From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1RLm3o-0006Gu-Fu for garchives@archives.gentoo.org; Thu, 03 Nov 2011 01:25:40 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 413F121C159; Thu, 3 Nov 2011 01:25:28 +0000 (UTC) Received: from noci.xs4all.nl (noci.xs4all.nl [83.160.115.210]) by pigeon.gentoo.org (Postfix) with ESMTP id C9F9721C092 for ; Thu, 3 Nov 2011 01:25:05 +0000 (UTC) Received: from [127.0.0.1] (helo=localhost) by noci.xs4all.nl with esmtp (Exim 4.76) (envelope-from ) id 1RLm3E-0003Xl-Tf for gentoo-hardened@lists.gentoo.org; Thu, 03 Nov 2011 02:25:04 +0100 X-Virus-Scanned: amavisd-new at noci.xs4all.nl Received: from noci.xs4all.nl ([127.0.0.1]) by localhost (firewall.noci.local [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mjF_SuVQK1Br for ; Thu, 3 Nov 2011 02:25:03 +0100 (CET) Received: from [2001:888:1c2b:243:c617:feff:fe16:838f] (helo=laptop-4.localnet) by noci.xs4all.nl with esmtp (Exim 4.76) (envelope-from ) id 1RLm3C-0003XX-Ut for gentoo-hardened@lists.gentoo.org; Thu, 03 Nov 2011 02:25:02 +0100 From: Nico Baggus To: gentoo-hardened@lists.gentoo.org Subject: [gentoo-hardened] Asterisk... Date: Thu, 3 Nov 2011 02:24:44 +0100 User-Agent: KMail/1.13.7 (Linux/2.6.39-gentoo-r3; KDE/4.6.5; x86_64; ; ) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-hardened@lists.gentoo.org Reply-to: gentoo-hardened@lists.gentoo.org MIME-Version: 1.0 Content-Type: Text/Plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Message-Id: <201111030224.47326.gentoo@noci.xs4all.nl> X-Archives-Salt: 946b6de1-d783-41c4-bb93-00e43541a478 X-Archives-Hash: 0cfac361c7a93c3ff9b7457691d0eda2 This local policy module silenced quite a few of the denial messages (presumably the AVC denials logged for Asterisk):
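# SELinux policy module "astnb" (version 1.0): extra permissions for the
# Asterisk domain (asterisk_t), laid out the way audit2allow emits them.
#
# NOTE(review): most rules below grant asterisk_t access to the GENERIC types
# var_lib_t, var_log_t, var_run_t and var_spool_t instead of the
# Asterisk-specific types this module already names (asterisk_log_t,
# asterisk_var_run_t). Denials against generic types usually mean files or
# directories under /var were created or moved with the wrong label, and
# relabelling them is the narrower fix: "allow asterisk_t var_lib_t:file write"
# lets asterisk_t write every var_lib_t-labelled file, not only its own.
module astnb 1.0;

require {
	type var_run_t;
	type var_log_t;
	type asterisk_t;
	type var_spool_t;
	type initrc_t;
	type var_lib_t;
	type sysadm_t;
	type asterisk_log_t;
	type initrc_var_run_t;
	type asterisk_var_run_t;
	class socket { write read };
	class process setpgid;
	class unix_stream_socket { connectto accept listen };
	class capability { dac_read_search chown };
	class file { rename setattr read create write getattr link unlink open append };
	class sock_file { write create unlink };
	class dir { read write add_name setattr remove_name };
}

#============= asterisk_t ==============
# Connect to a unix stream socket whose peer runs as initrc_t, and write a
# file labelled initrc_var_run_t -- presumably a socket or pid file created by
# the init script before the transition into asterisk_t; verify the labels
# rather than keeping these two rules permanently.
allow asterisk_t initrc_t:unix_stream_socket connectto;
allow asterisk_t initrc_var_run_t:file { write getattr };
# dac_read_search bypasses discretionary read/search permission checks on
# anything asterisk_t can reach; chown lets it change file ownership. Both are
# broad -- confirm they are really needed and not a symptom of wrong
# ownership/permissions on Asterisk's own directories.
allow asterisk_t self:capability { dac_read_search chown };
allow asterisk_t self:process setpgid;
allow asterisk_t self:socket { write read };
allow asterisk_t self:unix_stream_socket { accept listen };
# Read/write access to files carrying the generic /var/lib label.
allow asterisk_t var_lib_t:file { read write getattr open };
# Append-only to generic /var/log files (no read, no create, no unlink).
allow asterisk_t var_log_t:file { getattr open append };
# Generic /var/run: change the directory's attributes and manage socket files.
allow asterisk_t var_run_t:dir setattr;
allow asterisk_t var_run_t:sock_file { write create unlink };
# Generic /var/spool: manage directory entries and files.
allow asterisk_t var_spool_t:dir { read write add_name remove_name };
allow asterisk_t var_spool_t:file { rename write getattr link create unlink open };

#============= initrc_t ==============
# Presumably the init script adjusting attributes (ownership/mode) of
# Asterisk's log and pid files and of the generic /var/run directory.
allow initrc_t asterisk_log_t:file setattr;
allow initrc_t asterisk_var_run_t:file setattr;
allow initrc_t var_run_t:dir setattr;

#============= sysadm_t ==============
# Let the admin role connect to the Asterisk domain's unix stream socket
# (presumably the control socket used by "asterisk -r"; confirm).
# The terminating ';' was missing in the posted version; without it the last
# statement does not parse.
allow sysadm_t asterisk_t:unix_stream_socket connectto;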