,7 @@ logging_log_file(freshclam_var_log_t)
# Clamd local policy
#
-allow clamd_t self:capability { dac_override kill setgid setuid };
+allow clamd_t self:capability { chown fowner fsetid kill setgid setuid dac_override };
dontaudit clamd_t self:capability sys_tty_config;
allow clamd_t self:process signal;
allow clamd_t self:fifo_file rw_fifo_file_perms;
@@ -107,6 +107,8 @@ kernel_dontaudit_list_proc(clamd_t)
kernel_read_sysctl(clamd_t)
kernel_read_kernel_sysctls(clamd_t)
kernel_read_system_state(clamd_t)
+kernel_read_vm_sysctls(clamd_t)
+kernel_read_vm_overcommit_sysctl(clamd_t)
corecmd_exec_shell(clamd_t)
@@ -128,6 +130,7 @@ corenet_tcp_bind_clamd_port(clamd_t)
dev_read_rand(clamd_t)
dev_read_urand(clamd_t)
+dev_read_sysfs(clamd_t)
domain_use_interactive_fds(clamd_t)
@@ -215,6 +218,10 @@ corenet_sendrecv_http_client_packets(freshclam_t)
corenet_tcp_connect_http_port(freshclam_t)
corenet_tcp_sendrecv_http_port(freshclam_t)
+corenet_sendrecv_http_cache_client_packets(freshclam_t)
+corenet_tcp_connect_http_cache_port(freshclam_t)
+corenet_tcp_sendrecv_http_cache_port(freshclam_t)
+
corenet_sendrecv_squid_client_packets(freshclam_t)
corenet_tcp_connect_squid_port(freshclam_t)
corenet_tcp_sendrecv_squid_port(freshclam_t)
diff --git a/policy/modules/contrib/courier.if b/policy/modules/contrib/courier.if
index 10f820fc..db4d192b 100644
--- a/policy/modules/contrib/courier.if
+++ b/policy/modules/contrib/courier.if
@@ -65,11 +65,11 @@ interface(`courier_domtrans_authdaemon',`
#
interface(`courier_stream_connect_authdaemon',`
gen_require(`
- type courier_authdaemon_t, courier_spool_t;
+ type courier_authdaemon_t, courier_var_run_t;
')
files_search_spool($1)
- stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
+ stream_connect_pattern($1, courier_var_run_t, courier_var_run_t, courier_authdaemon_t)
')
########################################
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index 176bd5c2..31ee1073 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -1,4 +1,4 @@
-policy_module(courier, 1.16.0)
+policy_module(courier, 1.16.1)
########################################
#
@@ -101,6 +101,8 @@ allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_pe
can_exec(courier_authdaemon_t, courier_exec_t)
+corecmd_exec_shell(courier_authdaemon_t)
+
domtrans_pattern(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t)
dev_read_urand(courier_authdaemon_t)
@@ -187,6 +189,8 @@ miscfiles_read_localization(courier_tcpd_t)
kernel_read_kernel_sysctls(courier_sqwebmail_t)
+dev_read_urand(courier_sqwebmail_t)
+
optional_policy(`
cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t)
')
diff --git a/policy/modules/contrib/dkim.if b/policy/modules/contrib/dkim.if
index 61e1f192..059e495a 100644
--- a/policy/modules/contrib/dkim.if
+++ b/policy/modules/contrib/dkim.if
@@ -2,6 +2,24 @@
########################################
## <summary>
+## Allow a domain to talk to dkim via Unix domain socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dkim_stream_connect',`
+ gen_require(`
+ type dkim_milter_data_t, dkim_milter_t;
+ ')
+
+ stream_connect_pattern($1, dkim_milter_data_t, dkim_milter_data_t, dkim_milter_t)
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an dkim environment.
## </summary>
diff --git a/policy/modules/contrib/dkim.te b/policy/modules/contrib/dkim.te
index 9ef8d760..5ffc618b 100644
--- a/policy/modules/contrib/dkim.te
+++ b/policy/modules/contrib/dkim.te
@@ -1,4 +1,4 @@
-policy_module(dkim, 1.5.0)
+policy_module(dkim, 1.5.1)
########################################
#
@@ -20,15 +20,23 @@ init_daemon_pid_file(dkim_milter_data_t, dir, "opendkim")
# Local policy
#
-allow dkim_milter_t self:capability { setgid setuid };
-allow dkim_milter_t self:process signal;
+allow dkim_milter_t self:capability { dac_override setgid setuid };
+allow dkim_milter_t self:process { signal signull };
allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
kernel_read_kernel_sysctls(dkim_milter_t)
+kernel_read_vm_sysctls(dkim_milter_t)
+kernel_read_vm_overcommit_sysctl(dkim_milter_t)
+
+corenet_udp_bind_generic_node(dkim_milter_t)
+corenet_udp_bind_all_unreserved_ports(dkim_milter_t)
+corenet_dontaudit_udp_bind_all_ports(dkim_milter_t)
dev_read_urand(dkim_milter_t)
+# for cpu/online
+dev_read_sysfs(dkim_milter_t)
files_search_spool(dkim_milter_t)
diff --git a/policy/modules/contrib/dovecot.fc b/policy/modules/contrib/dovecot.fc
index a8119188..c2f5734e 100644
--- a/policy/modules/contrib/dovecot.fc
+++ b/policy/modules/contrib/dovecot.fc
@@ -15,10 +15,13 @@
/etc/ssl/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
+/usr/lib/dovecot/anvil -- gen_context(system_u:object_r:dovecot_exec_t,s0)
/usr/lib/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
/usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
/usr/lib/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/lib/dovecot/log -- gen_context(system_u:object_r:dovecot_exec_t,s0)
+/usr/lib/dovecot/ssl-params -- gen_context(system_u:object_r:dovecot_exec_t,s0)
/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
index 1701e3f0..d18f9adc 100644
--- a/policy/modules/contrib/dovecot.te
+++ b/policy/modules/contrib/dovecot.te
@@ -1,4 +1,4 @@
-policy_module(dovecot, 1.19.0)
+policy_module(dovecot, 1.19.1)
########################################
#
@@ -92,7 +92,7 @@ miscfiles_read_localization(dovecot_domain)
# Local policy
#
-allow dovecot_t self:capability { chown dac_override dac_read_search fsetid kill setgid setuid sys_chroot };
+allow dovecot_t self:capability { chown dac_override dac_read_search fsetid kill setgid setuid sys_chroot sys_resource };
dontaudit dovecot_t self:capability sys_tty_config;
allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
allow dovecot_t self:tcp_socket { accept listen };
@@ -159,6 +159,8 @@ files_search_spool(dovecot_t)
files_dontaudit_list_default(dovecot_t)
files_dontaudit_search_all_dirs(dovecot_t)
files_search_all_mountpoints(dovecot_t)
+files_list_usr(dovecot_t)
+files_read_usr_files(dovecot_t)
fs_getattr_all_fs(dovecot_t)
fs_getattr_all_dirs(dovecot_t)
@@ -241,6 +243,8 @@ manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
+allow dovecot_auth_t dovecot_var_run_t:file manage_file_perms;
+allow dovecot_auth_t dovecot_var_run_t:fifo_file write_fifo_file_perms;
manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
@@ -249,6 +253,9 @@ files_search_pids(dovecot_auth_t)
files_read_usr_files(dovecot_auth_t)
files_read_var_lib_files(dovecot_auth_t)
+selinux_get_enforce_mode(dovecot_auth_t)
+selinux_get_fs_mount(dovecot_auth_t)
+
auth_domtrans_chk_passwd(dovecot_auth_t)
auth_use_nsswitch(dovecot_auth_t)
@@ -256,7 +263,7 @@ init_rw_utmp(dovecot_auth_t)
logging_send_audit_msgs(dovecot_auth_t)
-seutil_dontaudit_search_config(dovecot_auth_t)
+seutil_search_default_contexts(dovecot_auth_t)
sysnet_use_ldap(dovecot_auth_t)
diff --git a/policy/modules/contrib/milter.if b/policy/modules/contrib/milter.if
index cba62db1..ffb58f9f 100644
--- a/policy/modules/contrib/milter.if
+++ b/policy/modules/contrib/milter.if
@@ -97,3 +97,21 @@ interface(`milter_manage_spamass_state',`
manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
')
+
+########################################
+## <summary>
+## Get the attributes of the spamassissin milter data dir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`milter_getattr_data_dir',`
+ gen_require(`
+ type spamass_milter_data_t;
+ ')
+
+ allow $1 spamass_milter_data_t:dir getattr;
+')
diff --git a/policy/modules/contrib/milter.te b/policy/modules/contrib/milter.te
index 7c4b347d..8295ca64 100644
--- a/policy/modules/contrib/milter.te
+++ b/policy/modules/contrib/milter.te
@@ -1,4 +1,4 @@
-policy_module(milter, 1.6.0)
+policy_module(milter, 1.6.1)
########################################
#
@@ -94,15 +94,23 @@ mta_read_config(regex_milter_t)
#
allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
+allow spamass_milter_t self:process sigkill;
kernel_read_system_state(spamass_milter_t)
+kernel_read_vm_overcommit_sysctl(spamass_milter_t)
corecmd_exec_shell(spamass_milter_t)
+dev_read_sysfs(spamass_milter_t)
+
files_search_var_lib(spamass_milter_t)
mta_send_mail(spamass_milter_t)
optional_policy(`
+ postfix_search_spool(spamass_milter_t)
+')
+
+optional_policy(`
spamassassin_domtrans_client(spamass_milter_t)
')
diff --git a/policy/modules/contrib/mta.fc b/policy/modules/contrib/mta.fc
index 24681349..dd9f799a 100644
--- a/policy/modules/contrib/mta.fc
+++ b/policy/modules/contrib/mta.fc
@@ -3,6 +3,7 @@ HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+HOME_DIR/DovecotMail(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index f7280b11..22308885 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.8.2)
+policy_module(mta, 2.8.3)
########################################
#
@@ -199,6 +199,7 @@ selinux_getattr_fs(system_mail_t)
term_dontaudit_use_unallocated_ttys(system_mail_t)
init_use_script_ptys(system_mail_t)
+init_use_fds(system_mail_t)
userdom_use_user_terminals(system_mail_t)
@@ -233,6 +234,7 @@ optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
cron_dontaudit_write_pipes(system_mail_t)
cron_rw_system_job_stream_sockets(system_mail_t)
+ cron_rw_tmp_files(system_mail_t)
')
optional_policy(`
@@ -294,6 +296,10 @@ optional_policy(`
smartmon_read_tmp_files(system_mail_t)
')
+optional_policy(`
+ unconfined_use_fds(system_mail_t)
+')
+
########################################
#
# MTA user agent local policy
diff --git a/policy/modules/contrib/perdition.fc b/policy/modules/contrib/perdition.fc
index 156232f8..a7d2a8be 100644
--- a/policy/modules/contrib/perdition.fc
+++ b/policy/modules/contrib/perdition.fc
@@ -2,6 +2,6 @@
/etc/perdition(/.*)? gen_context(system_u:object_r:perdition_etc_t,s0)
-/usr/sbin/perdition -- gen_context(system_u:object_r:perdition_exec_t,s0)
+/usr/sbin/perdition.* -- gen_context(system_u:object_r:perdition_exec_t,s0)
/run/perdition\.pid -- gen_context(system_u:object_r:perdition_var_run_t,s0)
diff --git a/policy/modules/contrib/perdition.te b/policy/modules/contrib/perdition.te
index 15023cee..2975c2cc 100644
--- a/policy/modules/contrib/perdition.te
+++ b/policy/modules/contrib/perdition.te
@@ -1,4 +1,4 @@
-policy_module(perdition, 1.10.0)
+policy_module(perdition, 1.10.1)
########################################
#
@@ -23,7 +23,7 @@ files_pid_file(perdition_var_run_t)
# Local policy
#
-allow perdition_t self:capability { setgid setuid };
+allow perdition_t self:capability { chown dac_override fowner setgid setuid };
dontaudit perdition_t self:capability sys_tty_config;
allow perdition_t self:process signal_perms;
allow perdition_t self:tcp_socket { accept listen };
@@ -33,7 +33,8 @@ allow perdition_t perdition_etc_t:file read_file_perms;
allow perdition_t perdition_etc_t:lnk_file read_lnk_file_perms;
manage_files_pattern(perdition_t, perdition_var_run_t, perdition_var_run_t)
-files_pid_filetrans(perdition_t, perdition_var_run_t, file)
+manage_dirs_pattern(perdition_t, perdition_var_run_t, perdition_var_run_t)
+files_pid_filetrans(perdition_t, perdition_var_run_t, { file dir })
kernel_read_kernel_sysctls(perdition_t)
kernel_list_proc(perdition_t)
@@ -45,12 +46,17 @@ corenet_tcp_sendrecv_generic_if(perdition_t)
corenet_tcp_sendrecv_generic_node(perdition_t)
corenet_tcp_sendrecv_all_ports(perdition_t)
corenet_tcp_bind_generic_node(perdition_t)
-
+corenet_tcp_connect_pop_port(perdition_t)
corenet_sendrecv_pop_server_packets(perdition_t)
corenet_tcp_bind_pop_port(perdition_t)
corenet_tcp_sendrecv_pop_port(perdition_t)
+corenet_tcp_connect_sieve_port(perdition_t)
+corenet_sendrecv_sieve_server_packets(perdition_t)
+corenet_tcp_bind_sieve_port(perdition_t)
+corenet_tcp_sendrecv_sieve_port(perdition_t)
dev_read_sysfs(perdition_t)
+dev_read_urand(perdition_t)
domain_use_interactive_fds(perdition_t)
@@ -67,6 +73,11 @@ userdom_dontaudit_use_unpriv_user_fds(perdition_t)
userdom_dontaudit_search_user_home_dirs(perdition_t)
optional_policy(`
+ mysql_tcp_connect(perdition_t)
+ mysql_stream_connect(perdition_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(perdition_t)
')
diff --git a/policy/modules/contrib/postfix.fc b/policy/modules/contrib/postfix.fc
index b71d8442..707b5be0 100644
--- a/policy/modules/contrib/postfix.fc
+++ b/policy/modules/contrib/postfix.fc
@@ -1,24 +1,24 @@
-/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
+/etc/postfix(/.*)? gen_context(system_u:object_r:postfix_etc_t,s0)
/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
# Remove catch-all so that .so files remain lib_t
-#/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
-/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
-/usr/lib/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
-/usr/lib/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/lib/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
-/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
-/usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
-/usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
-/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
-/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
+#/usr/lib/postfix/(sbin/)?.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+/usr/lib/postfix/(sbin/)?cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+/usr/lib/postfix/(sbin/)?local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
+/usr/lib/postfix/(sbin/)?master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/lib/postfix/(sbin/)?pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+/usr/lib/postfix/(sbin/)?(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/lib/postfix/(sbin/)?showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
+/usr/lib/postfix/(sbin/)?smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/(sbin/)?lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/(sbin/)?scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/(sbin/)?smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+/usr/lib/postfix/(sbin/)?bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+/usr/lib/postfix/(sbin/)?pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+/usr/lib/postfix/(sbin/)?virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 74cb3d7e..94ac8471 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -1,4 +1,4 @@
-policy_module(postfix, 1.17.0)
+policy_module(postfix, 1.17.1)
########################################
#
@@ -172,6 +172,7 @@ optional_policy(`
#
allow postfix_server_domain self:capability { dac_override setgid setuid };
+allow postfix_master_t self:process getsched;
allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
@@ -272,6 +273,7 @@ corenet_udp_sendrecv_generic_node(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
corenet_tcp_bind_generic_node(postfix_master_t)
+corenet_udp_bind_generic_node(postfix_master_t)
corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
corenet_tcp_bind_amavisd_send_port(postfix_master_t)
@@ -302,6 +304,8 @@ mcs_file_read_all(postfix_master_t)
term_dontaudit_search_ptys(postfix_master_t)
+hostname_exec(postfix_master_t)
+
miscfiles_read_man_pages(postfix_master_t)
seutil_sigchld_newrole(postfix_master_t)
@@ -326,6 +330,11 @@ optional_policy(`
optional_policy(`
mailman_manage_data_files(postfix_master_t)
+ mailman_search_data(postfix_pipe_t)
+')
+
+optional_policy(`
+ milter_getattr_data_dir(postfix_master_t)
')
optional_policy(`
@@ -371,6 +380,7 @@ allow postfix_cleanup_t self:process setrlimit;
allow postfix_cleanup_t postfix_smtpd_t:tcp_socket rw_stream_socket_perms;
allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms;
+allow postfix_cleanup_t postfix_smtpd_t:fd use;
allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms;
@@ -397,6 +407,10 @@ corenet_tcp_sendrecv_kismet_port(postfix_cleanup_t)
mta_read_aliases(postfix_cleanup_t)
optional_policy(`
+ dkim_stream_connect(postfix_cleanup_t)
+')
+
+optional_policy(`
mailman_read_data_files(postfix_cleanup_t)
')
@@ -432,6 +446,7 @@ tunable_policy(`postfix_local_write_mail_spool',`
optional_policy(`
clamav_search_lib(postfix_local_t)
clamav_exec_clamscan(postfix_local_t)
+ clamav_stream_connect(postfix_smtpd_t)
')
optional_policy(`
@@ -549,6 +564,7 @@ allow postfix_pipe_t self:process setrlimit;
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
+write_sock_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
@@ -567,6 +583,7 @@ optional_policy(`
optional_policy(`
mailman_domtrans_queue(postfix_pipe_t)
+ mailman_domtrans(postfix_pipe_t)
')
optional_policy(`
@@ -596,6 +613,9 @@ manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool
allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
+# for /var/spool/postfix/public/pickup
+stream_connect_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t, postfix_master_t)
+
mcs_file_read_all(postfix_postdrop_t)
mcs_file_write_all(postfix_postdrop_t)
@@ -654,6 +674,10 @@ optional_policy(`
ppp_sigchld(postfix_postqueue_t)
')
+optional_policy(`
+ userdom_sigchld_all_users(postfix_postqueue_t)
+')
+
########################################
#
# Qmgr local policy
diff --git a/policy/modules/contrib/postfixpolicyd.te b/policy/modules/contrib/postfixpolicyd.te
index 621e1817..be84e714 100644
--- a/policy/modules/contrib/postfixpolicyd.te
+++ b/policy/modules/contrib/postfixpolicyd.te
@@ -1,4 +1,4 @@
-policy_module(postfixpolicyd, 1.5.0)
+policy_module(postfixpolicyd, 1.5.1)
########################################
#
@@ -15,6 +15,9 @@ files_config_file(postfix_policyd_conf_t)
type postfix_policyd_initrc_exec_t;
init_script_file(postfix_policyd_initrc_exec_t)
+type postfix_policyd_tmp_t;
+files_type(postfix_policyd_tmp_t)
+
type postfix_policyd_var_run_t;
files_pid_file(postfix_policyd_var_run_t)
@@ -23,8 +26,8 @@ files_pid_file(postfix_policyd_var_run_t)
# Local policy
#
-allow postfix_policyd_t self:capability { setgid setuid sys_chroot sys_resource };
-allow postfix_policyd_t self:process setrlimit;
+allow postfix_policyd_t self:capability { chown sys_chroot sys_resource setgid setuid };
+allow postfix_policyd_t self:process { setrlimit signal signull };
allow postfix_policyd_t self:tcp_socket { accept listen };
allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms;
@@ -34,6 +37,13 @@ allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms;
manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
+allow postfix_policyd_t postfix_policyd_tmp_t:{ file sock_file } manage_file_perms;
+files_tmp_filetrans(postfix_policyd_t, postfix_policyd_tmp_t, { file sock_file })
+
+kernel_search_network_sysctl(postfix_policyd_t)
+
+corecmd_exec_bin(postfix_policyd_t)
+
corenet_all_recvfrom_unlabeled(postfix_policyd_t)
corenet_tcp_sendrecv_generic_if(postfix_policyd_t)
corenet_tcp_sendrecv_generic_node(postfix_policyd_t)
@@ -47,6 +57,8 @@ corenet_sendrecv_mysqld_server_packets(postfix_policyd_t)
corenet_tcp_bind_mysqld_port(postfix_policyd_t)
corenet_tcp_sendrecv_mysqld_port(postfix_policyd_t)
+dev_read_urand(postfix_policyd_t)
+
files_read_etc_files(postfix_policyd_t)
files_read_usr_files(postfix_policyd_t)
diff --git a/policy/modules/contrib/postgrey.te b/policy/modules/contrib/postgrey.te
index ab5a8d3a..4fe73487 100644
--- a/policy/modules/contrib/postgrey.te
+++ b/policy/modules/contrib/postgrey.te
@@ -1,4 +1,4 @@
-policy_module(postgrey, 1.11.0)
+policy_module(postgrey, 1.11.1)
########################################
#
@@ -34,6 +34,8 @@ dontaudit postgrey_t self:capability sys_tty_config;
allow postgrey_t self:process signal_perms;
allow postgrey_t self:fifo_file create_fifo_file_perms;
allow postgrey_t self:tcp_socket create_stream_socket_perms;
+allow postgrey_t self:netlink_route_socket r_netlink_socket_perms;
+allow postgrey_t self:udp_socket { connect connected_socket_perms };
allow postgrey_t postgrey_etc_t:dir list_dir_perms;
allow postgrey_t postgrey_etc_t:file read_file_perms;
@@ -55,7 +57,8 @@ files_pid_filetrans(postgrey_t, postgrey_var_run_t, { dir file sock_file })
kernel_read_system_state(postgrey_t)
kernel_read_kernel_sysctls(postgrey_t)
-corecmd_search_bin(postgrey_t)
+corecmd_read_bin_files(postgrey_t)
+corecmd_exec_bin(postgrey_t)
corenet_all_recvfrom_unlabeled(postgrey_t)
corenet_all_recvfrom_netlabel(postgrey_t)
diff --git a/policy/modules/contrib/procmail.fc b/policy/modules/contrib/procmail.fc
index bdff6c93..dac08916 100644
--- a/policy/modules/contrib/procmail.fc
+++ b/policy/modules/contrib/procmail.fc
@@ -1,5 +1,6 @@
HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t,s0)
+/usr/bin/maildrop -- gen_context(system_u:object_r:procmail_exec_t,s0)
/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0)
/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0)
diff --git a/policy/modules/contrib/procmail.te b/policy/modules/contrib/procmail.te
index 8a842661..cdd23cc9 100644
--- a/policy/modules/contrib/procmail.te
+++ b/policy/modules/contrib/procmail.te
@@ -1,4 +1,4 @@
-policy_module(procmail, 1.14.0)
+policy_module(procmail, 1.14.1)
########################################
#
@@ -96,6 +96,11 @@ optional_policy(`
')
optional_policy(`
+ courier_read_config(procmail_t)
+ courier_stream_connect_authdaemon(procmail_t)
+')
+
+optional_policy(`
cyrus_stream_connect(procmail_t)
')
diff --git a/policy/modules/contrib/spamassassin.fc b/policy/modules/contrib/spamassassin.fc
index de27cda7..58dce766 100644
--- a/policy/modules/contrib/spamassassin.fc
+++ b/policy/modules/contrib/spamassassin.fc
@@ -23,6 +23,7 @@ HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0)
/var/log/mimedefang.* -- gen_context(system_u:object_r:spamd_log_t,s0)
/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+/run/spamassassin\.pid gen_context(system_u:object_r:spamd_var_run_t,s0)
/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
index 4a9153ce..2f770d2d 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -1,4 +1,4 @@
-policy_module(spamassassin, 2.10.0)
+policy_module(spamassassin, 2.10.1)
########################################
#
@@ -46,6 +46,7 @@ type spamc_exec_t;
typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
userdom_user_application_domain(spamc_t, spamc_exec_t)
+role system_r types spamc_t;
type spamc_tmp_t;
typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-27 11:40 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-27 11:40 UTC (permalink / raw
To: gentoo-commits
commit: e81afa8e462fd625e95e7458332b1cff1724654f
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 25 16:20:03 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 27 10:44:02 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e81afa8e
Network daemon patches from Russell Coker.
policy/modules/contrib/apache.fc | 4 +++
policy/modules/contrib/apache.if | 19 +++++++++++++
policy/modules/contrib/apache.te | 46 +++++++++++++++++++++-----------
policy/modules/contrib/bind.fc | 3 +++
policy/modules/contrib/bind.te | 6 ++++-
policy/modules/contrib/inetd.te | 3 ++-
policy/modules/contrib/iodine.fc | 2 ++
policy/modules/contrib/iodine.te | 9 ++++++-
policy/modules/contrib/jabber.fc | 4 +++
policy/modules/contrib/jabber.te | 12 ++++++++-
policy/modules/contrib/nagios.te | 7 +++--
policy/modules/contrib/networkmanager.fc | 2 +-
policy/modules/contrib/networkmanager.te | 6 ++++-
policy/modules/contrib/ntp.if | 18 +++++++++++++
policy/modules/contrib/ntp.te | 3 ++-
policy/modules/contrib/openvpn.fc | 1 +
policy/modules/contrib/openvpn.te | 2 +-
policy/modules/contrib/rpc.te | 4 ++-
policy/modules/contrib/squid.fc | 8 +++---
policy/modules/contrib/squid.if | 19 +++++++++++++
policy/modules/contrib/squid.te | 15 ++++++++++-
21 files changed, 161 insertions(+), 32 deletions(-)
diff --git a/policy/modules/contrib/apache.fc b/policy/modules/contrib/apache.fc
index faa08802..5fded37a 100644
--- a/policy/modules/contrib/apache.fc
+++ b/policy/modules/contrib/apache.fc
@@ -17,6 +17,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:objec
/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/postfixadmin(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/etc/rc\.d/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
@@ -56,6 +57,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:objec
/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/apache(2)?ctl -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/cgi-wrapper -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
@@ -110,6 +112,7 @@ ifdef(`distro_suse',`
/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php5(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/lib/glpi(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -124,6 +127,7 @@ ifdef(`distro_suse',`
/var/lib/stickshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/wordpress(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if
index 16539db5..91191ecc 100644
--- a/policy/modules/contrib/apache.if
+++ b/policy/modules/contrib/apache.if
@@ -1254,6 +1254,25 @@ interface(`apache_dontaudit_write_tmp_files',`
########################################
## <summary>
+## Delete httpd_var_lib_t files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain that can delete the files
+## </summary>
+## </param>
+#
+interface(`apache_delete_lib_files',`
+ gen_require(`
+ type httpd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ delete_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
+')
+
+########################################
+## <summary>
## Execute CGI in the specified domain.
## </summary>
## <desc>
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 2f724b68..37af1e22 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.12.0)
+policy_module(apache, 2.12.1)
########################################
#
@@ -402,14 +402,12 @@ read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
allow httpd_t httpd_keytab_t:file read_file_perms;
+allow httpd_t httpd_lock_t:dir manage_dir_perms;
allow httpd_t httpd_lock_t:file manage_file_perms;
-files_lock_filetrans(httpd_t, httpd_lock_t, file)
+files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })
-allow httpd_t httpd_log_t:dir setattr_dir_perms;
-create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
-create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
+manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
logging_log_filetrans(httpd_t, httpd_log_t, file)
@@ -427,6 +425,8 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+allow httpd_t httpd_sys_script_t:process signull;
+
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -444,6 +444,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_fi
manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
+manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
@@ -464,6 +465,8 @@ domtrans_pattern(httpd_t, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
kernel_read_kernel_sysctls(httpd_t)
+kernel_read_vm_sysctls(httpd_t)
+kernel_read_vm_overcommit_sysctl(httpd_t)
kernel_read_network_state(httpd_t)
kernel_read_system_state(httpd_t)
kernel_search_network_sysctl(httpd_t)
@@ -513,6 +516,8 @@ files_read_var_lib_symlinks(httpd_t)
auth_use_nsswitch(httpd_t)
+init_rw_inherited_script_tmp_files(httpd_t)
+
libs_read_lib_files(httpd_t)
logging_send_syslog_msg(httpd_t)
@@ -590,6 +595,7 @@ tunable_policy(`httpd_builtin_scripting',`
tunable_policy(`httpd_enable_cgi',`
allow httpd_t httpd_script_domains:process { signal sigkill sigstop };
allow httpd_t httpd_script_exec_type:dir list_dir_perms;
+ allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
@@ -737,9 +743,8 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
tunable_policy(`httpd_use_nfs',`
fs_list_auto_mountpoints(httpd_t)
- fs_manage_nfs_dirs(httpd_t)
- fs_manage_nfs_files(httpd_t)
- fs_manage_nfs_symlinks(httpd_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
')
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
@@ -1063,9 +1068,8 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
tunable_policy(`httpd_use_nfs',`
fs_list_auto_mountpoints(httpd_suexec_t)
- fs_manage_nfs_dirs(httpd_suexec_t)
- fs_manage_nfs_files(httpd_suexec_t)
- fs_manage_nfs_symlinks(httpd_suexec_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
')
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
@@ -1213,8 +1217,11 @@ optional_policy(`
#
allow httpd_sys_script_t self:tcp_socket { accept listen };
+allow httpd_sys_script_t self:unix_dgram_socket { create connect connected_socket_perms };
+
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
+allow httpd_sys_script_t httpd_t:unix_stream_socket { read write ioctl };
dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -1226,6 +1233,8 @@ allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms;
kernel_read_kernel_sysctls(httpd_sys_script_t)
+dev_read_sysfs(httpd_sys_script_t)
+
fs_search_auto_mountpoints(httpd_sys_script_t)
files_read_var_symlinks(httpd_sys_script_t)
@@ -1236,6 +1245,12 @@ apache_domtrans_rotatelogs(httpd_sys_script_t)
auth_use_nsswitch(httpd_sys_script_t)
+logging_send_syslog_msg(httpd_sys_script_t)
+
+ifdef(`init_systemd', `
+ init_search_pid_dirs(httpd_sys_script_t)
+')
+
tunable_policy(`httpd_can_sendmail',`
corenet_sendrecv_smtp_client_packets(httpd_sys_script_t)
corenet_tcp_connect_smtp_port(httpd_sys_script_t)
@@ -1290,9 +1305,8 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
tunable_policy(`httpd_use_nfs',`
fs_list_auto_mountpoints(httpd_sys_script_t)
- fs_manage_nfs_dirs(httpd_sys_script_t)
- fs_manage_nfs_files(httpd_sys_script_t)
- fs_manage_nfs_symlinks(httpd_sys_script_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
')
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
diff --git a/policy/modules/contrib/bind.fc b/policy/modules/contrib/bind.fc
index c9619a4e..de596aed 100644
--- a/policy/modules/contrib/bind.fc
+++ b/policy/modules/contrib/bind.fc
@@ -28,6 +28,8 @@
/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/lib/unbound(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+
/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
@@ -53,5 +55,6 @@
/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+/run/lwresd/lwresd\.pid -s gen_context(system_u:object_r:named_var_run_t,s0)
/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index bfec7c74..25329fdb 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.18.0)
+policy_module(bind, 1.18.1)
########################################
#
@@ -112,6 +112,8 @@ allow named_t named_zone_t:dir list_dir_perms;
read_files_pattern(named_t, named_zone_t, named_zone_t)
read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
+kernel_read_net_sysctls(named_t)
+kernel_read_vm_sysctls(named_t)
kernel_read_kernel_sysctls(named_t)
kernel_read_vm_overcommit_sysctl(named_t)
kernel_read_system_state(named_t)
@@ -152,6 +154,7 @@ dev_read_urand(named_t)
domain_use_interactive_fds(named_t)
files_read_etc_runtime_files(named_t)
+files_read_usr_files(named_t)
fs_getattr_all_fs(named_t)
fs_search_auto_mountpoints(named_t)
@@ -219,6 +222,7 @@ optional_policy(`
#
allow ndc_t self:capability { dac_override net_admin };
+allow ndc_t self:capability2 block_suspend;
allow ndc_t self:process signal_perms;
allow ndc_t self:fifo_file rw_fifo_file_perms;
allow ndc_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/inetd.te b/policy/modules/contrib/inetd.te
index 66c15680..70ecd1e5 100644
--- a/policy/modules/contrib/inetd.te
+++ b/policy/modules/contrib/inetd.te
@@ -1,4 +1,4 @@
-policy_module(inetd, 1.14.0)
+policy_module(inetd, 1.14.1)
########################################
#
@@ -61,6 +61,7 @@ kernel_read_system_state(inetd_t)
kernel_tcp_recvfrom_unlabeled(inetd_t)
corecmd_bin_domtrans(inetd_t, inetd_child_t)
+corecmd_bin_entry_type(inetd_child_t)
corenet_all_recvfrom_unlabeled(inetd_t)
corenet_all_recvfrom_netlabel(inetd_t)
diff --git a/policy/modules/contrib/iodine.fc b/policy/modules/contrib/iodine.fc
index ca07a874..42a24aaf 100644
--- a/policy/modules/contrib/iodine.fc
+++ b/policy/modules/contrib/iodine.fc
@@ -1,3 +1,5 @@
/etc/rc\.d/init\.d/((iodined)|(iodine-server)) -- gen_context(system_u:object_r:iodined_initrc_exec_t,s0)
/usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0)
+
+/var/run/iodine(/.*)? gen_context(system_u:object_r:iodined_var_run_t,s0)
diff --git a/policy/modules/contrib/iodine.te b/policy/modules/contrib/iodine.te
index c35fc069..11ef68f9 100644
--- a/policy/modules/contrib/iodine.te
+++ b/policy/modules/contrib/iodine.te
@@ -1,4 +1,4 @@
-policy_module(iodine, 1.2.0)
+policy_module(iodine, 1.2.1)
########################################
#
@@ -12,6 +12,9 @@ init_daemon_domain(iodined_t, iodined_exec_t)
type iodined_initrc_exec_t;
init_script_file(iodined_initrc_exec_t)
+type iodined_var_run_t;
+files_pid_file(iodined_var_run_t)
+
########################################
#
# Local policy
@@ -21,6 +24,10 @@ allow iodined_t self:capability { net_admin net_raw setgid setuid sys_chroot };
allow iodined_t self:rawip_socket create_socket_perms;
allow iodined_t self:tun_socket create_socket_perms;
allow iodined_t self:udp_socket connected_socket_perms;
+allow iodined_t self:netlink_route_socket rw_netlink_socket_perms;
+
+manage_dirs_pattern(iodined_t, iodined_var_run_t, iodined_var_run_t)
+manage_files_pattern(iodined_t, iodined_var_run_t, iodined_var_run_t)
kernel_read_net_sysctls(iodined_t)
kernel_read_network_state(iodined_t)
diff --git a/policy/modules/contrib/jabber.fc b/policy/modules/contrib/jabber.fc
index 96325be0..e31f56e8 100644
--- a/policy/modules/contrib/jabber.fc
+++ b/policy/modules/contrib/jabber.fc
@@ -2,6 +2,7 @@
/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
+/usr/bin/prosody -- gen_context(system_u:object_r:jabberd_exec_t,s0)
/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0)
@@ -13,13 +14,16 @@
/var/log/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
/var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
+/var/log/prosody(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
/var/lib/ejabberd/spool(/.*)? gen_context(system_u:object_r:jabberd_spool_t,s0)
/var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
+/var/lib/prosody(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
/var/lib/jabberd/log(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
/var/lib/jabberd/pid(/.*)? gen_context(system_u:object_r:jabberd_var_run_t,s0)
/run/ejabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
/run/jabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
+/run/prosody(/.*)? -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
diff --git a/policy/modules/contrib/jabber.te b/policy/modules/contrib/jabber.te
index fdea29d5..36f603c3 100644
--- a/policy/modules/contrib/jabber.te
+++ b/policy/modules/contrib/jabber.te
@@ -1,4 +1,4 @@
-policy_module(jabber, 1.12.0)
+policy_module(jabber, 1.12.1)
########################################
#
@@ -73,6 +73,7 @@ allow jabberd_t self:capability dac_override;
dontaudit jabberd_t self:capability sys_tty_config;
allow jabberd_t self:tcp_socket create_socket_perms;
allow jabberd_t self:udp_socket create_socket_perms;
+allow jabberd_t self:netlink_route_socket r_netlink_socket_perms;
manage_files_pattern(jabberd_t, jabberd_lock_t, jabberd_lock_t)
@@ -87,8 +88,12 @@ manage_files_pattern(jabberd_domain, jabberd_spool_t, jabberd_spool_t)
manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
+domain_dontaudit_search_all_domains_state(jabberd_t)
+
kernel_read_kernel_sysctls(jabberd_t)
+corecmd_exec_bin(jabberd_t)
+
corenet_sendrecv_jabber_client_server_packets(jabberd_t)
corenet_tcp_bind_jabber_client_port(jabberd_t)
corenet_tcp_sendrecv_jabber_client_port(jabberd_t)
@@ -96,6 +101,7 @@ corenet_tcp_sendrecv_jabber_client_port(jabberd_t)
corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
corenet_tcp_bind_jabber_interserver_port(jabberd_t)
corenet_tcp_sendrecv_jabber_interserver_port(jabberd_t)
+corenet_tcp_connect_jabber_interserver_port(jabberd_t)
dev_read_rand(jabberd_t)
@@ -103,9 +109,13 @@ domain_use_interactive_fds(jabberd_t)
files_read_etc_files(jabberd_t)
files_read_etc_runtime_files(jabberd_t)
+# usr for lua modules
+files_read_usr_files(jabberd_t)
fs_search_auto_mountpoints(jabberd_t)
+miscfiles_read_all_certs(jabberd_t)
+
sysnet_read_config(jabberd_t)
userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
diff --git a/policy/modules/contrib/nagios.te b/policy/modules/contrib/nagios.te
index 44c2abcd..de6a62cf 100644
--- a/policy/modules/contrib/nagios.te
+++ b/policy/modules/contrib/nagios.te
@@ -1,4 +1,4 @@
-policy_module(nagios, 1.15.0)
+policy_module(nagios, 1.15.1)
########################################
#
@@ -216,12 +216,15 @@ optional_policy(`
# Nrpe local policy
#
-allow nrpe_t self:capability { setgid setuid };
+allow nrpe_t self:capability { dac_override setgid setuid };
dontaudit nrpe_t self:capability { sys_resource sys_tty_config };
allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
allow nrpe_t self:fifo_file rw_fifo_file_perms;
allow nrpe_t self:tcp_socket { accept listen };
+allow nrpe_t nagios_etc_t:dir list_dir_perms;
+allow nrpe_t nagios_etc_t:file read_file_perms;
+
allow nrpe_t nagios_plugin_domain:process { signal sigkill };
read_files_pattern(nrpe_t, nagios_etc_t, nrpe_etc_t)
diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc
index fe5f8b4c..1e6d0f5b 100644
--- a/policy/modules/contrib/networkmanager.fc
+++ b/policy/modules/contrib/networkmanager.fc
@@ -3,7 +3,7 @@
/etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_etc_t,s0)
/etc/NetworkManager/NetworkManager\.conf gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
/etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
-/etc/NetworkManager/dispatcher\.d(/.*)? gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/etc/NetworkManager/dispatcher\.d(/.*)? -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
/etc/dhcp/manager-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
/etc/dhcp/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index cde12ad5..1e3237e5 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.20.1)
+policy_module(networkmanager, 1.20.2)
########################################
#
@@ -241,6 +241,10 @@ optional_policy(`
optional_policy(`
xserver_dbus_chat_xdm(NetworkManager_t)
')
+
+ optional_policy(`
+ unconfined_dbus_send(NetworkManager_t)
+ ')
')
optional_policy(`
diff --git a/policy/modules/contrib/ntp.if b/policy/modules/contrib/ntp.if
index fa0a1839..8bbb2aa3 100644
--- a/policy/modules/contrib/ntp.if
+++ b/policy/modules/contrib/ntp.if
@@ -18,6 +18,24 @@ interface(`ntp_stub',`
########################################
## <summary>
+## Read ntp.conf
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_read_config',`
+ gen_require(`
+ type ntp_conf_t;
+ ')
+
+ allow $1 ntp_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Execute ntp server in the ntpd domain.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index b1969955..9af1ad5f 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.16.1)
+policy_module(ntp, 1.16.2)
########################################
#
@@ -60,6 +60,7 @@ allow ntpd_t self:fifo_file rw_fifo_file_perms;
allow ntpd_t self:shm create_shm_perms;
allow ntpd_t self:socket create;
allow ntpd_t self:tcp_socket { accept listen };
+allow ntpd_t self:unix_dgram_socket sendto;
allow ntpd_t ntp_conf_t:file read_file_perms;
diff --git a/policy/modules/contrib/openvpn.fc b/policy/modules/contrib/openvpn.fc
index 7703264d..00d176d3 100644
--- a/policy/modules/contrib/openvpn.fc
+++ b/policy/modules/contrib/openvpn.fc
@@ -1,5 +1,6 @@
/etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0)
/etc/openvpn/ipp\.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0)
+/etc/openvpn/openvpn-status\.log.* -- gen_context(system_u:object_r:openvpn_status_t,s0)
/etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0)
diff --git a/policy/modules/contrib/openvpn.te b/policy/modules/contrib/openvpn.te
index 465716f6..54170a62 100644
--- a/policy/modules/contrib/openvpn.te
+++ b/policy/modules/contrib/openvpn.te
@@ -1,4 +1,4 @@
-policy_module(openvpn, 1.15.0)
+policy_module(openvpn, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 5123f079..0b9a71fc 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.19.1)
+policy_module(rpc, 1.19.2)
########################################
#
@@ -161,6 +161,8 @@ kernel_read_sysctl(rpcd_t)
kernel_rw_fs_sysctls(rpcd_t)
kernel_dontaudit_getattr_core_if(rpcd_t)
kernel_signal(rpcd_t)
+# for /proc/fs/lockd/nlm_end_grace
+kernel_write_proc_files(rpcd_t)
corecmd_exec_bin(rpcd_t)
diff --git a/policy/modules/contrib/squid.fc b/policy/modules/contrib/squid.fc
index d6b5ba09..7051c3e1 100644
--- a/policy/modules/contrib/squid.fc
+++ b/policy/modules/contrib/squid.fc
@@ -4,17 +4,17 @@
/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
-/usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0)
+/usr/sbin/squid.* -- gen_context(system_u:object_r:squid_exec_t,s0)
/usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
/var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
-/var/log/squid(/.*)? gen_context(system_u:object_r:squid_log_t,s0)
+/var/log/squid.* gen_context(system_u:object_r:squid_log_t,s0)
/var/log/squidGuard(/.*)? gen_context(system_u:object_r:squid_log_t,s0)
-/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0)
+/run/squid3.* gen_context(system_u:object_r:squid_var_run_t,s0)
-/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
+/var/spool/squid.* gen_context(system_u:object_r:squid_cache_t,s0)
/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
diff --git a/policy/modules/contrib/squid.if b/policy/modules/contrib/squid.if
index 941cedf3..b5adfad3 100644
--- a/policy/modules/contrib/squid.if
+++ b/policy/modules/contrib/squid.if
@@ -191,6 +191,25 @@ interface(`squid_use',`
########################################
## <summary>
+## dontaudit statting tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not be audited
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`squid_dontaudit_read_tmpfs_files',`
+ gen_require(`
+ type squid_tmpfs_t;
+ ')
+
+ dontaudit $1 squid_tmpfs_t:file getattr;
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an squid environment.
## </summary>
diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
index 74fb3c23..f4fd15e8 100644
--- a/policy/modules/contrib/squid.te
+++ b/policy/modules/contrib/squid.te
@@ -1,4 +1,4 @@
-policy_module(squid, 1.15.0)
+policy_module(squid, 1.15.1)
########################################
#
@@ -21,6 +21,14 @@ gen_tunable(squid_connect_any, false)
## </desc>
gen_tunable(squid_use_tproxy, false)
+## <desc>
+## <p>
+## Determine whether squid can use the
+## pinger daemon (needs raw net access)
+## </p>
+## </desc>
+gen_tunable(squid_use_pinger, true)
+
type squid_t;
type squid_exec_t;
init_daemon_domain(squid_t, squid_exec_t)
@@ -188,6 +196,11 @@ tunable_policy(`squid_connect_any',`
corenet_tcp_sendrecv_all_ports(squid_t)
')
+tunable_policy(`squid_use_pinger',`
+ allow squid_t self:rawip_socket connected_socket_perms;
+ allow squid_t self:capability net_raw;
+')
+
tunable_policy(`squid_use_tproxy',`
allow squid_t self:capability net_admin;
corenet_sendrecv_netport_server_packets(squid_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-27 11:40 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-27 11:40 UTC (permalink / raw
To: gentoo-commits
commit: a81b9a9546a92414dba7d3e0b0adff0147611eba
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Aug 11 05:49:02 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 27 11:32:41 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a81b9a95
virt: need to relabel to set categories
libvirtError: unable to set security context
'system_u:object_r:svirt_image_t:s0:c50,c346' on
'/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied
policy/modules/contrib/virt.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 42e68a29..3da04ef9 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
allow virtd_t virtd_keytab_t:file read_file_perms;
allow virtd_t svirt_var_run_t:file relabel_file_perms;
+allow virtd_t svirt_var_run_t:dir relabel_dir_perms;
manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-27 11:40 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-27 11:40 UTC (permalink / raw
To: gentoo-commits
commit: 7607e67783d8ae44493ce4f3a45abf1c80916be2
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu May 12 16:49:07 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 27 11:32:41 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7607e677
virt: add policy for virtlogd
policy/modules/contrib/virt.fc | 1 +
policy/modules/contrib/virt.te | 42 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 43 insertions(+)
diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index 22c1ed70..dca262ab 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)
/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index eb72843f..e1a3bcaf 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
type virtlockd_var_lib_t;
files_type(virtlockd_var_lib_t)
+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh)
')
ifdef(`enable_mls',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh)
')
########################################
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
allow virt_domain virtd_t:process sigchld;
+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
dontaudit virt_domain virtd_t:unix_stream_socket { read write };
manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
@@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto };
allow virtd_t svirt_lxc_domain:process signal_perms;
+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
allow virtd_t virtd_lxc_t:process { signal signull sigkill };
domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
@@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
can_exec(virtd_t, virt_tmp_t)
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t)
virt_append_log(virtlockd_t)
virt_read_config(virtlockd_t)
+
+########################################
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+virt_manage_log(virtlogd_t)
+virt_read_config(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-27 11:40 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-27 11:40 UTC (permalink / raw
To: gentoo-commits
commit: 5b1b50963284b3d1431c3c39edaceba6d7034bfc
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 27 20:44:51 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 27 11:32:41 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5b1b5096
virt: virtlockd doesnt need ps_process_pattern
policy/modules/contrib/virt.te | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index e1a3bcaf..42e68a29 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
allow virtlockd_t self:capability dac_override;
allow virtlockd_t self:fifo_file rw_fifo_file_perms;
+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
allow virtlockd_t virt_image_type:dir list_dir_perms;
allow virtlockd_t virt_image_type:file rw_file_perms;
@@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
-ps_process_pattern(virtlockd_t, virtd_t)
-
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2017-02-27 10:50 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-02-27 11:40 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-27 11:40 UTC (permalink / raw
To: gentoo-commits
commit: fb7aaf2a48166616050ebcc819fef4f9eb097e9b
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 25 16:49:54 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 27 10:44:02 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fb7aaf2a
apache: Fix CI error.
policy/modules/contrib/apache.te | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 37af1e22..1d8b1140 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.12.1)
+policy_module(apache, 2.12.2)
########################################
#
@@ -1248,7 +1248,7 @@ auth_use_nsswitch(httpd_sys_script_t)
logging_send_syslog_msg(httpd_sys_script_t)
ifdef(`init_systemd', `
- init_search_pid_dirs(httpd_sys_script_t)
+ init_search_pids(httpd_sys_script_t)
')
tunable_policy(`httpd_can_sendmail',`
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-27 11:40 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-27 11:40 UTC (permalink / raw
To: gentoo-commits
commit: 4a80bc53fe759bce98cd0e396cfe1fd350f8111f
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Aug 13 16:37:55 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 27 11:32:41 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4a80bc53
virt: kernel_read_system_state
policy/modules/contrib/virt.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 3da04ef9..0f82a04e 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
+kernel_read_system_state(virtlockd_t)
+
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
@@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
can_exec(virtlogd_t, virtlogd_exec_t)
+kernel_read_system_state(virtlogd_t)
+
files_read_etc_files(virtlogd_t)
files_list_var_lib(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-27 11:40 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-27 11:40 UTC (permalink / raw
To: gentoo-commits
commit: 3e4daaf3bad04646ec4d16fba6dfe802ad2dd77e
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Aug 31 15:03:49 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 27 11:32:41 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3e4daaf3
WIP virt: image type perms
policy/modules/contrib/virt.te | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 0f82a04e..5df86d7b 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',`
#
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched };
allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
allow virtd_t self:tcp_socket { accept listen };
@@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
allow virtd_t virt_ptynode:chr_file rw_term_perms;
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
@@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',`
tunable_policy(`virt_use_vfio',`
allow virtd_t self:capability sys_resource;
- allow virtd_t self:process setrlimit;
allow virtd_t svirt_t:process rlimitinh;
dev_relabelfrom_vfio_dev(virtd_t)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-27 11:40 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-02-27 11:40 UTC (permalink / raw
To: gentoo-commits
commit: 3d5dce8f0dc4f16ba83750cc6b84f2534178a089
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Feb 15 17:15:58 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 27 11:32:41 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3d5dce8f
kerberos: Introduce kerberos_filetrans_named_content interface
policy/modules/contrib/kerberos.if | 37 +++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if
index 01caeead..d9d5811f 100644
--- a/policy/modules/contrib/kerberos.if
+++ b/policy/modules/contrib/kerberos.if
@@ -466,6 +466,43 @@ interface(`kerberos_connect_524',`
########################################
## <summary>
+## Transition to kerberos named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_filetrans_named_content',`
+ gen_require(`
+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+ type krb5kdc_principal_t;
+ ')
+
+ files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
+ #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
+
+ kerberos_etc_filetrans_keytab($1, file, "krb5.keytab")
+ #kerberos_filetrans_admin_home_content($1)
+
+ kerberos_tmp_filetrans_host_rcache($1, file, "DNS_25")
+ kerberos_tmp_filetrans_host_rcache($1, file, "host_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23")
+ kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48")
+ kerberos_tmp_filetrans_host_rcache($1, file, "imap_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487")
+ kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55")
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an kerberos environment.
## </summary>
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-03-30 17:09 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-03-30 17:09 UTC (permalink / raw
To: gentoo-commits
commit: 63a3fc2863f04cafbd4f160861133e064764b0d4
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Tue Mar 14 15:01:16 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 14:00:10 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=63a3fc28
monit: add syslog access and support for monit systemd service
policy/modules/contrib/monit.if | 8 ++++----
policy/modules/contrib/monit.te | 3 +++
2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/monit.if b/policy/modules/contrib/monit.if
index 6107ef9d..d249dfbd 100644
--- a/policy/modules/contrib/monit.if
+++ b/policy/modules/contrib/monit.if
@@ -58,10 +58,10 @@ interface(`monit_run_cli',`
interface(`monit_reload',`
gen_require(`
class service { reload status };
- type monit_initrc_exec_t;
+ type monit_initrc_exec_t, monit_unit_t;
')
- allow $1 monit_initrc_exec_t:service { reload status };
+ allow $1 { monit_initrc_exec_t monit_unit_t }:service { reload status };
')
########################################
@@ -77,10 +77,10 @@ interface(`monit_reload',`
interface(`monit_startstop_service',`
gen_require(`
class service { start status stop };
- type monit_initrc_exec_t;
+ type monit_initrc_exec_t, monit_unit_t;
')
- allow $1 monit_initrc_exec_t:service { start status stop };
+ allow $1 { monit_initrc_exec_t monit_unit_t }:service { start status stop };
')
########################################
diff --git a/policy/modules/contrib/monit.te b/policy/modules/contrib/monit.te
index 470c44f4..feedbd7e 100644
--- a/policy/modules/contrib/monit.te
+++ b/policy/modules/contrib/monit.te
@@ -88,6 +88,7 @@ dontaudit monit_t self:capability net_admin;
allow monit_t self:fifo_file rw_fifo_file_perms;
allow monit_t self:rawip_socket connected_socket_perms;
allow monit_t self:tcp_socket server_stream_socket_perms;
+allow monit_t self:unix_dgram_socket { connect create };
allow monit_t monit_log_t:file { create read_file_perms append_file_perms };
logging_log_filetrans(monit_t, monit_log_t, file)
@@ -111,6 +112,8 @@ domain_read_all_domains_state(monit_t)
files_read_all_pids(monit_t)
+logging_send_syslog_msg(monit_t)
+
ifdef(`hide_broken_symptoms',`
# kernel bug: https://github.com/SELinuxProject/selinux-kernel/issues/6
dontaudit monit_t self:capability dac_override;
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-03-30 17:09 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-03-30 17:09 UTC (permalink / raw
To: gentoo-commits
commit: 0575eea1a7dfe550051c45678d2b1d98b3b91805
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Tue Mar 14 14:14:05 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 14:00:10 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0575eea1
remove /var/run file context lefovers, add dbus exception
policy/modules/contrib/dbus.fc | 17 ++++++++++-------
policy/modules/contrib/iodine.fc | 4 ++--
policy/modules/contrib/mon.fc | 12 ++++++------
policy/modules/contrib/qemu.fc | 6 +++---
4 files changed, 21 insertions(+), 18 deletions(-)
diff --git a/policy/modules/contrib/dbus.fc b/policy/modules/contrib/dbus.fc
index c7baa6ba..725276de 100644
--- a/policy/modules/contrib/dbus.fc
+++ b/policy/modules/contrib/dbus.fc
@@ -1,8 +1,11 @@
-HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0)
+HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0)
-/etc/dbus-.*(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
+/etc/dbus-.*(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
-/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+/run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+
+/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
/usr/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
@@ -11,9 +14,9 @@ HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0)
/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
-/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
+/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
-/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
-/run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
-/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+# /var/run prefix exception; https://dbus.freedesktop.org/doc/dbus-specification.html#idm2461
+/var/run/dbus/system_bus_socket gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
diff --git a/policy/modules/contrib/iodine.fc b/policy/modules/contrib/iodine.fc
index 42a24aaf..53b6a139 100644
--- a/policy/modules/contrib/iodine.fc
+++ b/policy/modules/contrib/iodine.fc
@@ -1,5 +1,5 @@
/etc/rc\.d/init\.d/((iodined)|(iodine-server)) -- gen_context(system_u:object_r:iodined_initrc_exec_t,s0)
-/usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0)
+/run/iodine(/.*)? gen_context(system_u:object_r:iodined_var_run_t,s0)
-/var/run/iodine(/.*)? gen_context(system_u:object_r:iodined_var_run_t,s0)
+/usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0)
diff --git a/policy/modules/contrib/mon.fc b/policy/modules/contrib/mon.fc
index fa179dd8..c92575b4 100644
--- a/policy/modules/contrib/mon.fc
+++ b/policy/modules/contrib/mon.fc
@@ -1,11 +1,11 @@
-/usr/lib/mon/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
-/usr/lib/mon/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
-/usr/lib/mon-contrib/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
-/usr/lib/mon-contrib/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
+/run/mon(/.*)? gen_context(system_u:object_r:mon_var_run_t,s0)
-/usr/sbin/mon -- gen_context(system_u:object_r:mon_exec_t,s0)
+/usr/lib/mon/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
+/usr/lib/mon/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
+/usr/lib/mon-contrib/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
+/usr/lib/mon-contrib/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
-/var/run/mon(/.*)? gen_context(system_u:object_r:mon_var_run_t,s0)
+/usr/sbin/mon -- gen_context(system_u:object_r:mon_exec_t,s0)
/var/lib/mon(/.*)? gen_context(system_u:object_r:mon_var_lib_t,s0)
/var/log/mon(/.*)? gen_context(system_u:object_r:mon_var_log_t,s0)
diff --git a/policy/modules/contrib/qemu.fc b/policy/modules/contrib/qemu.fc
index 122ca70f..1fc79800 100644
--- a/policy/modules/contrib/qemu.fc
+++ b/policy/modules/contrib/qemu.fc
@@ -1,4 +1,6 @@
-/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/run/xen/qmp.* -- gen_context(system_u:object_r:qemu_var_run_t,s0)
+
+/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
@@ -7,8 +9,6 @@
/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
-/var/run/xen/qmp.* -- gen_context(system_u:object_r:qemu_var_run_t,s0)
-
ifdef(`distro_gentoo',`
/usr/bin/qemu-ga -- gen_context(system_u:object_r:qemu_ga_exec_t,s0)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-03-30 17:09 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-03-30 17:09 UTC (permalink / raw
To: gentoo-commits
commit: 7778cfae1f95b32eb4b244dd4c0721fda21b0cf6
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Mar 18 13:14:38 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 14:00:10 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7778cfae
Module version bump for fixes from cgzones.
policy/modules/contrib/dbus.te | 2 +-
policy/modules/contrib/iodine.te | 2 +-
policy/modules/contrib/mon.te | 2 +-
policy/modules/contrib/qemu.te | 2 +-
policy/modules/contrib/vnstatd.te | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 6e011919..f307ddec 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.22.2)
+policy_module(dbus, 1.22.3)
gen_require(`
class dbus all_dbus_perms;
diff --git a/policy/modules/contrib/iodine.te b/policy/modules/contrib/iodine.te
index 11ef68f9..b316ec5b 100644
--- a/policy/modules/contrib/iodine.te
+++ b/policy/modules/contrib/iodine.te
@@ -1,4 +1,4 @@
-policy_module(iodine, 1.2.1)
+policy_module(iodine, 1.2.2)
########################################
#
diff --git a/policy/modules/contrib/mon.te b/policy/modules/contrib/mon.te
index 1a9d2a1a..5db41833 100644
--- a/policy/modules/contrib/mon.te
+++ b/policy/modules/contrib/mon.te
@@ -1,4 +1,4 @@
-policy_module(mon, 1.0.1)
+policy_module(mon, 1.0.2)
########################################
#
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index 2183147c..6581907a 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -1,4 +1,4 @@
-policy_module(qemu, 1.9.1)
+policy_module(qemu, 1.9.2)
########################################
#
diff --git a/policy/modules/contrib/vnstatd.te b/policy/modules/contrib/vnstatd.te
index 69a93d0b..ee8ae063 100644
--- a/policy/modules/contrib/vnstatd.te
+++ b/policy/modules/contrib/vnstatd.te
@@ -1,4 +1,4 @@
-policy_module(vnstatd, 1.3.1)
+policy_module(vnstatd, 1.3.2)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2017-03-30 17:06 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-03-30 17:09 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-03-30 17:09 UTC (permalink / raw
To: gentoo-commits
commit: 2c0da71cc910b4b69b6be4565771b2da18df9254
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Mar 12 20:36:34 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 13:58:39 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2c0da71c
Module version bump for dphysswapfile and mandb fixes from cgzones.
policy/modules/contrib/dphysswapfile.te | 2 +-
policy/modules/contrib/mandb.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/dphysswapfile.te b/policy/modules/contrib/dphysswapfile.te
index cb3d194f..5a308095 100644
--- a/policy/modules/contrib/dphysswapfile.te
+++ b/policy/modules/contrib/dphysswapfile.te
@@ -1,4 +1,4 @@
-policy_module(dphysswapfile, 1.0.1)
+policy_module(dphysswapfile, 1.0.2)
########################################
#
diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te
index 0358aaff..62684374 100644
--- a/policy/modules/contrib/mandb.te
+++ b/policy/modules/contrib/mandb.te
@@ -1,4 +1,4 @@
-policy_module(mandb, 1.3.0)
+policy_module(mandb, 1.3.1)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2017-03-30 17:06 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-03-30 17:09 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-03-30 17:09 UTC (permalink / raw
To: gentoo-commits
commit: 997b61a104f916f9883d5dfdc2e3510ecc7f3d61
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Mar 25 16:31:20 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 14:00:10 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=997b61a1
dontaudit net_admin for SO_SNDBUFFORCE
The following patch adds dontaudit rules for where the net_admin capability
is requested due to SO_SNDBUFFORCE. This forces the caller to use SO_SNDBUF
which gives the same result but possibly a smaller buffer.
