From d066f2aaf66352b71b301d2800b996b5663a8662 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jun 05 2012 14:52:40 +0000 Subject: Merge clean up for policies which start with d-e letter --- diff --git a/daemontools.if b/daemontools.if index 8d2c53c..0158314 100644 --- a/daemontools.if +++ b/daemontools.if @@ -210,7 +210,4 @@ interface(`daemontools_manage_svc',` allow $1 svc_svc_t:file manage_file_perms; allow $1 svc_svc_t:lnk_file { read create }; ') -<<<<<<< HEAD -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/daemontools.te b/daemontools.te index 5f99c75..18c3048 100644 --- a/daemontools.te +++ b/daemontools.te @@ -38,14 +38,10 @@ files_type(svc_svc_t) # multilog creates /service/*/log/status manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t) -<<<<<<< HEAD term_write_console(svc_multilog_t) init_use_fds(svc_multilog_t) init_dontaudit_use_script_fds(svc_multilog_t) -======= -init_use_fds(svc_multilog_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # writes to /var/log/*/* logging_manage_generic_logs(svc_multilog_t) @@ -76,11 +72,8 @@ dev_read_urand(svc_run_t) corecmd_exec_bin(svc_run_t) corecmd_exec_shell(svc_run_t) -<<<<<<< HEAD term_write_console(svc_run_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 files_read_etc_files(svc_run_t) files_read_etc_runtime_files(svc_run_t) files_search_pids(svc_run_t) 
@@ -111,37 +104,24 @@ allow svc_start_t self:unix_stream_socket create_socket_perms; can_exec(svc_start_t, svc_start_exec_t) -<<<<<<< HEAD mmap_files_pattern(svc_start_t, svc_svc_t, svc_svc_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 kernel_read_kernel_sysctls(svc_start_t) kernel_read_system_state(svc_start_t) corecmd_exec_bin(svc_start_t) corecmd_exec_shell(svc_start_t) -<<<<<<< HEAD corenet_tcp_bind_generic_node(svc_start_t) corenet_tcp_bind_generic_port(svc_start_t) term_write_console(svc_start_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 files_read_etc_files(svc_start_t) files_read_etc_runtime_files(svc_start_t) files_search_var(svc_start_t) files_search_pids(svc_start_t) -<<<<<<< HEAD -logging_send_syslog_msg(svc_start_t) - -miscfiles_read_localization(svc_start_t) - -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 daemontools_domtrans_run(svc_start_t) daemontools_manage_svc(svc_start_t) diff --git a/dante.te b/dante.te index 14a1812..a29dcaa 100644 --- a/dante.te +++ b/dante.te @@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(dante, 1.7.0) -======= policy_module(dante, 1.8.0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -14,11 +10,7 @@ type dante_exec_t; init_daemon_domain(dante_t, dante_exec_t) type dante_conf_t; -<<<<<<< HEAD files_config_file(dante_conf_t) -======= -files_type(dante_conf_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type dante_var_run_t; files_pid_file(dante_var_run_t) @@ -54,12 +46,6 @@ corenet_udp_sendrecv_generic_node(dante_t) corenet_tcp_sendrecv_all_ports(dante_t) corenet_udp_sendrecv_all_ports(dante_t) corenet_tcp_bind_generic_node(dante_t) -<<<<<<< HEAD -#TODO: no portcons for this type -#allow dante_t socks_port_t:tcp_socket name_bind; -======= -corenet_tcp_bind_socks_port(dante_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 dev_read_sysfs(dante_t) diff --git a/dbadm.te b/dbadm.te index 672d207..2adc35f 100644 --- a/dbadm.te 
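Review bot: The last conflict in this hunk is resolved the opposite way from the rest of daemontools.te: `logging_send_syslog_msg(svc_start_t)` and `miscfiles_read_localization(svc_start_t)` were HEAD's lines and are deleted here, whereas every other conflict in the file keeps HEAD's side. Unless svc_start_t gets these through a rule outside the hunk, the start scripts lose syslog and locale access, which will show up as AVC denials at runtime rather than as a build error. If the drop is unintended, restore the two calls after `files_search_pids(svc_start_t)`; if it is intended, a one-line comment saying why would keep the next merge from re-introducing them.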
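Review bot: The bind conflict in dante.te is resolved by dropping both sides, HEAD's `#TODO: no portcons for this type` note and the incoming `corenet_tcp_bind_socks_port(dante_t)`, so within this hunk dante_t keeps `corenet_tcp_bind_generic_node(dante_t)` but no rule letting it bind its listening port. If corenetwork in this tree now defines socks_port_t, the incoming call is the one to keep; if it does not, the TODO was the only record that the port binding is still unresolved. Keeping `corenet_tcp_bind_socks_port(dante_t)` or restoring the TODO comment is preferable to silently removing both.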
+++ b/dbadm.te @@ -28,11 +28,7 @@ userdom_base_user_template(dbadm) # database admin local policy # -<<<<<<< HEAD allow dbadm_t self:capability { dac_override dac_read_search }; -======= -allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 files_dontaudit_search_all_dirs(dbadm_t) files_delete_generic_locks(dbadm_t) @@ -41,10 +37,7 @@ files_list_var(dbadm_t) selinux_get_enforce_mode(dbadm_t) logging_send_syslog_msg(dbadm_t) -<<<<<<< HEAD logging_send_audit_msgs(dbadm_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 userdom_dontaudit_search_user_home_dirs(dbadm_t) @@ -66,10 +59,7 @@ optional_policy(` optional_policy(` postgresql_admin(dbadm_t, dbadm_r) ') -<<<<<<< HEAD optional_policy(` sudo_role_template(dbadm, dbadm_r, dbadm_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/dbus.fc b/dbus.fc index e06a3bd..31f269b 100644 --- a/dbus.fc +++ b/dbus.fc @@ -2,16 +2,9 @@ /bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0) -<<<<<<< HEAD -/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) - -/usr/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) - -/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) -/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) -======= ifdef(`distro_redhat',` /lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) +/usr/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) ') /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) 
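Review bot: HEAD labelled `/usr/libexec/dbus-daemon-launch-helper` unconditionally and this resolution removes that entry, leaving the distro_gentoo block in the next hunk as the only surviving specification for that path. If the Red Hat build installs the launch helper there, the binary falls back to the generic label and no longer carries dbusd_exec_t like the other launch-helper entries, so any policy keyed on that type will not apply to it; dbus-daemon itself is unaffected because the /usr/bin entry remains. If the path is needed on Red Hat, add it next to the new `/usr/lib/dbus-1/dbus-daemon-launch-helper` line inside the distro_redhat block rather than restoring it unconditionally.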
@@ -23,7 +16,6 @@ ifdef(`distro_debian',` ifdef(`distro_gentoo',` /usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) ') ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) diff --git a/dbus.if b/dbus.if index 1225d37..115133d 100644 --- a/dbus.if +++ b/dbus.if @@ -41,15 +41,9 @@ interface(`dbus_stub',` template(`dbus_role_template',` gen_require(` class dbus { send_msg acquire_svc }; -<<<<<<< HEAD attribute dbusd_unconfined, session_bus_type; type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t; type $1_t; -======= - - attribute session_bus_type; - type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ############################## 
@@ -58,43 +52,21 @@ template(`dbus_role_template',` # type $1_dbusd_t, session_bus_type; -<<<<<<< HEAD application_domain($1_dbusd_t, dbusd_exec_t) ubac_constrained($1_dbusd_t) role $2 types $1_dbusd_t; userdom_home_manager($1_dbusd_t) -======= - domain_type($1_dbusd_t) - domain_entry_file($1_dbusd_t, dbusd_exec_t) - ubac_constrained($1_dbusd_t) - role $2 types $1_dbusd_t; - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ############################## # # Local policy # -<<<<<<< HEAD -======= - allow $1_dbusd_t self:process { getattr sigkill signal }; - dontaudit $1_dbusd_t self:process ptrace; - allow $1_dbusd_t self:file { getattr read write }; - allow $1_dbusd_t self:fifo_file rw_fifo_file_perms; - allow $1_dbusd_t self:dbus { send_msg acquire_svc }; - allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms; - allow $1_dbusd_t self:unix_dgram_socket create_socket_perms; - allow $1_dbusd_t self:tcp_socket create_stream_socket_perms; - allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms; - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # For connecting to the bus allow $3 $1_dbusd_t:unix_stream_socket connectto; # SE-DBus specific permissions -<<<<<<< HEAD allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc }; allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; 
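Review bot: The resolved template keeps `userdom_home_manager($1_dbusd_t)`, which by its name lets every per-role session bus manage content in user home directories, while the discarded side only granted `userdom_read_user_home_content_files($1_dbusd_t)` (visible in the next hunk). If the session bus only needs to read its configuration and service files under the home directory, the read-only interface is the least-privilege choice and the manager interface is a sizeable widening for a long-lived daemon that every role's processes talk to. If write access is really required, a one-line comment above the call naming what it has to write would help the next reviewer; dbus_role_template continues outside this hunk.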
@@ -115,95 +87,6 @@ template(`dbus_role_template',` allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms; auth_use_nsswitch($1_dbusd_t) -======= - allow $3 $1_dbusd_t:dbus { send_msg acquire_svc }; - allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; - - allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms; - read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t) - read_lnk_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t) - - manage_dirs_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t) - manage_files_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t) - files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir }) - - domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t) - allow $3 $1_dbusd_t:process { signull sigkill signal }; - - # cjp: this seems very broken - corecmd_bin_domtrans($1_dbusd_t, $3) - allow $1_dbusd_t $3:process sigkill; - allow $3 $1_dbusd_t:fd use; - allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms; - allow $3 $1_dbusd_t:process sigchld; - - kernel_read_system_state($1_dbusd_t) - kernel_read_kernel_sysctls($1_dbusd_t) - - corecmd_list_bin($1_dbusd_t) - corecmd_read_bin_symlinks($1_dbusd_t) - corecmd_read_bin_files($1_dbusd_t) - corecmd_read_bin_pipes($1_dbusd_t) - corecmd_read_bin_sockets($1_dbusd_t) - - corenet_all_recvfrom_unlabeled($1_dbusd_t) - corenet_all_recvfrom_netlabel($1_dbusd_t) - corenet_tcp_sendrecv_generic_if($1_dbusd_t) - corenet_tcp_sendrecv_generic_node($1_dbusd_t) - corenet_tcp_sendrecv_all_ports($1_dbusd_t) - corenet_tcp_bind_generic_node($1_dbusd_t) - corenet_tcp_bind_reserved_port($1_dbusd_t) - - dev_read_urand($1_dbusd_t) - - domain_use_interactive_fds($1_dbusd_t) - domain_read_all_domains_state($1_dbusd_t) - - files_read_etc_files($1_dbusd_t) - files_list_home($1_dbusd_t) - files_read_usr_files($1_dbusd_t) - files_dontaudit_search_var($1_dbusd_t) - - fs_getattr_romfs($1_dbusd_t) - fs_getattr_xattr_fs($1_dbusd_t) - fs_list_inotifyfs($1_dbusd_t) - fs_dontaudit_list_nfs($1_dbusd_t) - - 
selinux_get_fs_mount($1_dbusd_t) - selinux_validate_context($1_dbusd_t) - selinux_compute_access_vector($1_dbusd_t) - selinux_compute_create_context($1_dbusd_t) - selinux_compute_relabel_context($1_dbusd_t) - selinux_compute_user_contexts($1_dbusd_t) - - auth_read_pam_console_data($1_dbusd_t) - auth_use_nsswitch($1_dbusd_t) - - logging_send_audit_msgs($1_dbusd_t) - logging_send_syslog_msg($1_dbusd_t) - - miscfiles_read_localization($1_dbusd_t) - - seutil_read_config($1_dbusd_t) - seutil_read_default_contexts($1_dbusd_t) - - term_use_all_terms($1_dbusd_t) - - userdom_read_user_home_content_files($1_dbusd_t) - - ifdef(`hide_broken_symptoms', ` - dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write }; - ') - - optional_policy(` - hal_dbus_chat($1_dbusd_t) - ') - - optional_policy(` - xserver_use_xdm_fds($1_dbusd_t) - xserver_rw_xdm_pipes($1_dbusd_t) - ') ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ####################################### @@ -222,19 +105,12 @@ interface(`dbus_system_bus_client',` type system_dbusd_t, system_dbusd_t; type system_dbusd_var_run_t, system_dbusd_var_lib_t; class dbus send_msg; -<<<<<<< HEAD attribute dbusd_unconfined; -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') # SE-DBus specific permissions allow $1 { system_dbusd_t self }:dbus send_msg; -<<<<<<< HEAD allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg; -======= - allow system_dbusd_t $1:dbus send_msg; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) files_search_var_lib($1) @@ -247,7 +123,6 @@ interface(`dbus_system_bus_client',` ####################################### ## -<<<<<<< HEAD ## Creating connections to specified ## DBUS sessions. ## @@ -276,8 +151,6 @@ interface(`dbus_session_client',` ####################################### ## -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## Template for creating connections to ## a user DBUS. ## 
@@ -299,11 +172,7 @@ interface(`dbus_session_bus_client',` # For connecting to the bus allow $1 session_bus_type:unix_stream_socket connectto; -<<<<<<< HEAD allow session_bus_type $1:process sigkill; -======= - dontaudit $1 session_bus_type:fd use; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## @@ -408,14 +277,11 @@ interface(`dbus_connect_session_bus',` ## Allow a application domain to be started ## by the session dbus. ## -<<<<<<< HEAD ## ## ## User domain prefix to be used. ## ## -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## ## ## Type to be used as a domain. @@ -430,7 +296,6 @@ interface(`dbus_connect_session_bus',` # interface(`dbus_session_domain',` gen_require(` -<<<<<<< HEAD type $1_dbusd_t; ') @@ -438,15 +303,6 @@ interface(`dbus_session_domain',` dbus_session_bus_client($3) dbus_connect_session_bus($3) -======= - attribute session_bus_type; - ') - - domtrans_pattern(session_bus_type, $2, $1) - - dbus_session_bus_client($1) - dbus_connect_session_bus($1) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## @@ -525,22 +381,15 @@ interface(`dbus_system_bus_unconfined',` # interface(`dbus_system_domain',` gen_require(` -<<<<<<< HEAD attribute system_bus_type; type system_dbusd_t; role system_r; ') typeattribute $1 system_bus_type; -======= - type system_dbusd_t; - role system_r; - ') ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 domain_type($1) domain_entry_file($1, $2) -<<<<<<< HEAD domtrans_pattern(system_dbusd_t, $2, $1) ') 
@@ -578,31 +427,11 @@ interface(`dbus_unconfined',` ') typeattribute $1 dbusd_unconfined; -======= - role system_r types $1; - - domtrans_pattern(system_dbusd_t, $2, $1) - - dbus_system_bus_client($1) - dbus_connect_system_bus($1) - - ps_process_pattern(system_dbusd_t, $1) - - userdom_read_all_users_state($1) - - ifdef(`hide_broken_symptoms', ` - dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; - ') ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## ## -<<<<<<< HEAD ## Delete all dbus pid files -======= -## Use and inherit system DBUS file descriptors. ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## ## ## @@ -610,7 +439,6 @@ interface(`dbus_unconfined',` ## ## # -<<<<<<< HEAD interface(`dbus_delete_pid_files',` gen_require(` type system_dbusd_var_run_t; @@ -618,25 +446,13 @@ interface(`dbus_delete_pid_files',` files_search_pids($1) delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) -======= -interface(`dbus_use_system_bus_fds',` - gen_require(` - type system_dbusd_t; - ') - - allow $1 system_dbusd_t:fd use; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## ## -<<<<<<< HEAD ## Do not audit attempts to connect to ## session bus types with a unix ## stream socket. -======= -## Dontaudit Read, and write system dbus TCP sockets. ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## ## ## 
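Review bot: This hunk and the following `@@ -644` hunk delete two interfaces that existed only on the incoming side, `dbus_use_system_bus_fds` and `dbus_dontaudit_system_bus_rw_tcp_sockets`, while keeping HEAD's `dbus_delete_pid_files` and `dbus_dontaudit_stream_connect_session_bus`. Any module in the incoming branch that calls either removed interface will break the policy build, and nothing in this commit checks for such callers. Grepping the other .te and .if files for both names before merging, and either re-adding the interfaces or fixing the callers, would close that gap; dbus_delete_pid_files starts in the previous hunk.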
@@ -644,27 +460,16 @@ interface(`dbus_use_system_bus_fds',` ## ## # -<<<<<<< HEAD interface(`dbus_dontaudit_stream_connect_session_bus',` gen_require(` attribute session_bus_type; ') dontaudit $1 session_bus_type:unix_stream_socket connectto; -======= -interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` - gen_require(` - type system_dbusd_t; - ') - - allow $1 system_dbusd_t:tcp_socket { read write }; - allow $1 system_dbusd_t:fd use; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## ## -<<<<<<< HEAD ## Do not audit attempts to send dbus ## messages to session bus types. ## @@ -681,20 +486,4 @@ interface(`dbus_dontaudit_chat_session_bus',` ') dontaudit $1 session_bus_type:dbus send_msg; -======= -## Allow unconfined access to the system DBUS. -## -## -## -## Domain allowed access. -## -## -# -interface(`dbus_unconfined',` - gen_require(` - attribute dbusd_unconfined; - ') - - typeattribute $1 dbusd_unconfined; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') diff --git a/dbus.te b/dbus.te index 39f28c3..088e2ca 100644 --- a/dbus.te +++ b/dbus.te @@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(dbus, 1.14.3) -======= policy_module(dbus, 1.16.2) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 gen_require(` class dbus all_dbus_perms; @@ -14,10 +10,7 @@ gen_require(` # attribute dbusd_unconfined; -<<<<<<< HEAD attribute system_bus_type; -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 attribute session_bus_type; type dbusd_etc_t; 
@@ -30,12 +23,7 @@ typealias dbusd_exec_t alias system_dbusd_exec_t; type session_dbusd_tmp_t; typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t }; typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t }; -<<<<<<< HEAD -files_tmp_file(session_dbusd_tmp_t) -ubac_constrained(session_dbusd_tmp_t) -======= userdom_user_tmp_file(session_dbusd_tmp_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type system_dbusd_t; init_system_domain(system_dbusd_t, dbusd_exec_t) @@ -48,10 +36,7 @@ files_type(system_dbusd_var_lib_t) type system_dbusd_var_run_t; files_pid_file(system_dbusd_var_run_t) -<<<<<<< HEAD init_sock_file(system_dbusd_var_run_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ifdef(`enable_mcs',` init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh) @@ -68,15 +53,9 @@ ifdef(`enable_mls',` # dac_override: /var/run/dbus is owned by messagebus on Debian # cjp: dac_override should probably go in a distro_debian -<<<<<<< HEAD allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid }; dontaudit system_dbusd_t self:capability sys_tty_config; allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit }; -======= -allow system_dbusd_t self:capability { dac_override setgid setpcap setuid }; -dontaudit system_dbusd_t self:capability sys_tty_config; -allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow system_dbusd_t self:fifo_file rw_fifo_file_perms; allow system_dbusd_t self:dbus { send_msg acquire_svc }; allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto }; 
@@ -96,16 +75,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir }) read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t) -<<<<<<< HEAD manage_dirs_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { file dir }) -======= -manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) -manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) -files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, file) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 kernel_read_system_state(system_dbusd_t) kernel_read_kernel_sysctls(system_dbusd_t) @@ -113,11 +86,8 @@ kernel_read_kernel_sysctls(system_dbusd_t) dev_read_urand(system_dbusd_t) dev_read_sysfs(system_dbusd_t) -<<<<<<< HEAD files_rw_inherited_non_security_files(system_dbusd_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 fs_getattr_all_fs(system_dbusd_t) fs_list_inotifyfs(system_dbusd_t) fs_search_auto_mountpoints(system_dbusd_t) @@ -145,11 +115,8 @@ auth_read_pam_console_data(system_dbusd_t) corecmd_list_bin(system_dbusd_t) corecmd_read_bin_pipes(system_dbusd_t) corecmd_read_bin_sockets(system_dbusd_t) -<<<<<<< HEAD # needed for system-tools-backends corecmd_exec_shell(system_dbusd_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 domain_use_interactive_fds(system_dbusd_t) domain_read_all_domains_state(system_dbusd_t) 
@@ -160,13 +127,9 @@ files_read_usr_files(system_dbusd_t) init_use_fds(system_dbusd_t) init_use_script_ptys(system_dbusd_t) -<<<<<<< HEAD init_bin_domtrans_spec(system_dbusd_t) init_domtrans_script(system_dbusd_t) init_rw_stream_sockets(system_dbusd_t) -======= -init_domtrans_script(system_dbusd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 logging_send_audit_msgs(system_dbusd_t) logging_send_syslog_msg(system_dbusd_t) @@ -181,17 +144,13 @@ seutil_sigchld_newrole(system_dbusd_t) userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t) userdom_dontaudit_search_user_home_dirs(system_dbusd_t) -<<<<<<< HEAD userdom_home_reader(system_dbusd_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 optional_policy(` bind_domtrans(system_dbusd_t) ') optional_policy(` -<<<<<<< HEAD gnome_exec_gconf(system_dbusd_t) gnome_read_inherited_home_icc_data_files(system_dbusd_t) ') @@ -206,8 +165,6 @@ optional_policy(` ') optional_policy(` -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 policykit_dbus_chat(system_dbusd_t) policykit_domtrans_auth(system_dbusd_t) policykit_search_lib(system_dbusd_t) @@ -218,7 +175,6 @@ optional_policy(` ') optional_policy(` -<<<<<<< HEAD systemd_use_fds_logind(system_dbusd_t) systemd_write_inherited_logind_sessions_pipes(system_dbusd_t) ') @@ -369,20 +325,11 @@ optional_policy(` xserver_append_xdm_home_files(session_bus_type) ') -======= - udev_read_db(system_dbusd_t) -') - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # # Unconfined access to this module # -<<<<<<< HEAD + allow dbusd_unconfined session_bus_type:dbus all_dbus_perms; allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms; allow session_bus_type dbusd_unconfined:dbus send_msg; -======= - -allow dbusd_unconfined session_bus_type:dbus all_dbus_perms; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/dcc.fc b/dcc.fc index a0b40ad..29773e7 100644 --- a/dcc.fc +++ b/dcc.fc 
@@ -10,17 +10,12 @@ /usr/libexec/dcc/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0) /usr/libexec/dcc/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0) -<<<<<<< HEAD -/var/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0) -/var/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) -======= ifdef(`distro_debian',` /usr/sbin/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0) /usr/sbin/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0) /usr/sbin/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0) /usr/sbin/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0) ') ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /var/lib/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0) /var/lib/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) @@ -28,11 +23,8 @@ ifdef(`distro_debian',` /var/run/dcc(/.*)? gen_context(system_u:object_r:dcc_var_run_t,s0) /var/run/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) /var/run/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0) -<<<<<<< HEAD -======= ifdef(`distro_redhat',` /var/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0) /var/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) ') ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/dcc.if b/dcc.if index bbd1167..bf65e7d 100644 --- a/dcc.if +++ b/dcc.if @@ -168,10 +168,6 @@ interface(`dcc_stream_connect_dccifd',` type dcc_var_t, dccifd_var_run_t, dccifd_t; ') -<<<<<<< HEAD files_search_pids($1) -======= - files_search_var($1) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t) ') diff --git a/dcc.te b/dcc.te index d6e587e..b309a53 100644 --- a/dcc.te +++ b/dcc.te @@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(dcc, 1.10.0) -======= policy_module(dcc, 1.11.0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # 
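Review bot: Keeping `files_search_pids($1)` in dcc_stream_connect_dccifd implies the socket lives under /var/run, but the unchanged `stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)` names dcc_var_t as the directory type, while dcc.fc in this same patch labels `/var/run/dcc(/.*)?` as dcc_var_run_t and only /var/lib/dcc and the distro_redhat /var/dcc as dcc_var_t. Unless the socket is actually created under one of the dcc_var_t directories, the caller still lacks search on the dcc_var_run_t directory and the connect will be denied. If the /var/run/dcc layout is the intended one, the pattern should read `stream_connect_pattern($1, dcc_var_run_t, dccifd_var_run_t, dccifd_t)` with dcc_var_run_t added to the gen_require; the interface header is outside the hunk.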
@@ -40,11 +36,7 @@ type dcc_var_t; files_type(dcc_var_t) type dcc_var_run_t; -<<<<<<< HEAD files_pid_file(dcc_var_run_t) -======= -files_type(dcc_var_run_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type dccd_t; type dccd_exec_t; @@ -118,11 +110,7 @@ logging_send_syslog_msg(cdcc_t) miscfiles_read_localization(cdcc_t) -<<<<<<< HEAD userdom_use_inherited_user_terminals(cdcc_t) -======= -userdom_use_user_terminals(cdcc_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -164,11 +152,7 @@ logging_send_syslog_msg(dcc_client_t) miscfiles_read_localization(dcc_client_t) -<<<<<<< HEAD userdom_use_inherited_user_terminals(dcc_client_t) -======= -userdom_use_user_terminals(dcc_client_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 optional_policy(` amavis_read_spool_files(dcc_client_t) @@ -213,11 +197,7 @@ logging_send_syslog_msg(dcc_dbclean_t) miscfiles_read_localization(dcc_dbclean_t) -<<<<<<< HEAD userdom_use_inherited_user_terminals(dcc_dbclean_t) -======= -userdom_use_user_terminals(dcc_dbclean_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # diff --git a/ddclient.if b/ddclient.if index 1e10aeb..64742c6 100644 --- a/ddclient.if +++ b/ddclient.if @@ -64,7 +64,6 @@ interface(`ddclient_run',` interface(`ddclient_admin',` gen_require(` type ddclient_t, ddclient_etc_t, ddclient_log_t; -<<<<<<< HEAD type ddclient_var_t, ddclient_var_lib_t, ddclient_initrc_exec_t; type ddclient_var_run_t; ') @@ -76,15 +75,6 @@ interface(`ddclient_admin',` allow $1 ddclient_t:process ptrace; ') -======= - type ddclient_var_t, ddclient_var_lib_t; - type ddclient_var_run_t, ddclient_initrc_exec_t; - ') - - allow $1 ddclient_t:process { ptrace signal_perms }; - ps_process_pattern($1, ddclient_t) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 init_labeled_script_domtrans($1, ddclient_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 ddclient_initrc_exec_t system_r; 
diff --git a/ddclient.te b/ddclient.te index 8b206c6..f744997 100644 --- a/ddclient.te +++ b/ddclient.te @@ -18,12 +18,9 @@ init_script_file(ddclient_initrc_exec_t) type ddclient_log_t; logging_log_file(ddclient_log_t) -<<<<<<< HEAD type ddclient_tmp_t; files_tmp_file(ddclient_tmp_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type ddclient_var_t; files_type(ddclient_var_t) @@ -43,25 +40,17 @@ allow ddclient_t self:process signal_perms; allow ddclient_t self:fifo_file rw_fifo_file_perms; allow ddclient_t self:tcp_socket create_socket_perms; allow ddclient_t self:udp_socket create_socket_perms; -<<<<<<< HEAD allow ddclient_t self:netlink_route_socket r_netlink_socket_perms; read_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t) setattr_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t) -======= - -allow ddclient_t ddclient_etc_t:file read_file_perms; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow ddclient_t ddclient_log_t:file manage_file_perms; logging_log_filetrans(ddclient_t, ddclient_log_t, file) -<<<<<<< HEAD manage_files_pattern(ddclient_t, ddclient_tmp_t, ddclient_tmp_t) files_tmp_filetrans(ddclient_t, ddclient_tmp_t, { file }) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) manage_lnk_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) @@ -81,10 +70,7 @@ kernel_read_software_raid_state(ddclient_t) kernel_getattr_core_if(ddclient_t) kernel_getattr_message_if(ddclient_t) kernel_read_kernel_sysctls(ddclient_t) -<<<<<<< HEAD kernel_search_network_sysctl(ddclient_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 corecmd_exec_shell(ddclient_t) corecmd_exec_bin(ddclient_t) 
@@ -97,11 +83,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t) corenet_udp_sendrecv_generic_node(ddclient_t) corenet_tcp_sendrecv_all_ports(ddclient_t) corenet_udp_sendrecv_all_ports(ddclient_t) -<<<<<<< HEAD corenet_tcp_bind_generic_node(ddclient_t) corenet_udp_bind_generic_node(ddclient_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 corenet_tcp_connect_all_ports(ddclient_t) corenet_sendrecv_all_client_packets(ddclient_t) @@ -117,20 +100,14 @@ files_read_usr_files(ddclient_t) fs_getattr_all_fs(ddclient_t) fs_search_auto_mountpoints(ddclient_t) -<<<<<<< HEAD auth_read_passwd(ddclient_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 logging_send_syslog_msg(ddclient_t) miscfiles_read_localization(ddclient_t) -<<<<<<< HEAD mta_send_mail(ddclient_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 sysnet_exec_ifconfig(ddclient_t) sysnet_read_config(ddclient_t) diff --git a/ddcprobe.te b/ddcprobe.te index b465cb3..3cbfffb 100644 --- a/ddcprobe.te +++ b/ddcprobe.te @@ -42,7 +42,6 @@ libs_read_lib_files(ddcprobe_t) miscfiles_read_localization(ddcprobe_t) -<<<<<<< HEAD userdom_use_inherited_user_terminals(ddcprobe_t) userdom_use_all_users_fds(ddcprobe_t) @@ -54,12 +53,3 @@ optional_policy(` optional_policy(` modutils_read_module_deps(ddcprobe_t) ') -======= -modutils_read_module_deps(ddcprobe_t) - -userdom_use_user_terminals(ddcprobe_t) -userdom_use_all_users_fds(ddcprobe_t) - -#reh why? this does not seem even necessary to function properly -kudzu_getattr_exec_files(ddcprobe_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/denyhosts.if b/denyhosts.if index 2198d4c..b5e9376 100644 --- a/denyhosts.if +++ b/denyhosts.if 
@@ -13,21 +13,12 @@ ## Execute a domain transition to run denyhosts. ## ## -<<<<<<< HEAD -## -## Domain allowed to transition. -## -## -# -interface(`denyhosts_domtrans',` -======= ## ## Domain allowed to transition. ## ## # interface(`denyhosts_domtrans', ` ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 gen_require(` type denyhosts_t, denyhosts_exec_t; ') @@ -45,11 +36,7 @@ interface(`denyhosts_domtrans', ` ## ## # -<<<<<<< HEAD -interface(`denyhosts_initrc_domtrans',` -======= interface(`denyhosts_initrc_domtrans', ` ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 gen_require(` type denyhosts_initrc_exec_t; ') @@ -72,20 +59,14 @@ interface(`denyhosts_initrc_domtrans', ` ## Role allowed access. ## ## -<<<<<<< HEAD ## # -interface(`denyhosts_admin',` -======= -# interface(`denyhosts_admin', ` ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 gen_require(` type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t; type denyhosts_var_log_t, denyhosts_initrc_exec_t; ') -<<<<<<< HEAD allow $1 denyhosts_t:process signal_perms; ps_process_pattern($1, denyhosts_t) @@ -93,17 +74,11 @@ interface(`denyhosts_admin', ` allow $1 denyhosts_t:process ptrace; ') -======= - allow $1 denyhosts_t:process { ptrace signal_perms }; - ps_process_pattern($1, denyhosts_t) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 denyhosts_initrc_domtrans($1) domain_system_change_exemption($1) role_transition $2 denyhosts_initrc_exec_t system_r; allow $2 system_r; -<<<<<<< HEAD files_list_var_lib($1) admin_pattern($1, denyhosts_var_lib_t) @@ -111,14 +86,5 @@ interface(`denyhosts_admin', ` admin_pattern($1, denyhosts_var_log_t) files_list_locks($1) -======= - files_search_var_lib($1) - admin_pattern($1, denyhosts_var_lib_t) - - logging_search_logs($1) - admin_pattern($1, denyhosts_var_log_t) - - files_search_locks($1) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 admin_pattern($1, denyhosts_var_lock_t) ') diff --git a/denyhosts.te b/denyhosts.te index a3f866d..02f4190 100644 
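Review bot: The resolution takes the incoming spelling of the interface openings in denyhosts.if, with a space after the comma before the body quote, for denyhosts_domtrans here and for denyhosts_initrc_domtrans and denyhosts_admin in the two hunks that follow; every other interface on this page (daemontools, dbus, dcc, ddclient, devicekit) has no space there. Both forms are accepted, so this is purely a consistency point, but the discarded HEAD spelling matched the rest of the tree and is the one I would keep. Dropping the space in the three `interface(` lines is a three-line change.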
--- a/denyhosts.te +++ b/denyhosts.te @@ -25,13 +25,10 @@ logging_log_file(denyhosts_var_log_t) # # DenyHosts personal policy. # -<<<<<<< HEAD # Bug #588563 allow denyhosts_t self:capability sys_tty_config; allow denyhosts_t self:fifo_file rw_fifo_file_perms; -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms; allow denyhosts_t self:tcp_socket create_socket_perms; allow denyhosts_t self:udp_socket create_socket_perms; @@ -49,16 +46,11 @@ read_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t) setattr_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t) logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file) -<<<<<<< HEAD kernel_read_network_state(denyhosts_t) kernel_read_system_state(denyhosts_t) kernel_read_network_state(denyhosts_t) corecmd_exec_shell(denyhosts_t) -======= -kernel_read_system_state(denyhosts_t) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 corecmd_exec_bin(denyhosts_t) corenet_all_recvfrom_unlabeled(denyhosts_t) @@ -67,16 +59,12 @@ corenet_tcp_sendrecv_generic_if(denyhosts_t) corenet_tcp_sendrecv_generic_node(denyhosts_t) corenet_tcp_bind_generic_node(denyhosts_t) corenet_tcp_connect_smtp_port(denyhosts_t) -<<<<<<< HEAD corenet_tcp_connect_sype_port(denyhosts_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 corenet_sendrecv_smtp_client_packets(denyhosts_t) dev_read_urand(denyhosts_t) files_read_etc_files(denyhosts_t) -<<<<<<< HEAD files_read_usr_files(denyhosts_t) auth_use_nsswitch(denyhosts_t) 
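Review bot: The resolved block in the `@@ -49` hunk keeps HEAD's lines verbatim and with them a duplicate: `kernel_read_network_state(denyhosts_t)` appears both immediately before and immediately after `kernel_read_system_state(denyhosts_t)`. The duplicate is harmless to the compiled policy but reads like a leftover from an earlier merge and is exactly the kind of line that gets duplicated again on the next conflict; deleting the second `kernel_read_network_state(denyhosts_t)` keeps the block clean.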
@@ -88,24 +76,13 @@ logging_send_syslog_msg(denyhosts_t) miscfiles_read_localization(denyhosts_t) sysnet_dns_name_resolve(denyhosts_t) -======= - -# /var/log/secure -logging_read_generic_logs(denyhosts_t) - -miscfiles_read_localization(denyhosts_t) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 sysnet_manage_config(denyhosts_t) sysnet_etc_filetrans_config(denyhosts_t) optional_policy(` cron_system_entry(denyhosts_t, denyhosts_exec_t) ') -<<<<<<< HEAD optional_policy(` gnome_dontaudit_search_config(denyhosts_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/devicekit.fc b/devicekit.fc index c2e85cd..e5de842 100644 --- a/devicekit.fc +++ b/devicekit.fc @@ -1,12 +1,9 @@ -<<<<<<< HEAD /lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) /lib/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) /usr/lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) /usr/lib/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) -======= /usr/lib/udisks/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0) /usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) @@ -14,7 +11,6 @@ /usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) /usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) -<<<<<<< HEAD /var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0) /var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0) /var/lib/udisks.* gen_context(system_u:object_r:devicekit_var_lib_t,s0) 
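Review bot: The discarded side carried `logging_read_generic_logs(denyhosts_t)` under the comment `# /var/log/secure`, and nothing in the kept lines of this hunk replaces it. If no equivalent read rule survives in the part of the file between this hunk and the previous one, the daemon loses read access to the generic log type it scans, which would surface as a denial rather than a policy build error. Worth confirming against the full file before merging; if an equivalent rule does exist, consider carrying the `# /var/log/secure` why-comment over to it.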
@@ -27,17 +23,4 @@ /var/run/pm-utils(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) /var/run/udisks.* gen_context(system_u:object_r:devicekit_var_run_t,s0) -======= -ifdef(`distro_debian',` -/usr/lib/upower/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) -') - -/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0) -/var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0) -/var/lib/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0) - -/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) -/var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) -/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) diff --git a/devicekit.if b/devicekit.if index 6252b8b..53f655f 100644 --- a/devicekit.if +++ b/devicekit.if @@ -5,15 +5,9 @@ ## Execute a domain transition to run devicekit. ## ## -<<<<<<< HEAD -## -## Domain allowed to transition. -## -======= ## ## Domain allowed to transition. ## ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## # interface(`devicekit_domtrans',` @@ -45,8 +39,6 @@ interface(`devicekit_domtrans_disk',` ######################################## ## -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## Send to devicekit over a unix domain ## datagram socket. ## @@ -108,7 +100,6 @@ interface(`devicekit_dbus_chat_disk',` ######################################## ## -<<<<<<< HEAD ## Use file descriptors for devicekit_disk. ## ## @@ -148,8 +139,6 @@ interface(`devicekit_dontaudit_dbus_chat_disk',` ######################################## ## -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## Send signal devicekit power ## ## 
@@ -187,7 +176,6 @@ interface(`devicekit_dbus_chat_power',` allow devicekit_power_t $1:dbus send_msg; ') -<<<<<<< HEAD ####################################### ## ## Append inherited devicekit log files. @@ -244,8 +232,6 @@ interface(`devicekit_read_state_power',` ps_process_pattern($1, devicekit_power_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## ## ## Read devicekit PID files. @@ -267,7 +253,6 @@ interface(`devicekit_read_pid_files',` ######################################## ## -<<<<<<< HEAD ## Do not audit attempts to read ## devicekit PID files. ## @@ -289,17 +274,12 @@ interface(`devicekit_dontaudit_read_pid_files',` ######################################## ## ## Manage devicekit PID files. -======= -## All of the rules required to administrate -## an devicekit environment ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## ## ## ## Domain allowed access. ## ## -<<<<<<< HEAD # interface(`devicekit_manage_pid_files',` gen_require(` @@ -360,16 +340,6 @@ interface(`devicekit_manage_log_files',` ## ## ## Domain allowed access. -======= -## -## -## The role to be allowed to manage the devicekit domain. -## -## -## -## -## The type of the user terminal. ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## ## ## @@ -380,7 +350,6 @@ interface(`devicekit_admin',` type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; ') -<<<<<<< HEAD allow $1 devicekit_t:process signal_perms; ps_process_pattern($1, devicekit_t) tunable_policy(`deny_ptrace',`',` 
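Review bot: In the `@@ -360,16 +340,6 @@` hunk the `<param name="role">` ("The role to be allowed to manage the devicekit domain") and the terminal-type parameter descriptions are removed from the `devicekit_admin` documentation, while the body of that interface, which begins past the end of this hunk, is not visible here. If the kept body still uses `$2` (a `role_transition` or `allow $2 system_r;`), the interface is now under-documented and the role parameter description should be restored in the same `## <param>` form the other interfaces in this file use.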
@@ -423,23 +392,4 @@ interface(`devicekit_filetrans_named_content',` files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils") #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log") #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log") -======= - allow $1 devicekit_t:process { ptrace signal_perms getattr }; - ps_process_pattern($1, devicekit_t) - - allow $1 devicekit_disk_t:process { ptrace signal_perms getattr }; - ps_process_pattern($1, devicekit_disk_t) - - allow $1 devicekit_power_t:process { ptrace signal_perms getattr }; - ps_process_pattern($1, devicekit_power_t) - - admin_pattern($1, devicekit_tmp_t) - files_search_tmp($1) - - admin_pattern($1, devicekit_var_lib_t) - files_search_var_lib($1) - - admin_pattern($1, devicekit_var_run_t) - files_search_pids($1) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') diff --git a/devicekit.te b/devicekit.te index 3c4d802..76770cd 100644 --- a/devicekit.te +++ b/devicekit.te @@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(devicekit, 1.1.0) -======= policy_module(devicekit, 1.2.0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -12,26 +8,17 @@ policy_module(devicekit, 1.2.0) type devicekit_t; type devicekit_exec_t; dbus_system_domain(devicekit_t, devicekit_exec_t) -<<<<<<< HEAD init_daemon_domain(devicekit_t, devicekit_exec_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type devicekit_power_t; type devicekit_power_exec_t; dbus_system_domain(devicekit_power_t, devicekit_power_exec_t) -<<<<<<< HEAD init_daemon_domain(devicekit_power_t, devicekit_power_exec_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type devicekit_disk_t; type devicekit_disk_exec_t; dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t) -<<<<<<< HEAD init_daemon_domain(devicekit_disk_t, devicekit_disk_exec_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type devicekit_tmp_t; files_tmp_file(devicekit_tmp_t) 
@@ -42,12 +29,9 @@ files_pid_file(devicekit_var_run_t) type devicekit_var_lib_t; files_type(devicekit_var_lib_t) -<<<<<<< HEAD type devicekit_var_log_t; logging_log_file(devicekit_var_log_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # # DeviceKit local policy @@ -84,12 +68,8 @@ optional_policy(` # DeviceKit disk local policy # -<<<<<<< HEAD allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_rawio }; -======= -allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow devicekit_disk_t self:process { getsched signal_perms }; allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -102,7 +82,6 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir) -<<<<<<< HEAD allow devicekit_disk_t devicekit_var_run_t:dir mounton; manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) 
@@ -111,12 +90,6 @@ files_filetrans_named_content(devicekit_disk_t) kernel_list_unlabeled(devicekit_disk_t) kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t) -======= -manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) -manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) -files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { file dir }) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 kernel_getattr_message_if(devicekit_disk_t) kernel_read_fs_sysctls(devicekit_disk_t) kernel_read_network_state(devicekit_disk_t) @@ -135,10 +108,7 @@ dev_getattr_usbfs_dirs(devicekit_disk_t) dev_manage_generic_files(devicekit_disk_t) dev_getattr_all_chr_files(devicekit_disk_t) dev_getattr_mtrr_dev(devicekit_disk_t) -<<<<<<< HEAD dev_rw_generic_blk_files(devicekit_disk_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 domain_getattr_all_pipes(devicekit_disk_t) domain_getattr_all_sockets(devicekit_disk_t) @@ -147,25 +117,17 @@ domain_read_all_domains_state(devicekit_disk_t) files_dontaudit_read_all_symlinks(devicekit_disk_t) files_getattr_all_sockets(devicekit_disk_t) -<<<<<<< HEAD files_getattr_all_dirs(devicekit_disk_t) files_getattr_all_files(devicekit_disk_t) files_getattr_all_pipes(devicekit_disk_t) files_manage_boot_dirs(devicekit_disk_t) -======= -files_getattr_all_mountpoints(devicekit_disk_t) -files_getattr_all_files(devicekit_disk_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 files_manage_isid_type_dirs(devicekit_disk_t) files_manage_mnt_dirs(devicekit_disk_t) files_read_etc_files(devicekit_disk_t) files_read_etc_runtime_files(devicekit_disk_t) files_read_usr_files(devicekit_disk_t) -<<<<<<< HEAD fs_getattr_all_fs(devicekit_disk_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 fs_list_inotifyfs(devicekit_disk_t) fs_manage_fusefs_dirs(devicekit_disk_t) fs_mount_all_fs(devicekit_disk_t) 
@@ -180,27 +142,17 @@ storage_raw_write_fixed_disk(devicekit_disk_t) storage_raw_read_removable_device(devicekit_disk_t) storage_raw_write_removable_device(devicekit_disk_t) -<<<<<<< HEAD term_use_all_inherited_terms(devicekit_disk_t) auth_use_nsswitch(devicekit_disk_t) logging_send_syslog_msg(devicekit_disk_t) -======= -term_use_all_terms(devicekit_disk_t) - -auth_use_nsswitch(devicekit_disk_t) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 miscfiles_read_localization(devicekit_disk_t) userdom_read_all_users_state(devicekit_disk_t) userdom_search_user_home_dirs(devicekit_disk_t) -<<<<<<< HEAD userdom_manage_user_tmp_dirs(devicekit_disk_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 optional_policy(` dbus_system_bus_client(devicekit_disk_t) @@ -236,13 +188,10 @@ optional_policy(` ') optional_policy(` -<<<<<<< HEAD systemd_read_logind_sessions_files(devicekit_disk_t) ') optional_policy(` -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 udev_domtrans(devicekit_disk_t) udev_read_db(devicekit_disk_t) ') 
@@ -251,32 +200,23 @@ optional_policy(` virt_manage_images(devicekit_disk_t) ') -<<<<<<< HEAD optional_policy(` unconfined_domain(devicekit_t) unconfined_domain(devicekit_power_t) unconfined_domain(devicekit_disk_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # # DeviceKit-Power local policy # -<<<<<<< HEAD allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice }; allow devicekit_power_t self:process { getsched signal_perms }; -======= -allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace }; -allow devicekit_power_t self:process getsched; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow devicekit_power_t self:fifo_file rw_fifo_file_perms; allow devicekit_power_t self:unix_dgram_socket create_socket_perms; allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms; -<<<<<<< HEAD manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t) logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file) @@ -284,13 +224,10 @@ manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t) manage_files_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t) files_tmp_filetrans(devicekit_power_t, devicekit_tmp_t, { file dir }) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir) -<<<<<<< HEAD manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t) logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file) 
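Review bot: The kept `optional_policy` block in the first hunk on this line makes `devicekit_t`, `devicekit_power_t` and `devicekit_disk_t` unconfined whenever the module that provides `unconfined_domain` is loaded, which nullifies the capability narrowing this same commit keeps elsewhere in the file (for example dropping `sys_ptrace` from the `devicekit_disk_t` and `devicekit_power_t` self:capability rules). If this is a deliberate stop-gap it deserves a why-comment so it is not mistaken for the intended end state, e.g. `# TODO: devicekit domains run unconfined until <tracking reference — placeholder>; remove once the per-domain rules below are complete`. If it is not deliberate, dropping the block is the safer resolution.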
@@ -299,42 +236,26 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t) files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, dir) kernel_read_fs_sysctls(devicekit_power_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 kernel_read_network_state(devicekit_power_t) kernel_read_system_state(devicekit_power_t) kernel_rw_hotplug_sysctls(devicekit_power_t) kernel_rw_kernel_sysctl(devicekit_power_t) -<<<<<<< HEAD kernel_rw_vm_sysctls(devicekit_power_t) kernel_search_debugfs(devicekit_power_t) kernel_write_proc_files(devicekit_power_t) kernel_setsched(devicekit_power_t) -======= -kernel_search_debugfs(devicekit_power_t) -kernel_write_proc_files(devicekit_power_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 corecmd_exec_bin(devicekit_power_t) corecmd_exec_shell(devicekit_power_t) -<<<<<<< HEAD domain_read_all_domains_state(devicekit_power_t) dev_read_input(devicekit_power_t) dev_read_urand(devicekit_power_t) -======= -consoletype_exec(devicekit_power_t) - -domain_read_all_domains_state(devicekit_power_t) - -dev_read_input(devicekit_power_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 dev_rw_generic_usb_dev(devicekit_power_t) dev_rw_generic_chr_files(devicekit_power_t) dev_rw_netcontrol(devicekit_power_t) dev_rw_sysfs(devicekit_power_t) -<<<<<<< HEAD dev_read_rand(devicekit_power_t) dev_getattr_all_chr_files(devicekit_power_t) 
@@ -348,31 +269,16 @@ fs_list_inotifyfs(devicekit_power_t) fs_getattr_all_fs(devicekit_power_t) term_use_all_inherited_terms(devicekit_power_t) -======= - -files_read_kernel_img(devicekit_power_t) -files_read_etc_files(devicekit_power_t) -files_read_usr_files(devicekit_power_t) - -fs_list_inotifyfs(devicekit_power_t) - -term_use_all_terms(devicekit_power_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 auth_use_nsswitch(devicekit_power_t) miscfiles_read_localization(devicekit_power_t) -<<<<<<< HEAD seutil_exec_setfiles(devicekit_power_t) sysnet_read_config(devicekit_power_t) sysnet_domtrans_ifconfig(devicekit_power_t) sysnet_domtrans_dhcpc(devicekit_power_t) -======= -sysnet_read_config(devicekit_power_t) -sysnet_domtrans_ifconfig(devicekit_power_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 userdom_read_all_users_state(devicekit_power_t) @@ -381,16 +287,12 @@ optional_policy(` ') optional_policy(` -<<<<<<< HEAD consoletype_exec(devicekit_power_t) ') optional_policy(` cron_initrc_domtrans(devicekit_power_t) cron_systemctl(devicekit_power_t) -======= - cron_initrc_domtrans(devicekit_power_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') optional_policy(` @@ -416,29 +318,21 @@ optional_policy(` ') optional_policy(` -<<<<<<< HEAD gnome_manage_home_config(devicekit_power_t) ') optional_policy(` hal_domtrans_mac(devicekit_power_t) -======= - hal_domtrans_mac(devicekit_power_t) - hal_manage_log(devicekit_power_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 hal_manage_pid_dirs(devicekit_power_t) hal_manage_pid_files(devicekit_power_t) hal_dbus_chat(devicekit_power_t) ') optional_policy(` -<<<<<<< HEAD networkmanager_domtrans(devicekit_power_t) ') optional_policy(` -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 policykit_dbus_chat(devicekit_power_t) policykit_domtrans_auth(devicekit_power_t) policykit_read_lib(devicekit_power_t) 
@@ -446,7 +340,6 @@ optional_policy(` ') optional_policy(` -<<<<<<< HEAD modutils_domtrans_insmod(devicekit_power_t) ') @@ -459,13 +352,10 @@ optional_policy(` ') optional_policy(` -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 udev_read_db(devicekit_power_t) ') optional_policy(` -<<<<<<< HEAD usbmuxd_stream_connect(devicekit_power_t) ') @@ -477,7 +367,5 @@ optional_policy(` corenet_tcp_connect_xserver_port(devicekit_power_t) xserver_stream_connect(devicekit_power_t) ') -======= vbetool_domtrans(devicekit_power_t) ') ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/dhcp.fc b/dhcp.fc index 2c855f8..9553bcf 100644 --- a/dhcp.fc +++ b/dhcp.fc @@ -1,18 +1,10 @@ -<<<<<<< HEAD /etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0) /usr/lib/systemd/system/dhcpcd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0) -======= -/etc/rc\.d/init\.d/dhcpd -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0) /var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0) /var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0) -<<<<<<< HEAD /var/run/dhcpd(6)?\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0) -======= -/var/run/dhcpd\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/dhcp.if b/dhcp.if index 6de349d..2ab8a14 100644 --- a/dhcp.if +++ b/dhcp.if @@ -36,11 +36,7 @@ interface(`dhcpd_setattr_state_files',` ') sysnet_search_dhcp_state($1) -<<<<<<< HEAD allow $1 dhcpd_state_t:file setattr_file_perms; -======= - allow $1 dhcpd_state_t:file setattr; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## 
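Review bot: In the `@@ -477,7 +367,5 @@` hunk, after the `')` that closes the xserver `optional_policy` block, `vbetool_domtrans(devicekit_power_t)` and a second `')` are kept as bare lines at the end of the file. The `optional_policy(`` they belonged to was on the other side of the conflict and is gone, so the call now sits outside any optional block and the trailing `')` is unmatched, which will break m4 quoting when the module is built. Either drop both lines or restore the wrapper: `optional_policy(`` / `	vbetool_domtrans(devicekit_power_t)` / `')`.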
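Review bot: In the dhcp.fc hunk the kept pattern `/usr/lib/systemd/system/dhcpcd.* -- ... dhcpd_unit_file_t` does not match the server's own units: the neighbouring patterns in the same hunk use `dhcpd(6)?` for the init script and the pid file, so `dhcpd.service`/`dhcpd6.service` would keep the generic unit-file label and `dhcpd_unit_file_t` (which `dhcpd_admin` grants `all_service_perms` on) would label nothing unless units literally named dhcpcd* exist. This looks like a typo for `/usr/lib/systemd/system/dhcpd.*`; worth confirming against the installed unit names before merging.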
@@ -64,7 +60,6 @@ interface(`dhcpd_initrc_domtrans',` ######################################## ## -<<<<<<< HEAD ## Execute dhcpd server in the dhcpd domain. ## ## @@ -89,8 +84,6 @@ interface(`dhcpd_systemctl',` ######################################## ## -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## All of the rules required to administrate ## an dhcp environment ## @@ -108,7 +101,6 @@ interface(`dhcpd_systemctl',` # interface(`dhcpd_admin',` gen_require(` -<<<<<<< HEAD type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t; type dhcpd_var_run_t, dhcpd_initrc_exec_t; type dhcpd_unit_file_t; @@ -119,14 +111,6 @@ interface(`dhcpd_admin',` tunable_policy(`deny_ptrace',`',` allow $1 dhcpd_t:process ptrace; ') -======= - type dhcpd_t; type dhcpd_tmp_t; type dhcpd_state_t; - type dhcpd_var_run_t, dhcpd_initrc_exec_t; - ') - - allow $1 dhcpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, dhcpd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 init_labeled_script_domtrans($1, dhcpd_initrc_exec_t) domain_system_change_exemption($1) @@ -140,11 +124,8 @@ interface(`dhcpd_admin',` files_list_pids($1) admin_pattern($1, dhcpd_var_run_t) -<<<<<<< HEAD dhcpd_systemctl($1) admin_pattern($1, dhcpd_unit_file_t) allow $1 dhcpd_unit_file_t:service all_service_perms; -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') diff --git a/dhcp.te b/dhcp.te index a2966fc..efcb3b8 100644 --- a/dhcp.te +++ b/dhcp.te @@ -1,16 +1,10 @@ -<<<<<<< HEAD -policy_module(dhcp, 1.9.0) -======= policy_module(dhcp, 1.9.2) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # # Declarations # -<<<<<<< HEAD -======= ## ##

## Allow DHCP daemon to use LDAP backends @@ -18,7 +12,6 @@ policy_module(dhcp, 1.9.2) ## gen_tunable(dhcpd_use_ldap, false) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type dhcpd_t; type dhcpd_exec_t; init_daemon_domain(dhcpd_t, dhcpd_exec_t) @@ -26,12 +19,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t) type dhcpd_initrc_exec_t; init_script_file(dhcpd_initrc_exec_t) -<<<<<<< HEAD type dhcpd_unit_file_t; systemd_unit_file(dhcpd_unit_file_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type dhcpd_state_t; files_type(dhcpd_state_t) @@ -46,15 +36,9 @@ files_pid_file(dhcpd_var_run_t) # Local policy # -<<<<<<< HEAD allow dhcpd_t self:capability { dac_override sys_chroot net_raw setgid setuid sys_resource }; dontaudit dhcpd_t self:capability { net_admin sys_tty_config }; allow dhcpd_t self:process { getcap setcap signal_perms }; -======= -allow dhcpd_t self:capability { net_raw sys_resource }; -dontaudit dhcpd_t self:capability { net_admin sys_tty_config }; -allow dhcpd_t self:process signal_perms; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow dhcpd_t self:fifo_file rw_fifo_file_perms; allow dhcpd_t self:unix_dgram_socket create_socket_perms; allow dhcpd_t self:unix_stream_socket create_socket_perms; @@ -99,11 +83,7 @@ corenet_tcp_connect_all_ports(dhcpd_t) corenet_sendrecv_dhcpd_server_packets(dhcpd_t) corenet_sendrecv_pxe_server_packets(dhcpd_t) corenet_sendrecv_all_client_packets(dhcpd_t) -<<<<<<< HEAD corenet_dontaudit_udp_bind_all_reserved_ports(dhcpd_t) -======= -# Needed to detect open number of interfaces (common/discover.c::begin_iface_scan) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 corenet_udp_bind_all_unreserved_ports(dhcpd_t) dev_read_sysfs(dhcpd_t) 
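Review bot: The resolved self:capability rule in the `@@ -46,15 +36,9 @@` hunk grants `dhcpd_t` `dac_override`, `sys_chroot`, `setgid` and `setuid` unconditionally, where the discarded side granted only `net_raw sys_resource`, and the `distro_gentoo` block later in the file still adds the same capabilities, so that ifdef is now largely redundant. `dac_override` lets the daemon bypass DAC permission checks on every file it touches, so it should not be granted without a stated reason; a why-comment above the rule, e.g. `# dac_override/setuid/setgid/sys_chroot: required for <reason — confirm from audit data>`, would record the intent and make the grant reviewable later.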
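Review bot: In the `@@ -99,11 +83,7 @@` hunk the why-comment `# Needed to detect open number of interfaces (common/discover.c::begin_iface_scan)` is removed with the discarded side, while the rule it explained, `corenet_udp_bind_all_unreserved_ports(dhcpd_t)`, stays as context. Binding every unreserved UDP port is a broad grant, so the justification is worth keeping; restore the comment on the line directly above the call.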
@@ -133,11 +113,14 @@ sysnet_read_dhcp_config(dhcpd_t) userdom_dontaudit_use_unpriv_user_fds(dhcpd_t) userdom_dontaudit_search_user_home_dirs(dhcpd_t) +tunable_policy(`dhcpd_use_ldap',` + sysnet_use_ldap(dhcpd_t) +') + ifdef(`distro_gentoo',` allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot }; ') -<<<<<<< HEAD optional_policy(` # used for dynamic DNS bind_read_dnssec_keys(dhcpd_t) @@ -145,15 +128,11 @@ optional_policy(` optional_policy(` cobbler_dontaudit_rw_log(dhcpd_t) -======= -tunable_policy(`dhcpd_use_ldap',` - sysnet_use_ldap(dhcpd_t) -') + optional_policy(` # used for dynamic DNS bind_read_dnssec_keys(dhcpd_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') optional_policy(` diff --git a/djbdns.te b/djbdns.te index 35b2d32..62fbae1 100644 --- a/djbdns.te +++ b/djbdns.te @@ -23,12 +23,9 @@ djbdns_daemontools_domain_template(tinydns) # Local policy for axfrdns component # -<<<<<<< HEAD -======= daemontools_ipc_domain(djbdns_axfrdns_t) daemontools_read_svc(djbdns_axfrdns_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot }; allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:dir list_dir_perms; @@ -42,12 +39,9 @@ allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file read_file_perms; files_search_var(djbdns_axfrdns_t) -<<<<<<< HEAD daemontools_ipc_domain(djbdns_axfrdns_t) daemontools_read_svc(djbdns_axfrdns_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t) ######################################## diff --git a/dkim.te b/dkim.te index 299d6df..cc1199e 100644 --- a/dkim.te +++ b/dkim.te @@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(dkim, 1.0.0) -======= policy_module(dkim, 1.1.0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # 
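Review bot: In the `@@ -145,15 +128,11 @@` hunk the `optional_policy(`` block that holds `cobbler_dontaudit_rw_log(dhcpd_t)` is never closed: the added blank line is followed directly by a second `optional_policy(`` that repeats the `# used for dynamic DNS` / `bind_read_dnssec_keys(dhcpd_t)` block already kept at the end of the previous hunk, and the single `')` closes only that inner block. This leaves the m4 quoting unbalanced for the rest of the file (or, at best, nests the bind rule under the cobbler module) and duplicates the dynamic-DNS rule. The fix is to add `')` directly after `cobbler_dontaudit_rw_log(dhcpd_t)` and delete the repeated bind block.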
@@ -21,10 +17,7 @@ files_type(dkim_milter_private_key_t) # allow dkim_milter_t self:capability { setgid setuid }; -<<<<<<< HEAD -======= allow dkim_milter_t self:process signal; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t) @@ -33,10 +26,7 @@ kernel_read_kernel_sysctls(dkim_milter_t) dev_read_urand(dkim_milter_t) files_read_etc_files(dkim_milter_t) -<<<<<<< HEAD -======= files_search_spool(dkim_milter_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 sysnet_dns_name_resolve(dkim_milter_t) diff --git a/dmidecode.te b/dmidecode.te index bed149a..5db989e 100644 --- a/dmidecode.te +++ b/dmidecode.te @@ -27,8 +27,4 @@ files_list_usr(dmidecode_t) locallogin_use_fds(dmidecode_t) -<<<<<<< HEAD userdom_use_inherited_user_terminals(dmidecode_t) -======= -userdom_use_user_terminals(dmidecode_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/dnsmasq.fc b/dnsmasq.fc index 58ecdc5..3d5ca2b 100644 --- a/dnsmasq.fc +++ b/dnsmasq.fc @@ -1,21 +1,14 @@ /etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0) /etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0) -<<<<<<< HEAD /usr/lib/systemd/system/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_unit_file_t,s0) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0) /var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0) /var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0) -<<<<<<< HEAD /var/log/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_log_t,s0) -======= -/var/log/dnsmasq\.log gen_context(system_u:object_r:dnsmasq_var_log_t,s0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) /var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) 
diff --git a/dnsmasq.if b/dnsmasq.if
index 73e590f..9b48f71 100644
--- a/dnsmasq.if
+++ b/dnsmasq.if
@@ -10,10 +10,6 @@
 ##

## # -<<<<<<< HEAD -======= -# ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 interface(`dnsmasq_domtrans',` gen_require(` type dnsmasq_exec_t, dnsmasq_t; @@ -23,7 +19,6 @@ interface(`dnsmasq_domtrans',` domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t) ') -<<<<<<< HEAD ####################################### ## ## Execute dnsmasq server in the caller domain. @@ -42,8 +37,6 @@ interface(`dnsmasq_exec',` can_exec($1, dnsmasq_exec_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## ## ## Execute the dnsmasq init script in the init script domain. @@ -65,7 +58,6 @@ interface(`dnsmasq_initrc_domtrans',` ######################################## ## -<<<<<<< HEAD ## Execute dnsmasq server in the dnsmasq domain. ## ## @@ -89,8 +81,6 @@ interface(`dnsmasq_systemctl',` ######################################## ## -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## Send dnsmasq a signal ## ## @@ -151,15 +141,9 @@ interface(`dnsmasq_kill',` ## Read dnsmasq config files. ## ## -<<<<<<< HEAD -## -## Domain allowed access. -## -======= ## ## Domain allowed access. ## ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## # interface(`dnsmasq_read_config',` @@ -176,15 +160,9 @@ interface(`dnsmasq_read_config',` ## Write to dnsmasq config files. ## ## -<<<<<<< HEAD -## -## Domain allowed access. -## -======= ## ## Domain allowed access. ## ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## # interface(`dnsmasq_write_config',` @@ -206,19 +184,12 @@ interface(`dnsmasq_write_config',` ##
## # -<<<<<<< HEAD -======= -# ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 interface(`dnsmasq_delete_pid_files',` gen_require(` type dnsmasq_var_run_t; ') -<<<<<<< HEAD files_search_pids($1) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) ') @@ -232,25 +203,17 @@ interface(`dnsmasq_delete_pid_files',` ##
## # -<<<<<<< HEAD -======= -# ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 interface(`dnsmasq_read_pid_files',` gen_require(` type dnsmasq_var_run_t; ') -<<<<<<< HEAD files_search_pids($1) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) ') ######################################## ## -<<<<<<< HEAD ## Create dnsmasq pid dirs ## ## @@ -314,8 +277,6 @@ interface(`dnsmasq_filetrans_named_content',` ######################################## ## -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## All of the rules required to administrate ## an dnsmasq environment ## @@ -335,7 +296,6 @@ interface(`dnsmasq_admin',` gen_require(` type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t; type dnsmasq_initrc_exec_t; -<<<<<<< HEAD type dnsmasq_unit_file_t; ') @@ -344,12 +304,6 @@ interface(`dnsmasq_admin',` tunable_policy(`deny_ptrace',`',` allow $1 dnsmasq_t:process ptrace; ') -======= - ') - - allow $1 dnsmasq_t:process { ptrace signal_perms }; - ps_process_pattern($1, dnsmasq_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) domain_system_change_exemption($1) @@ -361,11 +315,8 @@ interface(`dnsmasq_admin',` files_list_pids($1) admin_pattern($1, dnsmasq_var_run_t) -<<<<<<< HEAD dnsmasq_systemctl($1) admin_pattern($1, dnsmasq_unit_file_t) allow $1 dnsmasq_unit_file_t:service all_service_perms; -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') diff --git a/dnsmasq.te b/dnsmasq.te index f93777b..1a2a666 100644 --- a/dnsmasq.te +++ b/dnsmasq.te @@ -24,12 +24,9 @@ logging_log_file(dnsmasq_var_log_t) type dnsmasq_var_run_t; files_pid_file(dnsmasq_var_run_t) -<<<<<<< HEAD type dnsmasq_unit_file_t; systemd_unit_file(dnsmasq_unit_file_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # # Local policy 
@@ -54,7 +51,6 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file) manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t) logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file) -<<<<<<< HEAD manage_dirs_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t) manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t) files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file }) @@ -63,13 +59,6 @@ kernel_read_kernel_sysctls(dnsmasq_t) kernel_read_system_state(dnsmasq_t) kernel_read_network_state(dnsmasq_t) kernel_request_load_module(dnsmasq_t) -======= -manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t) -files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file) - -kernel_read_kernel_sysctls(dnsmasq_t) -kernel_read_system_state(dnsmasq_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 corenet_all_recvfrom_unlabeled(dnsmasq_t) corenet_all_recvfrom_netlabel(dnsmasq_t) @@ -105,11 +94,8 @@ logging_send_syslog_msg(dnsmasq_t) miscfiles_read_localization(dnsmasq_t) -<<<<<<< HEAD sysnet_dns_name_resolve(dnsmasq_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) userdom_dontaudit_search_user_home_dirs(dnsmasq_t) @@ -118,7 +104,6 @@ optional_policy(` ') optional_policy(` -<<<<<<< HEAD cron_manage_pid_files(dnsmasq_t) ') @@ -133,9 +118,6 @@ optional_policy(` optional_policy(` ppp_read_pid_files(dnsmasq_t) -======= - dbus_system_bus_client(dnsmasq_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') optional_policy(` @@ -152,11 +134,7 @@ optional_policy(` optional_policy(` virt_manage_lib_files(dnsmasq_t) -<<<<<<< HEAD virt_read_lib_files(dnsmasq_t) virt_read_pid_files(dnsmasq_t) virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file }) -======= - virt_read_pid_files(dnsmasq_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') diff --git a/dovecot.fc b/dovecot.fc index 3f712b7..ed55d7c 100644 --- a/dovecot.fc +++ b/dovecot.fc 
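Review bot: In the `@@ -133,9 +118,6 @@` hunk `dbus_system_bus_client(dnsmasq_t)` from the discarded side is dropped together with the conflict markers, leaving the kept `optional_policy` with only `ppp_read_pid_files(dnsmasq_t)`. The region between this hunk and the previous one is not visible, so if no dbus `optional_policy` survives there, a dnsmasq instance started with DBus support would be denied the system bus. Confirm before merging, or re-add the call in its own `optional_policy(`` block rather than inside the ppp one.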
@@ -9,14 +9,11 @@ /etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0) /etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0) -<<<<<<< HEAD -======= # Debian uses /etc/dovecot/ ifdef(`distro_debian',` /etc/dovecot/passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) ') ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # # /usr # @@ -27,20 +24,13 @@ ifdef(`distro_debian',` ifdef(`distro_debian', ` /usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) -<<<<<<< HEAD /usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ifdef(`distro_redhat', ` /usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) /usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) -<<<<<<< HEAD -/usr/libexec/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) -======= /usr/libexec/dovecot/deliver-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) ') @@ -48,10 +38,7 @@ ifdef(`distro_redhat', ` # /var # /var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0) -<<<<<<< HEAD /var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 /var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0) diff --git a/dovecot.if b/dovecot.if index 9241529..df96c0d 100644 --- a/dovecot.if +++ b/dovecot.if @@ -1,6 +1,5 @@ ## Dovecot POP and IMAP mail server -<<<<<<< HEAD ####################################### ## ## Connect to dovecot unix domain stream socket. 
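Review bot: In the `@@ -27,20 +24,13 @@` hunk the two sides labeled different LDA binaries, `/usr/libexec/dovecot/dovecot-lda` on HEAD and `/usr/libexec/dovecot/deliver-lda` on the merged branch, and the resolution keeps only `deliver-lda`. If the installed package ships `dovecot-lda` (the name HEAD used), that binary no longer gets `dovecot_deliver_exec_t` and the transition into the deliver domain would not happen for it, so local delivery would run in the caller's domain. Confirm the actual file names and label whichever of the two exist; keeping both entries is harmless if one is absent.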
@@ -20,8 +19,6 @@ interface(`dovecot_stream_connect',` stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## ## ## Connect to dovecot auth unix domain stream socket. @@ -31,20 +28,14 @@ interface(`dovecot_stream_connect',` ## Domain allowed access. ## ## -<<<<<<< HEAD -======= ## ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # interface(`dovecot_stream_connect_auth',` gen_require(` type dovecot_auth_t, dovecot_var_run_t; ') -<<<<<<< HEAD files_search_pids($1) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t) ') @@ -81,10 +72,7 @@ interface(`dovecot_manage_spool',` type dovecot_spool_t; ') -<<<<<<< HEAD files_search_spool($1) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t) manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t) ') @@ -107,7 +95,6 @@ interface(`dovecot_dontaudit_unlink_lib_files',` dontaudit $1 dovecot_var_lib_t:file unlink; ') -<<<<<<< HEAD ###################################### ## ## Allow attempts to write inherited @@ -127,8 +114,6 @@ interface(`dovecot_write_inherited_tmp_files',` allow $1 dovecot_tmp_t:file write; ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## ## ## All of the rules required to administrate @@ -148,7 +133,6 @@ interface(`dovecot_write_inherited_tmp_files',` # interface(`dovecot_admin',` gen_require(` -<<<<<<< HEAD type dovecot_t, dovecot_etc_t, dovecot_auth_tmp_t; type dovecot_spool_t, dovecot_var_lib_t, dovecot_var_log_t; type dovecot_var_run_t, dovecot_tmp_t, dovecot_keytab_t; 
@@ -160,18 +144,6 @@ interface(`dovecot_admin',` tunable_policy(`deny_ptrace',`',` allow $1 dovecot_t:process ptrace; ') -======= - type dovecot_t, dovecot_etc_t, dovecot_log_t; - type dovecot_spool_t, dovecot_var_lib_t; - type dovecot_var_run_t; - - type dovecot_cert_t, dovecot_passwd_t; - type dovecot_initrc_exec_t; - ') - - allow $1 dovecot_t:process { ptrace signal_perms }; - ps_process_pattern($1, dovecot_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 init_labeled_script_domtrans($1, dovecot_initrc_exec_t) domain_system_change_exemption($1) @@ -181,16 +153,11 @@ interface(`dovecot_admin',` files_list_etc($1) admin_pattern($1, dovecot_etc_t) -<<<<<<< HEAD files_list_tmp($1) admin_pattern($1, dovecot_auth_tmp_t) admin_pattern($1, dovecot_tmp_t) admin_pattern($1, dovecot_keytab_t) -======= - logging_list_logs($1) - admin_pattern($1, dovecot_log_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 files_list_spool($1) admin_pattern($1, dovecot_spool_t) @@ -198,12 +165,9 @@ interface(`dovecot_admin',` files_list_var_lib($1) admin_pattern($1, dovecot_var_lib_t) -<<<<<<< HEAD logging_search_logs($1) admin_pattern($1, dovecot_var_log_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 files_list_pids($1) admin_pattern($1, dovecot_var_run_t) diff --git a/dovecot.te b/dovecot.te index 9813e32..ef8b0d7 100644 --- a/dovecot.te +++ b/dovecot.te @@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(dovecot, 1.12.1) -======= policy_module(dovecot, 1.14.0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -22,11 +18,7 @@ type dovecot_auth_tmp_t; files_tmp_file(dovecot_auth_tmp_t) type dovecot_cert_t; -<<<<<<< HEAD miscfiles_cert_type(dovecot_cert_t) -======= -files_type(dovecot_cert_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type dovecot_deliver_t; type dovecot_deliver_exec_t; 
@@ -34,12 +26,9 @@ domain_type(dovecot_deliver_t) domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t) role system_r types dovecot_deliver_t; -<<<<<<< HEAD type dovecot_deliver_tmp_t; files_tmp_file(dovecot_deliver_tmp_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type dovecot_etc_t; files_config_file(dovecot_etc_t) @@ -50,11 +39,7 @@ type dovecot_passwd_t; files_type(dovecot_passwd_t) type dovecot_spool_t; -<<<<<<< HEAD files_spool_file(dovecot_spool_t) -======= -files_type(dovecot_spool_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type dovecot_tmp_t; files_tmp_file(dovecot_tmp_t) @@ -74,15 +59,9 @@ files_pid_file(dovecot_var_run_t) # dovecot local policy # -<<<<<<< HEAD allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill net_bind_service setgid setuid sys_chroot }; dontaudit dovecot_t self:capability sys_tty_config; allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched }; -======= -allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot }; -dontaudit dovecot_t self:capability sys_tty_config; -allow dovecot_t self:process { setrlimit signal_perms getcap setcap }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow dovecot_t self:fifo_file rw_fifo_file_perms; allow dovecot_t self:tcp_socket create_stream_socket_perms; allow dovecot_t self:unix_dgram_socket create_socket_perms; 
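Review bot: The kept side of the `@@ -74,15 +59,9 @@` hunk widens dovecot_t beyond the upstream rule set — `fsetid` is added to the self:capability list and `setsched` to self:process — with no comment saying which operation needs them. A capability grant introduced by a merge resolution is easy to lose track of; add a one-line why-comment above the allow rule, e.g. `# fsetid/setsched: needed for <operation — TODO confirm from the denial that motivated it>`, or drop the extra permissions if no denial is on record. The same applies to the dovecot_auth_t rules in the `@@ -255,13 +205,8 @@` hunk, where `ipc_lock`, `sys_nice`, `getsched`/`setsched` and `corecmd_exec_bin(dovecot_auth_t)` are kept over the narrower upstream set.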
@@ -96,13 +75,9 @@ allow dovecot_t dovecot_cert_t:dir list_dir_perms; read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t) read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t) -<<<<<<< HEAD allow dovecot_t dovecot_etc_t:dir list_dir_perms; read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t) read_lnk_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t) -======= -allow dovecot_t dovecot_etc_t:file read_file_perms; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 files_search_etc(dovecot_t) can_exec(dovecot_t, dovecot_exec_t) @@ -124,19 +99,12 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) -<<<<<<< HEAD manage_dirs_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file }) -======= -manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) -manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) -manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) -files_pid_filetrans(dovecot_t, dovecot_var_run_t, file) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 kernel_read_kernel_sysctls(dovecot_t) kernel_read_system_state(dovecot_t) 
@@ -149,10 +117,7 @@ corenet_tcp_sendrecv_all_ports(dovecot_t) corenet_tcp_bind_generic_node(dovecot_t) corenet_tcp_bind_mail_port(dovecot_t) corenet_tcp_bind_pop_port(dovecot_t) -<<<<<<< HEAD corenet_tcp_bind_lmtp_port(dovecot_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 corenet_tcp_bind_sieve_port(dovecot_t) corenet_tcp_connect_all_ports(dovecot_t) corenet_tcp_connect_postgresql_port(dovecot_t) @@ -178,10 +143,7 @@ files_dontaudit_list_default(dovecot_t) # Dovecot now has quota support and it uses getmntent() to find the mountpoints. files_read_etc_runtime_files(dovecot_t) files_search_all_mountpoints(dovecot_t) -<<<<<<< HEAD files_read_var_lib_files(dovecot_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 init_getattr_utmp(dovecot_t) @@ -192,10 +154,7 @@ logging_send_syslog_msg(dovecot_t) miscfiles_read_generic_certs(dovecot_t) miscfiles_read_localization(dovecot_t) -<<<<<<< HEAD userdom_home_manager(dovecot_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 userdom_dontaudit_use_unpriv_user_fds(dovecot_t) userdom_manage_user_home_content_dirs(dovecot_t) userdom_manage_user_home_content_files(dovecot_t) @@ -205,17 +164,13 @@ userdom_manage_user_home_content_sockets(dovecot_t) userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file }) mta_manage_spool(dovecot_t) -<<<<<<< HEAD mta_read_home_rw(dovecot_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 optional_policy(` kerberos_keytab_template(dovecot, dovecot_t) ') optional_policy(` -<<<<<<< HEAD gnome_manage_data(dovecot_t) ') @@ -225,20 +180,15 @@ optional_policy(` ') optional_policy(` -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 postgresql_stream_connect(dovecot_t) ') optional_policy(` -<<<<<<< HEAD # Handle sieve scripts sendmail_domtrans(dovecot_t) ') optional_policy(` -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 seutil_sigchld_newrole(dovecot_t) ') 
@@ -255,13 +205,8 @@ optional_policy(` # dovecot auth local policy # -<<<<<<< HEAD allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice }; allow dovecot_auth_t self:process { getsched setsched signal_perms getcap setcap }; -======= -allow dovecot_auth_t self:capability { chown dac_override setgid setuid }; -allow dovecot_auth_t self:process { signal_perms getcap setcap }; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow dovecot_auth_t self:fifo_file rw_fifo_file_perms; allow dovecot_auth_t self:unix_dgram_socket create_socket_perms; allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; @@ -270,12 +215,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t) -<<<<<<< HEAD read_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t) read_lnk_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) @@ -287,18 +229,12 @@ dovecot_stream_connect_auth(dovecot_auth_t) kernel_read_all_sysctls(dovecot_auth_t) kernel_read_system_state(dovecot_auth_t) -<<<<<<< HEAD corecmd_exec_bin(dovecot_auth_t) logging_send_audit_msgs(dovecot_auth_t) logging_send_syslog_msg(dovecot_auth_t) dev_search_sysfs(dovecot_auth_t) -======= -logging_send_audit_msgs(dovecot_auth_t) -logging_send_syslog_msg(dovecot_auth_t) - ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 dev_read_urand(dovecot_auth_t) auth_domtrans_chk_passwd(dovecot_auth_t) 
@@ -311,12 +247,8 @@ files_read_usr_files(dovecot_auth_t) files_read_usr_symlinks(dovecot_auth_t) files_read_var_lib_files(dovecot_auth_t) files_search_tmp(dovecot_auth_t) -<<<<<<< HEAD fs_getattr_xattr_fs(dovecot_auth_t) -======= -files_read_var_lib_files(dovecot_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 init_rw_utmp(dovecot_auth_t) @@ -336,11 +268,8 @@ optional_policy(` optional_policy(` mysql_search_db(dovecot_auth_t) mysql_stream_connect(dovecot_auth_t) -<<<<<<< HEAD mysql_read_config(dovecot_auth_t) mysql_tcp_connect(dovecot_auth_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') optional_policy(` @@ -348,11 +277,8 @@ optional_policy(` ') optional_policy(` -<<<<<<< HEAD postfix_manage_private_sockets(dovecot_auth_t) postfix_rw_master_pipes(dovecot_deliver_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 postfix_search_spool(dovecot_auth_t) ') @@ -360,16 +286,12 @@ optional_policy(` # # dovecot deliver local policy # -<<<<<<< HEAD allow dovecot_deliver_t self:fifo_file rw_fifo_file_perms; -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; allow dovecot_deliver_t dovecot_t:process signull; -<<<<<<< HEAD allow dovecot_deliver_t dovecot_etc_t:dir list_dir_perms; read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t) read_lnk_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t) 
@@ -387,30 +309,19 @@ read_sock_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t) dovecot_stream_connect(dovecot_deliver_t) can_exec(dovecot_deliver_t, dovecot_deliver_exec_t) -======= -allow dovecot_deliver_t dovecot_etc_t:file read_file_perms; -allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 kernel_read_all_sysctls(dovecot_deliver_t) kernel_read_system_state(dovecot_deliver_t) -<<<<<<< HEAD corecmd_exec_bin(dovecot_deliver_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 files_read_etc_files(dovecot_deliver_t) files_read_etc_runtime_files(dovecot_deliver_t) auth_use_nsswitch(dovecot_deliver_t) logging_send_syslog_msg(dovecot_deliver_t) -<<<<<<< HEAD logging_append_all_logs(dovecot_deliver_t) -======= -logging_search_logs(dovecot_auth_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 miscfiles_read_localization(dovecot_deliver_t) @@ -427,7 +338,6 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t) userdom_manage_user_home_content_sockets(dovecot_deliver_t) userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) -<<<<<<< HEAD userdom_home_manager(dovecot_deliver_t) optional_policy(` 
@@ -446,26 +356,4 @@ optional_policy(` optional_policy(` # Handle sieve scripts sendmail_domtrans(dovecot_deliver_t) -======= -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(dovecot_deliver_t) - fs_manage_nfs_files(dovecot_deliver_t) - fs_manage_nfs_symlinks(dovecot_deliver_t) - fs_manage_nfs_dirs(dovecot_t) - fs_manage_nfs_files(dovecot_t) - fs_manage_nfs_symlinks(dovecot_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(dovecot_deliver_t) - fs_manage_cifs_files(dovecot_deliver_t) - fs_manage_cifs_symlinks(dovecot_deliver_t) - fs_manage_cifs_dirs(dovecot_t) - fs_manage_cifs_files(dovecot_t) - fs_manage_cifs_symlinks(dovecot_t) -') - -optional_policy(` - mta_manage_spool(dovecot_deliver_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') diff --git a/dpkg.if b/dpkg.if index b485ec4..4d32b42 100644 --- a/dpkg.if +++ b/dpkg.if @@ -62,21 +62,11 @@ interface(`dpkg_domtrans_script',` # interface(`dpkg_run',` gen_require(` -<<<<<<< HEAD - type dpkg_t, dpkg_script_t; - ') - - dpkg_domtrans($1) - role $2 types dpkg_t; - role $2 types dpkg_script_t; - seutil_run_loadpolicy(dpkg_script_t, $2) -======= attribute_role dpkg_roles; ') dpkg_domtrans($1) roleattribute $2 dpkg_roles; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## diff --git a/dpkg.te b/dpkg.te index eb8f631..a1b8f92 100644 --- a/dpkg.te +++ b/dpkg.te @@ -1,20 +1,13 @@ -<<<<<<< HEAD -policy_module(dpkg, 1.7.0) -======= policy_module(dpkg, 1.9.1) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # # Declarations # -<<<<<<< HEAD -======= attribute_role dpkg_roles; roleattribute system_r dpkg_roles; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type dpkg_t; type dpkg_exec_t; # dpkg can start/stop services 
@@ -24,19 +17,11 @@ domain_obj_id_change_exemption(dpkg_t) domain_role_change_exemption(dpkg_t) domain_system_change_exemption(dpkg_t) domain_interactive_fd(dpkg_t) -<<<<<<< HEAD -role system_r types dpkg_t; - -# lockfile -type dpkg_lock_t; -files_lock_file(dpkg_lock_t) -======= role dpkg_roles types dpkg_t; # lockfile type dpkg_lock_t; files_type(dpkg_lock_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type dpkg_tmp_t; files_tmp_file(dpkg_tmp_t) @@ -56,11 +41,7 @@ corecmd_shell_entry_type(dpkg_script_t) domain_obj_id_change_exemption(dpkg_script_t) domain_system_change_exemption(dpkg_script_t) domain_interactive_fd(dpkg_script_t) -<<<<<<< HEAD -role system_r types dpkg_script_t; -======= role dpkg_roles types dpkg_script_t; ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type dpkg_script_tmp_t; files_tmp_file(dpkg_script_tmp_t) @@ -162,13 +143,8 @@ storage_raw_write_fixed_disk(dpkg_t) # for installing kernel packages storage_raw_read_fixed_disk(dpkg_t) -<<<<<<< HEAD -auth_relabel_all_files_except_shadow(dpkg_t) -auth_manage_all_files_except_shadow(dpkg_t) -======= files_relabel_non_auth_files(dpkg_t) files_manage_non_auth_files(dpkg_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 auth_dontaudit_read_shadow(dpkg_t) files_exec_etc_files(dpkg_t) @@ -178,11 +154,7 @@ init_use_script_ptys(dpkg_t) libs_exec_ld_so(dpkg_t) libs_exec_lib_files(dpkg_t) -<<<<<<< HEAD -libs_domtrans_ldconfig(dpkg_t) -======= libs_run_ldconfig(dpkg_t, dpkg_roles) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 logging_send_syslog_msg(dpkg_t) @@ -192,11 +164,7 @@ seutil_manage_bin_policy(dpkg_t) sysnet_read_config(dpkg_t) -<<<<<<< HEAD -userdom_use_inherited_user_terminals(dpkg_t) -======= userdom_use_user_terminals(dpkg_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 userdom_use_unpriv_users_fds(dpkg_t) # transition to dpkg script: 
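Review bot: `files_type(dpkg_lock_t)` is kept under the `# lockfile` comment while the HEAD-side `files_lock_file(dpkg_lock_t)` is dropped, in the `@@ -24,19 +17,11 @@` hunk. files_type() only marks the type as a file type; files_lock_file() additionally assigns the lockfile attribute, so with this resolution generic lock-file interfaces such as `files_manage_all_locks()` no longer cover dpkg_lock_t and the comment no longer matches the declaration. Unless losing the attribute was intentional, the line should read `files_lock_file(dpkg_lock_t)`.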
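Review bot: The `@@ -192,11 +164,7 @@` hunk resolves the terminal rule to `userdom_use_user_terminals(dpkg_t)`, dropping the HEAD-side `userdom_use_inherited_user_terminals(dpkg_t)`, and the `@@ -336,45 +285,28 @@` hunk does the same for dpkg_script_t with `term_use_all_terms`. The non-inherited interfaces also permit opening terminal devices rather than only reading and writing descriptors inherited from the caller, which is the broader grant, and the evolution.te resolution in this same commit keeps `userdom_use_inherited_user_terminals(evolution_t)`. If the inherited variants exist in this tree, the dpkg choice looks inconsistent and should be confirmed as intentional.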
@@ -228,24 +196,6 @@ domain_signull_all_domains(dpkg_t) files_read_etc_runtime_files(dpkg_t) files_exec_usr_files(dpkg_t) miscfiles_read_localization(dpkg_t) -<<<<<<< HEAD -seutil_domtrans_loadpolicy(dpkg_t) -seutil_domtrans_setfiles(dpkg_t) -userdom_use_all_users_fds(dpkg_t) - -optional_policy(` - mta_send_mail(dpkg_t) -') - -optional_policy(` - modutils_domtrans_depmod(dpkg_t) - modutils_domtrans_insmod(dpkg_t) -') - -optional_policy(` - usermanage_domtrans_groupadd(dpkg_t) - usermanage_domtrans_useradd(dpkg_t) -======= modutils_run_depmod(dpkg_t, dpkg_roles) modutils_run_insmod(dpkg_t, dpkg_roles) seutil_run_loadpolicy(dpkg_t, dpkg_roles) @@ -257,7 +207,6 @@ optional_policy(` optional_policy(` usermanage_run_groupadd(dpkg_t, dpkg_roles) usermanage_run_useradd(dpkg_t, dpkg_roles) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') ######################################## 
@@ -336,45 +285,28 @@ selinux_compute_user_contexts(dpkg_script_t) storage_raw_read_fixed_disk(dpkg_script_t) storage_raw_write_fixed_disk(dpkg_script_t) -<<<<<<< HEAD -term_use_all_inherited_terms(dpkg_script_t) - -auth_dontaudit_getattr_shadow(dpkg_script_t) -# ideally we would not need this -auth_manage_all_files_except_shadow(dpkg_script_t) -======= term_use_all_terms(dpkg_script_t) auth_dontaudit_getattr_shadow(dpkg_script_t) # ideally we would not need this files_manage_non_auth_files(dpkg_script_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 init_domtrans_script(dpkg_script_t) init_use_script_fds(dpkg_script_t) libs_exec_ld_so(dpkg_script_t) libs_exec_lib_files(dpkg_script_t) -<<<<<<< HEAD -libs_domtrans_ldconfig(dpkg_script_t) -======= libs_run_ldconfig(dpkg_script_t, dpkg_roles) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 logging_send_syslog_msg(dpkg_script_t) miscfiles_read_localization(dpkg_script_t) -<<<<<<< HEAD -seutil_domtrans_loadpolicy(dpkg_script_t) -seutil_domtrans_setfiles(dpkg_script_t) -======= modutils_run_depmod(dpkg_script_t, dpkg_roles) modutils_run_insmod(dpkg_script_t, dpkg_roles) seutil_run_loadpolicy(dpkg_script_t, dpkg_roles) seutil_run_setfiles(dpkg_script_t, dpkg_roles) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 userdom_use_all_users_fds(dpkg_script_t) @@ -388,16 +320,7 @@ optional_policy(` ') optional_policy(` -<<<<<<< HEAD - bootloader_domtrans(dpkg_script_t) -') - -optional_policy(` - modutils_domtrans_depmod(dpkg_script_t) - modutils_domtrans_insmod(dpkg_script_t) -======= bootloader_run(dpkg_script_t, dpkg_roles) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') optional_policy(` @@ -413,11 +336,6 @@ optional_policy(` ') optional_policy(` -<<<<<<< HEAD - usermanage_domtrans_groupadd(dpkg_script_t) - usermanage_domtrans_useradd(dpkg_script_t) -======= usermanage_run_groupadd(dpkg_script_t, dpkg_roles) usermanage_run_useradd(dpkg_script_t, dpkg_roles) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') 
diff --git a/entropyd.te b/entropyd.te index 1bd8014..053caed 100644 --- a/entropyd.te +++ b/entropyd.te @@ -52,11 +52,8 @@ domain_use_interactive_fds(entropyd_t) logging_send_syslog_msg(entropyd_t) -<<<<<<< HEAD auth_use_nsswitch(entropyd_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 miscfiles_read_localization(entropyd_t) userdom_dontaudit_use_unpriv_user_fds(entropyd_t) diff --git a/evolution.te b/evolution.te index b2af310..61483ec 100644 --- a/evolution.te +++ b/evolution.te @@ -1,8 +1,4 @@ -<<<<<<< HEAD -policy_module(evolution, 2.2.0) -======= policy_module(evolution, 2.3.0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # 
@@ -13,84 +9,44 @@ type evolution_t; type evolution_exec_t; typealias evolution_t alias { user_evolution_t staff_evolution_t sysadm_evolution_t }; typealias evolution_t alias { auditadm_evolution_t secadm_evolution_t }; -<<<<<<< HEAD -application_domain(evolution_t, evolution_exec_t) -ubac_constrained(evolution_t) -======= userdom_user_application_domain(evolution_t, evolution_exec_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type evolution_alarm_t; type evolution_alarm_exec_t; typealias evolution_alarm_t alias { user_evolution_alarm_t staff_evolution_alarm_t sysadm_evolution_alarm_t }; typealias evolution_alarm_t alias { auditadm_evolution_alarm_t secadm_evolution_alarm_t }; -<<<<<<< HEAD -application_domain(evolution_alarm_t, evolution_alarm_exec_t) -ubac_constrained(evolution_alarm_t) -======= userdom_user_application_domain(evolution_alarm_t, evolution_alarm_exec_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type evolution_alarm_tmpfs_t; typealias evolution_alarm_tmpfs_t alias { user_evolution_alarm_tmpfs_t staff_evolution_alarm_tmpfs_t sysadm_evolution_alarm_tmpfs_t }; typealias evolution_alarm_tmpfs_t alias { auditadm_evolution_alarm_tmpfs_t secadm_evolution_alarm_tmpfs_t }; -<<<<<<< HEAD -files_tmpfs_file(evolution_alarm_tmpfs_t) -ubac_constrained(evolution_alarm_tmpfs_t) -======= userdom_user_tmpfs_file(evolution_alarm_tmpfs_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type evolution_alarm_orbit_tmp_t; typealias evolution_alarm_orbit_tmp_t alias { user_evolution_alarm_orbit_tmp_t staff_evolution_alarm_orbit_tmp_t sysadm_evolution_alarm_orbit_tmp_t }; typealias evolution_alarm_orbit_tmp_t alias { auditadm_evolution_alarm_orbit_tmp_t secadm_evolution_alarm_orbit_tmp_t }; -<<<<<<< HEAD -files_tmp_file(evolution_alarm_orbit_tmp_t) -ubac_constrained(evolution_alarm_orbit_tmp_t) -======= userdom_user_tmp_file(evolution_alarm_orbit_tmp_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type evolution_exchange_t; type 
evolution_exchange_exec_t; typealias evolution_exchange_t alias { user_evolution_exchange_t staff_evolution_exchange_t sysadm_evolution_exchange_t }; typealias evolution_exchange_t alias { auditadm_evolution_exchange_t secadm_evolution_exchange_t }; -<<<<<<< HEAD -application_domain(evolution_exchange_t, evolution_exchange_exec_t) -ubac_constrained(evolution_exchange_t) -======= userdom_user_application_domain(evolution_exchange_t, evolution_exchange_exec_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type evolution_exchange_tmpfs_t; typealias evolution_exchange_tmpfs_t alias { user_evolution_exchange_tmpfs_t staff_evolution_exchange_tmpfs_t sysadm_evolution_exchange_tmpfs_t }; typealias evolution_exchange_tmpfs_t alias { auditadm_evolution_exchange_tmpfs_t secadm_evolution_exchange_tmpfs_t }; -<<<<<<< HEAD -files_tmpfs_file(evolution_exchange_tmpfs_t) -ubac_constrained(evolution_exchange_tmpfs_t) -======= userdom_user_tmpfs_file(evolution_exchange_tmpfs_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type evolution_exchange_tmp_t; typealias evolution_exchange_tmp_t alias { user_evolution_exchange_tmp_t staff_evolution_exchange_tmp_t sysadm_evolution_exchange_tmp_t }; typealias evolution_exchange_tmp_t alias { auditadm_evolution_exchange_tmp_t secadm_evolution_exchange_tmp_t }; -<<<<<<< HEAD -files_tmp_file(evolution_exchange_tmp_t) -ubac_constrained(evolution_exchange_tmp_t) -======= userdom_user_tmp_file(evolution_exchange_tmp_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type evolution_exchange_orbit_tmp_t; typealias evolution_exchange_orbit_tmp_t alias { user_evolution_exchange_orbit_tmp_t staff_evolution_exchange_orbit_tmp_t sysadm_evolution_exchange_orbit_tmp_t }; typealias evolution_exchange_orbit_tmp_t alias { auditadm_evolution_exchange_orbit_tmp_t secadm_evolution_exchange_orbit_tmp_t }; -<<<<<<< HEAD -files_tmp_file(evolution_exchange_orbit_tmp_t) -ubac_constrained(evolution_exchange_orbit_tmp_t) -======= 
userdom_user_tmp_file(evolution_exchange_orbit_tmp_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type evolution_home_t; typealias evolution_home_t alias { user_evolution_home_t staff_evolution_home_t sysadm_evolution_home_t }; 
@@ -100,64 +56,34 @@ userdom_user_home_content(evolution_home_t) type evolution_orbit_tmp_t; typealias evolution_home_t alias { user_evolution_orbit_tmp_t staff_evolution_orbit_tmp_t sysadm_evolution_orbit_tmp_t }; typealias evolution_home_t alias { auditadm_evolution_orbit_tmp_t secadm_evolution_orbit_tmp_t }; -<<<<<<< HEAD -files_tmp_file(evolution_orbit_tmp_t) -ubac_constrained(evolution_orbit_tmp_t) -======= userdom_user_tmp_file(evolution_orbit_tmp_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type evolution_server_t; type evolution_server_exec_t; typealias evolution_server_t alias { user_evolution_server_t staff_evolution_server_t sysadm_evolution_server_t }; typealias evolution_server_t alias { auditadm_evolution_server_t secadm_evolution_server_t }; -<<<<<<< HEAD -application_domain(evolution_server_t, evolution_server_exec_t) -ubac_constrained(evolution_server_t) -======= userdom_user_application_domain(evolution_server_t, evolution_server_exec_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type evolution_server_orbit_tmp_t; typealias evolution_server_orbit_tmp_t alias { user_evolution_server_orbit_tmp_t staff_evolution_server_orbit_tmp_t sysadm_evolution_server_orbit_tmp_t }; typealias evolution_server_orbit_tmp_t alias { auditadm_evolution_server_orbit_tmp_t secadm_evolution_server_orbit_tmp_t }; -<<<<<<< HEAD -files_tmp_file(evolution_server_orbit_tmp_t) -ubac_constrained(evolution_server_orbit_tmp_t) -======= userdom_user_tmp_file(evolution_server_orbit_tmp_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type evolution_tmpfs_t; typealias evolution_tmpfs_t alias { user_evolution_tmpfs_t staff_evolution_tmpfs_t sysadm_evolution_tmpfs_t }; typealias evolution_tmpfs_t alias { auditadm_evolution_tmpfs_t secadm_evolution_tmpfs_t }; -<<<<<<< HEAD -files_tmpfs_file(evolution_tmpfs_t) -ubac_constrained(evolution_tmpfs_t) -======= userdom_user_tmpfs_file(evolution_tmpfs_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type 
evolution_webcal_t; type evolution_webcal_exec_t; typealias evolution_webcal_t alias { user_evolution_webcal_t staff_evolution_webcal_t sysadm_evolution_webcal_t }; typealias evolution_webcal_t alias { auditadm_evolution_webcal_t secadm_evolution_webcal_t }; -<<<<<<< HEAD -application_domain(evolution_webcal_t, evolution_webcal_exec_t) -ubac_constrained(evolution_webcal_t) -======= userdom_user_application_domain(evolution_webcal_t, evolution_webcal_exec_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type evolution_webcal_tmpfs_t; typealias evolution_webcal_tmpfs_t alias { user_evolution_webcal_tmpfs_t staff_evolution_webcal_tmpfs_t sysadm_evolution_webcal_tmpfs_t }; typealias evolution_webcal_tmpfs_t alias { auditadm_evolution_webcal_tmpfs_t secadm_evolution_webcal_tmpfs_t }; -<<<<<<< HEAD -files_tmpfs_file(evolution_webcal_tmpfs_t) -ubac_constrained(evolution_webcal_tmpfs_t) -======= userdom_user_tmpfs_file(evolution_webcal_tmpfs_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # @@ -262,11 +188,8 @@ files_read_var_files(evolution_t) fs_search_auto_mountpoints(evolution_t) -<<<<<<< HEAD auth_use_nsswitch(evolution_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 logging_send_syslog_msg(evolution_t) miscfiles_read_localization(evolution_t) @@ -280,11 +203,7 @@ userdom_rw_user_tmp_files(evolution_t) userdom_manage_user_tmp_dirs(evolution_t) userdom_manage_user_tmp_sockets(evolution_t) userdom_manage_user_tmp_files(evolution_t) -<<<<<<< HEAD userdom_use_inherited_user_terminals(evolution_t) -======= -userdom_use_user_terminals(evolution_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 # FIXME: suppress access to .local/.icons/.themes until properly implemented # FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) # until properly implemented 
@@ -388,8 +307,6 @@ optional_policy(` mozilla_domtrans(evolution_t) ') -<<<<<<< HEAD -======= # Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing) optional_policy(` nis_use_ypbind(evolution_t) @@ -399,7 +316,6 @@ optional_policy(` nscd_socket_use(evolution_t) ') ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ### Junk mail filtering (start spamd) optional_policy(` spamassassin_exec_spamd(evolution_t) @@ -448,11 +364,8 @@ files_read_usr_files(evolution_alarm_t) fs_search_auto_mountpoints(evolution_alarm_t) -<<<<<<< HEAD auth_use_nsswitch(evolution_alarm_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 miscfiles_read_localization(evolution_alarm_t) # Access evolution home @@ -481,13 +394,10 @@ optional_policy(` gnome_stream_connect_gconf(evolution_alarm_t) ') -<<<<<<< HEAD -======= optional_policy(` nscd_socket_use(evolution_alarm_t) ') ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # # Evolution exchange connector local policy @@ -539,11 +449,8 @@ files_read_usr_files(evolution_exchange_t) # Access evolution home fs_search_auto_mountpoints(evolution_exchange_t) -<<<<<<< HEAD auth_use_nsswitch(evolution_exchange_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 miscfiles_read_localization(evolution_exchange_t) userdom_write_user_tmp_sockets(evolution_exchange_t) @@ -569,13 +476,10 @@ optional_policy(` gnome_stream_connect_gconf(evolution_exchange_t) ') -<<<<<<< HEAD -======= optional_policy(` nscd_socket_use(evolution_exchange_t) ') ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # # Evolution data server local policy @@ -627,11 +531,8 @@ files_read_usr_files(evolution_server_t) fs_search_auto_mountpoints(evolution_server_t) -<<<<<<< HEAD auth_use_nsswitch(evolution_server_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 miscfiles_read_localization(evolution_server_t) # Look in /etc/pki miscfiles_read_generic_certs(evolution_server_t) 
@@ -661,13 +562,10 @@ optional_policy(` gnome_stream_connect_gconf(evolution_server_t) ') -<<<<<<< HEAD -======= optional_policy(` nscd_socket_use(evolution_server_t) ') ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ######################################## # # Evolution webcal local policy @@ -696,12 +594,8 @@ corenet_tcp_connect_http_port(evolution_webcal_t) corenet_sendrecv_http_client_packets(evolution_webcal_t) corenet_sendrecv_http_cache_client_packets(evolution_webcal_t) -<<<<<<< HEAD auth_use_nsswitch(evolution_webcal_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 -# Networking capability - connect to website and handle ics link sysnet_read_config(evolution_webcal_t) sysnet_dns_name_resolve(evolution_webcal_t) @@ -713,10 +607,7 @@ userdom_search_user_home_dirs(evolution_webcal_t) userdom_dontaudit_read_user_home_content_files(evolution_webcal_t) xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t) -<<<<<<< HEAD -======= optional_policy(` nscd_socket_use(evolution_webcal_t) ') ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/exim.fc b/exim.fc index b1be50d..02c2561 100644 --- a/exim.fc +++ b/exim.fc @@ -1,12 +1,9 @@ -<<<<<<< HEAD /etc/rc\.d/init\.d/exim -- gen_context(system_u:object_r:exim_initrc_exec_t,s0) /usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0) /usr/sbin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0) -======= -/usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 + /var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0) /var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0) /var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0) diff --git a/exim.if b/exim.if index 82d15ab..ba138e8 100644 --- a/exim.if +++ b/exim.if 
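Review bot: The `@@ -696,12 +594,8 @@` hunk removes `# Networking capability - connect to website and handle ics link` together with the conflict markers, although that comment sat outside the conflicted region and explains the `sysnet_read_config`/`sysnet_dns_name_resolve` rules that follow it. The hunk's line counts (four removals for three markers) confirm it was not part of either side. Restore the comment directly above `sysnet_read_config(evolution_webcal_t)`.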
@@ -5,15 +5,9 @@ ## Execute a domain transition to run exim. ## ## -<<<<<<< HEAD -## -## Domain allowed to transition. -## -======= ## ## Domain allowed to transition. ## ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## # interface(`exim_domtrans',` @@ -26,7 +20,6 @@ interface(`exim_domtrans',` ######################################## ## -<<<<<<< HEAD ## Execute the mailman program in the mailman domain. ## ## @@ -70,8 +63,6 @@ interface(`exim_initrc_domtrans',` ######################################## ## -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## Do not audit attempts to read, ## exim tmp files ## @@ -153,15 +144,9 @@ interface(`exim_read_log',` ## exim log files. ## ## -<<<<<<< HEAD -## -## Domain allowed access. -## -======= ## ## Domain allowed access. ## ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ## # interface(`exim_append_log',` @@ -252,7 +237,6 @@ interface(`exim_manage_spool_files',` manage_files_pattern($1, exim_spool_t, exim_spool_t) files_search_spool($1) ') -<<<<<<< HEAD ######################################## ## @@ -299,5 +283,3 @@ interface(`exim_admin',` files_list_pids($1) admin_pattern($1, exim_var_run_t) ') -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 diff --git a/exim.te b/exim.te index 9eea7d6..681d083 100644 --- a/exim.te +++ b/exim.te @@ -6,43 +6,24 @@ policy_module(exim, 1.5.0) # ## -<<<<<<< HEAD -##
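Review bot: The summary line `## Execute the mailman program in the mailman domain.` kept in the hunk at old line 26 of exim.if documents an interface whose `interface(` line is outside the hunk; the next hunk's context names exim_initrc_domtrans, so it is likely that interface or a neighbour, and it reads like text copied from mailman.if. If the interface runs exim's init script, the summary should say so, e.g. `## Execute exim init scripts in the initrc domain.`; if it really transitions into a mailman domain it does not belong in exim.if. Since the interface documentation is what tools and other policy authors rely on, it is worth correcting while the markers are being removed.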

-## Allow exim to connect to databases (PostgreSQL, MySQL) -##

-======= ##

## Allow exim to connect to databases (postgres, mysql) ##

->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ##
gen_tunable(exim_can_connect_db, false) ## -<<<<<<< HEAD -##

-## Allow exim to read unprivileged user files. -##

-======= ##

## Allow exim to read unprivileged user files. ##

->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ##
gen_tunable(exim_read_user_files, false) ## -<<<<<<< HEAD -##

-## Allow exim to create, read, write, and delete -## unprivileged user files. -##

-======= ##

## Allow exim to create, read, write, and delete ## unprivileged user files. ##

->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ##
gen_tunable(exim_manage_user_files, false) @@ -54,21 +35,14 @@ mta_mailserver_user_agent(exim_t) application_executable_file(exim_exec_t) mta_agent_executable(exim_exec_t) -<<<<<<< HEAD type exim_initrc_exec_t; init_script_file(exim_initrc_exec_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type exim_log_t; logging_log_file(exim_log_t) type exim_spool_t; -<<<<<<< HEAD files_spool_file(exim_spool_t) -======= -files_type(exim_spool_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 type exim_tmp_t; files_tmp_file(exim_tmp_t) @@ -108,11 +82,7 @@ files_pid_filetrans(exim_t, exim_var_run_t, { file dir }) kernel_read_kernel_sysctls(exim_t) kernel_read_network_state(exim_t) -<<<<<<< HEAD kernel_read_system_state(exim_t) -======= -kernel_dontaudit_read_system_state(exim_t) ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 corecmd_search_bin(exim_t) @@ -141,10 +111,7 @@ domain_use_interactive_fds(exim_t) files_search_usr(exim_t) files_search_var(exim_t) -<<<<<<< HEAD files_read_usr_files(exim_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 files_read_etc_files(exim_t) files_read_etc_runtime_files(exim_t) files_getattr_all_mountpoints(exim_t) @@ -199,13 +166,10 @@ optional_policy(` ') optional_policy(` -<<<<<<< HEAD dovecot_stream_connect(exim_t) ') optional_policy(` -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 kerberos_keytab_template(exim, exim_t) ') @@ -215,13 +179,10 @@ optional_policy(` ') optional_policy(` -<<<<<<< HEAD nagios_search_spool(exim_t) ') optional_policy(` -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 tunable_policy(`exim_can_connect_db',` mysql_stream_connect(exim_t) ') @@ -235,10 +196,7 @@ optional_policy(` optional_policy(` procmail_domtrans(exim_t) -<<<<<<< HEAD procmail_read_home_files(exim_t) -======= ->>>>>>> 9f8a6a356b99a19e09256fc37630cd6c22da66b4 ') optional_policy(`
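Review bot: The hunk at old line 108 of exim.te resolves the conflict in favour of `kernel_read_system_state(exim_t)` and drops `kernel_dontaudit_read_system_state(exim_t)`; these are not equivalent, since the first grants exim read access to /proc system state while the second only silences the denial. The hunk gives no reason for widening the domain, so a one-line comment above the rule naming the access that motivated it (the AVC or the /proc file exim reads) would document the choice and keep a future merge from flipping it back. If no concrete denial motivated the allow, the dontaudit is the more conservative resolution.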