From c0cf6e0a6ee181bf58d26680c1f591663023a7ab Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Dec 04 2007 15:05:55 +0000 Subject: trunk: clean up nsswitch usage, from dan. --- diff --git a/Changelog b/Changelog index 87b135b..fb936e2 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,4 @@ +- Patch to clean up ns switch usage in the policy from Dan Walsh. - More complete labeled networking infrastructure from KaiGai Kohei. - Add interface for libselinux constructor, for libselinux-linked SELinux-enabled programs. diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te index 6cee172..093de08 100644 --- a/policy/modules/admin/rpm.te +++ b/policy/modules/admin/rpm.te @@ -1,5 +1,5 @@ -policy_module(rpm,1.7.1) +policy_module(rpm,1.7.2) ######################################## # @@ -139,6 +139,7 @@ term_list_ptys(rpm_t) auth_relabel_all_files_except_shadow(rpm_t) auth_manage_all_files_except_shadow(rpm_t) auth_dontaudit_read_shadow(rpm_t) +auth_use_nsswitch(rpm_t) # transition to rpm script: rpm_domtrans_script(rpm_t) @@ -171,8 +172,6 @@ logging_send_syslog_msg(rpm_t) seutil_manage_src_policy(rpm_t) seutil_manage_bin_policy(rpm_t) -sysnet_read_config(rpm_t) - userdom_use_unpriv_users_fds(rpm_t) optional_policy(` @@ -184,10 +183,6 @@ optional_policy(` ') optional_policy(` - nis_use_ypbind(rpm_t) -') - -optional_policy(` prelink_domtrans(rpm_t) ') @@ -287,6 +282,7 @@ term_list_ptys(rpm_script_t) term_use_all_terms(rpm_script_t) auth_dontaudit_getattr_shadow(rpm_script_t) +auth_use_nsswitch(rpm_script_t) # ideally we would not need this auth_manage_all_files_except_shadow(rpm_script_t) @@ -339,10 +335,6 @@ optional_policy(` ') optional_policy(` - nis_use_ypbind(rpm_script_t) -') - -optional_policy(` tzdata_domtrans(rpm_t) tzdata_domtrans(rpm_script_t) ') diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if index 8780a20..edf08ed 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if 
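Review bot: The net permission change for rpm_t cannot be verified from these hunks, because the body of `auth_use_nsswitch`, added here in place of `sysnet_read_config(rpm_t)` (@@ -171) and the optional `nis_use_ypbind(rpm_t)` (@@ -184), is not part of the diff; presumably the interface also grants name-resolution sockets and nscd/ldap client access that the removed rules did not, which for a root-level domain like rpm_t is a widening rather than a pure cleanup and deserves a one-line comment such as `# nsswitch lookups (uid/gid mapping); replaces sysnet_read_config + nis_use_ypbind`. The same substitution is made for rpm_script_t (@@ -287, @@ -339) and in the sudo, usermanage, apache, comsat, cron, cups, cyrus, dbskk, dovecot, ldap, nagios, postfix, rpc, rsync, samba, squid and stunnel hunks, and for the template domains in sudo.if, dbus.if, mailman.if, postfix.if and rpc.if. Where a domain previously had only `sysnet_read_config`, or where `sysnet_use_ldap` is dropped (dovecot, samba), confirm that the interface covers the same access before treating the change as behaviour-neutral.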
@@ -69,7 +69,6 @@ template(`sudo_per_role_template',` allow $1_sudo_t self:unix_dgram_socket sendto; allow $1_sudo_t self:unix_stream_socket connectto; allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read }; - allow $1_sudo_t self:netlink_route_socket r_netlink_socket_perms; # Enter this derived domain from the user domain domtrans_pattern($2, sudo_exec_t, $1_sudo_t) @@ -92,6 +91,7 @@ template(`sudo_per_role_template',` auth_domtrans_chk_passwd($1_sudo_t) # sudo stores a token in the pam_pid directory auth_manage_pam_pid($1_sudo_t) + auth_use_nsswitch($1_sudo_t) corecmd_read_bin_symlinks($1_sudo_t) corecmd_getattr_all_executables($1_sudo_t) @@ -125,14 +125,6 @@ template(`sudo_per_role_template',` # for some PAM modules and for cwd userdom_dontaudit_search_all_users_home_content($1_sudo_t) - optional_policy(` - nis_use_ypbind($1_sudo_t) - ') - - optional_policy(` - nscd_socket_use($1_sudo_t) - ') - ifdef(`TODO',` # for when the network connection is killed dontaudit unpriv_userdomain $1_sudo_t:process signal; diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te index 20a2f5a..e9cd751 100644 --- a/policy/modules/admin/sudo.te +++ b/policy/modules/admin/sudo.te @@ -1,5 +1,5 @@ -policy_module(sudo,1.2.0) +policy_module(sudo,1.2.1) ######################################## # diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te index 14b20d9..f399fb0 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -1,5 +1,5 @@ -policy_module(usermanage,1.8.2) +policy_module(usermanage,1.8.3) ######################################## # @@ -93,6 +93,7 @@ dev_read_urand(chfn_t) auth_domtrans_chk_passwd(chfn_t) auth_dontaudit_read_shadow(chfn_t) +auth_use_nsswitch(chfn_t) # allow checking if a shell is executable corecmd_check_exec_shell(chfn_t) 
@@ -123,14 +124,6 @@ userdom_use_unpriv_users_fds(chfn_t) # on user home dir userdom_dontaudit_search_all_users_home_content(chfn_t) -optional_policy(` - nis_use_ypbind(chfn_t) -') - -optional_policy(` - nscd_socket_use(chfn_t) -') - ######################################## # # Crack local policy @@ -300,6 +293,7 @@ term_use_all_user_ptys(passwd_t) auth_manage_shadow(passwd_t) auth_relabel_shadow(passwd_t) auth_etc_filetrans_shadow(passwd_t) +auth_use_nsswitch(passwd_t) # allow checking if a shell is executable corecmd_check_exec_shell(passwd_t) @@ -335,11 +329,6 @@ userdom_read_all_users_state(passwd_t) userdom_dontaudit_search_all_users_home_content(passwd_t) optional_policy(` - nis_use_ypbind(passwd_t) -') - -optional_policy(` - nscd_socket_use(passwd_t) nscd_domtrans(passwd_t) ') @@ -393,6 +382,7 @@ term_use_all_user_ptys(sysadm_passwd_t) auth_manage_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t) auth_etc_filetrans_shadow(sysadm_passwd_t) +auth_use_nsswitch(sysadm_passwd_t) # allow vipw to exec the editor corecmd_exec_bin(sysadm_passwd_t) @@ -426,11 +416,6 @@ userdom_use_unpriv_users_fds(sysadm_passwd_t) userdom_dontaudit_search_all_users_home_content(sysadm_passwd_t) optional_policy(` - nis_use_ypbind(sysadm_passwd_t) -') - -optional_policy(` - nscd_socket_use(sysadm_passwd_t) nscd_domtrans(sysadm_passwd_t) ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te index 275cdf2..5a2acaf 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -1,5 +1,5 @@ -policy_module(apache,1.8.3) +policy_module(apache,1.8.4) # # NOTES: @@ -346,8 +346,6 @@ miscfiles_read_certs(httpd_t) seutil_dontaudit_search_config(httpd_t) -sysnet_read_config(httpd_t) - userdom_use_unpriv_users_fds(httpd_t) mta_send_mail(httpd_t) 
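Review bot: httpd_t loses `sysnet_read_config(httpd_t)` in the @@ -346 hunk without any `auth_use_nsswitch(httpd_t)` counterpart in the apache.te hunks, unlike every other domain touched by this commit. Unless httpd_t already calls auth_use_nsswitch outside the diff, httpd can no longer read the sysnet-labelled network configuration it used for name lookups, and the failure surfaces as AVC denials at the first resolver access rather than at policy load. If the call does not exist elsewhere, add `auth_use_nsswitch(httpd_t)` next to the other auth_ rules for httpd_t.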
@@ -571,7 +569,6 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; -allow httpd_suexec_t self:netlink_route_socket r_netlink_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) @@ -602,6 +599,8 @@ files_read_usr_files(httpd_suexec_t) files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) +auth_use_nsswitch(httpd_suexec_t) + libs_use_ld_so(httpd_suexec_t) libs_use_shared_libs(httpd_suexec_t) @@ -624,8 +623,6 @@ tunable_policy(`httpd_can_network_connect',` corenet_udp_sendrecv_all_ports(httpd_suexec_t) corenet_tcp_connect_all_ports(httpd_suexec_t) corenet_sendrecv_all_client_packets(httpd_suexec_t) - - sysnet_read_config(httpd_suexec_t) ') tunable_policy(`httpd_enable_cgi && httpd_unified',` @@ -659,14 +656,6 @@ optional_policy(` nagios_domtrans_cgi(httpd_suexec_t) ') -optional_policy(` - nis_use_ypbind(httpd_suexec_t) -') - -optional_policy(` - nscd_socket_use(httpd_suexec_t) -') - ######################################## # # Apache system script local policy diff --git a/policy/modules/services/comsat.te b/policy/modules/services/comsat.te index 7e24f57..599087f 100644 --- a/policy/modules/services/comsat.te +++ b/policy/modules/services/comsat.te @@ -1,5 +1,5 @@ -policy_module(comsat,1.3.0) +policy_module(comsat,1.3.1) ######################################## # @@ -57,6 +57,8 @@ files_list_usr(comsat_t) files_search_spool(comsat_t) files_search_home(comsat_t) +auth_use_nsswitch(comsat_t) + init_read_utmp(comsat_t) init_dontaudit_write_utmp(comsat_t) @@ -67,8 +69,6 @@ logging_send_syslog_msg(comsat_t) miscfiles_read_localization(comsat_t) -sysnet_read_config(comsat_t) - userdom_dontaudit_getattr_sysadm_ttys(comsat_t) mta_getattr_spool(comsat_t) 
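Review bot: Network-related nsswitch access for suexec'd CGI is no longer gated by the tunable: `auth_use_nsswitch(httpd_suexec_t)` is added unconditionally at @@ -602 while @@ -624 removes `sysnet_read_config(httpd_suexec_t)` from inside `tunable_policy(`httpd_can_network_connect',`. If auth_use_nsswitch includes DNS client sockets (its body is not in the diff), this weakens what an administrator gets from turning httpd_can_network_connect off. Either keep the call inside the tunable block, or add a comment stating why it must be unconditional, e.g. `# nsswitch needed for uid/gid lookups even with httpd_can_network_connect off`.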
@@ -76,11 +76,3 @@ mta_getattr_spool(comsat_t) optional_policy(` kerberos_use(comsat_t) ') - -optional_policy(` - nis_use_ypbind(comsat_t) -') - -optional_policy(` - nscd_socket_use(comsat_t) -') diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te index 8c986ab..2c6ed4c 100644 --- a/policy/modules/services/consolekit.te +++ b/policy/modules/services/consolekit.te @@ -1,5 +1,5 @@ -policy_module(consolekit,1.2.1) +policy_module(consolekit,1.2.2) ######################################## # @@ -10,7 +10,6 @@ type consolekit_t; type consolekit_exec_t; init_daemon_domain(consolekit_t, consolekit_exec_t) -# pid files type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) @@ -25,7 +24,6 @@ allow consolekit_t self:fifo_file rw_fifo_file_perms; allow consolekit_t self:unix_stream_socket create_stream_socket_perms; allow consolekit_t self:unix_dgram_socket create_socket_perms; -# pid file manage_files_pattern(consolekit_t,consolekit_var_run_t,consolekit_var_run_t) files_pid_filetrans(consolekit_t,consolekit_var_run_t, file) @@ -47,6 +45,8 @@ fs_list_inotifyfs(consolekit_t) term_use_all_terms(consolekit_t) +auth_use_nsswitch(consolekit_t) + libs_use_ld_so(consolekit_t) libs_use_shared_libs(consolekit_t) diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te index 19eab6a..d9d0633 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -1,5 +1,5 @@ -policy_module(cron,1.8.1) +policy_module(cron,1.8.2) gen_require(` class passwd rootok; @@ -143,6 +143,8 @@ files_search_default(crond_t) init_rw_utmp(crond_t) +auth_use_nsswitch(crond_t) + libs_use_ld_so(crond_t) libs_use_shared_libs(crond_t) @@ -198,14 +200,6 @@ optional_policy(` ') optional_policy(` - nis_use_ypbind(crond_t) -') - -optional_policy(` - nscd_socket_use(crond_t) -') - -optional_policy(` # Commonly used from postinst scripts rpm_read_pipes(crond_t) ') 
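Review bot: `auth_use_nsswitch(consolekit_t)` at @@ -47 is a new grant with no removed rule behind it in the consolekit.te hunks, so unlike the rest of this commit it is not a cleanup and should state what lookup consolekit needs, e.g. `# user lookups via nsswitch` (confirm against the actual denial before wording it). The comment deletions at @@ -10 (`# pid files`) and @@ -25 (`# pid file`) are unrelated to nsswitch and only lose information; they would be better left out of this commit.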
@@ -328,6 +322,8 @@ init_dontaudit_rw_utmp(system_crond_t) # prelink tells init to restart it self, we either need to allow or dontaudit init_write_initctl(system_crond_t) +auth_use_nsswitch(system_crond_t) + libs_use_ld_so(system_crond_t) libs_use_shared_libs(system_crond_t) libs_exec_lib_files(system_crond_t) @@ -396,14 +392,6 @@ optional_policy(` ') optional_policy(` - nis_use_ypbind(system_crond_t) -') - -optional_policy(` - nscd_socket_use(system_crond_t) -') - -optional_policy(` postfix_read_config(system_crond_t) ') diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te index b934ebb..ed27166 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -1,5 +1,5 @@ -policy_module(cups,1.8.2) +policy_module(cups,1.8.3) ######################################## # @@ -86,7 +86,6 @@ allow cupsd_t self:fifo_file rw_file_perms; allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow cupsd_t self:unix_dgram_socket create_socket_perms; allow cupsd_t self:netlink_selinux_socket create_socket_perms; -allow cupsd_t self:netlink_route_socket r_netlink_socket_perms; allow cupsd_t self:tcp_socket create_stream_socket_perms; allow cupsd_t self:udp_socket create_socket_perms; allow cupsd_t self:appletalk_socket create_socket_perms; @@ -205,6 +204,8 @@ selinux_compute_access_vector(cupsd_t) init_exec_script_files(cupsd_t) +auth_use_nsswitch(cupsd_t) + libs_use_ld_so(cupsd_t) libs_use_shared_libs(cupsd_t) # Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.* @@ -262,10 +263,6 @@ optional_policy(` ') optional_policy(` - nscd_socket_use(cupsd_t) -') - -optional_policy(` # cups execs smbtool which reads samba_etc_t files samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) 
@@ -291,7 +288,6 @@ allow cupsd_config_t self:fifo_file rw_fifo_file_perms; allow cupsd_config_t self:unix_stream_socket create_socket_perms; allow cupsd_config_t self:unix_dgram_socket create_socket_perms; allow cupsd_config_t self:tcp_socket create_stream_socket_perms; -allow cupsd_config_t self:netlink_route_socket r_netlink_socket_perms; allow cupsd_config_t cupsd_t:process signal; ps_process_pattern(cupsd_config_t,cupsd_t) @@ -349,6 +345,8 @@ files_read_var_symlinks(cupsd_config_t) # Alternatives asks for this init_getattr_script_files(cupsd_config_t) +auth_use_nsswitch(cupsd_config_t) + libs_use_ld_so(cupsd_config_t) libs_use_shared_libs(cupsd_config_t) @@ -358,8 +356,6 @@ miscfiles_read_localization(cupsd_config_t) seutil_dontaudit_search_config(cupsd_config_t) -sysnet_read_config(cupsd_config_t) - userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_sysadm_home_dirs(cupsd_config_t) @@ -402,14 +398,6 @@ optional_policy(` ') optional_policy(` - nis_use_ypbind(cupsd_config_t) -') - -optional_policy(` - nscd_socket_use(cupsd_config_t) -') - -optional_policy(` rpm_read_db(cupsd_config_t) ') @@ -430,7 +418,6 @@ allow cupsd_lpd_t self:process signal_perms; allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms; allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms; allow cupsd_lpd_t self:udp_socket create_socket_perms; -allow cupsd_lpd_t self:netlink_route_socket r_netlink_socket_perms; # for identd # cjp: this should probably only be inetd_child rules? @@ -480,6 +467,8 @@ fs_getattr_xattr_fs(cupsd_lpd_t) files_read_etc_files(cupsd_lpd_t) +auth_use_nsswitch(cupsd_lpd_t) + libs_use_ld_so(cupsd_lpd_t) libs_use_shared_libs(cupsd_lpd_t) 
@@ -487,22 +476,12 @@ logging_send_syslog_msg(cupsd_lpd_t) miscfiles_read_localization(cupsd_lpd_t) -sysnet_read_config(cupsd_lpd_t) - cups_stream_connect(cupsd_lpd_t) optional_policy(` inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t) ') -optional_policy(` - nis_use_ypbind(cupsd_lpd_t) -') - -optional_policy(` - nscd_socket_use(cupsd_lpd_t) -') - ######################################## # # HPLIP local policy diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te index 96d3d27..ea2be15 100644 --- a/policy/modules/services/cyrus.te +++ b/policy/modules/services/cyrus.te @@ -1,5 +1,5 @@ -policy_module(cyrus,1.4.1) +policy_module(cyrus,1.4.2) ######################################## # @@ -41,7 +41,6 @@ allow cyrus_t self:unix_dgram_socket sendto; allow cyrus_t self:unix_stream_socket connectto; allow cyrus_t self:tcp_socket create_stream_socket_perms; allow cyrus_t self:udp_socket create_socket_perms; -allow cyrus_t self:netlink_route_socket r_netlink_socket_perms; manage_dirs_pattern(cyrus_t,cyrus_tmp_t,cyrus_tmp_t) manage_files_pattern(cyrus_t,cyrus_tmp_t,cyrus_tmp_t) @@ -95,6 +94,8 @@ files_read_etc_files(cyrus_t) files_read_etc_runtime_files(cyrus_t) files_read_usr_files(cyrus_t) +auth_use_nsswitch(cyrus_t) + libs_use_ld_so(cyrus_t) libs_use_shared_libs(cyrus_t) libs_exec_lib_files(cyrus_t) @@ -126,10 +127,6 @@ optional_policy(` ') optional_policy(` - nis_use_ypbind(cyrus_t) -') - -optional_policy(` sasl_connect(cyrus_t) ') diff --git a/policy/modules/services/dbskk.te b/policy/modules/services/dbskk.te index c52fa92..e72cc69 100644 --- a/policy/modules/services/dbskk.te +++ b/policy/modules/services/dbskk.te @@ -1,5 +1,5 @@ -policy_module(dbskk,1.3.0) +policy_module(dbskk,1.3.1) ######################################## # 
@@ -63,19 +63,11 @@ fs_getattr_xattr_fs(dbskkd_t) files_read_etc_files(dbskkd_t) +auth_use_nsswitch(dbskkd_t) + libs_use_ld_so(dbskkd_t) libs_use_shared_libs(dbskkd_t) logging_send_syslog_msg(dbskkd_t) miscfiles_read_localization(dbskkd_t) - -sysnet_read_config(dbskkd_t) - -optional_policy(` - nis_use_ypbind(dbskkd_t) -') - -optional_policy(` - nscd_socket_use(dbskkd_t) -') diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if index 3f01887..1485fdd 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if @@ -148,6 +148,7 @@ template(`dbus_per_role_template',` selinux_compute_user_contexts($1_dbusd_t) auth_read_pam_console_data($1_dbusd_t) + auth_use_nsswitch($1_dbusd_t) libs_use_ld_so($1_dbusd_t) libs_use_shared_libs($1_dbusd_t) @@ -160,8 +161,6 @@ template(`dbus_per_role_template',` seutil_read_config($1_dbusd_t) seutil_read_default_contexts($1_dbusd_t) - sysnet_read_config($1_dbusd_t) - userdom_read_user_home_content_files($1, $1_dbusd_t) ifdef(`hide_broken_symptoms', ` @@ -181,10 +180,6 @@ template(`dbus_per_role_template',` ') optional_policy(` - nscd_socket_use($1_dbusd_t) - ') - - optional_policy(` xserver_use_xdm_fds($1_dbusd_t) xserver_rw_xdm_pipes($1_dbusd_t) ') diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index 860998e..da273c6 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -1,5 +1,5 @@ -policy_module(dbus,1.7.3) +policy_module(dbus,1.7.4) gen_require(` class dbus all_dbus_perms; diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te index 526c8dd..cec5b27 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -1,5 +1,5 @@ -policy_module(dovecot,1.6.1) +policy_module(dovecot,1.6.2) ######################################## # 
@@ -46,7 +46,6 @@ allow dovecot_t self:fifo_file rw_fifo_file_perms; allow dovecot_t self:tcp_socket create_stream_socket_perms; allow dovecot_t self:unix_dgram_socket create_socket_perms; allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow dovecot_t self:netlink_route_socket r_netlink_socket_perms; domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t) @@ -103,6 +102,8 @@ files_getattr_all_mountpoints(dovecot_t) init_getattr_utmp(dovecot_t) +auth_use_nsswitch(dovecot_t) + libs_use_ld_so(dovecot_t) libs_use_shared_libs(dovecot_t) @@ -111,9 +112,6 @@ logging_send_syslog_msg(dovecot_t) miscfiles_read_certs(dovecot_t) miscfiles_read_localization(dovecot_t) -sysnet_read_config(dovecot_t) -sysnet_use_ldap(dovecot_auth_t) - userdom_dontaudit_use_unpriv_user_fds(dovecot_t) userdom_dontaudit_search_sysadm_home_dirs(dovecot_t) userdom_priveleged_home_dir_manager(dovecot_t) @@ -125,10 +123,6 @@ optional_policy(` ') optional_policy(` - nis_use_ypbind(dovecot_t) -') - -optional_policy(` seutil_sigchld_newrole(dovecot_t) ') @@ -185,8 +179,6 @@ miscfiles_read_localization(dovecot_auth_t) seutil_dontaudit_search_config(dovecot_auth_t) -sysnet_dns_name_resolve(dovecot_auth_t) - optional_policy(` kerberos_use(dovecot_auth_t) ') diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te index 3db53fb..7cbd41a 100644 --- a/policy/modules/services/ldap.te +++ b/policy/modules/services/ldap.te @@ -1,5 +1,5 @@ -policy_module(ldap,1.5.1) +policy_module(ldap,1.5.2) ######################################## # 
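Review bot: dovecot_auth_t, the domain that actually performs the LDAP/NSS lookups, gets nothing in this diff: `sysnet_use_ldap(dovecot_auth_t)` (@@ -111) and `sysnet_dns_name_resolve(dovecot_auth_t)` (@@ -185) are removed, while the only new grant in dovecot.te is `auth_use_nsswitch(dovecot_t)` (@@ -103). Unless dovecot_auth_t already calls auth_use_nsswitch outside these hunks, LDAP-backed logins would start failing closed after this policy update. If it does not, add `auth_use_nsswitch(dovecot_auth_t)` next to the other auth_ rules in the dovecot_auth_t section, which begins outside the hunk.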
@@ -42,7 +42,6 @@ allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read dontaudit slapd_t self:capability sys_tty_config; allow slapd_t self:process setsched; allow slapd_t self:fifo_file { read write }; -allow slapd_t self:netlink_route_socket r_netlink_socket_perms; allow slapd_t self:udp_socket create_socket_perms; #slapd needs to listen and accept needed by ldapsearch (slapd needs to accept from ldapseach) allow slapd_t self:tcp_socket create_stream_socket_perms; @@ -104,6 +103,8 @@ files_read_etc_runtime_files(slapd_t) files_read_usr_files(slapd_t) files_list_var_lib(slapd_t) +auth_use_nsswitch(slapd_t) + libs_use_ld_so(slapd_t) libs_use_shared_libs(slapd_t) @@ -112,8 +113,6 @@ logging_send_syslog_msg(slapd_t) miscfiles_read_certs(slapd_t) miscfiles_read_localization(slapd_t) -sysnet_read_config(slapd_t) - userdom_dontaudit_use_unpriv_user_fds(slapd_t) userdom_dontaudit_search_sysadm_home_dirs(slapd_t) @@ -122,10 +121,6 @@ optional_policy(` ') optional_policy(` - nis_use_ypbind(slapd_t) -') - -optional_policy(` seutil_sigchld_newrole(slapd_t) ') diff --git a/policy/modules/services/mailman.if b/policy/modules/services/mailman.if index d61cf18..af7276a 100644 --- a/policy/modules/services/mailman.if +++ b/policy/modules/services/mailman.if @@ -74,6 +74,8 @@ template(`mailman_domain_template', ` files_read_var_lib_symlinks(mailman_$1_t) files_read_etc_runtime_files(mailman_$1_t) + auth_use_nsswitch(mailman_$1_t) + libs_use_ld_so(mailman_$1_t) libs_use_shared_libs(mailman_$1_t) libs_exec_ld_so(mailman_$1_t) @@ -82,12 +84,6 @@ template(`mailman_domain_template', ` logging_send_syslog_msg(mailman_$1_t) miscfiles_read_localization(mailman_$1_t) - - sysnet_read_config(mailman_$1_t) - - optional_policy(` - nis_use_ypbind(mailman_$1_t) - ') ') ####################################### diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te index 597d62e..dc84aac 100644 --- a/policy/modules/services/mailman.te 
+++ b/policy/modules/services/mailman.te @@ -1,5 +1,5 @@ -policy_module(mailman,1.3.0) +policy_module(mailman,1.3.1) ######################################## # @@ -36,8 +36,6 @@ mailman_domain_template(queue) # to global scope until such facilities exist. optional_policy(` - allow mailman_cgi_t self:netlink_route_socket r_netlink_socket_perms; - dev_read_urand(mailman_cgi_t) manage_dirs_pattern(mailman_cgi_t,mailman_archive_t,mailman_archive_t) @@ -87,7 +85,6 @@ allow mailman_queue_t self:capability { setgid setuid }; allow mailman_queue_t self:process signal; allow mailman_queue_t self:fifo_file rw_fifo_file_perms; allow mailman_queue_t self:unix_dgram_socket create_socket_perms; -allow mailman_queue_t self:netlink_route_socket r_netlink_socket_perms; manage_dirs_pattern(mailman_queue_t,mailman_archive_t,mailman_archive_t) manage_files_pattern(mailman_queue_t,mailman_archive_t,mailman_archive_t) @@ -112,7 +109,3 @@ su_exec(mailman_queue_t) optional_policy(` cron_system_entry(mailman_queue_t,mailman_queue_exec_t) ') - -optional_policy(` - nscd_socket_use(mailman_queue_t) -') diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te index 0b5388a..a326ad9 100644 --- a/policy/modules/services/nagios.te +++ b/policy/modules/services/nagios.te @@ -1,5 +1,5 @@ -policy_module(nagios,1.4.1) +policy_module(nagios,1.4.2) ######################################## # @@ -93,6 +93,8 @@ fs_search_auto_mountpoints(nagios_t) # for who init_read_utmp(nagios_t) +auth_use_nsswitch(nagios_t) + libs_use_ld_so(nagios_t) libs_use_shared_libs(nagios_t) @@ -106,10 +108,6 @@ userdom_dontaudit_search_sysadm_home_dirs(nagios_t) mta_send_mail(nagios_t) optional_policy(` - auth_use_nsswitch(nagios_t) -') - -optional_policy(` netutils_domtrans_ping(nagios_t) netutils_signal_ping(nagios_t) netutils_kill_ping(nagios_t) diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te index 904f0ff..842d5c4 100644 --- a/policy/modules/services/ntp.te 
+++ b/policy/modules/services/ntp.te @@ -1,5 +1,5 @@ -policy_module(ntp,1.4.1) +policy_module(ntp,1.4.2) ######################################## # @@ -105,8 +105,6 @@ logging_send_syslog_msg(ntpd_t) miscfiles_read_localization(ntpd_t) -sysnet_read_config(ntpd_t) - userdom_dontaudit_use_unpriv_user_fds(ntpd_t) userdom_list_sysadm_home_dirs(ntpd_t) userdom_dontaudit_list_sysadm_home_dirs(ntpd_t) diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if index 89fc44e..5cf7186 100644 --- a/policy/modules/services/postfix.if +++ b/policy/modules/services/postfix.if @@ -83,6 +83,8 @@ template(`postfix_domain_template',` init_dontaudit_use_fds(postfix_$1_t) init_sigchld(postfix_$1_t) + auth_use_nsswitch(postfix_$1_t) + libs_use_ld_so(postfix_$1_t) libs_use_shared_libs(postfix_$1_t) @@ -94,10 +96,6 @@ template(`postfix_domain_template',` userdom_dontaudit_use_unpriv_user_fds(postfix_$1_t) optional_policy(` - nscd_socket_use(postfix_$1_t) - ') - - optional_policy(` udev_read_db(postfix_$1_t) ') ') @@ -134,10 +132,6 @@ template(`postfix_server_domain_template',` corenet_udp_bind_all_nodes(postfix_$1_t) corenet_tcp_connect_all_ports(postfix_$1_t) corenet_sendrecv_all_client_packets(postfix_$1_t) - - optional_policy(` - auth_use_nsswitch(postfix_$1_t) - ') ') ######################################## diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index a996b85..8be4667 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -1,5 +1,5 @@ -policy_module(postfix,1.7.1) +policy_module(postfix,1.7.2) ######################################## # 
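Review bot: ntpd_t is left with no replacement for the removed `sysnet_read_config(ntpd_t)` in the @@ -105 hunk, and it is not given `auth_use_nsswitch` anywhere in this commit. Unless ntpd_t already has auth_use_nsswitch or sysnet_dns_name_resolve outside this hunk, ntpd loses access to the resolver configuration it needs to look up the server names in its config, and the failure mode is silently degraded time sync plus AVC denials rather than a load-time error. If the access is granted elsewhere nothing is needed; otherwise `auth_use_nsswitch(ntpd_t)` belongs here.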
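Review bot: Dropping the optional `auth_use_nsswitch(postfix_$1_t)` from postfix_server_domain_template at @@ -134 is only equivalent if that template invokes postfix_domain_template, which now carries the unconditional call added at @@ -83; neither template body is fully visible here (both start outside the hunks), so the dependency cannot be confirmed. If the server template does not go through the domain template, every postfix server domain loses nsswitch access. A comment at the removal site, `# nsswitch access is inherited from postfix_domain_template`, would document the assumption.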
@@ -172,15 +172,10 @@ seutil_sigchld_newrole(postfix_master_t) # postfix does a "find" on startup for some reason - keep it quiet seutil_dontaudit_search_config(postfix_master_t) -sysnet_read_config(postfix_master_t) - mta_rw_aliases(postfix_master_t) mta_read_sendmail_bin(postfix_master_t) optional_policy(` - auth_use_nsswitch(postfix_master_t) -') -optional_policy(` cyrus_stream_connect(postfix_master_t) ') @@ -342,6 +337,8 @@ files_read_etc_files(postfix_map_t) files_read_etc_runtime_files(postfix_map_t) files_dontaudit_search_var(postfix_map_t) +auth_use_nsswitch(postfix_map_t) + libs_use_ld_so(postfix_map_t) libs_use_shared_libs(postfix_map_t) @@ -351,8 +348,6 @@ miscfiles_read_localization(postfix_map_t) seutil_read_config(postfix_map_t) -sysnet_read_config(postfix_map_t) - tunable_policy(`read_default_t',` files_list_default(postfix_map_t) files_read_default_files(postfix_map_t) @@ -365,10 +360,6 @@ optional_policy(` locallogin_dontaudit_use_fds(postfix_map_t) ') -optional_policy(` - nscd_socket_use(postfix_map_t) -') - ######################################## # # Postfix pickup local policy @@ -433,8 +424,6 @@ corenet_udp_sendrecv_all_nodes(postfix_postdrop_t) term_dontaudit_use_all_user_ptys(postfix_postdrop_t) term_dontaudit_use_all_user_ttys(postfix_postdrop_t) -sysnet_dns_name_resolve(postfix_postdrop_t) - mta_rw_user_mail_stream_sockets(postfix_postdrop_t) optional_policy(` @@ -474,8 +463,6 @@ term_use_all_user_ttys(postfix_postqueue_t) init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -sysnet_dontaudit_read_config(postfix_postqueue_t) - ######################################## # # Postfix qmgr local policy @@ -518,8 +505,6 @@ allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read }; term_use_all_user_ptys(postfix_showq_t) term_use_all_user_ttys(postfix_showq_t) -sysnet_dns_name_resolve(postfix_showq_t) - ######################################## # # Postfix smtp delivery local policy 
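Review bot: Several postfix domains lose sysnet rules with no replacement in any postfix.te hunk: `sysnet_dns_name_resolve` from postfix_postdrop_t (@@ -433) and postfix_showq_t (@@ -518), `sysnet_dontaudit_read_config` from postfix_postqueue_t (@@ -474), and both `sysnet_read_config` and the optional `auth_use_nsswitch` from postfix_master_t (@@ -172); only postfix_map_t gains a new `auth_use_nsswitch` (@@ -342). Presumably these domains are instantiated through postfix_domain_template and pick up the call added to it in postfix.if, but that cannot be confirmed from this file's hunks. The postqueue change in particular turns a dontaudit into an audited denial if the template does not cover it, so a mistake would first show up as new AVC noise in the audit log rather than as a policy build failure.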
diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te index b422dad..f6349f8 100644 --- a/policy/modules/services/rlogin.te +++ b/policy/modules/services/rlogin.te @@ -1,5 +1,5 @@ -policy_module(rlogin,1.5.0) +policy_module(rlogin,1.5.1) ######################################## # @@ -84,8 +84,6 @@ miscfiles_read_localization(rlogind_t) seutil_dontaudit_search_config(rlogind_t) -sysnet_read_config(rlogind_t) - userdom_setattr_unpriv_users_ptys(rlogind_t) # cjp: this is egregious userdom_read_all_users_home_content_files(rlogind_t) diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if index 9046f67..afc5e81 100644 --- a/policy/modules/services/rpc.if +++ b/policy/modules/services/rpc.if @@ -53,7 +53,6 @@ template(`rpc_domain_template', ` allow $1_t self:process signal_perms; allow $1_t self:unix_dgram_socket create_socket_perms; allow $1_t self:unix_stream_socket create_stream_socket_perms; - allow $1_t self:netlink_route_socket r_netlink_socket_perms; allow $1_t self:tcp_socket create_stream_socket_perms; allow $1_t self:udp_socket create_socket_perms; @@ -100,6 +99,8 @@ template(`rpc_domain_template', ` files_search_var($1_t) files_search_var_lib($1_t) + auth_use_nsswitch($1_t) + libs_use_ld_so($1_t) libs_use_shared_libs($1_t) @@ -107,16 +108,9 @@ template(`rpc_domain_template', ` miscfiles_read_localization($1_t) - sysnet_dns_name_resolve($1_t) - sysnet_read_config($1_t) - userdom_dontaudit_use_unpriv_user_fds($1_t) optional_policy(` - nis_use_ypbind($1_t) - ') - - optional_policy(` seutil_sigchld_newrole($1_t) ') diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te index b443e1f..d9cf3f2 100644 --- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te @@ -1,5 +1,5 @@ -policy_module(rpc,1.6.1) +policy_module(rpc,1.6.2) ######################################## # diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te index 68e05a1..58d9fa8 100644 
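Review bot: rlogind_t loses `sysnet_read_config(rlogind_t)` in the @@ -84 hunk with no `auth_use_nsswitch(rlogind_t)` added anywhere in the rlogin.te hunks. rlogind resolves and authenticates remote hosts and users, so unless rlogind_t already calls auth_use_nsswitch outside this hunk, host lookups at connection time would be denied; confirm before merge, and if the call is missing add `auth_use_nsswitch(rlogind_t)` alongside the existing auth_ rules.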
--- a/policy/modules/services/rsync.te +++ b/policy/modules/services/rsync.te @@ -1,5 +1,5 @@ -policy_module(rsync,1.5.2) +policy_module(rsync,1.5.3) ######################################## # @@ -65,8 +65,6 @@ files_tmp_filetrans(rsync_t, rsync_tmp_t, { file dir }) manage_files_pattern(rsync_t,rsync_var_run_t,rsync_var_run_t) files_pid_filetrans(rsync_t,rsync_var_run_t,file) -auth_use_nsswitch(rsync_t) - kernel_read_kernel_sysctls(rsync_t) kernel_read_system_state(rsync_t) kernel_read_network_state(rsync_t) @@ -90,6 +88,8 @@ fs_getattr_xattr_fs(rsync_t) files_read_etc_files(rsync_t) files_search_home(rsync_t) +auth_use_nsswitch(rsync_t) + libs_use_ld_so(rsync_t) libs_use_shared_libs(rsync_t) diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te index 68cc712..19aaa10 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -1,5 +1,5 @@ -policy_module(samba,1.6.2) +policy_module(samba,1.6.3) ################################# # @@ -146,7 +146,6 @@ allow samba_net_t self:unix_dgram_socket create_socket_perms; allow samba_net_t self:unix_stream_socket create_stream_socket_perms; allow samba_net_t self:udp_socket create_socket_perms; allow samba_net_t self:tcp_socket create_socket_perms; -allow samba_net_t self:netlink_route_socket r_netlink_socket_perms; allow samba_net_t samba_etc_t:file read_file_perms; @@ -183,6 +182,8 @@ domain_use_interactive_fds(samba_net_t) files_read_etc_files(samba_net_t) +auth_use_nsswitch(samba_net_t) + libs_use_ld_so(samba_net_t) libs_use_shared_libs(samba_net_t) @@ -190,9 +191,6 @@ logging_send_syslog_msg(samba_net_t) miscfiles_read_localization(samba_net_t) -sysnet_read_config(samba_net_t) -sysnet_use_ldap(samba_net_t) - userdom_dontaudit_search_sysadm_home_dirs(samba_net_t) optional_policy(` 
@@ -222,7 +220,6 @@ allow smbd_t self:tcp_socket create_stream_socket_perms; allow smbd_t self:udp_socket create_socket_perms; allow smbd_t self:unix_dgram_socket { create_socket_perms sendto }; allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow smbd_t self:netlink_route_socket r_netlink_socket_perms; allow smbd_t samba_etc_t:file { rw_file_perms setattr }; @@ -321,8 +318,6 @@ logging_send_syslog_msg(smbd_t) miscfiles_read_localization(smbd_t) miscfiles_read_public_files(smbd_t) -sysnet_read_config(smbd_t) - userdom_dontaudit_search_sysadm_home_dirs(smbd_t) userdom_dontaudit_use_unpriv_user_fds(smbd_t) userdom_use_unpriv_users_fds(smbd_t) @@ -454,6 +449,8 @@ files_read_usr_files(nmbd_t) files_read_etc_files(nmbd_t) files_list_var_lib(nmbd_t) +auth_use_nsswitch(nmbd_t) + libs_use_ld_so(nmbd_t) libs_use_shared_libs(nmbd_t) @@ -462,17 +459,11 @@ logging_send_syslog_msg(nmbd_t) miscfiles_read_localization(nmbd_t) -sysnet_read_config(nmbd_t) - userdom_dontaudit_search_sysadm_home_dirs(nmbd_t) userdom_dontaudit_use_unpriv_user_fds(nmbd_t) userdom_use_unpriv_users_fds(nmbd_t) optional_policy(` - nis_use_ypbind(nmbd_t) -') - -optional_policy(` seutil_sigchld_newrole(nmbd_t) ') @@ -542,6 +533,8 @@ files_manage_etc_runtime_files(smbmount_t) files_etc_filetrans_etc_runtime(smbmount_t,file) files_read_etc_files(smbmount_t) +auth_use_nsswitch(smbmount_t) + miscfiles_read_localization(smbmount_t) mount_use_fds(smbmount_t) @@ -553,18 +546,8 @@ locallogin_use_fds(smbmount_t) logging_search_logs(smbmount_t) -sysnet_read_config(smbmount_t) - userdom_use_all_users_fds(smbmount_t) -optional_policy(` - nis_use_ypbind(smbmount_t) -') - -optional_policy(` - nscd_socket_use(smbmount_t) -') - ######################################## # # SWAT Local policy 
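Review bot: smbd_t loses `self:netlink_route_socket` (@@ -222) and `sysnet_read_config(smbd_t)` (@@ -321), yet unlike nmbd_t (@@ -454), smbmount_t (@@ -542), swat_t and winbind_t, no `auth_use_nsswitch(smbd_t)` is added in the samba.te hunks. Unless smbd_t already has that call outside the diff, the file server's user, group and host lookups would be denied after this update. If the call already exists, a comment `# netlink_route and resolver access come from auth_use_nsswitch(smbd_t)` at the removal site would spare the next reader the same check.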
@@ -576,7 +559,6 @@ allow swat_t self:fifo_file rw_file_perms; allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow swat_t self:tcp_socket create_stream_socket_perms; allow swat_t self:udp_socket create_socket_perms; -allow swat_t self:netlink_route_socket r_netlink_socket_perms; allow swat_t nmbd_exec_t:file { execute read }; @@ -628,6 +610,7 @@ files_read_usr_files(swat_t) fs_getattr_xattr_fs(swat_t) auth_domtrans_chk_passwd(swat_t) +auth_use_nsswitch(swat_t) libs_use_ld_so(swat_t) libs_use_shared_libs(swat_t) @@ -637,8 +620,6 @@ logging_search_logs(swat_t) miscfiles_read_localization(swat_t) -sysnet_read_config(swat_t) - optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) @@ -652,14 +633,6 @@ optional_policy(` kerberos_use(swat_t) ') -optional_policy(` - nis_use_ypbind(swat_t) -') - -optional_policy(` - nscd_socket_use(swat_t) -') - ######################################## # # Winbind local policy @@ -672,7 +645,6 @@ allow winbind_t self:process signal_perms; allow winbind_t self:fifo_file { read write }; allow winbind_t self:unix_dgram_socket create_socket_perms; allow winbind_t self:unix_stream_socket create_stream_socket_perms; -allow winbind_t self:netlink_route_socket r_netlink_socket_perms; allow winbind_t self:tcp_socket create_stream_socket_perms; allow winbind_t self:udp_socket create_socket_perms; @@ -734,6 +706,7 @@ fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) auth_domtrans_chk_passwd(winbind_t) +auth_use_nsswitch(winbind_t) domain_use_interactive_fds(winbind_t) @@ -746,9 +719,6 @@ logging_send_syslog_msg(winbind_t) miscfiles_read_localization(winbind_t) -sysnet_read_config(winbind_t) -sysnet_dns_name_resolve(winbind_t) - userdom_dontaudit_use_unpriv_user_fds(winbind_t) userdom_dontaudit_search_sysadm_home_dirs(winbind_t) userdom_priveleged_home_dir_manager(winbind_t) diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te index 428678f..8a4ddb3 100644 
--- a/policy/modules/services/squid.te +++ b/policy/modules/services/squid.te @@ -1,5 +1,5 @@ -policy_module(squid,1.4.1) +policy_module(squid,1.4.2) ######################################## # @@ -127,6 +127,8 @@ files_search_spool(squid_t) files_dontaudit_getattr_tmp_dirs(squid_t) files_getattr_home_dir(squid_t) +auth_use_nsswitch(squid_t) + libs_use_ld_so(squid_t) libs_use_shared_libs(squid_t) # to allow running programs from /usr/lib/squid (IE unlinkd) @@ -137,9 +139,6 @@ logging_send_syslog_msg(squid_t) miscfiles_read_certs(squid_t) miscfiles_read_localization(squid_t) -sysnet_dns_name_resolve(squid_t) -sysnet_read_config(squid_t) - userdom_use_unpriv_users_fds(squid_t) userdom_dontaudit_use_unpriv_user_fds(squid_t) userdom_dontaudit_search_sysadm_home_dirs(squid_t) @@ -157,14 +156,6 @@ optional_policy(` ') optional_policy(` - nis_use_ypbind(squid_t) -') - -optional_policy(` - nscd_socket_use(squid_t) -') - -optional_policy(` samba_domtrans_winbind_helper(squid_t) ') diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te index bb5fe2b..53d44c7 100644 --- a/policy/modules/services/stunnel.te +++ b/policy/modules/services/stunnel.te @@ -1,5 +1,5 @@ -policy_module(stunnel,1.4.1) +policy_module(stunnel,1.4.2) ######################################## # @@ -38,7 +38,6 @@ allow stunnel_t self:process signal_perms; allow stunnel_t self:fifo_file rw_fifo_file_perms; allow stunnel_t self:tcp_socket create_stream_socket_perms; allow stunnel_t self:udp_socket create_socket_perms; -allow stunnel_t self:netlink_route_socket r_netlink_socket_perms; allow stunnel_t stunnel_etc_t:dir { getattr read search }; allow stunnel_t stunnel_etc_t:file { read getattr }; @@ -68,6 +67,8 @@ corenet_tcp_connect_all_ports(stunnel_t) fs_getattr_all_fs(stunnel_t) +auth_use_nsswitch(stunnel_t) + libs_use_ld_so(stunnel_t) libs_use_shared_libs(stunnel_t) 
@@ -112,14 +113,6 @@ ifdef(`distro_gentoo', ` optional_policy(` kerberos_use(stunnel_t) ') - - optional_policy(` - nis_use_ypbind(stunnel_t) - ') - - optional_policy(` - nscd_socket_use(stunnel_t) - ') ') # hack since this port has no interfaces since it doesnt diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te index 0110cd4..95380b8 100644 --- a/policy/modules/services/telnet.te +++ b/policy/modules/services/telnet.te @@ -1,5 +1,5 @@ -policy_module(telnet,1.5.0) +policy_module(telnet,1.5.1) ######################################## # @@ -32,7 +32,6 @@ allow telnetd_t self:tcp_socket connected_stream_socket_perms; allow telnetd_t self:udp_socket create_socket_perms; # for identd; cjp: this should probably only be inetd_child rules? allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -allow telnetd_t self:netlink_route_socket r_netlink_socket_perms; allow telnetd_t self:capability { setuid setgid }; allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr }; @@ -63,6 +62,7 @@ dev_read_urand(telnetd_t) fs_getattr_xattr_fs(telnetd_t) auth_rw_login_records(telnetd_t) +auth_use_nsswitch(telnetd_t) corecmd_search_bin(telnetd_t) @@ -82,8 +82,6 @@ miscfiles_read_localization(telnetd_t) seutil_dontaudit_search_config(telnetd_t) -sysnet_read_config(telnetd_t) - remotelogin_domtrans(telnetd_t) # for identd; cjp: this should probably only be inetd_child rules? @@ -92,14 +90,6 @@ optional_policy(` kerberos_read_keytab(telnetd_t) ') -optional_policy(` - nis_use_ypbind(telnetd_t) -') - -optional_policy(` - nscd_socket_use(telnetd_t) -') - ifdef(`TODO',` # Allow krb5 telnetd to use fork and open /dev/tty for use allow telnetd_t userpty_type:chr_file setattr; diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te index 858e549..21086f4 100644 --- a/policy/modules/services/uucp.te +++ b/policy/modules/services/uucp.te 
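Review bot: The nis/nscd optional blocks removed at `@@ -112,14 +113,6 @@` sat inside ``ifdef(`distro_gentoo'``, so ypbind and nscd access for stunnel_t was Gentoo-only, whereas the replacement `auth_use_nsswitch(stunnel_t)` (added unconditionally at `@@ -68,6 +67,8 @@` on the previous line) applies to every distribution build. That is a behavioural change rather than a pure clean-up and should either be noted in the commit message or kept inside the distro conditional if the original gating was intentional; the `kerberos_use(stunnel_t)` block that remains inside the conditional suggests the gating was deliberate, though that is inference. The same conditional-to-unconditional move occurs for mount_t, whose `sysnet_dns_name_resolve(mount_t)` and `nis_use_ypbind(mount_t)` are removed from an `optional_policy` block at `@@ -159,13 +160,7 @@` of mount.te (a hunk that runs past the end of this view) while `auth_use_nsswitch(mount_t)` is added unconditionally at `@@ -102,6 +101,8 @@`. The enclosing ``ifdef(`distro_gentoo'`` block starts outside this hunk.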
@@ -1,5 +1,5 @@ -policy_module(uucp,1.5.1) +policy_module(uucp,1.5.2) ######################################## # @@ -88,6 +88,8 @@ files_read_etc_files(uucpd_t) files_search_home(uucpd_t) files_search_spool(uucpd_t) +auth_use_nsswitch(uucpd_t) + libs_use_ld_so(uucpd_t) libs_use_shared_libs(uucpd_t) @@ -95,20 +97,10 @@ logging_send_syslog_msg(uucpd_t) miscfiles_read_localization(uucpd_t) -sysnet_read_config(uucpd_t) - optional_policy(` kerberos_use(uucpd_t) ') -optional_policy(` - nis_use_ypbind(uucpd_t) -') - -optional_policy(` - nscd_socket_use(uucpd_t) -') - ######################################## # # UUX Local policy diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index e572a3a..8760558 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -58,7 +58,6 @@ template(`xserver_common_domain_template',` allow $1_xserver_t self:msg { send receive }; allow $1_xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow $1_xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; - allow $1_xserver_t self:netlink_route_socket r_netlink_socket_perms; allow $1_xserver_t self:tcp_socket create_stream_socket_perms; allow $1_xserver_t self:udp_socket create_socket_perms; @@ -143,6 +142,8 @@ template(`xserver_common_domain_template',` fs_search_auto_mountpoints($1_xserver_t) fs_search_ramfs($1_xserver_t) + auth_use_nsswitch($1_xserver_t) + init_getpgid($1_xserver_t) term_setattr_unallocated_ttys($1_xserver_t) @@ -160,8 +161,6 @@ template(`xserver_common_domain_template',` seutil_dontaudit_search_config($1_xserver_t) - sysnet_read_config($1_xserver_t) - ifndef(`distro_redhat',` allow $1_xserver_t self:process { execmem execheap execstack }; ') 
@@ -179,14 +178,6 @@ template(`xserver_common_domain_template',` ') optional_policy(` - nis_use_ypbind($1_xserver_t) - ') - - optional_policy(` - nscd_socket_use($1_xserver_t) - ') - - optional_policy(` rhgb_getpgid($1_xserver_t) rhgb_signal($1_xserver_t) ') @@ -370,11 +361,11 @@ template(`xserver_per_role_template',` # cjp: why? term_use_ptmx($1_xauth_t) + auth_use_nsswitch($1_xauth_t) + libs_use_ld_so($1_xauth_t) libs_use_shared_libs($1_xauth_t) - sysnet_dns_name_resolve($1_xauth_t) - userdom_use_user_terminals($1,$1_xauth_t) userdom_read_user_tmp_files($1,$1_xauth_t) @@ -387,10 +378,6 @@ template(`xserver_per_role_template',` ') optional_policy(` - nis_use_ypbind($1_xauth_t) - ') - - optional_policy(` ssh_sigchld($1_xauth_t) ssh_read_pipes($1_xauth_t) ssh_dontaudit_rw_tcp_sockets($1_xauth_t) diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index a7fb7bc..a3e5a66 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -1,5 +1,5 @@ -policy_module(xserver,1.6.2) +policy_module(xserver,1.6.3) ######################################## # diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 20e5ff2..7afe98e 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1,5 +1,5 @@ -policy_module(init,1.8.2) +policy_module(init,1.8.3) gen_require(` class passwd rootok; @@ -196,7 +196,6 @@ allow initrc_t self:unix_stream_socket { create listen accept ioctl read getattr allow initrc_t self:tcp_socket create_stream_socket_perms; allow initrc_t self:udp_socket create_socket_perms; allow initrc_t self:fifo_file rw_file_perms; -allow initrc_t self:netlink_route_socket r_netlink_socket_perms; allow initrc_t initrc_devpts_t:chr_file rw_term_perms; term_create_pty(initrc_t,initrc_devpts_t) 
@@ -345,6 +344,8 @@ files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) +auth_use_nsswitch(initrc_t) + libs_rw_ld_so_cache(initrc_t) libs_use_ld_so(initrc_t) libs_use_shared_libs(initrc_t) @@ -365,8 +366,6 @@ modutils_domtrans_insmod(initrc_t) seutil_read_config(initrc_t) -sysnet_read_config(initrc_t) - userdom_read_all_users_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such @@ -648,15 +647,10 @@ optional_policy(` ') optional_policy(` - nis_use_ypbind(initrc_t) nis_list_var_yp(initrc_t) ') optional_policy(` - nscd_socket_use(initrc_t) -') - -optional_policy(` openvpn_read_config(initrc_t) ') diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te index ad34043..2518e0d 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -1,5 +1,5 @@ -policy_module(lvm,1.7.2) +policy_module(lvm,1.7.3) ######################################## # @@ -104,6 +104,8 @@ domain_use_interactive_fds(clvmd_t) storage_raw_read_fixed_disk(clvmd_t) +auth_use_nsswitch(clvmd_t) + libs_use_ld_so(clvmd_t) libs_use_shared_libs(clvmd_t) @@ -114,8 +116,6 @@ miscfiles_read_localization(clvmd_t) seutil_dontaudit_search_config(clvmd_t) seutil_sigchld_newrole(clvmd_t) -sysnet_read_config(clvmd_t) - userdom_dontaudit_use_unpriv_user_fds(clvmd_t) userdom_dontaudit_search_sysadm_home_dirs(clvmd_t) @@ -131,10 +131,6 @@ optional_policy(` ') optional_policy(` - nis_use_ypbind(clvmd_t) -') - -optional_policy(` ricci_dontaudit_rw_modcluster_pipes(clvmd_t) ricci_dontaudit_use_modcluster_fds(clvmd_t) ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te index fdc8c0f..7cb9ab8 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -1,5 +1,5 @@ -policy_module(mount,1.8.1) +policy_module(mount,1.8.2) ######################################## # 
@@ -39,7 +39,6 @@ application_domain(unconfined_mount_t,mount_exec_t) allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid }; allow mount_t mount_loopback_t:file read_file_perms; -allow mount_t self:netlink_route_socket r_netlink_socket_perms; allow mount_t mount_tmp_t:file manage_file_perms; allow mount_t mount_tmp_t:dir manage_dir_perms; @@ -102,6 +101,8 @@ init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) +auth_use_nsswitch(mount_t) + libs_use_ld_so(mount_t) libs_use_shared_libs(mount_t) @@ -159,13 +160,7 @@ optional_policy(` fs_search_rpc(mount_t) - sysnet_dns_name_resolve(mount_t) - rpc_stub(mount_t) - - optional_policy(` - nis_use_ypbind(mount_t) - ') ') optional_policy(`