From Russell Coker
policy/modules/contrib/rpcbind.te | 4 +++-
policy/modules/contrib/tor.te | 4 +++-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index 8e752265..abe55b18 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.11.1)
+policy_module(rpcbind, 1.11.2)
########################################
#
@@ -26,6 +26,8 @@ files_type(rpcbind_var_lib_t)
#
allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
+# net_admin is for SO_SNDBUFFORCE
+dontaudit rpcbind_t self:capability net_admin;
allow rpcbind_t self:fifo_file rw_fifo_file_perms;
allow rpcbind_t self:unix_stream_socket { accept listen };
allow rpcbind_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
index a68e5d9e..3b48ba5e 100644
--- a/policy/modules/contrib/tor.te
+++ b/policy/modules/contrib/tor.te
@@ -1,4 +1,4 @@
-policy_module(tor, 1.13.1)
+policy_module(tor, 1.13.2)
########################################
#
@@ -42,6 +42,8 @@ init_daemon_pid_file(tor_var_run_t, dir, "tor")
#
allow tor_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_tty_config };
+# net_admin is for SO_SNDBUFFORCE
+dontaudit tor_t self:capability net_admin;
allow tor_t self:process signal;
allow tor_t self:fifo_file rw_fifo_file_perms;
allow tor_t self:unix_stream_socket { accept listen };
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2017-03-30 17:06 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-03-30 17:09 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-03-30 17:09 UTC (permalink / raw
To: gentoo-commits
commit: 9c069ad294b09ac28ca1fe83ff999e77975c3cd0
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Mar 25 16:55:52 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 14:00:10 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9c069ad2
/var/run -> /run again
Here's the latest version of my patch to remove all /var/run when it's not
needed. I have removed the subst thing from the patch, but kept a
distro_debian bit that relies on it. So with this patch the policy won't
install if you build it with distro_debian unless you have my subst patch.
Chris, if your automated tests require that it build and install with
distro_debian then skip the patch for sysnetwork.fc.
From Russell Coker
policy/modules/contrib/dbus.fc | 4 ++++
policy/modules/contrib/dbus.te | 2 +-
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/dbus.fc b/policy/modules/contrib/dbus.fc
index 725276de..c2a15358 100644
--- a/policy/modules/contrib/dbus.fc
+++ b/policy/modules/contrib/dbus.fc
@@ -20,3 +20,7 @@ HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0)
# /var/run prefix exception; https://dbus.freedesktop.org/doc/dbus-specification.html#idm2461
/var/run/dbus/system_bus_socket gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+
+ifdef(`distro_debian',`
+/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+')
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index f307ddec..941d2f47 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.22.3)
+policy_module(dbus, 1.22.4)
gen_require(`
class dbus all_dbus_perms;
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-03-30 17:09 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-03-30 17:09 UTC (permalink / raw
To: gentoo-commits
commit: ca6c38b25c5f3187b4ef72253548e944f4e515c0
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Mar 25 17:24:42 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 14:00:10 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ca6c38b2
Module version bump for monit patch from cgzones.
policy/modules/contrib/logrotate.te | 2 +-
policy/modules/contrib/monit.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index 65765f63..c43440ee 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.18.0)
+policy_module(logrotate, 1.18.1)
########################################
#
diff --git a/policy/modules/contrib/monit.te b/policy/modules/contrib/monit.te
index feedbd7e..3f929253 100644
--- a/policy/modules/contrib/monit.te
+++ b/policy/modules/contrib/monit.te
@@ -1,4 +1,4 @@
-policy_module(monit, 1.0.1)
+policy_module(monit, 1.0.2)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-03-30 17:09 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-03-30 17:09 UTC (permalink / raw
To: gentoo-commits
commit: 0f32cb056a8ed3e2b619202c03a9d2db6b9dace2
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Mar 30 15:23:08 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 15:23:08 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0f32cb05
phpfpm: corecmd_read_bin_symlinks is deprecated
policy/modules/contrib/phpfpm.te | 1 -
1 file changed, 1 deletion(-)
diff --git a/policy/modules/contrib/phpfpm.te b/policy/modules/contrib/phpfpm.te
index 89ed6c9e..826ba859 100644
--- a/policy/modules/contrib/phpfpm.te
+++ b/policy/modules/contrib/phpfpm.te
@@ -52,7 +52,6 @@ manage_sock_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
kernel_read_kernel_sysctls(phpfpm_t)
-corecmd_read_bin_symlinks(phpfpm_t)
corecmd_search_bin(phpfpm_t)
corenet_tcp_bind_all_unreserved_ports(phpfpm_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-03-30 17:09 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-03-30 17:09 UTC (permalink / raw
To: gentoo-commits
commit: 0f4d3222a8e6014f777007ce8ed54cd3f5c8326e
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 27 20:44:51 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 16:50:39 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0f4d3222
virt: virtlockd doesnt need ps_process_pattern
policy/modules/contrib/virt.te | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index e1a3bcaf..42e68a29 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
allow virtlockd_t self:capability dac_override;
allow virtlockd_t self:fifo_file rw_fifo_file_perms;
+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
allow virtlockd_t virt_image_type:dir list_dir_perms;
allow virtlockd_t virt_image_type:file rw_file_perms;
@@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
-ps_process_pattern(virtlockd_t, virtd_t)
-
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2017-03-30 17:06 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-03-30 17:09 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-03-30 17:09 UTC (permalink / raw
To: gentoo-commits
commit: 66330450e5ece7ebc512aae878d224b772efd252
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Mar 28 22:50:35 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 14:00:10 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=66330450
systemd-resolvd, sessions, and tmpfiles take2
I believe that I have addressed all the issues Chris raised, so here's a newer
version of the patch which applies to today's git version.
Description: systemd-resolved, sessions, and tmpfiles patches
Author: Russell Coker <russell <AT> coker.com.au>
Last-Update: 2017-03-26
policy/modules/contrib/xfs.if | 19 +++++++++++++++++++
policy/modules/contrib/xfs.te | 2 +-
2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/xfs.if b/policy/modules/contrib/xfs.if
index 19934060..1aafbbc1 100644
--- a/policy/modules/contrib/xfs.if
+++ b/policy/modules/contrib/xfs.if
@@ -60,6 +60,25 @@ interface(`xfs_exec',`
########################################
## <summary>
+## Create xfs temporary dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xfs_create_tmp_dirs',`
+ gen_require(`
+ type xfs_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 xfs_tmp_t:dir create;
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an xfs environment.
## </summary>
diff --git a/policy/modules/contrib/xfs.te b/policy/modules/contrib/xfs.te
index 3fc2a1bf..839f15cf 100644
--- a/policy/modules/contrib/xfs.te
+++ b/policy/modules/contrib/xfs.te
@@ -1,4 +1,4 @@
-policy_module(xfs, 1.9.0)
+policy_module(xfs, 1.9.1)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2017-03-30 17:06 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-03-30 17:09 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-03-30 17:09 UTC (permalink / raw
To: gentoo-commits
commit: cb4a7621007fc2b4bfd34fd5952c151cfa3e82c3
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Mar 30 16:50:15 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 16:50:39 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cb4a7621
android: add new rules for adb
policy/modules/contrib/android.te | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
index 9b3d010f..5c2681c2 100644
--- a/policy/modules/contrib/android.te
+++ b/policy/modules/contrib/android.te
@@ -56,6 +56,8 @@ files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+corecmd_list_bin(android_tools_t)
+
corenet_tcp_bind_adb_port(android_tools_t)
corenet_tcp_bind_generic_node(android_tools_t)
corenet_tcp_connect_adb_port(android_tools_t)
@@ -63,11 +65,15 @@ corenet_tcp_connect_adb_port(android_tools_t)
dev_read_sysfs(android_tools_t)
dev_rw_generic_usb_dev(android_tools_t)
+files_read_etc_files(android_tools_t)
+
userdom_manage_user_home_content_dirs(android_tools_t)
userdom_manage_user_home_content_files(android_tools_t)
userdom_search_user_home_content(android_tools_t)
userdom_use_user_terminals(android_tools_t)
+sysnet_dns_name_resolve(android_tools_t)
+
############################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-03-30 17:09 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-03-30 17:09 UTC (permalink / raw
To: gentoo-commits
commit: 15cc617da7710016c4aa47e0f9e42ed68ff36006
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu May 12 16:49:07 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 16:50:39 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=15cc617d
virt: add policy for virtlogd
policy/modules/contrib/virt.fc | 1 +
policy/modules/contrib/virt.te | 42 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 43 insertions(+)
diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index 22c1ed70..dca262ab 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)
/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index eb72843f..e1a3bcaf 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
type virtlockd_var_lib_t;
files_type(virtlockd_var_lib_t)
+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh)
')
ifdef(`enable_mls',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh)
')
########################################
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
allow virt_domain virtd_t:process sigchld;
+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
dontaudit virt_domain virtd_t:unix_stream_socket { read write };
manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
@@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto };
allow virtd_t svirt_lxc_domain:process signal_perms;
+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
allow virtd_t virtd_lxc_t:process { signal signull sigkill };
domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
@@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
can_exec(virtd_t, virt_tmp_t)
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t)
virt_append_log(virtlockd_t)
virt_read_config(virtlockd_t)
+
+########################################
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+virt_manage_log(virtlogd_t)
+virt_read_config(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-03-30 17:09 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-03-30 17:09 UTC (permalink / raw
To: gentoo-commits
commit: c6e77e09d07fe6e2d9b6210fd66226a7f2cbb4d5
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Aug 11 05:49:02 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 16:50:39 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c6e77e09
virt: need to relabel to set categories
libvirtError: unable to set security context
'system_u:object_r:svirt_image_t:s0:c50,c346' on
'/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied
policy/modules/contrib/virt.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 42e68a29..3da04ef9 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
allow virtd_t virtd_keytab_t:file read_file_perms;
allow virtd_t svirt_var_run_t:file relabel_file_perms;
+allow virtd_t svirt_var_run_t:dir relabel_dir_perms;
manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-03-30 17:09 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-03-30 17:09 UTC (permalink / raw
To: gentoo-commits
commit: 7b417b60f1c8234ee350a88a86f7238df6cf41ee
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Feb 15 17:15:58 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 16:50:39 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7b417b60
kerberos: Introduce kerberos_filetrans_named_content interface
policy/modules/contrib/kerberos.if | 37 +++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if
index 01caeead..d9d5811f 100644
--- a/policy/modules/contrib/kerberos.if
+++ b/policy/modules/contrib/kerberos.if
@@ -466,6 +466,43 @@ interface(`kerberos_connect_524',`
########################################
## <summary>
+## Transition to kerberos named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_filetrans_named_content',`
+ gen_require(`
+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+ type krb5kdc_principal_t;
+ ')
+
+ files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
+ #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
+
+ kerberos_etc_filetrans_keytab($1, file, "krb5.keytab")
+ #kerberos_filetrans_admin_home_content($1)
+
+ kerberos_tmp_filetrans_host_rcache($1, file, "DNS_25")
+ kerberos_tmp_filetrans_host_rcache($1, file, "host_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23")
+ kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48")
+ kerberos_tmp_filetrans_host_rcache($1, file, "imap_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487")
+ kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55")
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an kerberos environment.
## </summary>
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-03-30 17:09 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-03-30 17:09 UTC (permalink / raw
To: gentoo-commits
commit: 4977eb8dd00874ce90306272d9b4edfad209f14b
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Mar 30 07:15:39 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 16:50:40 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4977eb8d
gssproxy: add policy
borrowed and modified from Fedora
policy/modules/contrib/gssproxy.fc | 8 ++
policy/modules/contrib/gssproxy.if | 199 +++++++++++++++++++++++++++++++++++++
policy/modules/contrib/gssproxy.te | 67 +++++++++++++
3 files changed, 274 insertions(+)
diff --git a/policy/modules/contrib/gssproxy.fc b/policy/modules/contrib/gssproxy.fc
new file mode 100644
index 00000000..a9970159
--- /dev/null
+++ b/policy/modules/contrib/gssproxy.fc
@@ -0,0 +1,8 @@
+/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_t,s0)
+
+/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0)
+
+/var/lib/gssproxy(/.*)? gen_context(system_u:object_r:gssproxy_var_lib_t,s0)
+
+/run/gssproxy\.pid -- gen_context(system_u:object_r:gssproxy_run_t,s0)
+/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_run_t,s0)
diff --git a/policy/modules/contrib/gssproxy.if b/policy/modules/contrib/gssproxy.if
new file mode 100644
index 00000000..cebdb20b
--- /dev/null
+++ b/policy/modules/contrib/gssproxy.if
@@ -0,0 +1,199 @@
+
+## <summary>policy for gssproxy</summary>
+
+########################################
+## <summary>
+## Execute gssproxy in the gssproxy domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gssproxy_domtrans',`
+ gen_require(`
+ type gssproxy_t, gssproxy_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, gssproxy_exec_t, gssproxy_t)
+')
+
+########################################
+## <summary>
+## Search gssproxy lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_search_lib',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ allow $1 gssproxy_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read gssproxy lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_read_lib_files',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage gssproxy lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_manage_lib_files',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage gssproxy lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_manage_lib_dirs',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read gssproxy PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_read_pid_files',`
+ gen_require(`
+ type gssproxy_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, gssproxy_run_t, gssproxy_run_t)
+')
+
+########################################
+## <summary>
+## Execute gssproxy server in the gssproxy domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gssproxy_systemctl',`
+ gen_require(`
+ type gssproxy_t;
+ type gssproxy_unit_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 gssproxy_unit_t:file read_file_perms;
+ allow $1 gssproxy_unit_t:service manage_service_perms;
+
+ ps_process_pattern($1, gssproxy_t)
+')
+
+########################################
+## <summary>
+## Connect to gssproxy over an unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_stream_connect',`
+ gen_require(`
+ type gssproxy_t, gssproxy_run_t, gssproxy_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, gssproxy_run_t, gssproxy_run_t, gssproxy_t)
+ stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an gssproxy environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`gssproxy_admin',`
+ gen_require(`
+ type gssproxy_t;
+ type gssproxy_var_lib_t;
+ type gssproxy_run_t;
+ type gssproxy_unit_t;
+ ')
+
+ allow $1 gssproxy_t:process { ptrace signal_perms };
+ ps_process_pattern($1, gssproxy_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, gssproxy_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, gssproxy_run_t)
+
+ gssproxy_systemctl($1)
+ admin_pattern($1, gssproxy_unit_t)
+ allow $1 gssproxy_unit_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/policy/modules/contrib/gssproxy.te b/policy/modules/contrib/gssproxy.te
new file mode 100644
index 00000000..20027689
--- /dev/null
+++ b/policy/modules/contrib/gssproxy.te
@@ -0,0 +1,67 @@
+policy_module(gssproxy, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gssproxy_t;
+type gssproxy_exec_t;
+init_daemon_domain(gssproxy_t, gssproxy_exec_t)
+
+type gssproxy_var_lib_t;
+files_type(gssproxy_var_lib_t)
+
+type gssproxy_run_t;
+files_pid_file(gssproxy_run_t)
+
+type gssproxy_unit_t;
+init_unit_file(gssproxy_unit_t)
+
+########################################
+#
+# gssproxy local policy
+#
+allow gssproxy_t self:capability { setuid setgid };
+allow gssproxy_t self:capability2 block_suspend;
+allow gssproxy_t self:fifo_file rw_fifo_file_perms;
+allow gssproxy_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_sock_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_lnk_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+files_var_lib_filetrans(gssproxy_t, gssproxy_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+manage_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+manage_sock_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+manage_lnk_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+files_pid_filetrans(gssproxy_t, gssproxy_run_t, { dir file lnk_file sock_file })
+
+kernel_rw_rpc_sysctls(gssproxy_t)
+
+domain_use_interactive_fds(gssproxy_t)
+
+files_read_etc_files(gssproxy_t)
+
+fs_getattr_all_fs(gssproxy_t)
+
+auth_use_nsswitch(gssproxy_t)
+
+dev_read_urand(gssproxy_t)
+
+logging_send_syslog_msg(gssproxy_t)
+
+miscfiles_read_localization(gssproxy_t)
+
+#userdom_read_all_users_keys(gssproxy_t)
+userdom_manage_user_tmp_dirs(gssproxy_t)
+userdom_manage_user_tmp_files(gssproxy_t)
+
+optional_policy(`
+ kerberos_filetrans_named_content(gssproxy_t)
+ kerberos_manage_host_rcache(gssproxy_t)
+ kerberos_read_keytab(gssproxy_t)
+ kerberos_use(gssproxy_t)
+')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-03-30 17:09 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-03-30 17:09 UTC (permalink / raw
To: gentoo-commits
commit: c9989029f0a837b7512f7b076fc5e5db711e1b38
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Mar 30 04:58:28 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 16:50:40 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c9989029
dirmngr: add to roles and allow gpg to domtrans
policy/modules/contrib/dirmngr.if | 69 +++++++++++++++++++++++++++++++++++++++
policy/modules/contrib/gpg.te | 4 +++
2 files changed, 73 insertions(+)
diff --git a/policy/modules/contrib/dirmngr.if b/policy/modules/contrib/dirmngr.if
index 4cd2810e..2f6875a6 100644
--- a/policy/modules/contrib/dirmngr.if
+++ b/policy/modules/contrib/dirmngr.if
@@ -1,5 +1,74 @@
## <summary>Server for managing and downloading certificate revocation lists.</summary>
+############################################################
+## <summary>
+## Role access for dirmngr.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`dirmngr_role',`
+ gen_require(`
+ type dirmngr_t, dirmngr_exec_t;
+ ')
+
+ role $1 types dirmngr_t;
+
+ domtrans_pattern($2, dirmngr_exec_t, dirmngr_t)
+
+ allow $2 dirmngr_t:process { ptrace signal_perms };
+ ps_process_pattern($2, dirmngr_t)
+
+ allow dirmngr_t $2:fd use;
+ allow dirmngr_t $2:fifo_file { read write };
+')
+
+########################################
+## <summary>
+## Execute dirmngr in the dirmngr domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dirmngr_domtrans',`
+ gen_require(`
+ type dirmngr_t, dirmngr_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dirmngr_exec_t, dirmngr_t)
+')
+
+########################################
+## <summary>
+## Execute the dirmngr in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirmngr_exec',`
+ gen_require(`
+ type dirmngr_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, dirmngr_exec_t)
+')
+
########################################
## <summary>
## All of the rules required to
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 4345bd08..160c5f85 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -138,6 +138,10 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ dirmngr_domtrans(gpg_t)
+')
+
+optional_policy(`
evolution_read_orbit_tmp_files(gpg_t)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-03-30 17:09 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-03-30 17:09 UTC (permalink / raw
To: gentoo-commits
commit: ba43f30169ea936eda2acc84c98ff25bbf644efe
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Aug 31 15:03:49 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 16:50:39 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ba43f301
WIP virt: image type perms
policy/modules/contrib/virt.te | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 0f82a04e..5df86d7b 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',`
#
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched };
allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
allow virtd_t self:tcp_socket { accept listen };
@@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
allow virtd_t virt_ptynode:chr_file rw_term_perms;
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
@@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',`
tunable_policy(`virt_use_vfio',`
allow virtd_t self:capability sys_resource;
- allow virtd_t self:process setrlimit;
allow virtd_t svirt_t:process rlimitinh;
dev_relabelfrom_vfio_dev(virtd_t)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-03-30 17:09 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-03-30 17:09 UTC (permalink / raw
To: gentoo-commits
commit: b43c66661ae7ef3ac82af3ea452ce97281d53721
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Aug 13 16:37:55 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 16:50:39 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b43c6666
virt: kernel_read_system_state
policy/modules/contrib/virt.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 3da04ef9..0f82a04e 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
+kernel_read_system_state(virtlockd_t)
+
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
@@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
can_exec(virtlogd_t, virtlogd_exec_t)
+kernel_read_system_state(virtlogd_t)
+
files_read_etc_files(virtlogd_t)
files_list_var_lib(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-04-30 9:40 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-04-30 9:40 UTC (permalink / raw
To: gentoo-commits
commit: 1dfdf221ae0952dfcba50f8380b75150f07c2d8a
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Apr 20 15:07:37 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:16:47 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1dfdf221
rpc_* interfaces should be wrapped by optional_policy()
The rpc module is not a core module. As such, calls towards rpc_*
interfaces should be wrapped with optional_policy().
Changes since v2:
- Wrapped other calls towards rpc_* within apache.te
Changes since v1:
- Fixed wrong quotation mark
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
policy/modules/contrib/apache.te | 30 ++++++++++++++++++------------
1 file changed, 18 insertions(+), 12 deletions(-)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index b418338c..ce6479e8 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -745,10 +745,12 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
fs_exec_fusefs_files(httpd_t)
')
-tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_t)
- rpc_manage_nfs_rw_content(httpd_t)
- rpc_read_nfs_content(httpd_t)
+optional_policy(`
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
')
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
@@ -1070,10 +1072,12 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
fs_exec_fusefs_files(httpd_suexec_t)
')
-tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_suexec_t)
- rpc_manage_nfs_rw_content(httpd_t)
- rpc_read_nfs_content(httpd_t)
+optional_policy(`
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_suexec_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
')
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
@@ -1307,10 +1311,12 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
fs_exec_fusefs_files(httpd_sys_script_t)
')
-tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_sys_script_t)
- rpc_manage_nfs_rw_content(httpd_t)
- rpc_read_nfs_content(httpd_t)
+optional_policy(`
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_sys_script_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
')
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-04-30 9:40 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-04-30 9:40 UTC (permalink / raw
To: gentoo-commits
commit: 4958ff939e10105864acd95b941c9d7e3d380586
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Apr 26 10:25:59 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:21:11 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4958ff93
login take 4 from Russell Coker.
I have used optional sections for dbus and xserver as requested and also
fixed a minor issue of a rule not being in the correct section.
Please merge this.
policy/modules/contrib/dbus.te | 6 ++++++
policy/modules/contrib/gpg.te | 12 ++++++++++++
policy/modules/contrib/policykit.te | 5 +++++
3 files changed, 23 insertions(+)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 579b2230..80ceb9de 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -149,6 +149,12 @@ ifdef(`distro_gentoo',`
')
')
+ifdef(`init_systemd', `
+ # gdm3 causes system_dbusd_t to want this access
+ dev_rw_dri(system_dbusd_t)
+ dev_rw_input_dev(system_dbusd_t)
+')
+
optional_policy(`
# for /run/systemd/users/*
systemd_read_logind_pids(system_dbusd_t)
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 4345bd08..c795f278 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -87,6 +87,7 @@ gpg_stream_connect_agent(gpg_t)
domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
+kernel_read_crypto_sysctls(gpg_t)
kernel_read_sysctl(gpg_t)
# read /proc/cpuinfo
kernel_read_system_state(gpg_t)
@@ -232,6 +233,8 @@ kernel_dontaudit_search_sysctl(gpg_agent_t)
kernel_read_core_if(gpg_agent_t)
kernel_read_system_state(gpg_agent_t)
+auth_use_nsswitch(gpg_agent_t)
+
corecmd_exec_bin(gpg_agent_t)
corecmd_exec_shell(gpg_agent_t)
@@ -272,6 +275,10 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ dbus_system_bus_client(gpg_agent_t)
+')
+
+optional_policy(`
mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
')
@@ -279,6 +286,11 @@ optional_policy(`
pcscd_stream_connect(gpg_agent_t)
')
+optional_policy(`
+ xserver_sigchld_xdm(gpg_agent_t)
+ xserver_read_user_xauth(gpg_agent_t)
+')
+
##############################
#
# Pinentry local policy
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index d7686081..ee6ad3da 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -89,6 +89,7 @@ kernel_read_kernel_sysctls(policykit_t)
kernel_read_system_state(policykit_t)
dev_read_urand(policykit_t)
+dev_read_urand(policykit_t)
domain_read_all_domains_state(policykit_t)
@@ -96,6 +97,8 @@ files_dontaudit_search_all_mountpoints(policykit_t)
fs_getattr_xattr_fs(policykit_t)
fs_list_inotifyfs(policykit_t)
+fs_getattr_tmpfs(policykit_t)
+fs_getattr_cgroup(policykit_t)
auth_use_nsswitch(policykit_t)
@@ -105,6 +108,8 @@ userdom_read_all_users_state(policykit_t)
optional_policy(`
dbus_system_domain(policykit_t, policykit_exec_t)
+ userdom_dbus_send_all_users(policykit_t)
+
optional_policy(`
consolekit_dbus_chat(policykit_t)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-04-30 9:40 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-04-30 9:40 UTC (permalink / raw
To: gentoo-commits
commit: d093fd90125d80dfd122221d69daecd64687d89f
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Thu Apr 20 22:00:36 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:16:47 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d093fd90
openoffice: support starting it from the window manager
This patch allows to start the openoffice suite from the
window manager.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/openoffice.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te
index 148ff232..58845575 100644
--- a/policy/modules/contrib/openoffice.te
+++ b/policy/modules/contrib/openoffice.te
@@ -34,6 +34,10 @@ type ooffice_exec_t;
userdom_user_application_domain(ooffice_t, ooffice_exec_t)
role ooffice_roles types ooffice_t;
+optional_policy(`
+ wm_application_domain(ooffice_t, ooffice_exec_t)
+')
+
type ooffice_home_t;
userdom_user_home_content(ooffice_home_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-04-30 9:40 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-04-30 9:40 UTC (permalink / raw
To: gentoo-commits
commit: a8cb4e80579cdaa70d22c79eab1c8fe6e89cd2b7
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Apr 26 10:35:47 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:21:11 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a8cb4e80
Rename apm to acpi from Russell Coker.
This patch is slightly more involved than just running sed. It also adds
typealias rules and doesn't change the FC entries.
The /dev/apm_bios device doesn't exist on modern systems. I have left that
policy in for the moment on the principle of making one change per patch. But
I might send another patch to remove that as it won't exist with modern
kernels.
policy/modules/contrib/acpi.fc | 21 +++
policy/modules/contrib/{apm.if => acpi.if} | 70 ++++----
policy/modules/contrib/acpi.te | 247 +++++++++++++++++++++++++++++
policy/modules/contrib/apm.fc | 21 ---
policy/modules/contrib/apm.te | 236 ---------------------------
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/hal.te | 2 +-
7 files changed, 305 insertions(+), 294 deletions(-)
diff --git a/policy/modules/contrib/acpi.fc b/policy/modules/contrib/acpi.fc
new file mode 100644
index 00000000..bfbe255b
--- /dev/null
+++ b/policy/modules/contrib/acpi.fc
@@ -0,0 +1,21 @@
+/etc/rc\.d/init\.d/acpid -- gen_context(system_u:object_r:acpid_initrc_exec_t,s0)
+
+/usr/bin/apm -- gen_context(system_u:object_r:acpi_exec_t,s0)
+
+/usr/lib/systemd/system/apmd.*\.service -- gen_context(system_u:object_r:acpid_unit_t,s0)
+
+/usr/sbin/acpid -- gen_context(system_u:object_r:acpid_exec_t,s0)
+/usr/sbin/apmd -- gen_context(system_u:object_r:acpid_exec_t,s0)
+/usr/sbin/powersaved -- gen_context(system_u:object_r:acpid_exec_t,s0)
+
+/var/lock/subsys/acpid -- gen_context(system_u:object_r:acpid_lock_t,s0)
+
+/var/log/acpid.* -- gen_context(system_u:object_r:acpid_log_t,s0)
+
+/run/\.?acpid\.socket -s gen_context(system_u:object_r:acpid_var_run_t,s0)
+/run/acpid\.pid -- gen_context(system_u:object_r:acpid_var_run_t,s0)
+/run/apmd\.pid -- gen_context(system_u:object_r:acpid_var_run_t,s0)
+/run/powersaved\.pid -- gen_context(system_u:object_r:acpid_var_run_t,s0)
+/run/powersave_socket -s gen_context(system_u:object_r:acpid_var_run_t,s0)
+
+/var/lib/acpi(/.*)? gen_context(system_u:object_r:acpid_var_lib_t,s0)
diff --git a/policy/modules/contrib/apm.if b/policy/modules/contrib/acpi.if
similarity index 65%
rename from policy/modules/contrib/apm.if
rename to policy/modules/contrib/acpi.if
index cbf60b55..109b644e 100644
--- a/policy/modules/contrib/apm.if
+++ b/policy/modules/contrib/acpi.if
@@ -10,13 +10,13 @@
## </summary>
## </param>
#
-interface(`apm_domtrans_client',`
+interface(`acpi_domtrans_client',`
gen_require(`
- type apm_t, apm_exec_t;
+ type acpi_t, acpi_exec_t;
')
corecmd_search_bin($1)
- domtrans_pattern($1, apm_exec_t, apm_t)
+ domtrans_pattern($1, acpi_exec_t, acpi_t)
')
########################################
@@ -36,13 +36,13 @@ interface(`apm_domtrans_client',`
## </summary>
## </param>
#
-interface(`apm_run_client',`
+interface(`acpi_run_client',`
gen_require(`
- attribute_role apm_roles;
+ attribute_role acpi_roles;
')
- apm_domtrans_client($1)
- roleattribute $2 apm_roles;
+ acpi_domtrans_client($1)
+ roleattribute $2 acpi_roles;
')
########################################
@@ -55,12 +55,12 @@ interface(`apm_run_client',`
## </summary>
## </param>
#
-interface(`apm_use_fds',`
+interface(`acpi_use_fds',`
gen_require(`
- type apmd_t;
+ type acpid_t;
')
- allow $1 apmd_t:fd use;
+ allow $1 acpid_t:fd use;
')
########################################
@@ -73,12 +73,12 @@ interface(`apm_use_fds',`
## </summary>
## </param>
#
-interface(`apm_write_pipes',`
+interface(`acpi_write_pipes',`
gen_require(`
- type apmd_t;
+ type acpid_t;
')
- allow $1 apmd_t:fifo_file write;
+ allow $1 acpid_t:fifo_file write;
')
########################################
@@ -92,12 +92,12 @@ interface(`apm_write_pipes',`
## </summary>
## </param>
#
-interface(`apm_rw_stream_sockets',`
+interface(`acpi_rw_stream_sockets',`
gen_require(`
- type apmd_t;
+ type acpid_t;
')
- allow $1 apmd_t:unix_stream_socket { read write };
+ allow $1 acpid_t:unix_stream_socket { read write };
')
########################################
@@ -110,13 +110,13 @@ interface(`apm_rw_stream_sockets',`
## </summary>
## </param>
#
-interface(`apm_append_log',`
+interface(`acpi_append_log',`
gen_require(`
- type apmd_log_t;
+ type acpid_log_t;
')
logging_search_logs($1)
- allow $1 apmd_log_t:file append_file_perms;
+ allow $1 acpid_log_t:file append_file_perms;
')
########################################
@@ -130,13 +130,13 @@ interface(`apm_append_log',`
## </summary>
## </param>
#
-interface(`apm_stream_connect',`
+interface(`acpi_stream_connect',`
gen_require(`
- type apmd_t, apmd_var_run_t;
+ type acpid_t, acpid_var_run_t;
')
files_search_pids($1)
- stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
+ stream_connect_pattern($1, acpid_var_run_t, acpid_var_run_t, acpid_t)
')
########################################
@@ -156,32 +156,32 @@ interface(`apm_stream_connect',`
## </param>
## <rolecap/>
#
-interface(`apm_admin',`
+interface(`acpi_admin',`
gen_require(`
- type apmd_t, apmd_initrc_exec_t, apmd_log_t;
- type apmd_lock_t, apmd_var_run_t, apmd_var_lib_t;
- type apmd_tmp_t;
+ type acpid_t, acpid_initrc_exec_t, acpid_log_t;
+ type acpid_lock_t, acpid_var_run_t, acpid_var_lib_t;
+ type acpid_tmp_t;
')
- allow $1 apmd_t:process { ptrace signal_perms };
- ps_process_pattern($1, apmd_t)
+ allow $1 acpid_t:process { ptrace signal_perms };
+ ps_process_pattern($1, acpid_t)
- init_startstop_service($1, $2, apmd_t, apmd_initrc_exec_t)
+ init_startstop_service($1, $2, acpid_t, acpid_initrc_exec_t)
logging_search_logs($1)
- admin_pattern($1, apmd_log_t)
+ admin_pattern($1, acpid_log_t)
files_search_locks($1)
- admin_pattern($1, apmd_lock_t)
+ admin_pattern($1, acpid_lock_t)
files_search_pids($1)
- admin_pattern($1, apmd_var_run_t)
+ admin_pattern($1, acpid_var_run_t)
files_search_var_lib($1)
- admin_pattern($1, apmd_var_lib_t)
+ admin_pattern($1, acpid_var_lib_t)
files_search_tmp($1)
- admin_pattern($1, apmd_tmp_t)
+ admin_pattern($1, acpid_tmp_t)
- apm_run_client($1, $2)
+ acpi_run_client($1, $2)
')
diff --git a/policy/modules/contrib/acpi.te b/policy/modules/contrib/acpi.te
new file mode 100644
index 00000000..0cd3d884
--- /dev/null
+++ b/policy/modules/contrib/acpi.te
@@ -0,0 +1,247 @@
+policy_module(acpi, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role acpi_roles;
+roleattribute system_r acpi_roles;
+
+type acpid_t;
+type acpid_exec_t;
+typealias acpid_t alias apmd_t;
+typealias acpid_exec_t alias apmd_exec_t;
+init_daemon_domain(acpid_t, acpid_exec_t)
+
+type acpid_initrc_exec_t;
+typealias acpid_initrc_exec_t alias apmd_initrc_exec_t;
+init_script_file(acpid_initrc_exec_t)
+
+type acpi_t;
+type acpi_exec_t;
+typealias acpi_t alias apm_t;
+typealias acpi_exec_t alias apm_exec_t;
+application_domain(acpi_t, acpi_exec_t)
+role acpi_roles types acpi_t;
+
+type acpid_lock_t;
+typealias acpid_lock_t alias apmd_lock_t;
+files_lock_file(acpid_lock_t)
+
+type acpid_log_t;
+typealias acpid_log_t alias apmd_log_t;
+logging_log_file(acpid_log_t)
+
+type acpid_tmp_t;
+typealias acpid_tmp_t alias apmd_tmp_t;
+files_tmp_file(acpid_tmp_t)
+
+type acpid_unit_t;
+typealias acpid_unit_t alias apmd_unit_t;
+init_unit_file(acpid_unit_t)
+
+type acpid_var_lib_t;
+typealias acpid_var_lib_t alias apmd_var_lib_t;
+files_type(acpid_var_lib_t)
+
+type acpid_var_run_t;
+typealias acpid_var_run_t alias apmd_var_run_t;
+files_pid_file(acpid_var_run_t)
+
+########################################
+#
+# Client local policy
+#
+
+allow acpi_t self:capability { dac_override sys_admin };
+
+kernel_read_system_state(acpi_t)
+
+dev_rw_acpi_bios(acpi_t)
+
+fs_getattr_xattr_fs(acpi_t)
+
+term_use_all_terms(acpi_t)
+
+domain_use_interactive_fds(acpi_t)
+
+logging_send_syslog_msg(acpi_t)
+
+########################################
+#
+# Server local policy
+#
+
+allow acpid_t self:capability { kill mknod sys_admin sys_nice sys_time };
+dontaudit acpid_t self:capability { dac_override dac_read_search setuid sys_ptrace sys_tty_config };
+allow acpid_t self:process { signal_perms getsession };
+allow acpid_t self:fifo_file rw_fifo_file_perms;
+allow acpid_t self:netlink_socket create_socket_perms;
+allow acpid_t self:netlink_generic_socket create_socket_perms;
+allow acpid_t self:unix_stream_socket { accept listen };
+
+allow acpid_t acpid_lock_t:file manage_file_perms;
+files_lock_filetrans(acpid_t, acpid_lock_t, file)
+
+allow acpid_t acpid_log_t:file manage_file_perms;
+logging_log_filetrans(acpid_t, acpid_log_t, file)
+
+manage_dirs_pattern(acpid_t, acpid_tmp_t, acpid_tmp_t)
+manage_files_pattern(acpid_t, acpid_tmp_t, acpid_tmp_t)
+files_tmp_filetrans(acpid_t, acpid_tmp_t, { file dir })
+
+manage_dirs_pattern(acpid_t, acpid_var_lib_t, acpid_var_lib_t)
+manage_files_pattern(acpid_t, acpid_var_lib_t, acpid_var_lib_t)
+files_var_lib_filetrans(acpid_t, acpid_var_lib_t, dir)
+
+manage_files_pattern(acpid_t, acpid_var_run_t, acpid_var_run_t)
+manage_sock_files_pattern(acpid_t, acpid_var_run_t, acpid_var_run_t)
+files_pid_filetrans(acpid_t, acpid_var_run_t, { file sock_file })
+
+can_exec(acpid_t, acpid_var_run_t)
+
+kernel_read_kernel_sysctls(acpid_t)
+kernel_rw_all_sysctls(acpid_t)
+kernel_read_system_state(acpid_t)
+kernel_write_proc_files(acpid_t)
+kernel_request_load_module(acpid_t)
+
+dev_read_input(acpid_t)
+dev_read_mouse(acpid_t)
+dev_read_realtime_clock(acpid_t)
+dev_read_urand(acpid_t)
+dev_rw_acpi_bios(acpid_t)
+dev_rw_sysfs(acpid_t)
+dev_dontaudit_getattr_all_chr_files(acpid_t)
+dev_dontaudit_getattr_all_blk_files(acpid_t)
+
+files_exec_etc_files(acpid_t)
+files_read_etc_runtime_files(acpid_t)
+files_dontaudit_getattr_all_files(acpid_t)
+files_dontaudit_getattr_all_symlinks(acpid_t)
+files_dontaudit_getattr_all_pipes(acpid_t)
+files_dontaudit_getattr_all_sockets(acpid_t)
+
+fs_dontaudit_list_tmpfs(acpid_t)
+fs_getattr_all_fs(acpid_t)
+fs_search_auto_mountpoints(acpid_t)
+fs_dontaudit_getattr_all_files(acpid_t)
+fs_dontaudit_getattr_all_symlinks(acpid_t)
+fs_dontaudit_getattr_all_pipes(acpid_t)
+fs_dontaudit_getattr_all_sockets(acpid_t)
+
+selinux_search_fs(acpid_t)
+
+corecmd_exec_all_executables(acpid_t)
+
+domain_read_all_domains_state(acpid_t)
+domain_dontaudit_ptrace_all_domains(acpid_t)
+domain_use_interactive_fds(acpid_t)
+domain_dontaudit_getattr_all_sockets(acpid_t)
+domain_dontaudit_getattr_all_key_sockets(acpid_t)
+domain_dontaudit_list_all_domains_state(acpid_t)
+
+auth_use_nsswitch(acpid_t)
+
+init_domtrans_script(acpid_t)
+
+libs_exec_ld_so(acpid_t)
+libs_exec_lib_files(acpid_t)
+
+logging_send_audit_msgs(acpid_t)
+logging_send_syslog_msg(acpid_t)
+
+miscfiles_read_localization(acpid_t)
+miscfiles_read_hwdata(acpid_t)
+
+modutils_domtrans(acpid_t)
+modutils_read_module_config(acpid_t)
+
+seutil_dontaudit_read_config(acpid_t)
+
+userdom_dontaudit_use_unpriv_user_fds(acpid_t)
+userdom_dontaudit_search_user_home_dirs(acpid_t)
+userdom_dontaudit_search_user_home_content(acpid_t)
+
+optional_policy(`
+ automount_domtrans(acpid_t)
+')
+
+optional_policy(`
+ clock_domtrans(acpid_t)
+ clock_rw_adjtime(acpid_t)
+')
+
+optional_policy(`
+ cron_system_entry(acpid_t, acpid_exec_t)
+ cron_anacron_domtrans_system_job(acpid_t)
+')
+
+optional_policy(`
+ devicekit_manage_pid_files(acpid_t)
+ devicekit_manage_log_files(acpid_t)
+ devicekit_relabel_log_files(acpid_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(acpid_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(acpid_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(acpid_t)
+ ')
+')
+
+optional_policy(`
+ fstools_domtrans(acpid_t)
+')
+
+optional_policy(`
+ iptables_domtrans(acpid_t)
+')
+
+optional_policy(`
+ logrotate_use_fds(acpid_t)
+')
+
+optional_policy(`
+ mta_send_mail(acpid_t)
+')
+
+optional_policy(`
+ netutils_domtrans(acpid_t)
+')
+
+optional_policy(`
+ pcmcia_domtrans_cardmgr(acpid_t)
+ pcmcia_domtrans_cardctl(acpid_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(acpid_t)
+')
+
+optional_policy(`
+ shutdown_domtrans(acpid_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_ifconfig(acpid_t)
+')
+
+optional_policy(`
+ udev_read_db(acpid_t)
+ udev_read_state(acpid_t)
+')
+
+optional_policy(`
+ vbetool_domtrans(acpid_t)
+')
+
+optional_policy(`
+ xserver_domtrans(acpid_t)
+')
diff --git a/policy/modules/contrib/apm.fc b/policy/modules/contrib/apm.fc
deleted file mode 100644
index bfa60ae0..00000000
--- a/policy/modules/contrib/apm.fc
+++ /dev/null
@@ -1,21 +0,0 @@
-/etc/rc\.d/init\.d/acpid -- gen_context(system_u:object_r:apmd_initrc_exec_t,s0)
-
-/usr/bin/apm -- gen_context(system_u:object_r:apm_exec_t,s0)
-
-/usr/lib/systemd/system/apmd.*\.service -- gen_context(system_u:object_r:apmd_unit_t,s0)
-
-/usr/sbin/acpid -- gen_context(system_u:object_r:apmd_exec_t,s0)
-/usr/sbin/apmd -- gen_context(system_u:object_r:apmd_exec_t,s0)
-/usr/sbin/powersaved -- gen_context(system_u:object_r:apmd_exec_t,s0)
-
-/var/lock/subsys/acpid -- gen_context(system_u:object_r:apmd_lock_t,s0)
-
-/var/log/acpid.* -- gen_context(system_u:object_r:apmd_log_t,s0)
-
-/run/\.?acpid\.socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
-/run/acpid\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
-/run/apmd\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
-/run/powersaved\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
-/run/powersave_socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
-
-/var/lib/acpi(/.*)? gen_context(system_u:object_r:apmd_var_lib_t,s0)
diff --git a/policy/modules/contrib/apm.te b/policy/modules/contrib/apm.te
deleted file mode 100644
index 7f41a450..00000000
--- a/policy/modules/contrib/apm.te
+++ /dev/null
@@ -1,236 +0,0 @@
-policy_module(apm, 1.16.1)
-
-########################################
-#
-# Declarations
-#
-
-attribute_role apm_roles;
-roleattribute system_r apm_roles;
-
-type apmd_t;
-type apmd_exec_t;
-init_daemon_domain(apmd_t, apmd_exec_t)
-
-type apmd_initrc_exec_t;
-init_script_file(apmd_initrc_exec_t)
-
-type apm_t;
-type apm_exec_t;
-application_domain(apm_t, apm_exec_t)
-role apm_roles types apm_t;
-
-type apmd_lock_t;
-files_lock_file(apmd_lock_t)
-
-type apmd_log_t;
-logging_log_file(apmd_log_t)
-
-type apmd_tmp_t;
-files_tmp_file(apmd_tmp_t)
-
-type apmd_unit_t;
-init_unit_file(apmd_unit_t)
-
-type apmd_var_lib_t;
-files_type(apmd_var_lib_t)
-
-type apmd_var_run_t;
-files_pid_file(apmd_var_run_t)
-
-########################################
-#
-# Client local policy
-#
-
-allow apm_t self:capability { dac_override sys_admin };
-
-kernel_read_system_state(apm_t)
-
-dev_rw_apm_bios(apm_t)
-
-fs_getattr_xattr_fs(apm_t)
-
-term_use_all_terms(apm_t)
-
-domain_use_interactive_fds(apm_t)
-
-logging_send_syslog_msg(apm_t)
-
-########################################
-#
-# Server local policy
-#
-
-allow apmd_t self:capability { kill mknod sys_admin sys_nice sys_time };
-dontaudit apmd_t self:capability { dac_override dac_read_search setuid sys_ptrace sys_tty_config };
-allow apmd_t self:process { signal_perms getsession };
-allow apmd_t self:fifo_file rw_fifo_file_perms;
-allow apmd_t self:netlink_socket create_socket_perms;
-allow apmd_t self:netlink_generic_socket create_socket_perms;
-allow apmd_t self:unix_stream_socket { accept listen };
-
-allow apmd_t apmd_lock_t:file manage_file_perms;
-files_lock_filetrans(apmd_t, apmd_lock_t, file)
-
-allow apmd_t apmd_log_t:file manage_file_perms;
-logging_log_filetrans(apmd_t, apmd_log_t, file)
-
-manage_dirs_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t)
-manage_files_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t)
-files_tmp_filetrans(apmd_t, apmd_tmp_t, { file dir })
-
-manage_dirs_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t)
-manage_files_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t)
-files_var_lib_filetrans(apmd_t, apmd_var_lib_t, dir)
-
-manage_files_pattern(apmd_t, apmd_var_run_t, apmd_var_run_t)
-manage_sock_files_pattern(apmd_t, apmd_var_run_t, apmd_var_run_t)
-files_pid_filetrans(apmd_t, apmd_var_run_t, { file sock_file })
-
-can_exec(apmd_t, apmd_var_run_t)
-
-kernel_read_kernel_sysctls(apmd_t)
-kernel_rw_all_sysctls(apmd_t)
-kernel_read_system_state(apmd_t)
-kernel_write_proc_files(apmd_t)
-kernel_request_load_module(apmd_t)
-
-dev_read_input(apmd_t)
-dev_read_mouse(apmd_t)
-dev_read_realtime_clock(apmd_t)
-dev_read_urand(apmd_t)
-dev_rw_apm_bios(apmd_t)
-dev_rw_sysfs(apmd_t)
-dev_dontaudit_getattr_all_chr_files(apmd_t)
-dev_dontaudit_getattr_all_blk_files(apmd_t)
-
-files_exec_etc_files(apmd_t)
-files_read_etc_runtime_files(apmd_t)
-files_dontaudit_getattr_all_files(apmd_t)
-files_dontaudit_getattr_all_symlinks(apmd_t)
-files_dontaudit_getattr_all_pipes(apmd_t)
-files_dontaudit_getattr_all_sockets(apmd_t)
-
-fs_dontaudit_list_tmpfs(apmd_t)
-fs_getattr_all_fs(apmd_t)
-fs_search_auto_mountpoints(apmd_t)
-fs_dontaudit_getattr_all_files(apmd_t)
-fs_dontaudit_getattr_all_symlinks(apmd_t)
-fs_dontaudit_getattr_all_pipes(apmd_t)
-fs_dontaudit_getattr_all_sockets(apmd_t)
-
-selinux_search_fs(apmd_t)
-
-corecmd_exec_all_executables(apmd_t)
-
-domain_read_all_domains_state(apmd_t)
-domain_dontaudit_ptrace_all_domains(apmd_t)
-domain_use_interactive_fds(apmd_t)
-domain_dontaudit_getattr_all_sockets(apmd_t)
-domain_dontaudit_getattr_all_key_sockets(apmd_t)
-domain_dontaudit_list_all_domains_state(apmd_t)
-
-auth_use_nsswitch(apmd_t)
-
-init_domtrans_script(apmd_t)
-
-libs_exec_ld_so(apmd_t)
-libs_exec_lib_files(apmd_t)
-
-logging_send_audit_msgs(apmd_t)
-logging_send_syslog_msg(apmd_t)
-
-miscfiles_read_localization(apmd_t)
-miscfiles_read_hwdata(apmd_t)
-
-modutils_domtrans(apmd_t)
-modutils_read_module_config(apmd_t)
-
-seutil_dontaudit_read_config(apmd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(apmd_t)
-userdom_dontaudit_search_user_home_dirs(apmd_t)
-userdom_dontaudit_search_user_home_content(apmd_t)
-
-optional_policy(`
- automount_domtrans(apmd_t)
-')
-
-optional_policy(`
- clock_domtrans(apmd_t)
- clock_rw_adjtime(apmd_t)
-')
-
-optional_policy(`
- cron_system_entry(apmd_t, apmd_exec_t)
- cron_anacron_domtrans_system_job(apmd_t)
-')
-
-optional_policy(`
- devicekit_manage_pid_files(apmd_t)
- devicekit_manage_log_files(apmd_t)
- devicekit_relabel_log_files(apmd_t)
-')
-
-optional_policy(`
- dbus_system_bus_client(apmd_t)
-
- optional_policy(`
- consolekit_dbus_chat(apmd_t)
- ')
-
- optional_policy(`
- networkmanager_dbus_chat(apmd_t)
- ')
-')
-
-optional_policy(`
- fstools_domtrans(apmd_t)
-')
-
-optional_policy(`
- iptables_domtrans(apmd_t)
-')
-
-optional_policy(`
- logrotate_use_fds(apmd_t)
-')
-
-optional_policy(`
- mta_send_mail(apmd_t)
-')
-
-optional_policy(`
- netutils_domtrans(apmd_t)
-')
-
-optional_policy(`
- pcmcia_domtrans_cardmgr(apmd_t)
- pcmcia_domtrans_cardctl(apmd_t)
-')
-
-optional_policy(`
- seutil_sigchld_newrole(apmd_t)
-')
-
-optional_policy(`
- shutdown_domtrans(apmd_t)
-')
-
-optional_policy(`
- sysnet_domtrans_ifconfig(apmd_t)
-')
-
-optional_policy(`
- udev_read_db(apmd_t)
- udev_read_state(apmd_t)
-')
-
-optional_policy(`
- vbetool_domtrans(apmd_t)
-')
-
-optional_policy(`
- xserver_domtrans(apmd_t)
-')
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 8fdd713f..3a6c0b92 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -273,7 +273,7 @@ userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
userdom_dontaudit_search_user_home_content(cupsd_t)
optional_policy(`
- apm_domtrans_client(cupsd_t)
+ acpi_domtrans_client(cupsd_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te
index d260d697..29b473e7 100644
--- a/policy/modules/contrib/hal.te
+++ b/policy/modules/contrib/hal.te
@@ -221,7 +221,7 @@ optional_policy(`
')
optional_policy(`
- apm_stream_connect(hald_t)
+ acpi_stream_connect(hald_t)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-04-30 9:40 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-04-30 9:40 UTC (permalink / raw
To: gentoo-commits
commit: 007a597180bcd449f400cb15130deca3dae61738
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Wed Apr 19 13:37:16 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:16:47 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=007a5971
Gnome and Evolution dbus chat permissions
This patch adds assorted permission to chat over dbus needed
for the correct functioning of Gnome and Evolution.
The second version, simply removes an extra "#" prefix from
the comments.
This third version, rebases the patch so that it applies to
the most recent git tree (thanks to Christopher PeBenito and
Russell Coker for pointing that out).
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/evolution.te | 4 ++++
policy/modules/contrib/gnome.if | 37 +++++++++++++++++++++++++++++++++++++
2 files changed, 41 insertions(+)
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index bd1647f2..579c21a6 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -345,6 +345,10 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
dbus_all_session_bus_client(evolution_alarm_t)
dbus_connect_all_session_bus(evolution_alarm_t)
+
+ optional_policy(`
+ evolution_dbus_chat(evolution_alarm_t)
+ ')
')
optional_policy(`
diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if
index 7ea2cf40..ce436cfd 100644
--- a/policy/modules/contrib/gnome.if
+++ b/policy/modules/contrib/gnome.if
@@ -112,8 +112,17 @@ template(`gnome_role_template',`
dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t)
optional_policy(`
+ evolution_dbus_chat($1_gkeyringd_t)
+ ')
+
+ optional_policy(`
+ gnome_dbus_chat_gconfd($3)
gnome_dbus_chat_gkeyringd($1, $3)
')
+
+ optional_policy(`
+ wm_dbus_chat($1, $1_gkeyringd_t)
+ ')
')
ifdef(`distro_gentoo',`
@@ -690,6 +699,34 @@ interface(`gnome_read_keyring_home_files',`
########################################
## <summary>
## Send and receive messages from
+## gnome configuration daemon over
+## dbus.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_dbus_chat_gconfd',`
+ gen_require(`
+ type gconfd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 gconfd_t:dbus send_msg;
+ allow gconfd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
## gnome keyring daemon over dbus.
## </summary>
## <param name="role_prefix">
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2017-04-30 9:32 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-04-30 9:40 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-04-30 9:40 UTC (permalink / raw
To: gentoo-commits
commit: 13817b67f3d881a22778a8f4e97763cc83237df0
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Apr 21 00:19:38 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:16:47 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=13817b67
Module version bump for changes from Sven Vermeulen and Guido Trentalancia.
policy/modules/contrib/apache.te | 2 +-
policy/modules/contrib/openoffice.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 9593175b..e69a6c9a 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.12.4)
+policy_module(apache, 2.12.5)
########################################
#
diff --git a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te
index 58845575..0be66b6f 100644
--- a/policy/modules/contrib/openoffice.te
+++ b/policy/modules/contrib/openoffice.te
@@ -1,4 +1,4 @@
-policy_module(openoffice, 1.1.0)
+policy_module(openoffice, 1.1.1)
##############################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-04-30 9:40 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-04-30 9:40 UTC (permalink / raw
To: gentoo-commits
commit: 99a1aee5df78c8da42caa7bf1df6bc8110898f81
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Apr 21 00:19:13 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:16:47 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=99a1aee5
apache: Move blocks. No rule changes.
policy/modules/contrib/apache.te | 58 +++++++++++++++++++---------------------
1 file changed, 28 insertions(+), 30 deletions(-)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index ce6479e8..9593175b 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -745,14 +745,6 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
fs_exec_fusefs_files(httpd_t)
')
-optional_policy(`
- tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_t)
- rpc_manage_nfs_rw_content(httpd_t)
- rpc_read_nfs_content(httpd_t)
- ')
-')
-
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
fs_exec_nfs_files(httpd_t)
')
@@ -877,6 +869,12 @@ optional_policy(`
optional_policy(`
rpc_search_nfs_state_data(httpd_t)
+
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
')
optional_policy(`
@@ -1016,6 +1014,10 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',`
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
')
+tunable_policy(`httpd_enable_homedirs',`
+ userdom_search_user_home_dirs(httpd_suexec_t)
+')
+
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_list_auto_mountpoints(httpd_suexec_t)
fs_read_cifs_files(httpd_suexec_t)
@@ -1040,6 +1042,10 @@ tunable_policy(`httpd_execmem',`
allow httpd_suexec_t self:process { execmem execstack };
')
+tunable_policy(`httpd_read_user_content',`
+ userdom_read_user_home_content_files(httpd_suexec_t)
+')
+
tunable_policy(`httpd_tmp_exec',`
can_exec(httpd_suexec_t, httpd_suexec_tmp_t)
')
@@ -1072,14 +1078,6 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
fs_exec_fusefs_files(httpd_suexec_t)
')
-optional_policy(`
- tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_suexec_t)
- rpc_manage_nfs_rw_content(httpd_t)
- rpc_read_nfs_content(httpd_t)
- ')
-')
-
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
fs_exec_nfs_files(httpd_suexec_t)
')
@@ -1106,12 +1104,12 @@ optional_policy(`
')
')
-tunable_policy(`httpd_read_user_content',`
- userdom_read_user_home_content_files(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_enable_homedirs',`
- userdom_search_user_home_dirs(httpd_suexec_t)
+optional_policy(`
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_suexec_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
')
########################################
@@ -1311,14 +1309,6 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
fs_exec_fusefs_files(httpd_sys_script_t)
')
-optional_policy(`
- tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_sys_script_t)
- rpc_manage_nfs_rw_content(httpd_t)
- rpc_read_nfs_content(httpd_t)
- ')
-')
-
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
fs_exec_nfs_files(httpd_sys_script_t)
')
@@ -1331,6 +1321,14 @@ optional_policy(`
postgresql_unpriv_client(httpd_sys_script_t)
')
+optional_policy(`
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_sys_script_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
+')
+
########################################
#
# Rotatelogs local policy
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2017-04-30 9:32 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-04-30 9:40 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-04-30 9:40 UTC (permalink / raw
To: gentoo-commits
commit: 2533ba81a266408dc2e9f9c271e7568709c73b48
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Apr 19 01:34:54 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:12:52 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2533ba81
some userdomain patches from Russell Coker
Added mono_run for unconfined and also xserver_role and allow it to dbus
chat with xdm.
Allow sysadm_t to read kmsg.
Allow user domains to dbus chat with kerneloops for the kerneloops desktop
gui. Also allow them to chat with devicekit disk and power daemons.
Allow gconfd_t to read /var/lib/gconf/defaults and /proc/filesystems
policy/modules/contrib/gnome.te | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index f69c10ba..25fe44da 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.7.0)
+policy_module(gnome, 2.7.1)
##############################
#
@@ -91,6 +91,12 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
+# for /proc/filesystems
+kernel_read_system_state(gconfd_t)
+
+# for /var/lib/gconf/defaults
+files_read_var_lib_files(gconfd_t)
+
userdom_manage_user_tmp_dirs(gconfd_t)
userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2017-04-30 9:32 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-04-30 9:40 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-04-30 9:40 UTC (permalink / raw
To: gentoo-commits
commit: a70ac72ccb9f4e12e93648defadbe3f0c87e3993
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Apr 20 23:18:48 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:16:47 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a70ac72c
Module version bump for gnome fix from Guido Trentalancia.
policy/modules/contrib/evolution.te | 2 +-
policy/modules/contrib/gnome.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index 579c21a6..bf456df4 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -1,4 +1,4 @@
-policy_module(evolution, 2.6.1)
+policy_module(evolution, 2.6.2)
########################################
#
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index 25fe44da..1b53cb4f 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.7.1)
+policy_module(gnome, 2.7.2)
##############################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-04-30 9:40 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-04-30 9:40 UTC (permalink / raw
To: gentoo-commits
commit: 4028862f0d420c5beed9c6e7fb9887a7805dce26
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Aug 11 05:49:02 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:31:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4028862f
virt: need to relabel to set categories
libvirtError: unable to set security context
'system_u:object_r:svirt_image_t:s0:c50,c346' on
'/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied
policy/modules/contrib/virt.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 42e68a29..3da04ef9 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
allow virtd_t virtd_keytab_t:file read_file_perms;
allow virtd_t svirt_var_run_t:file relabel_file_perms;
+allow virtd_t svirt_var_run_t:dir relabel_dir_perms;
manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-04-30 9:40 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-04-30 9:40 UTC (permalink / raw
To: gentoo-commits
commit: 7322c4d5d862125810e0772343c5870ea5c6cee5
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Feb 15 17:15:58 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:31:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7322c4d5
kerberos: Introduce kerberos_filetrans_named_content interface
policy/modules/contrib/kerberos.if | 37 +++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if
index 01caeead..d9d5811f 100644
--- a/policy/modules/contrib/kerberos.if
+++ b/policy/modules/contrib/kerberos.if
@@ -466,6 +466,43 @@ interface(`kerberos_connect_524',`
########################################
## <summary>
+## Transition to kerberos named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_filetrans_named_content',`
+ gen_require(`
+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+ type krb5kdc_principal_t;
+ ')
+
+ files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
+ #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
+
+ kerberos_etc_filetrans_keytab($1, file, "krb5.keytab")
+ #kerberos_filetrans_admin_home_content($1)
+
+ kerberos_tmp_filetrans_host_rcache($1, file, "DNS_25")
+ kerberos_tmp_filetrans_host_rcache($1, file, "host_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23")
+ kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48")
+ kerberos_tmp_filetrans_host_rcache($1, file, "imap_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487")
+ kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55")
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an kerberos environment.
