From 1464a9aa54d0761b38154416af4108bff273a880 Mon Sep 17 00:00:00 2001
From: Dominick Grift
Date: Oct 09 2012 11:46:15 +0000
Subject: Changes to the ktalk policy module
Module clean up
Signed-off-by: Dominick Grift
---
diff --git a/ktalk.fc b/ktalk.fc
index 270e000..38ecb07 100644
--- a/ktalk.fc
+++ b/ktalk.fc
@@ -2,5 +2,6 @@
 /usr/sbin/in\.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
 /usr/sbin/in\.ntalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
+/usr/sbin/ktalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
 /var/log/talkd.* -- gen_context(system_u:object_r:ktalkd_log_t,s0)
diff --git a/ktalk.if b/ktalk.if
index 5ba36db..19777b8 100644
--- a/ktalk.if
+++ b/ktalk.if
@@ -1 +1 @@
-## KDE Talk daemon
+## KDE Talk daemon.
diff --git a/ktalk.te b/ktalk.te
index ca5cfdf..2cf3815 100644
--- a/ktalk.te
+++ b/ktalk.te
@@ -1,4 +1,4 @@
-policy_module(ktalk, 1.8.0)
+policy_module(ktalk, 1.8.1)
 ########################################
 #
@@ -8,7 +8,6 @@ policy_module(ktalk, 1.8.0)
 type ktalkd_t;
 type ktalkd_exec_t;
 inetd_udp_service_domain(ktalkd_t, ktalkd_exec_t)
-role system_r types ktalkd_t;
 type ktalkd_log_t;
 logging_log_file(ktalkd_log_t)
@@ -16,9 +15,6 @@ logging_log_file(ktalkd_log_t)
 type ktalkd_tmp_t;
 files_tmp_file(ktalkd_tmp_t)
-type ktalkd_var_run_t;
-files_pid_file(ktalkd_var_run_t)
-
 ########################################
 #
 # Local policy
@@ -26,48 +22,23 @@ files_pid_file(ktalkd_var_run_t)
 allow ktalkd_t self:process signal_perms;
 allow ktalkd_t self:fifo_file rw_fifo_file_perms;
-allow ktalkd_t self:tcp_socket connected_stream_socket_perms;
-allow ktalkd_t self:udp_socket create_socket_perms;
-# for identd
-# cjp: this should probably only be inetd_child rules?
-allow ktalkd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow ktalkd_t self:capability { setuid setgid };
-files_search_home(ktalkd_t)
-optional_policy(`
- kerberos_use(ktalkd_t)
-')
-#end for identd
-
-allow ktalkd_t ktalkd_log_t:file manage_file_perms;
+allow ktalkd_t self:tcp_socket { accept listen };
+
+allow ktalkd_t ktalkd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
 logging_log_filetrans(ktalkd_t, ktalkd_log_t, file)
 manage_dirs_pattern(ktalkd_t, ktalkd_tmp_t, ktalkd_tmp_t)
 manage_files_pattern(ktalkd_t, ktalkd_tmp_t, ktalkd_tmp_t)
 files_tmp_filetrans(ktalkd_t, ktalkd_tmp_t, { file dir })
-manage_files_pattern(ktalkd_t, ktalkd_var_run_t, ktalkd_var_run_t)
-files_pid_filetrans(ktalkd_t, ktalkd_var_run_t, file)
-
 kernel_read_kernel_sysctls(ktalkd_t)
 kernel_read_system_state(ktalkd_t)
 kernel_read_network_state(ktalkd_t)
-corenet_all_recvfrom_unlabeled(ktalkd_t)
-corenet_all_recvfrom_netlabel(ktalkd_t)
-corenet_tcp_sendrecv_generic_if(ktalkd_t)
-corenet_udp_sendrecv_generic_if(ktalkd_t)
-corenet_tcp_sendrecv_generic_node(ktalkd_t)
-corenet_udp_sendrecv_generic_node(ktalkd_t)
-corenet_tcp_sendrecv_all_ports(ktalkd_t)
-corenet_udp_sendrecv_all_ports(ktalkd_t)
-
 dev_read_urand(ktalkd_t)
 fs_getattr_xattr_fs(ktalkd_t)
-files_read_etc_files(ktalkd_t)
-
-term_search_ptys(ktalkd_t)
 term_use_all_terms(ktalkd_t)
 auth_use_nsswitch(ktalkd_t)
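Review bot: The new `allow ktalkd_t self:tcp_socket { accept listen };` grants accept/listen without create, bind or the rest of the stream-socket permissions that the removed `connected_stream_socket_perms` rule carried, and since a socket normally takes the label of the domain that created it, a self-labelled TCP socket can only exist here if ktalkd_t creates one, which this hunk no longer permits. If the two permissions were taken from a denial on a socket inherited from inetd (labelled inetd_t rather than ktalkd_t), the rule is a no-op and the access would have to be expressed against inetd_t's socket, presumably via what inetd_udp_service_domain() already provides; if ktalkd really does open its own listening socket, `create` and `bind` will be the next denials, so it is worth confirming against the audit record that motivated the line. Separately, dropping `files_read_etc_files(ktalkd_t)` and the corenet_*_sendrecv_* rules is only safe if `auth_use_nsswitch(ktalkd_t)` (trailing context of the hunk) now supplies that access through its attribute, which is not visible from this patch, so please confirm or say so in the commit body. The tightened log rule (`{ append_file_perms create_file_perms setattr_file_perms }` in place of manage_file_perms) is a good hardening step, since the daemon can no longer truncate or unlink its own log.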