From c3af651a5d7f292a3fec531dd7939c3db593371b Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jun 06 2012 12:48:34 +0000 Subject: Merge others * git remains --- diff --git a/aiccu.if b/aiccu.if index aa8fcd0..8f77bf5 100644 --- a/aiccu.if +++ b/aiccu.if @@ -79,7 +79,6 @@ interface(`aiccu_admin',` type aiccu_var_run_t; ') -<<<<<<< HEAD allow $1 aiccu_t:process signal_perms; ps_process_pattern($1, aiccu_t) @@ -87,11 +86,6 @@ interface(`aiccu_admin',` allow $1 aiccu_t:process ptrace; ') -======= - allow $1 aiccu_t:process { ptrace signal_perms }; - ps_process_pattern($1, aiccu_t) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 aiccu_initrc_domtrans($1) domain_system_change_exemption($1) role_transition $2 aiccu_initrc_exec_t system_r; diff --git a/aide.te b/aide.te index 289b753..7ada82f 100644 --- a/aide.te +++ b/aide.te @@ -32,7 +32,6 @@ manage_files_pattern(aide_t, aide_log_t, aide_log_t) logging_log_filetrans(aide_t, aide_log_t, file) files_read_all_files(aide_t) -<<<<<<< HEAD files_read_boot_symlinks(aide_t) files_read_all_symlinks(aide_t) files_getattr_all_pipes(aide_t) @@ -40,8 +39,6 @@ files_getattr_all_sockets(aide_t) mls_file_read_to_clearance(aide_t) mls_file_write_to_clearance(aide_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 logging_send_audit_msgs(aide_t) # AIDE can be configured to log to syslog diff --git a/alsa.if b/alsa.if index 9318655..25e02df 100644 --- a/alsa.if +++ b/alsa.if @@ -148,10 +148,7 @@ interface(`alsa_manage_home_files',` userdom_search_user_home_dirs($1) allow $1 alsa_home_t:file manage_file_perms; -<<<<<<< HEAD alsa_filetrans_home_content(unpriv_userdomain) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## @@ -210,7 +207,6 @@ interface(`alsa_read_lib',` files_search_var_lib($1) read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t) ') -<<<<<<< HEAD ######################################## ## 
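Review bot: In the alsa.if `@@ -148,10 +148,7 @@` hunk the kept line `alsa_filetrans_home_content(unpriv_userdomain)` sits inside `alsa_manage_home_files` but never uses `$1`, so every caller of this interface re-applies the home-content file transition to all unprivileged user domains instead of to the calling domain. If that is deliberate, a comment such as `# applied to all unpriv_userdomain on purpose, not only $1` would stop the next reader from "fixing" it; otherwise `alsa_filetrans_home_content($1)` is the form the interface name suggests. The interface starts before this hunk, so I cannot see whether its documentation explains the choice.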
@@ -277,5 +273,3 @@ interface(`alsa_systemctl',` ps_process_pattern($1, alsa_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/apcupsd.if b/apcupsd.if index 506d22d..1fedbe5 100644 --- a/apcupsd.if +++ b/apcupsd.if @@ -123,7 +123,6 @@ interface(`apcupsd_cgi_script_domtrans',` ######################################## ## -<<<<<<< HEAD ## Execute apcupsd server in the apcupsd domain. ## ## @@ -147,8 +146,6 @@ interface(`apcupsd_systemctl',` ######################################## ## -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## All of the rules required to administrate ## an apcupsd environment ## @@ -170,7 +167,6 @@ interface(`apcupsd_admin',` type apcupsd_log_t, apcupsd_lock_t; type apcupsd_var_run_t; type apcupsd_initrc_exec_t; -<<<<<<< HEAD type apcupsd_unit_file_t; ') @@ -181,13 +177,6 @@ interface(`apcupsd_admin',` allow $1 apcupsd_t:process ptrace; ') -======= - ') - - allow $1 apcupsd_t:process { ptrace signal_perms }; - ps_process_pattern($1, apcupsd_t) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 apcupsd_initrc_exec_t system_r; @@ -204,11 +193,8 @@ interface(`apcupsd_admin',` files_list_pids($1) admin_pattern($1, apcupsd_var_run_t) -<<<<<<< HEAD apcupsd_systemctl($1) admin_pattern($1, apcupsd_unit_file_t) allow $1 apcupsd_unit_file_t:service all_service_perms; -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') diff --git a/arpwatch.if b/arpwatch.if index df26f57..06a516f 100644 --- a/arpwatch.if +++ b/arpwatch.if @@ -115,7 +115,6 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',` ######################################## ## -<<<<<<< HEAD ## Execute arpwatch server in the arpwatch domain. ## ## 
@@ -139,8 +138,6 @@ interface(`arpwatch_systemctl',` ######################################## ## -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## All of the rules required to administrate ## an arpwatch environment ## @@ -161,7 +158,6 @@ interface(`arpwatch_admin',` type arpwatch_t, arpwatch_tmp_t; type arpwatch_data_t, arpwatch_var_run_t; type arpwatch_initrc_exec_t; -<<<<<<< HEAD type arpwatch_unit_file_t; ') @@ -172,13 +168,6 @@ interface(`arpwatch_admin',` allow $1 arpwatch_t:process ptrace; ') -======= - ') - - allow $1 arpwatch_t:process { ptrace signal_perms getattr }; - ps_process_pattern($1, arpwatch_t) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 arpwatch_initrc_domtrans($1) domain_system_change_exemption($1) role_transition $2 arpwatch_initrc_exec_t system_r; @@ -192,11 +181,8 @@ interface(`arpwatch_admin',` files_list_pids($1) admin_pattern($1, arpwatch_var_run_t) -<<<<<<< HEAD arpwatch_systemctl($1) admin_pattern($1, arpwatch_unit_file_t) allow $1 arpwatch_unit_file_t:service all_service_perms; -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') diff --git a/asterisk.te b/asterisk.te index 1b02605..8ba2e55 100644 --- a/asterisk.te +++ b/asterisk.te @@ -78,7 +78,6 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t) files_var_lib_filetrans(asterisk_t, asterisk_var_lib_t, file) -<<<<<<< HEAD manage_dirs_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) @@ -152,13 +151,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t) userdom_dontaudit_search_user_home_dirs(asterisk_t) optional_policy(` -<<<<<<< HEAD alsa_read_rw_config(asterisk_t) ') optional_policy(` -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 mysql_stream_connect(asterisk_t) ') 
diff --git a/bugzilla.if b/bugzilla.if index 515b345..954e726 100644 --- a/bugzilla.if +++ b/bugzilla.if @@ -58,7 +58,6 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',` interface(`bugzilla_admin',` gen_require(` type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t; -<<<<<<< HEAD type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t; type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t; ') @@ -72,14 +71,6 @@ interface(`bugzilla_admin',` files_list_tmp($1) admin_pattern($1, httpd_bugzilla_tmp_t) -======= - type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t; - type httpd_bugzilla_htaccess_t; - ') - - allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms }; - ps_process_pattern($1, httpd_bugzilla_script_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 files_list_var_lib(httpd_bugzilla_script_t) diff --git a/ccs.fc b/ccs.fc index 7ee8b7b..bc4f6e7 100644 --- a/ccs.fc +++ b/ccs.fc @@ -2,10 +2,7 @@ /sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0) -<<<<<<< HEAD /usr/sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /var/run/cluster/ccsd\.pid -- gen_context(system_u:object_r:ccs_var_run_t,s0) /var/run/cluster/ccsd\.sock -s gen_context(system_u:object_r:ccs_var_run_t,s0) diff --git a/colord.if b/colord.if index 400dadb..fa2c3cb 100644 --- a/colord.if +++ b/colord.if @@ -57,7 +57,6 @@ interface(`colord_read_lib_files',` files_search_var_lib($1) read_files_pattern($1, colord_var_lib_t, colord_var_lib_t) ') -<<<<<<< HEAD ######################################## ## @@ -81,5 +80,3 @@ interface(`colord_systemctl',` ps_process_pattern($1, colord_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/cron.te b/cron.te index 2b2ea1f..4545fb1 100644 --- a/cron.te +++ b/cron.te @@ -1,4 +1,4 @@ -policy_module(cron, 2.4.0) +policy_module(cron, 2.2.1) gen_require(` class passwd rootok; 
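Review bot: The cron.te `@@ -1,4 +1,4 @@` hunk lowers `policy_module(cron, 2.4.0)` to `policy_module(cron, 2.2.1)` while every other cron.te hunk in this commit keeps HEAD's newer rules, so the version line looks like the wrong side of the merge. Module versions in this tree are only ever raised when content changes; the gpg.te `@@ -1,4 +1,4 @@` hunk further down makes the same downgrade (`policy_module(gpg, 2.5.1)` to `policy_module(gpg, 2.4.0)`) and the pyzor.te resolution keeps 2.1.0 over 2.2.0. Keep the higher number on each (`policy_module(cron, 2.4.0)`), or bump past it, so the version still reflects the newer content it now carries.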
@@ -10,18 +10,18 @@ gen_require(` # ## -##

-## Allow system cron jobs to relabel filesystem -## for restoring file contexts. -##

+##

+## Allow system cron jobs to relabel filesystem +## for restoring file contexts. +##

##
gen_tunable(cron_can_relabel, false) ## -##

-## Enable extra rules in the cron domain -## to support fcron. -##

+##

+## Enable extra rules in the cron domain +## to support fcron. +##

##
gen_tunable(fcron_crond, false) @@ -102,10 +102,6 @@ files_lock_file(system_cronjob_lock_t) type system_cronjob_tmp_t alias system_crond_tmp_t; files_tmp_file(system_cronjob_tmp_t) -ifdef(`enable_mcs',` - init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh) -') - type unconfined_cronjob_t; domain_type(unconfined_cronjob_t) domain_cron_exemption_target(unconfined_cronjob_t) @@ -145,7 +141,7 @@ selinux_compute_create_context(admin_crontab_t) selinux_compute_relabel_context(admin_crontab_t) selinux_compute_user_contexts(admin_crontab_t) -tunable_policy(`fcron_crond', ` +tunable_policy(`fcron_crond',` # fcron wants an instant update of a crontab change for the administrator # also crontab does a security check for crontab -u allow admin_crontab_t self:process setfscreate; @@ -580,13 +576,10 @@ optional_policy(` ') optional_policy(` -<<<<<<< HEAD networkmanager_dbus_chat(system_cronjob_t) ') optional_policy(` -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 postfix_read_config(system_cronjob_t) ') @@ -595,11 +588,7 @@ optional_policy(` prelink_manage_lib(system_cronjob_t) prelink_manage_log(system_cronjob_t) prelink_read_cache(system_cronjob_t) -<<<<<<< HEAD prelink_relabel_lib(system_cronjob_t) -======= - prelink_relabelfrom_lib(system_cronjob_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') optional_policy(` @@ -614,10 +603,7 @@ optional_policy(` optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) -<<<<<<< HEAD spamassassin_manage_home_client(system_cronjob_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') optional_policy(` @@ -625,7 +611,6 @@ optional_policy(` ') optional_policy(` -<<<<<<< HEAD systemd_dbus_chat_logind(system_cronjob_t) systemd_write_inherited_logind_sessions_pipes(system_cronjob_t) ') 
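Review bot: The cron.te `@@ -102,10 +102,6 @@` hunk deletes `ifdef(`enable_mcs',` init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh) ')` outright; unlike the other removals in this file it is not wrapped in conflict markers, so it is not part of the "git remains" cleanup the subject line describes. Without it, MCS builds no longer start crond with the `s0 - mcs_systemhigh` range, which changes which categorised files system cron jobs can reach; I cannot see whether the ranged transition is declared elsewhere in cron.te. If the removal is intended, record the reason in the commit message; otherwise restore the three lines.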
@@ -638,9 +623,6 @@ optional_policy(` optional_policy(` unconfined_shell_domtrans(crond_t) unconfined_dbus_send(crond_t) -======= - unconfined_domain(system_cronjob_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') @@ -733,18 +715,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) -<<<<<<< HEAD rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) allow crond_t user_cron_spool_t:file manage_lnk_file_perms; tunable_policy(`fcron_crond',` -======= -read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) - -tunable_policy(`fcron_crond', ` ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow crond_t user_cron_spool_t:file manage_file_perms; ') diff --git a/cyphesis.if b/cyphesis.if index 53e9d09..9d44538 100644 --- a/cyphesis.if +++ b/cyphesis.if @@ -5,15 +5,9 @@ ## Execute a domain transition to run cyphesis. ##
## -<<<<<<< HEAD -## -## Domain allowed to transition. -## -======= ## ## Domain allowed to transition. ## ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## # interface(`cyphesis_domtrans',` diff --git a/devicekit.if b/devicekit.if index 53f655f..aa049fc 100644 --- a/devicekit.if +++ b/devicekit.if @@ -20,7 +20,6 @@ interface(`devicekit_domtrans',` ######################################## ## -<<<<<<< HEAD ## Execute a domain transition to run devicekit_disk. ## ## diff --git a/dictd.if b/dictd.if index 6df1071..83a7ca5 100644 --- a/dictd.if +++ b/dictd.if @@ -38,16 +38,11 @@ interface(`dictd_admin',` type dictd_var_run_t, dictd_initrc_exec_t; ') -<<<<<<< HEAD allow $1 dictd_t:process signal_perms; ps_process_pattern($1, dictd_t) tunable_policy(`deny_ptrace',`',` allow $1 dictd_t:process ptrace; ') -======= - allow $1 dictd_t:process { ptrace signal_perms }; - ps_process_pattern($1, dictd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 init_labeled_script_domtrans($1, dictd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/dictd.te b/dictd.te index bc7fa4a..ee10625 100644 --- a/dictd.te +++ b/dictd.te @@ -73,34 +73,15 @@ files_search_var_lib(dictd_t) # for checking for nscd files_dontaudit_search_pids(dictd_t) -<<<<<<< HEAD auth_use_nsswitch(dictd_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 logging_send_syslog_msg(dictd_t) miscfiles_read_localization(dictd_t) -<<<<<<< HEAD userdom_dontaudit_use_unpriv_user_fds(dictd_t) optional_policy(` -======= -sysnet_read_config(dictd_t) - -userdom_dontaudit_use_unpriv_user_fds(dictd_t) - -optional_policy(` - nis_use_ypbind(dictd_t) -') - -optional_policy(` - nscd_socket_use(dictd_t) -') - -optional_policy(` ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 seutil_sigchld_newrole(dictd_t) ') diff --git a/dkim.fc b/dkim.fc index c5320b9..1820764 100644 --- a/dkim.fc +++ b/dkim.fc 
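Review bot: The devicekit.if `@@ -20,7 +20,6 @@` hunk removes a lone `<<<<<<< HEAD` line, and this diff contains no matching `=======` or `>>>>>>> 9f8a6a3…` removal for that file; the fail2ban.if hunk that follows is the same. Either the tree had unbalanced markers or the closing markers are still present after this commit, which a stray non-comment line in an .if file would likely turn into a build failure. Please grep both files for remaining marker lines before merging.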
@@ -1,24 +1,15 @@ /etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0) -<<<<<<< HEAD - -/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0) -======= /etc/opendkim/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0) /usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0) /usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /var/db/dkim(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0) /var/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) /var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) /var/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0) -<<<<<<< HEAD -/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) -======= /var/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) /var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/fail2ban.if b/fail2ban.if index 8283ee2..b1b13b0 100644 --- a/fail2ban.if +++ b/fail2ban.if @@ -40,7 +40,6 @@ interface(`fail2ban_stream_connect',` ######################################## ## -<<<<<<< HEAD ## Read and write inherited temporary files. ## ## diff --git a/ftp.if b/ftp.if index 26e435c..6e75e3d 100644 --- a/ftp.if +++ b/ftp.if @@ -1,6 +1,5 @@ ## File transfer protocol service -<<<<<<< HEAD ###################################### ## ## Execute a domain transition to run ftpd. @@ -62,8 +61,6 @@ interface(`ftp_systemctl',` ps_process_pattern($1, ftpd_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ####################################### ## ## Allow domain dyntransition to sftpd_anon domain. 
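Review bot: Resolving the dkim.fc conflict to the non-HEAD side also drops HEAD's `/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)` entry, which was the only labelling for that directory in the file. If the milter still keeps state under /var/lib/dkim-milter (dkim.te is not in this diff, so I cannot confirm), files there fall back to the generic var_lib label and the daemon's accesses to them start being denied. The opendkim entries and that line are not mutually exclusive; keeping both is the safe resolution.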
@@ -238,7 +235,6 @@ interface(`ftp_admin',` type ftpd_etc_t, ftpd_lock_t; type ftpd_var_run_t, xferlog_t; type ftpd_initrc_exec_t; -<<<<<<< HEAD type ftpd_unit_file_t; ') @@ -247,12 +243,6 @@ interface(`ftp_admin',` tunable_policy(`deny_ptrace',`',` allow $1 ftpd_t:process ptrace; ') -======= - ') - - allow $1 ftpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, ftpd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 init_labeled_script_domtrans($1, ftpd_initrc_exec_t) domain_system_change_exemption($1) @@ -278,11 +268,8 @@ interface(`ftp_admin',` logging_list_logs($1) admin_pattern($1, xferlog_t) -<<<<<<< HEAD ftp_systemctl($1) admin_pattern($1, ftpd_unit_file_t) allow $1 ftpd_unit_file_t:service all_service_perms; -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') diff --git a/gpg.te b/gpg.te index 109d7d4..9cbbfd4 100644 --- a/gpg.te +++ b/gpg.te @@ -1,4 +1,4 @@ -policy_module(gpg, 2.5.1) +policy_module(gpg, 2.4.0) ######################################## # 
@@ -26,18 +26,22 @@ type gpg_t, gpgdomain; type gpg_exec_t; typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t }; typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t }; -userdom_user_application_domain(gpg_t, gpg_exec_t) +application_domain(gpg_t, gpg_exec_t) +ubac_constrained(gpg_t) +role system_r types gpg_t; type gpg_agent_t; type gpg_agent_exec_t; typealias gpg_agent_t alias { user_gpg_agent_t staff_gpg_agent_t sysadm_gpg_agent_t }; typealias gpg_agent_t alias { auditadm_gpg_agent_t secadm_gpg_agent_t }; -userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t) +application_domain(gpg_agent_t, gpg_agent_exec_t) +ubac_constrained(gpg_agent_t) type gpg_agent_tmp_t; typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t }; typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t }; -userdom_user_tmp_file(gpg_agent_tmp_t) +files_tmp_file(gpg_agent_tmp_t) +ubac_constrained(gpg_agent_tmp_t) type gpg_secret_t; typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t }; 
@@ -48,25 +52,24 @@ type gpg_helper_t; type gpg_helper_exec_t; typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t }; typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t }; -userdom_user_application_domain(gpg_helper_t, gpg_helper_exec_t) +application_domain(gpg_helper_t, gpg_helper_exec_t) +ubac_constrained(gpg_helper_t) +role system_r types gpg_helper_t; type gpg_pinentry_t; type pinentry_exec_t; typealias gpg_pinentry_t alias { user_gpg_pinentry_t staff_gpg_pinentry_t sysadm_gpg_pinentry_t }; typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t }; - -<<<<<<< HEAD application_domain(gpg_pinentry_t, pinentry_exec_t) ubac_constrained(gpg_pinentry_t) type gpg_pinentry_tmp_t; -userdom_user_application_domain(gpg_pinentry_t, pinentry_exec_t) - -type gpg_pinentry_tmp_t; -userdom_user_tmp_file(gpg_pinentry_tmp_t) +files_tmp_file(gpg_pinentry_tmp_t) +ubac_constrained(gpg_pinentry_tmp_t) type gpg_pinentry_tmpfs_t; -userdom_user_tmpfs_file(gpg_pinentry_tmpfs_t) +files_tmpfs_file(gpg_pinentry_tmpfs_t) +ubac_constrained(gpg_pinentry_tmpfs_t) type gpg_web_t; domain_type(gpg_web_t) @@ -165,6 +168,10 @@ optional_policy(` ') optional_policy(` + spamassassin_read_spamd_tmp_files(gpg_t) +') + +optional_policy(` xserver_use_xdm_fds(gpg_t) xserver_rw_xdm_pipes(gpg_t) ') diff --git a/kdumpgui.te b/kdumpgui.te index e0679c4..a085fbd 100644 --- a/kdumpgui.te +++ b/kdumpgui.te @@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(kdumpgui, 1.0.1) -======= policy_module(kdumpgui, 1.1.0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # 
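Review bot: The gpg.te `@@ -165,6 +168,10 @@` hunk adds `spamassassin_read_spamd_tmp_files(gpg_t)`, a new access grant unrelated to the conflict-marker cleanup in the rest of the commit, and nothing records why gpg needs to read spamd's temporary files. A one-line comment above the new optional_policy block naming the denial it fixes (e.g. `# spamd hands gpg the message to verify via a tmp file` — my guess, please replace with the actual reason) would keep the grant auditable. Splitting it into its own commit would also keep the "git remains" cleanup reviewable on its own.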
@@ -12,13 +8,10 @@ policy_module(kdumpgui, 1.1.0) type kdumpgui_t; type kdumpgui_exec_t; dbus_system_domain(kdumpgui_t, kdumpgui_exec_t) -<<<<<<< HEAD init_daemon_domain(kdumpgui_t, kdumpgui_exec_t) type kdumpgui_tmp_t; files_tmp_file(kdumpgui_tmp_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ###################################### # @@ -29,13 +22,10 @@ allow kdumpgui_t self:capability { net_admin sys_admin sys_rawio }; allow kdumpgui_t self:fifo_file rw_fifo_file_perms; allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms; -<<<<<<< HEAD manage_dirs_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t) manage_files_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t) files_tmp_filetrans(kdumpgui_t, kdumpgui_tmp_t, { dir file }) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 kernel_read_system_state(kdumpgui_t) kernel_read_network_state(kdumpgui_t) @@ -54,11 +44,8 @@ files_manage_etc_runtime_files(kdumpgui_t) files_etc_filetrans_etc_runtime(kdumpgui_t, file) files_read_usr_files(kdumpgui_t) -<<<<<<< HEAD fs_read_dos_files(kdumpgui_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 storage_raw_read_fixed_disk(kdumpgui_t) storage_raw_write_fixed_disk(kdumpgui_t) @@ -68,7 +55,6 @@ logging_send_syslog_msg(kdumpgui_t) miscfiles_read_localization(kdumpgui_t) -<<<<<<< HEAD mount_exec(kdumpgui_t) init_dontaudit_read_all_script_files(kdumpgui_t) @@ -83,10 +69,6 @@ optional_policy(` consoletype_exec(kdumpgui_t) ') -======= -init_dontaudit_read_all_script_files(kdumpgui_t) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 optional_policy(` consoletype_exec(kdumpgui_t) ') @@ -98,10 +80,7 @@ optional_policy(` optional_policy(` kdump_manage_config(kdumpgui_t) kdump_initrc_domtrans(kdumpgui_t) -<<<<<<< HEAD kdump_systemctl(kdumpgui_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') optional_policy(` diff --git a/kerneloops.if b/kerneloops.if index b8fb73d..8a98c76 100644 --- a/kerneloops.if +++ b/kerneloops.if 
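Review bot: After the kdumpgui.te `@@ -83,10 +69,6 @@` hunk removes the markers, the file keeps two identical `optional_policy(` consoletype_exec(kdumpgui_t) ')` blocks back to back: the context block before the removed span and the one after it are the same rule from each side of the merge. The duplicate compiles, but it is leftover conflict noise rather than intent; drop one of the two blocks.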
@@ -5,25 +5,15 @@ ## Execute a domain transition to run kerneloops. ## ## -<<<<<<< HEAD -## -## Domain allowed to transition. -## -======= ## ## Domain allowed to transition. ## ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## # interface(`kerneloops_domtrans',` gen_require(` -<<<<<<< HEAD - type kerneloops_t, kerneloops_exec_t; -======= type kerneloops_t; type kerneloops_exec_t; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') domtrans_pattern($1, kerneloops_exec_t, kerneloops_t) @@ -109,7 +99,6 @@ interface(`kerneloops_manage_tmp_files',` # interface(`kerneloops_admin',` gen_require(` -<<<<<<< HEAD type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t; ') @@ -118,23 +107,12 @@ interface(`kerneloops_admin',` tunable_policy(`deny_ptrace',`',` allow $1 kerneloops_t:process ptrace; ') -======= - type kerneloops_t, kerneloops_initrc_exec_t; - type kerneloops_tmp_t; - ') - - allow $1 kerneloops_t:process { ptrace signal_perms }; - ps_process_pattern($1, kerneloops_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 init_labeled_script_domtrans($1, kerneloops_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 kerneloops_initrc_exec_t system_r; allow $2 system_r; -<<<<<<< HEAD files_list_tmp($1) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 admin_pattern($1, kerneloops_tmp_t) ') diff --git a/mediawiki.if b/mediawiki.if index bdaef85..1c1d012 100644 --- a/mediawiki.if +++ b/mediawiki.if @@ -1,5 +1,4 @@ ## Mediawiki policy -<<<<<<< HEAD ####################################### ## @@ -39,5 +38,3 @@ interface(`mediawiki_delete_tmp_files',` delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/metadata.xml b/metadata.xml index 1fdffbd..71d9e25 100644 --- a/metadata.xml +++ b/metadata.xml 
@@ -1,8 +1 @@ -<<<<<<< HEAD - - Policy modules for system services, like cron, and network services, - like sshd. - -======= Contributed Reference Policy modules. ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/mysql.if b/mysql.if index e30deac..404ed6d 100644 --- a/mysql.if +++ b/mysql.if @@ -18,7 +18,6 @@ interface(`mysql_domtrans',` domtrans_pattern($1, mysqld_exec_t, mysqld_t) ') -<<<<<<< HEAD ###################################### ## ## Execute MySQL in the caller domain. @@ -37,8 +36,6 @@ interface(`mysql_exec',` can_exec($1, mysqld_exec_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## ## ## Send a generic signal to MySQL. @@ -57,7 +54,6 @@ interface(`mysql_signal',` allow $1 mysqld_t:process signal; ') -<<<<<<< HEAD ####################################### ## ## Send a null signal to mysql. @@ -76,8 +72,6 @@ interface(`mysql_signull',` allow $1 mysqld_t:process signull; ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## ## ## Allow the specified domain to connect to postgresql with a tcp socket. @@ -115,10 +109,7 @@ interface(`mysql_stream_connect',` type mysqld_t, mysqld_var_run_t, mysqld_db_t; ') -<<<<<<< HEAD files_search_pids($1) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t) stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t) ') @@ -168,7 +159,6 @@ interface(`mysql_search_db',` ######################################## ## -<<<<<<< HEAD ## List the directories that contain MySQL ## database storage. ## @@ -189,8 +179,6 @@ interface(`mysql_list_db',` ######################################## ## -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## Read and write to the MySQL database directory. ## ## 
@@ -321,20 +309,12 @@ interface(`mysql_write_log',` ') logging_search_logs($1) -<<<<<<< HEAD allow $1 mysqld_log_t:file { write_file_perms setattr_file_perms }; -======= - allow $1 mysqld_log_t:file { write_file_perms setattr }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ###################################### ## -<<<<<<< HEAD ## Execute MySQL safe script in the mysql safe domain. -======= -## Execute MySQL server in the mysql domain. ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## ## ## @@ -350,7 +330,6 @@ interface(`mysql_domtrans_mysql_safe',` domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t) ') -<<<<<<< HEAD ###################################### ## ## Execute MySQL_safe in the caller domain. @@ -369,8 +348,6 @@ interface(`mysql_safe_exec',` can_exec($1, mysqld_safe_exec_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ##################################### ## ## Read MySQL PID files. @@ -411,7 +388,6 @@ interface(`mysql_search_pid_files',` ######################################## ## -<<<<<<< HEAD ## Execute mysqld server in the mysqld domain. ## ## @@ -473,8 +449,6 @@ interface(`mysql_filetrans_named_content',` ######################################## ## -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## All of the rules required to administrate an mysql environment ## ## @@ -491,7 +465,6 @@ interface(`mysql_filetrans_named_content',` # interface(`mysql_admin',` gen_require(` -<<<<<<< HEAD type mysqld_t, mysqld_var_run_t, mysqld_initrc_exec_t; type mysqld_tmp_t, mysqld_db_t, mysqld_log_t; type mysqld_etc_t; 
@@ -504,31 +477,17 @@ interface(`mysql_admin',` tunable_policy(`deny_ptrace',`',` allow $1 mysqld_t:process ptrace; ') -======= - type mysqld_t, mysqld_var_run_t; - type mysqld_tmp_t, mysqld_db_t; - type mysqld_etc_t, mysqld_log_t; - type mysqld_initrc_exec_t; - ') - - allow $1 mysqld_t:process { ptrace signal_perms }; - ps_process_pattern($1, mysqld_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 init_labeled_script_domtrans($1, mysqld_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 mysqld_initrc_exec_t system_r; allow $2 system_r; -<<<<<<< HEAD files_list_pids($1) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 admin_pattern($1, mysqld_var_run_t) admin_pattern($1, mysqld_db_t) -<<<<<<< HEAD files_list_etc($1) admin_pattern($1, mysqld_etc_t) @@ -547,11 +506,4 @@ interface(`mysql_admin',` allow $1 mysqld_unit_file_t:service all_service_perms; mysql_stream_connect($1) -======= - admin_pattern($1, mysqld_etc_t) - - admin_pattern($1, mysqld_log_t) - - admin_pattern($1, mysqld_tmp_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') diff --git a/nslcd.if b/nslcd.if index f456cae..0398e70 100644 --- a/nslcd.if +++ b/nslcd.if @@ -5,15 +5,9 @@ ## Execute a domain transition to run nslcd. ## ## -<<<<<<< HEAD -## -## Domain allowed to transition. -## -======= ## ## Domain allowed to transition. ## ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## # interface(`nslcd_domtrans',` @@ -63,11 +57,7 @@ interface(`nslcd_read_pid_files',` ######################################## ## -<<<<<<< HEAD -## Connect to nslcd over a unix stream socket. -======= ## Connect to nslcd over an unix stream socket. ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## ## ## @@ -103,7 +93,6 @@ interface(`nslcd_stream_connect',` # interface(`nslcd_admin',` gen_require(` -<<<<<<< HEAD type nslcd_t, nslcd_initrc_exec_t, nslcd_var_run_t; type nslcd_conf_t; ') 
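Review bot: The nslcd.if `@@ -63,11 +57,7 @@` hunk resolves the description conflict by keeping `## Connect to nslcd over an unix stream socket.` and dropping HEAD's `## Connect to nslcd over a unix stream socket.`, i.e. the grammatical variant is the one discarded. Keep HEAD's wording, `## Connect to nslcd over a unix stream socket.`.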
@@ -113,14 +102,6 @@ interface(`nslcd_admin',` tunable_policy(`deny_ptrace',`',` allow $1 nslcd_t:process ptrace; ') -======= - type nslcd_t, nslcd_initrc_exec_t; - type nslcd_conf_t, nslcd_var_run_t; - ') - - ps_process_pattern($1, nslcd_t) - allow $1 nslcd_t:process { ptrace signal_perms }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # Allow nslcd_t to restart the apache service nslcd_initrc_domtrans($1) @@ -128,17 +109,9 @@ interface(`nslcd_admin',` role_transition $2 nslcd_initrc_exec_t system_r; allow $2 system_r; -<<<<<<< HEAD files_list_etc($1) admin_pattern($1, nslcd_conf_t) files_list_pids($1) admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t) -======= - manage_files_pattern($1, nslcd_conf_t, nslcd_conf_t) - - manage_dirs_pattern($1, nslcd_var_run_t, nslcd_var_run_t) - manage_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t) - manage_lnk_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') diff --git a/nslcd.te b/nslcd.te index 1373467..bee3070 100644 --- a/nslcd.te +++ b/nslcd.te @@ -16,11 +16,7 @@ type nslcd_var_run_t; files_pid_file(nslcd_var_run_t) type nslcd_conf_t; -<<<<<<< HEAD files_config_file(nslcd_conf_t) -======= -files_type(nslcd_conf_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -28,11 +24,7 @@ files_type(nslcd_conf_t) # allow nslcd_t self:capability { setgid setuid dac_override }; -<<<<<<< HEAD allow nslcd_t self:process { setsched signal }; -======= -allow nslcd_t self:process signal; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow nslcd_t self:unix_stream_socket create_stream_socket_perms; allow nslcd_t nslcd_conf_t:file read_file_perms; 
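Review bot: In the nslcd.if `@@ -128,17 +109,9 @@` hunk the kept line `admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)` passes three arguments, while the call two lines above (`admin_pattern($1, nslcd_conf_t)`) and every other admin_pattern call in this diff pass two; the third argument looks like a leftover and should go: `admin_pattern($1, nslcd_var_run_t)`. The context comment `# Allow nslcd_t to restart the apache service` above `nslcd_initrc_domtrans($1)` in the preceding hunk also names the wrong subject and service for what the line grants; `# Allow the admin domain to run the nslcd init script` matches the code.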
@@ -45,18 +37,14 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir }) kernel_read_system_state(nslcd_t) files_read_etc_files(nslcd_t) -<<<<<<< HEAD files_read_usr_symlinks(nslcd_t) files_list_tmp(nslcd_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 auth_use_nsswitch(nslcd_t) logging_send_syslog_msg(nslcd_t) miscfiles_read_localization(nslcd_t) -<<<<<<< HEAD userdom_read_user_tmp_files(nslcd_t) @@ -68,5 +56,3 @@ optional_policy(` ldap_stream_connect(nslcd_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/pyzor.fc b/pyzor.fc index 1664635..705196e 100644 --- a/pyzor.fc +++ b/pyzor.fc @@ -1,15 +1,10 @@ /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) -<<<<<<< HEAD /etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0) HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) /root/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) /root/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) -======= - -HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) diff --git a/pyzor.if b/pyzor.if index 1bb4750..2c411af 100644 --- a/pyzor.if +++ b/pyzor.if @@ -14,10 +14,7 @@ ## User domain for the role ## ## -<<<<<<< HEAD ## -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # interface(`pyzor_role',` gen_require(` 
@@ -32,14 +29,10 @@ interface(`pyzor_role',` # allow ps to show pyzor and allow the user to kill it ps_process_pattern($2, pyzor_t) -<<<<<<< HEAD allow $2 pyzor_t:process signal_perms; tunable_policy(`deny_ptrace',`',` allow $2 pyzor_t:process ptrace; ') -======= - allow $2 pyzor_t:process signal; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## @@ -99,7 +92,6 @@ interface(`pyzor_exec',` corecmd_search_bin($1) can_exec($1, pyzor_exec_t) ') -<<<<<<< HEAD ######################################## ## @@ -147,5 +139,3 @@ interface(`pyzor_admin',` files_list_var_lib($1) admin_pattern($1, pyzor_var_lib_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/pyzor.te b/pyzor.te index 2252b73..a272112 100644 --- a/pyzor.te +++ b/pyzor.te @@ -1,15 +1,10 @@ -<<<<<<< HEAD policy_module(pyzor, 2.1.0) -======= -policy_module(pyzor, 2.2.0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # # Declarations # -<<<<<<< HEAD ifdef(`distro_redhat',` gen_require(` type spamc_t, spamc_exec_t, spamd_t; 
@@ -66,40 +61,6 @@ ifdef(`distro_redhat',` type pyzord_log_t; logging_log_file(pyzord_log_t) ') -======= -type pyzor_t; -type pyzor_exec_t; -typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t }; -typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t }; -userdom_user_application_domain(pyzor_t, pyzor_exec_t) -role system_r types pyzor_t; - -type pyzor_etc_t; -files_type(pyzor_etc_t) - -type pyzor_home_t; -typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t }; -typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t }; -userdom_user_home_content(pyzor_home_t) - -type pyzor_tmp_t; -typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t }; -typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t }; -userdom_user_tmp_file(pyzor_tmp_t) - -type pyzor_var_lib_t; -typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t }; -typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t }; -files_type(pyzor_var_lib_t) -ubac_constrained(pyzor_var_lib_t) - -type pyzord_t; -type pyzord_exec_t; -init_daemon_domain(pyzord_t, pyzord_exec_t) - -type pyzord_log_t; -logging_log_file(pyzord_log_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -137,22 +98,16 @@ corenet_tcp_connect_http_port(pyzor_t) dev_read_urand(pyzor_t) -<<<<<<< HEAD fs_getattr_xattr_fs(pyzor_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 files_read_etc_files(pyzor_t) auth_use_nsswitch(pyzor_t) miscfiles_read_localization(pyzor_t) -<<<<<<< HEAD mta_read_queue(pyzor_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 userdom_dontaudit_search_user_home_dirs(pyzor_t) optional_policy(` 
@@ -182,13 +137,8 @@ allow pyzord_t pyzor_etc_t:dir list_dir_perms; can_exec(pyzord_t, pyzor_exec_t) manage_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t) -<<<<<<< HEAD allow pyzord_t pyzord_log_t:dir setattr_dir_perms; logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir }) -======= -allow pyzord_t pyzord_log_t:dir setattr; -logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir } ) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 kernel_read_kernel_sysctls(pyzord_t) kernel_read_system_state(pyzord_t) diff --git a/qemu.if b/qemu.if index c1400f5..da3a26d 100644 --- a/qemu.if +++ b/qemu.if @@ -76,11 +76,7 @@ template(`qemu_domain_template',` sysnet_read_config($1_t) -<<<<<<< HEAD userdom_use_inherited_user_terminals($1_t) -======= - userdom_use_user_terminals($1_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 userdom_attach_admin_tun_iface($1_t) optional_policy(` @@ -102,7 +98,6 @@ template(`qemu_domain_template',` ') ') -<<<<<<< HEAD ######################################## ## ## Execute a domain transition to run qemu. @@ -119,50 +114,10 @@ interface(`qemu_domtrans',` ') domtrans_pattern($1, qemu_exec_t, qemu_t) -======= -####################################### -## -## The per role template for the qemu module. -## -## -##

-## This template creates a derived domains which are used -## for qemu web browser. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## -## -## The role associated with the user domain. -## -## -## -## -## The type of the user domain. -## -## -# -template(`qemu_role',` - gen_require(` - type qemu_t, qemu_exec_t; - type qemu_config_t, qemu_config_exec_t; - ') - - role $1 types { qemu_t qemu_config_t }; - - domtrans_pattern($2, qemu_exec_t, qemu_t) - domtrans_pattern($2, qemu_config_exec_t, qemu_config_t) - allow qemu_t $2:process signull; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## ## -<<<<<<< HEAD ## Execute a qemu in the callers domain ## ## @@ -177,22 +132,6 @@ interface(`qemu_exec',` ') can_exec($1, qemu_exec_t) -======= -## Execute a domain transition to run qemu. -##
-## -## -## Domain allowed to transition. -## -## -# -interface(`qemu_domtrans',` - gen_require(` - type qemu_t, qemu_exec_t; - ') - - domtrans_pattern($1, qemu_exec_t, qemu_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## @@ -296,7 +235,6 @@ interface(`qemu_kill',` ######################################## ## -<<<<<<< HEAD ## Execute qemu_exec_t ## in the specified domain but do not ## do it automatically. This is an explicit @@ -354,22 +292,6 @@ interface(`qemu_unconfined_role',` ') role $1 types unconfined_qemu_t; role $1 types qemu_t; -======= -## Execute a domain transition to run qemu unconfined. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`qemu_domtrans_unconfined',` - gen_require(` - type unconfined_qemu_t, qemu_exec_t; - ') - - domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## @@ -407,7 +329,6 @@ interface(`qemu_manage_tmp_files',` manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) ') -<<<<<<< HEAD ######################################## ## @@ -427,5 +348,3 @@ interface(`qemu_entry_type',` domain_entry_file($1, qemu_exec_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/qemu.te b/qemu.te index 2222462..9505fce 100644 --- a/qemu.te +++ b/qemu.te @@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(qemu, 1.5.1) -======= policy_module(qemu, 1.6.1) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -44,13 +40,7 @@ gen_tunable(qemu_use_nfs, true) ## gen_tunable(qemu_use_usb, true) -<<<<<<< HEAD virt_domain_template(qemu) -======= -type qemu_exec_t; -virt_domain_template(qemu) -application_domain(qemu_t, qemu_exec_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 role system_r types qemu_t; ######################################## 
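Review bot: `role $1 types unconfined_qemu_t;` in `qemu_unconfined_role` survives on the kept side, while this hunk drops the other branch's `qemu_domtrans_unconfined` and the qemu.te hunk `@@ -142,21 +121,3 @@` drops the only visible declaration of that type (the `optional_policy` block with `type unconfined_qemu_t;` and `unconfined_domain(unconfined_qemu_t)`). If HEAD does not declare `unconfined_qemu_t` elsewhere, the interface presumably no longer resolves and any module calling it fails to build; if it does declare it, it is worth confirming that the surviving declaration does not also carry the `execstack execmem` and `execmod` allows this merge otherwise removes. The body of `qemu_unconfined_role` starts outside the hunk.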
@@ -58,20 +48,12 @@ role system_r types qemu_t; # qemu local policy # -<<<<<<< HEAD -======= -can_exec(qemu_t, qemu_exec_t) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 storage_raw_write_removable_device(qemu_t) storage_raw_read_removable_device(qemu_t) userdom_search_user_home_content(qemu_t) userdom_read_user_tmpfs_files(qemu_t) -<<<<<<< HEAD userdom_stream_connect(qemu_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 tunable_policy(`qemu_full_network',` allow qemu_t self:udp_socket create_socket_perms; @@ -116,7 +98,6 @@ optional_policy(` ') optional_policy(` -<<<<<<< HEAD tunable_policy(`qemu_use_cifs',` samba_domtrans_smbd(qemu_t) ') @@ -128,8 +109,6 @@ optional_policy(` optional_policy(` virt_manage_home_files(qemu_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 virt_manage_images(qemu_t) virt_append_log(qemu_t) ') @@ -142,21 +121,3 @@ optional_policy(` xserver_read_xdm_pid(qemu_t) xserver_stream_connect(qemu_t) ') -<<<<<<< HEAD -======= - -######################################## -# -# Unconfined qemu local policy -# - -optional_policy(` - type unconfined_qemu_t; - typealias unconfined_qemu_t alias qemu_unconfined_t; - application_type(unconfined_qemu_t) - unconfined_domain(unconfined_qemu_t) - - allow unconfined_qemu_t self:process { execstack execmem }; - allow unconfined_qemu_t qemu_exec_t:file execmod; -') ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/qmail.fc b/qmail.fc index 84b6e7d..f988f51 100644 --- a/qmail.fc +++ b/qmail.fc @@ -17,10 +17,7 @@ /var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0) /var/qmail/control(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0) -<<<<<<< HEAD /var/qmail/owners(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /var/qmail/queue(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0) diff --git a/qmail.if b/qmail.if index 6b5be18..c6dee66 100644 --- a/qmail.if +++ b/qmail.if 
@@ -62,23 +62,13 @@ interface(`qmail_domtrans_inject',` type qmail_inject_t, qmail_inject_exec_t; ') -<<<<<<< HEAD corecmd_search_bin($1) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 domtrans_pattern($1, qmail_inject_exec_t, qmail_inject_t) ifdef(`distro_debian',` files_search_usr($1) -<<<<<<< HEAD ',` files_search_var($1) -======= - corecmd_search_bin($1) - ',` - files_search_var($1) - corecmd_search_bin($1) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ') @@ -97,23 +87,13 @@ interface(`qmail_domtrans_queue',` type qmail_queue_t, qmail_queue_exec_t; ') -<<<<<<< HEAD corecmd_search_bin($1) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 domtrans_pattern($1, qmail_queue_exec_t, qmail_queue_t) ifdef(`distro_debian',` files_search_usr($1) -<<<<<<< HEAD - ',` - files_search_var($1) -======= - corecmd_search_bin($1) ',` files_search_var($1) - corecmd_search_bin($1) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ') @@ -167,7 +147,6 @@ interface(`qmail_smtpd_service_domain',` domtrans_pattern(qmail_smtpd_t, $2, $1) ') -<<<<<<< HEAD ######################################## ## @@ -224,5 +203,3 @@ interface(`qmail_rw_spool_pipes',` allow $1 qmail_spool_t:fifo_file rw_fifo_file_perms; ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/qmail.te b/qmail.te index 26ab5b1..88e6f40 100644 --- a/qmail.te +++ b/qmail.te @@ -47,11 +47,7 @@ qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t) qmail_child_domain_template(qmail_splogger, qmail_start_t) type qmail_spool_t; -<<<<<<< HEAD files_spool_file(qmail_spool_t) -======= -files_type(qmail_spool_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type qmail_start_t; type qmail_start_exec_t; 
@@ -64,11 +60,7 @@ application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t) ######################################## # # qmail-clean local policy -<<<<<<< HEAD # this component cleans up the queue directory -======= -# this component cleans up the queue directory ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # read_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t) @@ -77,19 +69,11 @@ delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t) ######################################## # # qmail-inject local policy -<<<<<<< HEAD # this component preprocesses mail from stdin and invokes qmail-queue # allow qmail_inject_t self:process signal_perms; allow qmail_inject_t self:fifo_file write_fifo_file_perms; -======= -# this component preprocesses mail from stdin and invokes qmail-queue -# - -allow qmail_inject_t self:fifo_file write_fifo_file_perms; -allow qmail_inject_t self:process signal_perms; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow qmail_inject_t qmail_queue_exec_t:file read_file_perms; @@ -104,19 +88,11 @@ qmail_read_config(qmail_inject_t) ######################################## # # qmail-local local policy -<<<<<<< HEAD # this component delivers a mail message # allow qmail_local_t self:process signal_perms; allow qmail_local_t self:fifo_file write_file_perms; -======= -# this component delivers a mail message -# - -allow qmail_local_t self:fifo_file write_file_perms; -allow qmail_local_t self:process signal_perms; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow qmail_local_t self:unix_stream_socket create_stream_socket_perms; manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t) 
@@ -145,24 +121,17 @@ mta_append_spool(qmail_local_t) qmail_domtrans_queue(qmail_local_t) optional_policy(` -<<<<<<< HEAD uucp_domtrans(qmail_local_t) ') optional_policy(` -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 spamassassin_domtrans_client(qmail_local_t) ') ######################################## # # qmail-lspawn local policy -<<<<<<< HEAD # this component schedules local deliveries -======= -# this component schedules local deliveries ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # allow qmail_lspawn_t self:capability { setuid setgid }; @@ -185,25 +154,15 @@ files_search_tmp(qmail_lspawn_t) ######################################## # # qmail-queue local policy -<<<<<<< HEAD # this component places a mail in a delivery queue, later to be processed by qmail-send -======= -# this component places a mail in a delivery queue, later to be processed by qmail-send ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # allow qmail_queue_t qmail_lspawn_t:fd use; allow qmail_queue_t qmail_lspawn_t:fifo_file write_fifo_file_perms; -<<<<<<< HEAD allow qmail_queue_t qmail_smtpd_t:process sigchld; allow qmail_queue_t qmail_smtpd_t:fd use; allow qmail_queue_t qmail_smtpd_t:fifo_file read_fifo_file_perms; -======= -allow qmail_queue_t qmail_smtpd_t:fd use; -allow qmail_queue_t qmail_smtpd_t:fifo_file read_fifo_file_perms; -allow qmail_queue_t qmail_smtpd_t:process sigchld; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t) manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t) @@ -220,11 +179,7 @@ optional_policy(` ######################################## # # qmail-remote local policy -<<<<<<< HEAD # this component sends mail via SMTP -======= -# this component sends mail via SMTP ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # allow qmail_remote_t self:tcp_socket create_socket_perms; 
@@ -251,11 +206,7 @@ sysnet_read_config(qmail_remote_t) ######################################## # # qmail-rspawn local policy -<<<<<<< HEAD # this component scedules remote deliveries -======= -# this component scedules remote deliveries ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # allow qmail_rspawn_t self:process signal_perms; @@ -270,11 +221,7 @@ corecmd_search_bin(qmail_rspawn_t) ######################################## # # qmail-send local policy -<<<<<<< HEAD # this component delivers mail messages from the queue -======= -# this component delivers mail messages from the queue ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # allow qmail_send_t self:process signal_perms; @@ -293,11 +240,7 @@ optional_policy(` ######################################## # # qmail-smtpd local policy -<<<<<<< HEAD # this component receives mails via SMTP -======= -# this component receives mails via SMTP ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # allow qmail_smtpd_t self:process signal_perms; @@ -326,11 +269,7 @@ optional_policy(` ######################################## # # splogger local policy -<<<<<<< HEAD # this component creates entries in syslog -======= -# this component creates entries in syslog ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # allow qmail_splogger_t self:unix_dgram_socket create_socket_perms; 
@@ -344,22 +283,13 @@ miscfiles_read_localization(qmail_splogger_t) ######################################## # # qmail-start local policy -<<<<<<< HEAD # this component starts up the mail delivery component -======= -# this component starts up the mail delivery component ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # allow qmail_start_t self:capability { setgid setuid }; dontaudit qmail_start_t self:capability sys_tty_config; -<<<<<<< HEAD allow qmail_start_t self:process signal_perms; allow qmail_start_t self:fifo_file rw_fifo_file_perms; -======= -allow qmail_start_t self:fifo_file rw_fifo_file_perms; -allow qmail_start_t self:process signal_perms; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 can_exec(qmail_start_t, qmail_start_exec_t) @@ -377,11 +307,7 @@ optional_policy(` ######################################## # # tcp-env local policy -<<<<<<< HEAD # this component sets up TCP-related environment variables -======= -# this component sets up TCP-related environment variables ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms; diff --git a/qpid.fc b/qpid.fc index 1aefa17..f3b89e4 100644 --- a/qpid.fc +++ b/qpid.fc @@ -1,15 +1,8 @@ -<<<<<<< HEAD /usr/sbin/qpidd -- gen_context(system_u:object_r:qpidd_exec_t,s0) /etc/rc\.d/init\.d/qpidd -- gen_context(system_u:object_r:qpidd_initrc_exec_t,s0) -======= -/etc/rc\.d/init\.d/qpidd -- gen_context(system_u:object_r:qpidd_initrc_exec_t,s0) - -/usr/sbin/qpidd -- gen_context(system_u:object_r:qpidd_exec_t,s0) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /var/lib/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_lib_t,s0) /var/run/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_run_t,s0) diff --git a/qpid.if b/qpid.if index 8b40e89..bedca3a 100644 --- a/qpid.if +++ b/qpid.if 
@@ -1,8 +1,4 @@ -<<<<<<< HEAD ## policy for qpidd -======= -## Apache QPID AMQP messaging server. ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## ## @@ -22,15 +18,9 @@ interface(`qpidd_domtrans',` domtrans_pattern($1, qpidd_exec_t, qpidd_t) ') -<<<<<<< HEAD ######################################## ## ## Execute qpidd server in the qpidd domain. -======= -##################################### -## -## Allow read and write access to qpidd semaphores. ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## ## ## @@ -38,30 +28,17 @@ interface(`qpidd_domtrans',` ## ## # -<<<<<<< HEAD interface(`qpidd_initrc_domtrans',` gen_require(` type qpidd_initrc_exec_t; ') init_labeled_script_domtrans($1, qpidd_initrc_exec_t) -======= -interface(`qpidd_rw_semaphores',` - gen_require(` - type qpidd_t; - ') - - allow $1 qpidd_t:sem rw_sem_perms; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## ## -<<<<<<< HEAD ## Read qpidd PID files. -======= -## Read and write to qpidd shared memory. ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## ## ## @@ -69,7 +46,6 @@ interface(`qpidd_rw_semaphores',` ## ## # -<<<<<<< HEAD interface(`qpidd_read_pid_files',` gen_require(` type qpidd_var_run_t; @@ -77,23 +53,11 @@ interface(`qpidd_read_pid_files',` files_search_pids($1) allow $1 qpidd_var_run_t:file read_file_perms; -======= -interface(`qpidd_rw_shm',` - gen_require(` - type qpidd_t; - ') - - allow $1 qpidd_t:shm rw_shm_perms; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## ## -<<<<<<< HEAD ## Manage qpidd var_run files. -======= -## Execute qpidd server in the qpidd domain. ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## ## ## @@ -101,7 +65,6 @@ interface(`qpidd_rw_shm',` ## ## # -<<<<<<< HEAD interface(`qpidd_manage_var_run',` gen_require(` type qpidd_var_run_t; 
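Review bot: The file summary kept at the top of qpid.if, `## policy for qpidd`, says less than the discarded `## Apache QPID AMQP messaging server.`, and the summary line is what ends up in generated interface documentation. Prefer the descriptive one: `## Apache QPID AMQP messaging server.`.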
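Review bot: The hunk that settles the conflicted `qpidd_initrc_domtrans` body removes the other branch's `qpidd_rw_semaphores` interface (`allow $1 qpidd_t:sem rw_sem_perms;`), and no definition of it survives in the kept qpid.if visible here, although its sibling `qpidd_rw_shm` does (hunk `@@ -334,9 +231,4 @@`). If any module in this tree still calls `qpidd_rw_semaphores`, it will now fail to build; if the interface is intentionally gone, the commit message should say so, since "Merge others" does not.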
@@ -111,23 +74,11 @@ interface(`qpidd_manage_var_run',` manage_dirs_pattern($1, qpidd_var_run_t, qpidd_var_run_t) manage_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t) manage_lnk_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t) -======= -interface(`qpidd_initrc_domtrans',` - gen_require(` - type qpidd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, qpidd_initrc_exec_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## ## -<<<<<<< HEAD ## Search qpidd lib directories. -======= -## Read qpidd PID files. ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## ## ## @@ -135,7 +86,6 @@ interface(`qpidd_initrc_domtrans',` ## ## # -<<<<<<< HEAD interface(`qpidd_search_lib',` gen_require(` type qpidd_var_lib_t; @@ -143,24 +93,11 @@ interface(`qpidd_search_lib',` allow $1 qpidd_var_lib_t:dir search_dir_perms; files_search_var_lib($1) -======= -interface(`qpidd_read_pid_files',` - gen_require(` - type qpidd_var_run_t; - ') - - files_search_pids($1) - allow $1 qpidd_var_run_t:file read_file_perms; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## ## -<<<<<<< HEAD ## Read qpidd lib files. -======= -## Search qpidd lib directories. ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## ## ## @@ -168,32 +105,19 @@ interface(`qpidd_read_pid_files',` ## ## # -<<<<<<< HEAD interface(`qpidd_read_lib_files',` -======= -interface(`qpidd_search_lib',` ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 gen_require(` type qpidd_var_lib_t; ') -<<<<<<< HEAD files_search_var_lib($1) read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) -======= - allow $1 qpidd_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## ## -<<<<<<< HEAD ## Create, read, write, and delete ## qpidd lib files. -======= -## Read qpidd lib files. ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## ## ## 
@@ -201,31 +125,18 @@ interface(`qpidd_search_lib',` ## ## # -<<<<<<< HEAD interface(`qpidd_manage_lib_files',` -======= -interface(`qpidd_read_lib_files',` ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 gen_require(` type qpidd_var_lib_t; ') files_search_var_lib($1) -<<<<<<< HEAD manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) -======= - read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## ## -<<<<<<< HEAD ## Manage qpidd var_lib files. -======= -## Create, read, write, and delete -## qpidd lib files. ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## ## ## @@ -233,23 +144,15 @@ interface(`qpidd_read_lib_files',` ## ## # -<<<<<<< HEAD interface(`qpidd_manage_var_lib',` -======= -interface(`qpidd_manage_lib_files',` ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 gen_require(` type qpidd_var_lib_t; ') files_search_var_lib($1) -<<<<<<< HEAD manage_dirs_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) -======= - manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## @@ -274,16 +177,11 @@ interface(`qpidd_admin',` type qpidd_t, qpidd_initrc_exec_t; ') -<<<<<<< HEAD allow $1 qpidd_t:process signal_perms; ps_process_pattern($1, qpidd_t) tunable_policy(`deny_ptrace',`',` allow $1 qpidd_t:process ptrace; ') -======= - allow $1 qpidd_t:process { ptrace signal_perms }; - ps_process_pattern($1, qpidd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # Allow qpidd_t to restart the apache service qpidd_initrc_domtrans($1) @@ -291,7 +189,6 @@ interface(`qpidd_admin',` role_transition $2 qpidd_initrc_exec_t system_r; allow $2 system_r; -<<<<<<< HEAD qpidd_manage_var_run($1) qpidd_manage_var_lib($1) 
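Review bot: The comment `# Allow qpidd_t to restart the apache service` kept inside `qpidd_admin` describes neither the subject nor the object of the rule under it: `qpidd_initrc_domtrans($1)` lets the admin domain passed as `$1` run the qpidd init script, and qpidd_t itself is granted nothing here. Change it to `# Allow the admin domain to run the qpidd init script`. `qpidd_admin` continues past the hunk.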
@@ -334,9 +231,4 @@ interface(`qpidd_rw_shm',` allow $1 qpidd_t:shm rw_shm_perms; fs_search_tmpfs($1) manage_files_pattern($1, qpidd_tmpfs_t, qpidd_tmpfs_t) -======= - admin_pattern($1, qpidd_var_lib_t) - - admin_pattern($1, qpidd_var_run_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') diff --git a/qpid.te b/qpid.te index 31f44b6..52cb067 100644 --- a/qpid.te +++ b/qpid.te @@ -12,23 +12,15 @@ init_daemon_domain(qpidd_t, qpidd_exec_t) type qpidd_initrc_exec_t; init_script_file(qpidd_initrc_exec_t) -<<<<<<< HEAD type qpidd_tmpfs_t; files_tmpfs_file(qpidd_tmpfs_t) -======= -type qpidd_var_lib_t; -files_type(qpidd_var_lib_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type qpidd_var_run_t; files_pid_file(qpidd_var_run_t) -<<<<<<< HEAD type qpidd_var_lib_t; files_type(qpidd_var_lib_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # # qpidd local policy @@ -41,7 +33,6 @@ allow qpidd_t self:shm create_shm_perms; allow qpidd_t self:tcp_socket create_stream_socket_perms; allow qpidd_t self:unix_stream_socket create_stream_socket_perms; -<<<<<<< HEAD manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t) manage_files_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t) fs_tmpfs_filetrans(qpidd_t, qpidd_tmpfs_t, { dir file }) 
@@ -52,21 +43,12 @@ files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir }) manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t) manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t) -======= -manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) -manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) -files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir }) - -manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t) -manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 files_pid_filetrans(qpidd_t, qpidd_var_run_t, { file dir }) kernel_read_system_state(qpidd_t) corenet_all_recvfrom_unlabeled(qpidd_t) corenet_all_recvfrom_netlabel(qpidd_t) -<<<<<<< HEAD corenet_tcp_bind_generic_node(qpidd_t) corenet_tcp_sendrecv_generic_if(qpidd_t) corenet_tcp_sendrecv_generic_node(qpidd_t) @@ -81,17 +63,6 @@ dev_read_urand(qpidd_t) files_read_etc_files(qpidd_t) files_read_usr_files(qpidd_t) -======= -corenet_tcp_sendrecv_generic_if(qpidd_t) -corenet_tcp_sendrecv_generic_node(qpidd_t) -corenet_tcp_sendrecv_all_ports(qpidd_t) -corenet_tcp_bind_generic_node(qpidd_t) -corenet_tcp_bind_amqp_port(qpidd_t) - -dev_read_urand(qpidd_t) - -files_read_etc_files(qpidd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 logging_send_syslog_msg(qpidd_t) @@ -102,11 +73,8 @@ sysnet_dns_name_resolve(qpidd_t) optional_policy(` corosync_stream_connect(qpidd_t) ') -<<<<<<< HEAD optional_policy(` matahari_manage_lib_files(qpidd_t) matahari_manage_pid_files(qpidd_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/quota.fc b/quota.fc index d127898..e63f9c6 100644 --- a/quota.fc +++ b/quota.fc 
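Review bot: The block discarded in the second qpid.te hunk carried `corenet_tcp_bind_amqp_port(qpidd_t)`, and the kept side shown in these two hunks has only `corenet_tcp_bind_generic_node` and the generic sendrecv rules; new lines 55–62 fall between the hunks and are not in the diff, so it is not visible whether the broker can still bind its AMQP port. Please confirm a port-specific bind rule remains on the kept side, otherwise qpidd will be denied its listening socket after this merge. Dropping the other branch's `corenet_tcp_sendrecv_all_ports(qpidd_t)` is fine from a least-privilege standpoint as long as that specific rule stays.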
@@ -1,8 +1,5 @@ HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) -<<<<<<< HEAD HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) @@ -12,27 +9,18 @@ HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) /sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0) -<<<<<<< HEAD /usr/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0) /var/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) /var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0) /var/spool/(.*/)?a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) -======= -/var/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) -/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0) -/var/spool/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ifdef(`distro_redhat',` /usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0) ',` /sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0) ') -<<<<<<< HEAD /usr/sbin/quota_nld -- gen_context(system_u:object_r:quota_nld_exec_t,s0) /var/run/quota_nld\.pid -- gen_context(system_u:object_r:quota_nld_var_run_t,s0) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/quota.if b/quota.if index e2eb706..3fb8575 100644 --- a/quota.if +++ b/quota.if @@ -45,7 +45,6 @@ interface(`quota_run',` role $2 types quota_t; ') -<<<<<<< HEAD ####################################### ## ## Alow to read of filesystem quota data files. 
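Review bot: The kept summary line `## Alow to read of filesystem quota data files.` at the end of the hunk has a typo and awkward phrasing, and these summaries are copied into generated interface docs. Change it to `## Read filesystem quota data files.`, matching the phrasing of the other summaries in the file. The interface it heads, `quota_read_db`, starts past the hunk.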
@@ -64,8 +63,6 @@ interface(`quota_read_db',` allow $1 quota_db_t:file read_file_perms; ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## ## ## Do not audit attempts to get the attributes @@ -88,7 +85,6 @@ interface(`quota_dontaudit_getattr_db',` ######################################## ## ## Create, read, write, and delete quota -<<<<<<< HEAD ## db files. ## ## @@ -108,8 +104,6 @@ interface(`quota_manage_db',` ######################################## ## ## Create, read, write, and delete quota -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## flag files. ## ## @@ -126,7 +120,6 @@ interface(`quota_manage_flags',` files_search_var_lib($1) manage_files_pattern($1, quota_flag_t, quota_flag_t) ') -<<<<<<< HEAD ######################################## ## @@ -183,5 +176,3 @@ interface(`quota_domtrans_nld',` corecmd_search_bin($1) domtrans_pattern($1, quota_nld_exec_t, quota_nld_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/quota.te b/quota.te index 0502b5c..fdacc43 100644 --- a/quota.te +++ b/quota.te @@ -7,12 +7,8 @@ policy_module(quota, 1.5.0) type quota_t; type quota_exec_t; -<<<<<<< HEAD application_domain(quota_t, quota_exec_t) #init_system_domain(quota_t, quota_exec_t) -======= -init_system_domain(quota_t, quota_exec_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type quota_db_t; files_type(quota_db_t) @@ -20,7 +16,6 @@ files_type(quota_db_t) type quota_flag_t; files_type(quota_flag_t) -<<<<<<< HEAD type quota_nld_t; type quota_nld_exec_t; init_daemon_domain(quota_nld_t, quota_nld_exec_t) @@ -28,8 +23,6 @@ init_daemon_domain(quota_nld_t, quota_nld_exec_t) type quota_nld_var_run_t; files_pid_file(quota_nld_var_run_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # # Local policy 
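Review bot: The kept side of the quota.te hunk leaves `#init_system_domain(quota_t, quota_exec_t)` as a commented-out line directly under `application_domain(quota_t, quota_exec_t)`, with nothing saying why the daemon-style declaration was set aside; the discarded branch had the init_system_domain variant live, so the divergence will reconflict on the next merge. Either delete the dead line or replace it with a short why-comment such as `# quota_t is run as an application, not an init-started daemon — TODO confirm`.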
@@ -49,7 +42,6 @@ files_home_filetrans(quota_t, quota_db_t, file) files_usr_filetrans(quota_t, quota_db_t, file) files_var_filetrans(quota_t, quota_db_t, file) files_spool_filetrans(quota_t, quota_db_t, file) -<<<<<<< HEAD userdom_user_home_dir_filetrans(quota_t, quota_db_t, file) optional_policy(` @@ -57,8 +49,6 @@ optional_policy(` mta_spool_filetrans(quota_t, quota_db_t, file) mta_spool_filetrans_queue(quota_t, quota_db_t, file) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 kernel_list_proc(quota_t) kernel_read_proc_symlinks(quota_t) @@ -97,11 +87,7 @@ init_use_script_ptys(quota_t) logging_send_syslog_msg(quota_t) -<<<<<<< HEAD userdom_use_inherited_user_terminals(quota_t) -======= -userdom_use_user_terminals(quota_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 userdom_dontaudit_use_unpriv_user_fds(quota_t) optional_policy(` @@ -111,7 +97,6 @@ optional_policy(` optional_policy(` udev_read_db(quota_t) ') -<<<<<<< HEAD ####################################### # diff --git a/radvd.if b/radvd.if index bd15166..7b00e1e 100644 --- a/radvd.if +++ b/radvd.if @@ -19,7 +19,6 @@ # interface(`radvd_admin',` gen_require(` -<<<<<<< HEAD type radvd_t, radvd_etc_t, radvd_initrc_exec_t; type radvd_var_run_t; ') @@ -29,14 +28,6 @@ interface(`radvd_admin',` tunable_policy(`deny_ptrace',`',` allow $1 radvd_t:process ptrace; ') -======= - type radvd_t, radvd_etc_t; - type radvd_var_run_t, radvd_initrc_exec_t; - ') - - allow $1 radvd_t:process { ptrace signal_perms }; - ps_process_pattern($1, radvd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 init_labeled_script_domtrans($1, radvd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/rdisc.fc b/rdisc.fc index 495cb8e..a7e4bc7 100644 --- a/rdisc.fc +++ b/rdisc.fc @@ -1,7 +1,4 @@ /sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0) -<<<<<<< HEAD /usr/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 
diff --git a/resmgr.fc b/resmgr.fc index c9eb9e4..a888eb9 100644 --- a/resmgr.fc +++ b/resmgr.fc @@ -2,11 +2,7 @@ /etc/resmgr\.conf -- gen_context(system_u:object_r:resmgrd_etc_t,s0) /sbin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0) - -<<<<<<< HEAD /usr/sbin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /var/run/\.resmgr_socket -s gen_context(system_u:object_r:resmgrd_var_run_t,s0) /var/run/resmgr\.pid -- gen_context(system_u:object_r:resmgrd_var_run_t,s0) diff --git a/resmgr.if b/resmgr.if index d4d7f86..eabdd78 100644 --- a/resmgr.if +++ b/resmgr.if @@ -16,12 +16,6 @@ interface(`resmgr_stream_connect',` type resmgrd_var_run_t, resmgrd_t; ') -<<<<<<< HEAD files_search_pids($1) stream_connect_pattern($1, resmgrd_var_run_t, resmgrd_var_run_t, resmgrd_t) -======= - allow $1 resmgrd_t:unix_stream_socket connectto; - allow $1 resmgrd_var_run_t:sock_file { getattr write }; - files_search_pids($1) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') diff --git a/roundup.if b/roundup.if index b499ce6..e07c2ff 100644 --- a/roundup.if +++ b/roundup.if @@ -23,16 +23,11 @@ interface(`roundup_admin',` type roundup_initrc_exec_t; ') -<<<<<<< HEAD allow $1 roundup_t:process signal_perms; ps_process_pattern($1, roundup_t) tunable_policy(`deny_ptrace',`',` allow $1 roundup_t:process ptrace; ') -======= - allow $1 roundup_t:process { ptrace signal_perms }; - ps_process_pattern($1, roundup_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 init_labeled_script_domtrans($1, roundup_initrc_exec_t) domain_system_change_exemption($1) diff --git a/rwho.if b/rwho.if index cc9afd9..886a45e 100644 --- a/rwho.if +++ b/rwho.if @@ -5,15 +5,9 @@ ## Execute a domain transition to run rwho. ## ## -<<<<<<< HEAD -## -## Domain allowed to transition. -## -======= ## ## Domain allowed to transition. ## ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## # interface(`rwho_domtrans',` 
@@ -144,16 +138,11 @@ interface(`rwho_admin',` type rwho_initrc_exec_t; ') -<<<<<<< HEAD allow $1 rwho_t:process signal_perms; ps_process_pattern($1, rwho_t) tunable_policy(`deny_ptrace',`',` allow $1 rwho_t:process ptrace; ') -======= - allow $1 rwho_t:process { ptrace signal_perms }; - ps_process_pattern($1, rwho_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 init_labeled_script_domtrans($1, rwho_initrc_exec_t) domain_system_change_exemption($1) diff --git a/rwho.te b/rwho.te index 035beaa..36b4903 100644 --- a/rwho.te +++ b/rwho.te @@ -16,11 +16,7 @@ type rwho_log_t; files_type(rwho_log_t) type rwho_spool_t; -<<<<<<< HEAD files_spool_file(rwho_spool_t) -======= -files_type(rwho_spool_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -28,10 +24,7 @@ files_type(rwho_spool_t) # allow rwho_t self:capability sys_chroot; -<<<<<<< HEAD allow rwho_t self:process signal; -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow rwho_t self:unix_dgram_socket create; allow rwho_t self:fifo_file rw_file_perms; allow rwho_t self:unix_stream_socket create_stream_socket_perms; @@ -63,7 +56,6 @@ files_read_etc_files(rwho_t) init_read_utmp(rwho_t) init_dontaudit_write_utmp(rwho_t) -<<<<<<< HEAD logging_send_syslog_msg(rwho_t) miscfiles_read_localization(rwho_t) @@ -71,8 +63,3 @@ miscfiles_read_localization(rwho_t) sysnet_dns_name_resolve(rwho_t) userdom_getattr_user_terminals(rwho_t) -======= -miscfiles_read_localization(rwho_t) - -sysnet_dns_name_resolve(rwho_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/samba.fc b/samba.fc index 70607e0..5c02dec 100644 --- a/samba.fc +++ b/samba.fc 
@@ -14,11 +14,8 @@ # # /usr # -<<<<<<< HEAD /usr/lib/systemd/system/smb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0) /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) /usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) @@ -41,12 +38,9 @@ /var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0) -<<<<<<< HEAD /var/run/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0) /var/run/samba(/.*)? gen_context(system_u:object_r:smbd_var_run_t,s0) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) /var/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) /var/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) @@ -62,10 +56,7 @@ /var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) /var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) -<<<<<<< HEAD ifndef(`enable_mls',` /var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/samba.if b/samba.if index a29a1f2..f9a546d 100644 --- a/samba.if +++ b/samba.if @@ -42,7 +42,6 @@ interface(`samba_signal_nmbd',` ######################################## ## -<<<<<<< HEAD ## Connect to nmbd. ## ## @@ -62,8 +61,6 @@ interface(`samba_stream_connect_nmbd',` ######################################## ## -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## Execute samba server in the samba domain. ## ## @@ -82,7 +79,6 @@ interface(`samba_initrc_domtrans',` ######################################## ## -<<<<<<< HEAD ## Execute samba server in the samba domain. ## ## 
@@ -106,8 +102,6 @@ interface(`samba_systemctl',` ######################################## ## -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## Execute samba net in the samba_net domain. ## ## @@ -127,7 +121,6 @@ interface(`samba_domtrans_net',` ######################################## ## -<<<<<<< HEAD ## Execute samba net in the samba_unconfined_net domain. ## ## @@ -147,8 +140,6 @@ interface(`samba_domtrans_unconfined_net',` ######################################## ## -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## Execute samba net in the samba_net domain, and ## allow the specified role the samba_net domain. ## @@ -173,7 +164,6 @@ interface(`samba_run_net',` role $2 types samba_net_t; ') -<<<<<<< HEAD ####################################### ## ## The role for the samba module. @@ -219,8 +209,6 @@ interface(`samba_run_unconfined_net',` role $2 types samba_unconfined_net_t; ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## ## ## Execute smbmount in the smbmount domain. @@ -445,10 +433,7 @@ interface(`samba_search_var',` type samba_var_t; ') -<<<<<<< HEAD -======= files_search_var($1) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 files_search_var_lib($1) allow $1 samba_var_t:dir search_dir_perms; ') @@ -469,10 +454,7 @@ interface(`samba_read_var_files',` type samba_var_t; ') -<<<<<<< HEAD -======= files_search_var($1) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 files_search_var_lib($1) read_files_pattern($1, samba_var_t, samba_var_t) ') @@ -512,10 +494,7 @@ interface(`samba_rw_var_files',` type samba_var_t; ') -<<<<<<< HEAD -======= files_search_var($1) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 files_search_var_lib($1) rw_files_pattern($1, samba_var_t, samba_var_t) ') 
@@ -536,15 +515,10 @@ interface(`samba_manage_var_files',` type samba_var_t; ') -<<<<<<< HEAD files_search_var_lib($1) - manage_files_pattern($1, samba_var_t, samba_var_t) - manage_lnk_files_pattern($1, samba_var_t, samba_var_t) -======= - files_search_var($1) files_search_var_lib($1) manage_files_pattern($1, samba_var_t, samba_var_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 + manage_lnk_files_pattern($1, samba_var_t, samba_var_t) ') ######################################## @@ -552,25 +526,15 @@ interface(`samba_manage_var_files',` ## Execute a domain transition to run smbcontrol. ## ## -<<<<<<< HEAD -## -## Domain allowed to transition. -## -======= ## ## Domain allowed to transition. ## ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## # interface(`samba_domtrans_smbcontrol',` gen_require(` -<<<<<<< HEAD - type smbcontrol_t, smbcontrol_exec_t; -======= type smbcontrol_t; type smbcontrol_exec_t; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t) @@ -707,10 +671,7 @@ interface(`samba_domtrans_winbind_helper',` ') domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t) -<<<<<<< HEAD allow $1 winbind_helper_t:process signal; -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## @@ -776,10 +737,7 @@ interface(`samba_stream_connect_winbind',` files_search_pids($1) allow $1 samba_var_t:dir search_dir_perms; stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t) -<<<<<<< HEAD samba_read_config($1) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ifndef(`distro_redhat',` gen_require(` @@ -795,7 +753,6 @@ interface(`samba_stream_connect_winbind',` ######################################## ## -<<<<<<< HEAD ## Create a set of derived types for apache ## web content. ## 
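Review bot: The resolved body of samba_manage_var_files drops `files_search_var($1)`, while the three sibling interfaces resolved just before it in samba.if (samba_search_var, samba_read_var_files, samba_rw_var_files) were resolved to keep `files_search_var($1)` followed by `files_search_var_lib($1)`; the four interfaces should agree, so either add the call here or drop it from the siblings. The two surviving context lines also appear to leave `files_search_var_lib($1)` in this body twice (the collapsed layout makes the exact count an inference); a duplicate call is harmless to the compiled policy but misleading to the next reader. The same leftover-duplicate pattern shows up in the samba.te winbind hunk where `corenet_tcp_connect_smbd_port(winbind_t)` is now listed twice in a row.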
@@ -827,8 +784,6 @@ template(`samba_helper_template',` ######################################## ## -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## All of the rules required to administrate ## an samba environment ## @@ -846,7 +801,6 @@ template(`samba_helper_template',` # interface(`samba_admin',` gen_require(` -<<<<<<< HEAD type nmbd_t, nmbd_var_run_t, smbd_var_run_t; type smbd_t, smbd_tmp_t, samba_secrets_t; type samba_initrc_exec_t, samba_log_t, samba_var_t; @@ -874,35 +828,6 @@ interface(`samba_admin',` samba_run_winbind_helper($1, $2) samba_run_smbmount($1, $2) samba_run_net($1, $2) -======= - type nmbd_t, nmbd_var_run_t; - type smbd_t, smbd_tmp_t; - type smbd_var_run_t; - type smbd_spool_t; - - type samba_log_t, samba_var_t; - type samba_etc_t, samba_share_t; - type samba_secrets_t; - - type swat_var_run_t, swat_tmp_t; - - type winbind_var_run_t, winbind_tmp_t; - type winbind_log_t; - - type samba_initrc_exec_t; - ') - - allow $1 smbd_t:process { ptrace signal_perms }; - ps_process_pattern($1, smbd_t) - - allow $1 nmbd_t:process { ptrace signal_perms }; - ps_process_pattern($1, nmbd_t) - - samba_run_smbcontrol($1, $2, $3) - samba_run_winbind_helper($1, $2, $3) - samba_run_smbmount($1, $2, $3) - samba_run_net($1, $2, $3) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 init_labeled_script_domtrans($1, samba_initrc_exec_t) domain_system_change_exemption($1) @@ -924,12 +849,9 @@ interface(`samba_admin',` admin_pattern($1, samba_var_t) files_list_var($1) -<<<<<<< HEAD -======= admin_pattern($1, smbd_spool_t) files_list_spool($1) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 admin_pattern($1, smbd_var_run_t) files_list_pids($1) 
@@ -945,12 +867,9 @@ interface(`samba_admin',` admin_pattern($1, winbind_tmp_t) admin_pattern($1, winbind_var_run_t) -<<<<<<< HEAD admin_pattern($1, samba_unconfined_script_exec_t) samba_systemctl($1) admin_pattern($1, samba_unit_file_t) allow $1 samba_unit_file_t:service all_service_perms; -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') diff --git a/samba.te b/samba.te index 48a0211..7c750b2 100644 --- a/samba.te +++ b/samba.te @@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(samba, 1.13.0) -======= policy_module(samba, 1.14.1) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ################################# # @@ -29,18 +25,13 @@ gen_tunable(samba_create_home_dirs, false) ##

## Allow samba to act as the domain controller, add users, ## groups and change passwords. -<<<<<<< HEAD -## -======= ## ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ##

## gen_tunable(samba_domain_controller, false) ## ##

-<<<<<<< HEAD ## Allow samba to act as a portmapper ## ##

@@ -49,8 +40,6 @@ gen_tunable(samba_portmapper, false) ## ##

-======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## Allow samba to share users home directories. ##

##
@@ -104,12 +93,9 @@ files_config_file(samba_etc_t) type samba_initrc_exec_t; init_script_file(samba_initrc_exec_t) -<<<<<<< HEAD type samba_unit_file_t; systemd_unit_file(samba_unit_file_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type samba_log_t; logging_log_file(samba_log_t) @@ -177,12 +163,9 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t) type winbind_log_t; logging_log_file(winbind_log_t) -<<<<<<< HEAD -======= type winbind_tmp_t; files_tmp_file(winbind_tmp_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type winbind_var_run_t; files_pid_file(winbind_var_run_t) @@ -209,10 +192,7 @@ files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir }) manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t) manage_files_pattern(samba_net_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t) -<<<<<<< HEAD -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 kernel_read_proc_symlinks(samba_net_t) kernel_read_system_state(samba_net_t) @@ -242,7 +222,6 @@ auth_manage_cache(samba_net_t) logging_send_syslog_msg(samba_net_t) -<<<<<<< HEAD miscfiles_read_localization(samba_net_t) samba_read_var_files(samba_net_t) 
@@ -258,36 +237,20 @@ optional_policy(` ') optional_policy(` -======= -miscfiles_read_localization(samba_net_t) - -samba_read_var_files(samba_net_t) - -userdom_use_user_terminals(samba_net_t) -userdom_list_user_home_dirs(samba_net_t) - -optional_policy(` ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 pcscd_read_pub_files(samba_net_t) ') optional_policy(` kerberos_use(samba_net_t) -<<<<<<< HEAD kerberos_etc_filetrans_keytab(samba_net_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## # # smbd Local policy # -<<<<<<< HEAD + allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search }; -======= -allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 dontaudit smbd_t self:capability sys_tty_config; allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow smbd_t self:process setrlimit; @@ -305,13 +268,9 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow smbd_t nmbd_t:process { signal signull }; -<<<<<<< HEAD allow winbind_t smbd_var_run_t:dir search_dir_perms; allow smbd_t nmbd_var_run_t:file rw_file_perms; stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) -======= -allow smbd_t nmbd_var_run_t:file rw_file_perms; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow smbd_t samba_etc_t:file { rw_file_perms setattr }; 
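Review bot: The resolution keeps the HEAD-side capability set for smbd_t, which carries `kill fsetid sys_chroot sys_admin` on top of the upstream line being removed, and nothing in the hunk records why the wider set is needed; `sys_admin` in particular is a near-root capability for a network-facing daemon. Add a comment above the allow rule naming the feature or bug each extra capability is for, e.g. `# kill/fsetid/sys_chroot/sys_admin are Fedora-specific; needed for <reason — TODO fill in>`, or gate the rarely needed ones behind a tunable. The lone `+` just before the rule looks like an empty line added in place of the conflict marker; confirm that whitespace change is intended.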
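Review bot: `allow winbind_t smbd_var_run_t:dir search_dir_perms;` is kept here under the smbd local policy heading, while the identical rule is also kept in the winbind section of this same diff (the hunk at old line 1018). The copy in the smbd section is redundant and sits under the wrong domain; drop it here and leave the winbind-section rule in place so each domain's rules stay with its own section.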
@@ -326,20 +285,13 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t) manage_files_pattern(smbd_t, samba_share_t, samba_share_t) manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t) -<<<<<<< HEAD allow smbd_t samba_share_t:filesystem { getattr quotaget }; -======= -allow smbd_t samba_share_t:filesystem getattr; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t) manage_files_pattern(smbd_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t) manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t) -<<<<<<< HEAD files_var_filetrans(smbd_t, samba_var_t, dir) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow smbd_t smbcontrol_t:process { signal signull }; @@ -350,11 +302,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir }) manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) -<<<<<<< HEAD files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file }) -======= -files_pid_filetrans(smbd_t, smbd_var_run_t, file) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow smbd_t swat_t:process signal; @@ -391,10 +339,7 @@ corenet_tcp_connect_smbd_port(smbd_t) dev_read_sysfs(smbd_t) dev_read_urand(smbd_t) -<<<<<<< HEAD dev_dontaudit_write_urand(smbd_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 dev_getattr_mtrr_dev(smbd_t) dev_dontaudit_getattr_usbfs_dirs(smbd_t) # For redhat bug 566984 
@@ -402,27 +347,18 @@ dev_getattr_all_blk_files(smbd_t) dev_getattr_all_chr_files(smbd_t) fs_getattr_all_fs(smbd_t) -<<<<<<< HEAD fs_getattr_all_dirs(smbd_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 fs_get_xattr_fs_quotas(smbd_t) fs_search_auto_mountpoints(smbd_t) fs_getattr_rpc_dirs(smbd_t) fs_list_inotifyfs(smbd_t) -<<<<<<< HEAD fs_get_all_fs_quotas(smbd_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 auth_use_nsswitch(smbd_t) auth_domtrans_chk_passwd(smbd_t) auth_domtrans_upd_passwd(smbd_t) auth_manage_cache(smbd_t) -<<<<<<< HEAD auth_write_login_records(smbd_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 domain_use_interactive_fds(smbd_t) domain_dontaudit_list_all_domains_state(smbd_t) @@ -434,10 +370,7 @@ files_read_usr_files(smbd_t) files_search_spool(smbd_t) # smbd seems to getattr all mountpoints files_dontaudit_getattr_all_dirs(smbd_t) -<<<<<<< HEAD files_dontaudit_list_all_mountpoints(smbd_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # Allow samba to list mnt_t for potential mounted dirs files_list_mnt(smbd_t) @@ -449,11 +382,8 @@ logging_send_syslog_msg(smbd_t) miscfiles_read_localization(smbd_t) miscfiles_read_public_files(smbd_t) -<<<<<<< HEAD sysnet_use_ldap(smbd_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 userdom_use_unpriv_users_fds(smbd_t) userdom_search_user_home_content(smbd_t) userdom_signal_all_users(smbd_t) @@ -470,14 +400,11 @@ ifdef(`hide_broken_symptoms', ` tunable_policy(`allow_smbd_anon_write',` miscfiles_manage_public_files(smbd_t) -<<<<<<< HEAD ') tunable_policy(`samba_portmapper',` corenet_tcp_bind_epmap_port(smbd_t) corenet_tcp_bind_all_unreserved_ports(smbd_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') tunable_policy(`samba_domain_controller',` 
@@ -493,16 +420,7 @@ tunable_policy(`samba_domain_controller',` ') tunable_policy(`samba_enable_home_dirs',` -<<<<<<< HEAD userdom_manage_user_home_content(smbd_t) -======= - userdom_manage_user_home_content_dirs(smbd_t) - userdom_manage_user_home_content_files(smbd_t) - userdom_manage_user_home_content_symlinks(smbd_t) - userdom_manage_user_home_content_sockets(smbd_t) - userdom_manage_user_home_content_pipes(smbd_t) - userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file }) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') # Support Samba sharing of NFS mount points @@ -523,14 +441,11 @@ tunable_policy(`samba_share_fusefs',` ') optional_policy(` -<<<<<<< HEAD ctdbd_stream_connect(smbd_t) ctdbd_manage_lib_files(smbd_t) ') optional_policy(` -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 cups_read_rw_config(smbd_t) cups_stream_connect(smbd_t) ') @@ -541,14 +456,11 @@ optional_policy(` ') optional_policy(` -<<<<<<< HEAD ldap_stream_connect(smbd_t) dirsrv_stream_connect(smbd_t) ') optional_policy(` -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 lpd_exec_lpr(smbd_t) ') @@ -572,8 +484,8 @@ optional_policy(` tunable_policy(`samba_create_home_dirs',` allow smbd_t self:capability chown; userdom_create_user_home_dirs(smbd_t) -<<<<<<< HEAD ') + userdom_home_filetrans_user_home_dir(smbd_t) tunable_policy(`samba_export_all_ro',` 
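Review bot: The added `userdom_home_filetrans_user_home_dir(smbd_t)` appears to land after the closing `')` of the samba_create_home_dirs tunable, which would grant the home-directory file transition to smbd_t unconditionally, whereas the upstream side removed in the next hunk had the same call inside the tunable (the collapsed diff layout makes the exact position an inference). If the unconditional grant is intended, add a one-line comment above it saying so; otherwise move the call above `')` so it stays gated by `samba_create_home_dirs`.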
@@ -592,28 +504,6 @@ tunable_policy(`samba_export_all_rw',` userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir }) -======= - userdom_home_filetrans_user_home_dir(smbd_t) -') - -tunable_policy(`samba_export_all_ro',` - fs_read_noxattr_fs_files(smbd_t) - files_list_non_auth_dirs(smbd_t) - files_read_non_auth_files(smbd_t) - fs_read_noxattr_fs_files(nmbd_t) - files_list_non_auth_dirs(nmbd_t) - files_read_non_auth_files(nmbd_t) -') - -tunable_policy(`samba_export_all_rw',` - fs_read_noxattr_fs_files(smbd_t) - files_manage_non_auth_files(smbd_t) - fs_read_noxattr_fs_files(nmbd_t) - files_manage_non_auth_files(nmbd_t) - userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir }) -') - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # # nmbd Local policy @@ -633,15 +523,10 @@ allow nmbd_t self:udp_socket create_socket_perms; allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -<<<<<<< HEAD manage_dirs_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) manage_sock_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) files_pid_filetrans(nmbd_t, nmbd_var_run_t, { dir file sock_file }) -======= -manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -files_pid_filetrans(nmbd_t, nmbd_var_run_t, file) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) @@ -711,7 +596,6 @@ optional_policy(` # smbcontrol local policy # -<<<<<<< HEAD allow smbcontrol_t self:process signal; # internal communication is often done using fifo and unix sockets. 
@@ -727,20 +611,6 @@ read_files_pattern(smbcontrol_t, smbd_var_run_t, smbd_var_run_t) allow smbcontrol_t winbind_t:process { signal signull }; files_search_var_lib(smbcontrol_t) -======= -# internal communication is often done using fifo and unix sockets. -allow smbcontrol_t self:fifo_file rw_file_perms; -allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; - -allow smbcontrol_t nmbd_t:process { signal signull }; - -allow smbcontrol_t nmbd_var_run_t:file { read lock }; - -allow smbcontrol_t smbd_t:process signal; - -allow smbcontrol_t winbind_t:process { signal signull }; - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) @@ -748,18 +618,14 @@ samba_read_winbind_pid(smbcontrol_t) domain_use_interactive_fds(smbcontrol_t) -<<<<<<< HEAD dev_read_urand(smbcontrol_t) term_use_console(smbcontrol_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 files_read_etc_files(smbcontrol_t) miscfiles_read_localization(smbcontrol_t) -<<<<<<< HEAD sysnet_use_ldap(smbcontrol_t) userdom_use_inherited_user_terminals(smbcontrol_t) @@ -767,9 +633,6 @@ userdom_use_inherited_user_terminals(smbcontrol_t) optional_policy(` ctdbd_stream_connect(smbcontrol_t) ') -======= -userdom_use_user_terminals(smbcontrol_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -788,11 +651,7 @@ allow smbmount_t samba_etc_t:file read_file_perms; can_exec(smbmount_t, smbmount_exec_t) -<<<<<<< HEAD allow smbmount_t samba_log_t:dir list_dir_perms; -======= -allow smbmount_t samba_log_t:dir list_dir_perms; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow smbmount_t samba_log_t:file manage_file_perms; allow smbmount_t samba_secrets_t:file manage_file_perms; 
@@ -839,33 +698,21 @@ auth_use_nsswitch(smbmount_t) miscfiles_read_localization(smbmount_t) -<<<<<<< HEAD -======= -mount_use_fds(smbmount_t) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 locallogin_use_fds(smbmount_t) logging_search_logs(smbmount_t) -<<<<<<< HEAD userdom_use_inherited_user_terminals(smbmount_t) -======= -userdom_use_user_terminals(smbmount_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 userdom_use_all_users_fds(smbmount_t) optional_policy(` cups_read_rw_config(smbmount_t) ') -<<<<<<< HEAD optional_policy(` mount_use_fds(smbmount_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # # SWAT Local policy @@ -886,12 +733,8 @@ samba_domtrans_nmbd(swat_t) allow swat_t nmbd_t:process { signal signull }; allow nmbd_t swat_t:process signal; -<<<<<<< HEAD read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t) stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) -======= -allow swat_t smbd_var_run_t:file { lock unlink }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow swat_t smbd_port_t:tcp_socket name_bind; @@ -906,20 +749,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) manage_files_pattern(swat_t, samba_var_t, samba_var_t) -<<<<<<< HEAD files_list_var_lib(swat_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow swat_t smbd_exec_t:file mmap_file_perms ; allow swat_t smbd_t:process signull; allow swat_t smbd_var_run_t:file read_file_perms; -<<<<<<< HEAD allow swat_t smbd_var_run_t:file { lock unlink }; -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) 
@@ -932,10 +769,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; domtrans_pattern(swat_t, winbind_exec_t, winbind_t) allow swat_t winbind_t:process { signal signull }; -<<<<<<< HEAD read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow swat_t winbind_var_run_t:dir { write add_name remove_name }; allow swat_t winbind_var_run_t:sock_file { create unlink }; @@ -978,17 +812,12 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) -<<<<<<< HEAD sysnet_use_ldap(swat_t) miscfiles_read_localization(swat_t) userdom_dontaudit_search_admin_dir(swat_t) -======= -miscfiles_read_localization(swat_t) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) @@ -1018,12 +847,8 @@ allow winbind_t self:udp_socket create_socket_perms; allow winbind_t nmbd_t:process { signal signull }; -<<<<<<< HEAD allow winbind_t smbd_var_run_t:dir search_dir_perms; read_files_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t) -======= -allow winbind_t nmbd_var_run_t:file read_file_perms; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) @@ -1046,7 +871,6 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) allow winbind_t winbind_log_t:file manage_file_perms; logging_log_filetrans(winbind_t, winbind_log_t, file) -<<<<<<< HEAD userdom_manage_user_tmp_dirs(winbind_t) userdom_manage_user_tmp_files(winbind_t) userdom_tmp_filetrans_user_tmp(winbind_t, { file dir }) 
@@ -1057,17 +881,6 @@ manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) files_pid_filetrans(winbind_t, winbind_var_run_t, { file dir }) kernel_read_network_state(winbind_t) -======= -manage_dirs_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) -manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) -manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) -files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir }) - -manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) -manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) -files_pid_filetrans(winbind_t, winbind_var_run_t, file) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 kernel_read_kernel_sysctls(winbind_t) kernel_read_system_state(winbind_t) @@ -1086,10 +899,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) -<<<<<<< HEAD corenet_tcp_connect_smbd_port(winbind_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) @@ -1107,20 +917,14 @@ domain_use_interactive_fds(winbind_t) files_read_etc_files(winbind_t) files_read_usr_symlinks(winbind_t) -<<<<<<< HEAD files_list_var_lib(winbind_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 logging_send_syslog_msg(winbind_t) miscfiles_read_localization(winbind_t) -<<<<<<< HEAD miscfiles_read_generic_certs(winbind_t) sysnet_use_ldap(winbind_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 userdom_dontaudit_use_unpriv_user_fds(winbind_t) userdom_manage_user_home_content_dirs(winbind_t) 
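Review bot: Dropping the upstream winbind_tmp_t rules here leaves winbind_t with the HEAD-side `userdom_manage_user_tmp_dirs`, `userdom_manage_user_tmp_files` and `userdom_tmp_filetrans_user_tmp` kept in the previous hunk, so winbind writes into user tmp content rather than a private tmp type, a wider grant than upstream's. At the same time the type hunk near the top of samba.te keeps `type winbind_tmp_t; files_tmp_file(winbind_tmp_t)`, and nothing visible in this diff gives winbind_t access to that type, so unless the unshown HEAD lines between these hunks do, the declaration is used only by samba_admin's `admin_pattern($1, winbind_tmp_t)`. Either restore the `manage_*_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)` and `files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })` lines, or add a comment explaining why user tmp content is used and whether winbind_tmp_t is still needed.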
@@ -1130,15 +934,11 @@ userdom_manage_user_home_content_pipes(winbind_t) userdom_manage_user_home_content_sockets(winbind_t) userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file }) -<<<<<<< HEAD - optional_policy(` ctdbd_stream_connect(winbind_t) ctdbd_manage_lib_files(winbind_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 optional_policy(` kerberos_use(winbind_t) ') @@ -1178,15 +978,10 @@ auth_use_nsswitch(winbind_helper_t) logging_send_syslog_msg(winbind_helper_t) -<<<<<<< HEAD miscfiles_read_localization(winbind_helper_t) userdom_use_inherited_user_terminals(winbind_helper_t) -======= -miscfiles_read_localization(winbind_helper_t) -userdom_use_user_terminals(winbind_helper_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 optional_policy(` apache_append_log(winbind_helper_t) @@ -1204,7 +999,6 @@ optional_policy(` # optional_policy(` -<<<<<<< HEAD type samba_unconfined_net_t; domain_type(samba_unconfined_net_t) domain_entry_file(samba_unconfined_net_t, samba_net_exec_t) @@ -1235,21 +1029,4 @@ tunable_policy(`samba_run_unconfined',` domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t) ',` can_exec(smbd_t, samba_unconfined_script_exec_t) -======= - type samba_unconfined_script_t; - type samba_unconfined_script_exec_t; - domain_type(samba_unconfined_script_t) - domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t) - corecmd_shell_entry_type(samba_unconfined_script_t) - role system_r types samba_unconfined_script_t; - - allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; - allow smbd_t samba_unconfined_script_exec_t:file ioctl; - - unconfined_domain(samba_unconfined_script_t) - - tunable_policy(`samba_run_unconfined',` - domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t) - ') ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') diff --git a/sambagui.te b/sambagui.te index ce092ae..ba62525 100644 
--- a/sambagui.te +++ b/sambagui.te @@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(sambagui, 1.0.1) -======= policy_module(sambagui, 1.1.0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -31,29 +27,20 @@ corecmd_exec_bin(sambagui_t) dev_dontaudit_read_urand(sambagui_t) -<<<<<<< HEAD files_read_usr_files(sambagui_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 files_read_etc_files(sambagui_t) files_search_var_lib(sambagui_t) files_read_usr_files(sambagui_t) auth_use_nsswitch(sambagui_t) -<<<<<<< HEAD auth_dontaudit_read_shadow(sambagui_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 logging_send_syslog_msg(sambagui_t) miscfiles_read_localization(sambagui_t) -<<<<<<< HEAD sysnet_use_ldap(sambagui_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 optional_policy(` consoletype_exec(sambagui_t) ') @@ -73,10 +60,7 @@ optional_policy(` samba_manage_var_files(sambagui_t) samba_read_secrets(sambagui_t) samba_initrc_domtrans(sambagui_t) -<<<<<<< HEAD samba_systemctl(sambagui_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 samba_domtrans_smbd(sambagui_t) samba_domtrans_nmbd(sambagui_t) ') diff --git a/samhain.if b/samhain.if index 28856a5..2b601a5 100644 --- a/samhain.if +++ b/samhain.if @@ -271,7 +271,6 @@ interface(`samhain_admin',` type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t; ') -<<<<<<< HEAD allow $1 samhain_t:process signal_perms; ps_process_pattern($1, samhain_t) tunable_policy(`deny_ptrace',`',` @@ -280,12 +279,6 @@ interface(`samhain_admin',` ') allow $1 samhaind_t:process signal_perms; -======= - allow $1 samhain_t:process { ptrace signal_perms }; - ps_process_pattern($1, samhain_t) - - allow $1 samhaind_t:process { ptrace signal_perms }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ps_process_pattern($1, samhaind_t) files_list_var_lib($1) diff --git a/samhain.te b/samhain.te index 87fdd8e..778d18b 100644 --- a/samhain.te +++ b/samhain.te 
@@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(samhain, 1.0.1) -======= policy_module(samhain, 1.1.0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -59,11 +55,7 @@ domain_use_interactive_fds(samhain_t) seutil_sigchld_newrole(samhain_t) -<<<<<<< HEAD userdom_use_inherited_user_terminals(samhain_t) -======= -userdom_use_user_terminals(samhain_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # diff --git a/sanlock.fc b/sanlock.fc index c4ac3de..630960e 100644 --- a/sanlock.fc +++ b/sanlock.fc @@ -1,7 +1,4 @@ -<<<<<<< HEAD -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /etc/rc\.d/init\.d/sanlock -- gen_context(system_u:object_r:sanlock_initrc_exec_t,s0) /var/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0) diff --git a/sanlock.if b/sanlock.if index c6fb5e8..3eb745d 100644 --- a/sanlock.if +++ b/sanlock.if @@ -1,7 +1,4 @@ -<<<<<<< HEAD -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## policy for sanlock ######################################## @@ -22,10 +19,7 @@ interface(`sanlock_domtrans',` domtrans_pattern($1, sanlock_exec_t, sanlock_t) ') -<<<<<<< HEAD -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## ## ## Execute sanlock server in the sanlock domain. @@ -65,7 +59,6 @@ interface(`sanlock_manage_pid_files',` ######################################## ## -<<<<<<< HEAD ## Connect to sanlock over a unix stream socket. ## ## 
@@ -81,23 +74,6 @@ interface(`sanlock_stream_connect',` files_search_pids($1) stream_connect_pattern($1, sanlock_var_run_t, sanlock_var_run_t, sanlock_t) -======= -## Connect to sanlock over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`sanlock_stream_connect',` - gen_require(` - type sanlock_t, sanlock_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, sanlock_var_run_t, sanlock_var_run_t, sanlock_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## @@ -125,19 +101,13 @@ interface(`sanlock_admin',` allow $1 sanlock_t:process signal_perms; ps_process_pattern($1, sanlock_t) -<<<<<<< HEAD tunable_policy(`deny_ptrace',`',` allow $1 sanlock_t:process ptrace; ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 sanlock_initrc_domtrans($1) domain_system_change_exemption($1) role_transition $2 sanlock_initrc_exec_t system_r; allow $2 system_r; -<<<<<<< HEAD -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') diff --git a/sanlock.te b/sanlock.te index 57e788f..d5d96e7 100644 --- a/sanlock.te +++ b/sanlock.te @@ -1,8 +1,4 @@ -<<<<<<< HEAD policy_module(sanlock,1.0.0) -======= -policy_module(sanlock, 1.0.0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -10,28 +6,16 @@ policy_module(sanlock, 1.0.0) # ## -<<<<<<< HEAD ##

## Allow confined virtual guests to manage nfs files ##

-======= -##

-## Allow confined virtual guests to manage nfs files -##

->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ##
gen_tunable(sanlock_use_nfs, false) ## -<<<<<<< HEAD ##

## Allow confined virtual guests to manage cifs files ##

-======= -##

-## Allow confined virtual guests to manage cifs files -##

->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ##
gen_tunable(sanlock_use_samba, false) @@ -62,10 +46,7 @@ ifdef(`enable_mls',` # allow sanlock_t self:capability { sys_nice ipc_lock }; allow sanlock_t self:process { setsched signull }; -<<<<<<< HEAD -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow sanlock_t self:fifo_file rw_fifo_file_perms; allow sanlock_t self:unix_stream_socket create_stream_socket_perms; @@ -87,11 +68,8 @@ storage_raw_rw_fixed_disk(sanlock_t) dev_read_urand(sanlock_t) -<<<<<<< HEAD auth_use_nsswitch(sanlock_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 init_read_utmp(sanlock_t) init_dontaudit_write_utmp(sanlock_t) @@ -100,7 +78,6 @@ logging_send_syslog_msg(sanlock_t) miscfiles_read_localization(sanlock_t) tunable_policy(`sanlock_use_nfs',` -<<<<<<< HEAD fs_manage_nfs_dirs(sanlock_t) fs_manage_nfs_files(sanlock_t) fs_manage_nfs_named_sockets(sanlock_t) @@ -122,21 +99,4 @@ optional_policy(` virt_kill_svirt(sanlock_t) virt_manage_lib_files(sanlock_t) virt_signal_svirt(sanlock_t) -======= - fs_manage_nfs_dirs(sanlock_t) - fs_manage_nfs_files(sanlock_t) - fs_manage_nfs_named_sockets(sanlock_t) - fs_read_nfs_symlinks(sanlock_t) -') - -tunable_policy(`sanlock_use_samba',` - fs_manage_cifs_dirs(sanlock_t) - fs_manage_cifs_files(sanlock_t) - fs_manage_cifs_named_sockets(sanlock_t) - fs_read_cifs_symlinks(sanlock_t) -') - -optional_policy(` - virt_manage_lib_files(sanlock_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') diff --git a/sasl.if b/sasl.if index 21a6114..3e6a93f 100644 --- a/sasl.if +++ b/sasl.if @@ -38,7 +38,6 @@ interface(`sasl_connect',` # interface(`sasl_admin',` gen_require(` -<<<<<<< HEAD type saslauthd_t, saslauthd_var_run_t; type saslauthd_initrc_exec_t; ') 
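Review bot: The `<desc>` text kept for both tunables in the `@@ -10,28 +6,16 @@` hunk of sanlock.te says "Allow confined virtual guests to manage nfs/cifs files", but the `tunable_policy` bodies further down this diff grant `fs_manage_nfs_*` and `fs_manage_cifs_*` to `sanlock_t`, not to any guest domain. This text is what an administrator sees when listing booleans, so it should name the domain that actually gains access: `## Allow sanlock to manage nfs files` and `## Allow sanlock to manage cifs files`. Both sides of the conflict carried the same wording, so the merge did not introduce it, but the resolution is the natural place to fix it.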
@@ -48,26 +47,12 @@ interface(`sasl_admin',` tunable_policy(`deny_ptrace',`',` allow $1 saslauthd_t:process ptrace; ') -======= - type saslauthd_t, saslauthd_tmp_t, saslauthd_var_run_t; - type saslauthd_initrc_exec_t; - ') - - allow $1 saslauthd_t:process { ptrace signal_perms getattr }; - ps_process_pattern($1, saslauthd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 init_labeled_script_domtrans($1, saslauthd_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 saslauthd_initrc_exec_t system_r; allow $2 system_r; -<<<<<<< HEAD -======= - files_list_tmp($1) - admin_pattern($1, saslauthd_tmp_t) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 files_list_pids($1) admin_pattern($1, saslauthd_var_run_t) ') diff --git a/sasl.te b/sasl.te index d451595..7f7983a 100644 --- a/sasl.te +++ b/sasl.te @@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(sasl, 1.13.1) -======= policy_module(sasl, 1.14.0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -23,12 +19,6 @@ init_daemon_domain(saslauthd_t, saslauthd_exec_t) type saslauthd_initrc_exec_t; init_script_file(saslauthd_initrc_exec_t) -<<<<<<< HEAD -======= -type saslauthd_tmp_t; -files_tmp_file(saslauthd_tmp_t) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type saslauthd_var_run_t; files_pid_file(saslauthd_var_run_t) @@ -45,7 +35,6 @@ allow saslauthd_t self:unix_dgram_socket create_socket_perms; allow saslauthd_t self:unix_stream_socket create_stream_socket_perms; allow saslauthd_t self:tcp_socket create_socket_perms; -<<<<<<< HEAD kerberos_tmp_filetrans_host_rcache(saslauthd_t) manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) 
@@ -59,18 +48,6 @@ kernel_rw_afs_state(saslauthd_t) #577519 corecmd_exec_bin(saslauthd_t) -======= -allow saslauthd_t saslauthd_tmp_t:dir setattr; -manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t) -files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file) - -manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) -manage_sock_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) -files_pid_filetrans(saslauthd_t, saslauthd_var_run_t, file) - -kernel_read_kernel_sysctls(saslauthd_t) -kernel_read_system_state(saslauthd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 corenet_all_recvfrom_unlabeled(saslauthd_t) corenet_all_recvfrom_netlabel(saslauthd_t) @@ -78,10 +55,7 @@ corenet_tcp_sendrecv_generic_if(saslauthd_t) corenet_tcp_sendrecv_generic_node(saslauthd_t) corenet_tcp_sendrecv_all_ports(saslauthd_t) corenet_tcp_connect_pop_port(saslauthd_t) -<<<<<<< HEAD corenet_tcp_connect_zarafa_port(saslauthd_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 corenet_sendrecv_pop_client_packets(saslauthd_t) dev_read_urand(saslauthd_t) @@ -121,10 +95,7 @@ tunable_policy(`allow_saslauthd_read_shadow',` optional_policy(` kerberos_keytab_template(saslauthd, saslauthd_t) -<<<<<<< HEAD #kerberos_manage_host_rcache(saslauthd_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') optional_policy(` diff --git a/sblim.fc b/sblim.fc index e9b5afc..17a8a85 100644 --- a/sblim.fc +++ b/sblim.fc @@ -1,12 +1,5 @@ -<<<<<<< HEAD - -/usr/sbin/gatherd -- gen_context(system_u:object_r:sblim_gatherd_exec_t,s0) - -/usr/sbin/reposd -- gen_context(system_u:object_r:sblim_reposd_exec_t,s0) -======= /usr/sbin/gatherd -- gen_context(system_u:object_r:sblim_gatherd_exec_t,s0) /usr/sbin/reposd -- gen_context(system_u:object_r:sblim_reposd_exec_t,s0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /var/run/gather(/.*)? gen_context(system_u:object_r:sblim_var_run_t,s0) diff --git a/sblim.if b/sblim.if index ca21262..fdb665a 100644 
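Review bot: The merged sasl.te keeps `kerberos_tmp_filetrans_host_rcache(saslauthd_t)` from HEAD while the matching `kerberos_manage_host_rcache(saslauthd_t)` inside the kerberos `optional_policy` block stays commented out in the `@@ -121,10 +95,7 @@` hunk. A name transition only labels files the domain is already allowed to create, so unless `kerberos_keytab_template` or a rule outside this diff grants create/write on `krb5_host_rcache_t`, the filetrans is inert and replay-cache writes will still be denied or land with the generic tmp label. Either re-enable the call or replace the `#` line with a comment stating where the permission comes from, e.g. `# create/write on krb5_host_rcache_t comes from kerberos_keytab_template; the filetrans above only sets the label`. Separately, taking the HEAD side in `@@ -59,18 +48,6 @@` drops upstream's `kernel_read_kernel_sysctls`/`kernel_read_system_state` for `saslauthd_t`; confirm HEAD already carries them elsewhere in the file.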
--- a/sblim.if +++ b/sblim.if @@ -1,7 +1,3 @@ -<<<<<<< HEAD - -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## policy for SBLIM Gatherer ######################################## @@ -9,15 +5,9 @@ ## Transition to gatherd. ##
## -<<<<<<< HEAD -## -## Domain allowed to transition. -## -======= ## ## Domain allowed to transition. ## ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## # interface(`sblim_domtrans_gatherd',` @@ -29,10 +19,6 @@ interface(`sblim_domtrans_gatherd',` domtrans_pattern($1, sblim_gatherd_exec_t, sblim_gatherd_t) ') -<<<<<<< HEAD - -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## ## ## Read gatherd PID files. @@ -52,10 +38,6 @@ interface(`sblim_read_pid_files',` allow $1 sblim_var_run_t:file read_file_perms; ') -<<<<<<< HEAD - -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## ## ## All of the rules required to administrate @@ -66,15 +48,7 @@ interface(`sblim_read_pid_files',` ## Domain allowed access. ## ## -<<<<<<< HEAD -======= -## -## -## Role allowed access. -## -## ## ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # interface(`sblim_admin',` gen_require(` @@ -85,23 +59,15 @@ interface(`sblim_admin',` allow $1 sblim_gatherd_t:process signal_perms; ps_process_pattern($1, sblim_gatherd_t) -<<<<<<< HEAD + tunable_policy(`deny_ptrace',`',` allow $1 sblim_gatherd_t:process ptrace; allow $1 sblim_reposd_t:process ptrace; ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow $1 sblim_reposd_t:process signal_perms; ps_process_pattern($1, sblim_reposd_t) files_search_pids($1) admin_pattern($1, sblim_var_run_t) -<<<<<<< HEAD - -') - -======= ') ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/sblim.te b/sblim.te index 3e44719..d23d1c8 100644 --- a/sblim.te +++ b/sblim.te 
@@ -64,20 +64,12 @@ optional_policy(` optional_policy(` virt_stream_connect(sblim_gatherd_t) -<<<<<<< HEAD virt_getattr_exec(sblim_gatherd_t) ') optional_policy(` - xen_stream_connect(sblim_gatherd_t) - xen_stream_connect_xenstore(sblim_gatherd_t) -======= -') - -optional_policy(` xen_stream_connect(sblim_gatherd_t) xen_stream_connect_xenstore(sblim_gatherd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ####################################### diff --git a/screen.fc b/screen.fc index 31453e9..b73334e 100644 --- a/screen.fc +++ b/screen.fc @@ -1,29 +1,19 @@ # # /home # -HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0) HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0) -<<<<<<< HEAD HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0) /root/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # # /usr # /usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0) -<<<<<<< HEAD /usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # # /var # /var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) -<<<<<<< HEAD /var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/screen.if b/screen.if index 20bae3b..3ef87b4 100644 --- a/screen.if +++ b/screen.if @@ -25,10 +25,7 @@ template(`screen_role_template',` gen_require(` type screen_exec_t, screen_tmp_t; type screen_home_t, screen_var_run_t; -<<<<<<< HEAD attribute screen_domain; -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## @@ -36,7 +33,6 @@ template(`screen_role_template',` # Declarations # -<<<<<<< HEAD type $1_screen_t, screen_domain; application_domain($1_screen_t, screen_exec_t) domain_interactive_fd($1_screen_t) 
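Review bot: The tmux entries kept from HEAD in screen.fc (`/usr/bin/tmux` → `screen_exec_t`, `/var/run/tmux(/.*)?` → `screen_var_run_t`) put tmux into the screen domain without any comment saying that the two programs are deliberately treated as one. As far as I recall tmux's server socket lives under `$TMUX_TMPDIR/tmux-<uid>/` with a /tmp fallback rather than under /var/run, so the `/var/run/tmux` label may only be reached on a build that sets `TMUX_TMPDIR`; worth confirming against the packaged tmux so the entry is not dead. A one-line comment above the entries would cover both points, e.g. `# tmux is confined like screen; its socket dir depends on TMUX_TMPDIR`.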
@@ -44,58 +40,13 @@ template(`screen_role_template',` role $2 types $1_screen_t; userdom_home_reader($1_screen_t) -======= - type $1_screen_t; - userdom_user_application_domain($1_screen_t, screen_exec_t) - domain_interactive_fd($1_screen_t) - role $2 types $1_screen_t; - - ######################################## - # - # Local policy - # - - allow $1_screen_t self:capability { setuid setgid fsetid }; - allow $1_screen_t self:process signal_perms; - allow $1_screen_t self:fifo_file rw_fifo_file_perms; - allow $1_screen_t self:tcp_socket create_stream_socket_perms; - allow $1_screen_t self:udp_socket create_socket_perms; - # Internal screen networking - allow $1_screen_t self:fd use; - allow $1_screen_t self:unix_stream_socket { create_socket_perms connectto }; - allow $1_screen_t self:unix_dgram_socket create_socket_perms; - - manage_dirs_pattern($1_screen_t, screen_tmp_t, screen_tmp_t) - manage_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t) - manage_fifo_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t) - files_tmp_filetrans($1_screen_t, screen_tmp_t, { file dir }) - - # Create fifo - manage_fifo_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t) - manage_dirs_pattern($1_screen_t, screen_var_run_t, screen_var_run_t) - manage_sock_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t) - files_pid_filetrans($1_screen_t, screen_var_run_t, dir) - - allow $1_screen_t screen_home_t:dir list_dir_perms; - manage_dirs_pattern($1_screen_t, screen_home_t, screen_home_t) - manage_fifo_files_pattern($1_screen_t, screen_home_t, screen_home_t) - userdom_user_home_dir_filetrans($1_screen_t, screen_home_t, dir) - read_files_pattern($1_screen_t, screen_home_t, screen_home_t) - read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t) - - allow $1_screen_t $3:process signal; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 domtrans_pattern($3, screen_exec_t, $1_screen_t) allow $3 $1_screen_t:process { signal sigchld }; dontaudit $3 
$1_screen_t:unix_stream_socket { read write }; -<<<<<<< HEAD allow $1_screen_t $3:unix_stream_socket { connectto }; allow $1_screen_t $3:process signal; ps_process_pattern($1_screen_t, $3) -======= - allow $1_screen_t $3:process signal; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 manage_fifo_files_pattern($3, screen_home_t, screen_home_t) manage_dirs_pattern($3, screen_home_t, screen_home_t) 
@@ -106,92 +57,23 @@ template(`screen_role_template',` relabel_lnk_files_pattern($3, screen_home_t, screen_home_t) manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t) -<<<<<<< HEAD manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t) -======= - manage_files_pattern($3, screen_var_run_t, screen_var_run_t) - manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t) - manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t) - - kernel_read_system_state($1_screen_t) - kernel_read_kernel_sysctls($1_screen_t) - - corecmd_list_bin($1_screen_t) - corecmd_read_bin_files($1_screen_t) - corecmd_read_bin_symlinks($1_screen_t) - corecmd_read_bin_pipes($1_screen_t) - corecmd_read_bin_sockets($1_screen_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # Revert to the user domain when a shell is executed. corecmd_shell_domtrans($1_screen_t, $3) corecmd_bin_domtrans($1_screen_t, $3) -<<<<<<< HEAD - auth_domtrans_chk_passwd($1_screen_t) - auth_use_nsswitch($1_screen_t) - - userdom_user_home_domtrans($1_screen_t, $3) - - tunable_policy(`use_samba_home_dirs',` - fs_cifs_domtrans($1_screen_t, $3) -======= - corenet_all_recvfrom_unlabeled($1_screen_t) - corenet_all_recvfrom_netlabel($1_screen_t) - corenet_tcp_sendrecv_generic_if($1_screen_t) - corenet_udp_sendrecv_generic_if($1_screen_t) - corenet_tcp_sendrecv_generic_node($1_screen_t) - corenet_udp_sendrecv_generic_node($1_screen_t) - corenet_tcp_sendrecv_all_ports($1_screen_t) - corenet_udp_sendrecv_all_ports($1_screen_t) - corenet_tcp_connect_all_ports($1_screen_t) - - dev_dontaudit_getattr_all_chr_files($1_screen_t) - dev_dontaudit_getattr_all_blk_files($1_screen_t) - # for SSP - dev_read_urand($1_screen_t) - - domain_use_interactive_fds($1_screen_t) - - files_search_tmp($1_screen_t) - files_search_home($1_screen_t) - files_list_home($1_screen_t) - files_read_usr_files($1_screen_t) - files_read_etc_files($1_screen_t) - - fs_search_auto_mountpoints($1_screen_t) - 
fs_getattr_xattr_fs($1_screen_t) - auth_domtrans_chk_passwd($1_screen_t) auth_use_nsswitch($1_screen_t) - auth_dontaudit_read_shadow($1_screen_t) - auth_dontaudit_exec_utempter($1_screen_t) - - # Write to utmp. - init_rw_utmp($1_screen_t) - - logging_send_syslog_msg($1_screen_t) - miscfiles_read_localization($1_screen_t) - - seutil_read_config($1_screen_t) - - userdom_use_user_terminals($1_screen_t) - userdom_create_user_pty($1_screen_t) userdom_user_home_domtrans($1_screen_t, $3) - userdom_setattr_user_ptys($1_screen_t) - userdom_setattr_user_ttys($1_screen_t) tunable_policy(`use_samba_home_dirs',` fs_cifs_domtrans($1_screen_t, $3) - fs_read_cifs_symlinks($1_screen_t) - fs_list_cifs($1_screen_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') tunable_policy(`use_nfs_home_dirs',` fs_nfs_domtrans($1_screen_t, $3) -<<<<<<< HEAD ') ') @@ -213,9 +95,3 @@ interface(`screen_exec',` can_exec($1, screen_exec_t) ') -======= - fs_list_nfs($1_screen_t) - fs_read_nfs_symlinks($1_screen_t) - ') -') ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/screen.te b/screen.te index c3dc4e0..13d933c 100644 --- a/screen.te +++ b/screen.te @@ -1,19 +1,12 @@ -<<<<<<< HEAD -policy_module(screen, 2.3.1) -======= policy_module(screen, 2.5.0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # # Declarations # -<<<<<<< HEAD attribute screen_domain; -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type screen_exec_t; application_executable_file(screen_exec_t) 
@@ -25,19 +18,13 @@ userdom_user_home_content(screen_home_t) type screen_tmp_t; typealias screen_tmp_t alias { user_screen_tmp_t staff_screen_tmp_t sysadm_screen_tmp_t }; typealias screen_tmp_t alias { auditadm_screen_tmp_t secadm_screen_tmp_t }; -<<<<<<< HEAD -files_tmp_file(screen_tmp_t) -ubac_constrained(screen_tmp_t) -======= userdom_user_tmp_file(screen_tmp_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type screen_var_run_t; typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t }; typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t }; files_pid_file(screen_var_run_t) ubac_constrained(screen_var_run_t) -<<<<<<< HEAD ######################################## # @@ -127,5 +114,3 @@ userdom_create_user_pty(screen_domain) userdom_setattr_user_ptys(screen_domain) userdom_setattr_user_ttys(screen_domain) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/sectoolm.te b/sectoolm.te index a9bf178..c761721 100644 --- a/sectoolm.te +++ b/sectoolm.te @@ -8,10 +8,7 @@ policy_module(sectoolm, 1.0.0) type sectoolm_t; type sectoolm_exec_t; dbus_system_domain(sectoolm_t, sectoolm_exec_t) -<<<<<<< HEAD init_daemon_domain(sectoolm_t, sectoolm_exec_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type sectool_var_lib_t; files_type(sectool_var_lib_t) @@ -27,11 +24,7 @@ files_tmp_file(sectool_tmp_t) # sectool local policy # -<<<<<<< HEAD allow sectoolm_t self:capability { dac_override net_admin sys_nice }; -======= -allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow sectoolm_t self:process { getcap getsched signull setsched }; dontaudit sectoolm_t self:process { execstack execmem }; allow sectoolm_t self:fifo_file rw_fifo_file_perms; 
@@ -78,15 +71,6 @@ application_exec_all(sectoolm_t) auth_use_nsswitch(sectoolm_t) -<<<<<<< HEAD -======= -# tests related to network -hostname_exec(sectoolm_t) - -# tests related to network -iptables_domtrans(sectoolm_t) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 libs_exec_ld_so(sectoolm_t) logging_send_syslog_msg(sectoolm_t) @@ -95,7 +79,6 @@ logging_send_syslog_msg(sectoolm_t) sysnet_domtrans_ifconfig(sectoolm_t) userdom_manage_user_tmp_sockets(sectoolm_t) -<<<<<<< HEAD userdom_dgram_send(sectoolm_t) optional_policy(` @@ -107,8 +90,6 @@ optional_policy(` # tests related to network iptables_domtrans(sectoolm_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 optional_policy(` mount_exec(sectoolm_t) diff --git a/sendmail.fc b/sendmail.fc index 7080a18..ef4199b 100644 --- a/sendmail.fc +++ b/sendmail.fc @@ -1,9 +1,6 @@ -<<<<<<< HEAD /etc/rc\.d/init\.d/sendmail -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /var/log/sendmail\.st -- gen_context(system_u:object_r:sendmail_log_t,s0) /var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0) diff --git a/sendmail.if b/sendmail.if index bff6863..ca74cd9 100644 --- a/sendmail.if +++ b/sendmail.if @@ -51,7 +51,6 @@ interface(`sendmail_domtrans',` ') mta_sendmail_domtrans($1, sendmail_t) -<<<<<<< HEAD ') ####################################### @@ -70,12 +69,6 @@ interface(`sendmail_initrc_domtrans',` ') init_labeled_script_domtrans($1, sendmail_initrc_exec_t) -======= - - allow sendmail_t $1:fd use; - allow sendmail_t $1:fifo_file rw_file_perms; - allow sendmail_t $1:process sigchld; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## 
@@ -173,11 +166,7 @@ interface(`sendmail_rw_unix_stream_sockets',` type sendmail_t; ') -<<<<<<< HEAD allow $1 sendmail_t:unix_stream_socket rw_socket_perms; -======= - allow $1 sendmail_t:unix_stream_socket { getattr read write ioctl }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## @@ -196,11 +185,7 @@ interface(`sendmail_dontaudit_rw_unix_stream_sockets',` type sendmail_t; ') -<<<<<<< HEAD dontaudit $1 sendmail_t:unix_stream_socket rw_socket_perms; -======= - dontaudit $1 sendmail_t:unix_stream_socket { getattr read write ioctl }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## @@ -324,7 +309,6 @@ interface(`sendmail_run_unconfined',` sendmail_domtrans_unconfined($1) role $2 types unconfined_sendmail_t; ') -<<<<<<< HEAD ######################################## ## @@ -395,5 +379,3 @@ interface(`sendmail_admin',` files_list_spool($1) admin_pattern($1, mail_spool_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/sendmail.te b/sendmail.te index b284b3f..e2f2d7d 100644 --- a/sendmail.te +++ b/sendmail.te @@ -19,14 +19,8 @@ mta_sendmail_mailserver(sendmail_t) mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) -<<<<<<< HEAD type sendmail_initrc_exec_t; init_script_file(sendmail_initrc_exec_t) -======= -type unconfined_sendmail_t; -application_domain(unconfined_sendmail_t, sendmail_exec_t) -role system_r types unconfined_sendmail_t; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # 
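Review bot: Resolving `sendmail_rw_unix_stream_sockets` and its dontaudit twin to `rw_socket_perms` widens what callers get on `sendmail_t`'s unix stream sockets compared with the explicit `{ getattr read write ioctl }` set on the other side of the conflict; in refpolicy that macro also covers setattr, append, bind, connect, getopt, setopt and shutdown. If the interface exists so a caller can use an inherited socket descriptor, the four explicit permissions are sufficient and tighter; if the extra operations are really needed, the interface `<summary>` (outside this hunk) should say so. Suggest either restoring `allow $1 sendmail_t:unix_stream_socket { getattr read write ioctl };` or documenting the wider grant.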
@@ -89,20 +83,14 @@ files_read_usr_files(sendmail_t) files_search_spool(sendmail_t) # for piping mail to a command files_read_etc_runtime_files(sendmail_t) -<<<<<<< HEAD files_read_all_tmp_files(sendmail_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 init_use_fds(sendmail_t) init_use_script_ptys(sendmail_t) # sendmail wants to read /var/run/utmp if the controlling tty is /dev/console init_read_utmp(sendmail_t) init_dontaudit_write_utmp(sendmail_t) -<<<<<<< HEAD init_rw_script_tmp_files(sendmail_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 auth_use_nsswitch(sendmail_t) @@ -116,11 +104,7 @@ miscfiles_read_generic_certs(sendmail_t) miscfiles_read_localization(sendmail_t) userdom_dontaudit_use_unpriv_user_fds(sendmail_t) -<<<<<<< HEAD userdom_read_user_home_content_files(sendmail_t) -======= -userdom_dontaudit_search_user_home_dirs(sendmail_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 mta_read_config(sendmail_t) mta_etc_filetrans_aliases(sendmail_t) @@ -132,13 +116,10 @@ mta_manage_spool(sendmail_t) mta_sendmail_exec(sendmail_t) optional_policy(` -<<<<<<< HEAD cfengine_dontaudit_write_log(sendmail_t) ') optional_policy(` -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 cron_read_pipes(sendmail_t) ') @@ -152,7 +133,6 @@ optional_policy(` ') optional_policy(` -<<<<<<< HEAD dovecot_write_inherited_tmp_files(sendmail_t) ') @@ -161,9 +141,6 @@ optional_policy(` exim_manage_spool_files(sendmail_t) exim_manage_spool_dirs(sendmail_t) exim_read_log(sendmail_t) -======= - exim_domtrans(sendmail_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') optional_policy(` @@ -184,13 +161,9 @@ optional_policy(` ') optional_policy(` -<<<<<<< HEAD postfix_domtrans_postdrop(sendmail_t) postfix_domtrans_master(sendmail_t) postfix_domtrans_postqueue(sendmail_t) -======= - postfix_domtrans_master(sendmail_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 postfix_read_config(sendmail_t) postfix_search_spool(sendmail_t) ') 
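Review bot: In `@@ -116,11 +104,7 @@` the merge replaces upstream's `userdom_dontaudit_search_user_home_dirs(sendmail_t)` with `userdom_read_user_home_content_files(sendmail_t)`, and `@@ -89,20 +83,14 @@` keeps `files_read_all_tmp_files(sendmail_t)`: both turn a silenced denial into a real read grant for a network-facing MTA over every user home content type and every tmp file. Neither line says why, so a later reader cannot tell whether this is for message bodies handed to `sendmail` from a user's files or for something narrower. Please add a why-comment with the motivating bug reference next to each, e.g. `# needed to read mail bodies submitted from user home dirs` on the first. If the real need is only files passed on stdin, an inherited-fd interface would be a much smaller grant than read on all home content; worth checking before this ships.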
@@ -209,7 +182,6 @@ optional_policy(` ') optional_policy(` -<<<<<<< HEAD spamd_stream_connect(sendmail_t) ') @@ -219,22 +191,4 @@ optional_policy(` optional_policy(` uucp_domtrans_uux(sendmail_t) -======= - udev_read_db(sendmail_t) -') - -optional_policy(` - uucp_domtrans_uux(sendmail_t) -') - -######################################## -# -# Unconfined sendmail local policy -# Allow unconfined domain to run newalias and have transitions work -# - -optional_policy(` - mta_etc_filetrans_aliases(unconfined_sendmail_t) - unconfined_domain(unconfined_sendmail_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') diff --git a/setroubleshoot.if b/setroubleshoot.if index 1fa7212..039b0c8 100644 --- a/setroubleshoot.if +++ b/setroubleshoot.if @@ -2,11 +2,7 @@ ######################################## ## -<<<<<<< HEAD ## Connect to setroubleshootd over a unix stream socket. -======= -## Connect to setroubleshootd over an unix stream socket. ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## ## ## @@ -27,11 +23,7 @@ interface(`setroubleshoot_stream_connect',` ######################################## ## ## Dontaudit attempts to connect to setroubleshootd -<<<<<<< HEAD ## over a unix stream socket. -======= -## over an unix stream socket. ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## ## ## @@ -113,7 +105,6 @@ interface(`setroubleshoot_dbus_chat_fixit',` ######################################## ## -<<<<<<< HEAD ## Dontaudit read/write to a setroubleshoot leaked sockets. ## ## @@ -133,8 +124,6 @@ interface(`setroubleshoot_fixit_dontaudit_leaks',` ######################################## ## -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## All of the rules required to administrate ## an setroubleshoot environment ## @@ -147,7 +136,6 @@ interface(`setroubleshoot_fixit_dontaudit_leaks',` # interface(`setroubleshoot_admin',` gen_require(` -<<<<<<< HEAD type setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_run_t; type setroubleshoot_var_lib_t; ') 
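Review bot: The closing `@@ -219,22 +191,4 @@` hunk drops upstream's `unconfined_domain(unconfined_sendmail_t)` / `mta_etc_filetrans_aliases(unconfined_sendmail_t)` block, and the earlier `@@ -19,14 +19,8 @@` hunk drops `type unconfined_sendmail_t;` with its `application_domain` and `role system_r` lines, yet sendmail.if still ships `sendmail_run_unconfined` with `role $2 types unconfined_sendmail_t;` (context in its `@@ -324,7 +309,6 @@` hunk). If HEAD's sendmail.te does not declare and unconfine that type at some other position outside these hunks, every caller of that interface will now fail at `gen_require`; please confirm, and if the type was dropped on purpose remove `sendmail_domtrans_unconfined`/`sendmail_run_unconfined` in the same commit so the .if and .te stay consistent. The `udev_read_db(sendmail_t)` optional block disappeared in the same hunk; confirm that was intended rather than a side effect of taking the HEAD side wholesale.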
@@ -160,17 +148,6 @@ interface(`setroubleshoot_admin',` logging_list_logs($1) admin_pattern($1, setroubleshoot_var_log_t) -======= - type setroubleshootd_t, setroubleshoot_log_t; - type setroubleshoot_var_lib_t, setroubleshoot_var_run_t; - ') - - allow $1 setroubleshootd_t:process { ptrace signal_perms }; - ps_process_pattern($1, setroubleshootd_t) - - logging_list_logs($1) - admin_pattern($1, setroubleshoot_log_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 files_list_var_lib($1) admin_pattern($1, setroubleshoot_var_lib_t) diff --git a/setroubleshoot.te b/setroubleshoot.te index e04b440..e010142 100644 --- a/setroubleshoot.te +++ b/setroubleshoot.te @@ -13,10 +13,7 @@ init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) type setroubleshoot_fixit_t; type setroubleshoot_fixit_exec_t; dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t) -<<<<<<< HEAD init_daemon_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type setroubleshoot_var_lib_t; files_type(setroubleshoot_var_lib_t) 
@@ -34,15 +31,10 @@ files_pid_file(setroubleshoot_var_run_t) # setroubleshootd local policy # -<<<<<<< HEAD allow setroubleshootd_t self:capability { dac_override sys_nice sys_ptrace sys_tty_config }; allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal }; # if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run allow setroubleshootd_t self:process { execmem execstack }; -======= -allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config }; -allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow setroubleshootd_t self:fifo_file rw_fifo_file_perms; allow setroubleshootd_t self:tcp_socket create_stream_socket_perms; allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; 
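Review bot: The capability line kept in `@@ -34,15 +31,10 @@` gives `setroubleshootd_t` `sys_ptrace` unconditionally, while the same merge removes `sys_ptrace` from `sectoolm_t` and `shorewall_t` and puts every admin-interface `process ptrace` behind the `deny_ptrace` tunable. Unless setroubleshootd needs the capability for something other than inspecting other processes, it should follow the same pattern so that `deny_ptrace=on` really takes ptrace ability away from the daemon; the `execmem execstack` grant just below is likewise unconditional and justified only by a comment about misbehaving libraries, which is worth re-checking before it ships. Suggested shape for the capability rules:

```selinux
allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config };
tunable_policy(`deny_ptrace',`',`
	allow setroubleshootd_t self:capability sys_ptrace;
')
```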
@@ -60,33 +52,21 @@ manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setrouble logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir }) # pid file -<<<<<<< HEAD manage_dirs_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file dir }) -======= -manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) -manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) -files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file }) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 kernel_read_kernel_sysctls(setroubleshootd_t) kernel_read_system_state(setroubleshootd_t) kernel_read_net_sysctls(setroubleshootd_t) kernel_read_network_state(setroubleshootd_t) -<<<<<<< HEAD kernel_dontaudit_list_all_proc(setroubleshootd_t) kernel_read_unlabeled_state(setroubleshootd_t) corecmd_exec_bin(setroubleshootd_t) corecmd_exec_shell(setroubleshootd_t) corecmd_read_all_executables(setroubleshootd_t) -======= - -corecmd_exec_bin(setroubleshootd_t) -corecmd_exec_shell(setroubleshootd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 corenet_all_recvfrom_unlabeled(setroubleshootd_t) corenet_all_recvfrom_netlabel(setroubleshootd_t) @@ -112,10 +92,7 @@ files_getattr_all_files(setroubleshootd_t) files_getattr_all_pipes(setroubleshootd_t) files_getattr_all_sockets(setroubleshootd_t) files_read_all_symlinks(setroubleshootd_t) -<<<<<<< HEAD files_read_mnt_files(setroubleshootd_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 fs_getattr_all_dirs(setroubleshootd_t) fs_getattr_all_files(setroubleshootd_t) 
@@ -126,10 +103,7 @@ fs_dontaudit_read_cifs_files(setroubleshootd_t) selinux_get_enforce_mode(setroubleshootd_t) selinux_validate_context(setroubleshootd_t) -<<<<<<< HEAD selinux_read_policy(setroubleshootd_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 term_dontaudit_use_all_ptys(setroubleshootd_t) term_dontaudit_use_all_ttys(setroubleshootd_t) @@ -139,11 +113,8 @@ auth_use_nsswitch(setroubleshootd_t) init_read_utmp(setroubleshootd_t) init_dontaudit_write_utmp(setroubleshootd_t) -<<<<<<< HEAD libs_exec_ld_so(setroubleshootd_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 miscfiles_read_localization(setroubleshootd_t) locallogin_dontaudit_use_fds(setroubleshootd_t) @@ -152,11 +123,6 @@ logging_send_audit_msgs(setroubleshootd_t) logging_send_syslog_msg(setroubleshootd_t) logging_stream_connect_dispatcher(setroubleshootd_t) -<<<<<<< HEAD -======= -modutils_read_module_config(setroubleshootd_t) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 seutil_read_config(setroubleshootd_t) seutil_read_file_contexts(setroubleshootd_t) seutil_read_bin_policy(setroubleshootd_t) @@ -164,7 +130,6 @@ seutil_read_bin_policy(setroubleshootd_t) userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) optional_policy(` -<<<<<<< HEAD locate_read_lib_files(setroubleshootd_t) ') @@ -177,16 +142,11 @@ optional_policy(` ') optional_policy(` -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) ') optional_policy(` -<<<<<<< HEAD rpm_exec(setroubleshootd_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 rpm_signull(setroubleshootd_t) rpm_read_db(setroubleshootd_t) rpm_dontaudit_manage_db(setroubleshootd_t) 
@@ -213,15 +173,11 @@ kernel_read_system_state(setroubleshoot_fixit_t) corecmd_exec_bin(setroubleshoot_fixit_t) corecmd_exec_shell(setroubleshoot_fixit_t) -<<<<<<< HEAD dev_read_sysfs(setroubleshoot_fixit_t) dev_read_urand(setroubleshoot_fixit_t) seutil_domtrans_setfiles(setroubleshoot_fixit_t) seutil_domtrans_setsebool(setroubleshoot_fixit_t) -======= -seutil_domtrans_setfiles(setroubleshoot_fixit_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 files_read_usr_files(setroubleshoot_fixit_t) files_read_etc_files(setroubleshoot_fixit_t) @@ -234,7 +190,6 @@ logging_send_syslog_msg(setroubleshoot_fixit_t) miscfiles_read_localization(setroubleshoot_fixit_t) -<<<<<<< HEAD userdom_dontaudit_search_admin_dir(setroubleshoot_fixit_t) userdom_signull_unpriv_users(setroubleshoot_fixit_t) @@ -242,8 +197,6 @@ optional_policy(` gnome_dontaudit_search_config(setroubleshoot_fixit_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 optional_policy(` rpm_signull(setroubleshoot_fixit_t) rpm_read_db(setroubleshoot_fixit_t) diff --git a/shorewall.fc b/shorewall.fc index de56445..4a5b930 100644 --- a/shorewall.fc +++ b/shorewall.fc @@ -7,12 +7,9 @@ /sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0) /sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0) -<<<<<<< HEAD /usr/sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0) /usr/sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) /var/lib/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) /var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) diff --git a/shorewall.if b/shorewall.if index 11c1700..d5ce40a 100644 --- a/shorewall.if +++ b/shorewall.if 
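Review bot: `seutil_domtrans_setsebool(setroubleshoot_fixit_t)` in `@@ -213,15 +173,11 @@` lets the fixit helper change policy booleans, and the helper is a system-bus service (`dbus_system_domain(setroubleshoot_fixit_t, ...)` in this file's declarations hunk). Nothing in the policy itself limits which bus caller can trigger that, so the effective gate is presumably the D-Bus/polkit configuration shipped with setroubleshoot, outside this repository; a comment at the call site would save the next reader from re-establishing that, e.g. `# fixit may flip booleans and relabel; bus callers are gated by setroubleshoot's D-Bus/polkit policy, not here`. The same note applies to the `seutil_domtrans_setfiles` line beside it.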
@@ -55,14 +55,9 @@ interface(`shorewall_read_config',` read_files_pattern($1, shorewall_etc_t, shorewall_etc_t) ') -<<<<<<< HEAD ###################################### ## ## Read shorewall /var/lib files. -======= -####################################### -## -## Read shorewall PID files. ## ## ## @@ -70,54 +65,9 @@ interface(`shorewall_read_config',` ## ## # -interface(`shorewall_read_pid_files',` - gen_require(` - type shorewall_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t) -') - -####################################### -## -## Read and write shorewall PID files. ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 -## -## -## -## Domain allowed access. -## -## -# -<<<<<<< HEAD -interface(`shorewall_read_lib_files',` - gen_require(` - type shorewall_var_lib_t; -======= -interface(`shorewall_rw_pid_files',` - gen_require(` - type shorewall_var_run_t; - ') - - files_search_pids($1) - rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t) -') - -###################################### -## -## Read shorewall /var/lib files. -## -## -## -## Domain allowed access. -## -## -# interface(`shorewall_read_lib_files',` gen_require(` - type shorewall_t; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 + type shorewall_var_lib_t; ') files_search_var_lib($1) @@ -127,21 +77,12 @@ interface(`shorewall_read_lib_files',` ####################################### ## -<<<<<<< HEAD -## Read and write shorewall /var/lib files. -## -## -## -## Domain allowed access. -## -======= ## Read and write shorewall /var/lib files. ## ## ## ## Domain allowed access. ## ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## # interface(`shorewall_rw_lib_files',` 
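Review bot: The resolution of the `@@ -70,54 +65,9 @@` hunk discards the other branch's `shorewall_read_pid_files` and `shorewall_rw_pid_files` interfaces, and with them every reference to `shorewall_var_run_t`, instead of keeping them beside `shorewall_read_lib_files`. If any module on this branch calls either interface the policy build fails on the missing macro; if none does, the commit message ("git remains") should say the two interfaces were dropped on purpose, because a reader of the diff cannot tell an intentional drop from a lost side of the conflict. The added `+	type shorewall_var_lib_t;` in the `gen_require` block is correct, since the body reads `shorewall_var_lib_t` and not the `shorewall_t` the removed line required.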
@@ -198,16 +139,11 @@ interface(`shorewall_admin',` type shorewall_tmp_t, shorewall_etc_t; ') -<<<<<<< HEAD allow $1 shorewall_t:process signal_perms; ps_process_pattern($1, shorewall_t) tunable_policy(`deny_ptrace',`',` allow $1 shorewall_t:process ptrace; ') -======= - allow $1 shorewall_t:process { ptrace signal_perms }; - ps_process_pattern($1, shorewall_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 init_labeled_script_domtrans($1, shorewall_initrc_exec_t) domain_system_change_exemption($1) diff --git a/shorewall.te b/shorewall.te index 7387a0e..7b0d35f 100644 --- a/shorewall.te +++ b/shorewall.te @@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(shorewall, 1.2.1) -======= policy_module(shorewall, 1.3.0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -41,11 +37,7 @@ logging_log_file(shorewall_log_t) # shorewall local policy # -<<<<<<< HEAD allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice }; -======= -allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 dontaudit shorewall_t self:capability sys_tty_config; allow shorewall_t self:fifo_file rw_fifo_file_perms; @@ -67,12 +59,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file }) -<<<<<<< HEAD allow shorewall_t shorewall_var_lib_t:file entrypoint; allow shorewall_t shorewall_initrc_exec_t:file read_file_perms; -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow shorewall_t shorewall_initrc_exec_t:file read_file_perms; 
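Review bot: In shorewall.te's `@@ -67,12 +59,9 @@` hunk the resolution keeps `allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;` twice, once inside the former HEAD block and once after the removed `>>>>>>>` marker; the second copy should go, as nothing in the merge needs it. The same leftover-duplicate pattern appears in smartmon.te's `@@ -85,22 +74,15 @@` hunk, where `files_read_usr_files(fsdaemon_t)` is now listed both before the `# for config` comment and again after the removed marker. Separately, the kept `allow shorewall_t shorewall_var_lib_t:file entrypoint;` sits next to `manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)`, so the domain can write the files that serve as its own entry points; if that is intentional (presumably compiled firewall scripts under /var/lib) a comment such as `# shorewall runs its compiled script from shorewall_var_lib_t, hence entrypoint on a type it also writes` would stop the next reader from treating the line as a merge accident.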
@@ -97,21 +86,15 @@ fs_getattr_all_fs(shorewall_t) init_rw_utmp(shorewall_t) -<<<<<<< HEAD logging_read_generic_logs(shorewall_t) logging_send_syslog_msg(shorewall_t) auth_use_nsswitch(shorewall_t) -======= -logging_send_syslog_msg(shorewall_t) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 miscfiles_read_localization(shorewall_t) sysnet_domtrans_ifconfig(shorewall_t) -<<<<<<< HEAD userdom_dontaudit_list_admin_dir(shorewall_t) userdom_use_inherited_user_ttys(shorewall_t) userdom_use_inherited_user_ptys(shorewall_t) @@ -119,9 +102,6 @@ userdom_use_inherited_user_ptys(shorewall_t) optional_policy(` brctl_domtrans(shorewall_t) ') -======= -userdom_dontaudit_list_user_home_dirs(shorewall_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 optional_policy(` hostname_exec(shorewall_t) diff --git a/shutdown.fc b/shutdown.fc index cd418b3..e317fbe 100644 --- a/shutdown.fc +++ b/shutdown.fc @@ -2,8 +2,6 @@ /lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) -<<<<<<< HEAD - /sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) @@ -11,8 +9,3 @@ /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) /var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) -======= -/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) - -/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/shutdown.if b/shutdown.if index a1e1e02..b66057c 100644 --- a/shutdown.if +++ b/shutdown.if @@ -18,7 +18,6 @@ interface(`shutdown_domtrans',` corecmd_search_bin($1) domtrans_pattern($1, shutdown_exec_t, shutdown_t) -<<<<<<< HEAD init_reboot($1) init_halt($1) 
@@ -31,11 +30,6 @@ interface(`shutdown_domtrans',` ifdef(`hide_broken_symptoms', ` dontaudit shutdown_t $1:fifo_file rw_inherited_fifo_file_perms; -======= - ifdef(`hide_broken_symptoms', ` - dontaudit shutdown_t $1:socket_class_set { read write }; - dontaudit shutdown_t $1:fifo_file { read write }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ') @@ -66,7 +60,6 @@ interface(`shutdown_run',` ######################################## ## -<<<<<<< HEAD ## Role access for shutdown ## ## @@ -134,8 +127,6 @@ interface(`shutdown_dbus_chat',` ######################################## ## -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## Get attributes of shutdown executable. ## ## diff --git a/shutdown.te b/shutdown.te index 0a69245..d3528a0 100644 --- a/shutdown.te +++ b/shutdown.te @@ -7,10 +7,7 @@ policy_module(shutdown, 1.1.0) type shutdown_t; type shutdown_exec_t; -<<<<<<< HEAD init_system_domain(shutdown_t, shutdown_exec_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 application_domain(shutdown_t, shutdown_exec_t) role system_r types shutdown_t; @@ -25,13 +22,8 @@ files_pid_file(shutdown_var_run_t) # shutdown local policy # -<<<<<<< HEAD allow shutdown_t self:capability { dac_override kill setuid sys_nice sys_tty_config }; allow shutdown_t self:process { fork setsched signal signull }; -======= -allow shutdown_t self:capability { dac_override kill setuid sys_tty_config }; -allow shutdown_t self:process { fork signal signull }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow shutdown_t self:fifo_file manage_fifo_file_perms; allow shutdown_t self:unix_stream_socket create_stream_socket_perms; 
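Review bot: In shutdown.te's `@@ -7,10 +7,7 @@` hunk the resolved code applies both `init_system_domain(shutdown_t, shutdown_exec_t)` and `application_domain(shutdown_t, shutdown_exec_t)` to the same domain/entrypoint pair, followed by an explicit `role system_r types shutdown_t;`. Presumably the HEAD side added `init_system_domain` deliberately, but keeping both declarations (plus a role line that `init_system_domain` would normally already provide, if it behaves as in refpolicy) reads like a merge leftover. A comment such as `# shutdown is entered both from init and directly by users, so it is declared as an init system domain and as an application domain` would record the reason; otherwise one of the two calls should be dropped.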
@@ -42,35 +34,22 @@ files_etc_filetrans(shutdown_t, shutdown_etc_t, file) manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t) files_pid_filetrans(shutdown_t, shutdown_var_run_t, file) -<<<<<<< HEAD kernel_read_system_state(shutdown_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 domain_use_interactive_fds(shutdown_t) files_read_etc_files(shutdown_t) files_read_generic_pids(shutdown_t) -<<<<<<< HEAD files_delete_boot_flag(shutdown_t) mls_file_write_to_clearance(shutdown_t) term_use_all_inherited_terms(shutdown_t) -======= - -term_use_all_terms(shutdown_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 auth_use_nsswitch(shutdown_t) auth_write_login_records(shutdown_t) -<<<<<<< HEAD init_rw_utmp(shutdown_t) -======= -init_dontaudit_write_utmp(shutdown_t) -init_read_utmp(shutdown_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 init_stream_connect(shutdown_t) init_telinit(shutdown_t) @@ -80,19 +59,15 @@ logging_send_audit_msgs(shutdown_t) miscfiles_read_localization(shutdown_t) optional_policy(` -<<<<<<< HEAD cron_system_entry(shutdown_t, shutdown_exec_t) ') optional_policy(` -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 dbus_system_bus_client(shutdown_t) dbus_connect_system_bus(shutdown_t) ') optional_policy(` -<<<<<<< HEAD oddjob_dontaudit_rw_fifo_file(shutdown_t) oddjob_sigchld(shutdown_t) ') @@ -104,7 +79,4 @@ optional_policy(` optional_policy(` xserver_dontaudit_write_log(shutdown_t) xserver_xdm_append_log(shutdown_t) -======= - xserver_dontaudit_write_log(shutdown_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') diff --git a/slocate.te b/slocate.te index ad62b2d..a225c02 100644 --- a/slocate.te +++ b/slocate.te @@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(slocate, 1.10.1) -======= policy_module(slocate, 1.11.0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ################################# # diff --git a/slrnpull.te b/slrnpull.te index 2edd5dc..92eecec 100644 --- a/slrnpull.te +++ b/slrnpull.te 
@@ -13,11 +13,7 @@ type slrnpull_var_run_t; files_pid_file(slrnpull_var_run_t) type slrnpull_spool_t; -<<<<<<< HEAD files_spool_file(slrnpull_spool_t) -======= -files_type(slrnpull_spool_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type slrnpull_log_t; logging_log_file(slrnpull_log_t) diff --git a/smartmon.if b/smartmon.if index 0bbbef8..145adbd 100644 --- a/smartmon.if +++ b/smartmon.if @@ -15,10 +15,7 @@ interface(`smartmon_read_tmp_files',` type fsdaemon_tmp_t; ') -<<<<<<< HEAD files_search_tmp($1) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow $1 fsdaemon_tmp_t:file read_file_perms; ') @@ -45,16 +42,11 @@ interface(`smartmon_admin',` type fsdaemon_initrc_exec_t; ') -<<<<<<< HEAD allow $1 fsdaemon_t:process signal_perms; ps_process_pattern($1, fsdaemon_t) tunable_policy(`deny_ptrace',`',` allow $1 smartmon_t:process ptrace; ') -======= - allow $1 fsdaemon_t:process { ptrace signal_perms getattr }; - ps_process_pattern($1, fsdaemon_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t) domain_system_change_exemption($1) diff --git a/smartmon.te b/smartmon.te index 5f726a1..c79f584 100644 --- a/smartmon.te +++ b/smartmon.te @@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(smartmon, 1.10.1) -======= -policy_module(smartmon, 1.11.0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 +policy_module(smartmon, 1.14.0) ######################################## # @@ -39,11 +35,7 @@ ifdef(`enable_mls',` # Local policy # -<<<<<<< HEAD allow fsdaemon_t self:capability { dac_override kill setpcap setgid sys_rawio sys_admin }; -======= -allow fsdaemon_t self:capability { setpcap setgid sys_rawio sys_admin }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 dontaudit fsdaemon_t self:capability sys_tty_config; allow fsdaemon_t self:process { getcap setcap signal_perms }; allow fsdaemon_t self:fifo_file rw_fifo_file_perms; 
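Review bot: The kept HEAD block in smartmon.if's `@@ -45,16 +42,11 @@` hunk grants ptrace on a type that does not match the rest of the interface: `allow $1 smartmon_t:process ptrace;` inside the `deny_ptrace` tunable, while the `signal_perms` rule, `ps_process_pattern` and the `gen_require` block all use `fsdaemon_t`, which is also the domain every rule in smartmon.te is written for. Unless `smartmon_t` is declared somewhere not shown on this page, that tunable block either fails to build or grants ptrace on the wrong domain; the discarded branch's line used `fsdaemon_t`. The fix is `allow $1 fsdaemon_t:process ptrace;`.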
@@ -60,10 +52,7 @@ manage_files_pattern(fsdaemon_t, fsdaemon_var_run_t, fsdaemon_var_run_t) files_pid_filetrans(fsdaemon_t, fsdaemon_var_run_t, file) kernel_read_kernel_sysctls(fsdaemon_t) -<<<<<<< HEAD kernel_read_network_state(fsdaemon_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 kernel_read_software_raid_state(fsdaemon_t) kernel_read_system_state(fsdaemon_t) @@ -85,22 +74,15 @@ files_read_etc_runtime_files(fsdaemon_t) files_read_usr_files(fsdaemon_t) # for config files_read_etc_files(fsdaemon_t) -<<<<<<< HEAD files_read_usr_files(fsdaemon_t) fs_getattr_all_fs(fsdaemon_t) fs_search_auto_mountpoints(fsdaemon_t) fs_read_removable_files(fsdaemon_t) -======= - -fs_getattr_all_fs(fsdaemon_t) -fs_search_auto_mountpoints(fsdaemon_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 mls_file_read_all_levels(fsdaemon_t) #mls_rangetrans_target(fsdaemon_t) -<<<<<<< HEAD storage_create_fixed_disk_dev(fsdaemon_t) storage_dev_filetrans_named_fixed_disk(fsdaemon_t) storage_raw_read_fixed_disk(fsdaemon_t) @@ -117,14 +99,6 @@ auth_read_passwd(fsdaemon_t) init_read_utmp(fsdaemon_t) -======= -storage_raw_read_fixed_disk(fsdaemon_t) -storage_raw_write_fixed_disk(fsdaemon_t) -storage_raw_read_removable_device(fsdaemon_t) - -term_dontaudit_search_ptys(fsdaemon_t) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 libs_exec_ld_so(fsdaemon_t) libs_exec_lib_files(fsdaemon_t) diff --git a/smokeping.if b/smokeping.if index f3557b7..017b923 100644 --- a/smokeping.if +++ b/smokeping.if @@ -153,16 +153,11 @@ interface(`smokeping_admin',` type smokeping_t, smokeping_initrc_exec_t; ') -<<<<<<< HEAD allow $1 smokeping_t:process signal_perms; ps_process_pattern($1, smokeping_t) tunable_policy(`deny_ptrace',`',` allow $1 smokeping_t:process ptrace; ') -======= - allow $1 smokeping_t:process { ptrace signal_perms }; - ps_process_pattern($1, smokeping_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 smokeping_initrc_domtrans($1) domain_system_change_exemption($1) 
diff --git a/smokeping.te b/smokeping.te index 4c8b2d0..740994a 100644 --- a/smokeping.te +++ b/smokeping.te @@ -23,11 +23,7 @@ files_type(smokeping_var_lib_t) # smokeping local policy # -<<<<<<< HEAD -dontaudit smokeping_t self:capability { dac_read_search dac_override }; -======= dontaudit smokeping_t self:capability { dac_read_search dac_override }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow smokeping_t self:fifo_file rw_fifo_file_perms; allow smokeping_t self:udp_socket create_socket_perms; allow smokeping_t self:unix_stream_socket create_stream_socket_perms; diff --git a/smoltclient.te b/smoltclient.te index 496971b..2efc0d7 100644 --- a/smoltclient.te +++ b/smoltclient.te @@ -8,10 +8,6 @@ policy_module(smoltclient, 1.1.0) type smoltclient_t; type smoltclient_exec_t; application_domain(smoltclient_t, smoltclient_exec_t) -<<<<<<< HEAD -======= -cron_system_entry(smoltclient_t, smoltclient_exec_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type smoltclient_tmp_t; files_tmp_file(smoltclient_tmp_t) @@ -42,10 +38,7 @@ corecmd_exec_shell(smoltclient_t) corenet_tcp_connect_http_port(smoltclient_t) dev_read_sysfs(smoltclient_t) -<<<<<<< HEAD dev_read_urand(smoltclient_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 fs_getattr_all_fs(smoltclient_t) fs_getattr_all_dirs(smoltclient_t) @@ -53,17 +46,13 @@ fs_list_auto_mountpoints(smoltclient_t) files_getattr_generic_locks(smoltclient_t) files_read_etc_files(smoltclient_t) -<<<<<<< HEAD files_read_etc_runtime_files(smoltclient_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 files_read_usr_files(smoltclient_t) auth_use_nsswitch(smoltclient_t) logging_send_syslog_msg(smoltclient_t) -<<<<<<< HEAD miscfiles_read_hwdata(smoltclient_t) miscfiles_read_localization(smoltclient_t) 
@@ -76,11 +65,6 @@ optional_policy(` ') optional_policy(` -======= -miscfiles_read_localization(smoltclient_t) - -optional_policy(` ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 dbus_system_bus_client(smoltclient_t) ') diff --git a/snmp.fc b/snmp.fc index ff2b2dd..0a802f7 100644 --- a/snmp.fc +++ b/snmp.fc @@ -18,13 +18,8 @@ /var/log/snmpd\.log -- gen_context(system_u:object_r:snmpd_log_t,s0) -<<<<<<< HEAD /var/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) -/var/run/net-snmpd?(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) -======= -/var/net-snmp(/.*) gen_context(system_u:object_r:snmpd_var_lib_t,s0) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 +/var/run/net-snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) /var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) diff --git a/snmp.if b/snmp.if index c0b4ae2..f1343b7 100644 --- a/snmp.if +++ b/snmp.if @@ -11,21 +11,12 @@ ## # interface(`snmp_stream_connect',` -<<<<<<< HEAD gen_require(` type snmpd_t, snmpd_var_lib_t; ') files_search_var_lib($1) stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t) -======= - gen_require(` - type snmpd_t, snmpd_var_lib_t; - ') - - files_search_var_lib($1) - stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## @@ -71,16 +62,12 @@ interface(`snmp_read_snmp_var_lib_files',` type snmpd_var_lib_t; ') -<<<<<<< HEAD files_search_var_lib($1) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow $1 snmpd_var_lib_t:dir list_dir_perms; read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) ') -<<<<<<< HEAD ####################################### ## ## Read snmpd libraries directories 
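Review bot: The added line `+/var/run/net-snmpd(/.*)?` in snmp.fc's `@@ -18,13 +18,8 @@` hunk narrows the removed HEAD pattern `/var/run/net-snmpd?(/.*)?`, so a `/var/run/net-snmp` directory (without the trailing `d`) is no longer labelled `snmpd_var_run_t` and falls back to the generic /var/run label. If both spellings occur on the releases this policy targets, the optional `d?` should be kept; either way a one-line comment above the entry naming which daemon creates the directory would make the intent checkable. The kept `/var/net-snmp(/.*)?` line is the right choice over the other branch's `/var/net-snmp(/.*)`, since without the `?` the pattern never matches the directory itself.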
@@ -139,8 +126,6 @@ interface(`snmp_manage_var_lib_files',` manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## ## ## dontaudit Read snmpd libraries. @@ -155,16 +140,10 @@ interface(`snmp_dontaudit_read_snmp_var_lib_files',` gen_require(` type snmpd_var_lib_t; ') -<<<<<<< HEAD dontaudit $1 snmpd_var_lib_t:dir list_dir_perms; dontaudit $1 snmpd_var_lib_t:file read_file_perms; dontaudit $1 snmpd_var_lib_t:lnk_file read_lnk_file_perms; -======= - dontaudit $1 snmpd_var_lib_t:dir list_dir_perms; - dontaudit $1 snmpd_var_lib_t:file read_file_perms; - dontaudit $1 snmpd_var_lib_t:lnk_file { getattr read }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## @@ -204,7 +183,6 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',` # interface(`snmp_admin',` gen_require(` -<<<<<<< HEAD type snmpd_t, snmpd_log_t, snmpd_initrc_exec_t; type snmpd_var_lib_t, snmpd_var_run_t; ') @@ -214,15 +192,6 @@ interface(`snmp_admin',` tunable_policy(`deny_ptrace',`',` allow $1 snmpd_t:process ptrace; ') -======= - type snmpd_t, snmpd_log_t; - type snmpd_var_lib_t, snmpd_var_run_t; - type snmpd_initrc_exec_t; - ') - - allow $1 snmpd_t:process { ptrace signal_perms getattr }; - ps_process_pattern($1, snmpd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 init_labeled_script_domtrans($1, snmpd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/snmp.te b/snmp.te index d4ad0a4..7580a6a 100644 --- a/snmp.te +++ b/snmp.te @@ -1,17 +1,10 @@ -<<<<<<< HEAD -policy_module(snmp, 1.11.0) -======= policy_module(snmp, 1.12.1) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # # Declarations # -<<<<<<< HEAD -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type snmpd_t; type snmpd_exec_t; init_daemon_domain(snmpd_t, snmpd_exec_t) 
@@ -32,22 +25,14 @@ files_type(snmpd_var_lib_t) # # Local policy # -<<<<<<< HEAD allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config }; -======= -allow snmpd_t self:capability { chown dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 dontaudit snmpd_t self:capability { sys_module sys_tty_config }; allow snmpd_t self:process { signal_perms getsched setsched }; allow snmpd_t self:fifo_file rw_fifo_file_perms; allow snmpd_t self:unix_dgram_socket create_socket_perms; -<<<<<<< HEAD allow snmpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -======= -allow snmpd_t self:unix_stream_socket create_stream_socket_perms; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow snmpd_t self:tcp_socket create_stream_socket_perms; allow snmpd_t self:udp_socket connected_stream_socket_perms; 
@@ -59,32 +44,19 @@ manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) manage_sock_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file) files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file }) -<<<<<<< HEAD files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, { dir file }) manage_dirs_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t) manage_files_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t) files_pid_filetrans(snmpd_t, snmpd_var_run_t, { file dir }) -======= -files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, file) - -manage_files_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t) -files_pid_filetrans(snmpd_t, snmpd_var_run_t, file) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 kernel_read_device_sysctls(snmpd_t) kernel_read_kernel_sysctls(snmpd_t) kernel_read_fs_sysctls(snmpd_t) kernel_read_net_sysctls(snmpd_t) -<<<<<<< HEAD kernel_read_network_state(snmpd_t) kernel_read_proc_symlinks(snmpd_t) kernel_read_all_proc(snmpd_t) -======= -kernel_read_proc_symlinks(snmpd_t) -kernel_read_system_state(snmpd_t) -kernel_read_network_state(snmpd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 corecmd_exec_bin(snmpd_t) corecmd_exec_shell(snmpd_t) @@ -115,10 +87,6 @@ dev_getattr_usbfs_dirs(snmpd_t) domain_use_interactive_fds(snmpd_t) domain_signull_all_domains(snmpd_t) domain_read_all_domains_state(snmpd_t) -<<<<<<< HEAD -======= -domain_dontaudit_ptrace_all_domains(snmpd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 domain_exec_all_entry_files(snmpd_t) files_read_etc_files(snmpd_t) @@ -129,7 +97,6 @@ files_search_home(snmpd_t) fs_getattr_all_dirs(snmpd_t) fs_getattr_all_fs(snmpd_t) fs_search_auto_mountpoints(snmpd_t) -<<<<<<< HEAD files_search_all_mountpoints(snmpd_t) storage_dontaudit_read_fixed_disk(snmpd_t) 
@@ -143,17 +110,6 @@ init_read_utmp(snmpd_t) init_dontaudit_write_utmp(snmpd_t) # need write to /var/run/systemd/notify init_write_pid_socket(snmpd_t) -======= - -storage_dontaudit_read_fixed_disk(snmpd_t) -storage_dontaudit_read_removable_device(snmpd_t) - -auth_use_nsswitch(snmpd_t) -files_list_non_auth_dirs(snmpd_t) - -init_read_utmp(snmpd_t) -init_dontaudit_write_utmp(snmpd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 logging_send_syslog_msg(snmpd_t) @@ -166,11 +122,7 @@ sysnet_read_config(snmpd_t) userdom_dontaudit_use_unpriv_user_fds(snmpd_t) userdom_dontaudit_search_user_home_dirs(snmpd_t) -<<<<<<< HEAD ifdef(`distro_redhat',` -======= -ifdef(`distro_redhat', ` ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 optional_policy(` rpm_read_db(snmpd_t) rpm_dontaudit_manage_db(snmpd_t) @@ -195,13 +147,10 @@ optional_policy(` ') optional_policy(` -<<<<<<< HEAD ricci_stream_connect_modclusterd(snmpd_t) ') optional_policy(` -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 rpc_search_nfs_state_data(snmpd_t) ') diff --git a/snort.if b/snort.if index 336794f..0eb909b 100644 --- a/snort.if +++ b/snort.if @@ -5,15 +5,9 @@ ## Execute a domain transition to run snort. ## ## -<<<<<<< HEAD -## -## Domain allowed to transition. -## -======= ## ## Domain allowed to transition. ## ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## # interface(`snort_domtrans',` @@ -47,16 +41,11 @@ interface(`snort_admin',` type snort_etc_t, snort_initrc_exec_t; ') -<<<<<<< HEAD allow $1 snort_t:process signal_perms; ps_process_pattern($1, snort_t) tunable_policy(`deny_ptrace',`',` allow $1 snort_t:process ptrace; ') -======= - allow $1 snort_t:process { ptrace signal_perms }; - ps_process_pattern($1, snort_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 init_labeled_script_domtrans($1, snort_initrc_exec_t) domain_system_change_exemption($1) 
@@ -64,7 +53,6 @@ interface(`snort_admin',` allow $2 system_r; admin_pattern($1, snort_etc_t) -<<<<<<< HEAD files_list_etc($1) admin_pattern($1, snort_log_t) @@ -72,13 +60,4 @@ interface(`snort_admin',` admin_pattern($1, snort_var_run_t) files_list_pids($1) -======= - files_search_etc($1) - - admin_pattern($1, snort_log_t) - logging_search_logs($1) - - admin_pattern($1, snort_var_run_t) - files_search_pids($1) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') diff --git a/snort.te b/snort.te index e08427c..735c400 100644 --- a/snort.te +++ b/snort.te @@ -32,29 +32,17 @@ files_pid_file(snort_var_run_t) allow snort_t self:capability { setgid setuid net_admin net_raw dac_override }; dontaudit snort_t self:capability sys_tty_config; allow snort_t self:process signal_perms; -<<<<<<< HEAD allow snort_t self:netlink_route_socket create_netlink_socket_perms; -======= -allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow snort_t self:tcp_socket create_stream_socket_perms; allow snort_t self:udp_socket create_socket_perms; allow snort_t self:packet_socket create_socket_perms; allow snort_t self:socket create_socket_perms; # Snort IPS node. unverified. -<<<<<<< HEAD allow snort_t self:netlink_firewall_socket create_socket_perms; allow snort_t snort_etc_t:dir list_dir_perms; allow snort_t snort_etc_t:file read_file_perms; allow snort_t snort_etc_t:lnk_file read_lnk_file_perms; -======= -allow snort_t self:netlink_firewall_socket { bind create getattr }; - -allow snort_t snort_etc_t:dir list_dir_perms; -allow snort_t snort_etc_t:file read_file_perms; -allow snort_t snort_etc_t:lnk_file { getattr read }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 manage_files_pattern(snort_t, snort_log_t, snort_log_t) create_dirs_pattern(snort_t, snort_log_t, snort_log_t) diff --git a/sosreport.fc b/sosreport.fc index 4f0c481..050f521 100644 --- a/sosreport.fc +++ b/sosreport.fc 
@@ -1,6 +1,3 @@ /usr/sbin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0) -<<<<<<< HEAD /.ismount-test-file -- gen_context(system_u:object_r:sosreport_tmp_t,s0) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/sosreport.if b/sosreport.if index 58f0fd5..f64bd93 100644 --- a/sosreport.if +++ b/sosreport.if @@ -106,11 +106,7 @@ interface(`sosreport_append_tmp_files',` type sosreport_tmp_t; ') -<<<<<<< HEAD allow $1 sosreport_tmp_t:file append_inherited_file_perms; -======= - append_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## diff --git a/sosreport.te b/sosreport.te index db45fed..1a8e3bc 100644 --- a/sosreport.te +++ b/sosreport.te @@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(sosreport, 1.0.0) -======= policy_module(sosreport, 1.1.1) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -25,11 +21,7 @@ files_tmpfs_file(sosreport_tmpfs_t) # sosreport local policy # -<<<<<<< HEAD allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override }; -======= -allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice sys_ptrace dac_override }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow sosreport_t self:process { setsched signull }; allow sosreport_t self:fifo_file rw_fifo_file_perms; allow sosreport_t self:tcp_socket create_stream_socket_perms; 
@@ -82,26 +74,17 @@ files_read_all_symlinks(sosreport_t) # for blkid.tab files_manage_etc_runtime_files(sosreport_t) files_etc_filetrans_etc_runtime(sosreport_t, file) -<<<<<<< HEAD files_root_filetrans(sosreport_t, sosreport_tmp_t, file, ".ismount-test-file") -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 fs_getattr_all_fs(sosreport_t) fs_list_inotifyfs(sosreport_t) -<<<<<<< HEAD storage_dontaudit_read_fixed_disk(sosreport_t) storage_dontaudit_read_removable_device(sosreport_t) # some config files do not have configfile attribute # sosreport needs to read various files on system files_read_non_security_files(sosreport_t) -======= -# some config files do not have configfile attribute -# sosreport needs to read various files on system -files_read_non_auth_files(sosreport_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 auth_use_nsswitch(sosreport_t) init_domtrans_script(sosreport_t) @@ -113,20 +96,11 @@ logging_send_syslog_msg(sosreport_t) miscfiles_read_localization(sosreport_t) -<<<<<<< HEAD -======= -# needed by modinfo -modutils_read_module_deps(sosreport_t) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 sysnet_read_config(sosreport_t) optional_policy(` abrt_manage_pid_files(sosreport_t) -<<<<<<< HEAD abrt_manage_cache(sosreport_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') optional_policy(` @@ -138,14 +112,11 @@ optional_policy(` ') optional_policy(` -<<<<<<< HEAD # needed by modinfo modutils_read_module_deps(sosreport_t) ') optional_policy(` -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 fstools_domtrans(sosreport_t) ') diff --git a/soundserver.if b/soundserver.if index c7c2eb9..1b07ed4 100644 --- a/soundserver.if +++ b/soundserver.if @@ -33,7 +33,6 @@ interface(`soundserver_tcp_connect',` # interface(`soundserver_admin',` gen_require(` -<<<<<<< HEAD type soundd_t, soundd_etc_t, soundd_initrc_exec_t; type soundd_tmp_t, soundd_var_run_t; ') 
@@ -43,15 +42,6 @@ interface(`soundserver_admin',` tunable_policy(`deny_ptrace',`',` allow $1 soundd_t:process ptrace; ') -======= - type soundd_t, soundd_etc_t; - type soundd_tmp_t, soundd_var_run_t; - type soundd_initrc_exec_t; - ') - - allow $1 soundd_t:process { ptrace signal_perms }; - ps_process_pattern($1, soundd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 init_labeled_script_domtrans($1, soundd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/spamassassin.fc b/spamassassin.fc index c0493b8..21f3e07 100644 --- a/spamassassin.fc +++ b/spamassassin.fc @@ -1,4 +1,3 @@ -<<<<<<< HEAD HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) /root/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) @@ -20,24 +19,11 @@ HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) /var/log/spamd\.log -- gen_context(system_u:object_r:spamd_log_t,s0) /var/log/mimedefang -- gen_context(system_u:object_r:spamd_log_t,s0) -======= -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0) - -/usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0) -/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0) -/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0) -/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) - -/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) - -/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) -<<<<<<< HEAD /var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) /var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) 
@@ -50,5 +36,3 @@ HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) /var/lib/razor(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0) /var/log/razor-agent\.log -- gen_context(system_u:object_r:spamd_log_t,s0) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/spamassassin.if b/spamassassin.if index 9a69b49..82fc7f6 100644 --- a/spamassassin.if +++ b/spamassassin.if @@ -14,10 +14,7 @@ ## User domain for the role ## ## -<<<<<<< HEAD ## -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # interface(`spamassassin_role',` gen_require(` @@ -29,7 +26,6 @@ interface(`spamassassin_role',` role $1 types { spamc_t spamassassin_t }; domtrans_pattern($2, spamassassin_exec_t, spamassassin_t) -<<<<<<< HEAD allow $2 spamassassin_t:process signal_perms; ps_process_pattern($2, spamassassin_t) @@ -37,11 +33,6 @@ interface(`spamassassin_role',` domtrans_pattern($2, spamc_exec_t, spamc_t) allow $2 spamc_t:process signal_perms; -======= - ps_process_pattern($2, spamassassin_t) - - domtrans_pattern($2, spamc_exec_t, spamc_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ps_process_pattern($2, spamc_t) manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t) @@ -69,10 +60,6 @@ interface(`spamassassin_exec',` ') can_exec($1, spamassassin_exec_t) -<<<<<<< HEAD -======= - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## @@ -128,7 +115,6 @@ interface(`spamassassin_domtrans_client',` ') domtrans_pattern($1, spamc_exec_t, spamc_t) -<<<<<<< HEAD allow $1 spamc_exec_t:file ioctl; ') @@ -190,8 +176,6 @@ interface(`spamassassin_read_home_client',` list_dirs_pattern($1, spamc_home_t, spamc_home_t) read_files_pattern($1, spamc_home_t, spamc_home_t) read_lnk_files_pattern($1, spamc_home_t, spamc_home_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## 
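Review bot: Type naming between the two spamassassin files no longer lines up after this resolution: spamassassin.fc (the `@@ -20,24 +19,11 @@` hunk above) keeps `HOME_DIR/\.spamassassin(/.*)?` labelled `spamc_home_t` and drops the other branch's `spamassassin_home_t` entry, while `spamassassin_role` in the `@@ -37,11 +33,6 @@` hunk here still does `manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)`. Unless spamassassin.te declares one type as an alias of the other (not visible on this page), the role's home-directory rules and the file labels refer to different types, and the `spamassassin_read_home_client` hunk below, which uses `spamc_home_t`, suggests which one the labels actually carry. A one-line comment at the `manage_dirs_pattern` call naming the relationship between the two types, or switching it to `spamc_home_t` if they are distinct, would settle it.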
@@ -247,13 +231,9 @@ interface(`spamassassin_read_lib_files',` ') files_search_var_lib($1) -<<<<<<< HEAD list_dirs_pattern($1, spamd_var_lib_t, spamd_var_lib_t) read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t) read_lnk_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t) -======= - read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## @@ -291,10 +271,7 @@ interface(`spamassassin_read_spamd_tmp_files',` type spamd_tmp_t; ') -<<<<<<< HEAD files_search_tmp($1) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow $1 spamd_tmp_t:file read_file_perms; ') @@ -314,7 +291,6 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',` type spamd_tmp_t; ') -<<<<<<< HEAD dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms; ') @@ -405,7 +381,4 @@ interface(`spamassassin_spamd_admin',` files_list_pids($1) admin_pattern($1, spamd_var_run_t) -======= - dontaudit $1 spamd_tmp_t:sock_file getattr; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') diff --git a/spamassassin.te b/spamassassin.te index 4997277..b012a5c 100644 --- a/spamassassin.te +++ b/spamassassin.te @@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(spamassassin, 2.4.0) -======= policy_module(spamassassin, 2.5.0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -10,20 +6,13 @@ policy_module(spamassassin, 2.5.0) # ## -<<<<<<< HEAD ##

## Allow user spamassassin clients to use the network. ##

-======= -##

-## Allow user spamassassin clients to use the network. -##

->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ##
gen_tunable(spamassassin_can_network, false) ## -<<<<<<< HEAD ##

## Allow spamd to read/write user home directories. ##

@@ -96,46 +85,11 @@ type spamd_update_exec_t; application_domain(spamd_update_t, spamd_update_exec_t) cron_system_entry(spamd_update_t, spamd_update_exec_t) role system_r types spamd_update_t; -======= -##

-## Allow spamd to read/write user home directories. -##

-##
-gen_tunable(spamd_enable_home_dirs, true) - -type spamassassin_t; -type spamassassin_exec_t; -typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t }; -typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t }; -userdom_user_application_domain(spamassassin_t, spamassassin_exec_t) - -type spamassassin_home_t; -typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; -typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; -userdom_user_home_content(spamassassin_home_t) - -type spamassassin_tmp_t; -typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; -typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; -userdom_user_tmp_file(spamassassin_tmp_t) - -type spamc_t; -type spamc_exec_t; -typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t }; -typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t }; -userdom_user_application_domain(spamc_t, spamc_exec_t) - -type spamc_tmp_t; -typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; -typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; -userdom_user_tmp_file(spamc_tmp_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type spamd_t; type spamd_exec_t; init_daemon_domain(spamd_t, spamd_exec_t) -<<<<<<< HEAD type spamd_compiled_t; files_type(spamd_compiled_t) @@ -147,10 +101,6 @@ logging_log_file(spamd_log_t) type spamd_spool_t; files_spool_file(spamd_spool_t) -======= -type spamd_spool_t; -files_type(spamd_spool_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type spamd_tmp_t; files_tmp_file(spamd_tmp_t) 
@@ -197,20 +147,14 @@ manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file }) -<<<<<<< HEAD userdom_home_manager(spamassassin_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 kernel_read_kernel_sysctls(spamassassin_t) dev_read_urand(spamassassin_t) fs_search_auto_mountpoints(spamassassin_t) -<<<<<<< HEAD fs_getattr_all_fs(spamassassin_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # this should probably be removed corecmd_list_bin(spamassassin_t) @@ -251,12 +195,9 @@ tunable_policy(`spamassassin_can_network',` corenet_udp_sendrecv_all_ports(spamassassin_t) corenet_tcp_connect_all_ports(spamassassin_t) corenet_sendrecv_all_client_packets(spamassassin_t) -<<<<<<< HEAD corenet_udp_bind_generic_node(spamassassin_t) corenet_udp_bind_generic_port(spamassassin_t) corenet_dontaudit_udp_bind_all_ports(spamassassin_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 sysnet_read_config(spamassassin_t) ') @@ -267,21 +208,6 @@ tunable_policy(`spamd_enable_home_dirs',` userdom_manage_user_home_content_symlinks(spamd_t) ') -<<<<<<< HEAD -======= -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(spamassassin_t) - fs_manage_nfs_files(spamassassin_t) - fs_manage_nfs_symlinks(spamassassin_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(spamassassin_t) - fs_manage_cifs_files(spamassassin_t) - fs_manage_cifs_symlinks(spamassassin_t) -') - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 optional_policy(` # Write pid file and socket in ~/.evolution/cache/tmp evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file }) 
@@ -296,11 +222,8 @@ optional_policy(` optional_policy(` mta_read_config(spamassassin_t) sendmail_stub(spamassassin_t) -<<<<<<< HEAD sendmail_dontaudit_rw_unix_stream_sockets(spamassassin_t) sendmail_dontaudit_rw_tcp_sockets(spamassassin_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## @@ -323,16 +246,12 @@ allow spamc_t self:unix_stream_socket connectto; allow spamc_t self:tcp_socket create_stream_socket_perms; allow spamc_t self:udp_socket create_socket_perms; -<<<<<<< HEAD can_exec(spamc_t, spamc_exec_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir }) -<<<<<<< HEAD manage_dirs_pattern(spamc_t, spamc_home_t, spamc_home_t) manage_files_pattern(spamc_t, spamc_home_t, spamc_home_t) manage_lnk_files_pattern(spamc_t, spamc_home_t, spamc_home_t) @@ -353,13 +272,6 @@ kernel_read_kernel_sysctls(spamc_t) kernel_read_system_state(spamc_t) corecmd_exec_bin(spamc_t) -======= -# Allow connecting to a local spamd -allow spamc_t spamd_t:unix_stream_socket connectto; -allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms; - -kernel_read_kernel_sysctls(spamc_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 corenet_all_recvfrom_unlabeled(spamc_t) corenet_all_recvfrom_netlabel(spamc_t) @@ -371,10 +283,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t) corenet_udp_sendrecv_all_ports(spamc_t) corenet_tcp_connect_all_ports(spamc_t) corenet_sendrecv_all_client_packets(spamc_t) -<<<<<<< HEAD corenet_tcp_connect_spamd_port(spamc_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 fs_search_auto_mountpoints(spamc_t) @@ -393,7 +302,6 @@ files_read_usr_files(spamc_t) files_dontaudit_search_var(spamc_t) # cjp: this may be removable: files_list_home(spamc_t) -<<<<<<< HEAD files_list_var_lib(spamc_t) fs_search_auto_mountpoints(spamc_t) 
@@ -402,11 +310,6 @@ logging_send_syslog_msg(spamc_t) auth_use_nsswitch(spamc_t) -======= - -logging_send_syslog_msg(spamc_t) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 miscfiles_read_localization(spamc_t) # cjp: this should probably be removed: @@ -414,30 +317,22 @@ seutil_read_config(spamc_t) sysnet_read_config(spamc_t) -<<<<<<< HEAD userdom_home_manager(spamc_t) optional_policy(` abrt_stream_connect(spamc_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 optional_policy(` # Allow connection to spamd socket above evolution_stream_connect(spamc_t) ') optional_policy(` -<<<<<<< HEAD -======= - # Needed for pyzor/razor called from spamd ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 milter_manage_spamass_state(spamc_t) ') optional_policy(` -<<<<<<< HEAD postfix_domtrans_postdrop(spamc_t) postfix_search_spool(spamc_t) postfix_rw_local_pipes(spamc_t) @@ -451,18 +346,6 @@ optional_policy(` sendmail_stub(spamc_t) sendmail_rw_pipes(spamc_t) sendmail_dontaudit_rw_tcp_sockets(spamc_t) -======= - nis_use_ypbind(spamc_t) -') - -optional_policy(` - nscd_socket_use(spamc_t) -') - -optional_policy(` - mta_read_config(spamc_t) - sendmail_stub(spamc_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## @@ -474,11 +357,7 @@ optional_policy(` # setuids to the user running spamc. Comment this if you are not # using this ability. -<<<<<<< HEAD allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config }; -======= -allow spamd_t self:capability { setuid setgid dac_override sys_tty_config }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; 
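Review bot: In the spamassassin.te hunk `@@ -474,11 +357,7 @@` the resolution keeps HEAD's capability set, which adds `kill` over the discarded upstream line, but the comment directly above still only explains the setuid/setgid use, so the extra capability has no stated rationale. A reader of the merged file cannot tell whether `kill` is deliberate or a leftover of the conflict. Suggest extending the comment above the allow, e.g. `# kill: <reason - TODO(review): confirm why spamd needs CAP_KILL>`, or dropping the capability if the need cannot be confirmed.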
@@ -494,7 +373,6 @@ allow spamd_t self:unix_dgram_socket sendto; allow spamd_t self:unix_stream_socket connectto; allow spamd_t self:tcp_socket create_stream_socket_perms; allow spamd_t self:udp_socket create_socket_perms; -<<<<<<< HEAD can_exec(spamd_t, spamd_compiled_t) manage_dirs_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t) @@ -506,12 +384,6 @@ logging_log_filetrans(spamd_t, spamd_log_t, file) manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t) manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) manage_sock_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) -======= -allow spamd_t self:netlink_route_socket r_netlink_socket_perms; - -manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t) -manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) @@ -520,7 +392,6 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; -<<<<<<< HEAD manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) @@ -530,13 +401,6 @@ manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir }) can_exec(spamd_t, spamd_exec_t) -======= -read_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) - -manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) -manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) -files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file }) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 kernel_read_all_sysctls(spamd_t) kernel_read_system_state(spamd_t) 
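Review bot: The spamassassin.te hunk `@@ -506,12 +384,6 @@` drops the upstream line `allow spamd_t self:netlink_route_socket r_netlink_socket_perms;` without an equivalent on the HEAD side of the conflict. The later hunk `@@ -585,16 +449,12 @@` keeps `auth_use_nsswitch(spamd_t)`, which in refpolicy normally grants the netlink route socket permissions needed for name resolution, so this is probably covered, but it should be confirmed against the interface in this tree rather than assumed. A missing rule here would surface only as AVC denials at lookup time.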
@@ -585,16 +449,12 @@ files_read_var_lib_files(spamd_t) init_dontaudit_rw_utmp(spamd_t) -<<<<<<< HEAD auth_use_nsswitch(spamd_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 logging_send_syslog_msg(spamd_t) miscfiles_read_localization(spamd_t) -<<<<<<< HEAD userdom_use_unpriv_users_fds(spamd_t) userdom_search_user_home_dirs(spamd_t) userdom_home_manager(spamd_t) @@ -606,21 +466,6 @@ optional_policy(` optional_policy(` exim_manage_spool_dirs(spamd_t) exim_manage_spool_files(spamd_t) -======= -sysnet_read_config(spamd_t) -sysnet_use_ldap(spamd_t) -sysnet_dns_name_resolve(spamd_t) - -userdom_use_unpriv_users_fds(spamd_t) -userdom_search_user_home_dirs(spamd_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files(spamd_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files(spamd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') optional_policy(` @@ -636,13 +481,9 @@ optional_policy(` ') optional_policy(` -<<<<<<< HEAD dcc_domtrans_cdcc(spamd_t) dcc_domtrans_client(spamd_t) dcc_signal_client(spamd_t) -======= - dcc_domtrans_client(spamd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 dcc_stream_connect_dccifd(spamd_t) ') @@ -651,36 +492,17 @@ optional_policy(` ') optional_policy(` -<<<<<<< HEAD mysql_tcp_connect(spamd_t) -======= - corenet_tcp_connect_mysqld_port(spamd_t) - corenet_sendrecv_mysqld_client_packets(spamd_t) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 mysql_search_db(spamd_t) mysql_stream_connect(spamd_t) ') optional_policy(` -<<<<<<< HEAD -======= - nis_use_ypbind(spamd_t) -') - -optional_policy(` ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 postfix_read_config(spamd_t) ') optional_policy(` -<<<<<<< HEAD postgresql_tcp_connect(spamd_t) -======= - corenet_tcp_connect_postgresql_port(spamd_t) - corenet_sendrecv_postgresql_client_packets(spamd_t) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 postgresql_stream_connect(spamd_t) ') 
@@ -691,13 +513,10 @@ optional_policy(` optional_policy(` razor_domtrans(spamd_t) -<<<<<<< HEAD razor_read_lib_files(spamd_t) tunable_policy(`spamd_enable_home_dirs',` razor_manage_user_home_files(spamd_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') optional_policy(` @@ -705,10 +524,7 @@ optional_policy(` ') optional_policy(` -<<<<<<< HEAD mta_send_mail(spamd_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 sendmail_stub(spamd_t) mta_read_config(spamd_t) ') @@ -716,7 +532,6 @@ optional_policy(` optional_policy(` udev_read_db(spamd_t) ') -<<<<<<< HEAD ######################################## # @@ -765,5 +580,3 @@ optional_policy(` gpg_domtrans(spamd_update_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/squid.if b/squid.if index ae7a552..c7614d7 100644 --- a/squid.if +++ b/squid.if @@ -71,11 +71,7 @@ interface(`squid_rw_stream_sockets',` type squid_t; ') -<<<<<<< HEAD allow $1 squid_t:unix_stream_socket rw_socket_perms; -======= - allow $1 squid_t:unix_stream_socket { getattr read write }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## @@ -87,10 +83,6 @@ interface(`squid_rw_stream_sockets',` ## Domain to not audit. ##
## -<<<<<<< HEAD -======= -## ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # interface(`squid_dontaudit_search_cache',` gen_require(` @@ -214,7 +206,6 @@ interface(`squid_use',` interface(`squid_admin',` gen_require(` type squid_t, squid_cache_t, squid_conf_t; -<<<<<<< HEAD type squid_log_t, squid_var_run_t, squid_initrc_exec_t; ') @@ -223,14 +214,6 @@ interface(`squid_admin',` tunable_policy(`deny_ptrace',`',` allow $1 squid_t:process ptrace; ') -======= - type squid_log_t, squid_var_run_t; - type squid_initrc_exec_t; - ') - - allow $1 squid_t:process { ptrace signal_perms }; - ps_process_pattern($1, squid_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 init_labeled_script_domtrans($1, squid_initrc_exec_t) domain_system_change_exemption($1) diff --git a/squid.te b/squid.te index 8fba964..e5f4599 100644 --- a/squid.te +++ b/squid.te @@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(squid, 1.10.0) -======= policy_module(squid, 1.10.1) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -10,30 +6,17 @@ policy_module(squid, 1.10.1) # ## -<<<<<<< HEAD -##

-## Allow squid to connect to all ports, not just -## HTTP, FTP, and Gopher ports. -##

-======= ##

## Allow squid to connect to all ports, not just ## HTTP, FTP, and Gopher ports. ##

->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ##
gen_tunable(squid_connect_any, false) ## -<<<<<<< HEAD -##

-## Allow squid to run as a transparent proxy (TPROXY) -##

-======= ##

## Allow squid to run as a transparent proxy (TPROXY) ##

->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ##
gen_tunable(squid_use_tproxy, false) @@ -46,11 +29,7 @@ type squid_cache_t; files_type(squid_cache_t) type squid_conf_t; -<<<<<<< HEAD files_config_file(squid_conf_t) -======= -files_type(squid_conf_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type squid_initrc_exec_t; init_script_file(squid_initrc_exec_t) @@ -61,12 +40,9 @@ logging_log_file(squid_log_t) type squid_tmpfs_t; files_tmpfs_file(squid_tmpfs_t) -<<<<<<< HEAD type squid_tmp_t; files_tmp_file(squid_tmp_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type squid_var_run_t; files_pid_file(squid_var_run_t) @@ -112,22 +88,16 @@ logging_log_filetrans(squid_t, squid_log_t, { file dir }) manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t) fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file) -<<<<<<< HEAD manage_dirs_pattern(squid_t, squid_tmp_t, squid_tmp_t) manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t) files_tmp_filetrans(squid_t, squid_tmp_t, { file dir }) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t) files_pid_filetrans(squid_t, squid_var_run_t, file) kernel_read_kernel_sysctls(squid_t) kernel_read_system_state(squid_t) -<<<<<<< HEAD kernel_read_network_state(squid_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 files_dontaudit_getattr_boot_dirs(squid_t) @@ -207,12 +177,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t) tunable_policy(`squid_connect_any',` corenet_tcp_connect_all_ports(squid_t) corenet_tcp_bind_all_ports(squid_t) -<<<<<<< HEAD corenet_sendrecv_all_client_packets(squid_t) corenet_sendrecv_all_server_packets(squid_t) -======= - corenet_sendrecv_all_packets(squid_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') tunable_policy(`squid_use_tproxy',` 
@@ -228,10 +194,7 @@ optional_policy(` corenet_all_recvfrom_unlabeled(httpd_squid_script_t) corenet_all_recvfrom_netlabel(httpd_squid_script_t) corenet_tcp_connect_http_cache_port(httpd_squid_script_t) -<<<<<<< HEAD corenet_tcp_connect_squid_port(httpd_squid_script_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 sysnet_dns_name_resolve(httpd_squid_script_t) @@ -253,10 +216,7 @@ optional_policy(` optional_policy(` udev_read_db(squid_t) ') -<<<<<<< HEAD optional_policy(` kerberos_manage_host_rcache(squid_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/sssd.fc b/sssd.fc index ffc1181..4bc00ea 100644 --- a/sssd.fc +++ b/sssd.fc @@ -4,11 +4,8 @@ /var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) -<<<<<<< HEAD /var/lib/sss/mc(/.*)? gen_context(system_u:object_r:sssd_public_t,s0) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /var/lib/sss/pubconf(/.*)? gen_context(system_u:object_r:sssd_public_t,s0) /var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0) diff --git a/sssd.if b/sssd.if index 8dee9a0..e1095f0 100644 --- a/sssd.if +++ b/sssd.if @@ -5,15 +5,9 @@ ## Execute a domain transition to run sssd. ##
## -<<<<<<< HEAD ## ## Domain allowed to transition. ## -======= -## -## Domain allowed to transition. -## ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## # interface(`sssd_domtrans',` @@ -95,10 +89,7 @@ interface(`sssd_manage_pids',` type sssd_var_run_t; ') -<<<<<<< HEAD files_search_pids($1) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t) manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t) ') @@ -138,10 +129,6 @@ interface(`sssd_dontaudit_search_lib',` ') dontaudit $1 sssd_var_lib_t:dir search_dir_perms; -<<<<<<< HEAD -======= - files_search_var_lib($1) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## @@ -161,10 +148,7 @@ interface(`sssd_read_lib_files',` files_search_var_lib($1) read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) -<<<<<<< HEAD read_lnk_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## @@ -185,10 +169,7 @@ interface(`sssd_manage_lib_files',` files_search_var_lib($1) manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) -<<<<<<< HEAD manage_lnk_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## @@ -214,11 +195,7 @@ interface(`sssd_dbus_chat',` ######################################## ## -<<<<<<< HEAD ## Connect to sssd over a unix stream socket. -======= -## Connect to sssd over an unix stream socket. ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## ## ## @@ -250,19 +227,10 @@ interface(`sssd_stream_connect',` ## The role to be allowed to manage the sssd domain. ## ## -<<<<<<< HEAD -======= -## -## -## The type of the user terminal. -## -## ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## # interface(`sssd_admin',` gen_require(` -<<<<<<< HEAD type sssd_t, sssd_public_t, sssd_initrc_exec_t; ') 
@@ -271,14 +239,6 @@ interface(`sssd_admin',` tunable_policy(`deny_ptrace',`',` allow $1 sssd_t:process ptrace; ') -======= - type sssd_t, sssd_public_t; - type sssd_initrc_exec_t; - ') - - allow $1 sssd_t:process { ptrace signal_perms getattr }; - read_files_pattern($1, sssd_t, sssd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # Allow sssd_t to restart the apache service sssd_initrc_domtrans($1) diff --git a/sssd.te b/sssd.te index df967be..1dfa5ce 100644 --- a/sssd.te +++ b/sssd.te @@ -17,10 +17,7 @@ files_pid_file(sssd_public_t) type sssd_var_lib_t; files_type(sssd_var_lib_t) -<<<<<<< HEAD mls_trusted_object(sssd_var_lib_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type sssd_var_log_t; logging_log_file(sssd_var_log_t) @@ -32,17 +29,11 @@ files_pid_file(sssd_var_run_t) # # sssd local policy # -<<<<<<< HEAD allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource }; allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit }; allow sssd_t self:fifo_file rw_fifo_file_perms; allow sssd_t self:key manage_key_perms; -======= -allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid }; -allow sssd_t self:process { setfscreate setsched sigkill signal getsched }; -allow sssd_t self:fifo_file rw_file_perms; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto }; manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t) 
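Review bot: In the sssd.te hunk `@@ -32,17 +29,11 @@` the merge keeps HEAD's much wider capability set — `chown`, `net_admin`, `sys_admin` and `sys_resource`, plus `setrlimit` on the process line — beyond what the discarded upstream lines granted, with no comment saying which sssd operation needs each. `sys_admin` and `net_admin` are broad capabilities for a daemon that handles credentials, so the rationale belongs next to the rule. Suggest a comment above the allow such as `# sys_admin/net_admin/sys_resource: needed for <operation - TODO(review): document>`, and moving any that only show up as audit noise into a `dontaudit` instead.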
@@ -50,14 +41,9 @@ manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t) manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) -<<<<<<< HEAD manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir }) -======= -manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) -files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } ) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) logging_log_filetrans(sssd_t, sssd_var_log_t, file) @@ -66,7 +52,6 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) -<<<<<<< HEAD kernel_read_network_state(sssd_t) kernel_read_system_state(sssd_t) @@ -77,26 +62,15 @@ corecmd_exec_bin(sssd_t) dev_read_urand(sssd_t) dev_read_sysfs(sssd_t) -======= -kernel_read_system_state(sssd_t) - -corecmd_exec_bin(sssd_t) - -dev_read_urand(sssd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 domain_read_all_domains_state(sssd_t) domain_obj_id_change_exemption(sssd_t) files_list_tmp(sssd_t) files_read_etc_files(sssd_t) -<<<<<<< HEAD files_read_etc_runtime_files(sssd_t) files_read_usr_files(sssd_t) files_list_var_lib(sssd_t) -======= -files_read_usr_files(sssd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 fs_list_inotifyfs(sssd_t) @@ -105,7 +79,6 @@ selinux_validate_context(sssd_t) seutil_read_file_contexts(sssd_t) mls_file_read_to_clearance(sssd_t) -<<<<<<< HEAD mls_socket_read_to_clearance(sssd_t) mls_socket_write_to_clearance(sssd_t) mls_trusted_object(sssd_t) 
@@ -114,12 +87,6 @@ mls_trusted_object(sssd_t) auth_domtrans_chk_passwd(sssd_t) auth_domtrans_upd_passwd(sssd_t) auth_manage_cache(sssd_t) -======= - -auth_use_nsswitch(sssd_t) -auth_domtrans_chk_passwd(sssd_t) -auth_domtrans_upd_passwd(sssd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 init_read_utmp(sssd_t) @@ -127,15 +94,12 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_localization(sssd_t) -<<<<<<< HEAD miscfiles_read_generic_certs(sssd_t) sysnet_dns_name_resolve(sssd_t) sysnet_use_ldap(sssd_t) userdom_manage_tmp_role(system_r, sssd_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 optional_policy(` dbus_system_bus_client(sssd_t) @@ -144,7 +108,6 @@ optional_policy(` optional_policy(` kerberos_manage_host_rcache(sssd_t) -<<<<<<< HEAD kerberos_read_home_content(sssd_t) ') @@ -160,6 +123,3 @@ userdom_home_reader(sssd_t) -======= -') ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/stunnel.if b/stunnel.if index 2728249..6073656 100644 --- a/stunnel.if +++ b/stunnel.if @@ -20,10 +20,6 @@ interface(`stunnel_service_domain',` type stunnel_t; ') -<<<<<<< HEAD - domtrans_pattern(stunnel_t, $2, $1) -======= domtrans_pattern(stunnel_t,$2,$1) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow $1 stunnel_t:tcp_socket rw_socket_perms; ') diff --git a/stunnel.te b/stunnel.te index a6f85c3..dd0efe6 100644 --- a/stunnel.te +++ b/stunnel.te @@ -6,11 +6,6 @@ policy_module(stunnel, 1.10.0) # type stunnel_t; -<<<<<<< HEAD -type stunnel_exec_t; -init_daemon_domain(stunnel_t, stunnel_exec_t) -inetd_tcp_service_domain(stunnel_t, stunnel_exec_t) -======= domain_type(stunnel_t) role system_r types stunnel_t; @@ -22,7 +17,6 @@ ifdef(`distro_gentoo',` ',` inetd_tcp_service_domain(stunnel_t, stunnel_exec_t) ') ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type stunnel_etc_t; files_config_file(stunnel_etc_t) 
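Review bot: In the stunnel.if hunk `@@ -20,10 +20,6 @@` the resolution keeps the unspaced upstream form `domtrans_pattern(stunnel_t,$2,$1)` and discards HEAD's `domtrans_pattern(stunnel_t, $2, $1)`, while the neighbouring `allow $1 stunnel_t:tcp_socket rw_socket_perms;` and every other interface in this diff use the spaced argument style. Keeping HEAD's spelling, `domtrans_pattern(stunnel_t, $2, $1)`, would match the file's convention.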
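Review bot: The stunnel.te hunks `@@ -6,11 +6,6 @@` and `@@ -22,7 +17,6 @@` resolve to the upstream side, so HEAD's unconditional `init_daemon_domain(stunnel_t, stunnel_exec_t)` and `inetd_tcp_service_domain(stunnel_t, stunnel_exec_t)` are replaced by the `ifdef(`distro_gentoo',` ... ',` inetd_tcp_service_domain(stunnel_t, stunnel_exec_t) ')` block. On a non-Gentoo build that leaves stunnel_t as an inetd service domain only, unless the lines hidden between the two hunks still call `init_daemon_domain` outside the ifdef; if they do not, a stunnel started directly by init would no longer transition into stunnel_t. Worth confirming this is an intended behaviour change rather than a side effect of taking the upstream side here, since most other hunks in this merge keep HEAD.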
@@ -46,11 +40,7 @@ allow stunnel_t self:udp_socket create_socket_perms; allow stunnel_t stunnel_etc_t:dir list_dir_perms; allow stunnel_t stunnel_etc_t:file read_file_perms; -<<<<<<< HEAD allow stunnel_t stunnel_etc_t:lnk_file read_lnk_file_perms; -======= -allow stunnel_t stunnel_etc_t:lnk_file { getattr read }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t) manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t) @@ -87,11 +77,7 @@ miscfiles_read_localization(stunnel_t) sysnet_read_config(stunnel_t) -<<<<<<< HEAD -ifdef(`distro_gentoo',` -======= ifdef(`distro_gentoo', ` ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 dontaudit stunnel_t self:capability sys_tty_config; allow stunnel_t self:udp_socket create_socket_perms; @@ -134,8 +120,5 @@ ifdef(`distro_gentoo', ` gen_require(` type stunnel_port_t; ') -<<<<<<< HEAD -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow stunnel_t stunnel_port_t:tcp_socket name_bind; diff --git a/sxid.te b/sxid.te index b809b0f..bc5b962 100644 --- a/sxid.te +++ b/sxid.te @@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(sxid, 1.5.0) -======= policy_module(sxid, 1.6.1) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -70,11 +66,7 @@ fs_list_all(sxid_t) term_dontaudit_use_console(sxid_t) -<<<<<<< HEAD files_read_non_security_files(sxid_t) -======= -files_read_non_auth_files(sxid_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 auth_dontaudit_getattr_shadow(sxid_t) init_use_fds(sxid_t) @@ -84,16 +76,10 @@ logging_send_syslog_msg(sxid_t) miscfiles_read_localization(sxid_t) -<<<<<<< HEAD -======= -mount_exec(sxid_t) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 sysnet_read_config(sxid_t) userdom_dontaudit_use_unpriv_user_fds(sxid_t) -<<<<<<< HEAD optional_policy(` cron_system_entry(sxid_t, sxid_exec_t) ') 
@@ -101,9 +87,6 @@ optional_policy(` optional_policy(` mount_exec(sxid_t) ') -======= -cron_system_entry(sxid_t, sxid_exec_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 optional_policy(` mta_send_mail(sxid_t) diff --git a/sysstat.fc b/sysstat.fc index d24c959..5d0e77b 100644 --- a/sysstat.fc +++ b/sysstat.fc @@ -1,13 +1,7 @@ -<<<<<<< HEAD -/usr/lib/atsar/atsa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0) -/usr/lib/sa/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0) -/usr/lib/sysstat/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0) -======= /usr/lib/atsar/atsa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0) /usr/lib/sa/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0) /usr/lib/sysstat/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /var/log/atsar(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0) /var/log/sa(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0) diff --git a/sysstat.te b/sysstat.te index 2bbc085..1404284 100644 --- a/sysstat.te +++ b/sysstat.te @@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(sysstat, 1.6.0) -======= policy_module(sysstat, 1.6.1) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -12,10 +8,7 @@ policy_module(sysstat, 1.6.1) type sysstat_t; type sysstat_exec_t; init_system_domain(sysstat_t, sysstat_exec_t) -<<<<<<< HEAD -======= role system_r types sysstat_t; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type sysstat_log_t; logging_log_file(sysstat_log_t) 
@@ -25,12 +18,7 @@ logging_log_file(sysstat_log_t) # Local policy # -<<<<<<< HEAD allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_config }; -======= -allow sysstat_t self:capability { dac_override sys_resource sys_tty_config }; -dontaudit sysstat_t self:capability sys_admin; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow sysstat_t self:fifo_file rw_fifo_file_perms; can_exec(sysstat_t, sysstat_exec_t) @@ -47,10 +35,7 @@ kernel_read_kernel_sysctls(sysstat_t) kernel_read_fs_sysctls(sysstat_t) kernel_read_rpc_sysctls(sysstat_t) -<<<<<<< HEAD corecmd_exec_shell(sysstat_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 corecmd_exec_bin(sysstat_t) dev_read_urand(sysstat_t) @@ -66,23 +51,16 @@ fs_getattr_xattr_fs(sysstat_t) fs_list_inotifyfs(sysstat_t) term_use_console(sysstat_t) -<<<<<<< HEAD term_use_all_inherited_terms(sysstat_t) -======= -term_use_all_terms(sysstat_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 init_use_fds(sysstat_t) locallogin_use_fds(sysstat_t) -<<<<<<< HEAD auth_use_nsswitch(sysstat_t) logging_send_syslog_msg(sysstat_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 miscfiles_read_localization(sysstat_t) userdom_dontaudit_list_user_home_dirs(sysstat_t) @@ -90,10 +68,4 @@ userdom_dontaudit_list_user_home_dirs(sysstat_t) optional_policy(` cron_system_entry(sysstat_t, sysstat_exec_t) ') -<<<<<<< HEAD -======= -optional_policy(` - logging_send_syslog_msg(sysstat_t) -') ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/tcpd.te b/tcpd.te index b5c8bf5..7038b55 100644 --- a/tcpd.te +++ b/tcpd.te @@ -7,10 +7,7 @@ policy_module(tcpd, 1.4.0) type tcpd_t; type tcpd_exec_t; inetd_tcp_service_domain(tcpd_t, tcpd_exec_t) -<<<<<<< HEAD -======= role system_r types tcpd_t; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type tcpd_tmp_t; files_tmp_file(tcpd_tmp_t) diff --git a/tcsd.if b/tcsd.if index b1b4d23..4e518cf 100644 --- a/tcsd.if +++ b/tcsd.if 
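Review bot: In the sysstat.te hunk `@@ -25,12 +18,7 @@` the merge grants `sys_admin` in the capability allow, whereas the discarded upstream lines only `dontaudit`ed it, and there is no comment on why sysstat needs the real capability. That is a meaningful widening for a collector that the last hunk shows is run via `cron_system_entry(sysstat_t, sysstat_exec_t)`, so the reason belongs next to the rule, e.g. `# sys_admin: required by <sadc operation - TODO(review): confirm>`. If the denial is only noise, `dontaudit sysstat_t self:capability sys_admin;` is the narrower choice.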
@@ -137,16 +137,11 @@ interface(`tcsd_admin',` type tcsd_var_lib_t; ') -<<<<<<< HEAD allow $1 tcsd_t:process signal_perms; ps_process_pattern($1, tcsd_t) tunable_policy(`deny_ptrace',`',` allow $1 tcsd_t:process ptrace; ') -======= - allow $1 tcsd_t:process { ptrace signal_perms }; - ps_process_pattern($1, tcsd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 tcsd_initrc_domtrans($1) domain_system_change_exemption($1) @@ -155,8 +150,4 @@ interface(`tcsd_admin',` files_search_var_lib($1) admin_pattern($1, tcsd_var_lib_t) -<<<<<<< HEAD - -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') diff --git a/tcsd.te b/tcsd.te index 81f6030..ee9f3c6 100644 --- a/tcsd.te +++ b/tcsd.te @@ -29,19 +29,13 @@ manage_dirs_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t) manage_files_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t) files_var_lib_filetrans(tcsd_t, tcsd_var_lib_t, { file dir }) -<<<<<<< HEAD -======= # Accept connections on the TCS port over loopback. ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 corenet_all_recvfrom_unlabeled(tcsd_t) corenet_tcp_bind_generic_node(tcsd_t) corenet_tcp_bind_tcs_port(tcsd_t) dev_read_urand(tcsd_t) -<<<<<<< HEAD -======= # Access /dev/tpm0. ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 dev_rw_tpm(tcsd_t) files_read_etc_files(tcsd_t) diff --git a/telepathy.fc b/telepathy.fc index 8f4b6c3..a275bd6 100644 --- a/telepathy.fc +++ b/telepathy.fc @@ -1,5 +1,4 @@ HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0) -<<<<<<< HEAD HOME_DIR/\.cache/telepathy(/.*)? gen_context(system_u:object_r:telepathy_cache_home_t, s0) HOME_DIR/\.cache/telepathy/logger(/.*)? gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0) HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0) 
@@ -7,12 +6,6 @@ HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_ca HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0) HOME_DIR/\.local/share/telepathy(/.*)? gen_context(system_u:object_r:telepathy_data_home_t,s0) HOME_DIR/\.local/share/telepathy/mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_data_home_t, s0) -======= -HOME_DIR/\.cache/telepathy/logger/sqlite-data-journal -- gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0) -HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0) -HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0) -HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 HOME_DIR/\.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t, s0) HOME_DIR/\.local/share/TpLogger(/.*)? gen_context(system_u:object_r:telepathy_logger_data_home_t,s0) diff --git a/telepathy.if b/telepathy.if index 9eb65ed..d49274d 100644 --- a/telepathy.if +++ b/telepathy.if @@ -11,10 +11,6 @@ ##
## # -<<<<<<< HEAD -======= -# ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 template(`telepathy_domain_template',` gen_require(` attribute telepathy_domain; @@ -23,7 +19,6 @@ template(`telepathy_domain_template',` type telepathy_$1_t, telepathy_domain; type telepathy_$1_exec_t, telepathy_executable; -<<<<<<< HEAD application_domain(telepathy_$1_t, telepathy_$1_exec_t) ubac_constrained(telepathy_$1_t) auth_use_nsswitch(telepathy_$1_t) @@ -32,23 +27,12 @@ template(`telepathy_domain_template',` files_tmp_file(telepathy_$1_tmp_t) ubac_constrained(telepathy_$1_tmp_t) -======= - userdom_user_application_domain(telepathy_$1_t, telepathy_$1_exec_t) - - type telepathy_$1_tmp_t; - userdom_user_tmp_file(telepathy_$1_tmp_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ####################################### ## -<<<<<<< HEAD ## Role access for telepathy domains ## that executes via dbus-session -======= -## Role access for telepathy domains -### that executes via dbus-session ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## ## ## @@ -60,7 +44,6 @@ template(`telepathy_domain_template',` ## The type of the user domain. ## ## -<<<<<<< HEAD ## ## ## User domain prefix to be used. @@ -68,10 +51,6 @@ template(`telepathy_domain_template',` ## # template(`telepathy_role',` -======= -# -template(`telepathy_role', ` ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 gen_require(` attribute telepathy_domain; type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t; @@ -102,11 +81,8 @@ template(`telepathy_role', ` dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t) dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t) dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t) -<<<<<<< HEAD telepathy_dbus_chat($2) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## 
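Review bot: In the telepathy_domain_template hunks the resolution keeps `application_domain(telepathy_$1_t, telepathy_$1_exec_t)` with `ubac_constrained(telepathy_$1_t)` and `files_tmp_file`/`ubac_constrained` for the tmp type, while thunderbird.te in this same commit resolves the identical conflict the other way and takes `userdom_user_application_domain(thunderbird_t, thunderbird_exec_t)` and `userdom_user_tmpfs_file(thunderbird_tmpfs_t)`. If the userdom_ wrappers are the intended replacement for the application_domain/ubac_constrained pair, the template should use them as well (`userdom_user_application_domain(telepathy_$1_t, telepathy_$1_exec_t)` and `userdom_user_tmp_file(telepathy_$1_tmp_t)`), otherwise the same conflict will reopen on the next merge. The thunderbird hunks later in the diff are the other place this applies; if the two modules are meant to differ, a one-line comment in the template saying why would make that deliberate.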
@@ -153,14 +129,6 @@ interface(`telepathy_gabble_dbus_chat', ` ## ## Read telepathy mission control state. ## -<<<<<<< HEAD -======= -## -## -## Prefix to be used. -## -## ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## ## ## Domain allowed access. @@ -200,11 +168,7 @@ interface(`telepathy_msn_stream_connect', ` ## Stream connect to Telepathy Salut ## ## -<<<<<<< HEAD ## -======= -## ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## Domain allowed access. ## ## @@ -217,7 +181,6 @@ interface(`telepathy_salut_stream_connect', ` stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t) files_search_tmp($1) ') -<<<<<<< HEAD ####################################### ## @@ -326,5 +289,3 @@ interface(`telepathy_filetrans_home_content',` gnome_data_filetrans($1, telepathy_logger_data_home_t, dir, "TpLogger") gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy") ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/telepathy.te b/telepathy.te index a4ba7f6..e498634 100644 --- a/telepathy.te +++ b/telepathy.te @@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(telepathy, 1.0.1) -======= policy_module(telepathy, 1.2.0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -11,16 +7,16 @@ policy_module(telepathy, 1.2.0) ## ##

-## Allow the Telepathy connection managers -## to connect to any generic TCP port. +## Allow the Telepathy connection managers +## to connect to any generic TCP port. ##

##
gen_tunable(telepathy_tcp_connect_generic_network_ports, false) ## ##

-## Allow the Telepathy connection managers -## to connect to any network port. +## Allow the Telepathy connection managers +## to connect to any network port. ##

##
gen_tunable(telepathy_connect_all_ports, false) @@ -30,24 +26,18 @@ attribute telepathy_executable; telepathy_domain_template(gabble) -<<<<<<< HEAD type telepathy_cache_home_t; userdom_user_home_content(telepathy_cache_home_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type telepathy_gabble_cache_home_t; userdom_user_home_content(telepathy_gabble_cache_home_t) telepathy_domain_template(idle) telepathy_domain_template(logger) -<<<<<<< HEAD type telepathy_data_home_t; userdom_user_home_content(telepathy_data_home_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type telepathy_logger_cache_home_t; userdom_user_home_content(telepathy_logger_cache_home_t) @@ -59,12 +49,9 @@ telepathy_domain_template(mission_control) type telepathy_mission_control_home_t; userdom_user_home_content(telepathy_mission_control_home_t) -<<<<<<< HEAD type telepathy_mission_control_data_home_t; userdom_user_home_content(telepathy_mission_control_data_home_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type telepathy_mission_control_cache_home_t; userdom_user_home_content(telepathy_mission_control_cache_home_t) @@ -89,7 +76,6 @@ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t) files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file }) -<<<<<<< HEAD # ~/.cache/telepathy/gabble/caps-cache.db-journal optional_policy(` manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) @@ -99,8 +85,6 @@ optional_policy(` gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_cache_home_t, dir) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 corenet_all_recvfrom_netlabel(telepathy_gabble_t) corenet_all_recvfrom_unlabeled(telepathy_gabble_t) corenet_tcp_sendrecv_generic_if(telepathy_gabble_t) 
@@ -132,7 +116,6 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` corenet_sendrecv_generic_client_packets(telepathy_gabble_t) ') -<<<<<<< HEAD userdom_home_manager(telepathy_gabble_t) optional_policy(` @@ -141,20 +124,6 @@ optional_policy(` optional_policy(` gnome_manage_home_config(telepathy_gabble_t) -======= -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(telepathy_gabble_t) - fs_manage_nfs_files(telepathy_gabble_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(telepathy_gabble_t) - fs_manage_cifs_files(telepathy_gabble_t) -') - -optional_policy(` - dbus_system_bus_client(telepathy_gabble_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ####################################### @@ -192,7 +161,6 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` allow telepathy_logger_t self:unix_stream_socket create_socket_perms; -<<<<<<< HEAD manage_dirs_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t) manage_files_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t) filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir) 
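Review bot: The removed side of the second gabble hunk carried `dbus_system_bus_client(telepathy_gabble_t)` inside an optional_policy block, and the kept side visible here shows only `userdom_home_manager(telepathy_gabble_t)` and the gnome_manage_home_config block; the blocks between them are outside the hunk, so I cannot see whether system-bus client access for gabble survives. If it does not, the resolution silently drops a functional rule the other branch added rather than a hardening. Either restore the block or, if the access comes from the shared telepathy_domain rules, say so above the kept block, e.g. `# system bus client access is granted on telepathy_domain`.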
@@ -200,12 +168,6 @@ filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_c manage_dirs_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t) manage_files_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t) gnome_data_filetrans(telepathy_logger_t, telepathy_logger_data_home_t, dir) -======= -manage_files_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t) - -manage_dirs_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t) -manage_files_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 files_read_etc_files(telepathy_logger_t) files_read_usr_files(telepathy_logger_t) 
@@ -213,37 +175,22 @@ files_search_pids(telepathy_logger_t) fs_getattr_all_fs(telepathy_logger_t) -<<<<<<< HEAD userdom_home_manager(telepathy_logger_t) optional_policy(` # ~/.config/dconf/user gnome_manage_home_config(telepathy_logger_t) -======= -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(telepathy_logger_t) - fs_manage_nfs_files(telepathy_logger_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(telepathy_logger_t) - fs_manage_cifs_files(telepathy_logger_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ####################################### # # Telepathy Mission-Control local policy. # -<<<<<<< HEAD allow telepathy_mission_control_t self:process setsched; -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file }) -<<<<<<< HEAD userdom_search_user_home_dirs(telepathy_mission_control_t) manage_dirs_pattern(telepathy_mission_control_t, { telepathy_data_home_t telepathy_mission_control_data_home_t }, { telepathy_data_home_t telepathy_mission_control_data_home_t }) 
@@ -251,14 +198,11 @@ manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, { dir file }) gnome_data_filetrans(telepathy_mission_control_t, telepathy_data_home_t, dir) gnome_manage_home_config(telepathy_mission_control_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 dev_read_rand(telepathy_mission_control_t) fs_getattr_all_fs(telepathy_mission_control_t) -<<<<<<< HEAD files_list_tmp(telepathy_mission_control_t) files_read_etc_files(telepathy_mission_control_t) files_read_usr_files(telepathy_mission_control_t) @@ -283,19 +227,6 @@ optional_policy(` optional_policy(` manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t) gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file) -======= -files_read_etc_files(telepathy_mission_control_t) -files_read_usr_files(telepathy_mission_control_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(telepathy_mission_control_t) - fs_manage_nfs_files(telepathy_mission_control_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(telepathy_mission_control_t) - fs_manage_cifs_files(telepathy_mission_control_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ####################################### 
@@ -309,16 +240,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect }; manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) -<<<<<<< HEAD exec_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file }) userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file }) userdom_dontaudit_setattr_user_tmp(telepathy_msn_t) can_exec(telepathy_msn_t, telepathy_msn_tmp_t) -======= -files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file }) -userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file }) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 corenet_all_recvfrom_netlabel(telepathy_msn_t) corenet_all_recvfrom_unlabeled(telepathy_msn_t) @@ -340,11 +266,8 @@ corecmd_read_bin_symlinks(telepathy_msn_t) files_read_etc_files(telepathy_msn_t) files_read_usr_files(telepathy_msn_t) -<<<<<<< HEAD init_read_state(telepathy_msn_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 libs_exec_ldconfig(telepathy_msn_t) logging_send_syslog_msg(telepathy_msn_t) @@ -363,13 +286,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` ') optional_policy(` -<<<<<<< HEAD gnome_read_gconf_home_files(telepathy_msn_t) ') optional_policy(` -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 dbus_system_bus_client(telepathy_msn_t) optional_policy(` 
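Review bot: The kept side of the first telepathy_msn hunk grants `exec_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)` and `can_exec(telepathy_msn_t, telepathy_msn_tmp_t)`, i.e. execution of content the domain itself creates under its own tmp type, where the other branch only had the two filetrans rules. Executing from a writable tmp type is not used by any other telepathy domain in the hunks shown, and no comment says which part of the msn connection manager needs it. Please record the reason on the line (`# <component> writes and runs helper files in its tmp dir`) so the grant is not carried forward by inertia; if it was added for a single denial, a dontaudit may be the better fit.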
@@ -485,26 +405,16 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms; allow telepathy_domain self:tcp_socket create_socket_perms; allow telepathy_domain self:udp_socket create_socket_perms; -<<<<<<< HEAD manage_dirs_pattern(telepathy_domain, telepathy_cache_home_t, telepathy_cache_home_t) gnome_cache_filetrans(telepathy_domain, telepathy_cache_home_t, dir, "telepathy") -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 dev_read_urand(telepathy_domain) kernel_read_system_state(telepathy_domain) -<<<<<<< HEAD fs_getattr_all_fs(telepathy_domain) fs_search_auto_mountpoints(telepathy_domain) -======= -fs_search_auto_mountpoints(telepathy_domain) - -auth_use_nsswitch(telepathy_domain) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 miscfiles_read_localization(telepathy_domain) optional_policy(` @@ -512,7 +422,6 @@ optional_policy(` ') optional_policy(` -<<<<<<< HEAD gnome_read_generic_cache_files(telepathy_domain) gnome_write_generic_cache_files(telepathy_domain) ') @@ -533,7 +442,3 @@ optional_policy(` role unconfined_r types telepathy_domain; ') -======= - xserver_rw_xdm_pipes(telepathy_domain) -') ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/telnet.if b/telnet.if index b31188c..e4119f7 100644 --- a/telnet.if +++ b/telnet.if @@ -1,5 +1,4 @@ ## Telnet daemon -<<<<<<< HEAD ######################################## ## @@ -18,5 +17,3 @@ interface(`telnet_use_ptys',` allow $1 telnetd_devpts_t:chr_file rw_inherited_term_perms; ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/telnet.te b/telnet.te index c63a2b8..50163e0 100644 --- a/telnet.te +++ b/telnet.te @@ -8,10 +8,7 @@ policy_module(telnet, 1.10.0) type telnetd_t; type telnetd_exec_t; inetd_service_domain(telnetd_t, telnetd_exec_t) -<<<<<<< HEAD -======= role system_r types telnetd_t; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type telnetd_devpts_t; #, userpty_type; term_login_pty(telnetd_devpts_t) 
@@ -27,33 +24,21 @@ files_pid_file(telnetd_var_run_t) # Local policy # -<<<<<<< HEAD allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override }; -======= -allow telnetd_t self:capability { fsetid chown fowner sys_tty_config dac_override }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow telnetd_t self:process signal_perms; allow telnetd_t self:fifo_file rw_fifo_file_perms; allow telnetd_t self:tcp_socket connected_stream_socket_perms; allow telnetd_t self:udp_socket create_socket_perms; # for identd; cjp: this should probably only be inetd_child rules? allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -<<<<<<< HEAD allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; -======= -allow telnetd_t self:capability { setuid setgid }; -allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 term_create_pty(telnetd_t, telnetd_devpts_t) manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t) manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t) -<<<<<<< HEAD -======= files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir }) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t) files_pid_filetrans(telnetd_t, telnetd_var_run_t, file) @@ -85,11 +70,8 @@ corecmd_search_bin(telnetd_t) files_read_usr_files(telnetd_t) files_read_etc_files(telnetd_t) files_read_etc_runtime_files(telnetd_t) -<<<<<<< HEAD -======= # for identd; cjp: this should probably only be inetd_child rules? files_search_home(telnetd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 init_rw_utmp(telnetd_t) 
@@ -99,22 +81,10 @@ miscfiles_read_localization(telnetd_t) seutil_read_config(telnetd_t) -<<<<<<< HEAD userdom_search_user_home_dirs(telnetd_t) userdom_setattr_user_ptys(telnetd_t) userdom_manage_user_tmp_files(telnetd_t) userdom_tmp_filetrans_user_tmp(telnetd_t, file) -======= -remotelogin_domtrans(telnetd_t) - -userdom_search_user_home_dirs(telnetd_t) -userdom_setattr_user_ptys(telnetd_t) - -optional_policy(` - kerberos_keytab_template(telnetd, telnetd_t) - kerberos_manage_host_rcache(telnetd_t) -') ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 tunable_policy(`use_nfs_home_dirs',` fs_search_nfs(telnetd_t) @@ -123,7 +93,6 @@ tunable_policy(`use_nfs_home_dirs',` tunable_policy(`use_samba_home_dirs',` fs_search_cifs(telnetd_t) ') -<<<<<<< HEAD optional_policy(` kerberos_keytab_template(telnetd, telnetd_t) @@ -133,5 +102,3 @@ optional_policy(` optional_policy(` remotelogin_domtrans(telnetd_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/tftp.fc b/tftp.fc index a0c05a4..621f343 100644 --- a/tftp.fc +++ b/tftp.fc @@ -1,7 +1,4 @@ -<<<<<<< HEAD /etc/xinetd\.d/tftp -- gen_context(system_u:object_r:tftpd_etc_t,s0) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /usr/sbin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0) /usr/sbin/in\.tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0) diff --git a/tftp.if b/tftp.if index 7d4686d..cab8c77 100644 --- a/tftp.if +++ b/tftp.if @@ -13,7 +13,6 @@ interface(`tftp_read_content',` gen_require(` type tftpdir_t; -<<<<<<< HEAD type tftpdir_rw_t; ') @@ -41,11 +40,6 @@ interface(`tftp_search_rw_content',` search_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) files_search_var_lib($1) -======= - ') - - read_files_pattern($1, tftpdir_t, tftpdir_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## @@ -70,7 +64,6 @@ interface(`tftp_manage_rw_content',` ######################################## ## -<<<<<<< HEAD ## Read tftp config files. ## ## 
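Review bot: The kept side of the first telnet.te hunk adds `userdom_manage_user_tmp_files(telnetd_t)` and `userdom_tmp_filetrans_user_tmp(telnetd_t, file)` on top of telnetd's own telnetd_tmp_t rules, and nothing in the hunk explains what the daemon writes as user tmp content. For a network-facing login daemon that is a broad grant, and the file already annotates its odd rules inline (`# for identd; cjp: this should probably only be inetd_child rules?`), so a similar note here, e.g. `# <file> is created in the user's tmp before the remotelogin transition`, would document it.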
@@ -156,8 +149,6 @@ interface(`tftp_filetrans_named_content',` ######################################## ## -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## All of the rules required to administrate ## an tftp environment ## @@ -173,7 +164,6 @@ interface(`tftp_admin',` type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t; ') -<<<<<<< HEAD allow $1 tftpd_t:process signal_perms; ps_process_pattern($1, tftpd_t) tunable_policy(`deny_ptrace',`',` @@ -181,20 +171,13 @@ interface(`tftp_admin',` ') files_list_var_lib($1) -======= - allow $1 tftpd_t:process { ptrace signal_perms getattr }; - ps_process_pattern($1, tftpd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 admin_pattern($1, tftpdir_rw_t) admin_pattern($1, tftpdir_t) files_list_pids($1) admin_pattern($1, tftpd_var_run_t) -<<<<<<< HEAD tftp_manage_config($1) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') diff --git a/tftp.te b/tftp.te index 91cd56a..4ee4bd3 100644 --- a/tftp.te +++ b/tftp.te @@ -6,17 +6,10 @@ policy_module(tftp, 1.12.0) # ## -<<<<<<< HEAD -##

-## Allow tftp to modify public files -## used for public file transfer services. -##

-======= ##

## Allow tftp to modify public files ## used for public file transfer services. ##

->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ##
gen_tunable(tftp_anon_write, false) @@ -33,40 +26,26 @@ files_type(tftpdir_t) type tftpdir_rw_t; files_type(tftpdir_rw_t) -<<<<<<< HEAD type tftpd_etc_t; files_config_file(tftpd_etc_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # # Local policy # allow tftpd_t self:capability { setgid setuid sys_chroot }; -<<<<<<< HEAD dontaudit tftpd_t self:capability sys_tty_config; -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow tftpd_t self:tcp_socket create_stream_socket_perms; allow tftpd_t self:udp_socket create_socket_perms; allow tftpd_t self:unix_dgram_socket create_socket_perms; allow tftpd_t self:unix_stream_socket create_stream_socket_perms; -<<<<<<< HEAD allow tftpd_t tftpdir_t:dir list_dir_perms; allow tftpd_t tftpdir_t:file read_file_perms; allow tftpd_t tftpdir_t:lnk_file read_lnk_file_perms; read_files_pattern(tftpd_t, tftpd_etc_t, tftpd_etc_t) -======= -dontaudit tftpd_t self:capability sys_tty_config; - -allow tftpd_t tftpdir_t:dir list_dir_perms; -allow tftpd_t tftpdir_t:file read_file_perms; -allow tftpd_t tftpdir_t:lnk_file { getattr read }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) @@ -120,13 +99,10 @@ tunable_policy(`tftp_anon_write',` ') optional_policy(` -<<<<<<< HEAD cobbler_read_lib_files(tftpd_t) ') optional_policy(` -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 inetd_udp_service_domain(tftpd_t, tftpd_exec_t) ') diff --git a/tgtd.fc b/tgtd.fc index 1db4d90..4847b43 100644 --- a/tgtd.fc +++ b/tgtd.fc 
@@ -1,7 +1,4 @@ /etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0) /usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0) /var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0) -<<<<<<< HEAD /var/run/tgtd.* -s gen_context(system_u:object_r:tgtd_var_run_t,s0) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/tgtd.te b/tgtd.te index 9d230e8..cdeafc5 100644 --- a/tgtd.te +++ b/tgtd.te @@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(tgtd, 1.1.1) -======= policy_module(tgtd, 1.2.0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -25,12 +21,9 @@ files_tmpfs_file(tgtd_tmpfs_t) type tgtd_var_lib_t; files_type(tgtd_var_lib_t) -<<<<<<< HEAD type tgtd_var_run_t; files_pid_file(tgtd_var_run_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # # TGTD personal policy. @@ -39,11 +32,7 @@ files_pid_file(tgtd_var_run_t) allow tgtd_t self:capability sys_resource; allow tgtd_t self:process { setrlimit signal }; allow tgtd_t self:fifo_file rw_fifo_file_perms; -<<<<<<< HEAD allow tgtd_t self:netlink_route_socket create_netlink_socket_perms; -======= -allow tgtd_t self:netlink_route_socket { create_socket_perms nlmsg_read }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow tgtd_t self:shm create_shm_perms; allow tgtd_t self:sem create_sem_perms; allow tgtd_t self:tcp_socket create_stream_socket_perms; 
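Review bot: In the tgtd.te hunk at line 39 the resolution keeps `allow tgtd_t self:netlink_route_socket create_netlink_socket_perms;` over the other branch's `{ create_socket_perms nlmsg_read }`; the chosen set also carries nlmsg_write, which lets the iSCSI target daemon alter routing state instead of only reading it. tor.te and telnet.te in this same commit use `r_netlink_socket_perms` for the read-only case, so unless tgtd actually writes routes the line should read `allow tgtd_t self:netlink_route_socket r_netlink_socket_perms;`. If write is genuinely required, a comment naming the operation would justify the broader set.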
@@ -60,15 +49,12 @@ manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t) manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t) files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file }) -<<<<<<< HEAD manage_dirs_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t) manage_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t) manage_sock_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t) files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file }) kernel_read_system_state(tgtd_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 kernel_read_fs_sysctls(tgtd_t) corenet_all_recvfrom_netlabel(tgtd_t) @@ -80,26 +66,18 @@ corenet_tcp_bind_generic_node(tgtd_t) corenet_tcp_bind_iscsi_port(tgtd_t) corenet_sendrecv_iscsi_server_packets(tgtd_t) -<<<<<<< HEAD dev_read_sysfs(tgtd_t) files_read_etc_files(tgtd_t) fs_read_anon_inodefs_files(tgtd_t) -======= -files_read_etc_files(tgtd_t) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 storage_manage_fixed_disk(tgtd_t) logging_send_syslog_msg(tgtd_t) miscfiles_read_localization(tgtd_t) -<<<<<<< HEAD optional_policy(` iscsi_manage_semaphores(tgtd_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/thunderbird.te b/thunderbird.te index d533d98..204ac7e 100644 --- a/thunderbird.te +++ b/thunderbird.te @@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(thunderbird, 2.2.0) -======= policy_module(thunderbird, 2.3.0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # 
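Review bot: The kept lines `manage_dirs_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)`, the two pattern calls below it and `files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file })` drop the space after the comma, unlike the surrounding calls such as `manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)`. It is purely cosmetic, but these are the lines this resolution introduces, so they are the place to normalise to `manage_dirs_pattern(tgtd_t, tgtd_var_run_t, tgtd_var_run_t)` and `files_pid_filetrans(tgtd_t, tgtd_var_run_t, { file sock_file })`.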
@@ -13,12 +9,7 @@ type thunderbird_t; type thunderbird_exec_t; typealias thunderbird_t alias { user_thunderbird_t staff_thunderbird_t sysadm_thunderbird_t }; typealias thunderbird_t alias { auditadm_thunderbird_t secadm_thunderbird_t }; -<<<<<<< HEAD -application_domain(thunderbird_t, thunderbird_exec_t) -ubac_constrained(thunderbird_t) -======= userdom_user_application_domain(thunderbird_t, thunderbird_exec_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type thunderbird_home_t; typealias thunderbird_home_t alias { user_thunderbird_home_t staff_thunderbird_home_t sysadm_thunderbird_home_t }; @@ -28,12 +19,7 @@ userdom_user_home_content(thunderbird_home_t) type thunderbird_tmpfs_t; typealias thunderbird_tmpfs_t alias { user_thunderbird_tmpfs_t staff_thunderbird_tmpfs_t sysadm_thunderbird_tmpfs_t }; typealias thunderbird_tmpfs_t alias { auditadm_thunderbird_tmpfs_t secadm_thunderbird_tmpfs_t }; -<<<<<<< HEAD -files_tmpfs_file(thunderbird_tmpfs_t) -ubac_constrained(thunderbird_tmpfs_t) -======= userdom_user_tmpfs_file(thunderbird_tmpfs_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -126,21 +112,7 @@ xserver_read_xdm_tmp_files(thunderbird_t) xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t) # Access ~/.thunderbird -<<<<<<< HEAD userdom_home_manager(thunderbird_t) -======= -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(thunderbird_t) - fs_manage_nfs_files(thunderbird_t) - fs_manage_nfs_symlinks(thunderbird_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(thunderbird_t) - fs_manage_cifs_files(thunderbird_t) - fs_manage_cifs_symlinks(thunderbird_t) -') ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 tunable_policy(`mail_read_content && use_nfs_home_dirs',` files_list_home(thunderbird_t) diff --git a/tmpreaper.fc b/tmpreaper.fc index 0295891..fcc10e8 100644 --- a/tmpreaper.fc +++ b/tmpreaper.fc 
@@ -1,10 +1,7 @@ -<<<<<<< HEAD -======= ifdef(`distro_debian',` /etc/init\.d/mountall-bootclean.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0) /etc/init\.d/mountnfs-bootclean.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0) ') ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /usr/sbin/tmpreaper -- gen_context(system_u:object_r:tmpreaper_exec_t,s0) /usr/sbin/tmpwatch -- gen_context(system_u:object_r:tmpreaper_exec_t,s0) diff --git a/tmpreaper.te b/tmpreaper.te index 53d34f8..3d3f88a 100644 --- a/tmpreaper.te +++ b/tmpreaper.te @@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(tmpreaper, 1.5.0) -======= policy_module(tmpreaper, 1.6.0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -11,10 +7,7 @@ policy_module(tmpreaper, 1.6.0) type tmpreaper_t; type tmpreaper_exec_t; -<<<<<<< HEAD init_system_domain(tmpreaper_t, tmpreaper_exec_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 application_domain(tmpreaper_t, tmpreaper_exec_t) role system_r types tmpreaper_t; @@ -26,23 +19,16 @@ role system_r types tmpreaper_t; allow tmpreaper_t self:process { fork sigchld }; allow tmpreaper_t self:capability { dac_override dac_read_search fowner }; -<<<<<<< HEAD kernel_read_system_state(tmpreaper_t) dev_read_urand(tmpreaper_t) fs_getattr_xattr_fs(tmpreaper_t) fs_list_all(tmpreaper_t) -======= -dev_read_urand(tmpreaper_t) - -fs_getattr_xattr_fs(tmpreaper_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 files_read_etc_files(tmpreaper_t) files_read_var_lib_files(tmpreaper_t) files_purge_tmp(tmpreaper_t) -<<<<<<< HEAD files_delete_all_non_security_files(tmpreaper_t) # why does it need setattr? files_setattr_all_tmp_dirs(tmpreaper_t) 
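Review bot: The tmpreaper.te hunk at line 11 keeps `init_system_domain(tmpreaper_t, tmpreaper_exec_t)` immediately followed by `application_domain(tmpreaper_t, tmpreaper_exec_t)` on the same type, where the other branch had only the latter. As far as I recall both interfaces declare the domain and its entry point, so the second call is at best redundant and at worst hides which model tmpreaper is meant to follow (init-run system domain versus user application). Keep one, or if both attributes really are needed add a comment above them saying why, e.g. `# also an application_domain: entered from cron as well as from init`.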
@@ -57,22 +43,11 @@ mls_file_write_all_levels(tmpreaper_t) auth_use_nsswitch(tmpreaper_t) -======= -# why does it need setattr? -files_setattr_all_tmp_dirs(tmpreaper_t) -files_getattr_all_dirs(tmpreaper_t) -files_getattr_all_files(tmpreaper_t) - -mls_file_read_all_levels(tmpreaper_t) -mls_file_write_all_levels(tmpreaper_t) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 logging_send_syslog_msg(tmpreaper_t) miscfiles_read_localization(tmpreaper_t) miscfiles_delete_man_pages(tmpreaper_t) -<<<<<<< HEAD optional_policy(` cron_system_entry(tmpreaper_t, tmpreaper_exec_t) ') @@ -84,15 +59,6 @@ ifdef(`distro_redhat',` userdom_delete_all_user_home_content_sock_files(tmpreaper_t) userdom_delete_all_user_home_content_symlinks(tmpreaper_t) userdom_setattr_all_user_home_content_dirs(tmpreaper_t) -======= -cron_system_entry(tmpreaper_t, tmpreaper_exec_t) - -ifdef(`distro_redhat',` - userdom_list_user_home_content(tmpreaper_t) - userdom_delete_user_home_content_dirs(tmpreaper_t) - userdom_delete_user_home_content_files(tmpreaper_t) - userdom_delete_user_home_content_symlinks(tmpreaper_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') optional_policy(` @@ -100,13 +66,9 @@ optional_policy(` ') optional_policy(` -<<<<<<< HEAD apache_delete_sys_content_rw(tmpreaper_t) apache_list_cache(tmpreaper_t) apache_delete_cache_dirs(tmpreaper_t) -======= - apache_list_cache(tmpreaper_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 apache_delete_cache_files(tmpreaper_t) apache_setattr_cache_dirs(tmpreaper_t) ') @@ -120,7 +82,6 @@ optional_policy(` ') optional_policy(` -<<<<<<< HEAD sandbox_list(tmpreaper_t) sandbox_delete_dirs(tmpreaper_t) sandbox_delete_files(tmpreaper_t) @@ -130,11 +91,4 @@ optional_policy(` optional_policy(` rpm_manage_cache(tmpreaper_t) -======= - rpm_manage_cache(tmpreaper_t) -') - -optional_policy(` - unconfined_domain(tmpreaper_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') diff --git a/tor.fc b/tor.fc index 8984710..6752bc3 100644 --- a/tor.fc 
+++ b/tor.fc @@ -4,11 +4,8 @@ /usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) /usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) -<<<<<<< HEAD /usr/lib/systemd/system/tor.* -- gen_context(system_u:object_r:tor_unit_file_t,s0) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) /var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) diff --git a/tor.if b/tor.if index 73a9adc..26f16dd 100644 --- a/tor.if +++ b/tor.if @@ -18,7 +18,6 @@ interface(`tor_domtrans',` domtrans_pattern($1, tor_exec_t, tor_t) ') -<<<<<<< HEAD ####################################### ## ## Execute tor server in the tor domain. @@ -43,8 +42,6 @@ interface(`tor_systemctl',` ps_process_pattern($1, tor_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## ## ## All of the rules required to administrate @@ -67,7 +64,6 @@ interface(`tor_admin',` type tor_t, tor_var_log_t, tor_etc_t; type tor_var_lib_t, tor_var_run_t; type tor_initrc_exec_t; -<<<<<<< HEAD type tor_unit_file_t; ') @@ -76,12 +72,6 @@ interface(`tor_admin',` tunable_policy(`deny_ptrace',`',` allow $1 tor_t:process ptrace; ') -======= - ') - - allow $1 tor_t:process { ptrace signal_perms getattr }; - ps_process_pattern($1, tor_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 init_labeled_script_domtrans($1, tor_initrc_exec_t) domain_system_change_exemption($1) @@ -99,7 +89,6 @@ interface(`tor_admin',` files_list_pids($1) admin_pattern($1, tor_var_run_t) -<<<<<<< HEAD tor_systemctl($1) admin_pattern($1, tor_unit_file_t) @@ -109,6 +98,4 @@ interface(`tor_admin',` systemd_passwd_agent_exec($1) systemd_read_fifo_file_passwd_run($1) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') diff --git a/tor.te b/tor.te index 73738c0..799fac3 100644 --- a/tor.te +++ b/tor.te 
@@ -36,22 +36,16 @@ logging_log_file(tor_var_log_t) type tor_var_run_t; files_pid_file(tor_var_run_t) -<<<<<<< HEAD type tor_unit_file_t; systemd_unit_file(tor_unit_file_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # # tor local policy # allow tor_t self:capability { setgid setuid sys_tty_config }; -<<<<<<< HEAD allow tor_t self:process signal; -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow tor_t self:fifo_file rw_fifo_file_perms; allow tor_t self:unix_stream_socket create_stream_socket_perms; allow tor_t self:netlink_route_socket r_netlink_socket_perms; @@ -97,10 +91,7 @@ corenet_tcp_sendrecv_all_reserved_ports(tor_t) corenet_tcp_bind_generic_node(tor_t) corenet_udp_bind_generic_node(tor_t) corenet_tcp_bind_tor_port(tor_t) -<<<<<<< HEAD corenet_tcp_bind_tor_socks_port(tor_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 corenet_udp_bind_dns_port(tor_t) corenet_sendrecv_tor_server_packets(tor_t) corenet_sendrecv_dns_server_packets(tor_t) @@ -109,17 +100,11 @@ corenet_tcp_connect_all_ports(tor_t) corenet_sendrecv_all_client_packets(tor_t) # ... especially including port 80 and other privileged ports corenet_tcp_connect_all_reserved_ports(tor_t) -<<<<<<< HEAD corenet_udp_bind_dns_port(tor_t) # tor uses crypto and needs random dev_read_urand(tor_t) dev_read_sysfs(tor_t) -======= - -# tor uses crypto and needs random -dev_read_urand(tor_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 domain_use_interactive_fds(tor_t) diff --git a/tripwire.te b/tripwire.te index 90586b4..a8e786b 100644 --- a/tripwire.te +++ b/tripwire.te @@ -80,11 +80,7 @@ files_getattr_all_sockets(tripwire_t) logging_send_syslog_msg(tripwire_t) -<<<<<<< HEAD userdom_use_inherited_user_terminals(tripwire_t) -======= -userdom_use_user_terminals(tripwire_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 optional_policy(` cron_system_entry(tripwire_t, tripwire_exec_t) 
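Review bot: The resolved side of the `@@ -109,17 +100,11 @@` hunk keeps a second `corenet_udp_bind_dns_port(tor_t)` right after `corenet_tcp_connect_all_reserved_ports(tor_t)`, while the same call already appears as context in the hunk above, between `corenet_tcp_bind_tor_socks_port(tor_t)` and `corenet_sendrecv_tor_server_packets(tor_t)`. Duplicate allow rules compile without complaint, but they make it unclear which line a later cleanup should keep and suggest the HEAD side was pasted in without checking the merged result. Drop the second occurrence so that block reads `corenet_tcp_connect_all_reserved_ports(tor_t)` followed directly by the `# tor uses crypto and needs random` comment. The rest of the tor_t local policy continues outside this hunk.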
@@ -105,11 +101,7 @@ logging_send_syslog_msg(twadmin_t) miscfiles_read_localization(twadmin_t) -<<<<<<< HEAD userdom_use_inherited_user_terminals(twadmin_t) -======= -userdom_use_user_terminals(twadmin_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -135,11 +127,7 @@ logging_send_syslog_msg(twprint_t) miscfiles_read_localization(twprint_t) -<<<<<<< HEAD userdom_use_inherited_user_terminals(twprint_t) -======= -userdom_use_user_terminals(twprint_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -155,8 +143,4 @@ logging_send_syslog_msg(siggen_t) miscfiles_read_localization(siggen_t) -<<<<<<< HEAD userdom_use_inherited_user_terminals(siggen_t) -======= -userdom_use_user_terminals(siggen_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/tuned.fc b/tuned.fc index f6bd8dd..8488152 100644 --- a/tuned.fc +++ b/tuned.fc @@ -1,18 +1,12 @@ /etc/rc\.d/init\.d/tuned -- gen_context(system_u:object_r:tuned_initrc_exec_t,s0) -<<<<<<< HEAD /etc/tuned(/.)? gen_context(system_u:object_r:tuned_etc_t,s0) /etc/tuned/active_profile -- gen_context(system_u:object_r:tuned_rw_etc_t,s0) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0) /var/log/tuned(/.*)? gen_context(system_u:object_r:tuned_log_t,s0) /var/log/tuned\.log -- gen_context(system_u:object_r:tuned_log_t,s0) -<<<<<<< HEAD /var/run/tuned(/.*)? gen_context(system_u:object_r:tuned_var_run_t,s0) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0) diff --git a/tuned.if b/tuned.if index ec64d27..a04f013 100644 --- a/tuned.if +++ b/tuned.if 
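Review bot: The kept context line `/etc/tuned(/.)? gen_context(system_u:object_r:tuned_etc_t,s0)` in the tuned.fc hunk uses `(/.)?`, which matches only `/etc/tuned` itself or a single-character entry beneath it, so profile directories and files under `/etc/tuned/` are not labeled `tuned_etc_t` and fall back to the generic `/etc` label. The neighbouring entries use the usual `(/.*)?` form, which is what was evidently intended: `/etc/tuned(/.*)? gen_context(system_u:object_r:tuned_etc_t,s0)`. The more specific `/etc/tuned/active_profile` entry should still take precedence for that one file, but this is worth rechecking with matchpathcon after the change.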
@@ -5,15 +5,9 @@ ## Execute a domain transition to run tuned. ## ## -<<<<<<< HEAD ## ## Domain allowed to transition. ## -======= -## -## Domain allowed to transition. -## ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## # interface(`tuned_domtrans',` @@ -118,7 +112,6 @@ interface(`tuned_initrc_domtrans',` # interface(`tuned_admin',` gen_require(` -<<<<<<< HEAD type tuned_t, tuned_var_run_t, tuned_initrc_exec_t; ') @@ -127,24 +120,12 @@ interface(`tuned_admin',` tunable_policy(`deny_ptrace',`',` allow $1 tuned_t:process ptrace; ') -======= - type tuned_t, tuned_var_run_t; - type tuned_initrc_exec_t; - ') - - allow $1 tuned_t:process { ptrace signal_perms }; - ps_process_pattern($1, tuned_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 tuned_initrc_domtrans($1) domain_system_change_exemption($1) role_transition $2 tuned_initrc_exec_t system_r; allow $2 system_r; -<<<<<<< HEAD files_list_pids($1) -======= - files_search_pids($1) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 admin_pattern($1, tuned_var_run_t) ') diff --git a/tuned.te b/tuned.te index cd3c970..da20967 100644 --- a/tuned.te +++ b/tuned.te @@ -12,15 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t) type tuned_initrc_exec_t; init_script_file(tuned_initrc_exec_t) -<<<<<<< HEAD type tuned_etc_t; files_config_file(tuned_etc_t) type tuned_rw_etc_t; files_config_file(tuned_rw_etc_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type tuned_log_t; logging_log_file(tuned_log_t) @@ -32,7 +29,6 @@ files_pid_file(tuned_var_run_t) # tuned local policy # -<<<<<<< HEAD allow tuned_t self:process signal; dontaudit tuned_t self:capability { dac_override sys_tty_config }; 
@@ -50,24 +46,13 @@ logging_log_filetrans(tuned_t, tuned_log_t, file, "tuned.log") manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) files_pid_filetrans(tuned_t, tuned_var_run_t, { dir file }) -======= -dontaudit tuned_t self:capability { dac_override sys_tty_config }; - -manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t) -manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t) -logging_log_filetrans(tuned_t, tuned_log_t, file) - -manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) -files_pid_filetrans(tuned_t, tuned_var_run_t, file) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 corecmd_exec_shell(tuned_t) corecmd_exec_bin(tuned_t) kernel_read_system_state(tuned_t) kernel_read_network_state(tuned_t) -<<<<<<< HEAD -kernel_rw_kernel_sysctls(tuned_t) +kernel_read_kernel_sysctls(tuned_t) kernel_rw_hotplug_sysctls(tuned_t) kernel_rw_vm_sysctls(tuned_t) @@ -76,11 +61,6 @@ dev_getattr_all_chr_files(tuned_t) dev_dontaudit_getattr_all(tuned_t) dev_read_urand(tuned_t) dev_rw_sysfs(tuned_t) -======= - -dev_read_urand(tuned_t) -dev_read_sysfs(tuned_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # to allow cpu tuning dev_rw_netcontrol(tuned_t) @@ -88,13 +68,10 @@ files_read_etc_files(tuned_t) files_read_usr_files(tuned_t) files_dontaudit_search_home(tuned_t) -<<<<<<< HEAD fs_getattr_xattr_fs(tuned_t) auth_use_nsswitch(tuned_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 logging_send_syslog_msg(tuned_t) miscfiles_read_localization(tuned_t) @@ -106,7 +83,6 @@ optional_policy(` fstools_domtrans(tuned_t) ') -<<<<<<< HEAD optional_policy(` gnome_dontaudit_search_config(tuned_t) ') @@ -115,8 +91,6 @@ optional_policy(` mount_domtrans(tuned_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # to allow network interface tuning optional_policy(` sysnet_domtrans_ifconfig(tuned_t) diff --git a/tvtime.te b/tvtime.te index edb9b30..951cee6 100644 --- a/tvtime.te 
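Review bot: The only non-merge change in this commit is `-kernel_rw_kernel_sysctls(tuned_t)` / `+kernel_read_kernel_sysctls(tuned_t)` in the `@@ -50,24 +46,13 @@` hunk, and the commit message (`Merge others`) does not mention it. Dropping write access to kernel.* sysctls is a sensible least-privilege tightening, but any tuned profile that writes kernel.* values (presumably through its sysctl settings) will now be denied, while `kernel_rw_vm_sysctls` and `kernel_rw_hotplug_sysctls` on the adjacent lines stay writable. Please confirm the narrowing is intended and record it with a why-comment, e.g. `# tuned only reads kernel.* sysctls; vm.* and hotplug sysctls stay rw`, so the next AVC for `sysctl_kernel_t` write is recognised as a policy decision rather than a merge accident.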
+++ b/tvtime.te @@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(tvtime, 2.1.0) -======= policy_module(tvtime, 2.2.0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -13,12 +9,7 @@ type tvtime_t; type tvtime_exec_t; typealias tvtime_t alias { user_tvtime_t staff_tvtime_t sysadm_tvtime_t }; typealias tvtime_t alias { auditadm_tvtime_t secadm_tvtime_t }; -<<<<<<< HEAD -application_domain(tvtime_t, tvtime_exec_t) -ubac_constrained(tvtime_t) -======= userdom_user_application_domain(tvtime_t, tvtime_exec_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type tvtime_home_t alias tvtime_rw_t; typealias tvtime_home_t alias { user_tvtime_home_t staff_tvtime_home_t sysadm_tvtime_home_t }; @@ -28,22 +19,12 @@ userdom_user_home_content(tvtime_home_t) type tvtime_tmp_t; typealias tvtime_tmp_t alias { user_tvtime_tmp_t staff_tvtime_tmp_t sysadm_tvtime_tmp_t }; typealias tvtime_tmp_t alias { auditadm_tvtime_tmp_t secadm_tvtime_tmp_t }; -<<<<<<< HEAD -files_tmp_file(tvtime_tmp_t) -ubac_constrained(tvtime_tmp_t) -======= userdom_user_tmp_file(tvtime_tmp_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type tvtime_tmpfs_t; typealias tvtime_tmpfs_t alias { user_tvtime_tmpfs_t staff_tvtime_tmpfs_t sysadm_tvtime_tmpfs_t }; typealias tvtime_tmpfs_t alias { auditadm_tvtime_tmpfs_t secadm_tvtime_tmpfs_t }; -<<<<<<< HEAD -files_tmpfs_file(tvtime_tmpfs_t) -ubac_constrained(tvtime_tmpfs_t) -======= userdom_user_tmpfs_file(tvtime_tmpfs_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # 
@@ -89,28 +70,11 @@ fs_search_auto_mountpoints(tvtime_t) miscfiles_read_localization(tvtime_t) miscfiles_read_fonts(tvtime_t) -<<<<<<< HEAD userdom_use_inherited_user_terminals(tvtime_t) userdom_read_user_home_content_files(tvtime_t) # X access, Home files userdom_home_manager(tvtime_t) -======= -userdom_use_user_terminals(tvtime_t) -userdom_read_user_home_content_files(tvtime_t) - -# X access, Home files -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(tvtime_t) - fs_manage_nfs_files(tvtime_t) - fs_manage_nfs_symlinks(tvtime_t) -') -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(tvtime_t) - fs_manage_cifs_files(tvtime_t) - fs_manage_cifs_symlinks(tvtime_t) -') ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 optional_policy(` xserver_user_x_domain_template(tvtime, tvtime_t, tvtime_tmpfs_t) diff --git a/tzdata.te b/tzdata.te index 2d74fb5..834a56d 100644 --- a/tzdata.te +++ b/tzdata.te @@ -15,11 +15,7 @@ application_domain(tzdata_t, tzdata_exec_t) # tzdata local policy # -<<<<<<< HEAD files_read_config_files(tzdata_t) -======= -files_read_etc_files(tzdata_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 files_search_spool(tzdata_t) fs_getattr_xattr_fs(tzdata_t) @@ -32,11 +28,7 @@ miscfiles_read_localization(tzdata_t) miscfiles_manage_localization(tzdata_t) miscfiles_etc_filetrans_localization(tzdata_t) -<<<<<<< HEAD userdom_use_inherited_user_terminals(tzdata_t) -======= -userdom_use_user_terminals(tzdata_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # tzdata looks for /var/spool/postfix/etc/localtime. optional_policy(` diff --git a/ucspitcp.if b/ucspitcp.if index b5621c3..bf82170 100644 --- a/ucspitcp.if +++ b/ucspitcp.if @@ -20,11 +20,7 @@ ## ## # -<<<<<<< HEAD -interface(`ucspitcp_service_domain',` -======= interface(`ucspitcp_service_domain', ` ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 gen_require(` type ucspitcp_t; role system_r; 
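Review bot: The resolution of the `@@ -89,28 +70,11 @@` hunk replaces the `use_nfs_home_dirs`/`use_samba_home_dirs`-gated `fs_manage_nfs_*` and `fs_manage_cifs_*` rules with an unconditional `userdom_home_manager(tvtime_t)`, and the `# X access, Home files` comment above it no longer describes what the line grants. Please verify that `userdom_home_manager` is limited to the same tunable-gated remote-home access (it presumably attaches tvtime_t to an attribute whose rules live in userdomain.te); if it also grants management of local user home content, a TV viewer ends up with wider write access to home directories than the lines it replaces. Either way, a comment such as `# nfs/cifs home access is gated by use_nfs_home_dirs/use_samba_home_dirs via userdom_home_manager` would make the intent reviewable.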
@@ -35,12 +31,5 @@ interface(`ucspitcp_service_domain', ` role system_r types $1; -<<<<<<< HEAD domtrans_pattern(ucspitcp_t, $2, $1) -======= - domain_auto_trans(ucspitcp_t, $2, $1) - allow $1 ucspitcp_t:fd use; - allow $1 ucspitcp_t:process sigchld; - allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') diff --git a/ucspitcp.te b/ucspitcp.te index c4fb437..2fde184 100644 --- a/ucspitcp.te +++ b/ucspitcp.te @@ -8,18 +8,12 @@ policy_module(ucspitcp, 1.3.0) type rblsmtpd_t; type rblsmtpd_exec_t; init_system_domain(rblsmtpd_t, rblsmtpd_exec_t) -<<<<<<< HEAD -======= role system_r types rblsmtpd_t; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type ucspitcp_t; type ucspitcp_exec_t; init_system_domain(ucspitcp_t, ucspitcp_exec_t) -<<<<<<< HEAD -======= role system_r types ucspitcp_t; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -95,12 +89,7 @@ sysnet_read_config(ucspitcp_t) optional_policy(` daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t) -<<<<<<< HEAD daemontools_sigchld_run(ucspitcp_t) daemontools_read_svc(ucspitcp_t) ') -======= - daemontools_read_svc(ucspitcp_t) -') ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/ulogd.fc b/ulogd.fc index ddf7350..831b4a3 100644 --- a/ulogd.fc +++ b/ulogd.fc @@ -1,11 +1,7 @@ /etc/rc\.d/init\.d/ulogd -- gen_context(system_u:object_r:ulogd_initrc_exec_t,s0) /etc/ulogd.conf -- gen_context(system_u:object_r:ulogd_etc_t,s0) -<<<<<<< HEAD -/usr/lib/ulogd(/.*)? gen_context(system_u:object_r:ulogd_modules_t,s0) -======= /usr/lib/ulogd(/.*)? gen_context(system_u:object_r:ulogd_modules_t,s0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /usr/sbin/ulogd -- gen_context(system_u:object_r:ulogd_exec_t,s0) /var/log/ulogd(/.*)? gen_context(system_u:object_r:ulogd_var_log_t,s0) diff --git a/ulogd.if b/ulogd.if index 96013aa..a05cd68 100644 --- a/ulogd.if +++ b/ulogd.if 
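Review bot: Resolving `ucspitcp_service_domain` to `domtrans_pattern(ucspitcp_t, $2, $1)` drops the upstream `allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;` without a replacement, and the standard `domtrans_pattern` only covers the fd use, fifo and sigchld parts of the removed rules. A service spawned by tcpserver talks to its client on the accepted socket it inherits from ucspitcp_t, so unless that permission is granted elsewhere the service domain will be denied reading or writing its own connection. Unless the equivalent rule lives in another interface, keep `allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;` after the `domtrans_pattern` line, or add a comment stating where it is provided.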
@@ -123,16 +123,11 @@ interface(`ulogd_admin',` type ulogd_var_log_t, ulogd_initrc_exec_t; ') -<<<<<<< HEAD allow $1 ulogd_t:process signal_perms; ps_process_pattern($1, ulogd_t) tunable_policy(`deny_ptrace',`',` allow $1 ulogd_t:process ptrace; ') -======= - allow $1 ulogd_t:process { ptrace signal_perms }; - ps_process_pattern($1, ulogd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 init_labeled_script_domtrans($1, ulogd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/ulogd.te b/ulogd.te index ff7b304..70f687a 100644 --- a/ulogd.te +++ b/ulogd.te @@ -11,11 +11,7 @@ init_daemon_domain(ulogd_t, ulogd_exec_t) # config files type ulogd_etc_t; -<<<<<<< HEAD files_config_file(ulogd_etc_t) -======= -files_type(ulogd_etc_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type ulogd_initrc_exec_t; init_script_file(ulogd_initrc_exec_t) @@ -33,7 +29,6 @@ logging_log_file(ulogd_var_log_t) # ulogd local policy # -<<<<<<< HEAD allow ulogd_t self:capability { net_admin sys_nice }; allow ulogd_t self:process { setsched }; allow ulogd_t self:netlink_nflog_socket create_socket_perms; @@ -41,10 +36,6 @@ allow ulogd_t self:netlink_route_socket r_netlink_socket_perms; allow ulogd_t self:netlink_socket create_socket_perms; allow ulogd_t self:tcp_socket { create_stream_socket_perms connect }; allow ulogd_t self:udp_socket create_socket_perms; -======= -allow ulogd_t self:capability net_admin; -allow ulogd_t self:netlink_nflog_socket create_socket_perms; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # config files read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t) diff --git a/uml.if b/uml.if index d2ef68f..ddb34f1 100644 --- a/uml.if +++ b/uml.if 
@@ -31,15 +31,9 @@ interface(`uml_role',` allow $2 uml_t:unix_dgram_socket sendto; allow uml_t $2:unix_dgram_socket sendto; -<<<<<<< HEAD # allow ps, signal ps_process_pattern($2, uml_t) allow $2 uml_t:process signal_perms; -======= - # allow ps, ptrace, signal - ps_process_pattern($2, uml_t) - allow $2 uml_t:process { ptrace signal_perms }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow $2 uml_ro_t:dir list_dir_perms; read_files_pattern($2, uml_ro_t, uml_ro_t) diff --git a/uml.te b/uml.te index 2eeabad..28c5b63 100644 --- a/uml.te +++ b/uml.te @@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(uml, 2.1.0) -======= policy_module(uml, 2.2.0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -13,12 +9,7 @@ type uml_t; type uml_exec_t; typealias uml_t alias { user_uml_t staff_uml_t sysadm_uml_t }; typealias uml_t alias { auditadm_uml_t secadm_uml_t }; -<<<<<<< HEAD -application_domain(uml_t, uml_exec_t) -ubac_constrained(uml_t) -======= userdom_user_application_domain(uml_t, uml_exec_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type uml_ro_t; typealias uml_ro_t alias { user_uml_ro_t staff_uml_ro_t sysadm_uml_ro_t }; 
@@ -33,22 +24,12 @@ userdom_user_home_content(uml_rw_t) type uml_tmp_t; typealias uml_tmp_t alias { user_uml_tmp_t staff_uml_tmp_t sysadm_uml_tmp_t }; typealias uml_tmp_t alias { auditadm_uml_tmp_t secadm_uml_tmp_t }; -<<<<<<< HEAD -files_tmp_file(uml_tmp_t) -ubac_constrained(uml_tmp_t) -======= userdom_user_tmp_file(uml_tmp_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type uml_tmpfs_t; typealias uml_tmpfs_t alias { user_uml_tmpfs_t staff_uml_tmpfs_t sysadm_uml_tmpfs_t }; typealias uml_tmpfs_t alias { auditadm_uml_tmpfs_t secadm_uml_tmpfs_t }; -<<<<<<< HEAD -files_tmpfs_file(uml_tmpfs_t) -ubac_constrained(uml_tmpfs_t) -======= userdom_user_tmpfs_file(uml_tmpfs_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type uml_devpts_t; typealias uml_devpts_t alias { user_uml_devpts_t staff_uml_devpts_t sysadm_uml_devpts_t }; @@ -69,11 +50,7 @@ files_pid_file(uml_switch_var_run_t) # allow uml_t self:fifo_file rw_fifo_file_perms; -<<<<<<< HEAD allow uml_t self:process signal_perms; -======= -allow uml_t self:process { signal_perms ptrace }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow uml_t self:unix_stream_socket create_stream_socket_perms; allow uml_t self:unix_dgram_socket create_socket_perms; # Use the network. @@ -154,11 +131,7 @@ seutil_use_newrole_fds(uml_t) # Use the network. sysnet_read_config(uml_t) -<<<<<<< HEAD userdom_use_inherited_user_terminals(uml_t) -======= -userdom_use_user_terminals(uml_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 userdom_attach_admin_tun_iface(uml_t) optional_policy(` diff --git a/updfstab.te b/updfstab.te index 7713581..46c2a9a 100644 --- a/updfstab.te +++ b/updfstab.te 
@@ -78,14 +78,8 @@ seutil_read_file_contexts(updfstab_t) userdom_dontaudit_search_user_home_content(updfstab_t) userdom_dontaudit_use_unpriv_user_fds(updfstab_t) -<<<<<<< HEAD auth_use_nsswitch(updfstab_t) auth_domtrans_pam_console(updfstab_t) -======= -optional_policy(` - auth_domtrans_pam_console(updfstab_t) -') ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 optional_policy(` init_dbus_chat_script(updfstab_t) @@ -109,13 +103,10 @@ optional_policy(` ') optional_policy(` -<<<<<<< HEAD -======= nscd_socket_use(updfstab_t) ') optional_policy(` ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 seutil_sigchld_newrole(updfstab_t) ') diff --git a/uptime.te b/uptime.te index 8d820fd..1f8f768 100644 --- a/uptime.te +++ b/uptime.te @@ -13,11 +13,7 @@ type uptimed_etc_t alias etc_uptimed_t; files_config_file(uptimed_etc_t) type uptimed_spool_t; -<<<<<<< HEAD files_spool_file(uptimed_spool_t) -======= -files_type(uptimed_spool_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type uptimed_var_run_t; files_pid_file(uptimed_var_run_t) @@ -29,11 +25,7 @@ files_pid_file(uptimed_var_run_t) dontaudit uptimed_t self:capability sys_tty_config; allow uptimed_t self:process signal_perms; -<<<<<<< HEAD allow uptimed_t self:fifo_file write_fifo_file_perms; -======= -allow uptimed_t self:fifo_file write_file_perms; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow uptimed_t uptimed_etc_t:file read_file_perms; files_search_etc(uptimed_t) diff --git a/usbmodules.te b/usbmodules.te index 6da62eb..f04565f 100644 --- a/usbmodules.te +++ b/usbmodules.te @@ -34,13 +34,7 @@ init_use_fds(usbmodules_t) miscfiles_read_hwdata(usbmodules_t) -<<<<<<< HEAD userdom_use_inherited_user_terminals(usbmodules_t) -======= -modutils_read_module_deps(usbmodules_t) - -userdom_use_user_terminals(usbmodules_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 optional_policy(` hotplug_read_config(usbmodules_t) 
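Review bot: The updfstab.te resolution keeps both the HEAD-side `auth_use_nsswitch(updfstab_t)` and the upstream `optional_policy(` block around `nscd_socket_use(updfstab_t)`; in reference policy `auth_use_nsswitch` already provides the nscd socket access under its own optional_policy, so the retained block is redundant. Drop the `nscd_socket_use(updfstab_t)` optional_policy so the file carries one source of truth for name-service access, as the userhelper.if change in this same commit already does.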
@@ -49,10 +43,7 @@ optional_policy(` optional_policy(` logging_send_syslog_msg(usbmodules_t) ') -<<<<<<< HEAD optional_policy(` modutils_read_module_deps(usbmodules_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/usbmuxd.te b/usbmuxd.te index 7657b1d..34ffbfd 100644 --- a/usbmuxd.te +++ b/usbmuxd.te @@ -40,10 +40,7 @@ miscfiles_read_localization(usbmuxd_t) auth_use_nsswitch(usbmuxd_t) logging_send_syslog_msg(usbmuxd_t) -<<<<<<< HEAD optional_policy(` virt_dontaudit_read_chr_dev(usbmuxd_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/userhelper.fc b/userhelper.fc index 95d00ab..cd83b89 100644 --- a/userhelper.fc +++ b/userhelper.fc @@ -7,7 +7,4 @@ # /usr # /usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0) -<<<<<<< HEAD /usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/userhelper.if b/userhelper.if index ce74d30..821bcea 100644 --- a/userhelper.if +++ b/userhelper.if @@ -25,10 +25,7 @@ template(`userhelper_role_template',` gen_require(` attribute userhelper_type; type userhelper_exec_t, userhelper_conf_t; -<<<<<<< HEAD class dbus send_msg; -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## 
@@ -37,19 +34,11 @@ template(`userhelper_role_template',` # type $1_userhelper_t, userhelper_type; -<<<<<<< HEAD - application_domain($1_userhelper_t, userhelper_exec_t) -======= userdom_user_application_domain($1_userhelper_t, userhelper_exec_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 domain_role_change_exemption($1_userhelper_t) domain_obj_id_change_exemption($1_userhelper_t) domain_interactive_fd($1_userhelper_t) domain_subj_id_change_exemption($1_userhelper_t) -<<<<<<< HEAD - ubac_constrained($1_userhelper_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 role $2 types $1_userhelper_t; ######################################## @@ -133,12 +122,9 @@ template(`userhelper_role_template',` auth_manage_pam_pid($1_userhelper_t) auth_manage_var_auth($1_userhelper_t) auth_search_pam_console_data($1_userhelper_t) -<<<<<<< HEAD auth_use_nsswitch($1_userhelper_t) logging_send_syslog_msg($1_userhelper_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # Inherit descriptors from the current session. init_use_fds($1_userhelper_t) @@ -163,21 +149,6 @@ template(`userhelper_role_template',` ') optional_policy(` -<<<<<<< HEAD -======= - logging_send_syslog_msg($1_userhelper_t) - ') - - optional_policy(` - nis_use_ypbind($1_userhelper_t) - ') - - optional_policy(` - nscd_socket_use($1_userhelper_t) - ') - - optional_policy(` ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 tunable_policy(`! secure_mode',` #if we are not in secure mode then we can transition to sysadm_t sysadm_bin_spec_domtrans($1_userhelper_t) @@ -276,7 +247,6 @@ interface(`userhelper_exec',` can_exec($1, userhelper_exec_t) ') -<<<<<<< HEAD ####################################### ## @@ -362,5 +332,3 @@ interface(`userhelper_exec_console',` can_exec($1, consolehelper_exec_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/userhelper.te b/userhelper.te index a09fd66..390de9e 100644 --- a/userhelper.te +++ b/userhelper.te 
@@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(userhelper, 1.6.0) -======= policy_module(userhelper, 1.7.0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -10,17 +6,13 @@ policy_module(userhelper, 1.7.0) # attribute userhelper_type; -<<<<<<< HEAD attribute consolehelper_domain; -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type userhelper_conf_t; files_type(userhelper_conf_t) type userhelper_exec_t; application_executable_file(userhelper_exec_t) -<<<<<<< HEAD type consolehelper_exec_t; application_executable_file(consolehelper_exec_t) @@ -92,5 +84,3 @@ tunable_policy(`use_samba_home_dirs',` files_search_mnt(consolehelper_domain) fs_search_cifs(consolehelper_domain) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/usernetctl.if b/usernetctl.if index 2122912..d45c715 100644 --- a/usernetctl.if +++ b/usernetctl.if @@ -37,32 +37,9 @@ interface(`usernetctl_domtrans',` # interface(`usernetctl_run',` gen_require(` -<<<<<<< HEAD - type usernetctl_t; - ') - - usernetctl_domtrans($1) - role $2 types usernetctl_t; - - sysnet_run_ifconfig(usernetctl_t, $2) - sysnet_run_dhcpc(usernetctl_t, $2) - - optional_policy(` - iptables_run(usernetctl_t, $2) - ') - - optional_policy(` - modutils_run_insmod(usernetctl_t, $2) - ') - - optional_policy(` - ppp_run(usernetctl_t, $2) - ') -======= attribute_role usernetctl_roles; ') usernetctl_domtrans($1) roleattribute $2 usernetctl_roles; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') diff --git a/usernetctl.te b/usernetctl.te index 3fd41aa..5525411 100644 --- a/usernetctl.te +++ b/usernetctl.te 
@@ -1,27 +1,17 @@ -<<<<<<< HEAD -policy_module(usernetctl, 1.5.0) -======= policy_module(usernetctl, 1.6.0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # # Declarations # -<<<<<<< HEAD -======= attribute_role usernetctl_roles; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type usernetctl_t; type usernetctl_exec_t; application_domain(usernetctl_t, usernetctl_exec_t) domain_interactive_fd(usernetctl_t) -<<<<<<< HEAD -======= role usernetctl_roles types usernetctl_t; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -70,21 +60,14 @@ miscfiles_read_localization(usernetctl_t) seutil_read_config(usernetctl_t) sysnet_read_config(usernetctl_t) -<<<<<<< HEAD userdom_use_inherited_user_terminals(usernetctl_t) -optional_policy(` - consoletype_exec(usernetctl_t) -======= sysnet_run_ifconfig(usernetctl_t, usernetctl_roles) sysnet_run_dhcpc(usernetctl_t, usernetctl_roles) -userdom_use_user_terminals(usernetctl_t) - optional_policy(` consoletype_run(usernetctl_t, usernetctl_roles) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') optional_policy(` @@ -92,10 +75,6 @@ optional_policy(` ') optional_policy(` -<<<<<<< HEAD - nis_use_ypbind(usernetctl_t) -') -======= iptables_run(usernetctl_t, usernetctl_roles) ') diff --git a/uucp.if b/uucp.if index e06ebbf..8f8ac45 100644 --- a/uucp.if +++ b/uucp.if @@ -99,16 +99,11 @@ interface(`uucp_admin',` type uucpd_var_run_t; ') -<<<<<<< HEAD allow $1 uucpd_t:process signal_perms; ps_process_pattern($1, uucpd_t) tunable_policy(`deny_ptrace',`',` allow $1 uucpd_t:process ptrace; ') -======= - allow $1 uucpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, uucpd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 logging_list_logs($1) admin_pattern($1, uucpd_log_t) diff --git a/uucp.te b/uucp.te index 85b8ac4..fef39c0 100644 --- a/uucp.te +++ b/uucp.te 
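Review bot: The last usernetctl.te hunk resolves to the roleattribute side and drops the HEAD-only `nis_use_ypbind(usernetctl_t)` block, while the companion usernetctl.if change removes `modutils_run_insmod(usernetctl_t, $2)` and `ppp_run(usernetctl_t, $2)` from `usernetctl_run`; only `sysnet_run_ifconfig`, `sysnet_run_dhcpc`, `consoletype_run` and `iptables_run` are visibly re-added against `usernetctl_roles`. Please confirm the insmod and ppp role transitions exist further down the file, outside this hunk, and that name-service lookups are covered by an `auth_use_nsswitch(usernetctl_t)` call not shown here; otherwise interface bring-up through usernetctl loses those transitions silently. A comment above the `sysnet_run_ifconfig` line noting that the role-scoped `*_run` calls moved here from usernetctl.if would help the next reader.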
@@ -24,11 +24,7 @@ type uucpd_ro_t; files_type(uucpd_ro_t) type uucpd_spool_t; -<<<<<<< HEAD files_spool_file(uucpd_spool_t) -======= -files_type(uucpd_spool_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type uucpd_log_t; logging_log_file(uucpd_log_t) @@ -129,11 +125,8 @@ optional_policy(` allow uux_t self:capability { setuid setgid }; allow uux_t self:fifo_file write_fifo_file_perms; -<<<<<<< HEAD domtrans_pattern(uux_t, uucpd_exec_t, uucpd_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 uucp_append_log(uux_t) uucp_manage_spool(uux_t) @@ -154,9 +147,10 @@ optional_policy(` ') optional_policy(` -<<<<<<< HEAD - postfix_rw_master_pipes(uux_t) -======= nscd_socket_use(uux_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') + +optional_policy(` + postfix_rw_master_pipes(uux_t) +') + diff --git a/uuidd.fc b/uuidd.fc index b131c1f..d810232 100644 --- a/uuidd.fc +++ b/uuidd.fc @@ -1,9 +1,5 @@ -<<<<<<< HEAD /etc/rc\.d/init\.d/uuidd -- gen_context(system_u:object_r:uuidd_initrc_exec_t,s0) -======= -/etc/rc\.d/init\.d/uuidd -- gen_context(system_u:object_r:uuidd_initrc_exec_t,s0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /usr/sbin/uuidd -- gen_context(system_u:object_r:uuidd_exec_t,s0) diff --git a/uuidd.if b/uuidd.if index 9b01d2d..879a5cb 100644 --- a/uuidd.if +++ b/uuidd.if @@ -113,10 +113,6 @@ interface(`uuidd_manage_lib_dirs',` manage_dirs_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t) ') -<<<<<<< HEAD - -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## ## ## Read uuidd PID files. @@ -138,11 +134,7 @@ interface(`uuidd_read_pid_files',` ######################################## ## -<<<<<<< HEAD -## Connect to uuidd over a unix stream socket. -======= ## Connect to uuidd over an unix stream socket. ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## ## ## 
@@ -184,12 +176,9 @@ interface(`uuidd_admin',` allow $1 uuidd_t:process signal_perms; ps_process_pattern($1, uuidd_t) -<<<<<<< HEAD tunable_policy(`deny_ptrace',`',` allow $1 uuidd_t:process ptrace; ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 uuidd_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/uwimap.te b/uwimap.te index f902ec8..46d9811 100644 --- a/uwimap.te +++ b/uwimap.te @@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(uwimap, 1.8.0) -======= policy_module(uwimap, 1.9.0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -12,10 +8,6 @@ policy_module(uwimap, 1.9.0) type imapd_t; type imapd_exec_t; init_daemon_domain(imapd_t, imapd_exec_t) -<<<<<<< HEAD -inetd_tcp_service_domain(imapd_t, imapd_exec_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type imapd_tmp_t; files_tmp_file(imapd_tmp_t) @@ -90,13 +82,10 @@ userdom_user_home_dir_filetrans_user_home_content(imapd_t, { dir file lnk_file f mta_rw_spool(imapd_t) optional_policy(` -<<<<<<< HEAD -======= inetd_tcp_service_domain(imapd_t, imapd_exec_t) ') optional_policy(` ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 seutil_sigchld_newrole(imapd_t) ') diff --git a/varnishd.if b/varnishd.if index a5d50a7..7a665ff 100644 --- a/varnishd.if +++ b/varnishd.if @@ -155,16 +155,11 @@ interface(`varnishd_admin_varnishlog',` type varnishlog_var_run_t; ') -<<<<<<< HEAD allow $1 varnishlog_t:process signal_perms; ps_process_pattern($1, varnishlog_t) tunable_policy(`deny_ptrace',`',` allow $1 varnishd_t:process ptrace; ') -======= - allow $1 varnishlog_t:process { ptrace signal_perms }; - ps_process_pattern($1, varnishlog_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 init_labeled_script_domtrans($1, varnishlog_initrc_exec_t) domain_system_change_exemption($1) 
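Review bot: In the resolved `varnishd_admin_varnishlog` body the `deny_ptrace` block reads `allow $1 varnishd_t:process ptrace;` while the surrounding `signal_perms` and `ps_process_pattern` lines target `varnishlog_t`, and the removed upstream line granted ptrace on `varnishlog_t`; this looks like a copy-paste from `varnishd_admin`, and it gives the varnishlog administrator ptrace over the varnishd daemon instead of the log process. It should be `allow $1 varnishlog_t:process ptrace;`. The interface's `gen_require` block begins outside the hunk, so also check it lists `varnishlog_t`.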
@@ -202,16 +197,11 @@ interface(`varnishd_admin',` type varnishd_initrc_exec_t; ') -<<<<<<< HEAD allow $1 varnishd_t:process signal_perms; ps_process_pattern($1, varnishd_t) tunable_policy(`deny_ptrace',`',` allow $1 varnishd_t:process ptrace; ') -======= - allow $1 varnishd_t:process { ptrace signal_perms }; - ps_process_pattern($1, varnishd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 init_labeled_script_domtrans($1, varnishd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/varnishd.te b/varnishd.te index 1d3d6ad..e830a59 100644 --- a/varnishd.te +++ b/varnishd.te @@ -6,17 +6,10 @@ policy_module(varnishd, 1.2.0) # ## -<<<<<<< HEAD -##

-## Allow varnishd to connect to all ports, -## not just HTTP. -##

-======= ##

## Allow varnishd to connect to all ports, ## not just HTTP. ##

->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ##
gen_tunable(varnishd_connect_any, false) @@ -28,11 +21,7 @@ type varnishd_initrc_exec_t; init_script_file(varnishd_initrc_exec_t) type varnishd_etc_t; -<<<<<<< HEAD files_config_file(varnishd_etc_t) -======= -files_type(varnishd_etc_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type varnishd_tmp_t; files_tmp_file(varnishd_tmp_t) @@ -54,11 +43,7 @@ type varnishlog_var_run_t; files_pid_file(varnishlog_var_run_t) type varnishlog_log_t; -<<<<<<< HEAD logging_log_file(varnishlog_log_t) -======= -files_type(varnishlog_log_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -102,11 +87,8 @@ corenet_tcp_connect_http_port(varnishd_t) dev_read_urand(varnishd_t) -<<<<<<< HEAD files_read_usr_files(varnishd_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 fs_getattr_all_fs(varnishd_t) auth_use_nsswitch(varnishd_t) diff --git a/vdagent.fc b/vdagent.fc index c69703d..21c5f41 100644 --- a/vdagent.fc +++ b/vdagent.fc @@ -1,17 +1,7 @@ /usr/sbin/spice-vdagentd -- gen_context(system_u:object_r:vdagent_exec_t,s0) -<<<<<<< HEAD -/var/log/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_log_t,s0) -======= /var/log/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_log_t,s0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /var/log/spice-vdagentd\.log -- gen_context(system_u:object_r:vdagent_log_t,s0) /var/run/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_var_run_t,s0) /var/run/spice-vdagentd.\pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0) -<<<<<<< HEAD - - - -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/vdagent.if b/vdagent.if index a008e7d..b708678 100644 --- a/vdagent.if +++ b/vdagent.if @@ -1,7 +1,3 @@ -<<<<<<< HEAD - -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## policy for vdagent ######################################## @@ -9,15 +5,9 @@ ## Execute a domain transition to run vdagent. ##
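Review bot: The kept context line `/var/run/spice-vdagentd.\pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0)` in vdagent.fc has the escape on the wrong character: the unescaped `.` matches any byte and `\p` is not a defined escape, so whether `/var/run/spice-vdagentd.pid` matches at all depends on the regex engine, and the preceding `/var/run/spice-vdagentd(/.*)?` entry does not cover it either. It should read `/var/run/spice-vdagentd\.pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0)`, matching the `\.log` entry two lines above. Worth confirming with matchpathcon after rebuilding the file contexts.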
## -<<<<<<< HEAD -## -## Domain allowed access. -## -======= ## ## Domain allowed access. ## ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## # interface(`vdagent_domtrans',` @@ -30,7 +20,6 @@ interface(`vdagent_domtrans',` ##################################### ## -<<<<<<< HEAD ## Getattr on vdagent executable. ## ## @@ -45,27 +34,10 @@ interface(`vdagent_getattr_exec_files',` ') allow $1 vdagent_exec_t:file getattr; -======= -## Getattr on vdagent executable. -##
-## -## -## Domain allowed access. -## -## -# -interface(`vdagent_getattr_exec_files',` - gen_require(` - type vdagent_exec_t; - ') - - allow $1 vdagent_exec_t:file getattr; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ####################################### ## -<<<<<<< HEAD ## Get the attributes of vdagent logs. ## ## @@ -81,23 +53,6 @@ interface(`vdagent_getattr_log',` logging_search_logs($1) allow $1 vdagent_log_t:file getattr_file_perms; -======= -## Get the attributes of vdagent logs. -##
-## -## -## Domain allowed access. -## -## -# -interface(`vdagent_getattr_log',` - gen_require(` - type vdagent_log_t; - ') - - logging_search_logs($1) - allow $1 vdagent_log_t:file getattr_file_perms; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## @@ -121,7 +76,6 @@ interface(`vdagent_read_pid_files',` ##################################### ## -<<<<<<< HEAD ## Connect to vdagent over a unix domain ## stream socket. ## @@ -138,24 +92,6 @@ interface(`vdagent_stream_connect',` files_search_pids($1) stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t) -======= -## Connect to vdagent over a unix domain -## stream socket. -##
-## -## -## Domain allowed access. -## -## -# -interface(`vdagent_stream_connect',` - gen_require(` - type vdagent_var_run_t, vdagent_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## @@ -168,15 +104,6 @@ interface(`vdagent_stream_connect',` ## Domain allowed access. ##
## -<<<<<<< HEAD -======= -## -## -## Role allowed access. -## -## -## ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # interface(`vdagent_admin',` gen_require(` @@ -185,12 +112,9 @@ interface(`vdagent_admin',` allow $1 vdagent_t:process signal_perms; ps_process_pattern($1, vdagent_t) -<<<<<<< HEAD tunable_policy(`deny_ptrace',`',` allow $1 vdagent_t:process ptrace; ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 files_search_pids($1) admin_pattern($1, vdagent_var_run_t) diff --git a/vdagent.te b/vdagent.te index 7070096..187ed62 100644 --- a/vdagent.te +++ b/vdagent.te @@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(vdagent,1.0.0) -======= policy_module(vdagent, 1.0.0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -25,10 +21,7 @@ logging_log_file(vdagent_log_t) # dontaudit vdagent_t self:capability sys_admin; -<<<<<<< HEAD allow vdagent_t self:process signal; -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow vdagent_t self:fifo_file rw_fifo_file_perms; allow vdagent_t self:unix_stream_socket create_stream_socket_perms; @@ -40,11 +33,7 @@ files_pid_filetrans(vdagent_t, vdagent_var_run_t, { dir file sock_file }) manage_dirs_pattern(vdagent_t, vdagent_log_t, vdagent_log_t) manage_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t) -<<<<<<< HEAD logging_log_filetrans(vdagent_t, vdagent_log_t, { file }) -======= -logging_log_filetrans(vdagent_t, vdagent_log_t, file) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 dev_rw_input_dev(vdagent_t) dev_read_sysfs(vdagent_t) @@ -52,7 +41,6 @@ dev_dontaudit_write_mtrr(vdagent_t) files_read_etc_files(vdagent_t) -<<<<<<< HEAD init_read_state(vdagent_t) systemd_read_logind_sessions_files(vdagent_t) @@ -62,8 +50,6 @@ term_use_virtio_console(vdagent_t) userdom_read_all_users_state(vdagent_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 miscfiles_read_localization(vdagent_t) optional_policy(` 
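Review bot: The kept side of the `@@ -52,7 +41,6` hunk in vdagent.te grants `init_read_state(vdagent_t)`, `systemd_read_logind_sessions_files(vdagent_t)` and `userdom_read_all_users_state(vdagent_t)` without a comment explaining why a guest agent needs to read every user's /proc state; it is the broadest of the retained rules and a later maintainer cannot tell whether a narrower interface would do. A one-line justification above the three calls would help, e.g. `# vdagentd maps guest channels to logind sessions; needs all users' /proc state -- TODO confirm a narrower interface is not enough`. These calls sit in the vdagent_t local policy, whose start is outside the hunk.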
@@ -73,7 +59,3 @@ optional_policy(` optional_policy(` dbus_system_bus_client(vdagent_t) ') -<<<<<<< HEAD - -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/vhostmd.if b/vhostmd.if index 44d0f28..8af4bce 100644 --- a/vhostmd.if +++ b/vhostmd.if @@ -5,15 +5,9 @@ ## Execute a domain transition to run vhostmd. ##
## -<<<<<<< HEAD -## -## Domain allowed to transition. -## -======= ## ## Domain allowed to transition. ## ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## # interface(`vhostmd_domtrans',` @@ -58,11 +52,7 @@ interface(`vhostmd_read_tmpfs_files',` ') allow $1 vhostmd_tmpfs_t:file read_file_perms; -<<<<<<< HEAD fs_search_tmpfs($1) -======= - files_search_tmp($1) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## @@ -100,11 +90,7 @@ interface(`vhostmd_rw_tmpfs_files',` ') rw_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t) -<<<<<<< HEAD fs_search_tmpfs($1) -======= - files_search_tmp($1) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## @@ -123,11 +109,7 @@ interface(`vhostmd_manage_tmpfs_files',` ') manage_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t) -<<<<<<< HEAD fs_search_tmpfs($1) -======= - files_search_tmp($1) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## @@ -164,21 +146,13 @@ interface(`vhostmd_manage_pid_files',` type vhostmd_var_run_t; ') -<<<<<<< HEAD files_search_pids($1) manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t) -======= - manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## ## -<<<<<<< HEAD -## Connect to vhostmd over a unix domain stream socket. -======= ## Connect to vhostmd over an unix domain stream socket. ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## ## ## @@ -198,11 +172,7 @@ interface(`vhostmd_stream_connect',` ####################################### ## ## Dontaudit read and write to vhostmd -<<<<<<< HEAD -## over a unix domain stream socket. -======= ## over an unix domain stream socket. ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## ## ## 
@@ -240,16 +210,11 @@ interface(`vhostmd_admin',` type vhostmd_t, vhostmd_initrc_exec_t; ') -<<<<<<< HEAD allow $1 vhostmd_t:process signal_perms; ps_process_pattern($1, vhostmd_t) tunable_policy(`deny_ptrace',`',` allow $1 vhostmd_t:process ptrace; ') -======= - allow $1 vhostmd_t:process { ptrace signal_perms getattr }; - ps_process_pattern($1, vhostmd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 vhostmd_initrc_domtrans($1) domain_system_change_exemption($1) @@ -259,8 +224,4 @@ interface(`vhostmd_admin',` vhostmd_manage_tmpfs_files($1) vhostmd_manage_pid_files($1) -<<<<<<< HEAD -======= - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') diff --git a/vhostmd.te b/vhostmd.te index b27e70a..803eea6 100644 --- a/vhostmd.te +++ b/vhostmd.te @@ -24,13 +24,8 @@ files_pid_file(vhostmd_var_run_t) # allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid }; -<<<<<<< HEAD allow vhostmd_t self:process { setsched getsched signal }; allow vhostmd_t self:fifo_file rw_fifo_file_perms; -======= -allow vhostmd_t self:process { setsched getsched }; -allow vhostmd_t self:fifo_file rw_file_perms; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t) manage_files_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t) @@ -40,10 +35,7 @@ manage_dirs_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t) manage_files_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t) files_pid_filetrans(vhostmd_t, vhostmd_var_run_t, { file dir }) -<<<<<<< HEAD kernel_read_kernel_sysctls(vhostmd_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 kernel_read_system_state(vhostmd_t) kernel_read_network_state(vhostmd_t) kernel_write_xen_state(vhostmd_t) @@ -53,7 +45,6 @@ corecmd_exec_shell(vhostmd_t) corenet_tcp_connect_soundd_port(vhostmd_t) -<<<<<<< HEAD dev_read_rand(vhostmd_t) dev_read_urand(vhostmd_t) dev_read_sysfs(vhostmd_t) 
@@ -64,11 +55,6 @@ files_read_etc_files(vhostmd_t) files_read_usr_files(vhostmd_t) dev_read_rand(vhostmd_t) -======= -files_read_etc_files(vhostmd_t) -files_read_usr_files(vhostmd_t) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 dev_read_sysfs(vhostmd_t) auth_use_nsswitch(vhostmd_t) @@ -88,10 +74,7 @@ optional_policy(` optional_policy(` virt_stream_connect(vhostmd_t) -<<<<<<< HEAD virt_write_content(vhostmd_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') optional_policy(` diff --git a/virt.fc b/virt.fc index 82d3bb0..5072bd7 100644 --- a/virt.fc +++ b/virt.fc @@ -1,12 +1,7 @@ -<<<<<<< HEAD HOME_DIR/.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) HOME_DIR/.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -======= -HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) /etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) @@ -19,7 +14,6 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t /etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) /etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) -<<<<<<< HEAD /usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0) /usr/libexec/qemu-bridge-helper gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0) 
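Review bot: After this resolution vhostmd_t appears to end up with `dev_read_rand(vhostmd_t)` and `dev_read_sysfs(vhostmd_t)` listed twice: once in the block kept from HEAD at the end of the previous hunk (`dev_read_rand`, `dev_read_urand`, `dev_read_sysfs`) and again as context lines in the `@@ -64,11 +55,6` hunk. Duplicate interface calls compile to the same rules but obscure what the merge actually changed and suggest the conflict was resolved by concatenation. Drop the two context-line duplicates so each interface appears once in the vhostmd_t local policy, whose start is before this hunk.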
@@ -29,17 +23,11 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t /usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0) /var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) -======= -/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) - -/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) /var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0) /var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) /var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -<<<<<<< HEAD /var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) /var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) @@ -72,12 +60,3 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t /usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0) /usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) /usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) -======= -/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) - -/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) -/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) -/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) - -/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/virt.if b/virt.if index 9b18493..85b7d8b 100644 --- a/virt.if +++ b/virt.if @@ -13,7 +13,6 @@ # template(`virt_domain_template',` gen_require(` -<<<<<<< HEAD attribute virt_image_type, virt_domain; attribute virt_tmpfs_type; attribute virt_ptynode; 
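Review bot: The kept side of the `@@ -72,12 +60,3` hunk in virt.fc removes the only visible labels for `/var/log/libvirt`, `/var/run/libvirt`, `/var/run/libvirt/qemu` and `/var/vdsm`, while the kept line `/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)` looks like a mistyped `/var/log/libvirt`. If the HEAD side does not declare those paths in the part of virt.fc not shown here, libvirtd's log directory and its `/var/run/libvirt` socket directory fall back to generic var_log_t/var_run_t, and `virt_stream_connect` (which expects virt_var_run_t) as well as the `filetrans_pattern(virtd_t, virt_var_run_t, qemu_var_run_t, dir, "qemu")` rule in virt.te no longer match anything. Please confirm those entries survive elsewhere and correct the typo to `/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)`. The same check applies to `/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)`, dropped in the `@@ -29,17 +23,11` hunk, since without it libvirtd never transitions into virtd_t.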
@@ -28,61 +27,31 @@ template(`virt_domain_template',` role system_r types $1_t; type $1_devpts_t, virt_ptynode; -======= - type virtd_t; - attribute virt_image_type; - attribute virt_domain; - ') - - type $1_t, virt_domain; - domain_type($1_t) - domain_user_exemption_target($1_t) - role system_r types $1_t; - - type $1_devpts_t; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 term_pty($1_devpts_t) type $1_tmp_t; files_tmp_file($1_tmp_t) -<<<<<<< HEAD type $1_tmpfs_t, virt_tmpfs_type; -======= - type $1_tmpfs_t; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 files_tmpfs_file($1_tmpfs_t) type $1_image_t, virt_image_type; files_type($1_image_t) dev_node($1_image_t) -<<<<<<< HEAD dev_associate_sysfs($1_image_t) auth_use_nsswitch($1_t) allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; -======= - - type $1_var_run_t; - files_pid_file($1_var_run_t) - - allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 term_create_pty($1_t, $1_devpts_t) manage_dirs_pattern($1_t, $1_image_t, $1_image_t) manage_files_pattern($1_t, $1_image_t, $1_image_t) -<<<<<<< HEAD manage_fifo_files_pattern($1_t, $1_image_t, $1_image_t) read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) rw_chr_files_pattern($1_t, $1_image_t, $1_image_t) rw_blk_files_pattern($1_t, $1_image_t, $1_image_t) fs_hugetlbfs_filetrans($1_t, $1_image_t, file) -======= - read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) - rw_blk_files_pattern($1_t, $1_image_t, $1_image_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) 
@@ -94,21 +63,6 @@ template(`virt_domain_template',` manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) -<<<<<<< HEAD -======= - stream_connect_pattern(virtd_t, $1_var_run_t, $1_var_run_t, virt_domain) - manage_dirs_pattern(virtd_t, $1_var_run_t, $1_var_run_t) - manage_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t) - manage_sock_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t) - - manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) - manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) - manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t) - manage_lnk_files_pattern($1_t, $1_var_run_t, $1_var_run_t) - files_pid_filetrans($1_t, $1_var_run_t, { dir file }) - stream_connect_pattern($1_t, $1_var_run_t, $1_var_run_t, virtd_t) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 optional_policy(` xserver_rw_shm($1_t) ') @@ -136,7 +90,6 @@ interface(`virt_image',` dev_node($1) ') -<<<<<<< HEAD ####################################### ## ## Getattr on virt executable. @@ -155,22 +108,14 @@ interface(`virt_getattr_exec',` allow $1 virtd_exec_t:file getattr; ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## ## ## Execute a domain transition to run virt. ## ## -<<<<<<< HEAD ## ## Domain allowed to transition. ## -======= -## -## Domain allowed to transition. -## ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## # interface(`virt_domtrans',` @@ -181,7 +126,6 @@ interface(`virt_domtrans',` domtrans_pattern($1, virtd_exec_t, virtd_t) ') -<<<<<<< HEAD ######################################## ## ## Transition to virt_qmf. @@ -221,11 +165,6 @@ interface(`virt_domtrans_bridgehelper',` ####################################### ## ## Connect to virt over a unix domain stream socket. -======= -####################################### -## -## Connect to virt over an unix domain stream socket. ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## ## ## 
@@ -273,21 +212,13 @@ interface(`virt_attach_tun_iface',` # interface(`virt_read_config',` gen_require(` -<<<<<<< HEAD type virt_etc_t, virt_etc_rw_t; -======= - type virt_etc_t; - type virt_etc_rw_t; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') files_search_etc($1) read_files_pattern($1, virt_etc_t, virt_etc_t) read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) -<<<<<<< HEAD read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## @@ -302,21 +233,13 @@ interface(`virt_read_config',` # interface(`virt_manage_config',` gen_require(` -<<<<<<< HEAD type virt_etc_t, virt_etc_rw_t; -======= - type virt_etc_t; - type virt_etc_rw_t; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') files_search_etc($1) manage_files_pattern($1, virt_etc_t, virt_etc_t) manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) -<<<<<<< HEAD manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## @@ -356,7 +279,6 @@ interface(`virt_read_content',` ######################################## ## -<<<<<<< HEAD ## Allow domain to write virt image files ## ## @@ -375,8 +297,6 @@ interface(`virt_write_content',` ######################################## ## -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## Read virt PID files. ## ## @@ -396,7 +316,6 @@ interface(`virt_read_pid_files',` ######################################## ## -<<<<<<< HEAD ## Manage virt pid directories. ## ## @@ -419,8 +338,6 @@ interface(`virt_manage_pid_dirs',` ######################################## ## -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## Manage virt pid files. ## ## 
@@ -432,15 +349,11 @@ interface(`virt_manage_pid_dirs',` interface(`virt_manage_pid_files',` gen_require(` type virt_var_run_t; -<<<<<<< HEAD type virt_lxc_var_run_t; -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') files_search_pids($1) manage_files_pattern($1, virt_var_run_t, virt_var_run_t) -<<<<<<< HEAD manage_files_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t) ') @@ -472,8 +385,6 @@ interface(`virt_pid_filetrans',` ') filetrans_pattern($1, virt_var_run_t, $2, $3, $4) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## @@ -517,7 +428,6 @@ interface(`virt_read_lib_files',` ######################################## ## -<<<<<<< HEAD ## Dontaudit inherited read virt lib files. ## ## @@ -536,8 +446,6 @@ interface(`virt_dontaudit_read_lib_files',` ######################################## ## -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## Create, read, write, and delete ## virt lib files. ## @@ -582,15 +490,9 @@ interface(`virt_read_log',` ## virt log files. ## ## -<<<<<<< HEAD ## ## Domain allowed access. ## -======= -## -## Domain allowed access. -## ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## # interface(`virt_append_log',` @@ -624,7 +526,6 @@ interface(`virt_manage_log',` ######################################## ## -<<<<<<< HEAD ## Allow domain to search virt image direcories ## ## @@ -644,8 +545,6 @@ interface(`virt_search_images',` ######################################## ## -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## Allow domain to read virt image files ## ## 
@@ -666,10 +565,7 @@ interface(`virt_read_images',` read_files_pattern($1, virt_image_type, virt_image_type) read_lnk_files_pattern($1, virt_image_type, virt_image_type) read_blk_files_pattern($1, virt_image_type, virt_image_type) -<<<<<<< HEAD read_chr_files_pattern($1, virt_image_type, virt_image_type) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 tunable_policy(`virt_use_nfs',` fs_list_nfs($1) @@ -686,7 +582,6 @@ interface(`virt_read_images',` ######################################## ## -<<<<<<< HEAD ## Allow domain to read virt blk image files ## ## @@ -705,8 +600,6 @@ interface(`virt_read_blk_images',` ######################################## ## -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## Create, read, write, and delete ## svirt cache files. ## @@ -716,7 +609,6 @@ interface(`virt_read_blk_images',` ## ## # -<<<<<<< HEAD interface(`virt_manage_cache',` gen_require(` type virt_cache_t; @@ -726,17 +618,6 @@ interface(`virt_manage_cache',` manage_dirs_pattern($1, virt_cache_t, virt_cache_t) manage_files_pattern($1, virt_cache_t, virt_cache_t) manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) -======= -interface(`virt_manage_svirt_cache',` - gen_require(` - type svirt_cache_t; - ') - - files_search_var($1) - manage_dirs_pattern($1, svirt_cache_t, svirt_cache_t) - manage_files_pattern($1, svirt_cache_t, svirt_cache_t) - manage_lnk_files_pattern($1, svirt_cache_t, svirt_cache_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## @@ -761,10 +642,7 @@ interface(`virt_manage_images',` manage_files_pattern($1, virt_image_type, virt_image_type) read_lnk_files_pattern($1, virt_image_type, virt_image_type) rw_blk_files_pattern($1, virt_image_type, virt_image_type) -<<<<<<< HEAD rw_chr_files_pattern($1, virt_image_type, virt_image_type) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs($1) 
@@ -799,7 +677,6 @@ interface(`virt_manage_images',` interface(`virt_admin',` gen_require(` type virtd_t, virtd_initrc_exec_t; -<<<<<<< HEAD attribute virt_domain; type virt_lxc_t; ') @@ -813,12 +690,6 @@ interface(`virt_admin',` allow $1 virt_lxc_t:process signal_perms; ps_process_pattern($1, virt_lxc_t) -======= - ') - - allow $1 virtd_t:process { ptrace signal_perms }; - ps_process_pattern($1, virtd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 init_labeled_script_domtrans($1, virtd_initrc_exec_t) domain_system_change_exemption($1) @@ -830,7 +701,6 @@ interface(`virt_admin',` virt_manage_lib_files($1) virt_manage_log($1) -<<<<<<< HEAD virt_manage_images($1) @@ -1075,6 +945,4 @@ interface(`virt_filetrans_named_content',` ') files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') diff --git a/virt.te b/virt.te index aa0df64..6713ab0 100644 --- a/virt.te +++ b/virt.te @@ -1,92 +1,56 @@ -<<<<<<< HEAD -policy_module(virt, 1.4.0) -======= policy_module(virt, 1.4.2) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # # Declarations # -<<<<<<< HEAD attribute virsh_transition_domain; attribute virt_ptynode; ## -##
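Review bot: Every other `*_admin` interface resolved in this merge (vdagent_admin, vhostmd_admin) keeps `signal_perms` unconditional and gates `ptrace` behind `tunable_policy(`deny_ptrace',`',`...')`, but the kept side of the `@@ -813,12 +690,6` hunk in virt.if shows only `allow $1 virt_lxc_t:process signal_perms; ps_process_pattern($1, virt_lxc_t)` and the virtd_t rules lie outside the visible lines. Please confirm virt_admin follows the same deny_ptrace pattern for both virtd_t and virt_lxc_t, e.g. `tunable_policy(`deny_ptrace',`',` allow $1 virt_lxc_t:process ptrace; ')`, so that an administrator domain cannot ptrace the sandbox helper when the tunable is set. The interface body starts before this hunk.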

-## Allow confined virtual guests to use serial/parallel communication ports -##

-======= -## ##

-## Allow virt to use serial/parallell communication ports +## Allow confined virtual guests to use serial/parallel communication ports ##

->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ##
gen_tunable(virt_use_comm, false) ## -<<<<<<< HEAD -##

-## Allow confined virtual guests to use executable memory and executable stack -##

+##

+## Allow confined virtual guests to use executable memory and executable stack +##

##
gen_tunable(virt_use_execmem, false) ## -##

-## Allow confined virtual guests to read fuse files -##

-======= ##

-## Allow virt to read fuse files +## Allow confined virtual guests to read fuse files ##

->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ##
gen_tunable(virt_use_fusefs, false) ## -<<<<<<< HEAD -##

-## Allow confined virtual guests to manage nfs files -##

-======= ##

-## Allow virt to manage nfs files +## Allow confined virtual guests to manage nfs files ##

->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ##
gen_tunable(virt_use_nfs, false) ## -<<<<<<< HEAD -##

-## Allow confined virtual guests to manage cifs files -##

-======= ##

-## Allow virt to manage cifs files +## Allow confined virtual guests to manage cifs files ##

->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ##
gen_tunable(virt_use_samba, false) ## -<<<<<<< HEAD -##

-## Allow confined virtual guests to manage device configuration, (pci) -##

-======= ##

-## Allow virt to manage device configuration, (pci) +## Allow confined virtual guests to manage device configuration, (pci) ##

->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ##
gen_tunable(virt_use_sysfs, false) ## -<<<<<<< HEAD ##

## Allow confined virtual guests to interact with the sanlock ##

@@ -94,27 +58,21 @@ gen_tunable(virt_use_sysfs, false) gen_tunable(virt_use_sanlock, false) ## -##

-## Allow confined virtual guests to interact with the xserver -##

+##

+## Allow confined virtual guests to interact with the xserver +##

##
gen_tunable(virt_use_xserver, false) ## -##

-## Allow confined virtual guests to use usb devices -##

-======= ##

-## Allow virt to use usb devices +## Allow confined virtual guests to use usb devices ##

->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ##
gen_tunable(virt_use_usb, true) virt_domain_template(svirt) role system_r types svirt_t; -<<<<<<< HEAD typealias svirt_t alias qemu_t; virt_domain_template(svirt_prot_exec) @@ -128,14 +86,6 @@ type qemu_exec_t; type virt_cache_t alias svirt_cache_t; files_type(virt_cache_t) -======= - -type svirt_cache_t; -files_type(svirt_cache_t) - -attribute virt_domain; -attribute virt_image_type; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type virt_etc_t; files_config_file(virt_etc_t) @@ -143,7 +93,6 @@ files_config_file(virt_etc_t) type virt_etc_rw_t; files_type(virt_etc_rw_t) -<<<<<<< HEAD type virt_home_t; userdom_user_home_content(virt_home_t) @@ -154,41 +103,24 @@ userdom_user_home_content(svirt_home_t) type virt_image_t; # customizable virt_image(virt_image_t) files_mountpoint(virt_image_t) -======= -# virt Image files -type virt_image_t; # customizable -virt_image(virt_image_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # virt Image files type virt_content_t; # customizable virt_image(virt_content_t) userdom_user_home_content(virt_content_t) -<<<<<<< HEAD type virt_tmp_t; files_tmp_file(virt_tmp_t) type virt_log_t; logging_log_file(virt_log_t) mls_trusted_object(virt_log_t) -======= -type virt_log_t; -logging_log_file(virt_log_t) - -type virt_tmp_t; -files_tmp_file(virt_tmp_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type virt_var_run_t; files_pid_file(virt_var_run_t) type virt_var_lib_t; -<<<<<<< HEAD files_mountpoint(virt_var_lib_t) -======= -files_type(virt_var_lib_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type virtd_t; type virtd_exec_t; 
@@ -199,14 +131,11 @@ domain_subj_id_change_exemption(virtd_t) type virtd_initrc_exec_t; init_script_file(virtd_initrc_exec_t) -<<<<<<< HEAD type qemu_var_run_t; typealias qemu_var_run_t alias svirt_var_run_t; files_pid_file(qemu_var_run_t) mls_trusted_object(qemu_var_run_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') @@ -215,7 +144,6 @@ ifdef(`enable_mls',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) ') -<<<<<<< HEAD type virt_qmf_t; type virt_qmf_exec_t; init_daemon_domain(virt_qmf_t, virt_qmf_exec_t) @@ -245,8 +173,6 @@ typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t; type svirt_lxc_file_t; files_mountpoint(svirt_lxc_file_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # # svirt local policy @@ -254,22 +180,12 @@ files_mountpoint(svirt_lxc_file_t) allow svirt_t self:udp_socket create_socket_perms; -<<<<<<< HEAD -======= -manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t) -manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t) -files_var_filetrans(svirt_t, svirt_cache_t, { file dir }) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t) allow svirt_t svirt_image_t:dir search_dir_perms; manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t) manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t) -<<<<<<< HEAD manage_fifo_files_pattern(svirt_t, svirt_image_t, svirt_image_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file) list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) @@ -287,7 +203,6 @@ corenet_tcp_connect_all_ports(svirt_t) dev_list_sysfs(svirt_t) -<<<<<<< HEAD fs_getattr_xattr_fs(svirt_t) userdom_search_user_home_content(svirt_t) 
@@ -299,11 +214,6 @@ manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t) manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t) filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, { dir sock_file file }) stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) -======= -userdom_search_user_home_content(svirt_t) -userdom_read_user_home_content_symlinks(svirt_t) -userdom_read_all_users_state(svirt_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 tunable_policy(`virt_use_comm',` term_use_unallocated_ttys(svirt_t) @@ -318,21 +228,15 @@ tunable_policy(`virt_use_fusefs',` tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(svirt_t) fs_manage_nfs_files(svirt_t) -<<<<<<< HEAD fs_manage_nfs_named_sockets(svirt_t) fs_read_nfs_symlinks(svirt_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') tunable_policy(`virt_use_samba',` fs_manage_cifs_dirs(svirt_t) fs_manage_cifs_files(svirt_t) -<<<<<<< HEAD fs_manage_cifs_named_sockets(svirt_t) fs_read_cifs_symlinks(virtd_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') tunable_policy(`virt_use_sysfs',` @@ -341,16 +245,12 @@ tunable_policy(`virt_use_sysfs',` tunable_policy(`virt_use_usb',` dev_rw_usbfs(svirt_t) -<<<<<<< HEAD dev_read_sysfs(svirt_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 fs_manage_dos_dirs(svirt_t) fs_manage_dos_files(svirt_t) ') optional_policy(` -<<<<<<< HEAD tunable_policy(`virt_use_sanlock',` sanlock_stream_connect(svirt_t) ') @@ -367,8 +267,6 @@ optional_policy(` ') optional_policy(` -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 xen_rw_image_files(svirt_t) ') 
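Review bot: Inside `tunable_policy(`virt_use_samba',...)` in the svirt local policy, the kept line `fs_read_cifs_symlinks(virtd_t)` grants the daemon rather than the guest domain, while the parallel `virt_use_nfs` block just above uses `fs_read_nfs_symlinks(svirt_t)`. As written, a boolean documented as widening confined guests' access instead changes virtd_t's permissions, and svirt_t still cannot follow symlinks on CIFS shares, so any image path that traverses a symlink fails with an AVC even with the boolean on. This looks like a typo for `fs_read_cifs_symlinks(svirt_t)`.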
@@ -377,7 +275,6 @@ optional_policy(` # virtd local policy # -<<<<<<< HEAD allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice }; allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; ifdef(`hide_broken_symptoms',` @@ -396,25 +293,11 @@ allow virtd_t self:netlink_route_socket create_netlink_socket_perms; manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t) manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t) -======= -allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; -allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsched }; - -allow virtd_t self:fifo_file rw_fifo_file_perms; -allow virtd_t self:unix_stream_socket create_stream_socket_perms; -allow virtd_t self:tcp_socket create_stream_socket_perms; -allow virtd_t self:tun_socket create_socket_perms; -allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms; - -manage_dirs_pattern(virtd_t, svirt_cache_t, svirt_cache_t) -manage_files_pattern(virtd_t, svirt_cache_t, svirt_cache_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t) manage_files_pattern(virtd_t, virt_content_t, virt_content_t) allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill }; -<<<<<<< HEAD allow virt_domain virtd_t:fd use; dontaudit virt_domain virtd_t:unix_stream_socket { read write }; 
@@ -427,8 +310,6 @@ manage_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) manage_sock_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) stream_connect_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t, virt_domain) filetrans_pattern(virtd_t, virt_var_run_t, qemu_var_run_t, dir, "qemu") -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) @@ -439,7 +320,6 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) manage_files_pattern(virtd_t, virt_image_type, virt_image_type) -<<<<<<< HEAD manage_chr_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) 
@@ -447,28 +327,16 @@ allow virtd_t virt_image_type:file relabel_file_perms; allow virtd_t virt_image_type:blk_file relabel_blk_file_perms; allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; allow virtd_t virt_ptynode:chr_file rw_term_perms; -======= -manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) -allow virtd_t virt_image_type:file { relabelfrom relabelto }; -allow virtd_t virt_image_type:blk_file { relabelfrom relabelto }; - -manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) -manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -logging_log_filetrans(virtd_t, virt_log_t, { file dir }) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t) manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t) files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir }) can_exec(virtd_t, virt_tmp_t) -<<<<<<< HEAD manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) logging_log_filetrans(virtd_t, virt_log_t, { file dir }) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) @@ -479,7 +347,6 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) -<<<<<<< HEAD manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") 
@@ -489,11 +356,6 @@ kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) kernel_read_kernel_sysctls(virtd_t) -======= -kernel_read_system_state(virtd_t) -kernel_read_network_state(virtd_t) -kernel_rw_net_sysctls(virtd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) @@ -513,48 +375,32 @@ corenet_tcp_connect_soundd_port(virtd_t) corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) -<<<<<<< HEAD dev_read_urand(virtd_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 dev_read_rand(virtd_t) dev_rw_kvm(virtd_t) dev_getattr_all_chr_files(virtd_t) dev_rw_mtrr(virtd_t) -<<<<<<< HEAD dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # Init script handling domain_use_interactive_fds(virtd_t) domain_read_all_domains_state(virtd_t) -<<<<<<< HEAD domain_read_all_domains_state(virtd_t) files_read_usr_files(virtd_t) files_read_etc_files(virtd_t) files_read_usr_files(virtd_t) -======= - -files_read_usr_files(virtd_t) -files_read_etc_files(virtd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 files_read_etc_runtime_files(virtd_t) files_search_all(virtd_t) files_read_kernel_modules(virtd_t) files_read_usr_src_files(virtd_t) -<<<<<<< HEAD files_relabelto_system_conf_files(virtd_t) files_relabelfrom_system_conf_files(virtd_t) # Manages /etc/sysconfig/system-config-firewall files_manage_system_conf_files(virtd_t) -======= -files_manage_etc_files(virtd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) @@ -562,7 +408,6 @@ fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) -<<<<<<< HEAD fs_manage_hugetlbfs_dirs(virtd_t) fs_rw_hugetlbfs_files(virtd_t) 
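Review bot: The kept side of the -513 hunk calls `domain_read_all_domains_state(virtd_t)` twice in a row and `files_read_usr_files(virtd_t)` twice (once before and once after `files_read_etc_files(virtd_t)`), which reads as residue of the conflict rather than intent. Duplicate interface calls are harmless to the compiled policy but make later diffs noisy; dropping the second `domain_read_all_domains_state(virtd_t)` and the second `files_read_usr_files(virtd_t)` leaves the new side unchanged in effect. The virtd_t block continues outside the hunk.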
@@ -575,8 +420,6 @@ mls_net_write_within_range(virtd_t) mls_socket_write_to_clearance(virtd_t) mls_socket_read_to_clearance(virtd_t) mls_rangetrans_source(virtd_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 mcs_process_set_categories(virtd_t) @@ -591,11 +434,8 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) -<<<<<<< HEAD init_dbus_chat(virtd_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 miscfiles_read_localization(virtd_t) miscfiles_read_generic_certs(virtd_t) miscfiles_read_hwdata(virtd_t) @@ -605,7 +445,6 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) -<<<<<<< HEAD logging_send_audit_msgs(virtd_t) selinux_validate_context(virtd_t) @@ -620,20 +459,10 @@ sysnet_domtrans_ifconfig(virtd_t) sysnet_read_config(virtd_t) userdom_list_admin_dir(virtd_t) -======= - -seutil_read_config(virtd_t) -seutil_read_default_contexts(virtd_t) - -sysnet_domtrans_ifconfig(virtd_t) -sysnet_read_config(virtd_t) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 userdom_getattr_all_users(virtd_t) userdom_list_user_home_content(virtd_t) userdom_read_all_users_state(virtd_t) userdom_read_user_home_content_files(virtd_t) -<<<<<<< HEAD userdom_relabel_user_home_files(virtd_t) userdom_setattr_user_home_content_files(virtd_t) manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t) @@ -642,8 +471,6 @@ manage_sock_files_pattern(virtd_t, virt_home_t, virt_home_t) manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t) #userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file }) virt_filetrans_home_content(virtd_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) @@ -662,13 +489,10 @@ optional_policy(` ') optional_policy(` -<<<<<<< HEAD consoletype_exec(virtd_t) ') optional_policy(` -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 dbus_system_bus_client(virtd_t) optional_policy(` 
@@ -682,7 +506,6 @@ optional_policy(` optional_policy(` hal_dbus_chat(virtd_t) ') -<<<<<<< HEAD optional_policy(` networkmanager_dbus_chat(virtd_t) @@ -691,8 +514,6 @@ optional_policy(` optional_policy(` dmidecode_domtrans(virtd_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') optional_policy(` @@ -701,20 +522,14 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_read_pid_files(virtd_t) dnsmasq_signull(virtd_t) -<<<<<<< HEAD dnsmasq_create_pid_dirs(virtd_t) dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t); -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') optional_policy(` iptables_domtrans(virtd_t) iptables_initrc_domtrans(virtd_t) -<<<<<<< HEAD iptables_systemctl(virtd_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # Manages /etc/sysconfig/system-config-firewall iptables_manage_config(virtd_t) @@ -729,15 +544,12 @@ optional_policy(` ') optional_policy(` -<<<<<<< HEAD # Run mount in the mount_t domain. mount_domtrans(virtd_t) mount_signal(virtd_t) ') optional_policy(` -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 policykit_dbus_chat(virtd_t) policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) @@ -745,19 +557,11 @@ optional_policy(` ') optional_policy(` -<<<<<<< HEAD qemu_exec(virtd_t) ') optional_policy(` sanlock_stream_connect(virtd_t) -======= - qemu_domtrans(virtd_t) - qemu_read_state(virtd_t) - qemu_signal(virtd_t) - qemu_kill(virtd_t) - qemu_setsched(virtd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') optional_policy(` 
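Review bot: In the -745 hunk the resolution keeps `qemu_exec(virtd_t)` and discards the other branch's `qemu_domtrans(virtd_t)` together with its read_state/signal/kill/setsched companions, and nothing in the hunk or the commit message explains the choice. Presumably the `allow virtd_t virt_domain:process { ... transition ... }` rule earlier in this file is what libvirtd relies on to confine the guests it launches, but that is an inference from the visible lines. A short comment above the call, e.g. `# qemu is confined via the virt_domain transitions, not a qemu_t domtrans`, would make the intent reviewable. The optional_policy block at the end of the hunk continues outside it.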
@@ -787,20 +591,13 @@ optional_policy(` # virtual domains common policy # -<<<<<<< HEAD allow virt_domain self:process { signal getsched signull }; allow virt_domain self:fifo_file rw_fifo_file_perms; -======= -allow virt_domain self:capability { dac_read_search dac_override kill }; -allow virt_domain self:process { execmem execstack signal getsched signull }; -allow virt_domain self:fifo_file rw_file_perms; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow virt_domain self:shm create_shm_perms; allow virt_domain self:unix_stream_socket create_stream_socket_perms; allow virt_domain self:unix_dgram_socket { create_socket_perms sendto }; allow virt_domain self:tcp_socket create_stream_socket_perms; -<<<<<<< HEAD manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t) files_var_filetrans(virt_domain, virt_cache_t, { file dir }) @@ -816,19 +613,14 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; dontaudit virt_domain virt_tmpfs_type:file { read write }; -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 append_files_pattern(virt_domain, virt_log_t, virt_log_t) append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) kernel_read_system_state(virt_domain) -<<<<<<< HEAD fs_getattr_xattr_fs(virt_domain) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 corecmd_exec_bin(virt_domain) corecmd_exec_shell(virt_domain) 
@@ -839,19 +631,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain) corenet_tcp_sendrecv_all_ports(virt_domain) corenet_tcp_bind_generic_node(virt_domain) corenet_tcp_bind_vnc_port(virt_domain) -<<<<<<< HEAD corenet_tcp_bind_virt_migration_port(virt_domain) corenet_tcp_connect_virt_migration_port(virt_domain) corenet_rw_inherited_tun_tap_dev(virt_domain) dev_getattr_fs(virt_domain) dev_read_generic_symlinks(virt_domain) -======= -corenet_rw_tun_tap_dev(virt_domain) -corenet_tcp_bind_virt_migration_port(virt_domain) -corenet_tcp_connect_virt_migration_port(virt_domain) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) @@ -859,19 +644,12 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) -<<<<<<< HEAD dev_rw_inherited_vhost(virt_domain) domain_use_interactive_fds(virt_domain) -files_read_config_files(virt_domain) -files_read_mnt_symlinks(virt_domain) -======= - -domain_use_interactive_fds(virt_domain) - files_read_etc_files(virt_domain) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 +files_read_mnt_symlinks(virt_domain) files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) @@ -879,7 +657,6 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) -<<<<<<< HEAD fs_getattr_hugetlbfs(virt_domain) fs_rw_inherited_nfs_files(virt_domain) fs_rw_inherited_cifs_files(virt_domain) 
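Review bot: Beyond the marker cleanup, the -859 hunk replaces HEAD's `files_read_config_files(virt_domain)` with the other branch's `files_read_etc_files(virt_domain)` and re-adds `files_read_mnt_symlinks(virt_domain)` as a genuine `+` line, which — if I read the interface names correctly — narrows what guest domains may read from every config-attributed type down to etc_t, a real policy change rather than a neutral merge. The -839 hunk above makes a similar choice with `corenet_rw_inherited_tun_tap_dev(virt_domain)` over `corenet_rw_tun_tap_dev(virt_domain)`. Both are defensible for a guest domain, but a comment such as `# guests only need etc_t, not every config type` or a sentence in the commit message would record that the tightening is intended and not an accidental side of the conflict. The virt_domain block continues past the hunk.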
@@ -890,48 +667,32 @@ miscfiles_read_public_files(virt_domain) storage_raw_read_removable_device(virt_domain) term_use_all_inherited_terms(virt_domain) -======= - -term_use_all_terms(virt_domain) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 term_getattr_pty_fs(virt_domain) term_use_generic_ptys(virt_domain) term_use_ptmx(virt_domain) -<<<<<<< HEAD -======= -auth_use_nsswitch(virt_domain) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 logging_send_syslog_msg(virt_domain) miscfiles_read_localization(virt_domain) -<<<<<<< HEAD tunable_policy(`virt_use_execmem',` allow virt_domain self:process { execmem execstack }; ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 optional_policy(` ptchown_domtrans(virt_domain) ') optional_policy(` -<<<<<<< HEAD pulseaudio_dontaudit_exec(virt_domain) ') optional_policy(` -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 virt_read_config(virt_domain) virt_read_lib_files(virt_domain) virt_read_content(virt_domain) virt_stream_connect(virt_domain) ') -<<<<<<< HEAD ######################################## # @@ -1321,5 +1082,3 @@ corenet_rw_tun_tap_dev(virt_bridgehelper_t) files_read_etc_files(virt_bridgehelper_t) userdom_use_inherited_user_ptys(virt_bridgehelper_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/vlock.te b/vlock.te index f578148..9e5625e 100644 --- a/vlock.te +++ b/vlock.te @@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(vlock, 1.0.1) -======= policy_module(vlock, 1.1.0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -54,8 +50,4 @@ logging_send_syslog_msg(vlock_t) miscfiles_read_localization(vlock_t) userdom_dontaudit_search_user_home_dirs(vlock_t) -<<<<<<< HEAD userdom_use_inherited_user_terminals(vlock_t) -======= -userdom_use_user_terminals(vlock_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/vmware.te b/vmware.te index 72b647a..482db56 100644 --- a/vmware.te +++ b/vmware.te 
@@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(vmware, 2.3.1) -======= policy_module(vmware, 2.5.1) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -14,12 +10,7 @@ type vmware_t; type vmware_exec_t; typealias vmware_t alias { user_vmware_t staff_vmware_t sysadm_vmware_t }; typealias vmware_t alias { auditadm_vmware_t secadm_vmware_t }; -<<<<<<< HEAD -application_domain(vmware_t, vmware_exec_t) -ubac_constrained(vmware_t) -======= userdom_user_application_domain(vmware_t, vmware_exec_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type vmware_conf_t; typealias vmware_conf_t alias { user_vmware_conf_t staff_vmware_conf_t sysadm_vmware_conf_t }; @@ -40,12 +31,7 @@ type vmware_host_pid_t alias vmware_var_run_t; files_pid_file(vmware_host_pid_t) type vmware_host_tmp_t; -<<<<<<< HEAD -files_tmp_file(vmware_host_tmp_t) -ubac_constrained(vmware_host_tmp_t) -======= userdom_user_tmp_file(vmware_host_tmp_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type vmware_log_t; typealias vmware_log_t alias { user_vmware_log_t staff_vmware_log_t sysadm_vmware_log_t }; 
@@ -66,22 +52,12 @@ files_type(vmware_sys_conf_t) type vmware_tmp_t; typealias vmware_tmp_t alias { user_vmware_tmp_t staff_vmware_tmp_t sysadm_vmware_tmp_t }; typealias vmware_tmp_t alias { auditadm_vmware_tmp_t secadm_vmware_tmp_t }; -<<<<<<< HEAD -files_tmp_file(vmware_tmp_t) -ubac_constrained(vmware_tmp_t) -======= userdom_user_tmp_file(vmware_tmp_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type vmware_tmpfs_t; typealias vmware_tmpfs_t alias { user_vmware_tmpfs_t staff_vmware_tmpfs_t sysadm_vmware_tmpfs_t }; typealias vmware_tmpfs_t alias { auditadm_vmware_tmpfs_t secadm_vmware_tmpfs_t }; -<<<<<<< HEAD -files_tmpfs_file(vmware_tmpfs_t) -ubac_constrained(vmware_tmpfs_t) -======= userdom_user_tmpfs_file(vmware_tmpfs_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ifdef(`enable_mcs',` init_ranged_daemon_domain(vmware_host_t, vmware_host_exec_t, s0 - mcs_systemhigh) @@ -92,11 +68,7 @@ ifdef(`enable_mcs',` # VMWare host local policy # -<<<<<<< HEAD allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time kill dac_override }; -======= -allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 dontaudit vmware_host_t self:capability sys_tty_config; allow vmware_host_t self:process { execstack execmem signal_perms }; allow vmware_host_t self:fifo_file rw_fifo_file_perms; @@ -150,10 +122,7 @@ dev_getattr_all_blk_files(vmware_host_t) dev_read_sysfs(vmware_host_t) dev_read_urand(vmware_host_t) dev_rw_vmware(vmware_host_t) -<<<<<<< HEAD dev_rw_generic_chr_files(vmware_host_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 domain_use_interactive_fds(vmware_host_t) domain_dontaudit_read_all_domains_state(vmware_host_t) 
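Review bot: In the -150 hunk `dev_rw_generic_chr_files(vmware_host_t)` survives from HEAD with no comment, and judging by its name it grants read/write on every generic character device node, well beyond what `dev_rw_vmware(vmware_host_t)` two lines above already covers. If it exists to reach specific nodes that carry the generic label, a comment naming them — or a dedicated device type with its own file context — would stop the grant from being widened again at the next merge; if nobody remembers why, it is a candidate for removal after checking the denial logs. The vmware_host_t block continues outside the hunk.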
@@ -161,11 +130,7 @@ domain_dontaudit_read_all_domains_state(vmware_host_t) files_list_tmp(vmware_host_t) files_read_etc_files(vmware_host_t) files_read_etc_runtime_files(vmware_host_t) -<<<<<<< HEAD files_read_usr_files(vmware_host_t) -======= -files_read_usr_files(vmware_host_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 fs_getattr_all_fs(vmware_host_t) fs_search_auto_mountpoints(vmware_host_t) @@ -184,11 +149,7 @@ logging_send_syslog_msg(vmware_host_t) miscfiles_read_localization(vmware_host_t) sysnet_dns_name_resolve(vmware_host_t) -<<<<<<< HEAD -sysnet_domtrans_ifconfig(vmware_host_t) -======= sysnet_domtrans_ifconfig(vmware_host_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 userdom_dontaudit_use_unpriv_user_fds(vmware_host_t) userdom_dontaudit_search_user_home_dirs(vmware_host_t) @@ -197,7 +158,6 @@ netutils_domtrans_ping(vmware_host_t) optional_policy(` hostname_exec(vmware_host_t) -<<<<<<< HEAD ') optional_policy(` @@ -214,12 +174,6 @@ optional_policy(` optional_policy(` shutdown_domtrans(vmware_host_t) -======= -') - -optional_policy(` - modutils_domtrans_insmod(vmware_host_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') optional_policy(` @@ -330,11 +284,7 @@ libs_read_lib_files(vmware_t) miscfiles_read_localization(vmware_t) -<<<<<<< HEAD userdom_use_inherited_user_terminals(vmware_t) -======= -userdom_use_user_terminals(vmware_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 userdom_list_user_home_dirs(vmware_t) # cjp: why? userdom_read_user_home_content_files(vmware_t) diff --git a/vnstatd.fc b/vnstatd.fc index a1293ea..11533cc 100644 --- a/vnstatd.fc +++ b/vnstatd.fc @@ -1,7 +1,3 @@ -<<<<<<< HEAD - -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /usr/bin/vnstat -- gen_context(system_u:object_r:vnstat_exec_t,s0) /usr/sbin/vnstatd -- gen_context(system_u:object_r:vnstatd_exec_t,s0) diff --git a/vnstatd.if b/vnstatd.if index f7553ba..958de01 100644 --- a/vnstatd.if +++ b/vnstatd.if 
@@ -113,10 +113,6 @@ interface(`vnstatd_manage_lib_files',` manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) ') -<<<<<<< HEAD - -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## ## ## All of the rules required to administrate @@ -139,16 +135,11 @@ interface(`vnstatd_admin',` type vnstatd_t, vnstatd_var_lib_t; ') -<<<<<<< HEAD allow $1 vnstatd_t:process signal_perms; ps_process_pattern($1, vnstatd_t) tunable_policy(`deny_ptrace',`',` allow $1 vnstatd_t:process ptrace; ') -======= - allow $1 vnstatd_t:process { ptrace signal_perms }; - ps_process_pattern($1, vnstatd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 files_list_var_lib($1) admin_pattern($1, vnstatd_var_lib_t) diff --git a/vnstatd.te b/vnstatd.te index fbef4a9..275409f 100644 --- a/vnstatd.te +++ b/vnstatd.te @@ -28,7 +28,6 @@ allow vnstatd_t self:process signal; allow vnstatd_t self:fifo_file rw_fifo_file_perms; allow vnstatd_t self:unix_stream_socket create_stream_socket_perms; -<<<<<<< HEAD manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t) manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t) files_pid_filetrans(vnstatd_t, vnstatd_var_run_t, { dir file }) @@ -36,11 +35,6 @@ files_pid_filetrans(vnstatd_t, vnstatd_var_run_t, { dir file }) manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, dir) -======= -manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) -manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) -files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file }) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t) manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t) 
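Review bot: After the vnstatd.te -36 hunk the new side carries `manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)` and `manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)` twice — once inside the kept HEAD block of the -28 hunk just above (together with `files_pid_filetrans`) and again as the two trailing context lines here. The repeat is harmless to the compiled policy but is conflict residue; the two trailing lines can be deleted. Note also that the kept `files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, dir)` is narrower than the discarded `{ dir file }` form, which is fine if the daemon only ever creates its directory there, but worth confirming. The vnstatd_t block continues beyond the hunk.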
@@ -72,15 +66,9 @@ allow vnstat_t self:process signal; allow vnstat_t self:fifo_file rw_fifo_file_perms; allow vnstat_t self:unix_stream_socket create_stream_socket_perms; -<<<<<<< HEAD files_search_var_lib(vnstat_t) manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t) manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t) -======= -manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t) -manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t) -files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file }) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 kernel_read_network_state(vnstat_t) kernel_read_system_state(vnstat_t) diff --git a/vpn.if b/vpn.if index 7a08025..7b93e07 100644 --- a/vpn.if +++ b/vpn.if @@ -37,20 +37,11 @@ interface(`vpn_domtrans',` # interface(`vpn_run',` gen_require(` -<<<<<<< HEAD - type vpnc_t; - ') - - vpn_domtrans($1) - role $2 types vpnc_t; - sysnet_run_ifconfig(vpnc_t, $2) -======= attribute_role vpnc_roles; ') vpn_domtrans($1) roleattribute $2 vpnc_roles; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## diff --git a/vpn.te b/vpn.te index baa8a2b..99fd457 100644 --- a/vpn.te +++ b/vpn.te @@ -1,28 +1,18 @@ -<<<<<<< HEAD -policy_module(vpn, 1.14.0) -======= policy_module(vpn, 1.15.0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # # Declarations # -<<<<<<< HEAD -type vpnc_t; -type vpnc_exec_t; -init_system_domain(vpnc_t, vpnc_exec_t) -application_domain(vpnc_t, vpnc_exec_t) -======= attribute_role vpnc_roles; roleattribute system_r vpnc_roles; type vpnc_t; type vpnc_exec_t; +init_system_domain(vpnc_t, vpnc_exec_t) application_domain(vpnc_t, vpnc_exec_t) role vpnc_roles types vpnc_t; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type vpnc_tmp_t; files_tmp_file(vpnc_tmp_t) 
@@ -35,11 +25,7 @@ files_pid_file(vpnc_var_run_t) # Local policy # -<<<<<<< HEAD allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw setuid }; -======= -allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow vpnc_t self:process { getsched signal }; allow vpnc_t self:fifo_file rw_fifo_file_perms; allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms; @@ -95,13 +81,8 @@ domain_use_interactive_fds(vpnc_t) fs_getattr_xattr_fs(vpnc_t) fs_getattr_tmpfs(vpnc_t) -<<<<<<< HEAD term_use_all_inherited_ptys(vpnc_t) term_use_all_inherited_ttys(vpnc_t) -======= -term_use_all_ptys(vpnc_t) -term_use_all_ttys(vpnc_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 corecmd_exec_all_executables(vpnc_t) @@ -112,11 +93,8 @@ files_dontaudit_search_home(vpnc_t) auth_use_nsswitch(vpnc_t) -<<<<<<< HEAD init_dontaudit_use_fds(vpnc_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 libs_exec_ld_so(vpnc_t) libs_exec_lib_files(vpnc_t) @@ -130,20 +108,13 @@ miscfiles_read_localization(vpnc_t) seutil_dontaudit_search_config(vpnc_t) seutil_use_newrole_fds(vpnc_t) -<<<<<<< HEAD -======= sysnet_run_ifconfig(vpnc_t, vpnc_roles) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 sysnet_etc_filetrans_config(vpnc_t) sysnet_manage_config(vpnc_t) userdom_use_all_users_fds(vpnc_t) -<<<<<<< HEAD userdom_read_home_certs(vpnc_t) userdom_search_admin_dir(vpnc_t) -======= -userdom_dontaudit_search_user_home_content(vpnc_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 optional_policy(` dbus_system_bus_client(vpnc_t) diff --git a/w3c.te b/w3c.te index 6644466..f4c4c1b 100644 --- a/w3c.te +++ b/w3c.te 
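Review bot: The kept `allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw setuid };` adds `setuid` relative to the discarded line and nothing says why the VPN client needs it. Capability additions deserve a why-comment so the next merge neither silently drops nor blindly keeps them; something like `# setuid: <reason — TODO confirm>` above the rule would do. The rest of the -35 hunk is marker cleanup only, and the vpnc_t block continues outside it.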
@@ -7,24 +7,18 @@ policy_module(w3c, 1.0.0) apache_content_template(w3c_validator) -<<<<<<< HEAD type httpd_w3c_validator_tmp_t; files_tmp_file(httpd_w3c_validator_tmp_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # # Local policy # -<<<<<<< HEAD manage_dirs_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t) manage_files_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t) files_tmp_filetrans(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, { file dir }) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t) corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t) corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) @@ -35,8 +29,5 @@ corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t) miscfiles_read_generic_certs(httpd_w3c_validator_script_t) sysnet_dns_name_resolve(httpd_w3c_validator_script_t) -<<<<<<< HEAD apache_dontaudit_rw_tmp_files(httpd_w3c_validator_script_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/webadm.te b/webadm.te index 85dacff..e0f21c3 100644 --- a/webadm.te +++ b/webadm.te @@ -28,11 +28,7 @@ userdom_base_user_template(webadm) # webadmin local policy # -<<<<<<< HEAD allow webadm_t self:capability { dac_override dac_read_search kill sys_nice }; -======= -allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 files_dontaudit_search_all_dirs(webadm_t) files_manage_generic_locks(webadm_t) @@ -42,10 +38,6 @@ selinux_get_enforce_mode(webadm_t) seutil_domtrans_setfiles(webadm_t) logging_send_syslog_msg(webadm_t) -<<<<<<< HEAD -logging_send_audit_msgs(webadm_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 userdom_dontaudit_search_user_home_dirs(webadm_t) 
diff --git a/webalizer.fc b/webalizer.fc index 6b80bb1..2f40f21 100644 --- a/webalizer.fc +++ b/webalizer.fc @@ -2,10 +2,7 @@ # # /usr # -<<<<<<< HEAD -======= /usr/bin/awffull -- gen_context(system_u:object_r:webalizer_exec_t,s0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /usr/bin/webalizer -- gen_context(system_u:object_r:webalizer_exec_t,s0) # diff --git a/webalizer.te b/webalizer.te index aad9733..ecb9d3a 100644 --- a/webalizer.te +++ b/webalizer.te @@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(webalizer, 1.10.1) -======= policy_module(webalizer, 1.12.0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -79,18 +75,14 @@ files_read_etc_runtime_files(webalizer_t) logging_list_logs(webalizer_t) logging_send_syslog_msg(webalizer_t) -<<<<<<< HEAD auth_use_nsswitch(webalizer_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 miscfiles_read_localization(webalizer_t) miscfiles_read_public_files(webalizer_t) sysnet_dns_name_resolve(webalizer_t) sysnet_read_config(webalizer_t) -<<<<<<< HEAD userdom_use_inherited_user_terminals(webalizer_t) userdom_use_unpriv_users_fds(webalizer_t) userdom_dontaudit_search_user_home_content(webalizer_t) @@ -99,14 +91,6 @@ optional_policy(` apache_read_log(webalizer_t) apache_manage_sys_content(webalizer_t) ') -======= -userdom_use_user_terminals(webalizer_t) -userdom_use_unpriv_users_fds(webalizer_t) -userdom_dontaudit_search_user_home_content(webalizer_t) - -apache_read_log(webalizer_t) -apache_manage_sys_content(webalizer_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 optional_policy(` cron_system_entry(webalizer_t, webalizer_exec_t) @@ -117,8 +101,6 @@ optional_policy(` ') optional_policy(` -<<<<<<< HEAD -======= nis_use_ypbind(webalizer_t) ') @@ -127,6 +109,5 @@ optional_policy(` ') optional_policy(` ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 squid_read_log(webalizer_t) ') diff --git a/wine.fc b/wine.fc index 48eb9da..2666317 100644 --- a/wine.fc +++ b/wine.fc 
@@ -2,10 +2,7 @@ HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0) /opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) -<<<<<<< HEAD /opt/google/picasa(/.*)?/Picasa3/.*exe -- gen_context(system_u:object_r:wine_exec_t,s0) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /opt/google/picasa(/.*)?/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0) /opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0) /opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0) @@ -14,10 +11,7 @@ HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0) /opt/google/picasa(/.*)?/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0) /opt/google/picasa(/.*)?/bin/wdi -- gen_context(system_u:object_r:wine_exec_t,s0) /opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) -<<<<<<< HEAD /opt/teamviewer(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) diff --git a/wine.if b/wine.if index 9c668bb..00a98f1 100644 --- a/wine.if +++ b/wine.if @@ -29,22 +29,16 @@ # template(`wine_role',` gen_require(` -<<<<<<< HEAD type wine_t; type wine_home_t; -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type wine_exec_t; ') role $1 types wine_t; domain_auto_trans($2, wine_exec_t, wine_t) -<<<<<<< HEAD # Unrestricted inheritance from the caller. allow $2 wine_t:process { noatsecure siginh rlimitinh }; -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow wine_t $2:fd use; allow wine_t $2:process { sigchld signull }; allow wine_t $2:unix_stream_socket connectto; 
@@ -54,12 +48,7 @@ template(`wine_role',` allow $2 wine_t:process signal_perms; allow $2 wine_t:fd use; -<<<<<<< HEAD allow $2 wine_t:shm { associate getattr unix_read unix_write }; -======= - allow $2 wine_t:shm { associate getattr }; - allow $2 wine_t:shm { unix_read unix_write }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow $2 wine_t:unix_stream_socket connectto; # X access, Home files @@ -100,10 +89,7 @@ template(`wine_role',` # template(`wine_role_template',` gen_require(` -<<<<<<< HEAD type wine_t; -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type wine_exec_t; ') @@ -114,20 +100,12 @@ template(`wine_role_template',` role $2 types $1_wine_t; allow $1_wine_t self:process { execmem execstack }; -<<<<<<< HEAD allow $3 $1_wine_t:process { getattr noatsecure signal_perms }; -======= - allow $3 $1_wine_t:process { getattr ptrace noatsecure signal_perms }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 domtrans_pattern($3, wine_exec_t, $1_wine_t) corecmd_bin_domtrans($1_wine_t, $1_t) userdom_unpriv_usertype($1, $1_wine_t) -<<<<<<< HEAD userdom_manage_tmpfs_role($2, $1_wine_t) -======= - userdom_manage_user_tmpfs_files($1_wine_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 domain_mmap_low($1_wine_t) @@ -135,13 +113,10 @@ template(`wine_role_template',` dontaudit $1_wine_t self:memprotect mmap_zero; ') -<<<<<<< HEAD tunable_policy(`wine_mmap_zero_ignore',` dontaudit $1_wine_t self:memprotect mmap_zero; ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 optional_policy(` xserver_role($1_r, $1_wine_t) ') diff --git a/wine.te b/wine.te index 0df0cab..56fbcc2 100644 --- a/wine.te +++ b/wine.te @@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(wine, 1.8.1) -======= policy_module(wine, 1.10.0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # 
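Review bot: The kept `allow $3 $1_wine_t:process { getattr noatsecure signal_perms };` in the -114 hunk removes `ptrace` unconditionally, whereas the admin interfaces in this same merge (see vnstatd_admin in vnstatd.if) keep it behind `tunable_policy(`deny_ptrace',`',` ... ')`. If the user role is meant to keep ptrace on its own wine processes when deny_ptrace is off, the same tunable block belongs here; if the removal is intended to be unconditional, a comment saying so would avoid re-litigating it at the next merge. The template body extends beyond the hunk.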
@@ -18,21 +14,11 @@ gen_tunable(wine_mmap_zero_ignore, false) type wine_t; type wine_exec_t; -<<<<<<< HEAD -application_domain(wine_t, wine_exec_t) -ubac_constrained(wine_t) -role system_r types wine_t; - -type wine_tmp_t; -files_tmp_file(wine_tmp_t) -ubac_constrained(wine_tmp_t) -======= userdom_user_application_domain(wine_t, wine_exec_t) role system_r types wine_t; type wine_tmp_t; userdom_user_tmp_file(wine_tmp_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -52,11 +38,7 @@ domain_mmap_low(wine_t) files_execmod_all_files(wine_t) -<<<<<<< HEAD userdom_use_inherited_user_terminals(wine_t) -======= -userdom_use_user_terminals(wine_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 tunable_policy(`wine_mmap_zero_ignore',` dontaudit wine_t self:memprotect mmap_zero; @@ -71,13 +53,10 @@ optional_policy(` ') optional_policy(` -<<<<<<< HEAD rtkit_scheduled(wine_t) ') optional_policy(` -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 unconfined_domain(wine_t) ') diff --git a/wireshark.te b/wireshark.te index b5e4e23..01473bc 100644 --- a/wireshark.te +++ b/wireshark.te @@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(wireshark, 2.2.0) -======= policy_module(wireshark, 2.3.0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # 
@@ -13,71 +9,41 @@ type wireshark_t; type wireshark_exec_t; typealias wireshark_t alias { user_wireshark_t staff_wireshark_t sysadm_wireshark_t }; typealias wireshark_t alias { auditadm_wireshark_t secadm_wireshark_t }; -<<<<<<< HEAD -application_domain(wireshark_t, wireshark_exec_t) -ubac_constrained(wireshark_t) -======= userdom_user_application_domain(wireshark_t, wireshark_exec_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type wireshark_home_t; typealias wireshark_home_t alias { user_wireshark_home_t staff_wireshark_home_t sysadm_wireshark_home_t }; typealias wireshark_home_t alias { auditadm_wireshark_home_t secadm_wireshark_home_t }; -<<<<<<< HEAD -files_poly_member(wireshark_home_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 userdom_user_home_content(wireshark_home_t) type wireshark_tmp_t; typealias wireshark_tmp_t alias { user_wireshark_tmp_t staff_wireshark_tmp_t sysadm_wireshark_tmp_t }; typealias wireshark_tmp_t alias { auditadm_wireshark_tmp_t secadm_wireshark_tmp_t }; -<<<<<<< HEAD -files_tmp_file(wireshark_tmp_t) -ubac_constrained(wireshark_tmp_t) -======= userdom_user_tmp_file(wireshark_tmp_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type wireshark_tmpfs_t; typealias wireshark_tmpfs_t alias { user_wireshark_tmpfs_t staff_wireshark_tmpfs_t sysadm_wireshark_tmpfs_t }; typealias wireshark_tmpfs_t alias { auditadm_wireshark_tmpfs_t secadm_wireshark_tmpfs_t }; -<<<<<<< HEAD -files_tmpfs_file(wireshark_tmpfs_t) -ubac_constrained(wireshark_tmpfs_t) -======= userdom_user_tmpfs_file(wireshark_tmpfs_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ############################## # # Local Policy # -<<<<<<< HEAD allow wireshark_t self:capability { net_admin net_raw }; -======= -allow wireshark_t self:capability { net_admin net_raw setgid }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow wireshark_t self:process { signal getsched }; allow wireshark_t self:fifo_file { getattr read write }; allow wireshark_t self:shm 
destroy; allow wireshark_t self:shm create_shm_perms; allow wireshark_t self:netlink_route_socket { nlmsg_read create_socket_perms }; -<<<<<<< HEAD allow wireshark_t self:packet_socket { setopt bind ioctl getopt create read }; -======= -allow wireshark_t self:packet_socket { setopt bind ioctl getopt create read write }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow wireshark_t self:tcp_socket create_socket_perms; allow wireshark_t self:udp_socket create_socket_perms; # Re-execute itself (why?) can_exec(wireshark_t, wireshark_exec_t) -<<<<<<< HEAD corecmd_search_bin(wireshark_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # /home/.wireshark manage_dirs_pattern(wireshark_t, wireshark_home_t, wireshark_home_t) @@ -101,20 +67,13 @@ kernel_read_kernel_sysctls(wireshark_t) kernel_read_system_state(wireshark_t) kernel_read_sysctl(wireshark_t) -<<<<<<< HEAD -======= corecmd_exec_bin(wireshark_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 -corecmd_search_bin(wireshark_t) corenet_tcp_connect_generic_port(wireshark_t) corenet_tcp_sendrecv_generic_if(wireshark_t) -<<<<<<< HEAD -======= dev_read_rand(wireshark_t) dev_read_sysfs(wireshark_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 dev_read_urand(wireshark_t) files_read_etc_files(wireshark_t) @@ -125,11 +84,8 @@ fs_search_auto_mountpoints(wireshark_t) libs_read_lib_files(wireshark_t) -<<<<<<< HEAD auth_use_nsswitch(wireshark_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 miscfiles_read_fonts(wireshark_t) miscfiles_read_localization(wireshark_t) 
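Review bot: The resolution keeps the narrower `allow wireshark_t self:capability { net_admin net_raw };` and the `packet_socket` rule without `write`, dropping upstream's `setgid` and packet-socket `write`, but nothing in the file records that this is deliberate. From a least-privilege standpoint the smaller set is the right default, yet the next merge against upstream will hit the same conflict and may silently re-add them. A one-line comment above the capability rule, e.g. `# setgid and packet_socket write intentionally not granted; re-evaluate only on an observed AVC`, would pin the decision. Whether wireshark_t actually needs either permission cannot be judged from this hunk.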
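Review bot: `corecmd_search_bin(wireshark_t)` survives in the "Re-execute itself" block while the `@@ -101` hunk adds `corecmd_exec_bin(wireshark_t)` a few lines below; if `corecmd_exec_bin` in this tree still includes bin directory search, as it does in refpolicy, the first call is redundant and can be dropped. The two calls also sit in different sections of the file, which makes the duplication easy to miss. Keeping only `corecmd_exec_bin(wireshark_t)` next to the other corecmd/corenet calls would match the file's grouping.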
@@ -138,28 +94,8 @@ seutil_use_newrole_fds(wireshark_t) sysnet_read_config(wireshark_t) userdom_manage_user_home_content_files(wireshark_t) -<<<<<<< HEAD userdom_home_manager(wireshark_t) -======= -userdom_use_user_ptys(wireshark_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(wireshark_t) - fs_manage_nfs_files(wireshark_t) - fs_manage_nfs_symlinks(wireshark_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(wireshark_t) - fs_manage_cifs_files(wireshark_t) - fs_manage_cifs_symlinks(wireshark_t) -') - -optional_policy(` - nscd_socket_use(wireshark_t) -') ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # Manual transition from userhelper optional_policy(` diff --git a/wm.if b/wm.if index 700b51e..50c1a74 100644 --- a/wm.if +++ b/wm.if @@ -77,14 +77,11 @@ template(`wm_role_template',` miscfiles_read_fonts($1_wm_t) miscfiles_read_localization($1_wm_t) -<<<<<<< HEAD userdom_manage_home_role($2, $1_wm_t) userdom_manage_tmpfs_role($2, $1_wm_t) userdom_manage_tmp_role($2, $1_wm_t) userdom_exec_user_tmp_files($1_wm_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 optional_policy(` dbus_system_bus_client($1_wm_t) dbus_session_bus_client($1_wm_t) diff --git a/wm.te b/wm.te index cd25e0d..19d447e 100644 --- a/wm.te +++ b/wm.te @@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(wm, 1.1.1) -======= policy_module(wm, 1.2.0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # diff --git a/xen.fc b/xen.fc index 89712df..f22f770 100644 --- a/xen.fc +++ b/xen.fc 
@@ -1,19 +1,10 @@ /dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0) -<<<<<<< HEAD -======= -/usr/bin/virsh -- gen_context(system_u:object_r:xm_exec_t,s0) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /usr/sbin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0) /usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0) /usr/sbin/tapdisk -- gen_context(system_u:object_r:blktap_exec_t,s0) -<<<<<<< HEAD #/usr/lib/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0) -======= -/usr/lib/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ifdef(`distro_debian',` /usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) @@ -24,10 +15,7 @@ ifdef(`distro_debian',` /usr/sbin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) /usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0) /usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) -<<<<<<< HEAD /usr/sbin/xl -- gen_context(system_u:object_r:xm_exec_t,s0) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0) ') diff --git a/xen.if b/xen.if index 9dc6bec..138efd8 100644 --- a/xen.if +++ b/xen.if @@ -55,7 +55,6 @@ interface(`xen_dontaudit_use_fds',` dontaudit $1 xend_t:fd use; ') -<<<<<<< HEAD ####################################### ## ## Read xend pid files. @@ -76,8 +75,6 @@ interface(`xen_read_pid_files_xenstored',` read_files_pattern($1, xenstored_var_run_t, xenstored_var_run_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## ## ## Read xend image files. @@ -110,7 +107,6 @@ interface(`xen_read_image_files',` ## ## # -<<<<<<< HEAD interface(`xen_manage_image_dirs',` gen_require(` type xend_var_lib_t; 
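Review bot: `#/usr/lib/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0)` is kept commented out while `qemu_dm_exec_t` rules remain in xen.te (the `# qemu-dm local policy` section in this same commit), so the binary inherits a generic label and presumably runs in whatever domain execs it, most likely xend_t. The TODO in xen.te says that is the intent, but the fc file does not say so. Suggest replacing the bare commented line with `# qemu-dm is intentionally unlabelled so it stays in xend_t; see the qemu_dm TODO in xen.te` so the next merge does not resurrect it. Dropping the `/usr/bin/virsh` entry is fine only if virsh receives a label from another module; confirm that.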
@@ -131,8 +127,6 @@ interface(`xen_manage_image_dirs',` ## ## # -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 interface(`xen_rw_image_files',` gen_require(` type xen_image_t, xend_var_lib_t; @@ -207,11 +201,7 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',` ######################################## ## -<<<<<<< HEAD ## Connect to xenstored over a unix stream socket. -======= -## Connect to xenstored over an unix stream socket. ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## ## ## @@ -230,11 +220,7 @@ interface(`xen_stream_connect_xenstore',` ######################################## ## -<<<<<<< HEAD ## Connect to xend over a unix domain stream socket. -======= -## Connect to xend over an unix domain stream socket. ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## ## ## @@ -267,24 +253,15 @@ interface(`xen_stream_connect',` interface(`xen_domtrans_xm',` gen_require(` type xm_t, xm_exec_t; -<<<<<<< HEAD attribute virsh_transition_domain; ') typeattribute $1 virsh_transition_domain; -======= - ') - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 domtrans_pattern($1, xm_exec_t, xm_t) ') ######################################## ## -<<<<<<< HEAD ## Connect to xm over a unix stream socket. -======= -## Connect to xm over an unix stream socket. ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## ## ## @@ -294,11 +271,7 @@ interface(`xen_domtrans_xm',` # interface(`xen_stream_connect_xm',` gen_require(` -<<<<<<< HEAD type xm_t, xenstored_var_run_t; -======= - type xm_t; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') files_search_pids($1) diff --git a/xen.te b/xen.te index 91af925..1282d4c 100644 --- a/xen.te +++ b/xen.te @@ -1,17 +1,10 @@ -<<<<<<< HEAD -policy_module(xen, 1.10.1) -======= policy_module(xen, 1.11.1) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # # Declarations # -<<<<<<< HEAD attribute xm_transition_domain; -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## ##
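Review bot: `xen_domtrans_xm` now requires `attribute virsh_transition_domain;` and applies it to the caller, while the xen.te hunk in this same commit still declares `attribute xm_transition_domain;` with no visible user. If `virsh_transition_domain` is declared in another module (its name suggests the virt module), every caller of `xen_domtrans_xm` gains a hard dependency on that module unless it wraps the call in `optional_policy`; that is worth a sentence in the interface header. If `xm_transition_domain` is no longer referenced anywhere, it should be removed rather than carried forward from HEAD. Both points are inferred from the hunks, not from the rest of the files.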

@@ -73,10 +66,7 @@ type xen_image_t; # customizable files_type(xen_image_t) # xen_image_t can be assigned to blk devices dev_node(xen_image_t) -<<<<<<< HEAD virt_image(xen_image_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type xenctl_t; files_type(xenctl_t) @@ -133,14 +123,6 @@ init_daemon_domain(xenconsoled_t, xenconsoled_exec_t) type xenconsoled_var_run_t; files_pid_file(xenconsoled_var_run_t) -<<<<<<< HEAD -======= -type xm_t; -type xm_exec_t; -domain_type(xm_t) -init_system_domain(xm_t, xm_exec_t) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # # blktap local policy @@ -185,13 +167,10 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir }) # # qemu-dm local policy # -<<<<<<< HEAD # TODO: This part of policy should be removed # qemu-dm should run in xend_t domain -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # Do we need to allow execution of qemu-dm? tunable_policy(`xend_run_qemu',` allow qemu_dm_t self:capability sys_resource; @@ -230,7 +209,6 @@ tunable_policy(`xend_run_qemu',` # xend local policy # -<<<<<<< HEAD allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw }; allow xend_t self:process { signal sigkill }; @@ -238,12 +216,6 @@ allow xend_t self:process { signal sigkill }; allow xend_t self:capability sys_resource; allow xend_t self:process setrlimit; -======= -allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw }; -dontaudit xend_t self:capability { sys_ptrace }; -allow xend_t self:process { signal sigkill }; -dontaudit xend_t self:process ptrace; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # internal communication is often done using fifo and unix sockets. allow xend_t self:fifo_file rw_fifo_file_perms; allow xend_t self:unix_stream_socket create_stream_socket_perms; 
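Review bot: The `@@ -133` hunk drops upstream's `type xm_t; type xm_exec_t; domain_type(xm_t); init_system_domain(xm_t, xm_exec_t)` while xen.fc still labels `/usr/sbin/xl` and `/usr/sbin/xm` as `xm_exec_t` and `xen_domtrans_xm` still requires `type xm_t, xm_exec_t;`. The module only builds if those types are declared elsewhere on the HEAD side (an alias in another module, for instance); that declaration is not visible in this diff, so please confirm it exists. A short comment near the Declarations section, such as `# xm_t/xm_exec_t are declared outside this module`, would make the dependency explicit.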
@@ -331,10 +303,6 @@ dev_rw_sysfs(xend_t) dev_rw_xen(xend_t) domain_dontaudit_read_all_domains_state(xend_t) -<<<<<<< HEAD -======= -domain_dontaudit_ptrace_all_domains(xend_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 files_read_etc_files(xend_t) files_read_kernel_symbol_table(xend_t) @@ -355,19 +323,9 @@ locallogin_dontaudit_use_fds(xend_t) logging_send_syslog_msg(xend_t) -<<<<<<< HEAD miscfiles_read_localization(xend_t) miscfiles_read_hwdata(xend_t) -======= -lvm_domtrans(xend_t) - -miscfiles_read_localization(xend_t) -miscfiles_read_hwdata(xend_t) - -mount_domtrans(xend_t) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 sysnet_domtrans_dhcpc(xend_t) sysnet_signal_dhcpc(xend_t) sysnet_domtrans_ifconfig(xend_t) @@ -380,11 +338,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t) xen_stream_connect_xenstore(xend_t) -<<<<<<< HEAD -======= -netutils_domtrans(xend_t) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 optional_policy(` brctl_domtrans(xend_t) ') @@ -393,7 +346,6 @@ optional_policy(` consoletype_exec(xend_t) ') -<<<<<<< HEAD optional_policy(` lvm_domtrans(xend_t) ') @@ -411,8 +363,6 @@ optional_policy(` virt_read_config(xend_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # # Xen console local policy @@ -438,11 +388,6 @@ dev_rw_xen(xenconsoled_t) dev_filetrans_xen(xenconsoled_t) dev_rw_sysfs(xenconsoled_t) -<<<<<<< HEAD -======= -domain_dontaudit_ptrace_all_domains(xenconsoled_t) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 files_read_etc_files(xenconsoled_t) files_read_usr_files(xenconsoled_t) 
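Review bot: The HEAD side of the `@@ -355` hunk keeps only `miscfiles_read_localization(xend_t)` and `miscfiles_read_hwdata(xend_t)`, so upstream's `mount_domtrans(xend_t)` and, in the `@@ -380` hunk, `netutils_domtrans(xend_t)` disappear from xend_t; `lvm_domtrans(xend_t)` survives inside an `optional_policy` further down. If xend still execs mount or the netutils binaries, they will now run in xend_t (which the earlier hunk shows carries `sys_admin`) rather than in their own confined domains, which weakens rather than tightens the policy. If the transitions exist elsewhere on the HEAD side, or xend no longer calls those tools, a comment saying so would stop the next merge from re-raising it.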
@@ -480,16 +425,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir }) # pid file -<<<<<<< HEAD manage_dirs_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) manage_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) manage_sock_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file dir }) -======= -manage_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) -manage_sock_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) -files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file }) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # log files manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) @@ -516,17 +455,11 @@ files_read_etc_files(xenstored_t) files_read_usr_files(xenstored_t) -<<<<<<< HEAD fs_search_xenfs(xenstored_t) fs_manage_xenfs_files(xenstored_t) term_use_generic_ptys(xenstored_t) term_use_console(xenconsoled_t) -======= -fs_manage_xenfs_files(xenstored_t) - -term_use_generic_ptys(xenstored_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 init_use_fds(xenstored_t) init_use_script_ptys(xenstored_t) 
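Review bot: `term_use_console(xenconsoled_t)` sits in the xenstored local policy block, between `term_use_generic_ptys(xenstored_t)` and `init_use_fds(xenstored_t)`; every other rule in this stretch is for xenstored_t. Move it to the "Xen console local policy" section with the other xenconsoled_t rules, or, if it was meant for xenstored, change it to `term_use_console(xenstored_t)`. The rest of the xenstored section is outside this hunk.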
@@ -539,102 +472,9 @@ xen_append_log(xenstored_t) ######################################## # -<<<<<<< HEAD # SSH component local policy # optional_policy(` -======= -# xm local policy -# - -allow xm_t self:capability { dac_override ipc_lock sys_tty_config }; -allow xm_t self:process { getsched signal }; - -# internal communication is often done using fifo and unix sockets. -allow xm_t self:fifo_file rw_fifo_file_perms; -allow xm_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow xm_t self:tcp_socket create_stream_socket_perms; - -manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) -manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) -manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) -files_search_var_lib(xm_t) - -allow xm_t xen_image_t:dir rw_dir_perms; -allow xm_t xen_image_t:file read_file_perms; -allow xm_t xen_image_t:blk_file read_blk_file_perms; - -kernel_read_system_state(xm_t) -kernel_read_kernel_sysctls(xm_t) -kernel_read_sysctl(xm_t) -kernel_read_xen_state(xm_t) -kernel_write_xen_state(xm_t) - -corecmd_exec_bin(xm_t) -corecmd_exec_shell(xm_t) - -corenet_tcp_sendrecv_generic_if(xm_t) -corenet_tcp_sendrecv_generic_node(xm_t) -corenet_tcp_connect_soundd_port(xm_t) - -dev_read_urand(xm_t) -dev_read_sysfs(xm_t) - -files_read_etc_runtime_files(xm_t) -files_read_usr_files(xm_t) -files_list_mnt(xm_t) -# Some common macros (you might be able to remove some) -files_read_etc_files(xm_t) - -fs_getattr_all_fs(xm_t) -fs_manage_xenfs_dirs(xm_t) -fs_manage_xenfs_files(xm_t) - -term_use_all_terms(xm_t) - -init_stream_connect_script(xm_t) -init_rw_script_stream_sockets(xm_t) -init_use_fds(xm_t) - -miscfiles_read_localization(xm_t) - -sysnet_dns_name_resolve(xm_t) - -xen_append_log(xm_t) -xen_stream_connect(xm_t) -xen_stream_connect_xenstore(xm_t) - -optional_policy(` - dbus_system_bus_client(xm_t) - - optional_policy(` - hal_dbus_chat(xm_t) - ') -') - -optional_policy(` - virt_domtrans(xm_t) - 
virt_manage_images(xm_t) - virt_manage_config(xm_t) - virt_stream_connect(xm_t) -') - -######################################## -# -# SSH component local policy -# -optional_policy(` - ssh_basic_client_template(xm, xm_t, system_r) - - kernel_read_xen_state(xm_ssh_t) - kernel_write_xen_state(xm_ssh_t) - - files_search_tmp(xm_ssh_t) - - fs_manage_xenfs_dirs(xm_ssh_t) - fs_manage_xenfs_files(xm_ssh_t) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 #Should have a boolean wrapping these fs_list_auto_mountpoints(xend_t) files_search_mnt(xend_t) @@ -647,11 +487,4 @@ optional_policy(` fs_manage_nfs_files(xend_t) fs_read_nfs_symlinks(xend_t) ') -<<<<<<< HEAD -======= - - optional_policy(` - unconfined_domain(xend_t) - ') ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') diff --git a/xfs.if b/xfs.if index 9ad5225..aa6e5a8 100644 --- a/xfs.if +++ b/xfs.if @@ -1,8 +1,4 @@ -<<<<<<< HEAD -##
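Review bot: The section header kept from HEAD reads `# SSH component local policy`, but the `optional_policy` block that follows now contains only xend_t filesystem rules (`fs_list_auto_mountpoints(xend_t)`, `files_search_mnt(xend_t)`, the NFS rules in the `@@ -647` hunk) and no ssh interface call, so the header is misleading once the xm/SSH rules are removed. Rename it to something like `# xend access to removable and network media`, and since the `#Should have a boolean wrapping these` note is still there, consider adding that `tunable_policy` gate now. The lines between this hunk and the `@@ -647` hunk are not visible, so if an ssh call survives there the header can stay. Dropping upstream's nested `unconfined_domain(xend_t)` keeps xend confined, which is the better outcome.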

X Windows Font Server -======= ## X Windows Font Server ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## ## diff --git a/xguest.if b/xguest.if index e98d60b..d2234e3 100644 --- a/xguest.if +++ b/xguest.if @@ -1,8 +1,4 @@ -<<<<<<< HEAD -## Least privileged X user -======= ## Least privledge xwindows user role ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## ## diff --git a/xguest.te b/xguest.te index 0310424..e16a6c5 100644 --- a/xguest.te +++ b/xguest.te @@ -14,22 +14,14 @@ gen_tunable(xguest_mount_media, true) ## ##

-<<<<<<< HEAD ## Allow xguest users to configure Network Manager and connect to apache ports -======= -## Allow xguest to configure Network Manager ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ##

##
gen_tunable(xguest_connect_network, true) ## ##

-<<<<<<< HEAD -## Allow xguest users to use blue tooth devices -======= ## Allow xguest to use blue tooth devices ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ##

##
gen_tunable(xguest_use_bluetooth, true) @@ -37,19 +29,13 @@ gen_tunable(xguest_use_bluetooth, true) role xguest_r; userdom_restricted_xwindows_user_template(xguest) -<<<<<<< HEAD sysnet_dns_name_resolve(xguest_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # # Local policy # -<<<<<<< HEAD -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ifndef(`enable_mls',` fs_exec_noxattr(xguest_t) @@ -64,7 +50,6 @@ ifndef(`enable_mls',` ') ') -<<<<<<< HEAD optional_policy(` # Dontaudit fusermount mount_dontaudit_exec_fusermount(xguest_t) @@ -76,17 +61,11 @@ tunable_policy(`allow_execstack',` allow xguest_t self:process execstack; ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # Allow mounting of file systems optional_policy(` tunable_policy(`xguest_mount_media',` kernel_read_fs_sysctls(xguest_t) -<<<<<<< HEAD kernel_request_load_module(xguest_t) -======= - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 files_dontaudit_getattr_boot_dirs(xguest_t) files_search_mnt(xguest_t) @@ -95,7 +74,6 @@ optional_policy(` fs_manage_noxattr_fs_dirs(xguest_t) fs_getattr_noxattr_fs(xguest_t) fs_read_noxattr_fs_symlinks(xguest_t) -<<<<<<< HEAD fs_mount_fusefs(xguest_t) auth_list_pam_console_data(xguest_t) @@ -105,18 +83,11 @@ optional_policy(` optional_policy(` tunable_policy(`xguest_use_bluetooth',` bluetooth_dbus_chat(xguest_t) -======= - - auth_list_pam_console_data(xguest_t) - - init_read_utmp(xguest_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ') optional_policy(` tunable_policy(`xguest_use_bluetooth',` -<<<<<<< HEAD blueman_dbus_chat(xguest_t) ') ') @@ -126,18 +97,11 @@ optional_policy(` chrome_role(xguest_r, xguest_t) ') -======= - bluetooth_dbus_chat(xguest_t) - ') -') - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 optional_policy(` hal_dbus_chat(xguest_t) ') optional_policy(` -<<<<<<< HEAD apache_role(xguest_r, xguest_t) ') 
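Review bot: In the `@@ -37` hunk, `sysnet_dns_name_resolve(xguest_t)` is placed directly under `userdom_restricted_xwindows_user_template(xguest)` in the Declarations section, ahead of the `# Local policy` header, while the other xguest_t access rules live below it. Moving the line under the Local policy header keeps the file's declaration/policy split intact. Alternatively, if name resolution is meant to be gated, it could go inside the `xguest_connect_network` tunable block, which lies outside this hunk.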
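Review bot: In the `@@ -76` hunk, `kernel_request_load_module(xguest_t)` is kept inside the `xguest_mount_media` tunable without a comment; it lets the least-privileged guest domain trigger kernel module autoloading, which is a notable grant for this role. A why-comment such as `# mounting removable media can autoload filesystem modules` would document the need, assuming that is the reason. The `gen_tunable(xguest_mount_media, true)` context line shows the gate defaults to on, so the grant is effectively unconditional on a default install.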
@@ -160,18 +124,10 @@ optional_policy(` optional_policy(` rhsmcertd_dontaudit_dbus_chat(xguest_t) -======= - java_role(xguest_r, xguest_t) -') - -optional_policy(` - mozilla_role(xguest_r, xguest_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') optional_policy(` tunable_policy(`xguest_connect_network',` -<<<<<<< HEAD kernel_read_network_state(xguest_t) networkmanager_dbus_chat(xguest_t) @@ -225,12 +181,3 @@ optional_policy(` ') gen_user(xguest_u, user, xguest_r, s0, s0) -======= - networkmanager_dbus_chat(xguest_t) - corenet_tcp_connect_pulseaudio_port(xguest_t) - corenet_tcp_connect_ipp_port(xguest_t) - ') -') - -#gen_user(xguest_u,, xguest_r, s0, s0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/xscreensaver.te b/xscreensaver.te index d9017b4..f6b4217 100644 --- a/xscreensaver.te +++ b/xscreensaver.te @@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(xscreensaver, 1.0.0) -======= policy_module(xscreensaver, 1.1.0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -11,19 +7,10 @@ policy_module(xscreensaver, 1.1.0) type xscreensaver_t; type xscreensaver_exec_t; -<<<<<<< HEAD -application_domain(xscreensaver_t, xscreensaver_exec_t) -ubac_constrained(xscreensaver_t) - -type xscreensaver_tmpfs_t; -files_tmpfs_file(xscreensaver_tmpfs_t) -ubac_constrained(xscreensaver_tmpfs_t) -======= userdom_user_application_domain(xscreensaver_t, xscreensaver_exec_t) type xscreensaver_tmpfs_t; userdom_user_tmpfs_file(xscreensaver_tmpfs_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -48,11 +35,7 @@ logging_send_syslog_msg(xscreensaver_t) miscfiles_read_localization(xscreensaver_t) -<<<<<<< HEAD userdom_use_inherited_user_ptys(xscreensaver_t) -======= -userdom_use_user_ptys(xscreensaver_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 #access to .icons and ~/.xscreensaver userdom_read_user_home_content_files(xscreensaver_t) 
diff --git a/yam.te b/yam.te index 2d22c78..26e5b2c 100644 --- a/yam.te +++ b/yam.te @@ -83,11 +83,8 @@ fs_search_auto_mountpoints(yam_t) # Content can also be on ISO image files. fs_read_iso9660_files(yam_t) -<<<<<<< HEAD auth_use_nsswitch(yam_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 logging_send_syslog_msg(yam_t) miscfiles_read_localization(yam_t) @@ -97,11 +94,7 @@ seutil_read_config(yam_t) sysnet_dns_name_resolve(yam_t) sysnet_read_config(yam_t) -<<<<<<< HEAD userdom_use_inherited_user_terminals(yam_t) -======= -userdom_use_user_terminals(yam_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 userdom_use_unpriv_users_fds(yam_t) # Reading dotfiles... # cjp: ? @@ -121,8 +114,6 @@ optional_policy(` ') optional_policy(` -<<<<<<< HEAD -======= nis_use_ypbind(yam_t) ') @@ -131,6 +122,5 @@ optional_policy(` ') optional_policy(` ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 rsync_exec(yam_t) ') diff --git a/zabbix.fc b/zabbix.fc index 8dc9459..980c0df 100644 --- a/zabbix.fc +++ b/zabbix.fc 
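Review bot: `auth_use_nsswitch(yam_t)` is kept, yet the `@@ -97` hunk still shows `sysnet_dns_name_resolve(yam_t)` as context and the `@@ -121` hunk keeps `nis_use_ypbind(yam_t)` in its own `optional_policy`; in refpolicy `auth_use_nsswitch` already pulls in both, so if that holds in this tree the two calls are redundant. Dropping `sysnet_dns_name_resolve(yam_t)` and the `nis_use_ypbind` block would leave a single source of truth for name-service access. Confirm against the local `auth_use_nsswitch` definition before removing.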
@@ -1,17 +1,12 @@ /etc/rc\.d/init\.d/zabbix -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0) -<<<<<<< HEAD /etc/rc\.d/init\.d/zabbix-server -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0) - -/usr/sbin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) -/usr/sbin/zabbix_server_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0) -/usr/sbin/zabbix_server_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0) -/usr/sbin/zabbix_server_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0) -======= -/etc/rc\.d/init\.d/zabbix-agentd -- gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0) +/etc/rc\.d/init\.d/zabbix-agentd -- gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0) /usr/(s)?bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) /usr/(s)?bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 +/usr/sbin/zabbix_server_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0) +/usr/sbin/zabbix_server_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0) +/usr/sbin/zabbix_server_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0) /var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0) diff --git a/zabbix.if b/zabbix.if index 669dfda..38ce620 100644 --- a/zabbix.if +++ b/zabbix.if @@ -5,15 +5,9 @@ ## Execute a domain transition to run zabbix. ##
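Review bot: The three added lines use `/usr/sbin/zabbix_server_mysql`, `_pgsql` and `_sqlite3`, while the entry just above them, `/usr/(s)?bin/zabbix_server`, uses the `(s)?bin` form; the merge should settle on one convention. A single pattern `/usr/(s)?bin/zabbix_server(_mysql|_pgsql|_sqlite3)? -- gen_context(system_u:object_r:zabbix_exec_t,s0)` covers all four binaries in both directories and replaces four lines.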
## -<<<<<<< HEAD -## -## Domain allowed to transition. -## -======= ## ## Domain allowed to transition. ## ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## # interface(`zabbix_domtrans',` @@ -67,7 +61,6 @@ interface(`zabbix_read_log',` ######################################## ## -<<<<<<< HEAD ## Allow the specified domain to read zabbix's tmp files. ## ## @@ -88,21 +81,13 @@ interface(`zabbix_read_tmp',` ######################################## ## -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## Allow the specified domain to append ## zabbix log files. ## ## -<<<<<<< HEAD -## -## Domain allowed access. -## -======= ## ## Domain allowed access. ## ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## # interface(`zabbix_append_log',` @@ -145,11 +130,7 @@ interface(`zabbix_read_pid_files',` # interface(`zabbix_agent_tcp_connect',` gen_require(` -<<<<<<< HEAD type zabbix_t, zabbix_agent_t; -======= - type zabbix_agent_t; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') corenet_sendrecv_zabbix_agent_client_packets($1) @@ -181,16 +162,11 @@ interface(`zabbix_admin',` type zabbix_initrc_exec_t; ') -<<<<<<< HEAD allow $1 zabbix_t:process signal_perms; ps_process_pattern($1, zabbix_t) tunable_policy(`deny_ptrace',`',` allow $1 zabbix_t:process ptrace; ') -======= - allow $1 zabbix_t:process { ptrace signal_perms }; - ps_process_pattern($1, zabbix_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 init_labeled_script_domtrans($1, zabbix_initrc_exec_t) domain_system_change_exemption($1) diff --git a/zabbix.te b/zabbix.te index 4e1f3d4..e5191a2 100644 --- a/zabbix.te +++ b/zabbix.te @@ -1,15 +1,10 @@ -<<<<<<< HEAD -policy_module(zabbix, 1.3.1) -======= policy_module(zabbix, 1.5.0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # # Declarations # -<<<<<<< HEAD ## ##
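Review bot: In the `@@ -145` hunk, `zabbix_agent_tcp_connect` now requires `type zabbix_t, zabbix_agent_t;`, but the only body line visible, `corenet_sendrecv_zabbix_agent_client_packets($1)`, uses neither; if the remainder of the body (outside the hunk) does not reference `zabbix_t`, the extra require is dead and should be trimmed back to `type zabbix_agent_t;`. Unused requires are harmless to the compiler but mislead readers about the interface's dependencies.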

## Allow zabbix to connect to unreserved ports @@ -17,8 +12,6 @@ policy_module(zabbix, 1.5.0) ## gen_tunable(zabbix_can_network, false) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type zabbix_t; type zabbix_exec_t; init_daemon_domain(zabbix_t, zabbix_exec_t) @@ -37,13 +30,10 @@ init_script_file(zabbix_agent_initrc_exec_t) type zabbix_log_t; logging_log_file(zabbix_log_t) -<<<<<<< HEAD # tmp files type zabbix_tmp_t; files_tmp_file(zabbix_tmp_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # shared memory type zabbix_tmpfs_t; files_tmpfs_file(zabbix_tmpfs_t) @@ -57,23 +47,16 @@ files_pid_file(zabbix_var_run_t) # zabbix local policy # -<<<<<<< HEAD allow zabbix_t self:capability { dac_read_search dac_override setuid setgid }; allow zabbix_t self:process setsched; allow zabbix_t self:sem create_sem_perms; allow zabbix_t self:fifo_file rw_fifo_file_perms; -======= -allow zabbix_t self:capability { setuid setgid }; -allow zabbix_t self:fifo_file rw_file_perms; -allow zabbix_t self:process { setsched getsched signal }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow zabbix_t self:unix_stream_socket create_stream_socket_perms; allow zabbix_t self:sem create_sem_perms; allow zabbix_t self:shm create_shm_perms; allow zabbix_t self:tcp_socket create_stream_socket_perms; # log files -<<<<<<< HEAD allow zabbix_t zabbix_log_t:dir setattr_dir_perms; manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) logging_log_filetrans(zabbix_t, zabbix_log_t, file) 
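Review bot: `allow zabbix_t self:sem create_sem_perms;` appears twice on the new side of the `@@ -57` hunk, once in the block kept from HEAD and again three lines later as context, so one of them should go. The same block also drops upstream's `getsched signal` from `allow zabbix_t self:process ...`, keeping only `setsched`; if zabbix_server forks workers in the same domain it will need `signal` on self:process, so confirm before relying on this merge. Given `dac_override` and `dac_read_search` are granted here, a comment stating which files need them would help the next reviewer.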
@@ -83,12 +66,6 @@ manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t) manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t) files_tmp_filetrans(zabbix_t, zabbix_tmp_t, { dir file }) -======= -allow zabbix_t zabbix_log_t:dir setattr; -manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) -logging_log_filetrans(zabbix_t, zabbix_log_t, file) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # shared memory rw_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t) fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, file) @@ -98,7 +75,6 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file }) -<<<<<<< HEAD kernel_read_system_state(zabbix_t) kernel_read_kernel_sysctls(zabbix_t) @@ -133,29 +109,12 @@ optional_policy(` optional_policy(` netutils_domtrans_ping(zabbix_t) -======= -corenet_tcp_bind_generic_node(zabbix_t) -corenet_tcp_bind_zabbix_port(zabbix_t) - -files_read_etc_files(zabbix_t) - -miscfiles_read_localization(zabbix_t) - -sysnet_dns_name_resolve(zabbix_t) - -zabbix_agent_tcp_connect(zabbix_t) - -optional_policy(` - mysql_stream_connect(zabbix_t) - mysql_tcp_connect(zabbix_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') optional_policy(` postgresql_stream_connect(zabbix_t) ') -<<<<<<< HEAD optional_policy(` snmp_read_snmp_var_lib_dirs(zabbix_t) ') @@ -164,8 +123,6 @@ optional_policy(` sysnet_dns_name_resolve(zabbix_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # # zabbix agent local policy @@ -223,7 +180,3 @@ sysnet_dns_name_resolve(zabbix_agent_t) # Network access to zabbix server zabbix_tcp_connect(zabbix_agent_t) -<<<<<<< HEAD - -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/zarafa.fc b/zarafa.fc index cbc1593..7436a1c 100644 --- a/zarafa.fc +++ b/zarafa.fc 
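Review bot: The `@@ -133` hunk removes upstream's `corenet_tcp_bind_zabbix_port(zabbix_t)`, `corenet_tcp_bind_generic_node(zabbix_t)`, `zabbix_agent_tcp_connect(zabbix_t)` and the mysql `optional_policy` block, and only `netutils_domtrans_ping`, `postgresql_stream_connect` and `snmp_read_snmp_var_lib_dirs` remain visible on the HEAD side. Unless equivalents exist in the part of the zabbix_t policy outside the hunk, the server can no longer bind its own port or reach MySQL, which would be a regression rather than a tightening. Separately, wrapping `sysnet_dns_name_resolve(zabbix_t)` in `optional_policy` (the `@@ -164` hunk) is unusual since sysnetwork is typically a base module; a plain call would do.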
@@ -8,15 +8,10 @@ /usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0) /usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0) -<<<<<<< HEAD /var/lib/zarafa(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0) /var/lib/zarafa-webaccess(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0) /var/log/zarafa/dagent\.log -- gen_context(system_u:object_r:zarafa_deliver_log_t,s0) -======= -/var/lib/zarafa-.* gen_context(system_u:object_r:zarafa_var_lib_t,s0) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /var/log/zarafa/gateway\.log -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0) /var/log/zarafa/ical\.log -- gen_context(system_u:object_r:zarafa_ical_log_t,s0) /var/log/zarafa/indexer\.log -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0) 
@@ -25,17 +20,11 @@ /var/log/zarafa/spooler\.log -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0) /var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0) -<<<<<<< HEAD /var/run/zarafa-dagent\.pid -- gen_context(system_u:object_r:zarafa_deliver_var_run_t,s0) /var/run/zarafa-gateway\.pid -- gen_context(system_u:object_r:zarafa_gateway_var_run_t,s0) /var/run/zarafa-ical\.pid -- gen_context(system_u:object_r:zarafa_ical_var_run_t,s0) /var/run/zarafa-indexer -s gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0) /var/run/zarafa-indexer\.pid -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0) -======= -/var/run/zarafa-gateway\.pid -- gen_context(system_u:object_r:zarafa_gateway_var_run_t,s0) -/var/run/zarafa-ical\.pid -- gen_context(system_u:object_r:zarafa_ical_var_run_t,s0) -/var/run/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0) /var/run/zarafa-server\.pid -- gen_context(system_u:object_r:zarafa_server_var_run_t,s0) /var/run/zarafa-spooler\.pid -- gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0) diff --git a/zarafa.if b/zarafa.if index 76e9eca..cb3a098 100644 --- a/zarafa.if +++ b/zarafa.if @@ -42,11 +42,8 @@ template(`zarafa_domain_template',` manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t) logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, { file }) -<<<<<<< HEAD auth_use_nsswitch(zarafa_$1_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ###################################### @@ -123,7 +120,6 @@ interface(`zarafa_stream_connect_server',` files_search_var_lib($1) stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t) ') -<<<<<<< HEAD #################################### ##

@@ -146,5 +142,3 @@ interface(`zarafa_manage_lib_files',` manage_lnk_files_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/zarafa.te b/zarafa.te index 9e18f70..bd73b2a 100644 --- a/zarafa.te +++ b/zarafa.te @@ -18,13 +18,10 @@ files_config_file(zarafa_etc_t) zarafa_domain_template(gateway) zarafa_domain_template(ical) zarafa_domain_template(indexer) -<<<<<<< HEAD type zarafa_indexer_tmp_t; files_tmp_file(zarafa_indexer_tmp_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 zarafa_domain_template(monitor) zarafa_domain_template(server) @@ -64,7 +61,6 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t) corenet_tcp_bind_generic_node(zarafa_gateway_t) corenet_tcp_bind_pop_port(zarafa_gateway_t) -<<<<<<< HEAD ###################################### # # zarafa-indexer local policy @@ -80,8 +76,6 @@ manage_dirs_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t) manage_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t) manage_lnk_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ####################################### # # zarafa-ical local policy @@ -118,12 +112,8 @@ files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir }) manage_dirs_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t) manage_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t) -<<<<<<< HEAD manage_lnk_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t) files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir lnk_file }) -======= -files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir }) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t) 
@@ -137,10 +127,6 @@ corenet_tcp_bind_zarafa_port(zarafa_server_t) files_read_usr_files(zarafa_server_t) -<<<<<<< HEAD -======= -logging_send_syslog_msg(zarafa_server_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 logging_send_audit_msgs(zarafa_server_t) sysnet_dns_name_resolve(zarafa_server_t) @@ -171,7 +157,6 @@ corenet_tcp_connect_smtp_port(zarafa_spooler_t) ######################################## # -<<<<<<< HEAD # zarafa_gateway local policy # @@ -198,8 +183,6 @@ allow zarafa_monitor_t self:capability chown; ######################################## # -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # zarafa domains local policy # @@ -214,20 +197,13 @@ stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t) -<<<<<<< HEAD dev_read_rand(zarafa_domain) dev_read_urand(zarafa_domain) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 kernel_read_system_state(zarafa_domain) files_read_etc_files(zarafa_domain) -<<<<<<< HEAD logging_send_syslog_msg(zarafa_domain) -======= -auth_use_nsswitch(zarafa_domain) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 miscfiles_read_localization(zarafa_domain) diff --git a/zebra.if b/zebra.if index e4fea1e..ef64e73 100644 --- a/zebra.if +++ b/zebra.if @@ -24,11 +24,7 @@ interface(`zebra_read_config',` ######################################## ## -<<<<<<< HEAD -## Connect to zebra over a unix stream socket. -======= ## Connect to zebra over an unix stream socket. ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## ## ## @@ -42,12 +38,7 @@ interface(`zebra_stream_connect',` ') files_search_pids($1) -<<<<<<< HEAD stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t) -======= - allow $1 zebra_var_run_t:sock_file write; - allow $1 zebra_t:unix_stream_socket connectto; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## 
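Review bot: The resolution of `@@ -137,10 +127,6 @@` drops `logging_send_syslog_msg(zarafa_server_t)` and leaves only `logging_send_audit_msgs(zarafa_server_t)` for the server domain; the syslog grant survives solely as `logging_send_syslog_msg(zarafa_domain)` in `@@ -214,20 +197,13 @@` on the same line. That is equivalent only if zarafa_server_t carries the zarafa_domain attribute, which is decided inside `zarafa_domain_template` in zarafa.if, outside this hunk, so it is worth confirming before merging. The same check covers the dropped `auth_use_nsswitch(zarafa_domain)` in `@@ -214`, which the merge replaces with the per-template `auth_use_nsswitch(zarafa_$1_t)` kept in zarafa.if `@@ -42,11 +42,8 @@`.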
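Review bot: In zebra.if `@@ -24,11 +24,7 @@` the resolution keeps the `=======` side's summary `## Connect to zebra over an unix stream socket.` and discards HEAD's `## Connect to zebra over a unix stream socket.`; the HEAD wording is the correct article ("unix" begins with a consonant sound). Suggest restoring `## Connect to zebra over a unix stream socket.` since this text becomes the generated interface documentation for `zebra_stream_connect`.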
@@ -70,7 +61,6 @@ interface(`zebra_stream_connect',` interface(`zebra_admin',` gen_require(` type zebra_t, zebra_tmp_t, zebra_log_t; -<<<<<<< HEAD type zebra_conf_t, zebra_var_run_t, zebra_initrc_exec_t; ') @@ -79,14 +69,6 @@ interface(`zebra_admin',` tunable_policy(`deny_ptrace',`',` allow $1 zebra_t:process ptrace; ') -======= - type zebra_conf_t, zebra_var_run_t; - type zebra_initrc_exec_t; - ') - - allow $1 zebra_t:process { ptrace signal_perms }; - ps_process_pattern($1, zebra_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 init_labeled_script_domtrans($1, zebra_initrc_exec_t) domain_system_change_exemption($1) diff --git a/zebra.te b/zebra.te index 314bb6e..76f5491 100644 --- a/zebra.te +++ b/zebra.te @@ -6,18 +6,11 @@ policy_module(zebra, 1.12.0) # ## -<<<<<<< HEAD -##

-## Allow zebra daemon to write it configuration files -##

-##
-======= ##

## Allow zebra daemon to write it configuration files ##

## # ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 gen_tunable(allow_zebra_write_config, false) type zebra_t; @@ -25,11 +18,7 @@ type zebra_exec_t; init_daemon_domain(zebra_t, zebra_exec_t) type zebra_conf_t; -<<<<<<< HEAD files_config_file(zebra_conf_t) -======= -files_type(zebra_conf_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type zebra_initrc_exec_t; init_script_file(zebra_initrc_exec_t) @@ -63,11 +52,7 @@ allow zebra_t zebra_conf_t:dir list_dir_perms; read_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) -<<<<<<< HEAD allow zebra_t zebra_log_t:dir setattr_dir_perms; -======= -allow zebra_t zebra_log_t:dir setattr; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t) manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t) logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir }) @@ -121,11 +106,8 @@ files_search_etc(zebra_t) files_read_etc_files(zebra_t) files_read_etc_runtime_files(zebra_t) -<<<<<<< HEAD auth_read_passwd(zebra_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 logging_send_syslog_msg(zebra_t) miscfiles_read_localization(zebra_t) diff --git a/zosremote.fc b/zosremote.fc index 921cf20..7a7fc61 100644 --- a/zosremote.fc +++ b/zosremote.fc @@ -1,6 +1,3 @@ /sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0) -<<<<<<< HEAD /usr/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/zosremote.if b/zosremote.if index 99216e7..2a4f2cc 100644 --- a/zosremote.if +++ b/zosremote.if @@ -5,15 +5,9 @@ ## Execute a domain transition to run audispd-zos-remote. ##
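Review bot: The tunable description kept in zebra.te `@@ -6,18 +6,11 @@` reads `## Allow zebra daemon to write it configuration files`; both sides of the conflict carried the same typo, so the merge preserves it into the generated policy documentation for `allow_zebra_write_config`. Suggest `## Allow zebra daemon to write its configuration files`. The `<desc>`/`<p>` wrapper lines around it render blank in this view, so it is also worth confirming the doc-comment XML around the description survived the marker removal intact, since a malformed block only surfaces when the interface documentation is built.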
## -<<<<<<< HEAD -## -## Domain allowed to transition. -## -======= ## ## Domain allowed to transition. ## ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## # interface(`zosremote_domtrans',` @@ -40,10 +34,7 @@ interface(`zosremote_domtrans',` ## Role allowed access. ##
## -<<<<<<< HEAD ## -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # interface(`zosremote_run',` gen_require(` diff --git a/zosremote.te b/zosremote.te index ae6817c..3d407c6 100644 --- a/zosremote.te +++ b/zosremote.te @@ -16,11 +16,7 @@ logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t) # allow zos_remote_t self:process signal; -<<<<<<< HEAD allow zos_remote_t self:fifo_file rw_fifo_file_perms; -======= -allow zos_remote_t self:fifo_file rw_file_perms; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow zos_remote_t self:unix_stream_socket create_stream_socket_perms; files_read_etc_files(zos_remote_t)