## </summary>
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-04-30 9:40 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-04-30 9:40 UTC (permalink / raw
To: gentoo-commits
commit: e368d3f63f74686ff708251d692666b8bb2a9376
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Mar 30 07:15:39 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:31:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e368d3f6
gssproxy: add policy
borrowed and modified from Fedora
policy/modules/contrib/gssproxy.fc | 8 ++
policy/modules/contrib/gssproxy.if | 199 +++++++++++++++++++++++++++++++++++++
policy/modules/contrib/gssproxy.te | 67 +++++++++++++
3 files changed, 274 insertions(+)
diff --git a/policy/modules/contrib/gssproxy.fc b/policy/modules/contrib/gssproxy.fc
new file mode 100644
index 00000000..a9970159
--- /dev/null
+++ b/policy/modules/contrib/gssproxy.fc
@@ -0,0 +1,8 @@
+/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_t,s0)
+
+/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0)
+
+/var/lib/gssproxy(/.*)? gen_context(system_u:object_r:gssproxy_var_lib_t,s0)
+
+/run/gssproxy\.pid -- gen_context(system_u:object_r:gssproxy_run_t,s0)
+/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_run_t,s0)
diff --git a/policy/modules/contrib/gssproxy.if b/policy/modules/contrib/gssproxy.if
new file mode 100644
index 00000000..cebdb20b
--- /dev/null
+++ b/policy/modules/contrib/gssproxy.if
@@ -0,0 +1,199 @@
+
+## <summary>policy for gssproxy</summary>
+
+########################################
+## <summary>
+## Execute gssproxy in the gssproxy domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gssproxy_domtrans',`
+ gen_require(`
+ type gssproxy_t, gssproxy_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, gssproxy_exec_t, gssproxy_t)
+')
+
+########################################
+## <summary>
+## Search gssproxy lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_search_lib',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ allow $1 gssproxy_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read gssproxy lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_read_lib_files',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage gssproxy lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_manage_lib_files',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage gssproxy lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_manage_lib_dirs',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read gssproxy PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_read_pid_files',`
+ gen_require(`
+ type gssproxy_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, gssproxy_run_t, gssproxy_run_t)
+')
+
+########################################
+## <summary>
+## Execute gssproxy server in the gssproxy domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gssproxy_systemctl',`
+ gen_require(`
+ type gssproxy_t;
+ type gssproxy_unit_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 gssproxy_unit_t:file read_file_perms;
+ allow $1 gssproxy_unit_t:service manage_service_perms;
+
+ ps_process_pattern($1, gssproxy_t)
+')
+
+########################################
+## <summary>
+## Connect to gssproxy over an unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_stream_connect',`
+ gen_require(`
+ type gssproxy_t, gssproxy_run_t, gssproxy_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, gssproxy_run_t, gssproxy_run_t, gssproxy_t)
+ stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an gssproxy environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`gssproxy_admin',`
+ gen_require(`
+ type gssproxy_t;
+ type gssproxy_var_lib_t;
+ type gssproxy_run_t;
+ type gssproxy_unit_t;
+ ')
+
+ allow $1 gssproxy_t:process { ptrace signal_perms };
+ ps_process_pattern($1, gssproxy_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, gssproxy_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, gssproxy_run_t)
+
+ gssproxy_systemctl($1)
+ admin_pattern($1, gssproxy_unit_t)
+ allow $1 gssproxy_unit_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/policy/modules/contrib/gssproxy.te b/policy/modules/contrib/gssproxy.te
new file mode 100644
index 00000000..20027689
--- /dev/null
+++ b/policy/modules/contrib/gssproxy.te
@@ -0,0 +1,67 @@
+policy_module(gssproxy, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gssproxy_t;
+type gssproxy_exec_t;
+init_daemon_domain(gssproxy_t, gssproxy_exec_t)
+
+type gssproxy_var_lib_t;
+files_type(gssproxy_var_lib_t)
+
+type gssproxy_run_t;
+files_pid_file(gssproxy_run_t)
+
+type gssproxy_unit_t;
+init_unit_file(gssproxy_unit_t)
+
+########################################
+#
+# gssproxy local policy
+#
+allow gssproxy_t self:capability { setuid setgid };
+allow gssproxy_t self:capability2 block_suspend;
+allow gssproxy_t self:fifo_file rw_fifo_file_perms;
+allow gssproxy_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_sock_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_lnk_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+files_var_lib_filetrans(gssproxy_t, gssproxy_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+manage_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+manage_sock_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+manage_lnk_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+files_pid_filetrans(gssproxy_t, gssproxy_run_t, { dir file lnk_file sock_file })
+
+kernel_rw_rpc_sysctls(gssproxy_t)
+
+domain_use_interactive_fds(gssproxy_t)
+
+files_read_etc_files(gssproxy_t)
+
+fs_getattr_all_fs(gssproxy_t)
+
+auth_use_nsswitch(gssproxy_t)
+
+dev_read_urand(gssproxy_t)
+
+logging_send_syslog_msg(gssproxy_t)
+
+miscfiles_read_localization(gssproxy_t)
+
+#userdom_read_all_users_keys(gssproxy_t)
+userdom_manage_user_tmp_dirs(gssproxy_t)
+userdom_manage_user_tmp_files(gssproxy_t)
+
+optional_policy(`
+ kerberos_filetrans_named_content(gssproxy_t)
+ kerberos_manage_host_rcache(gssproxy_t)
+ kerberos_read_keytab(gssproxy_t)
+ kerberos_use(gssproxy_t)
+')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-04-30 9:40 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-04-30 9:40 UTC (permalink / raw
To: gentoo-commits
commit: 9ad7c51d8626203c3f8661cf39873b4643fe5b94
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Aug 13 16:37:55 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:31:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9ad7c51d
virt: kernel_read_system_state
policy/modules/contrib/virt.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 3da04ef9..0f82a04e 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
+kernel_read_system_state(virtlockd_t)
+
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
@@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
can_exec(virtlogd_t, virtlogd_exec_t)
+kernel_read_system_state(virtlogd_t)
+
files_read_etc_files(virtlogd_t)
files_list_var_lib(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-04-30 9:40 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-04-30 9:40 UTC (permalink / raw
To: gentoo-commits
commit: 53b8a092b78b1f48530145ef0d62cbfeccf47cb0
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Aug 31 15:03:49 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:31:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=53b8a092
WIP virt: image type perms
policy/modules/contrib/virt.te | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 0f82a04e..5df86d7b 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',`
#
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched };
allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
allow virtd_t self:tcp_socket { accept listen };
@@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
allow virtd_t virt_ptynode:chr_file rw_term_perms;
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
@@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',`
tunable_policy(`virt_use_vfio',`
allow virtd_t self:capability sys_resource;
- allow virtd_t self:process setrlimit;
allow virtd_t svirt_t:process rlimitinh;
dev_relabelfrom_vfio_dev(virtd_t)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2017-04-30 9:32 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-04-30 9:40 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-04-30 9:40 UTC (permalink / raw
To: gentoo-commits
commit: 2c0150452aa2f181971677e246b38487c7df8d75
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Apr 26 22:02:08 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:21:11 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2c015045
some little misc things from Russell Coker.
This patch allows setfiles to use file handles inherited from apt (for dpkg
postinst scripts), adds those rsync permissions that were rejected previously
due to not using interfaces, allows fsadm_t to stat /run/mount/utab, and
allows system_cronjob_t some access it requires (including net_admin for
when it runs utilities that set buffers).
policy/modules/contrib/apt.if | 20 ++++++++++++++++++++
policy/modules/contrib/apt.te | 2 +-
policy/modules/contrib/cron.te | 25 +++++++++++++++++++++----
policy/modules/contrib/mrtg.if | 18 ++++++++++++++++++
policy/modules/contrib/mrtg.te | 2 +-
policy/modules/contrib/rsync.te | 4 +++-
6 files changed, 64 insertions(+), 7 deletions(-)
diff --git a/policy/modules/contrib/apt.if b/policy/modules/contrib/apt.if
index 0a1bc49f..568aa97d 100644
--- a/policy/modules/contrib/apt.if
+++ b/policy/modules/contrib/apt.if
@@ -176,6 +176,26 @@ interface(`apt_read_cache',`
########################################
## <summary>
+## Create, read, write, and delete apt package cache content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apt_manage_cache',`
+ gen_require(`
+ type apt_var_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 apt_var_cache_t:dir manage_dir_perms;
+ allow $1 apt_var_cache_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
## Read apt package database content.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te
index 05197c4c..dc6f09b1 100644
--- a/policy/modules/contrib/apt.te
+++ b/policy/modules/contrib/apt.te
@@ -1,4 +1,4 @@
-policy_module(apt, 1.10.1)
+policy_module(apt, 1.10.2)
########################################
#
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 5cb7dac1..15e6bdb4 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.11.3)
+policy_module(cron, 2.11.4)
gen_require(`
class passwd rootok;
@@ -338,6 +338,13 @@ ifdef(`distro_debian',`
allow crond_t self:process setrlimit;
optional_policy(`
+ apt_manage_cache(system_cronjob_t)
+ apt_read_db(system_cronjob_t)
+
+ dpkg_manage_db(system_cronjob_t)
+ ')
+
+ optional_policy(`
logwatch_search_cache_dir(crond_t)
')
')
@@ -429,6 +436,7 @@ optional_policy(`
systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
# so cron jobs can restart daemons
init_stream_connect(system_cronjob_t)
+ init_manage_script_service(system_cronjob_t)
')
optional_policy(`
@@ -440,7 +448,7 @@ optional_policy(`
# System local policy
#
-allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_bind_service setgid setuid sys_nice };
+allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice };
allow system_cronjob_t self:process { signal_perms getsched setsched };
allow system_cronjob_t self:fd use;
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
@@ -461,10 +469,11 @@ allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
allow system_cronjob_t system_cronjob_lock_t:lnk_file manage_lnk_file_perms;
files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, { file lnk_file })
+manage_dirs_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
-files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
+files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir })
manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
@@ -475,7 +484,7 @@ allow system_cronjob_t crond_t:process sigchld;
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
allow system_cronjob_t cron_spool_t:file rw_file_perms;
-allow system_cronjob_t crond_tmp_t:file { read write };
+allow system_cronjob_t crond_tmp_t:file rw_inherited_file_perms;
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_network_state(system_cronjob_t)
@@ -560,10 +569,15 @@ tunable_policy(`cron_can_relabel',`
')
optional_policy(`
+ acct_manage_data(system_cronjob_t)
+')
+
+optional_policy(`
apache_exec_modules(system_cronjob_t)
apache_read_config(system_cronjob_t)
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
+ apache_delete_lib_files(system_cronjob_t)
')
optional_policy(`
@@ -607,6 +621,7 @@ optional_policy(`
optional_policy(`
mrtg_append_create_logs(system_cronjob_t)
+ mrtg_read_config(system_cronjob_t)
')
optional_policy(`
@@ -649,6 +664,8 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
allow cronjob_t self:unix_dgram_socket create_socket_perms;
+allow cronjob_t crond_tmp_t:file rw_inherited_file_perms;
+
kernel_read_system_state(cronjob_t)
kernel_read_kernel_sysctls(cronjob_t)
diff --git a/policy/modules/contrib/mrtg.if b/policy/modules/contrib/mrtg.if
index 0a71bd89..b25b0894 100644
--- a/policy/modules/contrib/mrtg.if
+++ b/policy/modules/contrib/mrtg.if
@@ -2,6 +2,24 @@
########################################
## <summary>
+## Read mrtg configuration
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mrtg_read_config',`
+ gen_require(`
+ type mrtg_etc_t;
+ ')
+
+ allow $1 mrtg_etc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Create and append mrtg log files.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/mrtg.te b/policy/modules/contrib/mrtg.te
index 5126d9d5..96d48f37 100644
--- a/policy/modules/contrib/mrtg.te
+++ b/policy/modules/contrib/mrtg.te
@@ -1,4 +1,4 @@
-policy_module(mrtg, 1.11.0)
+policy_module(mrtg, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/rsync.te b/policy/modules/contrib/rsync.te
index 2fce98b0..11c7041a 100644
--- a/policy/modules/contrib/rsync.te
+++ b/policy/modules/contrib/rsync.te
@@ -1,4 +1,4 @@
-policy_module(rsync, 1.15.0)
+policy_module(rsync, 1.15.1)
########################################
#
@@ -123,6 +123,8 @@ dev_read_urand(rsync_t)
fs_getattr_all_fs(rsync_t)
fs_search_auto_mountpoints(rsync_t)
+files_getattr_all_pipes(rsync_t)
+files_getattr_all_sockets(rsync_t)
files_search_home(rsync_t)
auth_can_read_shadow_passwords(rsync_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-04-30 9:40 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-04-30 9:40 UTC (permalink / raw
To: gentoo-commits
commit: 900b67711c6e9c97828a61cc4922a0bc8b9b535f
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 27 20:44:51 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:31:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=900b6771
virt: virtlockd doesnt need ps_process_pattern
policy/modules/contrib/virt.te | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index e1a3bcaf..42e68a29 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
allow virtlockd_t self:capability dac_override;
allow virtlockd_t self:fifo_file rw_fifo_file_perms;
+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
allow virtlockd_t virt_image_type:dir list_dir_perms;
allow virtlockd_t virt_image_type:file rw_file_perms;
@@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
-ps_process_pattern(virtlockd_t, virtd_t)
-
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-04-30 9:40 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-04-30 9:40 UTC (permalink / raw
To: gentoo-commits
commit: 8cd3d83d2ea5cec1b77b5609cfd47a768e54fb31
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu May 12 16:49:07 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:31:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8cd3d83d
virt: add policy for virtlogd
policy/modules/contrib/virt.fc | 1 +
policy/modules/contrib/virt.te | 42 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 43 insertions(+)
diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index 22c1ed70..dca262ab 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)
/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index eb72843f..e1a3bcaf 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
type virtlockd_var_lib_t;
files_type(virtlockd_var_lib_t)
+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh)
')
ifdef(`enable_mls',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh)
')
########################################
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
allow virt_domain virtd_t:process sigchld;
+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
dontaudit virt_domain virtd_t:unix_stream_socket { read write };
manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
@@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto };
allow virtd_t svirt_lxc_domain:process signal_perms;
+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
allow virtd_t virtd_lxc_t:process { signal signull sigkill };
domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
@@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
can_exec(virtd_t, virt_tmp_t)
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t)
virt_append_log(virtlockd_t)
virt_read_config(virtlockd_t)
+
+########################################
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+virt_manage_log(virtlogd_t)
+virt_read_config(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2017-04-30 9:32 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-04-30 9:40 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-04-30 9:40 UTC (permalink / raw
To: gentoo-commits
commit: 235046c2e9c4578585bb482e62e44cf1ef0eacd7
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Apr 29 15:13:24 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:21:11 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=235046c2
apt/dpkg strict patches from Russell Coker.
The following are needed for correct operation of apt and dpkg on a "strict"
configuration.
policy/modules/contrib/apt.te | 6 ++++--
policy/modules/contrib/dpkg.if | 20 ++++++++++++++++++++
policy/modules/contrib/dpkg.te | 5 ++++-
policy/modules/contrib/mta.te | 7 ++++++-
4 files changed, 34 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te
index dc6f09b1..63b93257 100644
--- a/policy/modules/contrib/apt.te
+++ b/policy/modules/contrib/apt.te
@@ -1,4 +1,4 @@
-policy_module(apt, 1.10.2)
+policy_module(apt, 1.10.3)
########################################
#
@@ -39,7 +39,7 @@ logging_log_file(apt_var_log_t)
# Local policy
#
-allow apt_t self:capability { chown dac_override fowner fsetid };
+allow apt_t self:capability { chown dac_override fowner fsetid kill setgid setuid };
allow apt_t self:process { signal setpgid fork };
allow apt_t self:fd use;
allow apt_t self:fifo_file rw_fifo_file_perms;
@@ -69,12 +69,14 @@ manage_sock_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file })
manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
+manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
files_var_filetrans(apt_t, apt_var_cache_t, dir)
manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
allow apt_t apt_var_log_t:file manage_file_perms;
+allow apt_t apt_var_log_t:dir manage_dir_perms;
logging_log_filetrans(apt_t, apt_var_log_t, file)
can_exec(apt_t, apt_exec_t)
diff --git a/policy/modules/contrib/dpkg.if b/policy/modules/contrib/dpkg.if
index 081134f2..c753ad62 100644
--- a/policy/modules/contrib/dpkg.if
+++ b/policy/modules/contrib/dpkg.if
@@ -179,6 +179,26 @@ interface(`dpkg_use_script_fds',`
########################################
## <summary>
+## Inherit and use file descriptors
+## from dpkg scripts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_script_rw_inherited_pipes',`
+ gen_require(`
+ type dpkg_script_t;
+ ')
+
+ allow $1 dpkg_script_t:fd use;
+ allow $1 dpkg_script_t:fifo_file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
## Read dpkg package database content.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index a91e4896..e781815d 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -1,4 +1,4 @@
-policy_module(dpkg, 1.11.6)
+policy_module(dpkg, 1.11.7)
########################################
#
@@ -42,6 +42,8 @@ role dpkg_roles types dpkg_script_t;
type dpkg_script_tmp_t;
files_tmp_file(dpkg_script_tmp_t)
+# out of order to work around compiler issue
+domain_entry_file(dpkg_script_t, dpkg_script_tmp_t)
type dpkg_script_tmpfs_t;
files_tmpfs_file(dpkg_script_tmpfs_t)
@@ -69,6 +71,7 @@ allow dpkg_t self:msg { send receive };
allow dpkg_t dpkg_lock_t:file manage_file_perms;
spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
+spec_domtrans_pattern(dpkg_t, dpkg_script_tmp_t, dpkg_script_t)
manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index 2baa07c9..caa21fb9 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.8.5)
+policy_module(mta, 2.8.6)
########################################
#
@@ -205,6 +205,11 @@ init_rw_stream_sockets(system_mail_t)
userdom_use_user_terminals(system_mail_t)
optional_policy(`
+ apt_use_fds(system_mail_t)
+ apt_use_ptys(system_mail_t)
+')
+
+optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
apache_append_squirrelmail_data(system_mail_t)
apache_dontaudit_append_log(system_mail_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2017-04-30 9:32 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-04-30 9:40 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-04-30 9:40 UTC (permalink / raw
To: gentoo-commits
commit: f328e52e14903e825ae02bf8c25ebdf859278a40
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Apr 26 10:38:44 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:21:11 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f328e52e
Module version bump for patches from Russell Coker.
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/dbus.te | 2 +-
policy/modules/contrib/gpg.te | 2 +-
policy/modules/contrib/hal.te | 2 +-
policy/modules/contrib/policykit.te | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 3a6c0b92..88a73ce4 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.21.3)
+policy_module(cups, 1.21.4)
########################################
#
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 80ceb9de..ca39fb6b 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.22.5)
+policy_module(dbus, 1.22.6)
gen_require(`
class dbus all_dbus_perms;
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index c795f278..c145fb4c 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.11.0)
+policy_module(gpg, 2.11.1)
########################################
#
diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te
index 29b473e7..997f3e3b 100644
--- a/policy/modules/contrib/hal.te
+++ b/policy/modules/contrib/hal.te
@@ -1,4 +1,4 @@
-policy_module(hal, 1.17.1)
+policy_module(hal, 1.17.2)
########################################
#
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index ee6ad3da..fc89a486 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -1,4 +1,4 @@
-policy_module(policykit, 1.6.1)
+policy_module(policykit, 1.6.2)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-04-30 9:40 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-04-30 9:40 UTC (permalink / raw
To: gentoo-commits
commit: 68b598ef6438c11db428e893825e494d76f3fac1
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Apr 16 06:38:47 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:31:52 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=68b598ef
gpg dirmngr: create and connect to socket
policy/modules/contrib/dirmngr.fc | 2 ++
policy/modules/contrib/dirmngr.if | 22 +++++++++++++++++++++
policy/modules/contrib/dirmngr.te | 13 +++++++++++++
policy/modules/contrib/gpg.if | 41 +++++++++++++++++++++++++++++++++++++++
policy/modules/contrib/gpg.te | 1 +
5 files changed, 79 insertions(+)
diff --git a/policy/modules/contrib/dirmngr.fc b/policy/modules/contrib/dirmngr.fc
index a0f261c9..a9cf15a8 100644
--- a/policy/modules/contrib/dirmngr.fc
+++ b/policy/modules/contrib/dirmngr.fc
@@ -12,3 +12,5 @@
/run/dirmngr\.pid -- gen_context(system_u:object_r:dirmngr_var_run_t,s0)
/run/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_var_run_t,s0)
+
+/run/user/%{USERID}/gnupg/S.dirmngr -s gen_context(system_u:object_r:dirmngr_tmp_t,s0)
diff --git a/policy/modules/contrib/dirmngr.if b/policy/modules/contrib/dirmngr.if
index 2f6875a6..989af34a 100644
--- a/policy/modules/contrib/dirmngr.if
+++ b/policy/modules/contrib/dirmngr.if
@@ -71,6 +71,28 @@ interface(`dirmngr_exec',`
########################################
## <summary>
+## Connect to dirmngr socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirmngr_stream_connect',`
+ gen_require(`
+ type dirmngr_t, dirmngr_tmp_t;
+ ')
+
+ gpg_search_agent_tmp_dirs($1)
+ allow $1 dirmngr_tmp_t:sock_file write_sock_file_perms;
+ allow $1 dirmngr_t:unix_stream_socket connectto;
+ userdom_search_user_runtime($1)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an dirmngr environment.
## </summary>
diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te
index 23f40456..8e4a1a89 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -18,6 +18,9 @@ init_script_file(dirmngr_initrc_exec_t)
type dirmngr_log_t;
logging_log_file(dirmngr_log_t)
+type dirmngr_tmp_t;
+userdom_user_tmp_file(dirmngr_tmp_t)
+
type dirmngr_var_lib_t;
files_type(dirmngr_var_lib_t)
@@ -46,6 +49,8 @@ manage_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t)
manage_lnk_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t)
files_var_lib_filetrans(dirmngr_t, dirmngr_var_lib_t, dir)
+manage_sock_files_pattern(dirmngr_t, dirmngr_tmp_t, dirmngr_tmp_t)
+
manage_dirs_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
manage_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
@@ -56,3 +61,11 @@ kernel_read_crypto_sysctls(dirmngr_t)
files_read_etc_files(dirmngr_t)
miscfiles_read_localization(dirmngr_t)
+
+userdom_search_user_home_dirs(dirmngr_t)
+userdom_search_user_runtime(dirmngr_t)
+userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
+
+optional_policy(`
+ gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
+')
diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
index efffff87..d34cfbc0 100644
--- a/policy/modules/contrib/gpg.if
+++ b/policy/modules/contrib/gpg.if
@@ -216,6 +216,47 @@ interface(`gpg_stream_connect_agent',`
########################################
## <summary>
+## Search gpg agent dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_search_agent_tmp_dirs',`
+ gen_require(`
+ type gpg_agent_tmp_t;
+ ')
+
+ allow $1 gpg_agent_tmp_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## filetrans in gpg_agent_tmp_t dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_agent_tmp_filetrans',`
+ gen_require(`
+ type gpg_agent_t, gpg_agent_tmp_t;
+ type gpg_secret_t;
+ ')
+
+ filetrans_pattern($1, gpg_agent_tmp_t, $2, $3, $4)
+ stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
+ allow $1 gpg_secret_t:dir search_dir_perms;
+ userdom_search_user_runtime($1)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
## Send messages to and from gpg
## pinentry over DBUS.
## </summary>
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 1b8448c7..140d8d94 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -140,6 +140,7 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
dirmngr_domtrans(gpg_t)
+ dirmngr_stream_connect(gpg_t)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-04-30 9:40 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-04-30 9:40 UTC (permalink / raw
To: gentoo-commits
commit: df8fecccf2694a0351ce8bdb03e1a0abc7845984
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Mar 30 04:58:28 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:31:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=df8feccc
dirmngr: add to roles and allow gpg to domtrans
policy/modules/contrib/dirmngr.if | 69 +++++++++++++++++++++++++++++++++++++++
policy/modules/contrib/gpg.te | 4 +++
2 files changed, 73 insertions(+)
diff --git a/policy/modules/contrib/dirmngr.if b/policy/modules/contrib/dirmngr.if
index 4cd2810e..2f6875a6 100644
--- a/policy/modules/contrib/dirmngr.if
+++ b/policy/modules/contrib/dirmngr.if
@@ -1,5 +1,74 @@
## <summary>Server for managing and downloading certificate revocation lists.</summary>
+############################################################
+## <summary>
+## Role access for dirmngr.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`dirmngr_role',`
+ gen_require(`
+ type dirmngr_t, dirmngr_exec_t;
+ ')
+
+ role $1 types dirmngr_t;
+
+ domtrans_pattern($2, dirmngr_exec_t, dirmngr_t)
+
+ allow $2 dirmngr_t:process { ptrace signal_perms };
+ ps_process_pattern($2, dirmngr_t)
+
+ allow dirmngr_t $2:fd use;
+ allow dirmngr_t $2:fifo_file { read write };
+')
+
+########################################
+## <summary>
+## Execute dirmngr in the dirmngr domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dirmngr_domtrans',`
+ gen_require(`
+ type dirmngr_t, dirmngr_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dirmngr_exec_t, dirmngr_t)
+')
+
+########################################
+## <summary>
+## Execute the dirmngr in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirmngr_exec',`
+ gen_require(`
+ type dirmngr_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, dirmngr_exec_t)
+')
+
########################################
## <summary>
## All of the rules required to
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index c145fb4c..1b8448c7 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -139,6 +139,10 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ dirmngr_domtrans(gpg_t)
+')
+
+optional_policy(`
evolution_read_orbit_tmp_files(gpg_t)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-05-07 17:47 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-05-07 17:47 UTC (permalink / raw
To: gentoo-commits
commit: 2461473627beea7a5e372c1b3f244c5e30f3438b
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sat Apr 29 18:18:02 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May 7 15:54:42 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=24614736
plymouth: pid interface usability
Improve the usability of one plymouth interface.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/plymouthd.if | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/plymouthd.if b/policy/modules/contrib/plymouthd.if
index 30e751f1..54cd777a 100644
--- a/policy/modules/contrib/plymouthd.if
+++ b/policy/modules/contrib/plymouthd.if
@@ -228,6 +228,7 @@ interface(`plymouthd_read_pid_files',`
')
files_search_pids($1)
+ allow $1 plymouthd_var_run_t:dir search_dir_perms;
allow $1 plymouthd_var_run_t:file read_file_perms;
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2017-05-07 16:09 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-05-07 17:47 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-05-07 17:47 UTC (permalink / raw
To: gentoo-commits
commit: d4c00f71309403b77db1cdf60a1da0de877d7b30
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sat Apr 29 18:17:53 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May 7 15:54:42 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d4c00f71
loadkeys: use init fds (system bootup)
Update the loadkeys module so that it can use init file descriptors (to
print out messages during boot).
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/loadkeys.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/loadkeys.te b/policy/modules/contrib/loadkeys.te
index d99a28bf..dcde3ffe 100644
--- a/policy/modules/contrib/loadkeys.te
+++ b/policy/modules/contrib/loadkeys.te
@@ -23,6 +23,8 @@ allow loadkeys_t self:unix_stream_socket { connect create };
kernel_read_system_state(loadkeys_t)
+init_use_fds(loadkeys_t)
+
corecmd_exec_bin(loadkeys_t)
corecmd_exec_shell(loadkeys_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-05-07 17:47 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-05-07 17:47 UTC (permalink / raw
To: gentoo-commits
commit: 90bc58d30413ce90fc5f6b86da4114f539d374f0
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sat Apr 29 18:18:15 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May 7 15:54:42 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=90bc58d3
shutdown: send msg to syslog
Update the shutdown module so that it can send messages to
syslog.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/shutdown.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/contrib/shutdown.te b/policy/modules/contrib/shutdown.te
index 6a0b126e..4a2b3510 100644
--- a/policy/modules/contrib/shutdown.te
+++ b/policy/modules/contrib/shutdown.te
@@ -42,6 +42,8 @@ domain_use_interactive_fds(shutdown_t)
files_delete_boot_flag(shutdown_t)
files_read_generic_pids(shutdown_t)
+fs_getattr_xattr_fs(shutdown_t)
+
mls_file_write_to_clearance(shutdown_t)
term_use_all_terms(shutdown_t)
@@ -55,6 +57,7 @@ init_telinit(shutdown_t)
logging_search_logs(shutdown_t)
logging_send_audit_msgs(shutdown_t)
+logging_send_syslog_msg(shutdown_t)
miscfiles_read_localization(shutdown_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2017-05-07 16:09 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-05-07 17:47 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-05-07 17:47 UTC (permalink / raw
To: gentoo-commits
commit: ec9d897b9e69d1ba90b25c871b12bd72ae6f3b31
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon May 1 22:44:21 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May 7 15:54:42 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ec9d897b
Module version bump for minor fixes from Guido Trentalancia.
policy/modules/contrib/evolution.te | 2 +-
policy/modules/contrib/java.te | 2 +-
policy/modules/contrib/loadkeys.te | 2 +-
policy/modules/contrib/plymouthd.te | 2 +-
policy/modules/contrib/shutdown.te | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index c30623de..f97985e1 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -1,4 +1,4 @@
-policy_module(evolution, 2.6.2)
+policy_module(evolution, 2.6.3)
########################################
#
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index 96494b16..9c5c7f2c 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -1,4 +1,4 @@
-policy_module(java, 2.9.2)
+policy_module(java, 2.9.3)
########################################
#
diff --git a/policy/modules/contrib/loadkeys.te b/policy/modules/contrib/loadkeys.te
index dcde3ffe..ce63f0ee 100644
--- a/policy/modules/contrib/loadkeys.te
+++ b/policy/modules/contrib/loadkeys.te
@@ -1,4 +1,4 @@
-policy_module(loadkeys, 1.11.2)
+policy_module(loadkeys, 1.11.3)
########################################
#
diff --git a/policy/modules/contrib/plymouthd.te b/policy/modules/contrib/plymouthd.te
index c9c04040..6c73283c 100644
--- a/policy/modules/contrib/plymouthd.te
+++ b/policy/modules/contrib/plymouthd.te
@@ -1,4 +1,4 @@
-policy_module(plymouthd, 1.4.1)
+policy_module(plymouthd, 1.4.2)
########################################
#
diff --git a/policy/modules/contrib/shutdown.te b/policy/modules/contrib/shutdown.te
index 4a2b3510..0e38114a 100644
--- a/policy/modules/contrib/shutdown.te
+++ b/policy/modules/contrib/shutdown.te
@@ -1,4 +1,4 @@
-policy_module(shutdown, 1.4.1)
+policy_module(shutdown, 1.4.2)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2017-05-07 16:09 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-05-07 17:47 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-05-07 17:47 UTC (permalink / raw
To: gentoo-commits
commit: b8a604ac7ca611afbf53c9e07724030c0555fd30
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu May 4 12:27:23 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May 7 16:02:02 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b8a604ac
Module version bump for /usr/bin fc fixes from Nicolas Iooss.
policy/modules/contrib/abrt.te | 2 +-
policy/modules/contrib/acct.te | 2 +-
policy/modules/contrib/acpi.te | 2 +-
policy/modules/contrib/afs.te | 2 +-
policy/modules/contrib/aiccu.te | 2 +-
policy/modules/contrib/aisexec.te | 2 +-
policy/modules/contrib/alsa.te | 2 +-
policy/modules/contrib/amanda.te | 2 +-
policy/modules/contrib/amavis.te | 2 +-
policy/modules/contrib/apache.te | 2 +-
policy/modules/contrib/apcupsd.te | 2 +-
policy/modules/contrib/arpwatch.te | 2 +-
policy/modules/contrib/asterisk.te | 2 +-
policy/modules/contrib/automount.te | 2 +-
policy/modules/contrib/avahi.te | 2 +-
policy/modules/contrib/bacula.te | 2 +-
policy/modules/contrib/bcfg2.te | 2 +-
policy/modules/contrib/bind.te | 2 +-
policy/modules/contrib/bird.te | 2 +-
policy/modules/contrib/bitlbee.te | 2 +-
policy/modules/contrib/bluetooth.te | 2 +-
policy/modules/contrib/brctl.te | 2 +-
policy/modules/contrib/cachefilesd.te | 2 +-
policy/modules/contrib/callweaver.te | 2 +-
policy/modules/contrib/canna.te | 2 +-
policy/modules/contrib/ccs.te | 2 +-
policy/modules/contrib/certmonger.te | 2 +-
policy/modules/contrib/cfengine.te | 2 +-
policy/modules/contrib/cgroup.te | 2 +-
policy/modules/contrib/chronyd.te | 2 +-
policy/modules/contrib/cipe.te | 2 +-
policy/modules/contrib/clamav.te | 2 +-
policy/modules/contrib/clogd.te | 2 +-
policy/modules/contrib/cmirrord.te | 2 +-
policy/modules/contrib/collectd.te | 2 +-
policy/modules/contrib/comsat.te | 2 +-
policy/modules/contrib/condor.te | 2 +-
policy/modules/contrib/consolekit.te | 2 +-
policy/modules/contrib/corosync.te | 2 +-
policy/modules/contrib/courier.te | 2 +-
policy/modules/contrib/cpucontrol.te | 2 +-
policy/modules/contrib/cron.te | 2 +-
policy/modules/contrib/ctdb.te | 2 +-
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/dante.te | 2 +-
policy/modules/contrib/dbskk.te | 2 +-
policy/modules/contrib/dcc.te | 2 +-
policy/modules/contrib/ddclient.te | 2 +-
policy/modules/contrib/ddcprobe.te | 2 +-
policy/modules/contrib/dhcp.te | 2 +-
policy/modules/contrib/dictd.te | 2 +-
policy/modules/contrib/dkim.te | 2 +-
policy/modules/contrib/dmidecode.te | 2 +-
policy/modules/contrib/dnsmasq.te | 2 +-
policy/modules/contrib/dnssectrigger.te | 2 +-
policy/modules/contrib/dovecot.te | 2 +-
policy/modules/contrib/dphysswapfile.te | 2 +-
policy/modules/contrib/dpkg.te | 2 +-
policy/modules/contrib/drbd.te | 2 +-
policy/modules/contrib/entropyd.te | 2 +-
policy/modules/contrib/exim.te | 2 +-
policy/modules/contrib/fakehwclock.te | 2 +-
policy/modules/contrib/fcoe.te | 2 +-
policy/modules/contrib/finger.te | 2 +-
policy/modules/contrib/firewalld.te | 2 +-
policy/modules/contrib/firstboot.te | 2 +-
policy/modules/contrib/ftp.te | 2 +-
policy/modules/contrib/gatekeeper.te | 2 +-
policy/modules/contrib/glusterfs.te | 2 +-
policy/modules/contrib/gpm.te | 2 +-
policy/modules/contrib/gpsd.te | 2 +-
policy/modules/contrib/hal.te | 2 +-
policy/modules/contrib/hddtemp.te | 2 +-
policy/modules/contrib/hwloc.te | 2 +-
policy/modules/contrib/hypervkvp.te | 2 +-
policy/modules/contrib/i18n_input.te | 2 +-
policy/modules/contrib/ifplugd.te | 2 +-
policy/modules/contrib/inetd.te | 2 +-
policy/modules/contrib/inn.te | 2 +-
policy/modules/contrib/iodine.te | 2 +-
policy/modules/contrib/ircd.te | 2 +-
policy/modules/contrib/irqbalance.te | 2 +-
policy/modules/contrib/iscsi.te | 2 +-
policy/modules/contrib/isns.te | 2 +-
policy/modules/contrib/jabber.te | 2 +-
policy/modules/contrib/kdump.te | 2 +-
policy/modules/contrib/kerberos.te | 2 +-
policy/modules/contrib/kerneloops.te | 2 +-
policy/modules/contrib/ksmtuned.te | 2 +-
policy/modules/contrib/ktalk.te | 2 +-
policy/modules/contrib/kudzu.te | 2 +-
policy/modules/contrib/l2tp.te | 2 +-
policy/modules/contrib/ldap.te | 2 +-
policy/modules/contrib/likewise.te | 2 +-
policy/modules/contrib/lircd.te | 2 +-
policy/modules/contrib/lldpad.te | 2 +-
policy/modules/contrib/lockdev.te | 2 +-
policy/modules/contrib/logrotate.te | 2 +-
policy/modules/contrib/logwatch.te | 2 +-
policy/modules/contrib/lpd.te | 2 +-
policy/modules/contrib/mailscanner.te | 2 +-
policy/modules/contrib/mcelog.te | 2 +-
policy/modules/contrib/milter.te | 2 +-
policy/modules/contrib/minidlna.te | 2 +-
policy/modules/contrib/minissdpd.te | 2 +-
policy/modules/contrib/modemmanager.te | 2 +-
policy/modules/contrib/mon.te | 2 +-
policy/modules/contrib/monop.te | 2 +-
policy/modules/contrib/mta.te | 2 +-
policy/modules/contrib/mysql.te | 2 +-
policy/modules/contrib/nessus.te | 2 +-
policy/modules/contrib/networkmanager.te | 2 +-
policy/modules/contrib/nis.te | 2 +-
policy/modules/contrib/nscd.te | 2 +-
policy/modules/contrib/nsd.te | 2 +-
policy/modules/contrib/nslcd.te | 2 +-
policy/modules/contrib/ntop.te | 2 +-
policy/modules/contrib/ntp.te | 2 +-
policy/modules/contrib/nut.te | 2 +-
policy/modules/contrib/oav.te | 2 +-
policy/modules/contrib/oddjob.te | 2 +-
policy/modules/contrib/oident.te | 2 +-
policy/modules/contrib/openct.te | 2 +-
policy/modules/contrib/openhpi.te | 2 +-
policy/modules/contrib/openvpn.te | 2 +-
policy/modules/contrib/pacemaker.te | 2 +-
policy/modules/contrib/pcmcia.te | 2 +-
policy/modules/contrib/pcscd.te | 2 +-
policy/modules/contrib/pegasus.te | 2 +-
policy/modules/contrib/perdition.te | 2 +-
policy/modules/contrib/pingd.te | 2 +-
policy/modules/contrib/pkcs.te | 2 +-
policy/modules/contrib/plymouthd.te | 2 +-
policy/modules/contrib/portmap.te | 2 +-
policy/modules/contrib/portreserve.te | 2 +-
policy/modules/contrib/portslave.te | 2 +-
policy/modules/contrib/postfix.te | 2 +-
policy/modules/contrib/postfixpolicyd.te | 2 +-
policy/modules/contrib/postgrey.te | 2 +-
policy/modules/contrib/ppp.te | 2 +-
policy/modules/contrib/prelink.te | 2 +-
policy/modules/contrib/prelude.te | 2 +-
policy/modules/contrib/privoxy.te | 2 +-
policy/modules/contrib/psad.te | 2 +-
policy/modules/contrib/pxe.te | 2 +-
policy/modules/contrib/qmail.te | 2 +-
policy/modules/contrib/qpid.te | 2 +-
policy/modules/contrib/quota.te | 2 +-
policy/modules/contrib/radius.te | 2 +-
policy/modules/contrib/radvd.te | 2 +-
policy/modules/contrib/raid.te | 2 +-
policy/modules/contrib/rdisc.te | 2 +-
policy/modules/contrib/readahead.te | 2 +-
policy/modules/contrib/redis.te | 2 +-
policy/modules/contrib/resmgr.te | 2 +-
policy/modules/contrib/rgmanager.te | 2 +-
policy/modules/contrib/rhcs.te | 2 +-
policy/modules/contrib/ricci.te | 2 +-
policy/modules/contrib/rlogin.te | 2 +-
policy/modules/contrib/rngd.te | 2 +-
policy/modules/contrib/rpc.te | 2 +-
policy/modules/contrib/rpcbind.te | 2 +-
policy/modules/contrib/rpm.te | 2 +-
policy/modules/contrib/rshd.te | 2 +-
policy/modules/contrib/rwho.te | 2 +-
policy/modules/contrib/samba.te | 2 +-
policy/modules/contrib/samhain.te | 2 +-
policy/modules/contrib/sanlock.te | 2 +-
policy/modules/contrib/sasl.te | 2 +-
policy/modules/contrib/sblim.te | 2 +-
policy/modules/contrib/sensord.te | 2 +-
policy/modules/contrib/setroubleshoot.te | 2 +-
policy/modules/contrib/shibboleth.te | 2 +-
policy/modules/contrib/shorewall.te | 2 +-
policy/modules/contrib/shutdown.te | 2 +-
policy/modules/contrib/slpd.te | 2 +-
policy/modules/contrib/smartmon.te | 2 +-
policy/modules/contrib/smokeping.te | 2 +-
policy/modules/contrib/smstools.te | 2 +-
policy/modules/contrib/snmp.te | 2 +-
policy/modules/contrib/snort.te | 2 +-
policy/modules/contrib/sosreport.te | 2 +-
policy/modules/contrib/soundserver.te | 2 +-
policy/modules/contrib/spamassassin.te | 2 +-
policy/modules/contrib/speedtouch.te | 2 +-
policy/modules/contrib/squid.te | 2 +-
policy/modules/contrib/sssd.te | 2 +-
policy/modules/contrib/sxid.te | 2 +-
policy/modules/contrib/tboot.te | 2 +-
policy/modules/contrib/tcpd.te | 2 +-
policy/modules/contrib/tcsd.te | 2 +-
policy/modules/contrib/telnet.te | 2 +-
policy/modules/contrib/tftp.te | 2 +-
policy/modules/contrib/tgtd.te | 2 +-
policy/modules/contrib/tmpreaper.te | 2 +-
policy/modules/contrib/transproxy.te | 2 +-
policy/modules/contrib/tripwire.te | 2 +-
policy/modules/contrib/tuned.te | 2 +-
policy/modules/contrib/tzdata.te | 2 +-
policy/modules/contrib/ulogd.te | 2 +-
policy/modules/contrib/updfstab.te | 2 +-
policy/modules/contrib/uptime.te | 2 +-
policy/modules/contrib/usbmodules.te | 2 +-
policy/modules/contrib/usbmuxd.te | 2 +-
policy/modules/contrib/userhelper.te | 2 +-
policy/modules/contrib/usernetctl.te | 2 +-
policy/modules/contrib/uucp.te | 2 +-
policy/modules/contrib/uuidd.te | 2 +-
policy/modules/contrib/varnishd.te | 2 +-
policy/modules/contrib/vbetool.te | 2 +-
policy/modules/contrib/vdagent.te | 2 +-
policy/modules/contrib/vhostmd.te | 2 +-
policy/modules/contrib/virt.te | 2 +-
policy/modules/contrib/vlock.te | 2 +-
policy/modules/contrib/vmware.te | 2 +-
policy/modules/contrib/vnstatd.te | 2 +-
policy/modules/contrib/vpn.te | 2 +-
policy/modules/contrib/watchdog.te | 2 +-
policy/modules/contrib/wdmd.te | 2 +-
policy/modules/contrib/xen.te | 2 +-
policy/modules/contrib/zabbix.te | 2 +-
policy/modules/contrib/zebra.te | 2 +-
policy/modules/contrib/zosremote.te | 2 +-
223 files changed, 223 insertions(+), 223 deletions(-)
diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te
index 8c52ac9b..9fb4f3ff 100644
--- a/policy/modules/contrib/abrt.te
+++ b/policy/modules/contrib/abrt.te
@@ -1,4 +1,4 @@
-policy_module(abrt, 1.7.0)
+policy_module(abrt, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/acct.te b/policy/modules/contrib/acct.te
index fb2e1ebe..dfe0ec7c 100644
--- a/policy/modules/contrib/acct.te
+++ b/policy/modules/contrib/acct.te
@@ -1,4 +1,4 @@
-policy_module(acct, 1.7.2)
+policy_module(acct, 1.7.3)
########################################
#
diff --git a/policy/modules/contrib/acpi.te b/policy/modules/contrib/acpi.te
index 0cd3d884..083dfe92 100644
--- a/policy/modules/contrib/acpi.te
+++ b/policy/modules/contrib/acpi.te
@@ -1,4 +1,4 @@
-policy_module(acpi, 1.0.0)
+policy_module(acpi, 1.0.1)
########################################
#
diff --git a/policy/modules/contrib/afs.te b/policy/modules/contrib/afs.te
index b95757a5..8b7c7765 100644
--- a/policy/modules/contrib/afs.te
+++ b/policy/modules/contrib/afs.te
@@ -1,4 +1,4 @@
-policy_module(afs, 1.10.0)
+policy_module(afs, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/aiccu.te b/policy/modules/contrib/aiccu.te
index 6202f38c..a3ea7e6a 100644
--- a/policy/modules/contrib/aiccu.te
+++ b/policy/modules/contrib/aiccu.te
@@ -1,4 +1,4 @@
-policy_module(aiccu, 1.3.1)
+policy_module(aiccu, 1.3.2)
########################################
#
diff --git a/policy/modules/contrib/aisexec.te b/policy/modules/contrib/aisexec.te
index 06b61940..1e5dffe4 100644
--- a/policy/modules/contrib/aisexec.te
+++ b/policy/modules/contrib/aisexec.te
@@ -1,4 +1,4 @@
-policy_module(aisexec, 1.4.0)
+policy_module(aisexec, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 6946ef0a..7654ae0e 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -1,4 +1,4 @@
-policy_module(alsa, 1.16.2)
+policy_module(alsa, 1.16.3)
########################################
#
diff --git a/policy/modules/contrib/amanda.te b/policy/modules/contrib/amanda.te
index ecf15211..6b058e02 100644
--- a/policy/modules/contrib/amanda.te
+++ b/policy/modules/contrib/amanda.te
@@ -1,4 +1,4 @@
-policy_module(amanda, 1.16.0)
+policy_module(amanda, 1.16.1)
#######################################
#
diff --git a/policy/modules/contrib/amavis.te b/policy/modules/contrib/amavis.te
index 44913b37..f0722742 100644
--- a/policy/modules/contrib/amavis.te
+++ b/policy/modules/contrib/amavis.te
@@ -1,4 +1,4 @@
-policy_module(amavis, 1.17.0)
+policy_module(amavis, 1.17.1)
########################################
#
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index e69a6c9a..47e47b05 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.12.5)
+policy_module(apache, 2.12.6)
########################################
#
diff --git a/policy/modules/contrib/apcupsd.te b/policy/modules/contrib/apcupsd.te
index e1586b36..fcb60aa3 100644
--- a/policy/modules/contrib/apcupsd.te
+++ b/policy/modules/contrib/apcupsd.te
@@ -1,4 +1,4 @@
-policy_module(apcupsd, 1.12.1)
+policy_module(apcupsd, 1.12.2)
########################################
#
diff --git a/policy/modules/contrib/arpwatch.te b/policy/modules/contrib/arpwatch.te
index 8c1ded68..441c0f3c 100644
--- a/policy/modules/contrib/arpwatch.te
+++ b/policy/modules/contrib/arpwatch.te
@@ -1,4 +1,4 @@
-policy_module(arpwatch, 1.14.0)
+policy_module(arpwatch, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/asterisk.te b/policy/modules/contrib/asterisk.te
index 9c6a947f..3291031a 100644
--- a/policy/modules/contrib/asterisk.te
+++ b/policy/modules/contrib/asterisk.te
@@ -1,4 +1,4 @@
-policy_module(asterisk, 1.17.0)
+policy_module(asterisk, 1.17.1)
########################################
#
diff --git a/policy/modules/contrib/automount.te b/policy/modules/contrib/automount.te
index 09b82b0c..f99ecc18 100644
--- a/policy/modules/contrib/automount.te
+++ b/policy/modules/contrib/automount.te
@@ -1,4 +1,4 @@
-policy_module(automount, 1.18.0)
+policy_module(automount, 1.18.1)
########################################
#
diff --git a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te
index b2e43eed..e38e0b09 100644
--- a/policy/modules/contrib/avahi.te
+++ b/policy/modules/contrib/avahi.te
@@ -1,4 +1,4 @@
-policy_module(avahi, 1.18.0)
+policy_module(avahi, 1.18.1)
########################################
#
diff --git a/policy/modules/contrib/bacula.te b/policy/modules/contrib/bacula.te
index 20b92c3f..aac922f7 100644
--- a/policy/modules/contrib/bacula.te
+++ b/policy/modules/contrib/bacula.te
@@ -1,4 +1,4 @@
-policy_module(bacula, 1.4.0)
+policy_module(bacula, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/bcfg2.te b/policy/modules/contrib/bcfg2.te
index 24e70b89..cc84cd9f 100644
--- a/policy/modules/contrib/bcfg2.te
+++ b/policy/modules/contrib/bcfg2.te
@@ -1,4 +1,4 @@
-policy_module(bcfg2, 1.3.0)
+policy_module(bcfg2, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index 25329fdb..2351e024 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.18.1)
+policy_module(bind, 1.18.2)
########################################
#
diff --git a/policy/modules/contrib/bird.te b/policy/modules/contrib/bird.te
index dcf8f0bd..27df06b2 100644
--- a/policy/modules/contrib/bird.te
+++ b/policy/modules/contrib/bird.te
@@ -1,4 +1,4 @@
-policy_module(bird, 1.3.0)
+policy_module(bird, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/bitlbee.te b/policy/modules/contrib/bitlbee.te
index 90ff0dc6..b30a5ec4 100644
--- a/policy/modules/contrib/bitlbee.te
+++ b/policy/modules/contrib/bitlbee.te
@@ -1,4 +1,4 @@
-policy_module(bitlbee, 1.7.1)
+policy_module(bitlbee, 1.7.2)
########################################
#
diff --git a/policy/modules/contrib/bluetooth.te b/policy/modules/contrib/bluetooth.te
index 75d739da..208a146b 100644
--- a/policy/modules/contrib/bluetooth.te
+++ b/policy/modules/contrib/bluetooth.te
@@ -1,4 +1,4 @@
-policy_module(bluetooth, 3.7.0)
+policy_module(bluetooth, 3.7.1)
########################################
#
diff --git a/policy/modules/contrib/brctl.te b/policy/modules/contrib/brctl.te
index fd789b5f..4582159b 100644
--- a/policy/modules/contrib/brctl.te
+++ b/policy/modules/contrib/brctl.te
@@ -1,4 +1,4 @@
-policy_module(brctl, 1.7.1)
+policy_module(brctl, 1.7.2)
########################################
#
diff --git a/policy/modules/contrib/cachefilesd.te b/policy/modules/contrib/cachefilesd.te
index c92149d1..954dc2a8 100644
--- a/policy/modules/contrib/cachefilesd.te
+++ b/policy/modules/contrib/cachefilesd.te
@@ -1,4 +1,4 @@
-policy_module(cachefilesd, 1.3.1)
+policy_module(cachefilesd, 1.3.2)
########################################
#
diff --git a/policy/modules/contrib/callweaver.te b/policy/modules/contrib/callweaver.te
index f9443343..6bf2d777 100644
--- a/policy/modules/contrib/callweaver.te
+++ b/policy/modules/contrib/callweaver.te
@@ -1,4 +1,4 @@
-policy_module(callweaver, 1.3.0)
+policy_module(callweaver, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/canna.te b/policy/modules/contrib/canna.te
index ea8f64b5..9fee410c 100644
--- a/policy/modules/contrib/canna.te
+++ b/policy/modules/contrib/canna.te
@@ -1,4 +1,4 @@
-policy_module(canna, 1.14.0)
+policy_module(canna, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/ccs.te b/policy/modules/contrib/ccs.te
index bc766e74..7da9d409 100644
--- a/policy/modules/contrib/ccs.te
+++ b/policy/modules/contrib/ccs.te
@@ -1,4 +1,4 @@
-policy_module(ccs, 1.10.1)
+policy_module(ccs, 1.10.2)
########################################
#
diff --git a/policy/modules/contrib/certmonger.te b/policy/modules/contrib/certmonger.te
index f6c9d20d..0770f117 100644
--- a/policy/modules/contrib/certmonger.te
+++ b/policy/modules/contrib/certmonger.te
@@ -1,4 +1,4 @@
-policy_module(certmonger, 1.5.0)
+policy_module(certmonger, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/cfengine.te b/policy/modules/contrib/cfengine.te
index c888ff23..d381792e 100644
--- a/policy/modules/contrib/cfengine.te
+++ b/policy/modules/contrib/cfengine.te
@@ -1,4 +1,4 @@
-policy_module(cfengine, 1.2.0)
+policy_module(cfengine, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/cgroup.te b/policy/modules/contrib/cgroup.te
index 3599d7a2..9705e1af 100644
--- a/policy/modules/contrib/cgroup.te
+++ b/policy/modules/contrib/cgroup.te
@@ -1,4 +1,4 @@
-policy_module(cgroup, 1.5.1)
+policy_module(cgroup, 1.5.2)
########################################
#
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index 618f6cf5..3e9a1c5b 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -1,4 +1,4 @@
-policy_module(chronyd, 1.4.0)
+policy_module(chronyd, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/cipe.te b/policy/modules/contrib/cipe.te
index 729d7820..8b31ca11 100644
--- a/policy/modules/contrib/cipe.te
+++ b/policy/modules/contrib/cipe.te
@@ -1,4 +1,4 @@
-policy_module(cipe, 1.7.0)
+policy_module(cipe, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/clamav.te b/policy/modules/contrib/clamav.te
index 11e568a6..5706540d 100644
--- a/policy/modules/contrib/clamav.te
+++ b/policy/modules/contrib/clamav.te
@@ -1,4 +1,4 @@
-policy_module(clamav, 1.14.1)
+policy_module(clamav, 1.14.2)
## <desc>
## <p>
diff --git a/policy/modules/contrib/clogd.te b/policy/modules/contrib/clogd.te
index b9a57b18..6a667109 100644
--- a/policy/modules/contrib/clogd.te
+++ b/policy/modules/contrib/clogd.te
@@ -1,4 +1,4 @@
-policy_module(clogd, 1.2.0)
+policy_module(clogd, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/cmirrord.te b/policy/modules/contrib/cmirrord.te
index ece1a1ce..22c88cfd 100644
--- a/policy/modules/contrib/cmirrord.te
+++ b/policy/modules/contrib/cmirrord.te
@@ -1,4 +1,4 @@
-policy_module(cmirrord, 1.3.0)
+policy_module(cmirrord, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/collectd.te b/policy/modules/contrib/collectd.te
index e9e6d135..4d375ce5 100644
--- a/policy/modules/contrib/collectd.te
+++ b/policy/modules/contrib/collectd.te
@@ -1,4 +1,4 @@
-policy_module(collectd, 1.3.0)
+policy_module(collectd, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/comsat.te b/policy/modules/contrib/comsat.te
index 9b7b3706..9a4a146e 100644
--- a/policy/modules/contrib/comsat.te
+++ b/policy/modules/contrib/comsat.te
@@ -1,4 +1,4 @@
-policy_module(comsat, 1.8.0)
+policy_module(comsat, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/condor.te b/policy/modules/contrib/condor.te
index fbb70249..18012be1 100644
--- a/policy/modules/contrib/condor.te
+++ b/policy/modules/contrib/condor.te
@@ -1,4 +1,4 @@
-policy_module(condor, 1.4.0)
+policy_module(condor, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index a2a51ba8..06451dff 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -1,4 +1,4 @@
-policy_module(consolekit, 1.12.0)
+policy_module(consolekit, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/corosync.te b/policy/modules/contrib/corosync.te
index 771582f0..c8ecef1c 100644
--- a/policy/modules/contrib/corosync.te
+++ b/policy/modules/contrib/corosync.te
@@ -1,4 +1,4 @@
-policy_module(corosync, 1.3.0)
+policy_module(corosync, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index 31ee1073..57ef751c 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -1,4 +1,4 @@
-policy_module(courier, 1.16.1)
+policy_module(courier, 1.16.2)
########################################
#
diff --git a/policy/modules/contrib/cpucontrol.te b/policy/modules/contrib/cpucontrol.te
index cff0e16c..0d255fce 100644
--- a/policy/modules/contrib/cpucontrol.te
+++ b/policy/modules/contrib/cpucontrol.te
@@ -1,4 +1,4 @@
-policy_module(cpucontrol, 1.6.1)
+policy_module(cpucontrol, 1.6.2)
########################################
#
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 15e6bdb4..49e58a0b 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.11.4)
+policy_module(cron, 2.11.5)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/contrib/ctdb.te b/policy/modules/contrib/ctdb.te
index 4f9c3f06..e62f3912 100644
--- a/policy/modules/contrib/ctdb.te
+++ b/policy/modules/contrib/ctdb.te
@@ -1,4 +1,4 @@
-policy_module(ctdb, 1.4.0)
+policy_module(ctdb, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 88a73ce4..2b81255f 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.21.4)
+policy_module(cups, 1.21.5)
########################################
#
diff --git a/policy/modules/contrib/dante.te b/policy/modules/contrib/dante.te
index 124f2c58..bcabb498 100644
--- a/policy/modules/contrib/dante.te
+++ b/policy/modules/contrib/dante.te
@@ -1,4 +1,4 @@
-policy_module(dante, 1.11.0)
+policy_module(dante, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/dbskk.te b/policy/modules/contrib/dbskk.te
index f55c4208..6b5a7471 100644
--- a/policy/modules/contrib/dbskk.te
+++ b/policy/modules/contrib/dbskk.te
@@ -1,4 +1,4 @@
-policy_module(dbskk, 1.6.0)
+policy_module(dbskk, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/dcc.te b/policy/modules/contrib/dcc.te
index 9b1c25e7..eb05bbda 100644
--- a/policy/modules/contrib/dcc.te
+++ b/policy/modules/contrib/dcc.te
@@ -1,4 +1,4 @@
-policy_module(dcc, 1.13.0)
+policy_module(dcc, 1.13.1)
########################################
#
diff --git a/policy/modules/contrib/ddclient.te b/policy/modules/contrib/ddclient.te
index 333d3094..6e3f3bd2 100644
--- a/policy/modules/contrib/ddclient.te
+++ b/policy/modules/contrib/ddclient.te
@@ -1,4 +1,4 @@
-policy_module(ddclient, 1.12.0)
+policy_module(ddclient, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/ddcprobe.te b/policy/modules/contrib/ddcprobe.te
index 8d1263ae..4e67816a 100644
--- a/policy/modules/contrib/ddcprobe.te
+++ b/policy/modules/contrib/ddcprobe.te
@@ -1,4 +1,4 @@
-policy_module(ddcprobe, 1.3.0)
+policy_module(ddcprobe, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/dhcp.te b/policy/modules/contrib/dhcp.te
index 2fbf84ed..77d18aee 100644
--- a/policy/modules/contrib/dhcp.te
+++ b/policy/modules/contrib/dhcp.te
@@ -1,4 +1,4 @@
-policy_module(dhcp, 1.14.0)
+policy_module(dhcp, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/dictd.te b/policy/modules/contrib/dictd.te
index c390b549..13947f21 100644
--- a/policy/modules/contrib/dictd.te
+++ b/policy/modules/contrib/dictd.te
@@ -1,4 +1,4 @@
-policy_module(dictd, 1.10.0)
+policy_module(dictd, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/dkim.te b/policy/modules/contrib/dkim.te
index 5ffc618b..2cb15e39 100644
--- a/policy/modules/contrib/dkim.te
+++ b/policy/modules/contrib/dkim.te
@@ -1,4 +1,4 @@
-policy_module(dkim, 1.5.1)
+policy_module(dkim, 1.5.2)
########################################
#
diff --git a/policy/modules/contrib/dmidecode.te b/policy/modules/contrib/dmidecode.te
index aa8e3e6d..93000a01 100644
--- a/policy/modules/contrib/dmidecode.te
+++ b/policy/modules/contrib/dmidecode.te
@@ -1,4 +1,4 @@
-policy_module(dmidecode, 1.6.0)
+policy_module(dmidecode, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index ee961ce2..e7278d0a 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -1,4 +1,4 @@
-policy_module(dnsmasq, 1.14.0)
+policy_module(dnsmasq, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/dnssectrigger.te b/policy/modules/contrib/dnssectrigger.te
index e6c58402..c48910d0 100644
--- a/policy/modules/contrib/dnssectrigger.te
+++ b/policy/modules/contrib/dnssectrigger.te
@@ -1,4 +1,4 @@
-policy_module(dnssectrigger, 1.3.0)
+policy_module(dnssectrigger, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
index d18f9adc..208d9957 100644
--- a/policy/modules/contrib/dovecot.te
+++ b/policy/modules/contrib/dovecot.te
@@ -1,4 +1,4 @@
-policy_module(dovecot, 1.19.1)
+policy_module(dovecot, 1.19.2)
########################################
#
diff --git a/policy/modules/contrib/dphysswapfile.te b/policy/modules/contrib/dphysswapfile.te
index 5a308095..fe11baec 100644
--- a/policy/modules/contrib/dphysswapfile.te
+++ b/policy/modules/contrib/dphysswapfile.te
@@ -1,4 +1,4 @@
-policy_module(dphysswapfile, 1.0.2)
+policy_module(dphysswapfile, 1.0.3)
########################################
#
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index e781815d..730e38f6 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -1,4 +1,4 @@
-policy_module(dpkg, 1.11.7)
+policy_module(dpkg, 1.11.8)
########################################
#
diff --git a/policy/modules/contrib/drbd.te b/policy/modules/contrib/drbd.te
index 0d1e6366..e7907f2b 100644
--- a/policy/modules/contrib/drbd.te
+++ b/policy/modules/contrib/drbd.te
@@ -1,4 +1,4 @@
-policy_module(drbd, 1.2.1)
+policy_module(drbd, 1.2.2)
########################################
#
diff --git a/policy/modules/contrib/entropyd.te b/policy/modules/contrib/entropyd.te
index 991b6219..a788c570 100644
--- a/policy/modules/contrib/entropyd.te
+++ b/policy/modules/contrib/entropyd.te
@@ -1,4 +1,4 @@
-policy_module(entropyd, 1.11.0)
+policy_module(entropyd, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
index 66421ff3..389aa302 100644
--- a/policy/modules/contrib/exim.te
+++ b/policy/modules/contrib/exim.te
@@ -1,4 +1,4 @@
-policy_module(exim, 1.10.0)
+policy_module(exim, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/fakehwclock.te b/policy/modules/contrib/fakehwclock.te
index 5caedf9f..5a6e57ca 100644
--- a/policy/modules/contrib/fakehwclock.te
+++ b/policy/modules/contrib/fakehwclock.te
@@ -1,4 +1,4 @@
-policy_module(fakehwclock, 1.0.1)
+policy_module(fakehwclock, 1.0.2)
########################################
#
diff --git a/policy/modules/contrib/fcoe.te b/policy/modules/contrib/fcoe.te
index 706874f3..20714983 100644
--- a/policy/modules/contrib/fcoe.te
+++ b/policy/modules/contrib/fcoe.te
@@ -1,4 +1,4 @@
-policy_module(fcoe, 1.3.0)
+policy_module(fcoe, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/finger.te b/policy/modules/contrib/finger.te
index d7fdd5eb..2619a20b 100644
--- a/policy/modules/contrib/finger.te
+++ b/policy/modules/contrib/finger.te
@@ -1,4 +1,4 @@
-policy_module(finger, 1.12.0)
+policy_module(finger, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
index 70f5fb43..c05dff4e 100644
--- a/policy/modules/contrib/firewalld.te
+++ b/policy/modules/contrib/firewalld.te
@@ -1,4 +1,4 @@
-policy_module(firewalld, 1.5.1)
+policy_module(firewalld, 1.5.2)
########################################
#
diff --git a/policy/modules/contrib/firstboot.te b/policy/modules/contrib/firstboot.te
index e5c5ecdb..a1afc1b7 100644
--- a/policy/modules/contrib/firstboot.te
+++ b/policy/modules/contrib/firstboot.te
@@ -1,4 +1,4 @@
-policy_module(firstboot, 1.13.1)
+policy_module(firstboot, 1.13.2)
gen_require(`
class passwd { passwd chfn chsh rootok };
diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
index 7e81e249..f18dc97b 100644
--- a/policy/modules/contrib/ftp.te
+++ b/policy/modules/contrib/ftp.te
@@ -1,4 +1,4 @@
-policy_module(ftp, 1.20.0)
+policy_module(ftp, 1.20.1)
########################################
#
diff --git a/policy/modules/contrib/gatekeeper.te b/policy/modules/contrib/gatekeeper.te
index 01dc4562..504f10e4 100644
--- a/policy/modules/contrib/gatekeeper.te
+++ b/policy/modules/contrib/gatekeeper.te
@@ -1,4 +1,4 @@
-policy_module(gatekeeper, 1.10.0)
+policy_module(gatekeeper, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/glusterfs.te b/policy/modules/contrib/glusterfs.te
index 07bd10d7..c32ed752 100644
--- a/policy/modules/contrib/glusterfs.te
+++ b/policy/modules/contrib/glusterfs.te
@@ -1,4 +1,4 @@
-policy_module(glusterfs, 1.4.0)
+policy_module(glusterfs, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/gpm.te b/policy/modules/contrib/gpm.te
index 4e2b5f9c..4452e0e6 100644
--- a/policy/modules/contrib/gpm.te
+++ b/policy/modules/contrib/gpm.te
@@ -1,4 +1,4 @@
-policy_module(gpm, 1.11.1)
+policy_module(gpm, 1.11.2)
########################################
#
diff --git a/policy/modules/contrib/gpsd.te b/policy/modules/contrib/gpsd.te
index 6f4e8b79..20c377aa 100644
--- a/policy/modules/contrib/gpsd.te
+++ b/policy/modules/contrib/gpsd.te
@@ -1,4 +1,4 @@
-policy_module(gpsd, 1.4.0)
+policy_module(gpsd, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te
index 997f3e3b..bce0de22 100644
--- a/policy/modules/contrib/hal.te
+++ b/policy/modules/contrib/hal.te
@@ -1,4 +1,4 @@
-policy_module(hal, 1.17.2)
+policy_module(hal, 1.17.3)
########################################
#
diff --git a/policy/modules/contrib/hddtemp.te b/policy/modules/contrib/hddtemp.te
index 90b148ec..135d8844 100644
--- a/policy/modules/contrib/hddtemp.te
+++ b/policy/modules/contrib/hddtemp.te
@@ -1,4 +1,4 @@
-policy_module(hddtemp, 1.3.0)
+policy_module(hddtemp, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/hwloc.te b/policy/modules/contrib/hwloc.te
index 716a590e..e6d6e0ae 100644
--- a/policy/modules/contrib/hwloc.te
+++ b/policy/modules/contrib/hwloc.te
@@ -1,4 +1,4 @@
-policy_module(hwloc, 1.1.0)
+policy_module(hwloc, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/hypervkvp.te b/policy/modules/contrib/hypervkvp.te
index 5f3e48da..8af768a4 100644
--- a/policy/modules/contrib/hypervkvp.te
+++ b/policy/modules/contrib/hypervkvp.te
@@ -1,4 +1,4 @@
-policy_module(hypervkvp, 1.1.0)
+policy_module(hypervkvp, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/i18n_input.te b/policy/modules/contrib/i18n_input.te
index d1a42660..6cb963ca 100644
--- a/policy/modules/contrib/i18n_input.te
+++ b/policy/modules/contrib/i18n_input.te
@@ -1,4 +1,4 @@
-policy_module(i18n_input, 1.11.0)
+policy_module(i18n_input, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/ifplugd.te b/policy/modules/contrib/ifplugd.te
index 4f1223db..46cc865a 100644
--- a/policy/modules/contrib/ifplugd.te
+++ b/policy/modules/contrib/ifplugd.te
@@ -1,4 +1,4 @@
-policy_module(ifplugd, 1.3.0)
+policy_module(ifplugd, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/inetd.te b/policy/modules/contrib/inetd.te
index 70ecd1e5..678cacdf 100644
--- a/policy/modules/contrib/inetd.te
+++ b/policy/modules/contrib/inetd.te
@@ -1,4 +1,4 @@
-policy_module(inetd, 1.14.1)
+policy_module(inetd, 1.14.2)
########################################
#
diff --git a/policy/modules/contrib/inn.te b/policy/modules/contrib/inn.te
index dc5c007e..fd579875 100644
--- a/policy/modules/contrib/inn.te
+++ b/policy/modules/contrib/inn.te
@@ -1,4 +1,4 @@
-policy_module(inn, 1.13.0)
+policy_module(inn, 1.13.1)
########################################
#
diff --git a/policy/modules/contrib/iodine.te b/policy/modules/contrib/iodine.te
index b316ec5b..f0896487 100644
--- a/policy/modules/contrib/iodine.te
+++ b/policy/modules/contrib/iodine.te
@@ -1,4 +1,4 @@
-policy_module(iodine, 1.2.2)
+policy_module(iodine, 1.2.3)
########################################
#
diff --git a/policy/modules/contrib/ircd.te b/policy/modules/contrib/ircd.te
index 94c9c233..75aaa8f9 100644
--- a/policy/modules/contrib/ircd.te
+++ b/policy/modules/contrib/ircd.te
@@ -1,4 +1,4 @@
-policy_module(ircd, 1.10.0)
+policy_module(ircd, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/irqbalance.te b/policy/modules/contrib/irqbalance.te
index b8cea5ec..0c78171b 100644
--- a/policy/modules/contrib/irqbalance.te
+++ b/policy/modules/contrib/irqbalance.te
@@ -1,4 +1,4 @@
-policy_module(irqbalance, 1.9.0)
+policy_module(irqbalance, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/iscsi.te b/policy/modules/contrib/iscsi.te
index 8061f7ea..ebd7b255 100644
--- a/policy/modules/contrib/iscsi.te
+++ b/policy/modules/contrib/iscsi.te
@@ -1,4 +1,4 @@
-policy_module(iscsi, 1.11.1)
+policy_module(iscsi, 1.11.2)
########################################
#
diff --git a/policy/modules/contrib/isns.te b/policy/modules/contrib/isns.te
index 83356b97..1afc0a09 100644
--- a/policy/modules/contrib/isns.te
+++ b/policy/modules/contrib/isns.te
@@ -1,4 +1,4 @@
-policy_module(isns, 1.2.0)
+policy_module(isns, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/jabber.te b/policy/modules/contrib/jabber.te
index 36f603c3..954f3613 100644
--- a/policy/modules/contrib/jabber.te
+++ b/policy/modules/contrib/jabber.te
@@ -1,4 +1,4 @@
-policy_module(jabber, 1.12.1)
+policy_module(jabber, 1.12.2)
########################################
#
diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te
index fb6f1378..659b3aeb 100644
--- a/policy/modules/contrib/kdump.te
+++ b/policy/modules/contrib/kdump.te
@@ -1,4 +1,4 @@
-policy_module(kdump, 1.5.2)
+policy_module(kdump, 1.5.3)
#######################################
#
diff --git a/policy/modules/contrib/kerberos.te b/policy/modules/contrib/kerberos.te
index d226156e..2c75d8ec 100644
--- a/policy/modules/contrib/kerberos.te
+++ b/policy/modules/contrib/kerberos.te
@@ -1,4 +1,4 @@
-policy_module(kerberos, 1.14.0)
+policy_module(kerberos, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/kerneloops.te b/policy/modules/contrib/kerneloops.te
index 58ee9516..f974f045 100644
--- a/policy/modules/contrib/kerneloops.te
+++ b/policy/modules/contrib/kerneloops.te
@@ -1,4 +1,4 @@
-policy_module(kerneloops, 1.6.2)
+policy_module(kerneloops, 1.6.3)
########################################
#
diff --git a/policy/modules/contrib/ksmtuned.te b/policy/modules/contrib/ksmtuned.te
index f03cf59a..bbfdb4c8 100644
--- a/policy/modules/contrib/ksmtuned.te
+++ b/policy/modules/contrib/ksmtuned.te
@@ -1,4 +1,4 @@
-policy_module(ksmtuned, 1.4.0)
+policy_module(ksmtuned, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/ktalk.te b/policy/modules/contrib/ktalk.te
index 52f3be7e..bcd12a05 100644
--- a/policy/modules/contrib/ktalk.te
+++ b/policy/modules/contrib/ktalk.te
@@ -1,4 +1,4 @@
-policy_module(ktalk, 1.10.0)
+policy_module(ktalk, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/kudzu.te b/policy/modules/contrib/kudzu.te
index b1696618..e893b789 100644
--- a/policy/modules/contrib/kudzu.te
+++ b/policy/modules/contrib/kudzu.te
@@ -1,4 +1,4 @@
-policy_module(kudzu, 1.12.2)
+policy_module(kudzu, 1.12.3)
########################################
#
diff --git a/policy/modules/contrib/l2tp.te b/policy/modules/contrib/l2tp.te
index b45a216f..a0f598e1 100644
--- a/policy/modules/contrib/l2tp.te
+++ b/policy/modules/contrib/l2tp.te
@@ -1,4 +1,4 @@
-policy_module(l2tp, 1.3.0)
+policy_module(l2tp, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
index 023884ab..35a1ff33 100644
--- a/policy/modules/contrib/ldap.te
+++ b/policy/modules/contrib/ldap.te
@@ -1,4 +1,4 @@
-policy_module(ldap, 1.15.0)
+policy_module(ldap, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/likewise.te b/policy/modules/contrib/likewise.te
index 21d18a3c..a0673fd5 100644
--- a/policy/modules/contrib/likewise.te
+++ b/policy/modules/contrib/likewise.te
@@ -1,4 +1,4 @@
-policy_module(likewise, 1.5.0)
+policy_module(likewise, 1.5.1)
#################################
#
diff --git a/policy/modules/contrib/lircd.te b/policy/modules/contrib/lircd.te
index 88078024..1be40213 100644
--- a/policy/modules/contrib/lircd.te
+++ b/policy/modules/contrib/lircd.te
@@ -1,4 +1,4 @@
-policy_module(lircd, 1.4.0)
+policy_module(lircd, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/lldpad.te b/policy/modules/contrib/lldpad.te
index 803bf48f..b30a33d1 100644
--- a/policy/modules/contrib/lldpad.te
+++ b/policy/modules/contrib/lldpad.te
@@ -1,4 +1,4 @@
-policy_module(lldpad, 1.3.0)
+policy_module(lldpad, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/lockdev.te b/policy/modules/contrib/lockdev.te
index 61db5a0a..f60ee157 100644
--- a/policy/modules/contrib/lockdev.te
+++ b/policy/modules/contrib/lockdev.te
@@ -1,4 +1,4 @@
-policy_module(lockdev, 1.5.0)
+policy_module(lockdev, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index 1c63e097..b0176afb 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.18.3)
+policy_module(logrotate, 1.18.4)
########################################
#
diff --git a/policy/modules/contrib/logwatch.te b/policy/modules/contrib/logwatch.te
index d2b54207..0e115309 100644
--- a/policy/modules/contrib/logwatch.te
+++ b/policy/modules/contrib/logwatch.te
@@ -1,4 +1,4 @@
-policy_module(logwatch, 1.14.1)
+policy_module(logwatch, 1.14.2)
#################################
#
diff --git a/policy/modules/contrib/lpd.te b/policy/modules/contrib/lpd.te
index 8ebe2435..64fd6e50 100644
--- a/policy/modules/contrib/lpd.te
+++ b/policy/modules/contrib/lpd.te
@@ -1,4 +1,4 @@
-policy_module(lpd, 1.15.2)
+policy_module(lpd, 1.15.3)
########################################
#
diff --git a/policy/modules/contrib/mailscanner.te b/policy/modules/contrib/mailscanner.te
index d8dcb317..2da0a226 100644
--- a/policy/modules/contrib/mailscanner.te
+++ b/policy/modules/contrib/mailscanner.te
@@ -1,4 +1,4 @@
-policy_module(mailscanner, 1.3.0)
+policy_module(mailscanner, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/mcelog.te b/policy/modules/contrib/mcelog.te
index 8e62b7a8..d5e1cba0 100644
--- a/policy/modules/contrib/mcelog.te
+++ b/policy/modules/contrib/mcelog.te
@@ -1,4 +1,4 @@
-policy_module(mcelog, 1.5.0)
+policy_module(mcelog, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/milter.te b/policy/modules/contrib/milter.te
index 8295ca64..96c0c59d 100644
--- a/policy/modules/contrib/milter.te
+++ b/policy/modules/contrib/milter.te
@@ -1,4 +1,4 @@
-policy_module(milter, 1.6.1)
+policy_module(milter, 1.6.2)
########################################
#
diff --git a/policy/modules/contrib/minidlna.te b/policy/modules/contrib/minidlna.te
index 3ab4189d..7b8aa39d 100644
--- a/policy/modules/contrib/minidlna.te
+++ b/policy/modules/contrib/minidlna.te
@@ -1,4 +1,4 @@
-policy_module(minidlna, 1.1.0)
+policy_module(minidlna, 1.1.1)
#############################################
#
diff --git a/policy/modules/contrib/minissdpd.te b/policy/modules/contrib/minissdpd.te
index d16cdb1b..5145a16a 100644
--- a/policy/modules/contrib/minissdpd.te
+++ b/policy/modules/contrib/minissdpd.te
@@ -1,4 +1,4 @@
-policy_module(minissdpd, 1.3.0)
+policy_module(minissdpd, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/modemmanager.te b/policy/modules/contrib/modemmanager.te
index 20c99b63..b4236dd7 100644
--- a/policy/modules/contrib/modemmanager.te
+++ b/policy/modules/contrib/modemmanager.te
@@ -1,4 +1,4 @@
-policy_module(modemmanager, 1.4.0)
+policy_module(modemmanager, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/mon.te b/policy/modules/contrib/mon.te
index 0207d0ac..b8a92025 100644
--- a/policy/modules/contrib/mon.te
+++ b/policy/modules/contrib/mon.te
@@ -1,4 +1,4 @@
-policy_module(mon, 1.0.3)
+policy_module(mon, 1.0.4)
########################################
#
diff --git a/policy/modules/contrib/monop.te b/policy/modules/contrib/monop.te
index 091f315b..9337497d 100644
--- a/policy/modules/contrib/monop.te
+++ b/policy/modules/contrib/monop.te
@@ -1,4 +1,4 @@
-policy_module(monop, 1.10.0)
+policy_module(monop, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index caa21fb9..a330ed83 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.8.6)
+policy_module(mta, 2.8.7)
########################################
#
diff --git a/policy/modules/contrib/mysql.te b/policy/modules/contrib/mysql.te
index 6fe1ce56..04d9c9e9 100644
--- a/policy/modules/contrib/mysql.te
+++ b/policy/modules/contrib/mysql.te
@@ -1,4 +1,4 @@
-policy_module(mysql, 1.19.1)
+policy_module(mysql, 1.19.2)
########################################
#
diff --git a/policy/modules/contrib/nessus.te b/policy/modules/contrib/nessus.te
index e14a3f35..ba5114fa 100644
--- a/policy/modules/contrib/nessus.te
+++ b/policy/modules/contrib/nessus.te
@@ -1,4 +1,4 @@
-policy_module(nessus, 1.11.0)
+policy_module(nessus, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index c6d62977..1614b533 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.20.5)
+policy_module(networkmanager, 1.20.6)
########################################
#
diff --git a/policy/modules/contrib/nis.te b/policy/modules/contrib/nis.te
index c49ecb0b..11a3bde2 100644
--- a/policy/modules/contrib/nis.te
+++ b/policy/modules/contrib/nis.te
@@ -1,4 +1,4 @@
-policy_module(nis, 1.15.1)
+policy_module(nis, 1.15.2)
########################################
#
diff --git a/policy/modules/contrib/nscd.te b/policy/modules/contrib/nscd.te
index dfd1adf8..93daee41 100644
--- a/policy/modules/contrib/nscd.te
+++ b/policy/modules/contrib/nscd.te
@@ -1,4 +1,4 @@
-policy_module(nscd, 1.15.0)
+policy_module(nscd, 1.15.1)
gen_require(`
class nscd all_nscd_perms;
diff --git a/policy/modules/contrib/nsd.te b/policy/modules/contrib/nsd.te
index 911aa8ca..8851506f 100644
--- a/policy/modules/contrib/nsd.te
+++ b/policy/modules/contrib/nsd.te
@@ -1,4 +1,4 @@
-policy_module(nsd, 1.10.0)
+policy_module(nsd, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/nslcd.te b/policy/modules/contrib/nslcd.te
index 30639e64..eb6ed983 100644
--- a/policy/modules/contrib/nslcd.te
+++ b/policy/modules/contrib/nslcd.te
@@ -1,4 +1,4 @@
-policy_module(nslcd, 1.7.0)
+policy_module(nslcd, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/ntop.te b/policy/modules/contrib/ntop.te
index 025f5d4a..1b5251a5 100644
--- a/policy/modules/contrib/ntop.te
+++ b/policy/modules/contrib/ntop.te
@@ -1,4 +1,4 @@
-policy_module(ntop, 1.12.0)
+policy_module(ntop, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 89b31bf3..cbd5fd18 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.16.4)
+policy_module(ntp, 1.16.5)
########################################
#
diff --git a/policy/modules/contrib/nut.te b/policy/modules/contrib/nut.te
index d38ced7b..0a12ac89 100644
--- a/policy/modules/contrib/nut.te
+++ b/policy/modules/contrib/nut.te
@@ -1,4 +1,4 @@
-policy_module(nut, 1.6.1)
+policy_module(nut, 1.6.2)
########################################
#
diff --git a/policy/modules/contrib/oav.te b/policy/modules/contrib/oav.te
index b09c4c41..4a171f13 100644
--- a/policy/modules/contrib/oav.te
+++ b/policy/modules/contrib/oav.te
@@ -1,4 +1,4 @@
-policy_module(oav, 1.10.0)
+policy_module(oav, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/oddjob.te b/policy/modules/contrib/oddjob.te
index 507d6d24..dd34cec0 100644
--- a/policy/modules/contrib/oddjob.te
+++ b/policy/modules/contrib/oddjob.te
@@ -1,4 +1,4 @@
-policy_module(oddjob, 1.11.1)
+policy_module(oddjob, 1.11.2)
########################################
#
diff --git a/policy/modules/contrib/oident.te b/policy/modules/contrib/oident.te
index c1f42dc1..6d19804e 100644
--- a/policy/modules/contrib/oident.te
+++ b/policy/modules/contrib/oident.te
@@ -1,4 +1,4 @@
-policy_module(oident, 2.4.0)
+policy_module(oident, 2.4.1)
########################################
#
diff --git a/policy/modules/contrib/openct.te b/policy/modules/contrib/openct.te
index 5002e6ac..c4157e74 100644
--- a/policy/modules/contrib/openct.te
+++ b/policy/modules/contrib/openct.te
@@ -1,4 +1,4 @@
-policy_module(openct, 1.9.0)
+policy_module(openct, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/openhpi.te b/policy/modules/contrib/openhpi.te
index ea840550..d33d901a 100644
--- a/policy/modules/contrib/openhpi.te
+++ b/policy/modules/contrib/openhpi.te
@@ -1,4 +1,4 @@
-policy_module(openhpi, 1.3.0)
+policy_module(openhpi, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/openvpn.te b/policy/modules/contrib/openvpn.te
index 54170a62..49c3dc0e 100644
--- a/policy/modules/contrib/openvpn.te
+++ b/policy/modules/contrib/openvpn.te
@@ -1,4 +1,4 @@
-policy_module(openvpn, 1.15.1)
+policy_module(openvpn, 1.15.2)
########################################
#
diff --git a/policy/modules/contrib/pacemaker.te b/policy/modules/contrib/pacemaker.te
index 218470bb..d5509e77 100644
--- a/policy/modules/contrib/pacemaker.te
+++ b/policy/modules/contrib/pacemaker.te
@@ -1,4 +1,4 @@
-policy_module(pacemaker, 1.3.0)
+policy_module(pacemaker, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/pcmcia.te b/policy/modules/contrib/pcmcia.te
index 5d8ccb2f..63a42663 100644
--- a/policy/modules/contrib/pcmcia.te
+++ b/policy/modules/contrib/pcmcia.te
@@ -1,4 +1,4 @@
-policy_module(pcmcia, 1.8.2)
+policy_module(pcmcia, 1.8.3)
########################################
#
diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
index e33dc6b6..1b3b1302 100644
--- a/policy/modules/contrib/pcscd.te
+++ b/policy/modules/contrib/pcscd.te
@@ -1,4 +1,4 @@
-policy_module(pcscd, 1.12.0)
+policy_module(pcscd, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/pegasus.te b/policy/modules/contrib/pegasus.te
index b2138295..1648e483 100644
--- a/policy/modules/contrib/pegasus.te
+++ b/policy/modules/contrib/pegasus.te
@@ -1,4 +1,4 @@
-policy_module(pegasus, 1.12.0)
+policy_module(pegasus, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/perdition.te b/policy/modules/contrib/perdition.te
index 2975c2cc..42df124f 100644
--- a/policy/modules/contrib/perdition.te
+++ b/policy/modules/contrib/perdition.te
@@ -1,4 +1,4 @@
-policy_module(perdition, 1.10.1)
+policy_module(perdition, 1.10.2)
########################################
#
diff --git a/policy/modules/contrib/pingd.te b/policy/modules/contrib/pingd.te
index fbe72918..6614fd9e 100644
--- a/policy/modules/contrib/pingd.te
+++ b/policy/modules/contrib/pingd.te
@@ -1,4 +1,4 @@
-policy_module(pingd, 1.2.0)
+policy_module(pingd, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/pkcs.te b/policy/modules/contrib/pkcs.te
index b10f18e7..eeb4bacd 100644
--- a/policy/modules/contrib/pkcs.te
+++ b/policy/modules/contrib/pkcs.te
@@ -1,4 +1,4 @@
-policy_module(pkcs, 1.3.0)
+policy_module(pkcs, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/plymouthd.te b/policy/modules/contrib/plymouthd.te
index 6c73283c..71467854 100644
--- a/policy/modules/contrib/plymouthd.te
+++ b/policy/modules/contrib/plymouthd.te
@@ -1,4 +1,4 @@
-policy_module(plymouthd, 1.4.2)
+policy_module(plymouthd, 1.4.3)
########################################
#
diff --git a/policy/modules/contrib/portmap.te b/policy/modules/contrib/portmap.te
index 2a8c850b..b894502e 100644
--- a/policy/modules/contrib/portmap.te
+++ b/policy/modules/contrib/portmap.te
@@ -1,4 +1,4 @@
-policy_module(portmap, 1.13.1)
+policy_module(portmap, 1.13.2)
########################################
#
diff --git a/policy/modules/contrib/portreserve.te b/policy/modules/contrib/portreserve.te
index a09698ce..298d5905 100644
--- a/policy/modules/contrib/portreserve.te
+++ b/policy/modules/contrib/portreserve.te
@@ -1,4 +1,4 @@
-policy_module(portreserve, 1.6.1)
+policy_module(portreserve, 1.6.2)
########################################
#
diff --git a/policy/modules/contrib/portslave.te b/policy/modules/contrib/portslave.te
index b34887c9..217bebaf 100644
--- a/policy/modules/contrib/portslave.te
+++ b/policy/modules/contrib/portslave.te
@@ -1,4 +1,4 @@
-policy_module(portslave, 1.8.0)
+policy_module(portslave, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 1b562bab..33f2cdd1 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -1,4 +1,4 @@
-policy_module(postfix, 1.17.2)
+policy_module(postfix, 1.17.3)
########################################
#
diff --git a/policy/modules/contrib/postfixpolicyd.te b/policy/modules/contrib/postfixpolicyd.te
index be84e714..082b2a06 100644
--- a/policy/modules/contrib/postfixpolicyd.te
+++ b/policy/modules/contrib/postfixpolicyd.te
@@ -1,4 +1,4 @@
-policy_module(postfixpolicyd, 1.5.1)
+policy_module(postfixpolicyd, 1.5.2)
########################################
#
diff --git a/policy/modules/contrib/postgrey.te b/policy/modules/contrib/postgrey.te
index 4fe73487..0628a4e5 100644
--- a/policy/modules/contrib/postgrey.te
+++ b/policy/modules/contrib/postgrey.te
@@ -1,4 +1,4 @@
-policy_module(postgrey, 1.11.1)
+policy_module(postgrey, 1.11.2)
########################################
#
diff --git a/policy/modules/contrib/ppp.te b/policy/modules/contrib/ppp.te
index 6d34d7b7..8f05b2d6 100644
--- a/policy/modules/contrib/ppp.te
+++ b/policy/modules/contrib/ppp.te
@@ -1,4 +1,4 @@
-policy_module(ppp, 1.17.2)
+policy_module(ppp, 1.17.3)
########################################
#
diff --git a/policy/modules/contrib/prelink.te b/policy/modules/contrib/prelink.te
index 784b81ae..3198c925 100644
--- a/policy/modules/contrib/prelink.te
+++ b/policy/modules/contrib/prelink.te
@@ -1,4 +1,4 @@
-policy_module(prelink, 1.11.1)
+policy_module(prelink, 1.11.2)
########################################
#
diff --git a/policy/modules/contrib/prelude.te b/policy/modules/contrib/prelude.te
index 4f14f0b6..5c8efc5d 100644
--- a/policy/modules/contrib/prelude.te
+++ b/policy/modules/contrib/prelude.te
@@ -1,4 +1,4 @@
-policy_module(prelude, 1.7.1)
+policy_module(prelude, 1.7.2)
########################################
#
diff --git a/policy/modules/contrib/privoxy.te b/policy/modules/contrib/privoxy.te
index ce344917..5205da69 100644
--- a/policy/modules/contrib/privoxy.te
+++ b/policy/modules/contrib/privoxy.te
@@ -1,4 +1,4 @@
-policy_module(privoxy, 1.14.0)
+policy_module(privoxy, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/psad.te b/policy/modules/contrib/psad.te
index b94e44a9..53fc70b2 100644
--- a/policy/modules/contrib/psad.te
+++ b/policy/modules/contrib/psad.te
@@ -1,4 +1,4 @@
-policy_module(psad, 1.4.0)
+policy_module(psad, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/pxe.te b/policy/modules/contrib/pxe.te
index 8694d852..c9ef2a2c 100644
--- a/policy/modules/contrib/pxe.te
+++ b/policy/modules/contrib/pxe.te
@@ -1,4 +1,4 @@
-policy_module(pxe, 1.7.0)
+policy_module(pxe, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/qmail.te b/policy/modules/contrib/qmail.te
index 455f2c0e..99b31343 100644
--- a/policy/modules/contrib/qmail.te
+++ b/policy/modules/contrib/qmail.te
@@ -1,4 +1,4 @@
-policy_module(qmail, 1.7.0)
+policy_module(qmail, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/qpid.te b/policy/modules/contrib/qpid.te
index edae1871..4a7e0bf9 100644
--- a/policy/modules/contrib/qpid.te
+++ b/policy/modules/contrib/qpid.te
@@ -1,4 +1,4 @@
-policy_module(qpid, 1.3.0)
+policy_module(qpid, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/quota.te b/policy/modules/contrib/quota.te
index 95fc0aa3..6100ff21 100644
--- a/policy/modules/contrib/quota.te
+++ b/policy/modules/contrib/quota.te
@@ -1,4 +1,4 @@
-policy_module(quota, 1.9.1)
+policy_module(quota, 1.9.2)
########################################
#
diff --git a/policy/modules/contrib/radius.te b/policy/modules/contrib/radius.te
index bbe4e1ce..0d3a0c57 100644
--- a/policy/modules/contrib/radius.te
+++ b/policy/modules/contrib/radius.te
@@ -1,4 +1,4 @@
-policy_module(radius, 1.15.0)
+policy_module(radius, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/radvd.te b/policy/modules/contrib/radvd.te
index 41df3b57..b9972ee5 100644
--- a/policy/modules/contrib/radvd.te
+++ b/policy/modules/contrib/radvd.te
@@ -1,4 +1,4 @@
-policy_module(radvd, 1.16.0)
+policy_module(radvd, 1.16.1)
########################################
#
diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
index 49c7dbb4..011b2967 100644
--- a/policy/modules/contrib/raid.te
+++ b/policy/modules/contrib/raid.te
@@ -1,4 +1,4 @@
-policy_module(raid, 1.17.1)
+policy_module(raid, 1.17.2)
########################################
#
diff --git a/policy/modules/contrib/rdisc.te b/policy/modules/contrib/rdisc.te
index ea6d2d92..d4b488de 100644
--- a/policy/modules/contrib/rdisc.te
+++ b/policy/modules/contrib/rdisc.te
@@ -1,4 +1,4 @@
-policy_module(rdisc, 1.8.1)
+policy_module(rdisc, 1.8.2)
########################################
#
diff --git a/policy/modules/contrib/readahead.te b/policy/modules/contrib/readahead.te
index ec587591..e70c52a6 100644
--- a/policy/modules/contrib/readahead.te
+++ b/policy/modules/contrib/readahead.te
@@ -1,4 +1,4 @@
-policy_module(readahead, 1.15.1)
+policy_module(readahead, 1.15.2)
########################################
#
diff --git a/policy/modules/contrib/redis.te b/policy/modules/contrib/redis.te
index b5162055..362cc355 100644
--- a/policy/modules/contrib/redis.te
+++ b/policy/modules/contrib/redis.te
@@ -1,4 +1,4 @@
-policy_module(redis, 1.4.0)
+policy_module(redis, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/resmgr.te b/policy/modules/contrib/resmgr.te
index 25e40670..3fce4733 100644
--- a/policy/modules/contrib/resmgr.te
+++ b/policy/modules/contrib/resmgr.te
@@ -1,4 +1,4 @@
-policy_module(resmgr, 1.5.1)
+policy_module(resmgr, 1.5.2)
########################################
#
diff --git a/policy/modules/contrib/rgmanager.te b/policy/modules/contrib/rgmanager.te
index 905c3d44..e63c628f 100644
--- a/policy/modules/contrib/rgmanager.te
+++ b/policy/modules/contrib/rgmanager.te
@@ -1,4 +1,4 @@
-policy_module(rgmanager, 1.6.0)
+policy_module(rgmanager, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/rhcs.te b/policy/modules/contrib/rhcs.te
index 85a3a066..2cf91164 100644
--- a/policy/modules/contrib/rhcs.te
+++ b/policy/modules/contrib/rhcs.te
@@ -1,4 +1,4 @@
-policy_module(rhcs, 1.6.0)
+policy_module(rhcs, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/ricci.te b/policy/modules/contrib/ricci.te
index e576ff12..f2e9c806 100644
--- a/policy/modules/contrib/ricci.te
+++ b/policy/modules/contrib/ricci.te
@@ -1,4 +1,4 @@
-policy_module(ricci, 1.10.1)
+policy_module(ricci, 1.10.2)
########################################
#
diff --git a/policy/modules/contrib/rlogin.te b/policy/modules/contrib/rlogin.te
index 94d41e81..fa544703 100644
--- a/policy/modules/contrib/rlogin.te
+++ b/policy/modules/contrib/rlogin.te
@@ -1,4 +1,4 @@
-policy_module(rlogin, 1.12.0)
+policy_module(rlogin, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/rngd.te b/policy/modules/contrib/rngd.te
index ee1f1349..6f41db77 100644
--- a/policy/modules/contrib/rngd.te
+++ b/policy/modules/contrib/rngd.te
@@ -1,4 +1,4 @@
-policy_module(rngd, 1.4.0)
+policy_module(rngd, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 0b9a71fc..a8a83400 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.19.2)
+policy_module(rpc, 1.19.3)
########################################
#
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index abe55b18..75b5725f 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.11.2)
+policy_module(rpcbind, 1.11.3)
########################################
#
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 2e3596b0..2dcf018c 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -1,4 +1,4 @@
-policy_module(rpm, 1.19.2)
+policy_module(rpm, 1.19.3)
########################################
#
diff --git a/policy/modules/contrib/rshd.te b/policy/modules/contrib/rshd.te
index 78a8f3c7..4cff9508 100644
--- a/policy/modules/contrib/rshd.te
+++ b/policy/modules/contrib/rshd.te
@@ -1,4 +1,4 @@
-policy_module(rshd, 1.9.1)
+policy_module(rshd, 1.9.2)
########################################
#
diff --git a/policy/modules/contrib/rwho.te b/policy/modules/contrib/rwho.te
index 0cd90acd..9b731982 100644
--- a/policy/modules/contrib/rwho.te
+++ b/policy/modules/contrib/rwho.te
@@ -1,4 +1,4 @@
-policy_module(rwho, 1.8.0)
+policy_module(rwho, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 06323b49..2bde1870 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1,4 +1,4 @@
-policy_module(samba, 1.20.1)
+policy_module(samba, 1.20.2)
#################################
#
diff --git a/policy/modules/contrib/samhain.te b/policy/modules/contrib/samhain.te
index 9618e95c..20972aa3 100644
--- a/policy/modules/contrib/samhain.te
+++ b/policy/modules/contrib/samhain.te
@@ -1,4 +1,4 @@
-policy_module(samhain, 1.4.1)
+policy_module(samhain, 1.4.2)
########################################
#
diff --git a/policy/modules/contrib/sanlock.te b/policy/modules/contrib/sanlock.te
index fccc1c29..b818f2b6 100644
--- a/policy/modules/contrib/sanlock.te
+++ b/policy/modules/contrib/sanlock.te
@@ -1,4 +1,4 @@
-policy_module(sanlock, 1.3.0)
+policy_module(sanlock, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/sasl.te b/policy/modules/contrib/sasl.te
index 235a66d8..daf996eb 100644
--- a/policy/modules/contrib/sasl.te
+++ b/policy/modules/contrib/sasl.te
@@ -1,4 +1,4 @@
-policy_module(sasl, 1.18.0)
+policy_module(sasl, 1.18.1)
########################################
#
diff --git a/policy/modules/contrib/sblim.te b/policy/modules/contrib/sblim.te
index 77632c25..9a901bd5 100644
--- a/policy/modules/contrib/sblim.te
+++ b/policy/modules/contrib/sblim.te
@@ -1,4 +1,4 @@
-policy_module(sblim, 1.3.0)
+policy_module(sblim, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/sensord.te b/policy/modules/contrib/sensord.te
index f5d4288a..572bf7cf 100644
--- a/policy/modules/contrib/sensord.te
+++ b/policy/modules/contrib/sensord.te
@@ -1,4 +1,4 @@
-policy_module(sensord, 1.2.0)
+policy_module(sensord, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/setroubleshoot.te b/policy/modules/contrib/setroubleshoot.te
index 68f546fe..2d8adf9e 100644
--- a/policy/modules/contrib/setroubleshoot.te
+++ b/policy/modules/contrib/setroubleshoot.te
@@ -1,4 +1,4 @@
-policy_module(setroubleshoot, 1.15.0)
+policy_module(setroubleshoot, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/shibboleth.te b/policy/modules/contrib/shibboleth.te
index 0d742041..7ed9e3f9 100644
--- a/policy/modules/contrib/shibboleth.te
+++ b/policy/modules/contrib/shibboleth.te
@@ -1,4 +1,4 @@
-policy_module(shibboleth, 1.2.0)
+policy_module(shibboleth, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/shorewall.te b/policy/modules/contrib/shorewall.te
index e7249426..a56cab4a 100644
--- a/policy/modules/contrib/shorewall.te
+++ b/policy/modules/contrib/shorewall.te
@@ -1,4 +1,4 @@
-policy_module(shorewall, 1.6.2)
+policy_module(shorewall, 1.6.3)
########################################
#
diff --git a/policy/modules/contrib/shutdown.te b/policy/modules/contrib/shutdown.te
index 0e38114a..881f6c1f 100644
--- a/policy/modules/contrib/shutdown.te
+++ b/policy/modules/contrib/shutdown.te
@@ -1,4 +1,4 @@
-policy_module(shutdown, 1.4.2)
+policy_module(shutdown, 1.4.3)
########################################
#
diff --git a/policy/modules/contrib/slpd.te b/policy/modules/contrib/slpd.te
index f4f1edfd..116f3e35 100644
--- a/policy/modules/contrib/slpd.te
+++ b/policy/modules/contrib/slpd.te
@@ -1,4 +1,4 @@
-policy_module(slpd, 1.3.0)
+policy_module(slpd, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/smartmon.te b/policy/modules/contrib/smartmon.te
index 1ad706c7..74925838 100644
--- a/policy/modules/contrib/smartmon.te
+++ b/policy/modules/contrib/smartmon.te
@@ -1,4 +1,4 @@
-policy_module(smartmon, 1.14.1)
+policy_module(smartmon, 1.14.2)
########################################
#
diff --git a/policy/modules/contrib/smokeping.te b/policy/modules/contrib/smokeping.te
index cc19c38d..ed86ad9a 100644
--- a/policy/modules/contrib/smokeping.te
+++ b/policy/modules/contrib/smokeping.te
@@ -1,4 +1,4 @@
-policy_module(smokeping, 1.4.0)
+policy_module(smokeping, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/smstools.te b/policy/modules/contrib/smstools.te
index 55096f6a..e18a79b6 100644
--- a/policy/modules/contrib/smstools.te
+++ b/policy/modules/contrib/smstools.te
@@ -1,4 +1,4 @@
-policy_module(smstools, 1.2.0)
+policy_module(smstools, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/snmp.te b/policy/modules/contrib/snmp.te
index fe37b52d..134094e8 100644
--- a/policy/modules/contrib/snmp.te
+++ b/policy/modules/contrib/snmp.te
@@ -1,4 +1,4 @@
-policy_module(snmp, 1.16.0)
+policy_module(snmp, 1.16.1)
########################################
#
diff --git a/policy/modules/contrib/snort.te b/policy/modules/contrib/snort.te
index 536efd00..6ccb88d2 100644
--- a/policy/modules/contrib/snort.te
+++ b/policy/modules/contrib/snort.te
@@ -1,4 +1,4 @@
-policy_module(snort, 1.14.0)
+policy_module(snort, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/sosreport.te b/policy/modules/contrib/sosreport.te
index 940f220a..0adbde7e 100644
--- a/policy/modules/contrib/sosreport.te
+++ b/policy/modules/contrib/sosreport.te
@@ -1,4 +1,4 @@
-policy_module(sosreport, 1.4.0)
+policy_module(sosreport, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/soundserver.te b/policy/modules/contrib/soundserver.te
index 5b8bd927..18386afd 100644
--- a/policy/modules/contrib/soundserver.te
+++ b/policy/modules/contrib/soundserver.te
@@ -1,4 +1,4 @@
-policy_module(soundserver, 1.11.0)
+policy_module(soundserver, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
index 2f770d2d..74d30072 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -1,4 +1,4 @@
-policy_module(spamassassin, 2.10.1)
+policy_module(spamassassin, 2.10.2)
########################################
#
diff --git a/policy/modules/contrib/speedtouch.te b/policy/modules/contrib/speedtouch.te
index 70dcf8d4..e91ca9e4 100644
--- a/policy/modules/contrib/speedtouch.te
+++ b/policy/modules/contrib/speedtouch.te
@@ -1,4 +1,4 @@
-policy_module(speedtouch, 1.6.0)
+policy_module(speedtouch, 1.6.1)
#######################################
#
diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
index f4fd15e8..626e10bc 100644
--- a/policy/modules/contrib/squid.te
+++ b/policy/modules/contrib/squid.te
@@ -1,4 +1,4 @@
-policy_module(squid, 1.15.1)
+policy_module(squid, 1.15.2)
########################################
#
diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
index e273c904..2e9b28ac 100644
--- a/policy/modules/contrib/sssd.te
+++ b/policy/modules/contrib/sssd.te
@@ -1,4 +1,4 @@
-policy_module(sssd, 1.4.0)
+policy_module(sssd, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/sxid.te b/policy/modules/contrib/sxid.te
index 010c40ce..3c9f9a73 100644
--- a/policy/modules/contrib/sxid.te
+++ b/policy/modules/contrib/sxid.te
@@ -1,4 +1,4 @@
-policy_module(sxid, 1.8.0)
+policy_module(sxid, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/tboot.te b/policy/modules/contrib/tboot.te
index 4961a362..02bae3b7 100644
--- a/policy/modules/contrib/tboot.te
+++ b/policy/modules/contrib/tboot.te
@@ -1,4 +1,4 @@
-policy_module(tboot, 1.0.0)
+policy_module(tboot, 1.0.1)
########################################
#
diff --git a/policy/modules/contrib/tcpd.te b/policy/modules/contrib/tcpd.te
index 2d6d2c23..32485347 100644
--- a/policy/modules/contrib/tcpd.te
+++ b/policy/modules/contrib/tcpd.te
@@ -1,4 +1,4 @@
-policy_module(tcpd, 1.5.0)
+policy_module(tcpd, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/tcsd.te b/policy/modules/contrib/tcsd.te
index ca98bf86..36434768 100644
--- a/policy/modules/contrib/tcsd.te
+++ b/policy/modules/contrib/tcsd.te
@@ -1,4 +1,4 @@
-policy_module(tcsd, 1.3.0)
+policy_module(tcsd, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/telnet.te b/policy/modules/contrib/telnet.te
index 6007d763..f0da2757 100644
--- a/policy/modules/contrib/telnet.te
+++ b/policy/modules/contrib/telnet.te
@@ -1,4 +1,4 @@
-policy_module(telnet, 1.12.0)
+policy_module(telnet, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/tftp.te b/policy/modules/contrib/tftp.te
index cfaa2a19..02dfb404 100644
--- a/policy/modules/contrib/tftp.te
+++ b/policy/modules/contrib/tftp.te
@@ -1,4 +1,4 @@
-policy_module(tftp, 1.13.0)
+policy_module(tftp, 1.13.1)
########################################
#
diff --git a/policy/modules/contrib/tgtd.te b/policy/modules/contrib/tgtd.te
index c3761188..d21cf4b4 100644
--- a/policy/modules/contrib/tgtd.te
+++ b/policy/modules/contrib/tgtd.te
@@ -1,4 +1,4 @@
-policy_module(tgtd, 1.6.0)
+policy_module(tgtd, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/tmpreaper.te b/policy/modules/contrib/tmpreaper.te
index f96e6242..f6fad636 100644
--- a/policy/modules/contrib/tmpreaper.te
+++ b/policy/modules/contrib/tmpreaper.te
@@ -1,4 +1,4 @@
-policy_module(tmpreaper, 1.8.0)
+policy_module(tmpreaper, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/transproxy.te b/policy/modules/contrib/transproxy.te
index 61b6f5cb..2e7c2f7e 100644
--- a/policy/modules/contrib/transproxy.te
+++ b/policy/modules/contrib/transproxy.te
@@ -1,4 +1,4 @@
-policy_module(transproxy, 1.10.0)
+policy_module(transproxy, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/tripwire.te b/policy/modules/contrib/tripwire.te
index 47dc24b3..0a098f30 100644
--- a/policy/modules/contrib/tripwire.te
+++ b/policy/modules/contrib/tripwire.te
@@ -1,4 +1,4 @@
-policy_module(tripwire, 1.3.0)
+policy_module(tripwire, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/tuned.te b/policy/modules/contrib/tuned.te
index ba1e1471..5aef872b 100644
--- a/policy/modules/contrib/tuned.te
+++ b/policy/modules/contrib/tuned.te
@@ -1,4 +1,4 @@
-policy_module(tuned, 1.4.0)
+policy_module(tuned, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/tzdata.te b/policy/modules/contrib/tzdata.te
index 221c43b8..55656375 100644
--- a/policy/modules/contrib/tzdata.te
+++ b/policy/modules/contrib/tzdata.te
@@ -1,4 +1,4 @@
-policy_module(tzdata, 1.5.0)
+policy_module(tzdata, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/ulogd.te b/policy/modules/contrib/ulogd.te
index 50beee26..d2ac9c3c 100644
--- a/policy/modules/contrib/ulogd.te
+++ b/policy/modules/contrib/ulogd.te
@@ -1,4 +1,4 @@
-policy_module(ulogd, 1.4.0)
+policy_module(ulogd, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/updfstab.te b/policy/modules/contrib/updfstab.te
index 02754be8..735a3cc2 100644
--- a/policy/modules/contrib/updfstab.te
+++ b/policy/modules/contrib/updfstab.te
@@ -1,4 +1,4 @@
-policy_module(updfstab, 1.6.1)
+policy_module(updfstab, 1.6.2)
########################################
#
diff --git a/policy/modules/contrib/uptime.te b/policy/modules/contrib/uptime.te
index 79c6c8ed..8130870c 100644
--- a/policy/modules/contrib/uptime.te
+++ b/policy/modules/contrib/uptime.te
@@ -1,4 +1,4 @@
-policy_module(uptime, 1.8.0)
+policy_module(uptime, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/usbmodules.te b/policy/modules/contrib/usbmodules.te
index d4307b9d..84312dd4 100644
--- a/policy/modules/contrib/usbmodules.te
+++ b/policy/modules/contrib/usbmodules.te
@@ -1,4 +1,4 @@
-policy_module(usbmodules, 1.3.1)
+policy_module(usbmodules, 1.3.2)
########################################
#
diff --git a/policy/modules/contrib/usbmuxd.te b/policy/modules/contrib/usbmuxd.te
index a1d498e6..77f7a7e6 100644
--- a/policy/modules/contrib/usbmuxd.te
+++ b/policy/modules/contrib/usbmuxd.te
@@ -1,4 +1,4 @@
-policy_module(usbmuxd, 1.3.0)
+policy_module(usbmuxd, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/userhelper.te b/policy/modules/contrib/userhelper.te
index 9c7ac268..d620c666 100644
--- a/policy/modules/contrib/userhelper.te
+++ b/policy/modules/contrib/userhelper.te
@@ -1,4 +1,4 @@
-policy_module(userhelper, 1.10.0)
+policy_module(userhelper, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/usernetctl.te b/policy/modules/contrib/usernetctl.te
index 1c8b8dfd..3a4d5caa 100644
--- a/policy/modules/contrib/usernetctl.te
+++ b/policy/modules/contrib/usernetctl.te
@@ -1,4 +1,4 @@
-policy_module(usernetctl, 1.7.1)
+policy_module(usernetctl, 1.7.2)
########################################
#
diff --git a/policy/modules/contrib/uucp.te b/policy/modules/contrib/uucp.te
index d44d025f..7547ba14 100644
--- a/policy/modules/contrib/uucp.te
+++ b/policy/modules/contrib/uucp.te
@@ -1,4 +1,4 @@
-policy_module(uucp, 1.14.0)
+policy_module(uucp, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/uuidd.te b/policy/modules/contrib/uuidd.te
index 176ae298..fc83244f 100644
--- a/policy/modules/contrib/uuidd.te
+++ b/policy/modules/contrib/uuidd.te
@@ -1,4 +1,4 @@
-policy_module(uuidd, 1.3.0)
+policy_module(uuidd, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/varnishd.te b/policy/modules/contrib/varnishd.te
index b36f69ca..bc464524 100644
--- a/policy/modules/contrib/varnishd.te
+++ b/policy/modules/contrib/varnishd.te
@@ -1,4 +1,4 @@
-policy_module(varnishd, 1.5.0)
+policy_module(varnishd, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/vbetool.te b/policy/modules/contrib/vbetool.te
index 09980a08..ed76f796 100644
--- a/policy/modules/contrib/vbetool.te
+++ b/policy/modules/contrib/vbetool.te
@@ -1,4 +1,4 @@
-policy_module(vbetool, 1.7.0)
+policy_module(vbetool, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/vdagent.te b/policy/modules/contrib/vdagent.te
index 4ceabe08..dca28b43 100644
--- a/policy/modules/contrib/vdagent.te
+++ b/policy/modules/contrib/vdagent.te
@@ -1,4 +1,4 @@
-policy_module(vdagent, 1.4.0)
+policy_module(vdagent, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/vhostmd.te b/policy/modules/contrib/vhostmd.te
index f6636a99..8720c22f 100644
--- a/policy/modules/contrib/vhostmd.te
+++ b/policy/modules/contrib/vhostmd.te
@@ -1,4 +1,4 @@
-policy_module(vhostmd, 1.3.0)
+policy_module(vhostmd, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index eb72843f..4fb34894 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.11.0)
+policy_module(virt, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/vlock.te b/policy/modules/contrib/vlock.te
index 3ef60af7..4e49bd9c 100644
--- a/policy/modules/contrib/vlock.te
+++ b/policy/modules/contrib/vlock.te
@@ -1,4 +1,4 @@
-policy_module(vlock, 1.2.1)
+policy_module(vlock, 1.2.2)
########################################
#
diff --git a/policy/modules/contrib/vmware.te b/policy/modules/contrib/vmware.te
index a4346aad..2332cc12 100644
--- a/policy/modules/contrib/vmware.te
+++ b/policy/modules/contrib/vmware.te
@@ -1,4 +1,4 @@
-policy_module(vmware, 2.8.1)
+policy_module(vmware, 2.8.2)
########################################
#
diff --git a/policy/modules/contrib/vnstatd.te b/policy/modules/contrib/vnstatd.te
index ee8ae063..1170dc37 100644
--- a/policy/modules/contrib/vnstatd.te
+++ b/policy/modules/contrib/vnstatd.te
@@ -1,4 +1,4 @@
-policy_module(vnstatd, 1.3.2)
+policy_module(vnstatd, 1.3.3)
########################################
#
diff --git a/policy/modules/contrib/vpn.te b/policy/modules/contrib/vpn.te
index 10fb1013..a6769a65 100644
--- a/policy/modules/contrib/vpn.te
+++ b/policy/modules/contrib/vpn.te
@@ -1,4 +1,4 @@
-policy_module(vpn, 1.17.1)
+policy_module(vpn, 1.17.2)
########################################
#
diff --git a/policy/modules/contrib/watchdog.te b/policy/modules/contrib/watchdog.te
index bac0a747..c58a46bc 100644
--- a/policy/modules/contrib/watchdog.te
+++ b/policy/modules/contrib/watchdog.te
@@ -1,4 +1,4 @@
-policy_module(watchdog, 1.12.0)
+policy_module(watchdog, 1.12.1)
#################################
#
diff --git a/policy/modules/contrib/wdmd.te b/policy/modules/contrib/wdmd.te
index 24c3802e..03351241 100644
--- a/policy/modules/contrib/wdmd.te
+++ b/policy/modules/contrib/wdmd.te
@@ -1,4 +1,4 @@
-policy_module(wdmd, 1.3.0)
+policy_module(wdmd, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te
index 0d680116..5886a0c2 100644
--- a/policy/modules/contrib/xen.te
+++ b/policy/modules/contrib/xen.te
@@ -1,4 +1,4 @@
-policy_module(xen, 1.15.1)
+policy_module(xen, 1.15.2)
########################################
#
diff --git a/policy/modules/contrib/zabbix.te b/policy/modules/contrib/zabbix.te
index a021b743..3f45497a 100644
--- a/policy/modules/contrib/zabbix.te
+++ b/policy/modules/contrib/zabbix.te
@@ -1,4 +1,4 @@
-policy_module(zabbix, 1.10.0)
+policy_module(zabbix, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/zebra.te b/policy/modules/contrib/zebra.te
index bfc2d21d..25e66cae 100644
--- a/policy/modules/contrib/zebra.te
+++ b/policy/modules/contrib/zebra.te
@@ -1,4 +1,4 @@
-policy_module(zebra, 1.15.0)
+policy_module(zebra, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/zosremote.te b/policy/modules/contrib/zosremote.te
index 7139cde4..67ea8925 100644
--- a/policy/modules/contrib/zosremote.te
+++ b/policy/modules/contrib/zosremote.te
@@ -1,4 +1,4 @@
-policy_module(zosremote, 1.2.1)
+policy_module(zosremote, 1.2.2)
########################################
#
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2017-05-07 16:09 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-05-07 17:47 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-05-07 17:47 UTC (permalink / raw
To: gentoo-commits
commit: 17df41e7dfd69017344a22a0033cc2c75da1b9bf
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sat Apr 15 18:52:04 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May 7 16:02:02 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=17df41e7
Support systems with a single /usr/bin directory
Create /usr/bin/... file context definitions for all /usr/sbin/... ones.
This implements https://github.com/TresysTechnology/refpolicy/pull/116
for contrib modules.
policy/modules/contrib/abrt.fc | 3 +++
policy/modules/contrib/acct.fc | 2 ++
policy/modules/contrib/acpi.fc | 3 +++
policy/modules/contrib/afs.fc | 3 +++
policy/modules/contrib/aiccu.fc | 2 ++
policy/modules/contrib/aisexec.fc | 2 ++
policy/modules/contrib/alsa.fc | 2 ++
policy/modules/contrib/amanda.fc | 3 +++
policy/modules/contrib/amavis.fc | 2 ++
policy/modules/contrib/apache.fc | 12 ++++++++++++
policy/modules/contrib/apcupsd.fc | 2 ++
policy/modules/contrib/arpwatch.fc | 2 ++
policy/modules/contrib/asterisk.fc | 2 ++
policy/modules/contrib/automount.fc | 2 ++
policy/modules/contrib/avahi.fc | 4 ++++
policy/modules/contrib/bacula.fc | 4 ++++
policy/modules/contrib/bcfg2.fc | 2 ++
policy/modules/contrib/bind.fc | 6 ++++++
policy/modules/contrib/bird.fc | 2 ++
policy/modules/contrib/bitlbee.fc | 1 +
policy/modules/contrib/bluetooth.fc | 5 +++++
policy/modules/contrib/brctl.fc | 2 ++
policy/modules/contrib/cachefilesd.fc | 2 ++
policy/modules/contrib/callweaver.fc | 2 ++
policy/modules/contrib/canna.fc | 4 +++-
policy/modules/contrib/ccs.fc | 2 ++
policy/modules/contrib/certmonger.fc | 2 ++
policy/modules/contrib/cfengine.fc | 4 ++++
policy/modules/contrib/cgroup.fc | 4 ++++
policy/modules/contrib/chronyd.fc | 3 ++-
policy/modules/contrib/cipe.fc | 2 ++
policy/modules/contrib/clamav.fc | 2 ++
policy/modules/contrib/clogd.fc | 2 ++
policy/modules/contrib/cmirrord.fc | 2 ++
policy/modules/contrib/collectd.fc | 2 ++
policy/modules/contrib/comsat.fc | 2 ++
policy/modules/contrib/condor.fc | 8 ++++++++
policy/modules/contrib/consolekit.fc | 2 ++
policy/modules/contrib/corosync.fc | 3 +++
policy/modules/contrib/courier.fc | 9 ++++++++-
policy/modules/contrib/cpucontrol.fc | 5 +++++
policy/modules/contrib/cron.fc | 7 ++++++-
policy/modules/contrib/ctdb.fc | 2 ++
policy/modules/contrib/cups.fc | 9 +++++++++
policy/modules/contrib/dante.fc | 3 +++
policy/modules/contrib/dbskk.fc | 2 ++
policy/modules/contrib/dcc.fc | 6 +++++-
policy/modules/contrib/ddclient.fc | 3 +++
policy/modules/contrib/ddcprobe.fc | 2 ++
policy/modules/contrib/dhcp.fc | 2 ++
policy/modules/contrib/dictd.fc | 2 ++
policy/modules/contrib/dkim.fc | 3 +++
policy/modules/contrib/dmidecode.fc | 5 +++++
policy/modules/contrib/dnsmasq.fc | 2 ++
policy/modules/contrib/dnssectrigger.fc | 2 ++
policy/modules/contrib/dovecot.fc | 2 ++
policy/modules/contrib/dphysswapfile.fc | 2 ++
policy/modules/contrib/dpkg.fc | 2 ++
policy/modules/contrib/drbd.fc | 3 +++
policy/modules/contrib/entropyd.fc | 3 +++
policy/modules/contrib/exim.fc | 3 +++
policy/modules/contrib/fakehwclock.fc | 2 ++
policy/modules/contrib/fcoe.fc | 2 ++
policy/modules/contrib/finger.fc | 3 +++
policy/modules/contrib/firewalld.fc | 2 ++
policy/modules/contrib/firstboot.fc | 2 ++
policy/modules/contrib/ftp.fc | 5 +++++
policy/modules/contrib/gatekeeper.fc | 3 +++
policy/modules/contrib/glusterfs.fc | 3 +++
policy/modules/contrib/gpm.fc | 2 ++
policy/modules/contrib/gpsd.fc | 2 ++
policy/modules/contrib/hal.fc | 2 ++
policy/modules/contrib/hddtemp.fc | 2 ++
policy/modules/contrib/hwloc.fc | 4 +++-
policy/modules/contrib/hypervkvp.fc | 2 ++
policy/modules/contrib/i18n_input.fc | 2 ++
policy/modules/contrib/ifplugd.fc | 2 ++
policy/modules/contrib/inetd.fc | 6 ++++++
policy/modules/contrib/inn.fc | 10 ++++++----
policy/modules/contrib/iodine.fc | 2 ++
policy/modules/contrib/ircd.fc | 2 ++
policy/modules/contrib/irqbalance.fc | 2 ++
policy/modules/contrib/iscsi.fc | 4 ++++
policy/modules/contrib/isns.fc | 2 ++
policy/modules/contrib/jabber.fc | 11 +++++++----
policy/modules/contrib/kdump.fc | 2 ++
policy/modules/contrib/kerberos.fc | 3 +++
policy/modules/contrib/kerneloops.fc | 2 ++
policy/modules/contrib/ksmtuned.fc | 2 ++
policy/modules/contrib/ktalk.fc | 4 +++-
policy/modules/contrib/kudzu.fc | 5 ++++-
policy/modules/contrib/l2tp.fc | 2 ++
policy/modules/contrib/ldap.fc | 2 ++
policy/modules/contrib/likewise.fc | 9 +++++++++
policy/modules/contrib/lircd.fc | 2 ++
policy/modules/contrib/lldpad.fc | 2 ++
policy/modules/contrib/lockdev.fc | 2 ++
policy/modules/contrib/logrotate.fc | 2 ++
policy/modules/contrib/logwatch.fc | 4 ++++
policy/modules/contrib/lpd.fc | 19 +++++++++++++------
policy/modules/contrib/mailscanner.fc | 2 ++
policy/modules/contrib/mcelog.fc | 2 ++
policy/modules/contrib/milter.fc | 5 +++++
policy/modules/contrib/minidlna.fc | 2 ++
policy/modules/contrib/minissdpd.fc | 2 ++
policy/modules/contrib/modemmanager.fc | 3 +++
policy/modules/contrib/mon.fc | 2 ++
policy/modules/contrib/monop.fc | 2 ++
policy/modules/contrib/mta.fc | 4 ++++
policy/modules/contrib/mysql.fc | 3 +++
policy/modules/contrib/nessus.fc | 2 ++
policy/modules/contrib/networkmanager.fc | 9 ++++++---
policy/modules/contrib/nis.fc | 5 +++++
policy/modules/contrib/nscd.fc | 2 ++
policy/modules/contrib/nsd.fc | 5 +++++
policy/modules/contrib/nslcd.fc | 2 ++
policy/modules/contrib/ntop.fc | 2 ++
policy/modules/contrib/ntp.fc | 4 ++++
policy/modules/contrib/nut.fc | 4 ++++
policy/modules/contrib/oav.fc | 3 +++
policy/modules/contrib/oddjob.fc | 3 +++
policy/modules/contrib/oident.fc | 2 ++
policy/modules/contrib/openct.fc | 3 +++
policy/modules/contrib/openhpi.fc | 2 ++
policy/modules/contrib/openvpn.fc | 2 ++
policy/modules/contrib/pacemaker.fc | 2 ++
policy/modules/contrib/pcmcia.fc | 3 +++
policy/modules/contrib/pcscd.fc | 2 ++
policy/modules/contrib/pegasus.fc | 3 +++
policy/modules/contrib/perdition.fc | 2 ++
policy/modules/contrib/pingd.fc | 2 ++
policy/modules/contrib/pkcs.fc | 2 ++
policy/modules/contrib/plymouthd.fc | 1 +
policy/modules/contrib/portmap.fc | 4 ++++
policy/modules/contrib/portreserve.fc | 2 ++
policy/modules/contrib/portslave.fc | 3 +++
policy/modules/contrib/postfix.fc | 11 +++++++++++
policy/modules/contrib/postfixpolicyd.fc | 2 ++
policy/modules/contrib/postgrey.fc | 2 ++
policy/modules/contrib/ppp.fc | 6 ++++++
policy/modules/contrib/prelink.fc | 2 ++
policy/modules/contrib/prelude.fc | 3 ++-
policy/modules/contrib/privoxy.fc | 2 ++
policy/modules/contrib/psad.fc | 2 ++
policy/modules/contrib/pxe.fc | 2 ++
policy/modules/contrib/qmail.fc | 12 ++++++++++++
policy/modules/contrib/qpid.fc | 2 ++
policy/modules/contrib/quota.fc | 4 ++++
policy/modules/contrib/radius.fc | 3 +++
policy/modules/contrib/radvd.fc | 2 ++
policy/modules/contrib/raid.fc | 8 ++++++++
policy/modules/contrib/rdisc.fc | 2 ++
policy/modules/contrib/readahead.fc | 2 ++
policy/modules/contrib/redis.fc | 2 ++
policy/modules/contrib/resmgr.fc | 2 ++
policy/modules/contrib/rgmanager.fc | 5 ++++-
policy/modules/contrib/rhcs.fc | 9 +++++++++
policy/modules/contrib/ricci.fc | 3 +++
policy/modules/contrib/rlogin.fc | 2 ++
policy/modules/contrib/rngd.fc | 2 ++
policy/modules/contrib/rpc.fc | 9 +++++++++
policy/modules/contrib/rpcbind.fc | 2 ++
policy/modules/contrib/rpm.fc | 10 ++++++++++
policy/modules/contrib/rshd.fc | 3 +++
policy/modules/contrib/rwho.fc | 2 ++
policy/modules/contrib/samba.fc | 4 ++++
policy/modules/contrib/samhain.fc | 3 +++
policy/modules/contrib/sanlock.fc | 2 ++
policy/modules/contrib/sasl.fc | 2 ++
policy/modules/contrib/sblim.fc | 3 +++
policy/modules/contrib/sensord.fc | 2 ++
policy/modules/contrib/setroubleshoot.fc | 2 ++
policy/modules/contrib/shibboleth.fc | 2 ++
policy/modules/contrib/shorewall.fc | 3 +++
policy/modules/contrib/shutdown.fc | 2 ++
policy/modules/contrib/slpd.fc | 2 ++
policy/modules/contrib/smartmon.fc | 2 ++
policy/modules/contrib/smokeping.fc | 2 ++
policy/modules/contrib/smstools.fc | 2 ++
policy/modules/contrib/snmp.fc | 4 ++++
policy/modules/contrib/snort.fc | 5 +++--
policy/modules/contrib/sosreport.fc | 2 ++
policy/modules/contrib/soundserver.fc | 1 +
policy/modules/contrib/spamassassin.fc | 5 +++--
policy/modules/contrib/speedtouch.fc | 2 ++
policy/modules/contrib/squid.fc | 2 ++
policy/modules/contrib/sssd.fc | 2 ++
policy/modules/contrib/sxid.fc | 1 +
policy/modules/contrib/tboot.fc | 2 ++
policy/modules/contrib/tcpd.fc | 2 ++
policy/modules/contrib/tcsd.fc | 2 ++
policy/modules/contrib/telnet.fc | 2 ++
policy/modules/contrib/tftp.fc | 2 ++
policy/modules/contrib/tgtd.fc | 2 ++
policy/modules/contrib/tmpreaper.fc | 3 +++
policy/modules/contrib/transproxy.fc | 2 ++
policy/modules/contrib/tripwire.fc | 5 +++++
policy/modules/contrib/tuned.fc | 2 ++
policy/modules/contrib/tzdata.fc | 2 ++
policy/modules/contrib/ulogd.fc | 2 ++
policy/modules/contrib/updfstab.fc | 3 +++
policy/modules/contrib/uptime.fc | 2 ++
policy/modules/contrib/usbmodules.fc | 2 ++
policy/modules/contrib/usbmuxd.fc | 2 ++
policy/modules/contrib/userhelper.fc | 1 +
policy/modules/contrib/usernetctl.fc | 2 ++
policy/modules/contrib/uucp.fc | 1 +
policy/modules/contrib/uuidd.fc | 2 ++
policy/modules/contrib/varnishd.fc | 1 +
policy/modules/contrib/vbetool.fc | 2 ++
policy/modules/contrib/vdagent.fc | 2 ++
policy/modules/contrib/vhostmd.fc | 2 ++
policy/modules/contrib/virt.fc | 7 ++++++-
policy/modules/contrib/vlock.fc | 3 ++-
policy/modules/contrib/vmware.fc | 2 ++
policy/modules/contrib/vnstatd.fc | 1 +
policy/modules/contrib/vpn.fc | 1 +
policy/modules/contrib/watchdog.fc | 2 ++
policy/modules/contrib/wdmd.fc | 2 ++
policy/modules/contrib/xen.fc | 9 +++++++++
policy/modules/contrib/zabbix.fc | 7 +++++--
policy/modules/contrib/zebra.fc | 5 +++++
policy/modules/contrib/zosremote.fc | 2 ++
223 files changed, 670 insertions(+), 35 deletions(-)
diff --git a/policy/modules/contrib/abrt.fc b/policy/modules/contrib/abrt.fc
index d1b1f4e8..d05819be 100644
--- a/policy/modules/contrib/abrt.fc
+++ b/policy/modules/contrib/abrt.fc
@@ -1,8 +1,11 @@
/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+/usr/bin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/bin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+/usr/bin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
diff --git a/policy/modules/contrib/acct.fc b/policy/modules/contrib/acct.fc
index 204e5375..5a772ec6 100644
--- a/policy/modules/contrib/acct.fc
+++ b/policy/modules/contrib/acct.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/psacct -- gen_context(system_u:object_r:acct_initrc_exec_t,s0)
+/usr/bin/accton -- gen_context(system_u:object_r:acct_exec_t,s0)
+
/usr/sbin/accton -- gen_context(system_u:object_r:acct_exec_t,s0)
/var/account(/.*)? gen_context(system_u:object_r:acct_data_t,s0)
diff --git a/policy/modules/contrib/acpi.fc b/policy/modules/contrib/acpi.fc
index bfbe255b..ffd4ea00 100644
--- a/policy/modules/contrib/acpi.fc
+++ b/policy/modules/contrib/acpi.fc
@@ -1,6 +1,9 @@
/etc/rc\.d/init\.d/acpid -- gen_context(system_u:object_r:acpid_initrc_exec_t,s0)
+/usr/bin/acpid -- gen_context(system_u:object_r:acpid_exec_t,s0)
/usr/bin/apm -- gen_context(system_u:object_r:acpi_exec_t,s0)
+/usr/bin/apmd -- gen_context(system_u:object_r:acpid_exec_t,s0)
+/usr/bin/powersaved -- gen_context(system_u:object_r:acpid_exec_t,s0)
/usr/lib/systemd/system/apmd.*\.service -- gen_context(system_u:object_r:acpid_unit_t,s0)
diff --git a/policy/modules/contrib/afs.fc b/policy/modules/contrib/afs.fc
index c40fe9ae..9307074e 100644
--- a/policy/modules/contrib/afs.fc
+++ b/policy/modules/contrib/afs.fc
@@ -27,6 +27,9 @@
/usr/afs/logs(/.*)? gen_context(system_u:object_r:afs_logfile_t,s0)
+/usr/bin/afsd -- gen_context(system_u:object_r:afs_exec_t,s0)
+/usr/bin/bosserver -- gen_context(system_u:object_r:afs_bosserver_exec_t,s0)
+
/usr/libexec/openafs/dafileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
/usr/libexec/openafs/dasalvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
/usr/libexec/openafs/davolserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
diff --git a/policy/modules/contrib/aiccu.fc b/policy/modules/contrib/aiccu.fc
index 86e436cb..5fc50bec 100644
--- a/policy/modules/contrib/aiccu.fc
+++ b/policy/modules/contrib/aiccu.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/aiccu -- gen_context(system_u:object_r:aiccu_initrc_exec_t,s0)
+/usr/bin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0)
+
/usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0)
/run/aiccu\.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0)
diff --git a/policy/modules/contrib/aisexec.fc b/policy/modules/contrib/aisexec.fc
index f9c20c63..578f2d33 100644
--- a/policy/modules/contrib/aisexec.fc
+++ b/policy/modules/contrib/aisexec.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/openais -- gen_context(system_u:object_r:aisexec_initrc_exec_t,s0)
+/usr/bin/aisexec -- gen_context(system_u:object_r:aisexec_exec_t,s0)
+
/usr/sbin/aisexec -- gen_context(system_u:object_r:aisexec_exec_t,s0)
/var/lib/openais(/.*)? gen_context(system_u:object_r:aisexec_var_lib_t,s0)
diff --git a/policy/modules/contrib/alsa.fc b/policy/modules/contrib/alsa.fc
index 0f9e5196..75ea9ebf 100644
--- a/policy/modules/contrib/alsa.fc
+++ b/policy/modules/contrib/alsa.fc
@@ -6,7 +6,9 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
/run/alsa(/.*)? gen_context(system_u:object_r:alsa_runtime_t,s0)
/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
+/usr/bin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
/usr/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
+/usr/bin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
/usr/lib/systemd/system/[^/]*alsa-restore.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
/usr/lib/systemd/system/[^/]*alsa-state.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
diff --git a/policy/modules/contrib/amanda.fc b/policy/modules/contrib/amanda.fc
index 7f4dfbca..0d90d71e 100644
--- a/policy/modules/contrib/amanda.fc
+++ b/policy/modules/contrib/amanda.fc
@@ -7,6 +7,9 @@
/root/restore -d gen_context(system_u:object_r:amanda_recover_dir_t,s0)
+/usr/bin/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+/usr/bin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
+
/usr/lib/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0)
/usr/lib/amanda/.+ -- gen_context(system_u:object_r:amanda_exec_t,s0)
/usr/lib/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
diff --git a/policy/modules/contrib/amavis.fc b/policy/modules/contrib/amavis.fc
index 7b8beae4..da86959b 100644
--- a/policy/modules/contrib/amavis.fc
+++ b/policy/modules/contrib/amavis.fc
@@ -4,6 +4,8 @@
/etc/rc\.d/init\.d/amavis -- gen_context(system_u:object_r:amavis_initrc_exec_t,s0)
/etc/rc\.d/init\.d/amavisd-snmp -- gen_context(system_u:object_r:amavis_initrc_exec_t,s0)
+/usr/bin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0)
+
/usr/lib/AntiVir/antivir -- gen_context(system_u:object_r:amavis_exec_t,s0)
/usr/sbin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0)
diff --git a/policy/modules/contrib/apache.fc b/policy/modules/contrib/apache.fc
index 591c8ad2..f55535e7 100644
--- a/policy/modules/contrib/apache.fc
+++ b/policy/modules/contrib/apache.fc
@@ -37,9 +37,21 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:objec
/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/bin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/apache(2)?ctl -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/cgi-wrapper -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/hiawatha -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
+/usr/bin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
/usr/bin/ssi-cgi -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/bin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
diff --git a/policy/modules/contrib/apcupsd.fc b/policy/modules/contrib/apcupsd.fc
index c9a7900c..43666b34 100644
--- a/policy/modules/contrib/apcupsd.fc
+++ b/policy/modules/contrib/apcupsd.fc
@@ -2,6 +2,8 @@
/usr/lib/systemd/system/apcupsd.*\.service -- gen_context(system_u:object_r:apcupsd_unit_t,s0)
+/usr/bin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
+
/usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
/var/lock/subsys/apcupsd -- gen_context(system_u:object_r:apcupsd_lock_t,s0)
diff --git a/policy/modules/contrib/arpwatch.fc b/policy/modules/contrib/arpwatch.fc
index 5e0e6862..b439c10c 100644
--- a/policy/modules/contrib/arpwatch.fc
+++ b/policy/modules/contrib/arpwatch.fc
@@ -2,6 +2,8 @@
/usr/lib/systemd/system/arpwatch.*\.service -- gen_context(system_u:object_r:arpwatch_unit_t,s0)
+/usr/bin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
+
/usr/sbin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
/var/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
diff --git a/policy/modules/contrib/asterisk.fc b/policy/modules/contrib/asterisk.fc
index 0aaa615a..337bf601 100644
--- a/policy/modules/contrib/asterisk.fc
+++ b/policy/modules/contrib/asterisk.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/asterisk -- gen_context(system_u:object_r:asterisk_initrc_exec_t,s0)
+/usr/bin/asterisk -- gen_context(system_u:object_r:asterisk_exec_t,s0)
+
/usr/sbin/asterisk -- gen_context(system_u:object_r:asterisk_exec_t,s0)
/var/lib/asterisk(/.*)? gen_context(system_u:object_r:asterisk_var_lib_t,s0)
diff --git a/policy/modules/contrib/automount.fc b/policy/modules/contrib/automount.fc
index 8bd48bc4..dadd3a9f 100644
--- a/policy/modules/contrib/automount.fc
+++ b/policy/modules/contrib/automount.fc
@@ -3,6 +3,8 @@
/usr/lib/systemd/system/autofs.*\.service -- gen_context(system_u:object_r:automount_unit_t,s0)
+/usr/bin/automount -- gen_context(system_u:object_r:automount_exec_t,s0)
+
/usr/sbin/automount -- gen_context(system_u:object_r:automount_exec_t,s0)
/var/lock/subsys/autofs -- gen_context(system_u:object_r:automount_lock_t,s0)
diff --git a/policy/modules/contrib/avahi.fc b/policy/modules/contrib/avahi.fc
index 80248b62..2f72be4a 100644
--- a/policy/modules/contrib/avahi.fc
+++ b/policy/modules/contrib/avahi.fc
@@ -1,5 +1,9 @@
/etc/rc\.d/init\.d/avahi.* -- gen_context(system_u:object_r:avahi_initrc_exec_t,s0)
+/usr/bin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0)
+/usr/bin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0)
+/usr/bin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0)
+
/usr/lib/systemd/system/avahi.*\.service -- gen_context(system_u:object_r:avahi_unit_t,s0)
/usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0)
diff --git a/policy/modules/contrib/bacula.fc b/policy/modules/contrib/bacula.fc
index 3550dcc4..27c021c3 100644
--- a/policy/modules/contrib/bacula.fc
+++ b/policy/modules/contrib/bacula.fc
@@ -4,6 +4,10 @@
/etc/rc\.d/init\.d/bacula.* -- gen_context(system_u:object_r:bacula_initrc_exec_t,s0)
+/usr/bin/bacula.* -- gen_context(system_u:object_r:bacula_exec_t,s0)
+/usr/bin/bat -- gen_context(system_u:object_r:bacula_admin_exec_t,s0)
+/usr/bin/bconsole -- gen_context(system_u:object_r:bacula_admin_exec_t,s0)
+
/usr/sbin/bacula.* -- gen_context(system_u:object_r:bacula_exec_t,s0)
/usr/sbin/bat -- gen_context(system_u:object_r:bacula_admin_exec_t,s0)
/usr/sbin/bconsole -- gen_context(system_u:object_r:bacula_admin_exec_t,s0)
diff --git a/policy/modules/contrib/bcfg2.fc b/policy/modules/contrib/bcfg2.fc
index 10f28688..feb5d9d9 100644
--- a/policy/modules/contrib/bcfg2.fc
+++ b/policy/modules/contrib/bcfg2.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/bcfg2-server -- gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0)
+/usr/bin/bcfg2-server -- gen_context(system_u:object_r:bcfg2_exec_t,s0)
+
/usr/sbin/bcfg2-server -- gen_context(system_u:object_r:bcfg2_exec_t,s0)
/var/lib/bcfg2(/.*)? gen_context(system_u:object_r:bcfg2_var_lib_t,s0)
diff --git a/policy/modules/contrib/bind.fc b/policy/modules/contrib/bind.fc
index de596aed..b4879dc1 100644
--- a/policy/modules/contrib/bind.fc
+++ b/policy/modules/contrib/bind.fc
@@ -14,6 +14,12 @@
/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/usr/bin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/bin/named -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/bin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
+/usr/bin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
+/usr/bin/unbound -- gen_context(system_u:object_r:named_exec_t,s0)
+
/usr/lib/systemd/system/named.*\.service -- gen_context(system_u:object_r:named_unit_t,s0)
/usr/lib/systemd/system/unbound.*\.service -- gen_context(system_u:object_r:named_unit_t,s0)
diff --git a/policy/modules/contrib/bird.fc b/policy/modules/contrib/bird.fc
index d4524d56..d415fdf3 100644
--- a/policy/modules/contrib/bird.fc
+++ b/policy/modules/contrib/bird.fc
@@ -4,6 +4,8 @@
/etc/rc\.d/init\.d/bird -- gen_context(system_u:object_r:bird_initrc_exec_t,s0)
+/usr/bin/bird -- gen_context(system_u:object_r:bird_exec_t,s0)
+
/usr/sbin/bird -- gen_context(system_u:object_r:bird_exec_t,s0)
/var/log/bird\.log.* -- gen_context(system_u:object_r:bird_log_t,s0)
diff --git a/policy/modules/contrib/bitlbee.fc b/policy/modules/contrib/bitlbee.fc
index a6c071f8..e7b0aa60 100644
--- a/policy/modules/contrib/bitlbee.fc
+++ b/policy/modules/contrib/bitlbee.fc
@@ -3,6 +3,7 @@
/etc/rc\.d/init\.d/bitlbee -- gen_context(system_u:object_r:bitlbee_initrc_exec_t,s0)
/usr/bin/bip -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
+/usr/bin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
/usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
/var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0)
diff --git a/policy/modules/contrib/bluetooth.fc b/policy/modules/contrib/bluetooth.fc
index 495fb7c0..4fbe7955 100644
--- a/policy/modules/contrib/bluetooth.fc
+++ b/policy/modules/contrib/bluetooth.fc
@@ -6,9 +6,14 @@
/etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
/usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
+/usr/bin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/bin/dund -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/hcid -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/hid2hci -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/sdpd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
# Systemd unit file
/usr/lib/systemd/system/[^/]*bluetooth.* -- gen_context(system_u:object_r:bluetooth_unit_t,s0)
diff --git a/policy/modules/contrib/brctl.fc b/policy/modules/contrib/brctl.fc
index 32f8ee97..ed472f09 100644
--- a/policy/modules/contrib/brctl.fc
+++ b/policy/modules/contrib/brctl.fc
@@ -1 +1,3 @@
+/usr/bin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0)
+
/usr/sbin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0)
diff --git a/policy/modules/contrib/cachefilesd.fc b/policy/modules/contrib/cachefilesd.fc
index 1ddbe60d..f58be76b 100644
--- a/policy/modules/contrib/cachefilesd.fc
+++ b/policy/modules/contrib/cachefilesd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/cachefilesd -- gen_context(system_u:object_r:cachefilesd_initrc_exec_t,s0)
+/usr/bin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
+
/usr/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefilesd_cache_t,s0)
diff --git a/policy/modules/contrib/callweaver.fc b/policy/modules/contrib/callweaver.fc
index 4a86bec5..3cdd635b 100644
--- a/policy/modules/contrib/callweaver.fc
+++ b/policy/modules/contrib/callweaver.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/callweaver -- gen_context(system_u:object_r:callweaver_initrc_exec_t,s0)
+/usr/bin/callweaver -- gen_context(system_u:object_r:callweaver_exec_t,s0)
+
/usr/sbin/callweaver -- gen_context(system_u:object_r:callweaver_exec_t,s0)
/var/lib/callweaver(/.*)? gen_context(system_u:object_r:callweaver_var_lib_t,s0)
diff --git a/policy/modules/contrib/canna.fc b/policy/modules/contrib/canna.fc
index df523340..7688d0ec 100644
--- a/policy/modules/contrib/canna.fc
+++ b/policy/modules/contrib/canna.fc
@@ -1,7 +1,9 @@
/etc/rc\.d/init\.d/canna -- gen_context(system_u:object_r:canna_initrc_exec_t,s0)
/usr/bin/cannaping -- gen_context(system_u:object_r:canna_exec_t,s0)
-/usr/bin/catdic -- gen_context(system_u:object_r:canna_exec_t,s0)
+/usr/bin/cannaserver -- gen_context(system_u:object_r:canna_exec_t,s0)
+/usr/bin/catdic -- gen_context(system_u:object_r:canna_exec_t,s0)
+/usr/bin/jserver -- gen_context(system_u:object_r:canna_exec_t,s0)
/usr/sbin/cannaserver -- gen_context(system_u:object_r:canna_exec_t,s0)
/usr/sbin/jserver -- gen_context(system_u:object_r:canna_exec_t,s0)
diff --git a/policy/modules/contrib/ccs.fc b/policy/modules/contrib/ccs.fc
index 4bf5e8f3..f428bee0 100644
--- a/policy/modules/contrib/ccs.fc
+++ b/policy/modules/contrib/ccs.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/((ccs)|(ccsd)) -- gen_context(system_u:object_r:ccs_initrc_exec_t,s0)
+/usr/bin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0)
+
/usr/sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0)
/var/lib/cluster/((ccs)|(ccsd)).* gen_context(system_u:object_r:ccs_var_lib_t,s0)
diff --git a/policy/modules/contrib/certmonger.fc b/policy/modules/contrib/certmonger.fc
index d3e1d6cf..7d357324 100644
--- a/policy/modules/contrib/certmonger.fc
+++ b/policy/modules/contrib/certmonger.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/certmonger -- gen_context(system_u:object_r:certmonger_initrc_exec_t,s0)
+/usr/bin/certmonger -- gen_context(system_u:object_r:certmonger_exec_t,s0)
+
/usr/sbin/certmonger -- gen_context(system_u:object_r:certmonger_exec_t,s0)
/var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0)
diff --git a/policy/modules/contrib/cfengine.fc b/policy/modules/contrib/cfengine.fc
index 5b605d6b..807467cb 100644
--- a/policy/modules/contrib/cfengine.fc
+++ b/policy/modules/contrib/cfengine.fc
@@ -1,5 +1,9 @@
/etc/rc\.d/init\.d/((cf-serverd)|(cf-monitord)|(cf-execd)) -- gen_context(system_u:object_r:cfengine_initrc_exec_t,s0)
+/usr/bin/cf-serverd -- gen_context(system_u:object_r:cfengine_serverd_exec_t,s0)
+/usr/bin/cf-execd -- gen_context(system_u:object_r:cfengine_execd_exec_t,s0)
+/usr/bin/cf-monitord -- gen_context(system_u:object_r:cfengine_monitord_exec_t,s0)
+
/usr/sbin/cf-serverd -- gen_context(system_u:object_r:cfengine_serverd_exec_t,s0)
/usr/sbin/cf-execd -- gen_context(system_u:object_r:cfengine_execd_exec_t,s0)
/usr/sbin/cf-monitord -- gen_context(system_u:object_r:cfengine_monitord_exec_t,s0)
diff --git a/policy/modules/contrib/cgroup.fc b/policy/modules/contrib/cgroup.fc
index cfe6b48c..f631358e 100644
--- a/policy/modules/contrib/cgroup.fc
+++ b/policy/modules/contrib/cgroup.fc
@@ -7,6 +7,10 @@
/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t,s0)
/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t,s0)
+/usr/bin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0)
+/usr/bin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
+/usr/bin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0)
+
/usr/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0)
/usr/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
/usr/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0)
diff --git a/policy/modules/contrib/chronyd.fc b/policy/modules/contrib/chronyd.fc
index d3069a0a..66f001b8 100644
--- a/policy/modules/contrib/chronyd.fc
+++ b/policy/modules/contrib/chronyd.fc
@@ -2,11 +2,12 @@
/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
+/usr/bin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
+
# Systend unit files
/usr/lib/systemd/system/[^/]*chrony-wait.* -- gen_context(system_u:object_r:chronyd_unit_t,s0)
/usr/lib/systemd/system/[^/]*chronyd.* -- gen_context(system_u:object_r:chronyd_unit_t,s0)
-
/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
diff --git a/policy/modules/contrib/cipe.fc b/policy/modules/contrib/cipe.fc
index c7535226..2cfb0ae9 100644
--- a/policy/modules/contrib/cipe.fc
+++ b/policy/modules/contrib/cipe.fc
@@ -1,3 +1,5 @@
/etc/rc\.d/init\.d/ciped.* -- gen_context(system_u:object_r:ciped_initrc_exec_t,s0)
+/usr/bin/ciped.* -- gen_context(system_u:object_r:ciped_exec_t,s0)
+
/usr/sbin/ciped.* -- gen_context(system_u:object_r:ciped_exec_t,s0)
diff --git a/policy/modules/contrib/clamav.fc b/policy/modules/contrib/clamav.fc
index ccca6aaa..70fb22e6 100644
--- a/policy/modules/contrib/clamav.fc
+++ b/policy/modules/contrib/clamav.fc
@@ -2,7 +2,9 @@
/etc/rc\.d/init\.d/clamd.* -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0)
+/usr/bin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0)
/usr/bin/clamscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
+/usr/bin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
/usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
/usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0)
diff --git a/policy/modules/contrib/clogd.fc b/policy/modules/contrib/clogd.fc
index ba3bca7f..6c5de73b 100644
--- a/policy/modules/contrib/clogd.fc
+++ b/policy/modules/contrib/clogd.fc
@@ -1,3 +1,5 @@
+/usr/bin/clogd -- gen_context(system_u:object_r:clogd_exec_t,s0)
+
/usr/sbin/clogd -- gen_context(system_u:object_r:clogd_exec_t,s0)
/run/clogd\.pid -- gen_context(system_u:object_r:clogd_var_run_t,s0)
diff --git a/policy/modules/contrib/cmirrord.fc b/policy/modules/contrib/cmirrord.fc
index 9a26f5e1..c948aacf 100644
--- a/policy/modules/contrib/cmirrord.fc
+++ b/policy/modules/contrib/cmirrord.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/cmirrord -- gen_context(system_u:object_r:cmirrord_initrc_exec_t,s0)
+/usr/bin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0)
+
/usr/sbin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0)
/run/cmirrord\.pid -- gen_context(system_u:object_r:cmirrord_var_run_t,s0)
diff --git a/policy/modules/contrib/collectd.fc b/policy/modules/contrib/collectd.fc
index 9ac08967..4e9b367e 100644
--- a/policy/modules/contrib/collectd.fc
+++ b/policy/modules/contrib/collectd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/collectd -- gen_context(system_u:object_r:collectd_initrc_exec_t,s0)
+/usr/bin/collectd -- gen_context(system_u:object_r:collectd_exec_t,s0)
+
/usr/sbin/collectd -- gen_context(system_u:object_r:collectd_exec_t,s0)
/var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0)
diff --git a/policy/modules/contrib/comsat.fc b/policy/modules/contrib/comsat.fc
index 90461f93..63e73363 100644
--- a/policy/modules/contrib/comsat.fc
+++ b/policy/modules/contrib/comsat.fc
@@ -1 +1,3 @@
+/usr/bin/in\.comsat -- gen_context(system_u:object_r:comsat_exec_t,s0)
+
/usr/sbin/in\.comsat -- gen_context(system_u:object_r:comsat_exec_t,s0)
diff --git a/policy/modules/contrib/condor.fc b/policy/modules/contrib/condor.fc
index 19ffde01..eed1e341 100644
--- a/policy/modules/contrib/condor.fc
+++ b/policy/modules/contrib/condor.fc
@@ -2,6 +2,14 @@
/etc/rc\.d/init\.d/condor -- gen_context(system_u:object_r:condor_initrc_exec_t,s0)
+/usr/bin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0)
+/usr/bin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0)
+/usr/bin/condor_negotiator -- gen_context(system_u:object_r:condor_negotiator_exec_t,s0)
+/usr/bin/condor_procd -- gen_context(system_u:object_r:condor_procd_exec_t,s0)
+/usr/bin/condor_schedd -- gen_context(system_u:object_r:condor_schedd_exec_t,s0)
+/usr/bin/condor_startd -- gen_context(system_u:object_r:condor_startd_exec_t,s0)
+/usr/bin/condor_starter -- gen_context(system_u:object_r:condor_startd_exec_t,s0)
+
/usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0)
/usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0)
/usr/sbin/condor_negotiator -- gen_context(system_u:object_r:condor_negotiator_exec_t,s0)
diff --git a/policy/modules/contrib/consolekit.fc b/policy/modules/contrib/consolekit.fc
index e3827ccd..8b440c56 100644
--- a/policy/modules/contrib/consolekit.fc
+++ b/policy/modules/contrib/consolekit.fc
@@ -1,3 +1,5 @@
+/usr/bin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
+
/usr/lib/systemd/system/console-kit.*\.service -- gen_context(system_u:object_r:consolekit_unit_t,s0)
/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
diff --git a/policy/modules/contrib/corosync.fc b/policy/modules/contrib/corosync.fc
index e00b036b..3671df61 100644
--- a/policy/modules/contrib/corosync.fc
+++ b/policy/modules/contrib/corosync.fc
@@ -1,5 +1,8 @@
/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
+/usr/bin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
+/usr/bin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0)
+
/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0)
diff --git a/policy/modules/contrib/courier.fc b/policy/modules/contrib/courier.fc
index 3db41fbc..c28b2209 100644
--- a/policy/modules/contrib/courier.fc
+++ b/policy/modules/contrib/courier.fc
@@ -1,7 +1,14 @@
/etc/courier(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
/etc/courier-imap(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
-/usr/bin/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/bin/authdaemond -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+/usr/bin/courier-imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/bin/courierlogger -- gen_context(system_u:object_r:courier_exec_t,s0)
+/usr/bin/courierldapaliasd -- gen_context(system_u:object_r:courier_exec_t,s0)
+/usr/bin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+/usr/bin/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/bin/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+
/usr/sbin/authdaemond -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
/usr/sbin/courier-imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
diff --git a/policy/modules/contrib/cpucontrol.fc b/policy/modules/contrib/cpucontrol.fc
index 06f5d0f9..d01f2350 100644
--- a/policy/modules/contrib/cpucontrol.fc
+++ b/policy/modules/contrib/cpucontrol.fc
@@ -1,5 +1,10 @@
/usr/lib/firmware/microcode.*\.dat -- gen_context(system_u:object_r:cpucontrol_conf_t,s0)
+/usr/bin/cpufreqd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
+/usr/bin/cpuspeed -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
+/usr/bin/microcode_ctl -- gen_context(system_u:object_r:cpucontrol_exec_t,s0)
+/usr/bin/powernowd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
+
/usr/sbin/cpufreqd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
/usr/sbin/cpuspeed -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
/usr/sbin/microcode_ctl -- gen_context(system_u:object_r:cpucontrol_exec_t,s0)
diff --git a/policy/modules/contrib/cron.fc b/policy/modules/contrib/cron.fc
index 6d4f5397..e1b3e7b3 100644
--- a/policy/modules/contrib/cron.fc
+++ b/policy/modules/contrib/cron.fc
@@ -3,7 +3,12 @@
/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
-
+/usr/bin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
+/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/bin/atd -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/bin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/bin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/bin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
/usr/lib/systemd/system/atd.*\.service -- gen_context(system_u:object_r:crond_unit_t,s0)
diff --git a/policy/modules/contrib/ctdb.fc b/policy/modules/contrib/ctdb.fc
index be3db334..98484341 100644
--- a/policy/modules/contrib/ctdb.fc
+++ b/policy/modules/contrib/ctdb.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/ctdb -- gen_context(system_u:object_r:ctdbd_initrc_exec_t,s0)
+/usr/bin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0)
+
/usr/sbin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0)
/var/lib/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
diff --git a/policy/modules/contrib/cups.fc b/policy/modules/contrib/cups.fc
index 72afd973..43c4616a 100644
--- a/policy/modules/contrib/cups.fc
+++ b/policy/modules/contrib/cups.fc
@@ -21,8 +21,17 @@
/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/bin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/bin/cups-browsed -- gen_context(system_u:object_r:cupsd_exec_t,s0)
/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/bin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/bin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/bin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/bin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/bin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0)
+/usr/bin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0)
+/usr/bin/ptal-photod -- gen_context(system_u:object_r:ptal_exec_t,s0)
/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --git a/policy/modules/contrib/dante.fc b/policy/modules/contrib/dante.fc
index 44c83be9..3aea9187 100644
--- a/policy/modules/contrib/dante.fc
+++ b/policy/modules/contrib/dante.fc
@@ -3,6 +3,9 @@
/etc/danted\.conf -- gen_context(system_u:object_r:dante_conf_t,s0)
/etc/socks(/.*)? gen_context(system_u:object_r:dante_conf_t,s0)
+/usr/bin/danted -- gen_context(system_u:object_r:dante_exec_t,s0)
+/usr/bin/sockd -- gen_context(system_u:object_r:dante_exec_t,s0)
+
/usr/sbin/danted -- gen_context(system_u:object_r:dante_exec_t,s0)
/usr/sbin/sockd -- gen_context(system_u:object_r:dante_exec_t,s0)
diff --git a/policy/modules/contrib/dbskk.fc b/policy/modules/contrib/dbskk.fc
index 6fb8fead..a3028746 100644
--- a/policy/modules/contrib/dbskk.fc
+++ b/policy/modules/contrib/dbskk.fc
@@ -1 +1,3 @@
+/usr/bin/dbskkd-cdb -- gen_context(system_u:object_r:dbskkd_exec_t,s0)
+
/usr/sbin/dbskkd-cdb -- gen_context(system_u:object_r:dbskkd_exec_t,s0)
diff --git a/policy/modules/contrib/dcc.fc b/policy/modules/contrib/dcc.fc
index ccfe6037..bc9189c8 100644
--- a/policy/modules/contrib/dcc.fc
+++ b/policy/modules/contrib/dcc.fc
@@ -2,8 +2,12 @@
/etc/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0)
/etc/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
-/usr/bin/cdcc -- gen_context(system_u:object_r:cdcc_exec_t,s0)
+/usr/bin/cdcc -- gen_context(system_u:object_r:cdcc_exec_t,s0)
+/usr/bin/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
+/usr/bin/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
+/usr/bin/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
/usr/bin/dccproc -- gen_context(system_u:object_r:dcc_client_exec_t,s0)
+/usr/bin/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
/usr/libexec/dcc/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
/usr/libexec/dcc/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
diff --git a/policy/modules/contrib/ddclient.fc b/policy/modules/contrib/ddclient.fc
index 81b69d02..64d55e5c 100644
--- a/policy/modules/contrib/ddclient.fc
+++ b/policy/modules/contrib/ddclient.fc
@@ -3,6 +3,9 @@
/etc/rc\.d/init\.d/ddclient -- gen_context(system_u:object_r:ddclient_initrc_exec_t,s0)
+/usr/bin/ddclient -- gen_context(system_u:object_r:ddclient_exec_t,s0)
+/usr/bin/ddtcd -- gen_context(system_u:object_r:ddclient_exec_t,s0)
+
/usr/sbin/ddclient -- gen_context(system_u:object_r:ddclient_exec_t,s0)
/usr/sbin/ddtcd -- gen_context(system_u:object_r:ddclient_exec_t,s0)
diff --git a/policy/modules/contrib/ddcprobe.fc b/policy/modules/contrib/ddcprobe.fc
index 9f2a27f5..747c416e 100644
--- a/policy/modules/contrib/ddcprobe.fc
+++ b/policy/modules/contrib/ddcprobe.fc
@@ -1 +1,3 @@
+/usr/bin/ddcprobe -- gen_context(system_u:object_r:ddcprobe_exec_t,s0)
+
/usr/sbin/ddcprobe -- gen_context(system_u:object_r:ddcprobe_exec_t,s0)
diff --git a/policy/modules/contrib/dhcp.fc b/policy/modules/contrib/dhcp.fc
index b85ea22a..c4166794 100644
--- a/policy/modules/contrib/dhcp.fc
+++ b/policy/modules/contrib/dhcp.fc
@@ -2,6 +2,8 @@
/usr/lib/systemd/system/dhcpcd.*\.service -- gen_context(system_u:object_r:dhcpd_unit_t,s0)
+/usr/bin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
+
/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
/var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0)
diff --git a/policy/modules/contrib/dictd.fc b/policy/modules/contrib/dictd.fc
index 5902d746..b2c773b2 100644
--- a/policy/modules/contrib/dictd.fc
+++ b/policy/modules/contrib/dictd.fc
@@ -2,6 +2,8 @@
/etc/dictd\.conf -- gen_context(system_u:object_r:dictd_etc_t,s0)
+/usr/bin/dictd -- gen_context(system_u:object_r:dictd_exec_t,s0)
+
/usr/sbin/dictd -- gen_context(system_u:object_r:dictd_exec_t,s0)
/var/lib/dictd(/.*)? gen_context(system_u:object_r:dictd_var_lib_t,s0)
diff --git a/policy/modules/contrib/dkim.fc b/policy/modules/contrib/dkim.fc
index aa146efa..832c1585 100644
--- a/policy/modules/contrib/dkim.fc
+++ b/policy/modules/contrib/dkim.fc
@@ -2,6 +2,9 @@
/etc/rc\.d/init\.d/((opendkim)|(dkim-milter)) -- gen_context(system_u:object_r:dkim_milter_initrc_exec_t,s0)
+/usr/bin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/usr/bin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+
/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
/usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
diff --git a/policy/modules/contrib/dmidecode.fc b/policy/modules/contrib/dmidecode.fc
index c394e45d..0ca4c99a 100644
--- a/policy/modules/contrib/dmidecode.fc
+++ b/policy/modules/contrib/dmidecode.fc
@@ -1,3 +1,8 @@
+/usr/bin/biosdecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
+/usr/bin/dmidecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
+/usr/bin/ownership -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
+/usr/bin/vpddecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
+
/usr/sbin/biosdecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
/usr/sbin/dmidecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
/usr/sbin/ownership -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
diff --git a/policy/modules/contrib/dnsmasq.fc b/policy/modules/contrib/dnsmasq.fc
index a7169462..07ffc0d4 100644
--- a/policy/modules/contrib/dnsmasq.fc
+++ b/policy/modules/contrib/dnsmasq.fc
@@ -3,6 +3,8 @@
/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
+/usr/bin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
+
# Systemd unit file
/usr/lib/systemd/system/[^/]*dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_unit_t,s0)
diff --git a/policy/modules/contrib/dnssectrigger.fc b/policy/modules/contrib/dnssectrigger.fc
index 312949dc..e2ed6e23 100644
--- a/policy/modules/contrib/dnssectrigger.fc
+++ b/policy/modules/contrib/dnssectrigger.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/dnssec-triggerd -- gen_context(system_u:object_r:dnssec_triggerd_initrc_exec_t,s0)
+/usr/bin/dnssec-triggerd -- gen_context(system_u:object_r:dnssec_triggerd_exec_t,s0)
+
/usr/sbin/dnssec-triggerd -- gen_context(system_u:object_r:dnssec_triggerd_exec_t,s0)
/var/log/dnssec-trigger\.log.* -- gen_context(system_u:object_r:dnssec_trigger_log_t,s0)
diff --git a/policy/modules/contrib/dovecot.fc b/policy/modules/contrib/dovecot.fc
index c2f5734e..1ab9d643 100644
--- a/policy/modules/contrib/dovecot.fc
+++ b/policy/modules/contrib/dovecot.fc
@@ -8,6 +8,8 @@
/etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0)
+/usr/bin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0)
+
/usr/sbin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0)
/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
diff --git a/policy/modules/contrib/dphysswapfile.fc b/policy/modules/contrib/dphysswapfile.fc
index 5c0feb83..70b0ee3a 100644
--- a/policy/modules/contrib/dphysswapfile.fc
+++ b/policy/modules/contrib/dphysswapfile.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_initrc_exec_t,s0)
+/usr/bin/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
+
/usr/sbin/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
/var/swap -- gen_context(system_u:object_r:dphysswapfile_swap_t,s0)
diff --git a/policy/modules/contrib/dpkg.fc b/policy/modules/contrib/dpkg.fc
index ad87459f..9ba6e312 100644
--- a/policy/modules/contrib/dpkg.fc
+++ b/policy/modules/contrib/dpkg.fc
@@ -2,6 +2,8 @@
/usr/bin/debsums -- gen_context(system_u:object_r:dpkg_exec_t,s0)
/usr/bin/dpkg -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+/usr/bin/dpkg-preconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+/usr/bin/dpkg-reconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0)
/usr/bin/dselect -- gen_context(system_u:object_r:dpkg_exec_t,s0)
/var/lib/debtags(/.*)? gen_context(system_u:object_r:dpkg_var_lib_t,s0)
diff --git a/policy/modules/contrib/drbd.fc b/policy/modules/contrib/drbd.fc
index d5d54f78..3b7da568 100644
--- a/policy/modules/contrib/drbd.fc
+++ b/policy/modules/contrib/drbd.fc
@@ -1,5 +1,8 @@
/etc/rc\.d/init\.d/drbd -- gen_context(system_u:object_r:drbd_initrc_exec_t,s0)
+/usr/bin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0)
+/usr/bin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0)
+
/usr/lib/ocf/resource.\d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0)
/usr/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0)
diff --git a/policy/modules/contrib/entropyd.fc b/policy/modules/contrib/entropyd.fc
index 3a0377e9..b7342ef2 100644
--- a/policy/modules/contrib/entropyd.fc
+++ b/policy/modules/contrib/entropyd.fc
@@ -1,5 +1,8 @@
/etc/rc\.d/init\.d/((audio-entropyd)|(haveged)) -- gen_context(system_u:object_r:entropyd_initrc_exec_t,s0)
+/usr/bin/audio-entropyd -- gen_context(system_u:object_r:entropyd_exec_t,s0)
+/usr/bin/haveged -- gen_context(system_u:object_r:entropyd_exec_t,s0)
+
/usr/sbin/audio-entropyd -- gen_context(system_u:object_r:entropyd_exec_t,s0)
/usr/sbin/haveged -- gen_context(system_u:object_r:entropyd_exec_t,s0)
diff --git a/policy/modules/contrib/exim.fc b/policy/modules/contrib/exim.fc
index 842cb34a..bd1f558a 100644
--- a/policy/modules/contrib/exim.fc
+++ b/policy/modules/contrib/exim.fc
@@ -3,6 +3,9 @@
/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_pid_t,s0)
/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_pid_t,s0)
+/usr/bin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
+/usr/bin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0)
+
/usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
/usr/sbin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0)
diff --git a/policy/modules/contrib/fakehwclock.fc b/policy/modules/contrib/fakehwclock.fc
index b0a55f6e..0ab3bd87 100644
--- a/policy/modules/contrib/fakehwclock.fc
+++ b/policy/modules/contrib/fakehwclock.fc
@@ -1,5 +1,7 @@
/etc/fake-hwclock\.data -- gen_context(system_u:object_r:fakehwclock_backup_t,s0)
+/usr/bin/fake-hwclock -- gen_context(system_u:object_r:fakehwclock_exec_t,s0)
+
/usr/sbin/fake-hwclock -- gen_context(system_u:object_r:fakehwclock_exec_t,s0)
/usr/lib/systemd/system/fake-hwclock\.service -- gen_context(system_u:object_r:fakehwclock_unit_t,s0)
diff --git a/policy/modules/contrib/fcoe.fc b/policy/modules/contrib/fcoe.fc
index 0cf8db8a..cb9552db 100644
--- a/policy/modules/contrib/fcoe.fc
+++ b/policy/modules/contrib/fcoe.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/fcoe -- gen_context(system_u:object_r:fcoemon_initrc_exec_t,s0)
+/usr/bin/fcoemon -- gen_context(system_u:object_r:fcoemon_exec_t,s0)
+
/usr/sbin/fcoemon -- gen_context(system_u:object_r:fcoemon_exec_t,s0)
/run/fcm(/.*)? gen_context(system_u:object_r:fcoemon_var_run_t,s0)
diff --git a/policy/modules/contrib/finger.fc b/policy/modules/contrib/finger.fc
index 422a9492..ce3adb5c 100644
--- a/policy/modules/contrib/finger.fc
+++ b/policy/modules/contrib/finger.fc
@@ -2,6 +2,9 @@
/etc/cron\.weekly/(c)?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
+/usr/bin/in\.(x)?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
+/usr/bin/[cef]fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
+
/usr/sbin/in\.(x)?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
/usr/sbin/[cef]fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
diff --git a/policy/modules/contrib/firewalld.fc b/policy/modules/contrib/firewalld.fc
index 0e595c42..19fc9177 100644
--- a/policy/modules/contrib/firewalld.fc
+++ b/policy/modules/contrib/firewalld.fc
@@ -2,6 +2,8 @@
/etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
+/usr/bin/firewalld -- gen_context(system_u:object_r:firewalld_exec_t,s0)
+
/usr/sbin/firewalld -- gen_context(system_u:object_r:firewalld_exec_t,s0)
/var/log/firewalld.* -- gen_context(system_u:object_r:firewalld_var_log_t,s0)
diff --git a/policy/modules/contrib/firstboot.fc b/policy/modules/contrib/firstboot.fc
index 12c782c8..2aafeb25 100644
--- a/policy/modules/contrib/firstboot.fc
+++ b/policy/modules/contrib/firstboot.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/firstboot.* -- gen_context(system_u:object_r:firstboot_initrc_exec_t,s0)
+/usr/bin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0)
+
/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0)
/usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0)
diff --git a/policy/modules/contrib/ftp.fc b/policy/modules/contrib/ftp.fc
index 03adaab6..6af8b34f 100644
--- a/policy/modules/contrib/ftp.fc
+++ b/policy/modules/contrib/ftp.fc
@@ -6,6 +6,11 @@
/etc/rc\.d/init\.d/proftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
/usr/bin/ftpdctl -- gen_context(system_u:object_r:ftpdctl_exec_t,s0)
+/usr/bin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/bin/in\.ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/bin/muddleftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/bin/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/bin/vsftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
/usr/kerberos/sbin/ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
diff --git a/policy/modules/contrib/gatekeeper.fc b/policy/modules/contrib/gatekeeper.fc
index 5d37898e..516f65a2 100644
--- a/policy/modules/contrib/gatekeeper.fc
+++ b/policy/modules/contrib/gatekeeper.fc
@@ -2,6 +2,9 @@
/etc/rc\.d/init\.d/gnugk -- gen_context(system_u:object_r:gatekeeper_initrc_exec_t,s0)
+/usr/bin/gk -- gen_context(system_u:object_r:gatekeeper_exec_t,s0)
+/usr/bin/gnugk -- gen_context(system_u:object_r:gatekeeper_exec_t,s0)
+
/usr/sbin/gk -- gen_context(system_u:object_r:gatekeeper_exec_t,s0)
/usr/sbin/gnugk -- gen_context(system_u:object_r:gatekeeper_exec_t,s0)
diff --git a/policy/modules/contrib/glusterfs.fc b/policy/modules/contrib/glusterfs.fc
index e2d1f847..be43eb4f 100644
--- a/policy/modules/contrib/glusterfs.fc
+++ b/policy/modules/contrib/glusterfs.fc
@@ -3,6 +3,9 @@
/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
+/usr/bin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
+/usr/bin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+
/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
diff --git a/policy/modules/contrib/gpm.fc b/policy/modules/contrib/gpm.fc
index aacc7f9f..24531dc0 100644
--- a/policy/modules/contrib/gpm.fc
+++ b/policy/modules/contrib/gpm.fc
@@ -6,6 +6,8 @@
/etc/rc\.d/init\.d/gpm -- gen_context(system_u:object_r:gpm_initrc_exec_t,s0)
+/usr/bin/gpm -- gen_context(system_u:object_r:gpm_exec_t,s0)
+
/usr/sbin/gpm -- gen_context(system_u:object_r:gpm_exec_t,s0)
/run/gpm\.pid -- gen_context(system_u:object_r:gpm_var_run_t,s0)
diff --git a/policy/modules/contrib/gpsd.fc b/policy/modules/contrib/gpsd.fc
index 9909197d..4e62fd9e 100644
--- a/policy/modules/contrib/gpsd.fc
+++ b/policy/modules/contrib/gpsd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/gpsd -- gen_context(system_u:object_r:gpsd_initrc_exec_t,s0)
+/usr/bin/gpsd -- gen_context(system_u:object_r:gpsd_exec_t,s0)
+
/usr/sbin/gpsd -- gen_context(system_u:object_r:gpsd_exec_t,s0)
/run/gpsd\.pid -- gen_context(system_u:object_r:gpsd_var_run_t,s0)
diff --git a/policy/modules/contrib/hal.fc b/policy/modules/contrib/hal.fc
index cf311f5a..5ac1f7a7 100644
--- a/policy/modules/contrib/hal.fc
+++ b/policy/modules/contrib/hal.fc
@@ -2,6 +2,8 @@
/etc/hal/device\.d/printer_remove\.hal -- gen_context(system_u:object_r:hald_exec_t,s0)
/usr/bin/hal-setup-keymap -- gen_context(system_u:object_r:hald_keymap_exec_t,s0)
+/usr/bin/hald -- gen_context(system_u:object_r:hald_exec_t,s0)
+/usr/bin/radeontool -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
/usr/libexec/hal-acl-tool -- gen_context(system_u:object_r:hald_acl_exec_t,s0)
/usr/libexec/hal-dccm -- gen_context(system_u:object_r:hald_dccm_exec_t,s0)
diff --git a/policy/modules/contrib/hddtemp.fc b/policy/modules/contrib/hddtemp.fc
index 993b14ac..f1d334eb 100644
--- a/policy/modules/contrib/hddtemp.fc
+++ b/policy/modules/contrib/hddtemp.fc
@@ -2,4 +2,6 @@
/etc/sysconfig/hddtemp -- gen_context(system_u:object_r:hddtemp_etc_t,s0)
+/usr/bin/hddtemp -- gen_context(system_u:object_r:hddtemp_exec_t,s0)
+
/usr/sbin/hddtemp -- gen_context(system_u:object_r:hddtemp_exec_t,s0)
diff --git a/policy/modules/contrib/hwloc.fc b/policy/modules/contrib/hwloc.fc
index ade2ac01..136bb697 100644
--- a/policy/modules/contrib/hwloc.fc
+++ b/policy/modules/contrib/hwloc.fc
@@ -1,5 +1,7 @@
-/usr/sbin/hwloc-dump-hwdata -- gen_context(system_u:object_r:hwloc_dhwd_exec_t,s0)
+/usr/bin/hwloc-dump-hwdata -- gen_context(system_u:object_r:hwloc_dhwd_exec_t,s0)
/usr/lib/systemd/system/hwloc-dump-hwdata.* -- gen_context(system_u:object_r:hwloc_dhwd_unit_t,s0)
+/usr/sbin/hwloc-dump-hwdata -- gen_context(system_u:object_r:hwloc_dhwd_exec_t,s0)
+
/run/hwloc(/.*)? gen_context(system_u:object_r:hwloc_var_run_t,s0)
diff --git a/policy/modules/contrib/hypervkvp.fc b/policy/modules/contrib/hypervkvp.fc
index b46130ef..d1bbb44c 100644
--- a/policy/modules/contrib/hypervkvp.fc
+++ b/policy/modules/contrib/hypervkvp.fc
@@ -1,3 +1,5 @@
/etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvpd_initrc_exec_t,s0)
+/usr/bin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvpd_exec_t,s0)
+
/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvpd_exec_t,s0)
diff --git a/policy/modules/contrib/i18n_input.fc b/policy/modules/contrib/i18n_input.fc
index 05aa1da3..9dcc65aa 100644
--- a/policy/modules/contrib/i18n_input.fc
+++ b/policy/modules/contrib/i18n_input.fc
@@ -2,6 +2,8 @@
/usr/bin/iiimd -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
/usr/bin/iiimd\.bin -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+/usr/bin/htt -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+/usr/bin/htt_server -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
/usr/bin/httx -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
/usr/bin/htt_xbe -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
/usr/bin/iiimx -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
diff --git a/policy/modules/contrib/ifplugd.fc b/policy/modules/contrib/ifplugd.fc
index 8c365f5c..2a1e9290 100644
--- a/policy/modules/contrib/ifplugd.fc
+++ b/policy/modules/contrib/ifplugd.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/ifplugd -- gen_context(system_u:object_r:ifplugd_initrc_exec_t,s0)
+/usr/bin/ifplugd -- gen_context(system_u:object_r:ifplugd_exec_t,s0)
+
/usr/sbin/ifplugd -- gen_context(system_u:object_r:ifplugd_exec_t,s0)
/run/ifplugd.* gen_context(system_u:object_r:ifplugd_var_run_t,s0)
diff --git a/policy/modules/contrib/inetd.fc b/policy/modules/contrib/inetd.fc
index 7973588d..3329de47 100644
--- a/policy/modules/contrib/inetd.fc
+++ b/policy/modules/contrib/inetd.fc
@@ -2,6 +2,12 @@
/usr/local/lib/pysieved/pysieved.*\.py -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
+/usr/bin/identd -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
+/usr/bin/in\..*d -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
+
+/usr/bin/rlinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
+/usr/bin/(x)?inetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
+
/usr/sbin/identd -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
/usr/sbin/in\..*d -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
diff --git a/policy/modules/contrib/inn.fc b/policy/modules/contrib/inn.fc
index 28a4f604..eb9bda28 100644
--- a/policy/modules/contrib/inn.fc
+++ b/policy/modules/contrib/inn.fc
@@ -3,10 +3,12 @@
/etc/rc\.d/init\.d/innd -- gen_context(system_u:object_r:innd_initrc_exec_t,s0)
-/usr/bin/inews -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/bin/rnews -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/bin/rpost -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/bin/suck -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/bin/inews -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/bin/in\.nnrpd -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/bin/innd.* -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/bin/rnews -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/bin/rpost -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/bin/suck -- gen_context(system_u:object_r:innd_exec_t,s0)
/usr/sbin/in\.nnrpd -- gen_context(system_u:object_r:innd_exec_t,s0)
/usr/sbin/innd.* -- gen_context(system_u:object_r:innd_exec_t,s0)
diff --git a/policy/modules/contrib/iodine.fc b/policy/modules/contrib/iodine.fc
index 53b6a139..7ae0c069 100644
--- a/policy/modules/contrib/iodine.fc
+++ b/policy/modules/contrib/iodine.fc
@@ -2,4 +2,6 @@
/run/iodine(/.*)? gen_context(system_u:object_r:iodined_var_run_t,s0)
+/usr/bin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0)
+
/usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0)
diff --git a/policy/modules/contrib/ircd.fc b/policy/modules/contrib/ircd.fc
index 07decaa2..f1944c75 100644
--- a/policy/modules/contrib/ircd.fc
+++ b/policy/modules/contrib/ircd.fc
@@ -5,7 +5,9 @@
/etc/rc\.d/init\.d/((ircd)|(ngircd)|(dancer-ircd)) -- gen_context(system_u:object_r:ircd_initrc_exec_t,s0)
+/usr/bin/dancer-ircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
/usr/bin/ircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
+/usr/bin/ngircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
/usr/sbin/dancer-ircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
/usr/sbin/ircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
diff --git a/policy/modules/contrib/irqbalance.fc b/policy/modules/contrib/irqbalance.fc
index 77530088..a9fb4296 100644
--- a/policy/modules/contrib/irqbalance.fc
+++ b/policy/modules/contrib/irqbalance.fc
@@ -4,4 +4,6 @@
/run/irqbalance\.pid -- gen_context(system_u:object_r:irqbalance_pid_t,s0)
+/usr/bin/irqbalance -- gen_context(system_u:object_r:irqbalance_exec_t,s0)
+
/usr/sbin/irqbalance -- gen_context(system_u:object_r:irqbalance_exec_t,s0)
diff --git a/policy/modules/contrib/iscsi.fc b/policy/modules/contrib/iscsi.fc
index 29c1e5cd..9503952e 100644
--- a/policy/modules/contrib/iscsi.fc
+++ b/policy/modules/contrib/iscsi.fc
@@ -1,5 +1,9 @@
/etc/rc\.d/init\.d/((iscsi)|(iscsid)) -- gen_context(system_u:object_r:iscsi_initrc_exec_t,s0)
+/usr/bin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+/usr/bin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+/usr/bin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+
/usr/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/usr/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/usr/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
diff --git a/policy/modules/contrib/isns.fc b/policy/modules/contrib/isns.fc
index f00d23d1..488e9a0c 100644
--- a/policy/modules/contrib/isns.fc
+++ b/policy/modules/contrib/isns.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/isnsd -- gen_context(system_u:object_r:isnsd_initrc_exec_t,s0)
+/usr/bin/isnsd -- gen_context(system_u:object_r:isnsd_exec_t,s0)
+
/usr/sbin/isnsd -- gen_context(system_u:object_r:isnsd_exec_t,s0)
/var/lib/isns(/.*)? gen_context(system_u:object_r:isnsd_var_lib_t,s0)
diff --git a/policy/modules/contrib/jabber.fc b/policy/modules/contrib/jabber.fc
index e31f56e8..bda8b8c5 100644
--- a/policy/modules/contrib/jabber.fc
+++ b/policy/modules/contrib/jabber.fc
@@ -1,10 +1,13 @@
/etc/rc\.d/init\.d/((jabber)|(ejabberd)|(jabberd)) -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0)
-/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
-/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
+/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
+/usr/bin/ejabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/ejabberdctl -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
/usr/bin/prosody -- gen_context(system_u:object_r:jabberd_exec_t,s0)
-/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
-/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
+/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0)
/usr/sbin/ejabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
/usr/sbin/ejabberdctl -- gen_context(system_u:object_r:jabberd_exec_t,s0)
diff --git a/policy/modules/contrib/kdump.fc b/policy/modules/contrib/kdump.fc
index 94c0daa2..4e396725 100644
--- a/policy/modules/contrib/kdump.fc
+++ b/policy/modules/contrib/kdump.fc
@@ -2,7 +2,9 @@
/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
+/usr/bin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
/usr/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0)
+/usr/bin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
/usr/lib/systemd/system/kdump.*\.service -- gen_context(system_u:object_r:kdump_unit_t,s0)
diff --git a/policy/modules/contrib/kerberos.fc b/policy/modules/contrib/kerberos.fc
index 4fe75fd6..df21fcc7 100644
--- a/policy/modules/contrib/kerberos.fc
+++ b/policy/modules/contrib/kerberos.fc
@@ -13,6 +13,9 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
/etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+/usr/bin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+/usr/bin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+
/usr/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
/usr/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)
diff --git a/policy/modules/contrib/kerneloops.fc b/policy/modules/contrib/kerneloops.fc
index 5ef261a3..d0db3544 100644
--- a/policy/modules/contrib/kerneloops.fc
+++ b/policy/modules/contrib/kerneloops.fc
@@ -1,3 +1,5 @@
/etc/rc\.d/init\.d/kerneloops -- gen_context(system_u:object_r:kerneloops_initrc_exec_t,s0)
+/usr/bin/kerneloops -- gen_context(system_u:object_r:kerneloops_exec_t,s0)
+
/usr/sbin/kerneloops -- gen_context(system_u:object_r:kerneloops_exec_t,s0)
diff --git a/policy/modules/contrib/ksmtuned.fc b/policy/modules/contrib/ksmtuned.fc
index 7229ce8b..68f3623b 100644
--- a/policy/modules/contrib/ksmtuned.fc
+++ b/policy/modules/contrib/ksmtuned.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/ksmtuned -- gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0)
+/usr/bin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0)
+
/usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0)
/var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0)
diff --git a/policy/modules/contrib/ktalk.fc b/policy/modules/contrib/ktalk.fc
index 38ecb07d..fae3b8c4 100644
--- a/policy/modules/contrib/ktalk.fc
+++ b/policy/modules/contrib/ktalk.fc
@@ -1,4 +1,6 @@
-/usr/bin/ktalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
+/usr/bin/in\.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
+/usr/bin/in\.ntalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
+/usr/bin/ktalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
/usr/sbin/in\.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
/usr/sbin/in\.ntalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
diff --git a/policy/modules/contrib/kudzu.fc b/policy/modules/contrib/kudzu.fc
index a0030a74..a0127d49 100644
--- a/policy/modules/contrib/kudzu.fc
+++ b/policy/modules/contrib/kudzu.fc
@@ -1,6 +1,9 @@
/etc/rc\.d/init\.d/kudzu -- gen_context(system_u:object_r:kudzu_initrc_exec_t,s0)
+/usr/bin/kmodule -- gen_context(system_u:object_r:kudzu_exec_t,s0)
+/usr/bin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0)
+
/usr/sbin/kmodule -- gen_context(system_u:object_r:kudzu_exec_t,s0)
-/usr/sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0)
+/usr/sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0)
/run/kudzu(/.*)? gen_context(system_u:object_r:kudzu_var_run_t,s0)
diff --git a/policy/modules/contrib/l2tp.fc b/policy/modules/contrib/l2tp.fc
index 77d5c5a6..499c7de6 100644
--- a/policy/modules/contrib/l2tp.fc
+++ b/policy/modules/contrib/l2tp.fc
@@ -4,6 +4,8 @@
/etc/sysconfig/.*l2tpd -- gen_context(system_u:object_r:l2tp_conf_t,s0)
+/usr/bin/.*l2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
+
/usr/sbin/.*l2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
/run/.*l2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0)
diff --git a/policy/modules/contrib/ldap.fc b/policy/modules/contrib/ldap.fc
index 38b123d7..174f4d73 100644
--- a/policy/modules/contrib/ldap.fc
+++ b/policy/modules/contrib/ldap.fc
@@ -4,6 +4,8 @@
/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
+/usr/bin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
+
/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
/usr/lib/openldap/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
diff --git a/policy/modules/contrib/likewise.fc b/policy/modules/contrib/likewise.fc
index 0a5cc34e..c95fd7d5 100644
--- a/policy/modules/contrib/likewise.fc
+++ b/policy/modules/contrib/likewise.fc
@@ -21,6 +21,15 @@
/opt/likewise/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)
/opt/likewise/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0)
+/usr/bin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0)
+/usr/bin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0)
+/usr/bin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
+/usr/bin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0)
+/usr/bin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0)
+/usr/bin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0)
+/usr/bin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)
+/usr/bin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0)
+
/usr/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0)
/usr/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0)
/usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
diff --git a/policy/modules/contrib/lircd.fc b/policy/modules/contrib/lircd.fc
index d38234fd..79947d0c 100644
--- a/policy/modules/contrib/lircd.fc
+++ b/policy/modules/contrib/lircd.fc
@@ -5,6 +5,8 @@
/etc/rc\.d/init\.d/lirc -- gen_context(system_u:object_r:lircd_initrc_exec_t,s0)
+/usr/bin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0)
+
# Systemd unit file
/usr/lib/systemd/system/[^/]*lircd.* -- gen_context(system_u:object_r:lircd_unit_t,s0)
diff --git a/policy/modules/contrib/lldpad.fc b/policy/modules/contrib/lldpad.fc
index 385eccf4..305b8de7 100644
--- a/policy/modules/contrib/lldpad.fc
+++ b/policy/modules/contrib/lldpad.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/lldpad -- gen_context(system_u:object_r:lldpad_initrc_exec_t,s0)
+/usr/bin/lldpad -- gen_context(system_u:object_r:lldpad_exec_t,s0)
+
/usr/sbin/lldpad -- gen_context(system_u:object_r:lldpad_exec_t,s0)
/var/lib/lldpad(/.*)? gen_context(system_u:object_r:lldpad_var_lib_t,s0)
diff --git a/policy/modules/contrib/lockdev.fc b/policy/modules/contrib/lockdev.fc
index 4fd0fda9..65ed30df 100644
--- a/policy/modules/contrib/lockdev.fc
+++ b/policy/modules/contrib/lockdev.fc
@@ -1,3 +1,5 @@
+/usr/bin/lockdev -- gen_context(system_u:object_r:lockdev_exec_t,s0)
+
/usr/sbin/lockdev -- gen_context(system_u:object_r:lockdev_exec_t,s0)
/var/lock/lockdev(/.*)? gen_context(system_u:object_r:lockdev_lock_t,s0)
diff --git a/policy/modules/contrib/logrotate.fc b/policy/modules/contrib/logrotate.fc
index ad215962..dac1af39 100644
--- a/policy/modules/contrib/logrotate.fc
+++ b/policy/modules/contrib/logrotate.fc
@@ -1,6 +1,8 @@
/etc/cron\.(daily|weekly)/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0)
+/usr/bin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
+
# Systemd unit file
/usr/lib/systemd/system/[^/]*logrotate.* -- gen_context(system_u:object_r:logrotate_unit_t,s0)
diff --git a/policy/modules/contrib/logwatch.fc b/policy/modules/contrib/logwatch.fc
index 792e3cf7..7e83c901 100644
--- a/policy/modules/contrib/logwatch.fc
+++ b/policy/modules/contrib/logwatch.fc
@@ -1,3 +1,7 @@
+/usr/bin/epylog -- gen_context(system_u:object_r:logwatch_exec_t,s0)
+/usr/bin/logcheck -- gen_context(system_u:object_r:logwatch_exec_t,s0)
+/usr/bin/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t,s0)
+
/usr/sbin/epylog -- gen_context(system_u:object_r:logwatch_exec_t,s0)
/usr/sbin/logcheck -- gen_context(system_u:object_r:logwatch_exec_t,s0)
/usr/sbin/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t,s0)
diff --git a/policy/modules/contrib/lpd.fc b/policy/modules/contrib/lpd.fc
index cd1aa707..8916d38e 100644
--- a/policy/modules/contrib/lpd.fc
+++ b/policy/modules/contrib/lpd.fc
@@ -3,19 +3,26 @@
/opt/gutenprint/bin(/.*)? gen_context(system_u:object_r:lpr_exec_t,s0)
/opt/gutenprint/sbin(/.*)? gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/accept -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/bin/cancel(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
-/usr/bin/lp(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
-/usr/bin/lpoptions -- gen_context(system_u:object_r:lpr_exec_t,s0)
-/usr/bin/lpq(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
-/usr/bin/lpr(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
-/usr/bin/lprm(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/checkpc -- gen_context(system_u:object_r:checkpc_exec_t,s0)
+/usr/bin/lp(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpadmin -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpc(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpd -- gen_context(system_u:object_r:lpd_exec_t,s0)
+/usr/bin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpoptions -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpq(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpr(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lprm(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/bin/lpstat(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/sbin/accept -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/sbin/checkpc -- gen_context(system_u:object_r:checkpc_exec_t,s0)
-/usr/sbin/lpd -- gen_context(system_u:object_r:lpd_exec_t,s0)
/usr/sbin/lpadmin -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/sbin/lpc(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/sbin/lpd -- gen_context(system_u:object_r:lpd_exec_t,s0)
/usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0)
diff --git a/policy/modules/contrib/mailscanner.fc b/policy/modules/contrib/mailscanner.fc
index 00ecd1b2..cc6a8f88 100644
--- a/policy/modules/contrib/mailscanner.fc
+++ b/policy/modules/contrib/mailscanner.fc
@@ -6,6 +6,8 @@
/etc/sysconfig/update_spamassassin -- gen_context(system_u:object_r:mscan_etc_t,s0)
+/usr/bin/MailScanner -- gen_context(system_u:object_r:mscan_exec_t,s0)
+
/usr/sbin/MailScanner -- gen_context(system_u:object_r:mscan_exec_t,s0)
/run/MailScanner\.pid -- gen_context(system_u:object_r:mscan_var_run_t,s0)
diff --git a/policy/modules/contrib/mcelog.fc b/policy/modules/contrib/mcelog.fc
index 86d8bdba..a91a13f9 100644
--- a/policy/modules/contrib/mcelog.fc
+++ b/policy/modules/contrib/mcelog.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/mcelog -- gen_context(system_u:object_r:mcelog_initrc_exec_t,s0)
+/usr/bin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
+
/usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
/var/log/mcelog.* -- gen_context(system_u:object_r:mcelog_log_t,s0)
diff --git a/policy/modules/contrib/milter.fc b/policy/modules/contrib/milter.fc
index 38a65aac..378d5e4c 100644
--- a/policy/modules/contrib/milter.fc
+++ b/policy/modules/contrib/milter.fc
@@ -1,3 +1,8 @@
+/usr/bin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
+/usr/bin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
+/usr/bin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
+/usr/bin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
+
/usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
/usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
diff --git a/policy/modules/contrib/minidlna.fc b/policy/modules/contrib/minidlna.fc
index 37239ebf..79af2d74 100644
--- a/policy/modules/contrib/minidlna.fc
+++ b/policy/modules/contrib/minidlna.fc
@@ -2,6 +2,8 @@
/etc/minidlna\.conf -- gen_context(system_u:object_r:minidlna_conf_t,s0)
+/usr/bin/minidlna -- gen_context(system_u:object_r:minidlna_exec_t,s0)
+
/usr/sbin/minidlna -- gen_context(system_u:object_r:minidlna_exec_t,s0)
/var/cache/minidlna(/.*)? gen_context(system_u:object_r:minidlna_db_t,s0)
diff --git a/policy/modules/contrib/minissdpd.fc b/policy/modules/contrib/minissdpd.fc
index c7a5368b..cdad38ed 100644
--- a/policy/modules/contrib/minissdpd.fc
+++ b/policy/modules/contrib/minissdpd.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/minissdpd -- gen_context(system_u:object_r:minissdpd_initrc_exec_t,s0)
+/usr/bin/minissdpd -- gen_context(system_u:object_r:minissdpd_exec_t,s0)
+
/usr/sbin/minissdpd -- gen_context(system_u:object_r:minissdpd_exec_t,s0)
/run/minissdpd\.pid -- gen_context(system_u:object_r:minissdpd_var_run_t,s0)
diff --git a/policy/modules/contrib/modemmanager.fc b/policy/modules/contrib/modemmanager.fc
index c43901e6..88d8ff3f 100644
--- a/policy/modules/contrib/modemmanager.fc
+++ b/policy/modules/contrib/modemmanager.fc
@@ -1,2 +1,5 @@
+/usr/bin/ModemManager -- gen_context(system_u:object_r:modemmanager_exec_t,s0)
+/usr/bin/modem-manager -- gen_context(system_u:object_r:modemmanager_exec_t,s0)
+
/usr/sbin/ModemManager -- gen_context(system_u:object_r:modemmanager_exec_t,s0)
/usr/sbin/modem-manager -- gen_context(system_u:object_r:modemmanager_exec_t,s0)
diff --git a/policy/modules/contrib/mon.fc b/policy/modules/contrib/mon.fc
index c92575b4..71b42ee7 100644
--- a/policy/modules/contrib/mon.fc
+++ b/policy/modules/contrib/mon.fc
@@ -1,5 +1,7 @@
/run/mon(/.*)? gen_context(system_u:object_r:mon_var_run_t,s0)
+/usr/bin/mon -- gen_context(system_u:object_r:mon_exec_t,s0)
+
/usr/lib/mon/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
/usr/lib/mon/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
/usr/lib/mon-contrib/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
diff --git a/policy/modules/contrib/monop.fc b/policy/modules/contrib/monop.fc
index f25a1820..f89b50f9 100644
--- a/policy/modules/contrib/monop.fc
+++ b/policy/modules/contrib/monop.fc
@@ -2,6 +2,8 @@
/etc/monopd\.conf -- gen_context(system_u:object_r:monopd_etc_t,s0)
+/usr/bin/monopd -- gen_context(system_u:object_r:monopd_exec_t,s0)
+
/usr/sbin/monopd -- gen_context(system_u:object_r:monopd_exec_t,s0)
/usr/share/monopd/games(/.*)? gen_context(system_u:object_r:monopd_share_t,s0)
diff --git a/policy/modules/contrib/mta.fc b/policy/modules/contrib/mta.fc
index dd9f799a..ace4a1f1 100644
--- a/policy/modules/contrib/mta.fc
+++ b/policy/modules/contrib/mta.fc
@@ -14,6 +14,10 @@ HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/bin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/bin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/bin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/bin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/lib/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
diff --git a/policy/modules/contrib/mysql.fc b/policy/modules/contrib/mysql.fc
index 6735c459..8213e53c 100644
--- a/policy/modules/contrib/mysql.fc
+++ b/policy/modules/contrib/mysql.fc
@@ -7,8 +7,11 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
/etc/rc\.d/init\.d/mysqld? -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0)
+/usr/bin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
/usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/bin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
+/usr/bin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
/usr/lib/systemd/system/mysqld.*\.service -- gen_context(system_u:object_r:mysqld_unit_t,s0)
diff --git a/policy/modules/contrib/nessus.fc b/policy/modules/contrib/nessus.fc
index 9640c364..2065c1b8 100644
--- a/policy/modules/contrib/nessus.fc
+++ b/policy/modules/contrib/nessus.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/nessusd -- gen_context(system_u:object_r:nessusd_initrc_exec_t,s0)
+/usr/bin/nessusd -- gen_context(system_u:object_r:nessusd_exec_t,s0)
+
/usr/lib/nessus/plugins/.* -- gen_context(system_u:object_r:nessusd_exec_t,s0)
/usr/sbin/nessusd -- gen_context(system_u:object_r:nessusd_exec_t,s0)
diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc
index 1e6d0f5b..16b3c06f 100644
--- a/policy/modules/contrib/networkmanager.fc
+++ b/policy/modules/contrib/networkmanager.fc
@@ -21,9 +21,12 @@
/usr/lib/systemd/system/[^/]*NetworkManager.* -- gen_context(system_u:object_r:NetworkManager_unit_t,s0)
/usr/lib/systemd/system/[^/]*wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_unit_t,s0)
-/usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
-/usr/bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/bin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/bin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/bin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
+/usr/bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/sbin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
diff --git a/policy/modules/contrib/nis.fc b/policy/modules/contrib/nis.fc
index 2b86f44d..46f101bc 100644
--- a/policy/modules/contrib/nis.fc
+++ b/policy/modules/contrib/nis.fc
@@ -5,6 +5,11 @@
/etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0)
+/usr/bin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
+/usr/bin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
+/usr/bin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
+/usr/bin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0)
+
/usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
/usr/lib/systemd/system/ypbind.*\.service -- gen_context(system_u:object_r:ypbind_unit_t,s0)
diff --git a/policy/modules/contrib/nscd.fc b/policy/modules/contrib/nscd.fc
index 51460f89..4857b5b7 100644
--- a/policy/modules/contrib/nscd.fc
+++ b/policy/modules/contrib/nscd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0)
+/usr/bin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
+
/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
/var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
diff --git a/policy/modules/contrib/nsd.fc b/policy/modules/contrib/nsd.fc
index 286a4ecf..d4fc584e 100644
--- a/policy/modules/contrib/nsd.fc
+++ b/policy/modules/contrib/nsd.fc
@@ -5,6 +5,11 @@
/etc/nsd/primary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
/etc/nsd/secondary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
+/usr/bin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/bin/nsdc -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/bin/nsd-notify -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/bin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0)
+
/usr/sbin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0)
/usr/sbin/nsdc -- gen_context(system_u:object_r:nsd_exec_t,s0)
/usr/sbin/nsd-notify -- gen_context(system_u:object_r:nsd_exec_t,s0)
diff --git a/policy/modules/contrib/nslcd.fc b/policy/modules/contrib/nslcd.fc
index cdeb9350..89543b3e 100644
--- a/policy/modules/contrib/nslcd.fc
+++ b/policy/modules/contrib/nslcd.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
+/usr/bin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0)
+
/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0)
/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0)
diff --git a/policy/modules/contrib/ntop.fc b/policy/modules/contrib/ntop.fc
index cbbec58a..3ededdd2 100644
--- a/policy/modules/contrib/ntop.fc
+++ b/policy/modules/contrib/ntop.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/ntop -- gen_context(system_u:object_r:ntop_initrc_exec_t,s0)
+/usr/bin/ntop -- gen_context(system_u:object_r:ntop_exec_t,s0)
+
/usr/sbin/ntop -- gen_context(system_u:object_r:ntop_exec_t,s0)
/var/lib/ntop(/.*)? gen_context(system_u:object_r:ntop_var_lib_t,s0)
diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index 67c2b883..903c131c 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -13,6 +13,10 @@
/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_pid_t,s0)
+/usr/bin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/usr/bin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/usr/bin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+
/usr/lib/systemd/ntp-units\.d/.* -- gen_context(system_u:object_r:ntpd_unit_t,s0)
/usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0)
/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:ntpd_exec_t,s0)
diff --git a/policy/modules/contrib/nut.fc b/policy/modules/contrib/nut.fc
index fdf658f1..6dbfbde1 100644
--- a/policy/modules/contrib/nut.fc
+++ b/policy/modules/contrib/nut.fc
@@ -4,6 +4,10 @@
/etc/rc\.d/init\.d/nut-driver -- gen_context(system_u:object_r:nut_initrc_exec_t,s0)
/etc/rc\.d/init\.d/nut-server -- gen_context(system_u:object_r:nut_initrc_exec_t,s0)
+/usr/bin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0)
+/usr/bin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
+/usr/bin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
+
/usr/lib/cgi-bin/nut/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
/usr/lib/cgi-bin/nut/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
/usr/lib/cgi-bin/nut/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
diff --git a/policy/modules/contrib/oav.fc b/policy/modules/contrib/oav.fc
index 2448426e..dabf41ee 100644
--- a/policy/modules/contrib/oav.fc
+++ b/policy/modules/contrib/oav.fc
@@ -1,6 +1,9 @@
/etc/oav-update(/.*)? gen_context(system_u:object_r:oav_update_etc_t,s0)
/etc/scannerdaemon/scannerdaemon\.conf -- gen_context(system_u:object_r:scannerdaemon_etc_t,s0)
+/usr/bin/oav-update -- gen_context(system_u:object_r:oav_update_exec_t,s0)
+/usr/bin/scannerdaemon -- gen_context(system_u:object_r:scannerdaemon_exec_t,s0)
+
/usr/sbin/oav-update -- gen_context(system_u:object_r:oav_update_exec_t,s0)
/usr/sbin/scannerdaemon -- gen_context(system_u:object_r:scannerdaemon_exec_t,s0)
diff --git a/policy/modules/contrib/oddjob.fc b/policy/modules/contrib/oddjob.fc
index d20f5ea2..f1c819ef 100644
--- a/policy/modules/contrib/oddjob.fc
+++ b/policy/modules/contrib/oddjob.fc
@@ -2,6 +2,9 @@
/usr/libexec/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+/usr/bin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
+/usr/bin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+
/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
/usr/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
diff --git a/policy/modules/contrib/oident.fc b/policy/modules/contrib/oident.fc
index df3b9758..584d948f 100644
--- a/policy/modules/contrib/oident.fc
+++ b/policy/modules/contrib/oident.fc
@@ -5,4 +5,6 @@ HOME_DIR/\.oidentd\.conf -- gen_context(system_u:object_r:oidentd_home_t,s0)
/etc/rc\.d/init\.d/oidentd -- gen_context(system_u:object_r:oidentd_initrc_exec_t,s0)
+/usr/bin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t,s0)
+
/usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t,s0)
diff --git a/policy/modules/contrib/openct.fc b/policy/modules/contrib/openct.fc
index b5c2b05d..4c0236d2 100644
--- a/policy/modules/contrib/openct.fc
+++ b/policy/modules/contrib/openct.fc
@@ -1,5 +1,8 @@
/etc/rc\.d/init\.d/openct -- gen_context(system_u:object_r:openct_initrc_exec_t,s0)
+/usr/bin/ifdhandler -- gen_context(system_u:object_r:openct_exec_t,s0)
+/usr/bin/openct-control -- gen_context(system_u:object_r:openct_exec_t,s0)
+
/usr/sbin/ifdhandler -- gen_context(system_u:object_r:openct_exec_t,s0)
/usr/sbin/openct-control -- gen_context(system_u:object_r:openct_exec_t,s0)
diff --git a/policy/modules/contrib/openhpi.fc b/policy/modules/contrib/openhpi.fc
index e1ee3e4a..1ce9da3d 100644
--- a/policy/modules/contrib/openhpi.fc
+++ b/policy/modules/contrib/openhpi.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/openhpid -- gen_context(system_u:object_r:openhpid_initrc_exec_t,s0)
+/usr/bin/openhpid -- gen_context(system_u:object_r:openhpid_exec_t,s0)
+
/usr/sbin/openhpid -- gen_context(system_u:object_r:openhpid_exec_t,s0)
/var/lib/openhpi(/.*)? gen_context(system_u:object_r:openhpid_var_lib_t,s0)
diff --git a/policy/modules/contrib/openvpn.fc b/policy/modules/contrib/openvpn.fc
index 00d176d3..7a00b7a8 100644
--- a/policy/modules/contrib/openvpn.fc
+++ b/policy/modules/contrib/openvpn.fc
@@ -4,6 +4,8 @@
/etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0)
+/usr/bin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0)
+
/usr/sbin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0)
/var/log/openvpn-status\.log.* -- gen_context(system_u:object_r:openvpn_status_t,s0)
diff --git a/policy/modules/contrib/pacemaker.fc b/policy/modules/contrib/pacemaker.fc
index 6de95e79..3b398450 100644
--- a/policy/modules/contrib/pacemaker.fc
+++ b/policy/modules/contrib/pacemaker.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/pacemaker -- gen_context(system_u:object_r:pacemaker_initrc_exec_t,s0)
+/usr/bin/pacemakerd -- gen_context(system_u:object_r:pacemaker_exec_t,s0)
+
/usr/sbin/pacemakerd -- gen_context(system_u:object_r:pacemaker_exec_t,s0)
/var/lib/heartbeat/crm(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
diff --git a/policy/modules/contrib/pcmcia.fc b/policy/modules/contrib/pcmcia.fc
index b508069e..f9fadf5f 100644
--- a/policy/modules/contrib/pcmcia.fc
+++ b/policy/modules/contrib/pcmcia.fc
@@ -1,5 +1,8 @@
/etc/apm/event\.d/pcmcia -- gen_context(system_u:object_r:cardmgr_exec_t,s0)
+/usr/bin/cardctl -- gen_context(system_u:object_r:cardctl_exec_t,s0)
+/usr/bin/cardmgr -- gen_context(system_u:object_r:cardmgr_exec_t,s0)
+
/usr/sbin/cardctl -- gen_context(system_u:object_r:cardctl_exec_t,s0)
/usr/sbin/cardmgr -- gen_context(system_u:object_r:cardmgr_exec_t,s0)
diff --git a/policy/modules/contrib/pcscd.fc b/policy/modules/contrib/pcscd.fc
index 79e96b1b..4d667ea2 100644
--- a/policy/modules/contrib/pcscd.fc
+++ b/policy/modules/contrib/pcscd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/pcscd -- gen_context(system_u:object_r:pcscd_initrc_exec_t,s0)
+/usr/bin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0)
+
/usr/sbin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0)
# Systemd unit file
diff --git a/policy/modules/contrib/pegasus.fc b/policy/modules/contrib/pegasus.fc
index 4791c0e2..0f7fe617 100644
--- a/policy/modules/contrib/pegasus.fc
+++ b/policy/modules/contrib/pegasus.fc
@@ -3,6 +3,9 @@
/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0)
+/usr/bin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
+/usr/bin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
+
/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
diff --git a/policy/modules/contrib/perdition.fc b/policy/modules/contrib/perdition.fc
index a7d2a8be..f9f88dfb 100644
--- a/policy/modules/contrib/perdition.fc
+++ b/policy/modules/contrib/perdition.fc
@@ -2,6 +2,8 @@
/etc/perdition(/.*)? gen_context(system_u:object_r:perdition_etc_t,s0)
+/usr/bin/perdition.* -- gen_context(system_u:object_r:perdition_exec_t,s0)
+
/usr/sbin/perdition.* -- gen_context(system_u:object_r:perdition_exec_t,s0)
/run/perdition\.pid -- gen_context(system_u:object_r:perdition_var_run_t,s0)
diff --git a/policy/modules/contrib/pingd.fc b/policy/modules/contrib/pingd.fc
index 494a24cc..1cbbf6d8 100644
--- a/policy/modules/contrib/pingd.fc
+++ b/policy/modules/contrib/pingd.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/whatsup-pingd -- gen_context(system_u:object_r:pingd_initrc_exec_t,s0)
+/usr/bin/pingd -- gen_context(system_u:object_r:pingd_exec_t,s0)
+
/usr/lib/pingd(/.*)? gen_context(system_u:object_r:pingd_modules_t,s0)
/usr/sbin/pingd -- gen_context(system_u:object_r:pingd_exec_t,s0)
diff --git a/policy/modules/contrib/pkcs.fc b/policy/modules/contrib/pkcs.fc
index 65a25e37..148293a9 100644
--- a/policy/modules/contrib/pkcs.fc
+++ b/policy/modules/contrib/pkcs.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/pkcsslotd -- gen_context(system_u:object_r:pkcs_slotd_initrc_exec_t,s0)
+/usr/bin/pkcsslotd -- gen_context(system_u:object_r:pkcs_slotd_exec_t,s0)
+
/usr/sbin/pkcsslotd -- gen_context(system_u:object_r:pkcs_slotd_exec_t,s0)
/var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_var_lib_t,s0)
diff --git a/policy/modules/contrib/plymouthd.fc b/policy/modules/contrib/plymouthd.fc
index 8eab91b8..c99ccd2d 100644
--- a/policy/modules/contrib/plymouthd.fc
+++ b/policy/modules/contrib/plymouthd.fc
@@ -1,4 +1,5 @@
/usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
+/usr/bin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
# Systemd unit file
/usr/lib/systemd/system/[^/]*plymouth-.* -- gen_context(system_u:object_r:plymouthd_unit_t,s0)
diff --git a/policy/modules/contrib/portmap.fc b/policy/modules/contrib/portmap.fc
index d15c7072..b33b5f4e 100644
--- a/policy/modules/contrib/portmap.fc
+++ b/policy/modules/contrib/portmap.fc
@@ -1,5 +1,9 @@
/etc/rc\.d/init\.d/portmap -- gen_context(system_u:object_r:portmap_initrc_exec_t,s0)
+/usr/bin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+/usr/bin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+/usr/bin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0)
+
/usr/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
/usr/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
/usr/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0)
diff --git a/policy/modules/contrib/portreserve.fc b/policy/modules/contrib/portreserve.fc
index de7da13c..d649d58d 100644
--- a/policy/modules/contrib/portreserve.fc
+++ b/policy/modules/contrib/portreserve.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0)
+/usr/bin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
+
/usr/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
/run/portreserve(/.*)? gen_context(system_u:object_r:portreserve_var_run_t,s0)
diff --git a/policy/modules/contrib/portslave.fc b/policy/modules/contrib/portslave.fc
index 22ca4a50..1afb1976 100644
--- a/policy/modules/contrib/portslave.fc
+++ b/policy/modules/contrib/portslave.fc
@@ -1,5 +1,8 @@
/etc/portslave(/.*)? gen_context(system_u:object_r:portslave_etc_t,s0)
+/usr/bin/ctlportslave -- gen_context(system_u:object_r:portslave_exec_t,s0)
+/usr/bin/portslave -- gen_context(system_u:object_r:portslave_exec_t,s0)
+
/usr/sbin/ctlportslave -- gen_context(system_u:object_r:portslave_exec_t,s0)
/usr/sbin/portslave -- gen_context(system_u:object_r:portslave_exec_t,s0)
diff --git a/policy/modules/contrib/postfix.fc b/policy/modules/contrib/postfix.fc
index 707b5be0..ecf447d6 100644
--- a/policy/modules/contrib/postfix.fc
+++ b/policy/modules/contrib/postfix.fc
@@ -4,6 +4,17 @@
/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
+/usr/bin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/bin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/bin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
+/usr/bin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/bin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/bin/postlock -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/bin/postlog -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/bin/postmap -- gen_context(system_u:object_r:postfix_map_exec_t,s0)
+/usr/bin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
+/usr/bin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+
# Remove catch-all so that .so files remain lib_t
#/usr/lib/postfix/(sbin/)?.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/usr/lib/postfix/(sbin/)?cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
diff --git a/policy/modules/contrib/postfixpolicyd.fc b/policy/modules/contrib/postfixpolicyd.fc
index ed79fe20..a8fb9f8c 100644
--- a/policy/modules/contrib/postfixpolicyd.fc
+++ b/policy/modules/contrib/postfixpolicyd.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/postfixpolicyd -- gen_context(system_u:object_r:postfix_policyd_initrc_exec_t,s0)
+/usr/bin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t,s0)
+
/usr/sbin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t,s0)
/run/policyd\.pid -- gen_context(system_u:object_r:postfix_policyd_var_run_t,s0)
diff --git a/policy/modules/contrib/postgrey.fc b/policy/modules/contrib/postgrey.fc
index 955207fc..076987a6 100644
--- a/policy/modules/contrib/postgrey.fc
+++ b/policy/modules/contrib/postgrey.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/postgrey -- gen_context(system_u:object_r:postgrey_initrc_exec_t,s0)
+/usr/bin/postgrey -- gen_context(system_u:object_r:postgrey_exec_t,s0)
+
/usr/sbin/postgrey -- gen_context(system_u:object_r:postgrey_exec_t,s0)
/var/lib/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_lib_t,s0)
diff --git a/policy/modules/contrib/ppp.fc b/policy/modules/contrib/ppp.fc
index d31591a5..67de5b3e 100644
--- a/policy/modules/contrib/ppp.fc
+++ b/policy/modules/contrib/ppp.fc
@@ -9,6 +9,12 @@ HOME_DIR/\.ppprc -- gen_context(system_u:object_r:ppp_home_t,s0)
/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+/usr/bin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/bin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/bin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/bin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/bin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0)
+
/usr/lib/systemd/system/ppp.*\.service -- gen_context(system_u:object_r:pppd_unit_t,s0)
/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
diff --git a/policy/modules/contrib/prelink.fc b/policy/modules/contrib/prelink.fc
index a90d6231..8823d27a 100644
--- a/policy/modules/contrib/prelink.fc
+++ b/policy/modules/contrib/prelink.fc
@@ -2,6 +2,8 @@
/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0)
+/usr/bin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0)
+
/usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0)
/var/log/prelink\.log.* -- gen_context(system_u:object_r:prelink_log_t,s0)
diff --git a/policy/modules/contrib/prelude.fc b/policy/modules/contrib/prelude.fc
index 75df3cf6..ca48c982 100644
--- a/policy/modules/contrib/prelude.fc
+++ b/policy/modules/contrib/prelude.fc
@@ -4,8 +4,9 @@
/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0)
/etc/rc\.d/init\.d/prelude-manager -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0)
+/usr/bin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0)
/usr/bin/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_exec_t,s0)
-/usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0)
+/usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0)
/usr/bin/prelude-manager -- gen_context(system_u:object_r:prelude_exec_t,s0)
/usr/sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0)
diff --git a/policy/modules/contrib/privoxy.fc b/policy/modules/contrib/privoxy.fc
index cf3678a4..9feef4f7 100644
--- a/policy/modules/contrib/privoxy.fc
+++ b/policy/modules/contrib/privoxy.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/privoxy -- gen_context(system_u:object_r:privoxy_initrc_exec_t,s0)
+/usr/bin/privoxy -- gen_context(system_u:object_r:privoxy_exec_t,s0)
+
/usr/sbin/privoxy -- gen_context(system_u:object_r:privoxy_exec_t,s0)
/var/log/privoxy(/.*)? gen_context(system_u:object_r:privoxy_log_t,s0)
diff --git a/policy/modules/contrib/psad.fc b/policy/modules/contrib/psad.fc
index 1157cebc..d26a15b5 100644
--- a/policy/modules/contrib/psad.fc
+++ b/policy/modules/contrib/psad.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/psad -- gen_context(system_u:object_r:psad_initrc_exec_t,s0)
+/usr/bin/psad -- gen_context(system_u:object_r:psad_exec_t,s0)
+
/usr/sbin/psad -- gen_context(system_u:object_r:psad_exec_t,s0)
/var/lib/psad(/.*)? gen_context(system_u:object_r:psad_var_lib_t,s0)
diff --git a/policy/modules/contrib/pxe.fc b/policy/modules/contrib/pxe.fc
index 270f819a..56ca3ecd 100644
--- a/policy/modules/contrib/pxe.fc
+++ b/policy/modules/contrib/pxe.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/pxe -- gen_context(system_u:object_r:pxe_initrc_exec_t,s0)
+/usr/bin/pxe -- gen_context(system_u:object_r:pxe_exec_t,s0)
+
/usr/sbin/pxe -- gen_context(system_u:object_r:pxe_exec_t,s0)
/var/log/pxe\.log.* -- gen_context(system_u:object_r:pxe_log_t,s0)
diff --git a/policy/modules/contrib/qmail.fc b/policy/modules/contrib/qmail.fc
index e53fe5a9..54e0847f 100644
--- a/policy/modules/contrib/qmail.fc
+++ b/policy/modules/contrib/qmail.fc
@@ -1,5 +1,17 @@
/etc/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+/usr/bin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
+/usr/bin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
+/usr/bin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0)
+/usr/bin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0)
+/usr/bin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0)
+/usr/bin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0)
+/usr/bin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0)
+/usr/bin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0)
+/usr/bin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0)
+/usr/bin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
+/usr/bin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0)
+/usr/bin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
/usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
/usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
diff --git a/policy/modules/contrib/qpid.fc b/policy/modules/contrib/qpid.fc
index fdcf49dc..ed8f5432 100644
--- a/policy/modules/contrib/qpid.fc
+++ b/policy/modules/contrib/qpid.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/qpidd -- gen_context(system_u:object_r:qpidd_initrc_exec_t,s0)
+/usr/bin/qpidd -- gen_context(system_u:object_r:qpidd_exec_t,s0)
+
/usr/sbin/qpidd -- gen_context(system_u:object_r:qpidd_exec_t,s0)
/var/lib/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_lib_t,s0)
diff --git a/policy/modules/contrib/quota.fc b/policy/modules/contrib/quota.fc
index c3d05ba1..28a21a8b 100644
--- a/policy/modules/contrib/quota.fc
+++ b/policy/modules/contrib/quota.fc
@@ -10,6 +10,10 @@ HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
/etc/rc\.d/init\.d/quota_nld -- gen_context(system_u:object_r:quota_nld_initrc_exec_t,s0)
+/usr/bin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
+/usr/bin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
+/usr/bin/quota_nld -- gen_context(system_u:object_r:quota_nld_exec_t,s0)
+
/usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
/usr/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
/usr/sbin/quota_nld -- gen_context(system_u:object_r:quota_nld_exec_t,s0)
diff --git a/policy/modules/contrib/radius.fc b/policy/modules/contrib/radius.fc
index 663b804a..19ff8e93 100644
--- a/policy/modules/contrib/radius.fc
+++ b/policy/modules/contrib/radius.fc
@@ -6,6 +6,9 @@
/etc/raddb(/.*)? gen_context(system_u:object_r:radiusd_etc_t,s0)
/etc/raddb/db\.daily -- gen_context(system_u:object_r:radiusd_etc_rw_t,s0)
+/usr/bin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+/usr/bin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+
/usr/sbin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
/usr/sbin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
diff --git a/policy/modules/contrib/radvd.fc b/policy/modules/contrib/radvd.fc
index 350bb7e8..9765e456 100644
--- a/policy/modules/contrib/radvd.fc
+++ b/policy/modules/contrib/radvd.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/radvd -- gen_context(system_u:object_r:radvd_initrc_exec_t,s0)
+/usr/bin/radvd -- gen_context(system_u:object_r:radvd_exec_t,s0)
+
/usr/sbin/radvd -- gen_context(system_u:object_r:radvd_exec_t,s0)
/run/radvd(/.*)? gen_context(system_u:object_r:radvd_var_run_t,s0)
diff --git a/policy/modules/contrib/raid.fc b/policy/modules/contrib/raid.fc
index dc26d8d3..323a8865 100644
--- a/policy/modules/contrib/raid.fc
+++ b/policy/modules/contrib/raid.fc
@@ -3,6 +3,14 @@
/etc/rc\.d/init\.d/mdmonitor -- gen_context(system_u:object_r:mdadm_initrc_exec_t,s0)
+/usr/bin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+/usr/bin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+/usr/bin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+/usr/bin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+/usr/bin/mdmon -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+/usr/bin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+/usr/bin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+
# Systemd unit files
/usr/lib/systemd/system/[^/]*mdadm-.* -- gen_context(system_u:object_r:mdadm_unit_t,s0)
/usr/lib/systemd/system/[^/]*mdmon.* -- gen_context(system_u:object_r:mdadm_unit_t,s0)
diff --git a/policy/modules/contrib/rdisc.fc b/policy/modules/contrib/rdisc.fc
index 168de323..0c4d5b55 100644
--- a/policy/modules/contrib/rdisc.fc
+++ b/policy/modules/contrib/rdisc.fc
@@ -1 +1,3 @@
+/usr/bin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0)
+
/usr/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0)
diff --git a/policy/modules/contrib/readahead.fc b/policy/modules/contrib/readahead.fc
index 5932e207..823f5454 100644
--- a/policy/modules/contrib/readahead.fc
+++ b/policy/modules/contrib/readahead.fc
@@ -1,3 +1,5 @@
+/usr/bin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
+
/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
/var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0)
diff --git a/policy/modules/contrib/redis.fc b/policy/modules/contrib/redis.fc
index 2ea69aa9..74443abd 100644
--- a/policy/modules/contrib/redis.fc
+++ b/policy/modules/contrib/redis.fc
@@ -2,6 +2,8 @@
/etc/redis.*\.conf -- gen_context(system_u:object_r:redis_conf_t,s0)
+/usr/bin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0)
+
/usr/sbin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0)
/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0)
diff --git a/policy/modules/contrib/resmgr.fc b/policy/modules/contrib/resmgr.fc
index 138f76e2..c5b467dc 100644
--- a/policy/modules/contrib/resmgr.fc
+++ b/policy/modules/contrib/resmgr.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/resmgr -- gen_context(system_u:object_r:resmgrd_initrc_exec_t,s0)
+/usr/bin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0)
+
/usr/sbin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0)
/run/\.resmgr_socket -s gen_context(system_u:object_r:resmgrd_var_run_t,s0)
diff --git a/policy/modules/contrib/rgmanager.fc b/policy/modules/contrib/rgmanager.fc
index fd21f975..0e064444 100644
--- a/policy/modules/contrib/rgmanager.fc
+++ b/policy/modules/contrib/rgmanager.fc
@@ -1,9 +1,12 @@
/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
-/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/usr/bin/ccs_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/usr/bin/cman_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/usr/bin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
/usr/sbin/ccs_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
/usr/sbin/cman_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
diff --git a/policy/modules/contrib/rhcs.fc b/policy/modules/contrib/rhcs.fc
index ff20b9ce..90d0c0de 100644
--- a/policy/modules/contrib/rhcs.fc
+++ b/policy/modules/contrib/rhcs.fc
@@ -1,6 +1,15 @@
/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
+/usr/bin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
+/usr/bin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/bin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/bin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/bin/foghorn -- gen_context(system_u:object_r:foghorn_exec_t,s0)
+/usr/bin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
+/usr/bin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
+/usr/bin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
+
/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
diff --git a/policy/modules/contrib/ricci.fc b/policy/modules/contrib/ricci.fc
index 08d8abac..b7918a93 100644
--- a/policy/modules/contrib/ricci.fc
+++ b/policy/modules/contrib/ricci.fc
@@ -1,5 +1,8 @@
/etc/rc\.d/init\.d/ricci -- gen_context(system_u:object_r:ricci_initrc_exec_t,s0)
+/usr/bin/modclusterd -- gen_context(system_u:object_r:ricci_modclusterd_exec_t,s0)
+/usr/bin/ricci -- gen_context(system_u:object_r:ricci_exec_t,s0)
+
/usr/libexec/modcluster -- gen_context(system_u:object_r:ricci_modcluster_exec_t,s0)
/usr/libexec/ricci-modlog -- gen_context(system_u:object_r:ricci_modlog_exec_t,s0)
/usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0)
diff --git a/policy/modules/contrib/rlogin.fc b/policy/modules/contrib/rlogin.fc
index f1118772..00e7f3a5 100644
--- a/policy/modules/contrib/rlogin.fc
+++ b/policy/modules/contrib/rlogin.fc
@@ -3,6 +3,8 @@ HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0)
/usr/kerberos/sbin/klogind -- gen_context(system_u:object_r:rlogind_exec_t,s0)
+/usr/bin/in\.rlogind -- gen_context(system_u:object_r:rlogind_exec_t,s0)
+
/usr/lib/telnetlogin -- gen_context(system_u:object_r:rlogind_exec_t,s0)
/usr/sbin/in\.rlogind -- gen_context(system_u:object_r:rlogind_exec_t,s0)
diff --git a/policy/modules/contrib/rngd.fc b/policy/modules/contrib/rngd.fc
index 3bba53a8..c49ab4ac 100644
--- a/policy/modules/contrib/rngd.fc
+++ b/policy/modules/contrib/rngd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
+/usr/bin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)
+
/usr/sbin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)
/run/rngd\.pid -- gen_context(system_u:object_r:rngd_var_run_t,s0)
diff --git a/policy/modules/contrib/rpc.fc b/policy/modules/contrib/rpc.fc
index 9d6d5241..6674a53e 100644
--- a/policy/modules/contrib/rpc.fc
+++ b/policy/modules/contrib/rpc.fc
@@ -4,6 +4,15 @@
/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+/usr/bin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+/usr/bin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+/usr/bin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
+/usr/bin/rpc\.mountd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
+/usr/bin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
+/usr/bin/rpc\.rquotad -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+/usr/bin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
+/usr/bin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+
/usr/lib/systemd/system/nfs.*\.service -- gen_context(system_u:object_r:nfsd_unit_t,s0)
/usr/lib/systemd/system/rpc.*\.service -- gen_context(system_u:object_r:rpcd_unit_t,s0)
diff --git a/policy/modules/contrib/rpcbind.fc b/policy/modules/contrib/rpcbind.fc
index 35f6ae43..afba9b29 100644
--- a/policy/modules/contrib/rpcbind.fc
+++ b/policy/modules/contrib/rpcbind.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/rpcbind -- gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0)
+/usr/bin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
+
/usr/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
/var/cache/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
diff --git a/policy/modules/contrib/rpm.fc b/policy/modules/contrib/rpm.fc
index 71c90c7e..9faf3c42 100644
--- a/policy/modules/contrib/rpm.fc
+++ b/policy/modules/contrib/rpm.fc
@@ -1,12 +1,22 @@
/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0)
+/usr/bin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/debuginfo-install -- gen_context(system_u:object_r:debuginfo_exec_t,s0)
/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0)
# Systemd unit file
diff --git a/policy/modules/contrib/rshd.fc b/policy/modules/contrib/rshd.fc
index 9ad0d58d..b77f12dc 100644
--- a/policy/modules/contrib/rshd.fc
+++ b/policy/modules/contrib/rshd.fc
@@ -1,4 +1,7 @@
/usr/kerberos/sbin/kshd -- gen_context(system_u:object_r:rshd_exec_t,s0)
+/usr/bin/in\.rexecd -- gen_context(system_u:object_r:rshd_exec_t,s0)
+/usr/bin/in\.rshd -- gen_context(system_u:object_r:rshd_exec_t,s0)
+
/usr/sbin/in\.rexecd -- gen_context(system_u:object_r:rshd_exec_t,s0)
/usr/sbin/in\.rshd -- gen_context(system_u:object_r:rshd_exec_t,s0)
diff --git a/policy/modules/contrib/rwho.fc b/policy/modules/contrib/rwho.fc
index 5a630a99..fd5fdf71 100644
--- a/policy/modules/contrib/rwho.fc
+++ b/policy/modules/contrib/rwho.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/rwhod -- gen_context(system_u:object_r:rwho_initrc_exec_t,s0)
+/usr/bin/rwhod -- gen_context(system_u:object_r:rwho_exec_t,s0)
+
/usr/sbin/rwhod -- gen_context(system_u:object_r:rwho_exec_t,s0)
/var/spool/rwho(/.*)? gen_context(system_u:object_r:rwho_spool_t,s0)
diff --git a/policy/modules/contrib/samba.fc b/policy/modules/contrib/samba.fc
index 753a009c..e104d2ba 100644
--- a/policy/modules/contrib/samba.fc
+++ b/policy/modules/contrib/samba.fc
@@ -9,10 +9,14 @@
/etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0)
/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0)
+/usr/bin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0)
/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
+/usr/bin/smbd -- gen_context(system_u:object_r:smbd_exec_t,s0)
/usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0)
/usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0)
+/usr/bin/swat -- gen_context(system_u:object_r:swat_exec_t,s0)
+/usr/bin/winbindd -- gen_context(system_u:object_r:winbind_exec_t,s0)
/usr/lib/systemd/system/smb.*\.service -- gen_context(system_u:object_r:samba_unit_t,s0)
diff --git a/policy/modules/contrib/samhain.fc b/policy/modules/contrib/samhain.fc
index 39d915d9..76b448c8 100644
--- a/policy/modules/contrib/samhain.fc
+++ b/policy/modules/contrib/samhain.fc
@@ -2,6 +2,9 @@
/etc/samhainrc -- gen_context(system_u:object_r:samhain_etc_t,mls_systemhigh)
+/usr/bin/samhain -- gen_context(system_u:object_r:samhain_exec_t,s0)
+/usr/bin/samhain_setpwd -- gen_context(system_u:object_r:samhain_exec_t,s0)
+
/usr/sbin/samhain -- gen_context(system_u:object_r:samhain_exec_t,s0)
/usr/sbin/samhain_setpwd -- gen_context(system_u:object_r:samhain_exec_t,s0)
diff --git a/policy/modules/contrib/sanlock.fc b/policy/modules/contrib/sanlock.fc
index b8a7a0a2..6c6f3dec 100644
--- a/policy/modules/contrib/sanlock.fc
+++ b/policy/modules/contrib/sanlock.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/sanlock -- gen_context(system_u:object_r:sanlock_initrc_exec_t,s0)
+/usr/bin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0)
+
/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0)
/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0)
diff --git a/policy/modules/contrib/sasl.fc b/policy/modules/contrib/sasl.fc
index 1ec050a2..72551273 100644
--- a/policy/modules/contrib/sasl.fc
+++ b/policy/modules/contrib/sasl.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/sasl -- gen_context(system_u:object_r:saslauthd_initrc_exec_t,s0)
+/usr/bin/saslauthd -- gen_context(system_u:object_r:saslauthd_exec_t,s0)
+
/usr/sbin/saslauthd -- gen_context(system_u:object_r:saslauthd_exec_t,s0)
/var/lib/sasl2(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0)
diff --git a/policy/modules/contrib/sblim.fc b/policy/modules/contrib/sblim.fc
index 84fa5384..c2aed416 100644
--- a/policy/modules/contrib/sblim.fc
+++ b/policy/modules/contrib/sblim.fc
@@ -1,5 +1,8 @@
/etc/rc\.d/init\.d/gatherer -- gen_context(system_u:object_r:sblim_initrc_exec_t,s0)
+/usr/bin/gatherd -- gen_context(system_u:object_r:sblim_gatherd_exec_t,s0)
+/usr/bin/reposd -- gen_context(system_u:object_r:sblim_reposd_exec_t,s0)
+
/usr/sbin/gatherd -- gen_context(system_u:object_r:sblim_gatherd_exec_t,s0)
/usr/sbin/reposd -- gen_context(system_u:object_r:sblim_reposd_exec_t,s0)
diff --git a/policy/modules/contrib/sensord.fc b/policy/modules/contrib/sensord.fc
index bcd8a2ed..1216f4bf 100644
--- a/policy/modules/contrib/sensord.fc
+++ b/policy/modules/contrib/sensord.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/sensord -- gen_context(system_u:object_r:sensord_initrc_exec_t,s0)
+/usr/bin/sensord -- gen_context(system_u:object_r:sensord_exec_t,s0)
+
/usr/sbin/sensord -- gen_context(system_u:object_r:sensord_exec_t,s0)
/run/sensord\.pid -- gen_context(system_u:object_r:sensord_var_run_t,s0)
diff --git a/policy/modules/contrib/setroubleshoot.fc b/policy/modules/contrib/setroubleshoot.fc
index 8c66d707..096fd47c 100644
--- a/policy/modules/contrib/setroubleshoot.fc
+++ b/policy/modules/contrib/setroubleshoot.fc
@@ -1,3 +1,5 @@
+/usr/bin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0)
+
/usr/sbin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0)
/usr/share/setroubleshoot/SetroubleshootFixit\.py -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
diff --git a/policy/modules/contrib/shibboleth.fc b/policy/modules/contrib/shibboleth.fc
index 0e05da75..fc32f7c9 100644
--- a/policy/modules/contrib/shibboleth.fc
+++ b/policy/modules/contrib/shibboleth.fc
@@ -1,5 +1,7 @@
/etc/shibboleth(/.*)? gen_context(system_u:object_r:shibboleth_etc_t,s0)
+/usr/bin/shibd -- gen_context(system_u:object_r:shibboleth_exec_t,s0)
+
/usr/sbin/shibd -- gen_context(system_u:object_r:shibboleth_exec_t,s0)
/var/log/shibboleth(/.*)? gen_context(system_u:object_r:shibboleth_log_t,s0)
diff --git a/policy/modules/contrib/shorewall.fc b/policy/modules/contrib/shorewall.fc
index e92567aa..aae46ecb 100644
--- a/policy/modules/contrib/shorewall.fc
+++ b/policy/modules/contrib/shorewall.fc
@@ -3,6 +3,9 @@
/etc/shorewall(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
/etc/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
+/usr/bin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0)
+/usr/bin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0)
+
/usr/sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0)
/usr/sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0)
diff --git a/policy/modules/contrib/shutdown.fc b/policy/modules/contrib/shutdown.fc
index e6730a03..03a2230c 100644
--- a/policy/modules/contrib/shutdown.fc
+++ b/policy/modules/contrib/shutdown.fc
@@ -1,5 +1,7 @@
/etc/nologin -- gen_context(system_u:object_r:shutdown_etc_t,s0)
+/usr/bin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+
/usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
/usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
diff --git a/policy/modules/contrib/slpd.fc b/policy/modules/contrib/slpd.fc
index be0072b4..77ff516b 100644
--- a/policy/modules/contrib/slpd.fc
+++ b/policy/modules/contrib/slpd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/slpd -- gen_context(system_u:object_r:slpd_initrc_exec_t,s0)
+/usr/bin/slpd -- gen_context(system_u:object_r:slpd_exec_t,s0)
+
/usr/sbin/slpd -- gen_context(system_u:object_r:slpd_exec_t,s0)
/var/log/slpd\.log.* -- gen_context(system_u:object_r:slpd_log_t,s0)
diff --git a/policy/modules/contrib/smartmon.fc b/policy/modules/contrib/smartmon.fc
index 92988a26..daff956c 100644
--- a/policy/modules/contrib/smartmon.fc
+++ b/policy/modules/contrib/smartmon.fc
@@ -1,6 +1,8 @@
/etc/rc\.d/init\.d/smartd -- gen_context(system_u:object_r:fsdaemon_initrc_exec_t,s0)
/etc/rc\.d/init\.d/smartmontools -- gen_context(system_u:object_r:fsdaemon_initrc_exec_t,s0)
+/usr/bin/smartd -- gen_context(system_u:object_r:fsdaemon_exec_t,s0)
+
/usr/sbin/smartd -- gen_context(system_u:object_r:fsdaemon_exec_t,s0)
/run/smartd\.pid -- gen_context(system_u:object_r:fsdaemon_var_run_t,s0)
diff --git a/policy/modules/contrib/smokeping.fc b/policy/modules/contrib/smokeping.fc
index e92613ff..c75825e8 100644
--- a/policy/modules/contrib/smokeping.fc
+++ b/policy/modules/contrib/smokeping.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/smokeping -- gen_context(system_u:object_r:smokeping_initrc_exec_t,s0)
+/usr/bin/smokeping -- gen_context(system_u:object_r:smokeping_exec_t,s0)
+
/usr/sbin/smokeping -- gen_context(system_u:object_r:smokeping_exec_t,s0)
/usr/share/smokeping/cgi(/.*)? gen_context(system_u:object_r:httpd_smokeping_cgi_script_exec_t,s0)
diff --git a/policy/modules/contrib/smstools.fc b/policy/modules/contrib/smstools.fc
index d77f5b5f..12a58511 100644
--- a/policy/modules/contrib/smstools.fc
+++ b/policy/modules/contrib/smstools.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/(smsd|smstools) -- gen_context(system_u:object_r:smsd_initrc_exec_t,s0)
+/usr/bin/smsd -- gen_context(system_u:object_r:smsd_exec_t,s0)
+
/usr/sbin/smsd -- gen_context(system_u:object_r:smsd_exec_t,s0)
/var/lib/smstools(/.*)? gen_context(system_u:object_r:smsd_var_lib_t,s0)
diff --git a/policy/modules/contrib/snmp.fc b/policy/modules/contrib/snmp.fc
index c3d5ed71..8974ac9d 100644
--- a/policy/modules/contrib/snmp.fc
+++ b/policy/modules/contrib/snmp.fc
@@ -1,5 +1,9 @@
/etc/rc\.d/init\.d/(snmpd|snmptrapd) -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0)
+/usr/bin/snmpd -- gen_context(system_u:object_r:snmpd_exec_t,s0)
+/usr/bin/snmptrap -- gen_context(system_u:object_r:snmpd_exec_t,s0)
+/usr/bin/snmptrapd -- gen_context(system_u:object_r:snmpd_exec_t,s0)
+
/usr/sbin/snmpd -- gen_context(system_u:object_r:snmpd_exec_t,s0)
/usr/sbin/snmptrap -- gen_context(system_u:object_r:snmpd_exec_t,s0)
/usr/sbin/snmptrapd -- gen_context(system_u:object_r:snmpd_exec_t,s0)
diff --git a/policy/modules/contrib/snort.fc b/policy/modules/contrib/snort.fc
index 1e2faf00..97797bd6 100644
--- a/policy/modules/contrib/snort.fc
+++ b/policy/modules/contrib/snort.fc
@@ -2,9 +2,10 @@
/etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0)
-/usr/bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
-/usr/sbin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
+/usr/bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
+/usr/bin/snort-plain -- gen_context(system_u:object_r:snort_exec_t,s0)
+/usr/sbin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
/usr/sbin/snort-plain -- gen_context(system_u:object_r:snort_exec_t,s0)
/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0)
diff --git a/policy/modules/contrib/sosreport.fc b/policy/modules/contrib/sosreport.fc
index 704e2dab..d445530f 100644
--- a/policy/modules/contrib/sosreport.fc
+++ b/policy/modules/contrib/sosreport.fc
@@ -1,3 +1,5 @@
+/usr/bin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0)
+
/usr/sbin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0)
/\.ismount-test-file -- gen_context(system_u:object_r:sosreport_tmp_t,s0)
diff --git a/policy/modules/contrib/soundserver.fc b/policy/modules/contrib/soundserver.fc
index 038f0315..d1880f66 100644
--- a/policy/modules/contrib/soundserver.fc
+++ b/policy/modules/contrib/soundserver.fc
@@ -5,6 +5,7 @@
/usr/bin/nasd -- gen_context(system_u:object_r:soundd_exec_t,s0)
/usr/bin/gpe-soundserver -- gen_context(system_u:object_r:soundd_exec_t,s0)
+/usr/bin/yiff -- gen_context(system_u:object_r:soundd_exec_t,s0)
/usr/sbin/yiff -- gen_context(system_u:object_r:soundd_exec_t,s0)
diff --git a/policy/modules/contrib/spamassassin.fc b/policy/modules/contrib/spamassassin.fc
index 58dce766..bc2dbadf 100644
--- a/policy/modules/contrib/spamassassin.fc
+++ b/policy/modules/contrib/spamassassin.fc
@@ -5,16 +5,17 @@ HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0)
/etc/rc\.d/init\.d/spampd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
+/usr/bin/mimedefang -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0)
/usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0)
/usr/bin/spamassassin -- gen_context(system_u:object_r:spamc_exec_t,s0)
/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0)
/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/spampd -- gen_context(system_u:object_r:spamd_exec_t,s0)
/usr/bin/sa-update -- gen_context(system_u:object_r:spamd_update_exec_t,s0)
/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
/usr/sbin/spampd -- gen_context(system_u:object_r:spamd_exec_t,s0)
-/usr/bin/mimedefang -- gen_context(system_u:object_r:spamd_exec_t,s0)
-/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0)
/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
/var/lib/spamassassin/compiled(/.*)? gen_context(system_u:object_r:spamd_compiled_t,s0)
diff --git a/policy/modules/contrib/speedtouch.fc b/policy/modules/contrib/speedtouch.fc
index 0caf3cc0..48fe2da3 100644
--- a/policy/modules/contrib/speedtouch.fc
+++ b/policy/modules/contrib/speedtouch.fc
@@ -1,3 +1,5 @@
+/usr/bin/speedmgmt -- gen_context(system_u:object_r:speedmgmt_exec_t,s0)
+
/usr/sbin/speedmgmt -- gen_context(system_u:object_r:speedmgmt_exec_t,s0)
/run/speedmgmt\.pid -- gen_context(system_u:object_r:speedmgmt_var_run_t,s0)
diff --git a/policy/modules/contrib/squid.fc b/policy/modules/contrib/squid.fc
index 7051c3e1..4d838b27 100644
--- a/policy/modules/contrib/squid.fc
+++ b/policy/modules/contrib/squid.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0)
+/usr/bin/squid.* -- gen_context(system_u:object_r:squid_exec_t,s0)
+
/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
/usr/sbin/squid.* -- gen_context(system_u:object_r:squid_exec_t,s0)
diff --git a/policy/modules/contrib/sssd.fc b/policy/modules/contrib/sssd.fc
index 6ff3e253..ef8a215b 100644
--- a/policy/modules/contrib/sssd.fc
+++ b/policy/modules/contrib/sssd.fc
@@ -2,6 +2,8 @@
/etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0)
+/usr/bin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
+
/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
diff --git a/policy/modules/contrib/sxid.fc b/policy/modules/contrib/sxid.fc
index 95299487..92d3ff1a 100644
--- a/policy/modules/contrib/sxid.fc
+++ b/policy/modules/contrib/sxid.fc
@@ -1,3 +1,4 @@
+/usr/bin/checksecurity\.se -- gen_context(system_u:object_r:sxid_exec_t,s0)
/usr/bin/sxid -- gen_context(system_u:object_r:sxid_exec_t,s0)
/usr/sbin/checksecurity\.se -- gen_context(system_u:object_r:sxid_exec_t,s0)
diff --git a/policy/modules/contrib/tboot.fc b/policy/modules/contrib/tboot.fc
index 437e1d5d..8c3e66c4 100644
--- a/policy/modules/contrib/tboot.fc
+++ b/policy/modules/contrib/tboot.fc
@@ -1 +1,3 @@
+/usr/bin/txt-stat -- gen_context(system_u:object_r:txtstat_exec_t,s0)
+
/usr/sbin/txt-stat -- gen_context(system_u:object_r:txtstat_exec_t,s0)
diff --git a/policy/modules/contrib/tcpd.fc b/policy/modules/contrib/tcpd.fc
index 034ec7f6..57fe2bf1 100644
--- a/policy/modules/contrib/tcpd.fc
+++ b/policy/modules/contrib/tcpd.fc
@@ -1 +1,3 @@
+/usr/bin/tcpd -- gen_context(system_u:object_r:tcpd_exec_t,s0)
+
/usr/sbin/tcpd -- gen_context(system_u:object_r:tcpd_exec_t,s0)
diff --git a/policy/modules/contrib/tcsd.fc b/policy/modules/contrib/tcsd.fc
index 0e086e71..d6980334 100644
--- a/policy/modules/contrib/tcsd.fc
+++ b/policy/modules/contrib/tcsd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/(tcsd|trousers) -- gen_context(system_u:object_r:tcsd_initrc_exec_t,s0)
+/usr/bin/tcsd -- gen_context(system_u:object_r:tcsd_exec_t,s0)
+
# Systemd unit file
/usr/lib/systemd/system/[^/]*tcsd.* -- gen_context(system_u:object_r:tcsd_unit_t,s0)
diff --git a/policy/modules/contrib/telnet.fc b/policy/modules/contrib/telnet.fc
index 3d7d07aa..05d4726c 100644
--- a/policy/modules/contrib/telnet.fc
+++ b/policy/modules/contrib/telnet.fc
@@ -1,3 +1,5 @@
+/usr/bin/in\.telnetd -- gen_context(system_u:object_r:telnetd_exec_t,s0)
+
/usr/sbin/in\.telnetd -- gen_context(system_u:object_r:telnetd_exec_t,s0)
/usr/kerberos/sbin/telnetd -- gen_context(system_u:object_r:telnetd_exec_t,s0)
diff --git a/policy/modules/contrib/tftp.fc b/policy/modules/contrib/tftp.fc
index fb0b982d..dbd7f2a8 100644
--- a/policy/modules/contrib/tftp.fc
+++ b/policy/modules/contrib/tftp.fc
@@ -1,5 +1,7 @@
/etc/(x)?inetd\.d/tftp -- gen_context(system_u:object_r:tftpd_conf_t,s0)
+/usr/bin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
+/usr/bin/in\.tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
/usr/bin/tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
/usr/sbin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
diff --git a/policy/modules/contrib/tgtd.fc b/policy/modules/contrib/tgtd.fc
index be16a4c0..1989d090 100644
--- a/policy/modules/contrib/tgtd.fc
+++ b/policy/modules/contrib/tgtd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0)
+/usr/bin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0)
+
/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0)
/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0)
diff --git a/policy/modules/contrib/tmpreaper.fc b/policy/modules/contrib/tmpreaper.fc
index d19a6cf0..f4ce55e1 100644
--- a/policy/modules/contrib/tmpreaper.fc
+++ b/policy/modules/contrib/tmpreaper.fc
@@ -1,5 +1,8 @@
/etc/rc\.d/init\.d/mountall-bootclean\.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
/etc/rc\.d/init\.d/mountnfs-bootclean\.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+/usr/bin/tmpreaper -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+/usr/bin/tmpwatch -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+
/usr/sbin/tmpreaper -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
/usr/sbin/tmpwatch -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
diff --git a/policy/modules/contrib/transproxy.fc b/policy/modules/contrib/transproxy.fc
index c4aa885e..ce0eb7d6 100644
--- a/policy/modules/contrib/transproxy.fc
+++ b/policy/modules/contrib/transproxy.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/transproxy -- gen_context(system_u:object_r:transproxy_initrc_exec_t,s0)
+/usr/bin/tproxy -- gen_context(system_u:object_r:transproxy_exec_t,s0)
+
/usr/sbin/tproxy -- gen_context(system_u:object_r:transproxy_exec_t,s0)
/run/tproxy\.pid -- gen_context(system_u:object_r:transproxy_var_run_t,s0)
diff --git a/policy/modules/contrib/tripwire.fc b/policy/modules/contrib/tripwire.fc
index a27298be..77b259a4 100644
--- a/policy/modules/contrib/tripwire.fc
+++ b/policy/modules/contrib/tripwire.fc
@@ -1,5 +1,10 @@
/etc/tripwire(/.*)? gen_context(system_u:object_r:tripwire_etc_t,s0)
+/usr/bin/siggen -- gen_context(system_u:object_r:siggen_exec_t,s0)
+/usr/bin/tripwire -- gen_context(system_u:object_r:tripwire_exec_t,s0)
+/usr/bin/twadmin -- gen_context(system_u:object_r:twadmin_exec_t,s0)
+/usr/bin/twprint -- gen_context(system_u:object_r:twprint_exec_t,s0)
+
/usr/sbin/siggen -- gen_context(system_u:object_r:siggen_exec_t,s0)
/usr/sbin/tripwire -- gen_context(system_u:object_r:tripwire_exec_t,s0)
/usr/sbin/twadmin -- gen_context(system_u:object_r:twadmin_exec_t,s0)
diff --git a/policy/modules/contrib/tuned.fc b/policy/modules/contrib/tuned.fc
index d22fde30..21ea1295 100644
--- a/policy/modules/contrib/tuned.fc
+++ b/policy/modules/contrib/tuned.fc
@@ -3,6 +3,8 @@
/etc/tuned(/.*)? gen_context(system_u:object_r:tuned_etc_t,s0)
/etc/tuned/active_profile -- gen_context(system_u:object_r:tuned_rw_etc_t,s0)
+/usr/bin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0)
+
/usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0)
/var/log/tuned(/.*)? gen_context(system_u:object_r:tuned_log_t,s0)
diff --git a/policy/modules/contrib/tzdata.fc b/policy/modules/contrib/tzdata.fc
index 04b85488..c8448c68 100644
--- a/policy/modules/contrib/tzdata.fc
+++ b/policy/modules/contrib/tzdata.fc
@@ -1 +1,3 @@
+/usr/bin/tzdata-update -- gen_context(system_u:object_r:tzdata_exec_t,s0)
+
/usr/sbin/tzdata-update -- gen_context(system_u:object_r:tzdata_exec_t,s0)
diff --git a/policy/modules/contrib/ulogd.fc b/policy/modules/contrib/ulogd.fc
index d5f8ac0b..ca27a1d2 100644
--- a/policy/modules/contrib/ulogd.fc
+++ b/policy/modules/contrib/ulogd.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/ulogd -- gen_context(system_u:object_r:ulogd_initrc_exec_t,s0)
+/usr/bin/ulogd -- gen_context(system_u:object_r:ulogd_exec_t,s0)
+
/usr/lib/ulogd(/.*)? gen_context(system_u:object_r:ulogd_modules_t,s0)
/usr/sbin/ulogd -- gen_context(system_u:object_r:ulogd_exec_t,s0)
diff --git a/policy/modules/contrib/updfstab.fc b/policy/modules/contrib/updfstab.fc
index b62ab19e..27ac178d 100644
--- a/policy/modules/contrib/updfstab.fc
+++ b/policy/modules/contrib/updfstab.fc
@@ -1,2 +1,5 @@
+/usr/bin/fstab-sync -- gen_context(system_u:object_r:updfstab_exec_t,s0)
+/usr/bin/updfstab -- gen_context(system_u:object_r:updfstab_exec_t,s0)
+
/usr/sbin/fstab-sync -- gen_context(system_u:object_r:updfstab_exec_t,s0)
/usr/sbin/updfstab -- gen_context(system_u:object_r:updfstab_exec_t,s0)
diff --git a/policy/modules/contrib/uptime.fc b/policy/modules/contrib/uptime.fc
index d15608f6..535dda0b 100644
--- a/policy/modules/contrib/uptime.fc
+++ b/policy/modules/contrib/uptime.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/uptimed -- gen_context(system_u:object_r:uptimed_initrc_exec_t,s0)
+/usr/bin/uptimed -- gen_context(system_u:object_r:uptimed_exec_t,s0)
+
/usr/sbin/uptimed -- gen_context(system_u:object_r:uptimed_exec_t,s0)
/run/uptimed\.pid -- gen_context(system_u:object_r:uptimed_var_run_t,s0)
diff --git a/policy/modules/contrib/usbmodules.fc b/policy/modules/contrib/usbmodules.fc
index 66604b50..72188740 100644
--- a/policy/modules/contrib/usbmodules.fc
+++ b/policy/modules/contrib/usbmodules.fc
@@ -1 +1,3 @@
+/usr/bin/usbmodules -- gen_context(system_u:object_r:usbmodules_exec_t,s0)
+
/usr/sbin/usbmodules -- gen_context(system_u:object_r:usbmodules_exec_t,s0)
diff --git a/policy/modules/contrib/usbmuxd.fc b/policy/modules/contrib/usbmuxd.fc
index 413eef4b..dd949dde 100644
--- a/policy/modules/contrib/usbmuxd.fc
+++ b/policy/modules/contrib/usbmuxd.fc
@@ -1,3 +1,5 @@
+/usr/bin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0)
+
/usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0)
/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
diff --git a/policy/modules/contrib/userhelper.fc b/policy/modules/contrib/userhelper.fc
index 9fe12582..6a2cd2f0 100644
--- a/policy/modules/contrib/userhelper.fc
+++ b/policy/modules/contrib/userhelper.fc
@@ -1,5 +1,6 @@
/etc/security/console\.apps(/.*)? gen_context(system_u:object_r:userhelper_conf_t,s0)
/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0)
+/usr/bin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
diff --git a/policy/modules/contrib/usernetctl.fc b/policy/modules/contrib/usernetctl.fc
index ddaf787d..72f38b1b 100644
--- a/policy/modules/contrib/usernetctl.fc
+++ b/policy/modules/contrib/usernetctl.fc
@@ -1 +1,3 @@
+/usr/bin/usernetctl -- gen_context(system_u:object_r:usernetctl_exec_t,s0)
+
/usr/sbin/usernetctl -- gen_context(system_u:object_r:usernetctl_exec_t,s0)
diff --git a/policy/modules/contrib/uucp.fc b/policy/modules/contrib/uucp.fc
index ec159fe5..21b5d723 100644
--- a/policy/modules/contrib/uucp.fc
+++ b/policy/modules/contrib/uucp.fc
@@ -1,6 +1,7 @@
/etc/rc\.d/init\.d/uucp -- gen_context(system_u:object_r:uucpd_initrc_exec_t,s0)
/usr/bin/uux -- gen_context(system_u:object_r:uux_exec_t,s0)
+/usr/bin/uucico -- gen_context(system_u:object_r:uucpd_exec_t,s0)
/usr/sbin/uucico -- gen_context(system_u:object_r:uucpd_exec_t,s0)
diff --git a/policy/modules/contrib/uuidd.fc b/policy/modules/contrib/uuidd.fc
index 03f98e30..d0a8520d 100644
--- a/policy/modules/contrib/uuidd.fc
+++ b/policy/modules/contrib/uuidd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/uuidd -- gen_context(system_u:object_r:uuidd_initrc_exec_t,s0)
+/usr/bin/uuidd -- gen_context(system_u:object_r:uuidd_exec_t,s0)
+
/usr/sbin/uuidd -- gen_context(system_u:object_r:uuidd_exec_t,s0)
/var/lib/libuuid(/.*)? gen_context(system_u:object_r:uuidd_var_lib_t,s0)
diff --git a/policy/modules/contrib/varnishd.fc b/policy/modules/contrib/varnishd.fc
index e93b95c3..5d3f0915 100644
--- a/policy/modules/contrib/varnishd.fc
+++ b/policy/modules/contrib/varnishd.fc
@@ -4,6 +4,7 @@
/etc/varnish(/.*)? gen_context(system_u:object_r:varnishd_etc_t,s0)
+/usr/bin/varnishd -- gen_context(system_u:object_r:varnishd_exec_t,s0)
/usr/bin/varnishlog -- gen_context(system_u:object_r:varnishlog_exec_t,s0)
/usr/bin/varnishncsa -- gen_context(system_u:object_r:varnishlog_exec_t,s0)
diff --git a/policy/modules/contrib/vbetool.fc b/policy/modules/contrib/vbetool.fc
index d00970f1..af6c0e38 100644
--- a/policy/modules/contrib/vbetool.fc
+++ b/policy/modules/contrib/vbetool.fc
@@ -1 +1,3 @@
+/usr/bin/vbetool -- gen_context(system_u:object_r:vbetool_exec_t,s0)
+
/usr/sbin/vbetool -- gen_context(system_u:object_r:vbetool_exec_t,s0)
diff --git a/policy/modules/contrib/vdagent.fc b/policy/modules/contrib/vdagent.fc
index e03441a3..13aecb58 100644
--- a/policy/modules/contrib/vdagent.fc
+++ b/policy/modules/contrib/vdagent.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/spice-vdagentd -- gen_context(system_u:object_r:vdagentd_initrc_exec_t,s0)
+/usr/bin/spice-vdagentd -- gen_context(system_u:object_r:vdagent_exec_t,s0)
+
/usr/sbin/spice-vdagentd -- gen_context(system_u:object_r:vdagent_exec_t,s0)
/var/log/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_log_t,s0)
diff --git a/policy/modules/contrib/vhostmd.fc b/policy/modules/contrib/vhostmd.fc
index 83e6b4d4..ded76282 100644
--- a/policy/modules/contrib/vhostmd.fc
+++ b/policy/modules/contrib/vhostmd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/vhostmd -- gen_context(system_u:object_r:vhostmd_initrc_exec_t,s0)
+/usr/bin/vhostmd -- gen_context(system_u:object_r:vhostmd_exec_t,s0)
+
/usr/sbin/vhostmd -- gen_context(system_u:object_r:vhostmd_exec_t,s0)
/run/vhostmd.* gen_context(system_u:object_r:vhostmd_var_run_t,s0)
diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index 22c1ed70..b1f9b1c8 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -24,7 +24,12 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/usr/libexec/qemu-bridge-helper gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)
/usr/libexec/libvirt_leaseshelper -- gen_context(system_u:object_r:virt_leaseshelper_exec_t,s0)
-/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
+/usr/bin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/fence_virtd -- gen_context(system_u:object_r:virsh_exec_t,s0)
+/usr/bin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
+/usr/bin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
+/usr/bin/virtlockd -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
/usr/bin/virt-sandbox-service.* -- gen_context(system_u:object_r:virsh_exec_t,s0)
/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)
diff --git a/policy/modules/contrib/vlock.fc b/policy/modules/contrib/vlock.fc
index f84b61a5..f668cde9 100644
--- a/policy/modules/contrib/vlock.fc
+++ b/policy/modules/contrib/vlock.fc
@@ -1,3 +1,4 @@
-/usr/bin/vlock -- gen_context(system_u:object_r:vlock_exec_t,s0)
+/usr/bin/vlock -- gen_context(system_u:object_r:vlock_exec_t,s0)
+/usr/bin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0)
/usr/sbin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0)
diff --git a/policy/modules/contrib/vmware.fc b/policy/modules/contrib/vmware.fc
index ea5a13b5..b1557721 100644
--- a/policy/modules/contrib/vmware.fc
+++ b/policy/modules/contrib/vmware.fc
@@ -9,9 +9,11 @@ HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:vmware_file_t,s0)
/usr/bin/vmnet-natd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmnet-netifup -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmnet-sniffer -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-guest.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-network -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-ping -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/bin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0)
/usr/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
diff --git a/policy/modules/contrib/vnstatd.fc b/policy/modules/contrib/vnstatd.fc
index 400d7f76..c3e1ad90 100644
--- a/policy/modules/contrib/vnstatd.fc
+++ b/policy/modules/contrib/vnstatd.fc
@@ -3,6 +3,7 @@
/run/vnstat.* gen_context(system_u:object_r:vnstatd_pid_t,s0)
/usr/bin/vnstat -- gen_context(system_u:object_r:vnstat_exec_t,s0)
+/usr/bin/vnstatd -- gen_context(system_u:object_r:vnstatd_exec_t,s0)
/usr/lib/systemd/system/vnstat\.service -- gen_context(system_u:object_r:vnstatd_unit_t,s0)
diff --git a/policy/modules/contrib/vpn.fc b/policy/modules/contrib/vpn.fc
index 1cd43c66..3e40c477 100644
--- a/policy/modules/contrib/vpn.fc
+++ b/policy/modules/contrib/vpn.fc
@@ -1,4 +1,5 @@
/usr/bin/openconnect -- gen_context(system_u:object_r:vpnc_exec_t,s0)
+/usr/bin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
/usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
diff --git a/policy/modules/contrib/watchdog.fc b/policy/modules/contrib/watchdog.fc
index 093ebc6d..1e4f1158 100644
--- a/policy/modules/contrib/watchdog.fc
+++ b/policy/modules/contrib/watchdog.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/watchdog -- gen_context(system_u:object_r:watchdog_initrc_exec_t,s0)
+/usr/bin/watchdog -- gen_context(system_u:object_r:watchdog_exec_t,s0)
+
/usr/sbin/watchdog -- gen_context(system_u:object_r:watchdog_exec_t,s0)
/var/log/watchdog.* gen_context(system_u:object_r:watchdog_log_t,s0)
diff --git a/policy/modules/contrib/wdmd.fc b/policy/modules/contrib/wdmd.fc
index b0fbf65a..849f93cc 100644
--- a/policy/modules/contrib/wdmd.fc
+++ b/policy/modules/contrib/wdmd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/wdmd -- gen_context(system_u:object_r:wdmd_initrc_exec_t,s0)
+/usr/bin/wdmd -- gen_context(system_u:object_r:wdmd_exec_t,s0)
+
/usr/sbin/wdmd -- gen_context(system_u:object_r:wdmd_exec_t,s0)
/run/wdmd(/.*)? gen_context(system_u:object_r:wdmd_var_run_t,s0)
diff --git a/policy/modules/contrib/xen.fc b/policy/modules/contrib/xen.fc
index be0374df..ac5439f9 100644
--- a/policy/modules/contrib/xen.fc
+++ b/policy/modules/contrib/xen.fc
@@ -7,6 +7,15 @@
/usr/lib/xen-[^/]*/bin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
/usr/lib/xen-[^/]*/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
+/usr/bin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0)
+/usr/bin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0)
+/usr/bin/tapdisk -- gen_context(system_u:object_r:blktap_exec_t,s0)
+/usr/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
+/usr/bin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
+/usr/bin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
+/usr/bin/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
+/usr/bin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
+
/usr/sbin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0)
/usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0)
/usr/sbin/tapdisk -- gen_context(system_u:object_r:blktap_exec_t,s0)
diff --git a/policy/modules/contrib/zabbix.fc b/policy/modules/contrib/zabbix.fc
index 4c9f1409..076e8544 100644
--- a/policy/modules/contrib/zabbix.fc
+++ b/policy/modules/contrib/zabbix.fc
@@ -1,11 +1,14 @@
/etc/rc\.d/init\.d/(zabbix|zabbix-server) -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
/etc/rc\.d/init\.d/zabbix-agentd -- gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0)
-/usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
/usr/bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
+/usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/bin/zabbix_server_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/bin/zabbix_server_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/bin/zabbix_server_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0)
-/usr/sbin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
/usr/sbin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
+/usr/sbin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
/usr/sbin/zabbix_server_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
/usr/sbin/zabbix_server_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
/usr/sbin/zabbix_server_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0)
diff --git a/policy/modules/contrib/zebra.fc b/policy/modules/contrib/zebra.fc
index 0c173382..3ded81f8 100644
--- a/policy/modules/contrib/zebra.fc
+++ b/policy/modules/contrib/zebra.fc
@@ -8,6 +8,11 @@
/etc/rc\.d/init\.d/ripngd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
/etc/rc\.d/init\.d/zebra -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/usr/bin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/bin/ospf.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/bin/rip.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/bin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0)
+
/usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0)
/usr/sbin/ospf.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
/usr/sbin/rip.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
diff --git a/policy/modules/contrib/zosremote.fc b/policy/modules/contrib/zosremote.fc
index adfd4a21..ca923534 100644
--- a/policy/modules/contrib/zosremote.fc
+++ b/policy/modules/contrib/zosremote.fc
@@ -1 +1,3 @@
+/usr/bin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0)
+
/usr/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-05-07 17:47 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-05-07 17:47 UTC (permalink / raw
To: gentoo-commits
commit: b082a2690d496136e825b47bb7c0d82607b6e393
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun May 7 13:42:53 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May 7 17:40:29 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b082a269
dirmngr: fcontext for ~/.gnupg/crls.d/
policy/modules/contrib/dirmngr.fc | 2 ++
policy/modules/contrib/dirmngr.te | 7 +++++++
policy/modules/contrib/gpg.if | 20 ++++++++++++++++++++
3 files changed, 29 insertions(+)
diff --git a/policy/modules/contrib/dirmngr.fc b/policy/modules/contrib/dirmngr.fc
index a9cf15a8..60f19f47 100644
--- a/policy/modules/contrib/dirmngr.fc
+++ b/policy/modules/contrib/dirmngr.fc
@@ -1,3 +1,5 @@
+HOME_DIR/\.gnupg/crls\.d(/.+)? gen_context(system_u:object_r:dirmngr_home_t,s0)
+
/etc/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_conf_t,s0)
/etc/rc\.d/init\.d/dirmngr -- gen_context(system_u:object_r:dirmngr_initrc_exec_t,s0)
diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te
index 8e4a1a89..17cce56a 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -27,6 +27,9 @@ files_type(dirmngr_var_lib_t)
type dirmngr_var_run_t;
files_pid_file(dirmngr_var_run_t)
+type dirmngr_home_t;
+userdom_user_home_content(dirmngr_home_t)
+
########################################
#
# Local policy
@@ -37,6 +40,8 @@ allow dirmngr_t self:fifo_file rw_file_perms;
allow dirmngr_t dirmngr_conf_t:dir list_dir_perms;
allow dirmngr_t dirmngr_conf_t:file read_file_perms;
allow dirmngr_t dirmngr_conf_t:lnk_file read_lnk_file_perms;
+allow dirmngr_t dirmngr_home_t:dir list_dir_perms;
+allow dirmngr_t dirmngr_home_t:file read_file_perms;
manage_dirs_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
append_files_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
@@ -61,6 +66,7 @@ kernel_read_crypto_sysctls(dirmngr_t)
files_read_etc_files(dirmngr_t)
miscfiles_read_localization(dirmngr_t)
+miscfiles_read_generic_certs(dirmngr_t)
userdom_search_user_home_dirs(dirmngr_t)
userdom_search_user_runtime(dirmngr_t)
@@ -68,4 +74,5 @@ userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
optional_policy(`
gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
+ gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)
')
diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
index 4480f9c6..e5a12750 100644
--- a/policy/modules/contrib/gpg.if
+++ b/policy/modules/contrib/gpg.if
@@ -254,6 +254,26 @@ interface(`gpg_agent_tmp_filetrans',`
########################################
## <summary>
+## filetrans in gpg_secret_t dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_secret_filetrans',`
+ gen_require(`
+ type gpg_secret_t;
+ ')
+
+ filetrans_pattern($1, gpg_secret_t, $2, $3, $4)
+ allow $1 gpg_secret_t:dir search_dir_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
## Send messages to and from gpg
## pinentry over DBUS.
## </summary>
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-05-07 17:47 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-05-07 17:47 UTC (permalink / raw
To: gentoo-commits
commit: 1eec4f19a444a8bc6e8387f83318139d7182a6b0
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Aug 13 16:37:55 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May 7 17:40:30 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1eec4f19
virt: kernel_read_system_state
policy/modules/contrib/virt.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index b30765c8..fb3c3f37 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
+kernel_read_system_state(virtlockd_t)
+
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
@@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
can_exec(virtlogd_t, virtlogd_exec_t)
+kernel_read_system_state(virtlogd_t)
+
files_read_etc_files(virtlogd_t)
files_list_var_lib(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-05-07 17:47 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-05-07 17:47 UTC (permalink / raw
To: gentoo-commits
commit: 5dbc2a2a3beff47187df1b133efc77ef75f597c4
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu May 12 16:49:07 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May 7 17:40:29 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5dbc2a2a
virt: add policy for virtlogd
policy/modules/contrib/virt.fc | 1 +
policy/modules/contrib/virt.te | 42 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 43 insertions(+)
diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index b1f9b1c8..46839588 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -37,6 +37,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)
/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 4fb34894..63fef29b 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
type virtlockd_var_lib_t;
files_type(virtlockd_var_lib_t)
+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh)
')
ifdef(`enable_mls',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh)
')
########################################
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
allow virt_domain virtd_t:process sigchld;
+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
dontaudit virt_domain virtd_t:unix_stream_socket { read write };
manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
@@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto };
allow virtd_t svirt_lxc_domain:process signal_perms;
+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
allow virtd_t virtd_lxc_t:process { signal signull sigkill };
domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
@@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
can_exec(virtd_t, virt_tmp_t)
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t)
virt_append_log(virtlockd_t)
virt_read_config(virtlockd_t)
+
+########################################
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+virt_manage_log(virtlogd_t)
+virt_read_config(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-05-07 17:47 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-05-07 17:47 UTC (permalink / raw
To: gentoo-commits
commit: a1662dfe50303bf9e7e268f20bb835bb54576de8
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 27 20:44:51 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May 7 17:40:29 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a1662dfe
virt: virtlockd doesnt need ps_process_pattern
policy/modules/contrib/virt.te | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 63fef29b..b80abb97 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
allow virtlockd_t self:capability dac_override;
allow virtlockd_t self:fifo_file rw_fifo_file_perms;
+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
allow virtlockd_t virt_image_type:dir list_dir_perms;
allow virtlockd_t virt_image_type:file rw_file_perms;
@@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
-ps_process_pattern(virtlockd_t, virtd_t)
-
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-05-07 17:47 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-05-07 17:47 UTC (permalink / raw
To: gentoo-commits
commit: 83244b1264056d64fe3c979671a68ec3a80cd7dd
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun May 7 03:39:18 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May 7 17:40:29 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=83244b12
chromium: allow cap_userns for the sandbox
https://patchwork.kernel.org/patch/8785151/
policy/modules/contrib/chromium.te | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index cd1e1116..a4fba97c 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -89,10 +89,12 @@ xdg_cache_home_content(chromium_xdg_cache_t)
#
# execmem for load in plugins
-allow chromium_t self:process { execmem getsched setcap setrlimit setsched sigkill signal };
-allow chromium_t self:fifo_file rw_fifo_file_perms;;
+allow chromium_t self:process { execmem getsched getcap setcap setrlimit setsched sigkill signal };
+allow chromium_t self:fifo_file rw_fifo_file_perms;
allow chromium_t self:sem create_sem_perms;
allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms;
+# cap_userns sys_admin for the sandbox
+allow chromium_t self:cap_userns { sys_admin sys_chroot sys_ptrace };
allow chromium_t chromium_exec_t:file execute_no_trans;
@@ -135,6 +137,7 @@ domtrans_pattern(chromium_t, chromium_sandbox_exec_t, chromium_sandbox_t)
domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t)
kernel_list_proc(chromium_t)
+kernel_read_net_sysctls(chromium_t)
corecmd_exec_bin(chromium_t)
# Look for /etc/gentoo-release through a shell invocation running find
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-05-07 17:47 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-05-07 17:47 UTC (permalink / raw
To: gentoo-commits
commit: 301b59bff67c4833c98e6fec5bd2cb04a13e31a2
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Mar 30 04:58:28 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May 7 17:40:29 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=301b59bf
dirmngr: add to roles and allow gpg to domtrans
policy/modules/contrib/dirmngr.if | 69 +++++++++++++++++++++++++++++++++++++++
policy/modules/contrib/gpg.te | 4 +++
2 files changed, 73 insertions(+)
diff --git a/policy/modules/contrib/dirmngr.if b/policy/modules/contrib/dirmngr.if
index 4cd2810e..2f6875a6 100644
--- a/policy/modules/contrib/dirmngr.if
+++ b/policy/modules/contrib/dirmngr.if
@@ -1,5 +1,74 @@
## <summary>Server for managing and downloading certificate revocation lists.</summary>
+############################################################
+## <summary>
+## Role access for dirmngr.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`dirmngr_role',`
+ gen_require(`
+ type dirmngr_t, dirmngr_exec_t;
+ ')
+
+ role $1 types dirmngr_t;
+
+ domtrans_pattern($2, dirmngr_exec_t, dirmngr_t)
+
+ allow $2 dirmngr_t:process { ptrace signal_perms };
+ ps_process_pattern($2, dirmngr_t)
+
+ allow dirmngr_t $2:fd use;
+ allow dirmngr_t $2:fifo_file { read write };
+')
+
+########################################
+## <summary>
+## Execute dirmngr in the dirmngr domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dirmngr_domtrans',`
+ gen_require(`
+ type dirmngr_t, dirmngr_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dirmngr_exec_t, dirmngr_t)
+')
+
+########################################
+## <summary>
+## Execute the dirmngr in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirmngr_exec',`
+ gen_require(`
+ type dirmngr_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, dirmngr_exec_t)
+')
+
########################################
## <summary>
## All of the rules required to
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index c145fb4c..1b8448c7 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -139,6 +139,10 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ dirmngr_domtrans(gpg_t)
+')
+
+optional_policy(`
evolution_read_orbit_tmp_files(gpg_t)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-05-07 17:47 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-05-07 17:47 UTC (permalink / raw
To: gentoo-commits
commit: 580d4297b7b45b13a933df9b4ca788eb9b6331a6
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun May 7 13:43:31 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May 7 17:40:29 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=580d4297
dirmngr: Network rules to connect to keyserver
type=AVC msg=audit(1494163667.921:24917): avc: denied { name_bind } for pid=15683 comm=636F6E6E2066643D36 src=19321 scontext=staff_u:staff_r:dirmngr_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
policy/modules/contrib/dirmngr.te | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te
index 17cce56a..b64fc610 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -62,6 +62,12 @@ manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file })
kernel_read_crypto_sysctls(dirmngr_t)
+dev_read_rand(dirmngr_t)
+sysnet_dns_name_resolve(dirmngr_t)
+
+corenet_tcp_connect_pgpkeyserver_port(dirmngr_t)
+corenet_udp_bind_generic_node(dirmngr_t)
+corenet_udp_bind_all_unreserved_ports(dirmngr_t)
files_read_etc_files(dirmngr_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-05-07 17:47 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-05-07 17:47 UTC (permalink / raw
To: gentoo-commits
commit: 78cc3af7eeadb770d4f84393a382979862a580c9
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Apr 16 06:38:47 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May 7 17:40:29 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=78cc3af7
gpg dirmngr: create and connect to socket
policy/modules/contrib/dirmngr.fc | 2 ++
policy/modules/contrib/dirmngr.if | 25 +++++++++++++++++++++++++
policy/modules/contrib/dirmngr.te | 13 +++++++++++++
policy/modules/contrib/gpg.if | 38 ++++++++++++++++++++++++++++++++++++++
policy/modules/contrib/gpg.te | 1 +
5 files changed, 79 insertions(+)
diff --git a/policy/modules/contrib/dirmngr.fc b/policy/modules/contrib/dirmngr.fc
index a0f261c9..a9cf15a8 100644
--- a/policy/modules/contrib/dirmngr.fc
+++ b/policy/modules/contrib/dirmngr.fc
@@ -12,3 +12,5 @@
/run/dirmngr\.pid -- gen_context(system_u:object_r:dirmngr_var_run_t,s0)
/run/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_var_run_t,s0)
+
+/run/user/%{USERID}/gnupg/S.dirmngr -s gen_context(system_u:object_r:dirmngr_tmp_t,s0)
diff --git a/policy/modules/contrib/dirmngr.if b/policy/modules/contrib/dirmngr.if
index 2f6875a6..07af5063 100644
--- a/policy/modules/contrib/dirmngr.if
+++ b/policy/modules/contrib/dirmngr.if
@@ -18,6 +18,7 @@
interface(`dirmngr_role',`
gen_require(`
type dirmngr_t, dirmngr_exec_t;
+ type dirmngr_tmp_t;
')
role $1 types dirmngr_t;
@@ -29,6 +30,8 @@ interface(`dirmngr_role',`
allow dirmngr_t $2:fd use;
allow dirmngr_t $2:fifo_file { read write };
+
+ allow $2 dirmngr_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
')
########################################
@@ -71,6 +74,28 @@ interface(`dirmngr_exec',`
########################################
## <summary>
+## Connect to dirmngr socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirmngr_stream_connect',`
+ gen_require(`
+ type dirmngr_t, dirmngr_tmp_t;
+ ')
+
+ gpg_search_agent_tmp_dirs($1)
+ allow $1 dirmngr_tmp_t:sock_file rw_sock_file_perms;
+ allow $1 dirmngr_t:unix_stream_socket connectto;
+ userdom_search_user_runtime($1)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an dirmngr environment.
## </summary>
diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te
index 23f40456..8e4a1a89 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -18,6 +18,9 @@ init_script_file(dirmngr_initrc_exec_t)
type dirmngr_log_t;
logging_log_file(dirmngr_log_t)
+type dirmngr_tmp_t;
+userdom_user_tmp_file(dirmngr_tmp_t)
+
type dirmngr_var_lib_t;
files_type(dirmngr_var_lib_t)
@@ -46,6 +49,8 @@ manage_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t)
manage_lnk_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t)
files_var_lib_filetrans(dirmngr_t, dirmngr_var_lib_t, dir)
+manage_sock_files_pattern(dirmngr_t, dirmngr_tmp_t, dirmngr_tmp_t)
+
manage_dirs_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
manage_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
@@ -56,3 +61,11 @@ kernel_read_crypto_sysctls(dirmngr_t)
files_read_etc_files(dirmngr_t)
miscfiles_read_localization(dirmngr_t)
+
+userdom_search_user_home_dirs(dirmngr_t)
+userdom_search_user_runtime(dirmngr_t)
+userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
+
+optional_policy(`
+ gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
+')
diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
index efffff87..4480f9c6 100644
--- a/policy/modules/contrib/gpg.if
+++ b/policy/modules/contrib/gpg.if
@@ -216,6 +216,44 @@ interface(`gpg_stream_connect_agent',`
########################################
## <summary>
+## Search gpg agent dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_search_agent_tmp_dirs',`
+ gen_require(`
+ type gpg_agent_tmp_t;
+ ')
+
+ allow $1 gpg_agent_tmp_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## filetrans in gpg_agent_tmp_t dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_agent_tmp_filetrans',`
+ gen_require(`
+ type gpg_agent_t, gpg_agent_tmp_t;
+ type gpg_secret_t;
+ ')
+
+ filetrans_pattern($1, gpg_agent_tmp_t, $2, $3, $4)
+ userdom_search_user_runtime($1)
+')
+
+########################################
+## <summary>
## Send messages to and from gpg
## pinentry over DBUS.
## </summary>
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 1b8448c7..140d8d94 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -140,6 +140,7 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
dirmngr_domtrans(gpg_t)
+ dirmngr_stream_connect(gpg_t)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2017-05-07 17:41 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-05-07 17:47 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-05-07 17:47 UTC (permalink / raw
To: gentoo-commits
commit: 6bc27759a132a8acc69946da46bb4aefce6bbaeb
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun May 7 03:11:50 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May 7 17:40:29 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6bc27759
consolekit: allow run fifo_files
audit: type=1400 audit(1494126304.815:19): avc: denied { create } for pid=5335 comm="console-kit-dae" name="inhibit.IWBEZY.pipe" scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:consolekit_var_run_t:s0 tclass=fifo_file permissive=0
policy/modules/contrib/consolekit.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index 06451dff..19d4d1b4 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -40,6 +40,7 @@ logging_log_filetrans(consolekit_t, consolekit_log_t, file)
manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
+manage_fifo_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
files_pid_filetrans(consolekit_t, consolekit_var_run_t, { dir file })
kernel_read_system_state(consolekit_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-05-07 17:47 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-05-07 17:47 UTC (permalink / raw
To: gentoo-commits
commit: 92be7193ee0470dbb1024bb20ffd9acee80b696e
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Aug 11 05:49:02 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May 7 17:40:29 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=92be7193
virt: need to relabel to set categories
libvirtError: unable to set security context
'system_u:object_r:svirt_image_t:s0:c50,c346' on
'/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied
policy/modules/contrib/virt.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index b80abb97..b30765c8 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
allow virtd_t virtd_keytab_t:file read_file_perms;
allow virtd_t svirt_var_run_t:file relabel_file_perms;
+allow virtd_t svirt_var_run_t:dir relabel_dir_perms;
manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-05-07 17:47 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-05-07 17:47 UTC (permalink / raw
To: gentoo-commits
commit: 87b0247f46a8debf2829f3b5b87087fb0f43fbe2
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Aug 31 15:03:49 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May 7 17:40:30 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=87b0247f
WIP virt: image type perms
policy/modules/contrib/virt.te | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index fb3c3f37..6ccafff3 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',`
#
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched };
allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
allow virtd_t self:tcp_socket { accept listen };
@@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
allow virtd_t virt_ptynode:chr_file rw_term_perms;
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
@@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',`
tunable_policy(`virt_use_vfio',`
allow virtd_t self:capability sys_resource;
- allow virtd_t self:process setrlimit;
allow virtd_t svirt_t:process rlimitinh;
dev_relabelfrom_vfio_dev(virtd_t)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-05-07 17:47 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-05-07 17:47 UTC (permalink / raw
To: gentoo-commits
commit: 3a5dcd577d402e3e178785da772dad2d9fd128b0
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Feb 15 17:15:58 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May 7 17:40:30 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3a5dcd57
kerberos: Introduce kerberos_filetrans_named_content interface
policy/modules/contrib/kerberos.if | 37 +++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if
index 01caeead..d9d5811f 100644
--- a/policy/modules/contrib/kerberos.if
+++ b/policy/modules/contrib/kerberos.if
@@ -466,6 +466,43 @@ interface(`kerberos_connect_524',`
########################################
## <summary>
+## Transition to kerberos named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_filetrans_named_content',`
+ gen_require(`
+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+ type krb5kdc_principal_t;
+ ')
+
+ files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
+ #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
+
+ kerberos_etc_filetrans_keytab($1, file, "krb5.keytab")
+ #kerberos_filetrans_admin_home_content($1)
+
+ kerberos_tmp_filetrans_host_rcache($1, file, "DNS_25")
+ kerberos_tmp_filetrans_host_rcache($1, file, "host_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23")
+ kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48")
+ kerberos_tmp_filetrans_host_rcache($1, file, "imap_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487")
+ kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55")
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an kerberos environment.
## </summary>
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-05-07 17:47 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-05-07 17:47 UTC (permalink / raw
To: gentoo-commits
commit: 51eb554ea9d25c69d2054336b6efee2f9d1153e5
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Mar 30 07:15:39 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May 7 17:40:30 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=51eb554e
gssproxy: add policy
borrowed and modified from Fedora
policy/modules/contrib/gssproxy.fc | 8 ++
policy/modules/contrib/gssproxy.if | 199 +++++++++++++++++++++++++++++++++++++
policy/modules/contrib/gssproxy.te | 67 +++++++++++++
3 files changed, 274 insertions(+)
diff --git a/policy/modules/contrib/gssproxy.fc b/policy/modules/contrib/gssproxy.fc
new file mode 100644
index 00000000..a9970159
--- /dev/null
+++ b/policy/modules/contrib/gssproxy.fc
@@ -0,0 +1,8 @@
+/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_t,s0)
+
+/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0)
+
+/var/lib/gssproxy(/.*)? gen_context(system_u:object_r:gssproxy_var_lib_t,s0)
+
+/run/gssproxy\.pid -- gen_context(system_u:object_r:gssproxy_run_t,s0)
+/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_run_t,s0)
diff --git a/policy/modules/contrib/gssproxy.if b/policy/modules/contrib/gssproxy.if
new file mode 100644
index 00000000..cebdb20b
--- /dev/null
+++ b/policy/modules/contrib/gssproxy.if
@@ -0,0 +1,199 @@
+
+## <summary>policy for gssproxy</summary>
+
+########################################
+## <summary>
+## Execute gssproxy in the gssproxy domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gssproxy_domtrans',`
+ gen_require(`
+ type gssproxy_t, gssproxy_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, gssproxy_exec_t, gssproxy_t)
+')
+
+########################################
+## <summary>
+## Search gssproxy lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_search_lib',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ allow $1 gssproxy_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read gssproxy lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_read_lib_files',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage gssproxy lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_manage_lib_files',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage gssproxy lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_manage_lib_dirs',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read gssproxy PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_read_pid_files',`
+ gen_require(`
+ type gssproxy_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, gssproxy_run_t, gssproxy_run_t)
+')
+
+########################################
+## <summary>
+## Execute gssproxy server in the gssproxy domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gssproxy_systemctl',`
+ gen_require(`
+ type gssproxy_t;
+ type gssproxy_unit_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 gssproxy_unit_t:file read_file_perms;
+ allow $1 gssproxy_unit_t:service manage_service_perms;
+
+ ps_process_pattern($1, gssproxy_t)
+')
+
+########################################
+## <summary>
+## Connect to gssproxy over an unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_stream_connect',`
+ gen_require(`
+ type gssproxy_t, gssproxy_run_t, gssproxy_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, gssproxy_run_t, gssproxy_run_t, gssproxy_t)
+ stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an gssproxy environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`gssproxy_admin',`
+ gen_require(`
+ type gssproxy_t;
+ type gssproxy_var_lib_t;
+ type gssproxy_run_t;
+ type gssproxy_unit_t;
+ ')
+
+ allow $1 gssproxy_t:process { ptrace signal_perms };
+ ps_process_pattern($1, gssproxy_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, gssproxy_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, gssproxy_run_t)
+
+ gssproxy_systemctl($1)
+ admin_pattern($1, gssproxy_unit_t)
+ allow $1 gssproxy_unit_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/policy/modules/contrib/gssproxy.te b/policy/modules/contrib/gssproxy.te
new file mode 100644
index 00000000..20027689
--- /dev/null
+++ b/policy/modules/contrib/gssproxy.te
@@ -0,0 +1,67 @@
+policy_module(gssproxy, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gssproxy_t;
+type gssproxy_exec_t;
+init_daemon_domain(gssproxy_t, gssproxy_exec_t)
+
+type gssproxy_var_lib_t;
+files_type(gssproxy_var_lib_t)
+
+type gssproxy_run_t;
+files_pid_file(gssproxy_run_t)
+
+type gssproxy_unit_t;
+init_unit_file(gssproxy_unit_t)
+
+########################################
+#
+# gssproxy local policy
+#
+allow gssproxy_t self:capability { setuid setgid };
+allow gssproxy_t self:capability2 block_suspend;
+allow gssproxy_t self:fifo_file rw_fifo_file_perms;
+allow gssproxy_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_sock_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_lnk_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+files_var_lib_filetrans(gssproxy_t, gssproxy_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+manage_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+manage_sock_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+manage_lnk_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+files_pid_filetrans(gssproxy_t, gssproxy_run_t, { dir file lnk_file sock_file })
+
+kernel_rw_rpc_sysctls(gssproxy_t)
+
+domain_use_interactive_fds(gssproxy_t)
+
+files_read_etc_files(gssproxy_t)
+
+fs_getattr_all_fs(gssproxy_t)
+
+auth_use_nsswitch(gssproxy_t)
+
+dev_read_urand(gssproxy_t)
+
+logging_send_syslog_msg(gssproxy_t)
+
+miscfiles_read_localization(gssproxy_t)
+
+#userdom_read_all_users_keys(gssproxy_t)
+userdom_manage_user_tmp_dirs(gssproxy_t)
+userdom_manage_user_tmp_files(gssproxy_t)
+
+optional_policy(`
+ kerberos_filetrans_named_content(gssproxy_t)
+ kerberos_manage_host_rcache(gssproxy_t)
+ kerberos_read_keytab(gssproxy_t)
+ kerberos_use(gssproxy_t)
+')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2017-05-25 17:04 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-05-25 17:08 ` Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-05-25 17:08 UTC (permalink / raw
To: gentoo-commits
commit: 8327ce0c3856f07497d5df5d9b77fa820e915cfb
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu May 25 17:03:37 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 25 17:03:37 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8327ce0c
consolekit: remove gentoo blocks now that its upstreamed
policy/modules/contrib/consolekit.fc | 5 -----
policy/modules/contrib/consolekit.te | 31 +++++++++++--------------------
2 files changed, 11 insertions(+), 25 deletions(-)
diff --git a/policy/modules/contrib/consolekit.fc b/policy/modules/contrib/consolekit.fc
index 8b440c56..d4623586 100644
--- a/policy/modules/contrib/consolekit.fc
+++ b/policy/modules/contrib/consolekit.fc
@@ -9,8 +9,3 @@
/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0)
/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
/run/console-kit-daemon\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
-
-ifdef(`distro_gentoo',`
-# Bug 497986
-/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
-')
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index 19d4d1b4..d51634ea 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -54,7 +54,8 @@ corecmd_exec_bin(consolekit_t)
corecmd_exec_shell(consolekit_t)
dev_read_urand(consolekit_t)
-dev_read_sysfs(consolekit_t)
+dev_rw_sysfs(consolekit_t)
+dev_setattr_all_chr_files(consolekit_t)
domain_read_all_domains_state(consolekit_t)
domain_use_interactive_fds(consolekit_t)
@@ -105,6 +106,10 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ cgmanager_stream_connect(consolekit_t)
+')
+
+optional_policy(`
dbus_read_lib_files(consolekit_t)
dbus_system_domain(consolekit_t, consolekit_exec_t)
@@ -126,6 +131,10 @@ optional_policy(`
')
optional_policy(`
+ devicekit_manage_log_files(consolekit_t)
+')
+
+optional_policy(`
hal_ptrace(consolekit_t)
')
@@ -157,28 +166,10 @@ optional_policy(`
optional_policy(`
udev_domtrans(consolekit_t)
udev_read_db(consolekit_t)
+ udev_read_pid_files(consolekit_t)
udev_signal(consolekit_t)
')
optional_policy(`
unconfined_stream_connect(consolekit_t)
')
-
-ifdef(`distro_gentoo',`
- # consolekit needs to be able to chown /dev nodes when logging in
- dev_setattr_all_chr_files(consolekit_t)
-
- optional_policy(`
- udev_read_pid_files(consolekit_t)
- ')
-
- # needs to write to sys for suspend
- dev_rw_sysfs(consolekit_t)
- optional_policy(`
- devicekit_manage_log_files(consolekit_t)
- ')
-
- optional_policy(`
- cgmanager_stream_connect(consolekit_t)
- ')
-')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-05-25 17:08 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-05-25 17:08 UTC (permalink / raw
To: gentoo-commits
commit: d629bd240173172035ad48db7586e6a163bb8e4b
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Mar 30 04:58:28 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 25 17:03:59 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d629bd24
dirmngr: add to roles and allow gpg to domtrans
policy/modules/contrib/dirmngr.if | 69 +++++++++++++++++++++++++++++++++++++++
policy/modules/contrib/gpg.te | 4 +++
2 files changed, 73 insertions(+)
diff --git a/policy/modules/contrib/dirmngr.if b/policy/modules/contrib/dirmngr.if
index 4cd2810e..2f6875a6 100644
--- a/policy/modules/contrib/dirmngr.if
+++ b/policy/modules/contrib/dirmngr.if
@@ -1,5 +1,74 @@
## <summary>Server for managing and downloading certificate revocation lists.</summary>
+############################################################
+## <summary>
+## Role access for dirmngr.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`dirmngr_role',`
+ gen_require(`
+ type dirmngr_t, dirmngr_exec_t;
+ ')
+
+ role $1 types dirmngr_t;
+
+ domtrans_pattern($2, dirmngr_exec_t, dirmngr_t)
+
+ allow $2 dirmngr_t:process { ptrace signal_perms };
+ ps_process_pattern($2, dirmngr_t)
+
+ allow dirmngr_t $2:fd use;
+ allow dirmngr_t $2:fifo_file { read write };
+')
+
+########################################
+## <summary>
+## Execute dirmngr in the dirmngr domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dirmngr_domtrans',`
+ gen_require(`
+ type dirmngr_t, dirmngr_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dirmngr_exec_t, dirmngr_t)
+')
+
+########################################
+## <summary>
+## Execute the dirmngr in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirmngr_exec',`
+ gen_require(`
+ type dirmngr_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, dirmngr_exec_t)
+')
+
########################################
## <summary>
## All of the rules required to
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index c145fb4c..1b8448c7 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -139,6 +139,10 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ dirmngr_domtrans(gpg_t)
+')
+
+optional_policy(`
evolution_read_orbit_tmp_files(gpg_t)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-05-25 17:08 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-05-25 17:08 UTC (permalink / raw
To: gentoo-commits
commit: 7bee6518835d0d0c4a6ab9041f9cfeef363813e2
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu May 12 16:49:07 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 25 17:03:59 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7bee6518
virt: add policy for virtlogd
policy/modules/contrib/virt.fc | 1 +
policy/modules/contrib/virt.te | 42 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 43 insertions(+)
diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index b1f9b1c8..46839588 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -37,6 +37,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)
/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 4fb34894..63fef29b 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
type virtlockd_var_lib_t;
files_type(virtlockd_var_lib_t)
+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh)
')
ifdef(`enable_mls',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh)
')
########################################
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
allow virt_domain virtd_t:process sigchld;
+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
dontaudit virt_domain virtd_t:unix_stream_socket { read write };
manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
@@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto };
allow virtd_t svirt_lxc_domain:process signal_perms;
+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
allow virtd_t virtd_lxc_t:process { signal signull sigkill };
domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
@@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
can_exec(virtd_t, virt_tmp_t)
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t)
virt_append_log(virtlockd_t)
virt_read_config(virtlockd_t)
+
+########################################
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+virt_manage_log(virtlogd_t)
+virt_read_config(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-05-25 17:08 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-05-25 17:08 UTC (permalink / raw
To: gentoo-commits
commit: c85529b2e1cd810f266ac3faad133210cc8787e7
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun May 7 13:43:31 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 25 17:03:59 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c85529b2
dirmngr: Network rules to connect to keyserver
type=AVC msg=audit(1494163667.921:24917): avc: denied { name_bind } for pid=15683 comm=636F6E6E2066643D36 src=19321 scontext=staff_u:staff_r:dirmngr_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
policy/modules/contrib/dirmngr.te | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te
index 17cce56a..b64fc610 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -62,6 +62,12 @@ manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file })
kernel_read_crypto_sysctls(dirmngr_t)
+dev_read_rand(dirmngr_t)
+sysnet_dns_name_resolve(dirmngr_t)
+
+corenet_tcp_connect_pgpkeyserver_port(dirmngr_t)
+corenet_udp_bind_generic_node(dirmngr_t)
+corenet_udp_bind_all_unreserved_ports(dirmngr_t)
files_read_etc_files(dirmngr_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-05-25 17:08 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-05-25 17:08 UTC (permalink / raw
To: gentoo-commits
commit: 4c92736636a7012c7d831dfdd6acc0d9be2afd2b
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Aug 11 05:49:02 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 25 17:03:59 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4c927366
virt: need to relabel to set categories
libvirtError: unable to set security context
'system_u:object_r:svirt_image_t:s0:c50,c346' on
'/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied
policy/modules/contrib/virt.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index b80abb97..b30765c8 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
allow virtd_t virtd_keytab_t:file read_file_perms;
allow virtd_t svirt_var_run_t:file relabel_file_perms;
+allow virtd_t svirt_var_run_t:dir relabel_dir_perms;
manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-05-25 17:08 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-05-25 17:08 UTC (permalink / raw
To: gentoo-commits
commit: e8b9afa5c6358e954388e5568f739a75d26f2e72
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Apr 16 06:38:47 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 25 17:03:59 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e8b9afa5
gpg dirmngr: create and connect to socket
policy/modules/contrib/dirmngr.fc | 2 ++
policy/modules/contrib/dirmngr.if | 25 +++++++++++++++++++++++++
policy/modules/contrib/dirmngr.te | 13 +++++++++++++
policy/modules/contrib/gpg.if | 38 ++++++++++++++++++++++++++++++++++++++
policy/modules/contrib/gpg.te | 1 +
5 files changed, 79 insertions(+)
diff --git a/policy/modules/contrib/dirmngr.fc b/policy/modules/contrib/dirmngr.fc
index a0f261c9..a9cf15a8 100644
--- a/policy/modules/contrib/dirmngr.fc
+++ b/policy/modules/contrib/dirmngr.fc
@@ -12,3 +12,5 @@
/run/dirmngr\.pid -- gen_context(system_u:object_r:dirmngr_var_run_t,s0)
/run/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_var_run_t,s0)
+
+/run/user/%{USERID}/gnupg/S.dirmngr -s gen_context(system_u:object_r:dirmngr_tmp_t,s0)
diff --git a/policy/modules/contrib/dirmngr.if b/policy/modules/contrib/dirmngr.if
index 2f6875a6..07af5063 100644
--- a/policy/modules/contrib/dirmngr.if
+++ b/policy/modules/contrib/dirmngr.if
@@ -18,6 +18,7 @@
interface(`dirmngr_role',`
gen_require(`
type dirmngr_t, dirmngr_exec_t;
+ type dirmngr_tmp_t;
')
role $1 types dirmngr_t;
@@ -29,6 +30,8 @@ interface(`dirmngr_role',`
allow dirmngr_t $2:fd use;
allow dirmngr_t $2:fifo_file { read write };
+
+ allow $2 dirmngr_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
')
########################################
@@ -71,6 +74,28 @@ interface(`dirmngr_exec',`
########################################
## <summary>
+## Connect to dirmngr socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirmngr_stream_connect',`
+ gen_require(`
+ type dirmngr_t, dirmngr_tmp_t;
+ ')
+
+ gpg_search_agent_tmp_dirs($1)
+ allow $1 dirmngr_tmp_t:sock_file rw_sock_file_perms;
+ allow $1 dirmngr_t:unix_stream_socket connectto;
+ userdom_search_user_runtime($1)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an dirmngr environment.
## </summary>
diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te
index 23f40456..8e4a1a89 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -18,6 +18,9 @@ init_script_file(dirmngr_initrc_exec_t)
type dirmngr_log_t;
logging_log_file(dirmngr_log_t)
+type dirmngr_tmp_t;
+userdom_user_tmp_file(dirmngr_tmp_t)
+
type dirmngr_var_lib_t;
files_type(dirmngr_var_lib_t)
@@ -46,6 +49,8 @@ manage_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t)
manage_lnk_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t)
files_var_lib_filetrans(dirmngr_t, dirmngr_var_lib_t, dir)
+manage_sock_files_pattern(dirmngr_t, dirmngr_tmp_t, dirmngr_tmp_t)
+
manage_dirs_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
manage_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
@@ -56,3 +61,11 @@ kernel_read_crypto_sysctls(dirmngr_t)
files_read_etc_files(dirmngr_t)
miscfiles_read_localization(dirmngr_t)
+
+userdom_search_user_home_dirs(dirmngr_t)
+userdom_search_user_runtime(dirmngr_t)
+userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
+
+optional_policy(`
+ gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
+')
diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
index efffff87..4480f9c6 100644
--- a/policy/modules/contrib/gpg.if
+++ b/policy/modules/contrib/gpg.if
@@ -216,6 +216,44 @@ interface(`gpg_stream_connect_agent',`
########################################
## <summary>
+## Search gpg agent dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_search_agent_tmp_dirs',`
+ gen_require(`
+ type gpg_agent_tmp_t;
+ ')
+
+ allow $1 gpg_agent_tmp_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## filetrans in gpg_agent_tmp_t dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_agent_tmp_filetrans',`
+ gen_require(`
+ type gpg_agent_t, gpg_agent_tmp_t;
+ type gpg_secret_t;
+ ')
+
+ filetrans_pattern($1, gpg_agent_tmp_t, $2, $3, $4)
+ userdom_search_user_runtime($1)
+')
+
+########################################
+## <summary>
## Send messages to and from gpg
## pinentry over DBUS.
## </summary>
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 1b8448c7..140d8d94 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -140,6 +140,7 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
dirmngr_domtrans(gpg_t)
+ dirmngr_stream_connect(gpg_t)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-05-25 17:08 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-05-25 17:08 UTC (permalink / raw
To: gentoo-commits
commit: 7e6eaa2e942d4ea5924fceabf404167b80f93a50
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 27 20:44:51 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 25 17:03:59 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7e6eaa2e
virt: virtlockd doesnt need ps_process_pattern
policy/modules/contrib/virt.te | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 63fef29b..b80abb97 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
allow virtlockd_t self:capability dac_override;
allow virtlockd_t self:fifo_file rw_fifo_file_perms;
+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
allow virtlockd_t virt_image_type:dir list_dir_perms;
allow virtlockd_t virt_image_type:file rw_file_perms;
@@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
-ps_process_pattern(virtlockd_t, virtd_t)
-
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-05-25 17:08 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-05-25 17:08 UTC (permalink / raw
To: gentoo-commits
commit: 91bc9686ff5065f7cdcce4ec14ac9d6dd89b769d
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun May 7 13:42:53 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 25 17:03:59 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=91bc9686
dirmngr: fcontext for ~/.gnupg/crls.d/
policy/modules/contrib/dirmngr.fc | 2 ++
policy/modules/contrib/dirmngr.te | 7 +++++++
policy/modules/contrib/gpg.if | 20 ++++++++++++++++++++
3 files changed, 29 insertions(+)
diff --git a/policy/modules/contrib/dirmngr.fc b/policy/modules/contrib/dirmngr.fc
index a9cf15a8..60f19f47 100644
--- a/policy/modules/contrib/dirmngr.fc
+++ b/policy/modules/contrib/dirmngr.fc
@@ -1,3 +1,5 @@
+HOME_DIR/\.gnupg/crls\.d(/.+)? gen_context(system_u:object_r:dirmngr_home_t,s0)
+
/etc/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_conf_t,s0)
/etc/rc\.d/init\.d/dirmngr -- gen_context(system_u:object_r:dirmngr_initrc_exec_t,s0)
diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te
index 8e4a1a89..17cce56a 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -27,6 +27,9 @@ files_type(dirmngr_var_lib_t)
type dirmngr_var_run_t;
files_pid_file(dirmngr_var_run_t)
+type dirmngr_home_t;
+userdom_user_home_content(dirmngr_home_t)
+
########################################
#
# Local policy
@@ -37,6 +40,8 @@ allow dirmngr_t self:fifo_file rw_file_perms;
allow dirmngr_t dirmngr_conf_t:dir list_dir_perms;
allow dirmngr_t dirmngr_conf_t:file read_file_perms;
allow dirmngr_t dirmngr_conf_t:lnk_file read_lnk_file_perms;
+allow dirmngr_t dirmngr_home_t:dir list_dir_perms;
+allow dirmngr_t dirmngr_home_t:file read_file_perms;
manage_dirs_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
append_files_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
@@ -61,6 +66,7 @@ kernel_read_crypto_sysctls(dirmngr_t)
files_read_etc_files(dirmngr_t)
miscfiles_read_localization(dirmngr_t)
+miscfiles_read_generic_certs(dirmngr_t)
userdom_search_user_home_dirs(dirmngr_t)
userdom_search_user_runtime(dirmngr_t)
@@ -68,4 +74,5 @@ userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
optional_policy(`
gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
+ gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)
')
diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
index 4480f9c6..e5a12750 100644
--- a/policy/modules/contrib/gpg.if
+++ b/policy/modules/contrib/gpg.if
@@ -254,6 +254,26 @@ interface(`gpg_agent_tmp_filetrans',`
########################################
## <summary>
+## filetrans in gpg_secret_t dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_secret_filetrans',`
+ gen_require(`
+ type gpg_secret_t;
+ ')
+
+ filetrans_pattern($1, gpg_secret_t, $2, $3, $4)
+ allow $1 gpg_secret_t:dir search_dir_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
## Send messages to and from gpg
## pinentry over DBUS.
## </summary>
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-05-25 17:08 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-05-25 17:08 UTC (permalink / raw
To: gentoo-commits
commit: 023ca1139b4798c5cb5988ece143221988517236
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed May 10 09:31:23 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 25 17:03:59 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=023ca113
networkmanager: use consolekit inhibit locks
policy/modules/contrib/networkmanager.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index dee77c73..4190eaae 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -228,6 +228,7 @@ optional_policy(`
optional_policy(`
consolekit_dbus_chat(NetworkManager_t)
+ consolekit_use_inhibit_lock(NetworkManager_t)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-05-25 17:08 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-05-25 17:08 UTC (permalink / raw
To: gentoo-commits
commit: cc786a07ee93677d6b41dc10e61e3810038f4c6f
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Feb 15 17:15:58 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 25 17:03:59 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cc786a07
kerberos: Introduce kerberos_filetrans_named_content interface
policy/modules/contrib/kerberos.if | 37 +++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if
index 01caeead..d9d5811f 100644
--- a/policy/modules/contrib/kerberos.if
+++ b/policy/modules/contrib/kerberos.if
@@ -466,6 +466,43 @@ interface(`kerberos_connect_524',`
########################################
## <summary>
+## Transition to kerberos named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_filetrans_named_content',`
+ gen_require(`
+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+ type krb5kdc_principal_t;
+ ')
+
+ files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
+ #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
+
+ kerberos_etc_filetrans_keytab($1, file, "krb5.keytab")
+ #kerberos_filetrans_admin_home_content($1)
+
+ kerberos_tmp_filetrans_host_rcache($1, file, "DNS_25")
+ kerberos_tmp_filetrans_host_rcache($1, file, "host_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23")
+ kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48")
+ kerberos_tmp_filetrans_host_rcache($1, file, "imap_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487")
+ kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55")
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an kerberos environment.
## </summary>
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-05-25 17:08 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-05-25 17:08 UTC (permalink / raw
To: gentoo-commits
commit: 4a876f4221ab4a0ac55a44712e6afe962bbc278d
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Mar 30 07:15:39 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 25 17:03:59 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4a876f42
gssproxy: add policy
borrowed and modified from Fedora
policy/modules/contrib/gssproxy.fc | 8 ++
policy/modules/contrib/gssproxy.if | 199 +++++++++++++++++++++++++++++++++++++
policy/modules/contrib/gssproxy.te | 67 +++++++++++++
3 files changed, 274 insertions(+)
diff --git a/policy/modules/contrib/gssproxy.fc b/policy/modules/contrib/gssproxy.fc
new file mode 100644
index 00000000..a9970159
--- /dev/null
+++ b/policy/modules/contrib/gssproxy.fc
@@ -0,0 +1,8 @@
+/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_t,s0)
+
+/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0)
+
+/var/lib/gssproxy(/.*)? gen_context(system_u:object_r:gssproxy_var_lib_t,s0)
+
+/run/gssproxy\.pid -- gen_context(system_u:object_r:gssproxy_run_t,s0)
+/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_run_t,s0)
diff --git a/policy/modules/contrib/gssproxy.if b/policy/modules/contrib/gssproxy.if
new file mode 100644
index 00000000..cebdb20b
--- /dev/null
+++ b/policy/modules/contrib/gssproxy.if
@@ -0,0 +1,199 @@
+
+## <summary>policy for gssproxy</summary>
+
+########################################
+## <summary>
+## Execute gssproxy in the gssproxy domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gssproxy_domtrans',`
+ gen_require(`
+ type gssproxy_t, gssproxy_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, gssproxy_exec_t, gssproxy_t)
+')
+
+########################################
+## <summary>
+## Search gssproxy lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_search_lib',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ allow $1 gssproxy_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read gssproxy lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_read_lib_files',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage gssproxy lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_manage_lib_files',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage gssproxy lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_manage_lib_dirs',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read gssproxy PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_read_pid_files',`
+ gen_require(`
+ type gssproxy_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, gssproxy_run_t, gssproxy_run_t)
+')
+
+########################################
+## <summary>
+## Execute gssproxy server in the gssproxy domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gssproxy_systemctl',`
+ gen_require(`
+ type gssproxy_t;
+ type gssproxy_unit_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 gssproxy_unit_t:file read_file_perms;
+ allow $1 gssproxy_unit_t:service manage_service_perms;
+
+ ps_process_pattern($1, gssproxy_t)
+')
+
+########################################
+## <summary>
+## Connect to gssproxy over an unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_stream_connect',`
+ gen_require(`
+ type gssproxy_t, gssproxy_run_t, gssproxy_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, gssproxy_run_t, gssproxy_run_t, gssproxy_t)
+ stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an gssproxy environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`gssproxy_admin',`
+ gen_require(`
+ type gssproxy_t;
+ type gssproxy_var_lib_t;
+ type gssproxy_run_t;
+ type gssproxy_unit_t;
+ ')
+
+ allow $1 gssproxy_t:process { ptrace signal_perms };
+ ps_process_pattern($1, gssproxy_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, gssproxy_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, gssproxy_run_t)
+
+ gssproxy_systemctl($1)
+ admin_pattern($1, gssproxy_unit_t)
+ allow $1 gssproxy_unit_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/policy/modules/contrib/gssproxy.te b/policy/modules/contrib/gssproxy.te
new file mode 100644
index 00000000..20027689
--- /dev/null
+++ b/policy/modules/contrib/gssproxy.te
@@ -0,0 +1,67 @@
+policy_module(gssproxy, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gssproxy_t;
+type gssproxy_exec_t;
+init_daemon_domain(gssproxy_t, gssproxy_exec_t)
+
+type gssproxy_var_lib_t;
+files_type(gssproxy_var_lib_t)
+
+type gssproxy_run_t;
+files_pid_file(gssproxy_run_t)
+
+type gssproxy_unit_t;
+init_unit_file(gssproxy_unit_t)
+
+########################################
+#
+# gssproxy local policy
+#
+allow gssproxy_t self:capability { setuid setgid };
+allow gssproxy_t self:capability2 block_suspend;
+allow gssproxy_t self:fifo_file rw_fifo_file_perms;
+allow gssproxy_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_sock_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_lnk_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+files_var_lib_filetrans(gssproxy_t, gssproxy_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+manage_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+manage_sock_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+manage_lnk_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+files_pid_filetrans(gssproxy_t, gssproxy_run_t, { dir file lnk_file sock_file })
+
+kernel_rw_rpc_sysctls(gssproxy_t)
+
+domain_use_interactive_fds(gssproxy_t)
+
+files_read_etc_files(gssproxy_t)
+
+fs_getattr_all_fs(gssproxy_t)
+
+auth_use_nsswitch(gssproxy_t)
+
+dev_read_urand(gssproxy_t)
+
+logging_send_syslog_msg(gssproxy_t)
+
+miscfiles_read_localization(gssproxy_t)
+
+#userdom_read_all_users_keys(gssproxy_t)
+userdom_manage_user_tmp_dirs(gssproxy_t)
+userdom_manage_user_tmp_files(gssproxy_t)
+
+optional_policy(`
+ kerberos_filetrans_named_content(gssproxy_t)
+ kerberos_manage_host_rcache(gssproxy_t)
+ kerberos_read_keytab(gssproxy_t)
+ kerberos_use(gssproxy_t)
+')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-05-25 17:08 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-05-25 17:08 UTC (permalink / raw
To: gentoo-commits
commit: a337f867d9be283b99af8ca7714f110918da5551
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed May 10 09:09:34 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 25 17:03:59 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a337f867
consolekit: allow purging tmp
Needs to be able to clear out /run/user/UID on logout
policy/modules/contrib/consolekit.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index d51634ea..ea4db82b 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -64,6 +64,7 @@ domain_dontaudit_ptrace_all_domains(consolekit_t)
files_read_usr_files(consolekit_t)
files_read_var_lib_files(consolekit_t)
files_search_all_mountpoints(consolekit_t)
+files_purge_tmp(consolekit_t)
fs_list_inotifyfs(consolekit_t)
fs_mount_tmpfs(consolekit_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-05-25 17:08 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-05-25 17:08 UTC (permalink / raw
To: gentoo-commits
commit: a4c5b41a18ebfee686fb65ce8a484dc4493ff087
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Aug 13 16:37:55 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 25 17:03:59 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a4c5b41a
virt: kernel_read_system_state
policy/modules/contrib/virt.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index b30765c8..fb3c3f37 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
+kernel_read_system_state(virtlockd_t)
+
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
@@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
can_exec(virtlogd_t, virtlogd_exec_t)
+kernel_read_system_state(virtlogd_t)
+
files_read_etc_files(virtlogd_t)
files_list_var_lib(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-05-25 17:08 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-05-25 17:08 UTC (permalink / raw
To: gentoo-commits
commit: 5a8818391194c993b1e0a4b8c2dc758097f8aed3
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed May 10 09:07:26 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 25 17:03:59 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5a881839
consolekit: introduce consolekit_use_inhibit_lock interface
Applications hold FDs while they hold the lock.
Implements this API:
https://www.freedesktop.org/wiki/Software/systemd/inhibit/
policy/modules/contrib/consolekit.if | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/policy/modules/contrib/consolekit.if b/policy/modules/contrib/consolekit.if
index 5b830ec9..c2c203f1 100644
--- a/policy/modules/contrib/consolekit.if
+++ b/policy/modules/contrib/consolekit.if
@@ -42,6 +42,25 @@ interface(`consolekit_dbus_chat',`
########################################
## <summary>
+## Take inhibit locks from consolekit
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`consolekit_use_inhibit_lock',`
+ gen_require(`
+ type consolekit_t, consolekit_var_run_t;
+ ')
+
+ allow $1 consolekit_t:fd use;
+ allow $1 consolekit_var_run_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
## Read consolekit log files.
## </summary>
## <param name="domain">
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-05-25 17:08 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-05-25 17:08 UTC (permalink / raw
To: gentoo-commits
commit: 741fe2c6d5f0925daf2c18f635c9a928bfcd5bc8
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed May 10 09:31:08 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 25 17:03:59 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=741fe2c6
dbus: use consolekit inhibit locks
policy/modules/contrib/dbus.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index ca39fb6b..be216326 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -167,6 +167,10 @@ optional_policy(`
')
optional_policy(`
+ consolekit_use_inhibit_lock(system_dbusd_t)
+')
+
+optional_policy(`
policykit_read_lib(system_dbusd_t)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-05-25 17:08 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-05-25 17:08 UTC (permalink / raw
To: gentoo-commits
commit: 3a654acf88973e1295e05bf253e9ec787b19cf23
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Aug 31 15:03:49 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 25 17:03:59 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3a654acf
WIP virt: image type perms
policy/modules/contrib/virt.te | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index fb3c3f37..6ccafff3 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',`
#
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched };
allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
allow virtd_t self:tcp_socket { accept listen };
@@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
allow virtd_t virt_ptynode:chr_file rw_term_perms;
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
@@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',`
tunable_policy(`virt_use_vfio',`
allow virtd_t self:capability sys_resource;
- allow virtd_t self:process setrlimit;
allow virtd_t svirt_t:process rlimitinh;
dev_relabelfrom_vfio_dev(virtd_t)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-09-10 14:03 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-09-10 14:03 UTC (permalink / raw
To: gentoo-commits
commit: fde0a68cdd425a6496b4223667d75e9b1f4783f8
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun May 7 13:43:31 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 10 13:53:30 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fde0a68c
dirmngr: Network rules to connect to keyserver
type=AVC msg=audit(1494163667.921:24917): avc: denied { name_bind } for pid=15683 comm=636F6E6E2066643D36 src=19321 scontext=staff_u:staff_r:dirmngr_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
policy/modules/contrib/dirmngr.te | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te
index 8f4cb991..fb8a7e50 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -63,6 +63,12 @@ manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file })
kernel_read_crypto_sysctls(dirmngr_t)
+dev_read_rand(dirmngr_t)
+sysnet_dns_name_resolve(dirmngr_t)
+
+corenet_tcp_connect_pgpkeyserver_port(dirmngr_t)
+corenet_udp_bind_generic_node(dirmngr_t)
+corenet_udp_bind_all_unreserved_ports(dirmngr_t)
dev_read_rand(dirmngr_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-09-10 14:03 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-09-10 14:03 UTC (permalink / raw
To: gentoo-commits
commit: a248b34332e48cff32b36b60714c3658ea96d1c6
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Sep 10 12:55:51 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 10 12:55:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a248b343
resolvconf: allow reading localization
policy/modules/contrib/resolvconf.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/resolvconf.te b/policy/modules/contrib/resolvconf.te
index b8c8e7e8..58bb165d 100644
--- a/policy/modules/contrib/resolvconf.te
+++ b/policy/modules/contrib/resolvconf.te
@@ -31,6 +31,8 @@ corecmd_exec_shell(resolvconf_t)
files_pid_filetrans(resolvconf_t, resolvconf_var_run_t, { dir file })
files_read_etc_files(resolvconf_t)
+miscfiles_read_localization(resolvconf_t)
+
sysnet_manage_config(resolvconf_t)
optional_policy(`
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-09-10 14:03 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-09-10 14:03 UTC (permalink / raw
To: gentoo-commits
commit: 9f5bef71012d46627f45471c31aaf2928447359f
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Sep 10 13:20:05 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 10 13:20:05 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9f5bef71
cgmanager: use nsswitch
cgmanager looks up usernames. the nsswitch interface will allow file map
for /etc/passwd.
policy/modules/contrib/cgmanager.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/cgmanager.te b/policy/modules/contrib/cgmanager.te
index c3cc5217..2674193f 100644
--- a/policy/modules/contrib/cgmanager.te
+++ b/policy/modules/contrib/cgmanager.te
@@ -40,6 +40,8 @@ allow cgmanager_t cgmanager_run_t:dir mounton;
kernel_domtrans_to(cgmanager_t, cgmanager_exec_t)
kernel_read_system_state(cgmanager_t)
+auth_use_nsswitch(cgmanager_t)
+
corecmd_exec_bin(cgmanager_t)
domain_read_all_domains_state(cgmanager_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-09-10 14:03 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-09-10 14:03 UTC (permalink / raw
To: gentoo-commits
commit: 234f522a12f0214e10a7a56092e31a3ac747017a
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Sep 10 13:47:28 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 10 13:47:28 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=234f522a
xdg: allow map perms
policy/modules/contrib/xdg.if | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/policy/modules/contrib/xdg.if b/policy/modules/contrib/xdg.if
index 649266b3..3188d96f 100644
--- a/policy/modules/contrib/xdg.if
+++ b/policy/modules/contrib/xdg.if
@@ -79,6 +79,7 @@ interface(`xdg_read_cache_home_files',`
')
read_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ allow $1 xdg_cache_home_t:file map;
list_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
userdom_search_user_home_dirs($1)
@@ -100,6 +101,7 @@ interface(`xdg_read_all_cache_home_files',`
')
read_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
+ allow $1 xdg_cache_home_type:file map;
userdom_search_user_home_dirs($1)
')
@@ -208,6 +210,7 @@ interface(`xdg_manage_cache_home',`
manage_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
manage_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ allow $1 xdg_cache_home_t:file map;
manage_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
manage_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
manage_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
@@ -232,6 +235,7 @@ interface(`xdg_manage_all_cache_home',`
manage_dirs_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
manage_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
+ allow $1 xdg_cache_home_type:file map;
manage_lnk_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
manage_fifo_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
manage_sock_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
@@ -323,6 +327,7 @@ interface(`xdg_read_config_home_files',`
')
read_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ allow $1 xdg_config_home_t:file map;
list_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
userdom_search_user_home_dirs($1)
@@ -344,6 +349,7 @@ interface(`xdg_read_all_config_home_files',`
')
read_files_pattern($1, xdg_config_home_type, xdg_config_home_type)
+ allow $1 xdg_config_home_type:file map;
userdom_search_user_home_dirs($1)
')
@@ -453,6 +459,7 @@ interface(`xdg_manage_config_home',`
manage_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
manage_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ allow $1 xdg_config_home_t:file map;
manage_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
manage_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
manage_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
@@ -477,6 +484,7 @@ interface(`xdg_manage_all_config_home',`
manage_dirs_pattern($1, xdg_config_home_type, xdg_config_home_type)
manage_files_pattern($1, xdg_config_home_type, xdg_config_home_type)
+ allow $1 xdg_config_home_type:file map;
manage_lnk_files_pattern($1, xdg_config_home_type, xdg_config_home_type)
manage_fifo_files_pattern($1, xdg_config_home_type, xdg_config_home_type)
manage_sock_files_pattern($1, xdg_config_home_type, xdg_config_home_type)
@@ -548,6 +556,7 @@ interface(`xdg_read_data_home_files',`
')
read_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ allow $1 xdg_data_home_t:file map;
list_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
userdom_search_user_home_dirs($1)
@@ -569,6 +578,7 @@ interface(`xdg_read_all_data_home_files',`
')
read_files_pattern($1, xdg_data_home_type, xdg_data_home_type)
+ allow $1 xdg_data_home_type:file map;
userdom_search_user_home_dirs($1)
')
@@ -677,6 +687,7 @@ interface(`xdg_manage_data_home',`
manage_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
manage_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ allow $1 xdg_data_home_t:file map;
manage_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
manage_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
manage_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
@@ -701,6 +712,7 @@ interface(`xdg_manage_all_data_home',`
manage_dirs_pattern($1, xdg_data_home_type, xdg_data_home_type)
manage_files_pattern($1, xdg_data_home_type, xdg_data_home_type)
+ allow $1 xdg_data_home_type:file map;
manage_lnk_files_pattern($1, xdg_data_home_type, xdg_data_home_type)
manage_fifo_files_pattern($1, xdg_data_home_type, xdg_data_home_type)
manage_sock_files_pattern($1, xdg_data_home_type, xdg_data_home_type)
@@ -772,6 +784,7 @@ interface(`xdg_read_downloads_home',`
')
read_files_pattern($1, xdg_downloads_home_t, xdg_downloads_home_t)
+ allow $1 xdg_downloads_home_t:file map;
userdom_search_user_home_dirs($1)
')
@@ -792,6 +805,7 @@ interface(`xdg_read_videos_home',`
')
read_files_pattern($1, xdg_videos_home_t, xdg_videos_home_t)
+ allow $1 xdg_videos_home_t:file map;
list_dirs_pattern($1, xdg_videos_home_t, xdg_videos_home_t)
userdom_search_user_home_dirs($1)
@@ -813,6 +827,7 @@ interface(`xdg_read_pictures_home',`
')
read_files_pattern($1, xdg_pictures_home_t, xdg_pictures_home_t)
+ allow $1 xdg_pictures_home_t:file map;
list_dirs_pattern($1, xdg_pictures_home_t, xdg_pictures_home_t)
userdom_search_user_home_dirs($1)
@@ -834,6 +849,7 @@ interface(`xdg_read_music_home',`
')
read_files_pattern($1, xdg_music_home_t, xdg_music_home_t)
+ allow $1 xdg_music_home_t:file map;
list_dirs_pattern($1, xdg_music_home_t, xdg_music_home_t)
userdom_search_user_home_dirs($1)
@@ -855,6 +871,7 @@ interface(`xdg_create_downloads_home',`
')
create_files_pattern($1, xdg_downloads_home_t, xdg_downloads_home_t)
+ allow $1 xdg_downloads_home_t:file map;
userdom_search_user_home_dirs($1)
')
@@ -875,6 +892,7 @@ interface(`xdg_write_downloads_home',`
')
write_files_pattern($1, xdg_downloads_home_t, xdg_downloads_home_t)
+ allow $1 xdg_downloads_home_t:file map;
userdom_search_user_home_dirs($1)
')
@@ -896,6 +914,7 @@ interface(`xdg_manage_downloads_home',`
manage_dirs_pattern($1, xdg_downloads_home_t, xdg_downloads_home_t)
manage_files_pattern($1, xdg_downloads_home_t, xdg_downloads_home_t)
+ allow $1 xdg_downloads_home_t:file map;
')
#########################################
@@ -915,6 +934,7 @@ interface(`xdg_manage_documents_home',`
manage_dirs_pattern($1, xdg_documents_home_t, xdg_documents_home_t)
manage_files_pattern($1, xdg_documents_home_t, xdg_documents_home_t)
+ allow $1 xdg_documents_home_t:file map;
')
#########################################
@@ -934,6 +954,7 @@ interface(`xdg_manage_music_home',`
manage_dirs_pattern($1, xdg_music_home_t, xdg_music_home_t)
manage_files_pattern($1, xdg_music_home_t, xdg_music_home_t)
+ allow $1 xdg_music_home_t:file map;
')
#########################################
@@ -953,6 +974,7 @@ interface(`xdg_manage_pictures_home',`
manage_dirs_pattern($1, xdg_pictures_home_t, xdg_pictures_home_t)
manage_files_pattern($1, xdg_pictures_home_t, xdg_pictures_home_t)
+ allow $1 xdg_pictures_home_t:file map;
')
#########################################
@@ -972,4 +994,5 @@ interface(`xdg_manage_videos_home',`
manage_dirs_pattern($1, xdg_videos_home_t, xdg_videos_home_t)
manage_files_pattern($1, xdg_videos_home_t, xdg_videos_home_t)
+ allow $1 xdg_videos_home_t:file map;
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-09-10 14:03 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-09-10 14:03 UTC (permalink / raw
To: gentoo-commits
commit: 6c7a09fcabc376f277efceecd68dfbf58f33a510
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Sep 10 12:56:26 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 10 12:56:26 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6c7a09fc
pulseaudio: add map perms
policy/modules/contrib/pulseaudio.if | 2 +-
policy/modules/contrib/pulseaudio.te | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/pulseaudio.if b/policy/modules/contrib/pulseaudio.if
index 921e519c..3073fd4a 100644
--- a/policy/modules/contrib/pulseaudio.if
+++ b/policy/modules/contrib/pulseaudio.if
@@ -33,7 +33,7 @@ interface(`pulseaudio_role',`
allow $2 pulseaudio_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms };
+ allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms map };
allow $2 pulseaudio_tmp_t:dir { manage_dir_perms relabel_dir_perms };
allow $2 pulseaudio_tmp_t:file { manage_file_perms relabel_file_perms };
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index b4154208..9202f23f 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -138,6 +138,7 @@ logging_send_syslog_msg(pulseaudio_t)
miscfiles_read_localization(pulseaudio_t)
userdom_read_user_tmpfs_files(pulseaudio_t)
+userdom_map_user_tmpfs_files(pulseaudio_t)
userdom_delete_user_tmpfs_files(pulseaudio_t)
userdom_search_user_home_dirs(pulseaudio_t)
userdom_search_user_home_content(pulseaudio_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-09-10 14:03 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-09-10 14:03 UTC (permalink / raw
To: gentoo-commits
commit: 9ec53a8a43b7f1d03a84c333c1265a63b8ef334c
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Aug 13 16:37:55 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 10 13:53:30 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9ec53a8a
virt: kernel_read_system_state
policy/modules/contrib/virt.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 51429d5b..0a770ea1 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
+kernel_read_system_state(virtlockd_t)
+
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
@@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
can_exec(virtlogd_t, virtlogd_exec_t)
+kernel_read_system_state(virtlogd_t)
+
files_read_etc_files(virtlogd_t)
files_list_var_lib(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-09-10 14:03 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-09-10 14:03 UTC (permalink / raw
To: gentoo-commits
commit: 97f88106f6933c0c77204b1fefcda8885d5fa516
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Aug 31 15:03:49 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 10 13:53:30 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=97f88106
WIP virt: image type perms
policy/modules/contrib/virt.te | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 0a770ea1..e06d912f 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',`
#
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched };
allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
allow virtd_t self:tcp_socket { accept listen };
@@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
allow virtd_t virt_ptynode:chr_file rw_term_perms;
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
@@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',`
tunable_policy(`virt_use_vfio',`
allow virtd_t self:capability sys_resource;
- allow virtd_t self:process setrlimit;
allow virtd_t svirt_t:process rlimitinh;
dev_relabelfrom_vfio_dev(virtd_t)
')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-09-10 14:03 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-09-10 14:03 UTC (permalink / raw
To: gentoo-commits
commit: c4d741a059de129238da9d8f669085cd216973c6
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Mar 30 07:15:39 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 10 13:53:30 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c4d741a0
gssproxy: add policy
borrowed and modified from Fedora
policy/modules/contrib/gssproxy.fc | 8 ++
policy/modules/contrib/gssproxy.if | 199 +++++++++++++++++++++++++++++++++++++
policy/modules/contrib/gssproxy.te | 67 +++++++++++++
3 files changed, 274 insertions(+)
diff --git a/policy/modules/contrib/gssproxy.fc b/policy/modules/contrib/gssproxy.fc
new file mode 100644
index 00000000..a9970159
--- /dev/null
+++ b/policy/modules/contrib/gssproxy.fc
@@ -0,0 +1,8 @@
+/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_t,s0)
+
+/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0)
+
+/var/lib/gssproxy(/.*)? gen_context(system_u:object_r:gssproxy_var_lib_t,s0)
+
+/run/gssproxy\.pid -- gen_context(system_u:object_r:gssproxy_run_t,s0)
+/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_run_t,s0)
diff --git a/policy/modules/contrib/gssproxy.if b/policy/modules/contrib/gssproxy.if
new file mode 100644
index 00000000..cebdb20b
--- /dev/null
+++ b/policy/modules/contrib/gssproxy.if
@@ -0,0 +1,199 @@
+
+## <summary>policy for gssproxy</summary>
+
+########################################
+## <summary>
+## Execute gssproxy in the gssproxy domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gssproxy_domtrans',`
+ gen_require(`
+ type gssproxy_t, gssproxy_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, gssproxy_exec_t, gssproxy_t)
+')
+
+########################################
+## <summary>
+## Search gssproxy lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_search_lib',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ allow $1 gssproxy_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read gssproxy lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_read_lib_files',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage gssproxy lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_manage_lib_files',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage gssproxy lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_manage_lib_dirs',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read gssproxy PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_read_pid_files',`
+ gen_require(`
+ type gssproxy_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, gssproxy_run_t, gssproxy_run_t)
+')
+
+########################################
+## <summary>
+## Execute gssproxy server in the gssproxy domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gssproxy_systemctl',`
+ gen_require(`
+ type gssproxy_t;
+ type gssproxy_unit_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 gssproxy_unit_t:file read_file_perms;
+ allow $1 gssproxy_unit_t:service manage_service_perms;
+
+ ps_process_pattern($1, gssproxy_t)
+')
+
+########################################
+## <summary>
+## Connect to gssproxy over an unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_stream_connect',`
+ gen_require(`
+ type gssproxy_t, gssproxy_run_t, gssproxy_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, gssproxy_run_t, gssproxy_run_t, gssproxy_t)
+ stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an gssproxy environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`gssproxy_admin',`
+ gen_require(`
+ type gssproxy_t;
+ type gssproxy_var_lib_t;
+ type gssproxy_run_t;
+ type gssproxy_unit_t;
+ ')
+
+ allow $1 gssproxy_t:process { ptrace signal_perms };
+ ps_process_pattern($1, gssproxy_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, gssproxy_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, gssproxy_run_t)
+
+ gssproxy_systemctl($1)
+ admin_pattern($1, gssproxy_unit_t)
+ allow $1 gssproxy_unit_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/policy/modules/contrib/gssproxy.te b/policy/modules/contrib/gssproxy.te
new file mode 100644
index 00000000..20027689
--- /dev/null
+++ b/policy/modules/contrib/gssproxy.te
@@ -0,0 +1,67 @@
+policy_module(gssproxy, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gssproxy_t;
+type gssproxy_exec_t;
+init_daemon_domain(gssproxy_t, gssproxy_exec_t)
+
+type gssproxy_var_lib_t;
+files_type(gssproxy_var_lib_t)
+
+type gssproxy_run_t;
+files_pid_file(gssproxy_run_t)
+
+type gssproxy_unit_t;
+init_unit_file(gssproxy_unit_t)
+
+########################################
+#
+# gssproxy local policy
+#
+allow gssproxy_t self:capability { setuid setgid };
+allow gssproxy_t self:capability2 block_suspend;
+allow gssproxy_t self:fifo_file rw_fifo_file_perms;
+allow gssproxy_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_sock_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_lnk_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+files_var_lib_filetrans(gssproxy_t, gssproxy_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+manage_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+manage_sock_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+manage_lnk_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+files_pid_filetrans(gssproxy_t, gssproxy_run_t, { dir file lnk_file sock_file })
+
+kernel_rw_rpc_sysctls(gssproxy_t)
+
+domain_use_interactive_fds(gssproxy_t)
+
+files_read_etc_files(gssproxy_t)
+
+fs_getattr_all_fs(gssproxy_t)
+
+auth_use_nsswitch(gssproxy_t)
+
+dev_read_urand(gssproxy_t)
+
+logging_send_syslog_msg(gssproxy_t)
+
+miscfiles_read_localization(gssproxy_t)
+
+#userdom_read_all_users_keys(gssproxy_t)
+userdom_manage_user_tmp_dirs(gssproxy_t)
+userdom_manage_user_tmp_files(gssproxy_t)
+
+optional_policy(`
+ kerberos_filetrans_named_content(gssproxy_t)
+ kerberos_manage_host_rcache(gssproxy_t)
+ kerberos_read_keytab(gssproxy_t)
+ kerberos_use(gssproxy_t)
+')
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-09-10 14:03 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-09-10 14:03 UTC (permalink / raw
To: gentoo-commits
commit: 8e9fc437ae1727920d4fcabea0910b7f9e3d3dce
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Aug 11 05:49:02 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 10 13:53:30 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8e9fc437
virt: need to relabel to set categories
libvirtError: unable to set security context
'system_u:object_r:svirt_image_t:s0:c50,c346' on
'/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied
policy/modules/contrib/virt.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index e27d24a6..51429d5b 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
allow virtd_t virtd_keytab_t:file read_file_perms;
allow virtd_t svirt_var_run_t:file relabel_file_perms;
+allow virtd_t svirt_var_run_t:dir relabel_dir_perms;
manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-09-10 14:03 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-09-10 14:03 UTC (permalink / raw
To: gentoo-commits
commit: 8c6ec37b74ac4fbf76957ac569cddaf737aae65d
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Feb 15 17:15:58 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 10 13:53:30 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8c6ec37b
kerberos: Introduce kerberos_filetrans_named_content interface
policy/modules/contrib/kerberos.if | 37 +++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if
index c8c5a37d..7bfd8a2a 100644
--- a/policy/modules/contrib/kerberos.if
+++ b/policy/modules/contrib/kerberos.if
@@ -425,6 +425,43 @@ interface(`kerberos_connect_524',`
########################################
## <summary>
+## Transition to kerberos named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_filetrans_named_content',`
+ gen_require(`
+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+ type krb5kdc_principal_t;
+ ')
+
+ files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
+ #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
+
+ kerberos_etc_filetrans_keytab($1, file, "krb5.keytab")
+ #kerberos_filetrans_admin_home_content($1)
+
+ kerberos_tmp_filetrans_host_rcache($1, file, "DNS_25")
+ kerberos_tmp_filetrans_host_rcache($1, file, "host_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23")
+ kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48")
+ kerberos_tmp_filetrans_host_rcache($1, file, "imap_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487")
+ kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55")
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an kerberos environment.
## </summary>
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-09-10 14:03 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-09-10 14:03 UTC (permalink / raw
To: gentoo-commits
commit: fc9b00c559fa5e62f2063b2614932a274e4a103a
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 27 20:44:51 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 10 13:53:30 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fc9b00c5
virt: virtlockd doesnt need ps_process_pattern
policy/modules/contrib/virt.te | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 3d93fac4..e27d24a6 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
allow virtlockd_t self:capability dac_override;
allow virtlockd_t self:fifo_file rw_fifo_file_perms;
+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
allow virtlockd_t virt_image_type:dir list_dir_perms;
allow virtlockd_t virt_image_type:file rw_file_perms;
@@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
-ps_process_pattern(virtlockd_t, virtd_t)
-
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-09-10 14:03 Jason Zaman
0 siblings, 0 replies; 413+ messages in thread
From: Jason Zaman @ 2017-09-10 14:03 UTC (permalink / raw
To: gentoo-commits
commit: 15f0a66ac8e45129d70d1cb0bbe6a8ae6771953f
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu May 12 16:49:07 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 10 13:53:30 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=15f0a66a
virt: add policy for virtlogd
policy/modules/contrib/virt.fc | 1 +
policy/modules/contrib/virt.te | 42 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 43 insertions(+)
diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index b1f9b1c8..46839588 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -37,6 +37,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)
/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index fce37958..3d93fac4 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
type virtlockd_var_lib_t;
files_type(virtlockd_var_lib_t)
+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh)
')
ifdef(`enable_mls',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh)
')
########################################
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
allow virt_domain virtd_t:process sigchld;
+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
dontaudit virt_domain virtd_t:unix_stream_socket { read write };
manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
@@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto };
allow virtd_t svirt_lxc_domain:process signal_perms;
+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
allow virtd_t virtd_lxc_t:process { signal signull sigkill };
domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
@@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
can_exec(virtd_t, virt_tmp_t)
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t)
virt_append_log(virtlockd_t)
virt_read_config(virtlockd_t)
+
+########################################
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+virt_manage_log(virtlogd_t)
+virt_read_config(virtlogd_t)
^ permalink raw reply related [flat|nested] 413+ messages in thread
end of thread, other threads:[~2017-09-10 14:04 UTC | newest]
Thread overview: 413+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-05-07 17:47 [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/ Jason Zaman
-- strict thread matches above, loose matches on Subject: below --
2017-09-10 14:03 Jason Zaman
2017-09-10 14:03 Jason Zaman
2017-09-10 14:03 Jason Zaman
2017-09-10 14:03 Jason Zaman
2017-09-10 14:03 Jason Zaman
2017-09-10 14:03 Jason Zaman
2017-09-10 14:03 Jason Zaman
2017-09-10 14:03 Jason Zaman
2017-09-10 14:03 Jason Zaman
2017-09-10 14:03 Jason Zaman
2017-09-10 14:03 Jason Zaman
2017-09-10 14:03 Jason Zaman
2017-05-25 17:08 Jason Zaman
2017-05-25 17:08 Jason Zaman
2017-05-25 17:08 Jason Zaman
2017-05-25 17:08 Jason Zaman
2017-05-25 17:08 Jason Zaman
2017-05-25 17:08 Jason Zaman
2017-05-25 17:08 Jason Zaman
2017-05-25 17:08 Jason Zaman
2017-05-25 17:08 Jason Zaman
2017-05-25 17:08 Jason Zaman
2017-05-25 17:08 Jason Zaman
2017-05-25 17:08 Jason Zaman
2017-05-25 17:08 Jason Zaman
2017-05-25 17:08 Jason Zaman
2017-05-25 17:08 Jason Zaman
2017-05-25 17:04 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-05-25 17:08 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-05-07 17:47 Jason Zaman
2017-05-07 17:47 Jason Zaman
2017-05-07 17:47 Jason Zaman
2017-05-07 17:47 Jason Zaman
2017-05-07 17:47 Jason Zaman
2017-05-07 17:47 Jason Zaman
2017-05-07 17:47 Jason Zaman
2017-05-07 17:47 Jason Zaman
2017-05-07 17:47 Jason Zaman
2017-05-07 17:47 Jason Zaman
2017-05-07 17:47 Jason Zaman
2017-05-07 17:47 Jason Zaman
2017-05-07 17:47 Jason Zaman
2017-05-07 17:41 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-05-07 17:47 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-05-07 16:09 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-05-07 17:47 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-05-07 16:09 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-05-07 17:47 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-05-07 16:09 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-05-07 17:47 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-05-07 16:09 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-05-07 17:47 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-04-30 9:40 Jason Zaman
2017-04-30 9:40 Jason Zaman
2017-04-30 9:40 Jason Zaman
2017-04-30 9:40 Jason Zaman
2017-04-30 9:40 Jason Zaman
2017-04-30 9:40 Jason Zaman
2017-04-30 9:40 Jason Zaman
2017-04-30 9:40 Jason Zaman
2017-04-30 9:40 Jason Zaman
2017-04-30 9:40 Jason Zaman
2017-04-30 9:40 Jason Zaman
2017-04-30 9:40 Jason Zaman
2017-04-30 9:40 Jason Zaman
2017-04-30 9:40 Jason Zaman
2017-04-30 9:40 Jason Zaman
2017-04-30 9:32 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-04-30 9:40 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-04-30 9:32 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-04-30 9:40 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-04-30 9:32 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-04-30 9:40 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-04-30 9:32 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-04-30 9:40 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-04-30 9:32 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-04-30 9:40 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-04-30 9:32 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-04-30 9:40 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-03-30 17:09 Jason Zaman
2017-03-30 17:09 Jason Zaman
2017-03-30 17:09 Jason Zaman
2017-03-30 17:09 Jason Zaman
2017-03-30 17:09 Jason Zaman
2017-03-30 17:09 Jason Zaman
2017-03-30 17:09 Jason Zaman
2017-03-30 17:09 Jason Zaman
2017-03-30 17:09 Jason Zaman
2017-03-30 17:09 Jason Zaman
2017-03-30 17:09 Jason Zaman
2017-03-30 17:09 Jason Zaman
2017-03-30 17:09 Jason Zaman
2017-03-30 17:06 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-03-30 17:09 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-03-30 17:06 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-03-30 17:09 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-03-30 17:06 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-03-30 17:09 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-03-30 17:06 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-03-30 17:09 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-03-30 17:06 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-03-30 17:09 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-02-27 11:40 Jason Zaman
2017-02-27 11:40 Jason Zaman
2017-02-27 11:40 Jason Zaman
2017-02-27 11:40 Jason Zaman
2017-02-27 11:40 Jason Zaman
2017-02-27 11:40 Jason Zaman
2017-02-27 11:40 Jason Zaman
2017-02-27 11:40 Jason Zaman
2017-02-27 10:50 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-02-27 11:40 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-02-25 16:58 Jason Zaman
2017-02-25 16:58 Jason Zaman
2017-02-25 16:58 Jason Zaman
2017-02-25 16:58 Jason Zaman
2017-02-25 16:58 Jason Zaman
2017-02-25 16:58 Jason Zaman
2017-02-25 16:58 Jason Zaman
2017-02-25 16:58 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-02-25 16:58 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-02-25 15:28 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-02-25 16:58 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-02-25 14:59 Jason Zaman
2017-02-25 14:59 Jason Zaman
2017-02-25 14:59 Jason Zaman
2017-02-25 14:59 Jason Zaman
2017-02-25 14:59 Jason Zaman
2017-02-25 14:59 Jason Zaman
2017-02-25 14:59 Jason Zaman
2017-02-25 14:59 Jason Zaman
2017-02-25 14:59 Jason Zaman
2017-02-25 14:59 Jason Zaman
2017-02-25 14:59 Jason Zaman
2017-02-25 14:51 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-02-25 14:59 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-02-25 14:51 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-02-25 14:59 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-02-25 14:51 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-02-25 14:59 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-02-17 8:50 Jason Zaman
2017-02-17 8:50 Jason Zaman
2017-02-17 8:50 Jason Zaman
2017-02-17 8:50 Jason Zaman
2017-02-17 8:50 Jason Zaman
2017-02-17 8:50 Jason Zaman
2017-02-17 8:50 Jason Zaman
2017-02-17 8:50 Jason Zaman
2017-02-17 8:50 Jason Zaman
2017-02-17 8:50 Jason Zaman
2017-02-17 8:50 Jason Zaman
2017-02-17 8:50 Jason Zaman
2017-02-17 8:44 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-02-17 8:50 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-02-17 8:44 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-02-17 8:50 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-02-17 8:44 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-02-17 8:50 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-02-17 8:44 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-02-17 8:50 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-02-17 8:44 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-02-17 8:50 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-02-17 8:44 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-02-17 8:50 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-01-01 16:47 Jason Zaman
2017-01-01 16:47 Jason Zaman
2017-01-01 16:47 Jason Zaman
2017-01-01 16:47 Jason Zaman
2017-01-01 16:47 Jason Zaman
2017-01-01 16:37 Jason Zaman
2017-01-01 16:37 Jason Zaman
2017-01-01 16:37 Jason Zaman
2017-01-01 16:37 Jason Zaman
2017-01-01 16:37 Jason Zaman
2016-12-08 5:03 Jason Zaman
2016-12-08 5:03 Jason Zaman
2016-12-08 5:03 Jason Zaman
2016-12-08 5:03 Jason Zaman
2016-12-08 5:03 Jason Zaman
2016-12-08 5:03 Jason Zaman
2016-12-08 4:47 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-12-08 5:03 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-12-06 15:10 Jason Zaman
2016-12-06 15:10 Jason Zaman
2016-12-06 15:10 Jason Zaman
2016-12-06 15:10 Jason Zaman
2016-12-06 15:10 Jason Zaman
2016-12-06 15:10 Jason Zaman
2016-12-06 14:25 Jason Zaman
2016-12-06 14:25 Jason Zaman
2016-12-06 14:25 Jason Zaman
2016-12-06 14:25 Jason Zaman
2016-12-06 14:25 Jason Zaman
2016-12-06 14:25 Jason Zaman
2016-12-06 14:25 Jason Zaman
2016-12-06 14:25 Jason Zaman
2016-12-06 14:25 Jason Zaman
2016-12-06 14:21 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-12-06 14:25 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-12-06 13:39 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-12-06 14:25 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-12-06 13:39 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-12-06 14:25 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-12-06 13:39 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-12-06 14:25 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-12-06 13:39 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-12-06 14:25 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-12-06 13:39 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-12-06 14:25 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-12-06 13:39 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-12-06 14:25 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-12-06 13:39 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-12-06 14:25 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-12-06 13:39 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-12-06 14:25 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-12-06 13:39 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-12-06 14:25 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-10-26 11:08 Jason Zaman
2016-10-26 11:08 Jason Zaman
2016-10-26 11:08 Jason Zaman
2016-10-26 11:08 Jason Zaman
2016-10-26 11:08 Jason Zaman
2016-10-26 11:08 Jason Zaman
2016-10-26 11:08 Jason Zaman
2016-10-24 17:14 Sven Vermeulen
2016-10-24 17:14 Sven Vermeulen
2016-10-24 17:14 Sven Vermeulen
2016-10-24 17:14 Sven Vermeulen
2016-10-24 17:14 Sven Vermeulen
2016-10-24 16:56 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2016-10-24 17:13 ` [gentoo-commits] proj/hardened-refpolicy:next " Sven Vermeulen
2016-10-24 16:03 Sven Vermeulen
2016-10-24 16:03 Sven Vermeulen
2016-10-24 16:03 Sven Vermeulen
2016-10-24 16:03 Sven Vermeulen
2016-10-24 16:03 Sven Vermeulen
2016-10-24 16:03 Sven Vermeulen
2016-10-24 16:03 Sven Vermeulen
2016-10-24 16:02 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
2016-10-24 16:03 ` [gentoo-commits] proj/hardened-refpolicy:next " Sven Vermeulen
2016-10-24 16:02 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
2016-10-24 16:03 ` [gentoo-commits] proj/hardened-refpolicy:next " Sven Vermeulen
2016-10-24 16:02 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
2016-10-24 16:03 ` [gentoo-commits] proj/hardened-refpolicy:next " Sven Vermeulen
2016-10-24 16:02 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2016-10-24 16:03 ` [gentoo-commits] proj/hardened-refpolicy:next " Sven Vermeulen
2016-10-24 15:44 Jason Zaman
2016-10-03 6:26 Jason Zaman
2016-10-03 6:26 Jason Zaman
2016-10-03 6:26 Jason Zaman
2016-10-03 6:26 Jason Zaman
2016-10-03 6:26 Jason Zaman
2016-10-03 6:26 Jason Zaman
2016-10-03 6:26 Jason Zaman
2016-10-03 6:26 Jason Zaman
2016-10-03 6:26 Jason Zaman
2016-10-03 6:26 Jason Zaman
2016-10-03 6:26 Jason Zaman
2016-10-03 6:26 Jason Zaman
2016-10-03 6:26 Jason Zaman
2016-10-03 6:26 Jason Zaman
2016-10-03 6:20 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-10-03 6:26 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-10-03 6:20 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-10-03 6:26 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-10-03 6:20 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-10-03 6:26 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-10-03 6:20 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-10-03 6:26 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-10-03 6:20 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-10-03 6:26 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-10-03 6:20 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-10-03 6:26 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-10-03 6:20 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-10-03 6:26 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-08-17 16:59 Jason Zaman
2016-08-17 16:59 Jason Zaman
2016-08-17 16:59 Jason Zaman
2016-08-17 16:59 Jason Zaman
2016-08-17 16:59 Jason Zaman
2016-08-17 16:59 Jason Zaman
2016-08-17 16:59 Jason Zaman
2016-08-17 16:59 Jason Zaman
2016-08-17 16:59 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-08-17 16:59 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-08-17 16:59 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-08-17 16:59 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-08-17 16:59 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-08-17 16:59 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-08-13 18:35 Jason Zaman
2016-08-13 18:35 Jason Zaman
2016-08-13 18:35 Jason Zaman
2016-08-13 18:35 Jason Zaman
2016-08-13 18:35 Jason Zaman
2016-08-13 18:35 Jason Zaman
2016-08-13 18:35 Jason Zaman
2016-08-13 18:35 Jason Zaman
2016-08-13 18:35 Jason Zaman
2016-08-13 18:35 Jason Zaman
2016-08-13 18:35 Jason Zaman
2016-08-13 18:35 Jason Zaman
2016-08-13 18:32 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-08-13 18:35 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-08-13 18:32 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-08-13 18:35 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-08-13 18:32 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-08-13 18:35 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-08-13 18:32 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-08-13 18:35 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-08-13 18:32 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-08-13 18:35 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-08-13 18:32 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-08-13 18:35 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-05-26 19:28 Jason Zaman
2016-05-26 19:28 Jason Zaman
2016-05-26 17:39 Jason Zaman
2016-05-26 17:39 Jason Zaman
2016-05-26 15:54 Jason Zaman
2016-05-26 15:54 Jason Zaman
2015-12-18 4:14 Jason Zaman
2015-12-18 3:49 Jason Zaman
2015-12-17 18:52 Jason Zaman
2015-12-17 18:49 Jason Zaman
2015-12-17 18:49 Jason Zaman
2015-12-17 18:49 Jason Zaman
2015-12-17 18:49 Jason Zaman
2015-12-17 18:49 Jason Zaman
2015-12-17 18:49 Jason Zaman
2015-12-17 18:49 Jason Zaman
2015-12-17 18:49 Jason Zaman
2015-12-17 18:49 Jason Zaman
2015-12-17 18:49 Jason Zaman
2015-12-17 18:49 Jason Zaman
2015-12-17 16:10 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-12-17 18:49 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-12-17 16:10 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-12-17 18:49 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-12-17 16:10 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-12-17 18:49 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-12-17 16:10 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-12-17 18:49 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-12-17 16:10 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-12-17 18:49 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-12-17 16:10 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-12-17 18:49 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-11-23 13:42 Jason Zaman
2015-11-22 10:14 Jason Zaman
2015-11-22 10:14 Jason Zaman
2015-10-26 5:48 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-10-26 5:36 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-10-26 5:48 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-10-26 5:36 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-10-26 5:36 Jason Zaman
2015-10-22 13:44 Jason Zaman
2015-10-17 17:02 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-10-17 17:02 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-10-17 17:02 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-10-17 17:02 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-10-17 17:02 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-10-17 17:02 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-10-17 17:02 Jason Zaman
2015-10-11 10:48 Jason Zaman
2015-10-11 10:48 Jason Zaman
2015-09-20 7:00 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-10-11 10:48 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-09-06 11:25 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-09-06 11:23 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-09-06 11:25 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-09-06 11:23 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-09-06 11:23 Jason Zaman
2015-09-06 11:23 Jason Zaman
2015-09-02 14:41 Jason Zaman
2015-09-02 14:41 Jason Zaman
2015-08-27 19:52 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-08-27 19:52 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-08-27 19:11 Jason Zaman
2015-08-27 19:11 Jason Zaman
2015-08-27 19:11 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-08-27 19:11 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-08-27 19:11 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-08-27 19:11 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-08-27 19:11 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-08-27 19:11 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-08-27 19:11 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-08-27 19:11 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-08-27 18:58 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-08-26 6:46 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-08-27 18:00 Jason Zaman
2015-08-27 17:49 Jason Zaman
2015-08-27 13:26 Jason Zaman
2015-08-26 6:46 Jason Zaman
2015-08-26 6:46 Jason Zaman
2015-08-26 6:46 Jason Zaman
2015-08-26 6:46 Jason Zaman
2015-08-23 4:13 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-08-26 6:46 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-08-02 19:06 Jason Zaman
2015-08-02 19:06 Jason Zaman
2015-08-02 19:06 Jason Zaman
2015-08-02 19:06 Jason Zaman
2015-08-02 19:06 Jason Zaman
2015-08-02 19:06 Jason Zaman
2015-07-31 14:15 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-08-02 19:06 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-07-13 21:45 Jason Zaman
2015-07-13 21:45 Jason Zaman
2015-07-13 21:45 Jason Zaman
2015-07-13 21:45 Jason Zaman
2015-07-13 21:45 Jason Zaman
2015-07-13 21:45 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-07-13 21:45 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-07-13 21:45 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-07-13 21:45 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-07-13 20:59 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-07-13 21:45 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-07-11 19:57 Jason Zaman
2015-07-11 19:57 Jason Zaman
2015-07-11 19:57 Jason Zaman
2015-07-11 19:57 Jason Zaman
2015-07-11 19:57 Jason Zaman
2015-07-11 19:55 Jason Zaman
2015-07-11 19:52 Jason Zaman
2015-07-11 19:52 Jason Zaman
2015-07-11 19:52 Jason Zaman
2015-07-11 19:52 Jason Zaman
2015-07-11 19:52 Jason Zaman
2015-07-11 19:52 Jason Zaman
2015-07-02 19:28 Jason Zaman
2015-07-02 18:37 Jason Zaman
2015-07-02 18:07 Jason Zaman
2015-07-02 18:07 Jason Zaman
2015-07-02 18:07 Jason Zaman
2015-07-02 18:07 Jason Zaman
2015-07-02 17:07 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-07-02 18:07 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-05-11 22:57 Jason Zaman
2015-05-11 22:10 Jason Zaman
2015-05-11 21:49 Jason Zaman
2015-03-29 10:01 Jason Zaman
2015-03-29 10:01 Jason Zaman
2015-03-29 10:01 Jason Zaman
2015-03-29 10:01 Jason Zaman
2015-03-29 9:59 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-03-29 10:01 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-03-25 16:01 Jason Zaman
2015-03-25 16:01 Jason Zaman
2015-03-25 16:01 Jason Zaman
2015-03-25 16:01 Jason Zaman
2015-03-25 16:01 Jason Zaman
2015-03-25 16:01 Jason Zaman
2015-03-25 16:01 Jason Zaman
2015-03-25 16:01 Jason Zaman
2015-03-25 16:01 Jason Zaman
2015-03-25 16:01 Jason Zaman
2015-03-25 16:01 Jason Zaman
2015-03-25 15:55 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-03-25 16:01 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-03-25 2:17 Jason Zaman
2015-03-24 13:25 Jason Zaman
2015-03-24 13:25 Jason Zaman
2015-03-23 14:58 Jason Zaman
2015-03-23 14:58 Jason Zaman
2015-03-23 14:58 Jason Zaman
2015-03-04 17:03 Sven Vermeulen
2015-03-04 17:03 Sven Vermeulen
2015-02-24 17:11 Jason Zaman
2015-02-24 17:11 Jason Zaman
2015-02-24 17:11 Jason Zaman
2015-02-24 17:11 Jason Zaman
2015-02-24 17:11 Jason Zaman
2015-02-24 17:11 Jason Zaman
2015-02-24 17:11 Jason Zaman
2015-02-24 17:11 Jason Zaman
2015-02-09 18:35 [gentoo-commits] proj/hardened-refpolicy:adminroles " Jason Zaman
2015-02-09 18:33 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-02-09 18:33 Jason Zaman
2015-01-29 9:12 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-01-29 8:38 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-01-29 9:12 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-01-29 8:38 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-01-29 8:38 Jason Zaman
2015-01-29 8:38 Jason Zaman
2015-01-29 8:38 Jason Zaman
2015-01-29 6:51 Jason Zaman
2015-01-29 6:51 Jason Zaman
2015-01-29 6:51 Jason Zaman
2015-01-29 6:51 Jason Zaman
2015-01-29 6:51 Jason Zaman
2015-01-26 5:59 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-01-29 6:51 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-01-25 13:46 Sven Vermeulen
2015-01-25 13:46 Sven Vermeulen
2015-01-25 13:46 Sven Vermeulen
2015-01-25 13:46 Sven Vermeulen
2015-01-25 13:46 Sven Vermeulen
2015-01-20 15:08 Jason Zaman
2015-01-20 15:08 Jason Zaman
2015-01-20 15:08 Jason Zaman
2015-01-20 15:08 Jason Zaman
2015-01-20 15:08 Jason Zaman
2014-12-21 12:49 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2014-12-20 15:49 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2014-11-28 11:16 Sven Vermeulen
2014-11-28 10:44 Sven Vermeulen
2014-11-28 9:40 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2014-11-28 10:04 ` [gentoo-commits] proj/hardened-refpolicy:next " Sven Vermeulen
2014-11-23 13:22 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2014-11-28 10:04 ` [gentoo-commits] proj/hardened-refpolicy:next " Sven Vermeulen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox