diff --git a/games.te b/games.te
index 653e326..9c05eee 100644
--- a/games.te
+++ b/games.te
@@ -147,14 +147,9 @@ init_dontaudit_rw_utmp(games_t)
logging_dontaudit_search_logs(games_t)
-<<<<<<< HEAD
-sysnet_read_config(games_t)
-=======
miscfiles_read_man_pages(games_t)
-miscfiles_read_localization(games_t)
sysnet_dns_name_resolve(games_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
userdom_manage_user_tmp_dirs(games_t)
userdom_manage_user_tmp_files(games_t)
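Review bot: The resolution drops `miscfiles_read_localization(games_t)` with no replacement, while the git.te hunk in this same commit adds `miscfiles_read_localization(git_daemon)`, so the two files now disagree on whether localization reads are granted per domain. Unless the base policy in this tree grants locale access to every domain, games_t will hit denials on locale files; I would keep `miscfiles_read_localization(games_t)` next to `miscfiles_read_man_pages(games_t)`. Dropping `sysnet_read_config(games_t)` is fine as long as `sysnet_dns_name_resolve(games_t)` is kept, since in refpolicy the latter subsumes it.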
diff --git a/gatekeeper.te b/gatekeeper.te
index d246837..10a1bbe 100644
--- a/gatekeeper.te
+++ b/gatekeeper.te
@@ -76,8 +76,6 @@ dev_read_urand(gatekeeper_t)
domain_use_interactive_fds(gatekeeper_t)
-files_read_etc_files(gatekeeper_t)
-
fs_getattr_all_fs(gatekeeper_t)
fs_search_auto_mountpoints(gatekeeper_t)
diff --git a/gift.te b/gift.te
index 53552f5..af76abb 100644
--- a/gift.te
+++ b/gift.te
@@ -52,11 +52,7 @@ domtrans_pattern(gift_t, giftd_exec_t, giftd_t)
kernel_read_system_state(gift_t)
-<<<<<<< HEAD
-# Connect to gift daemon
-=======
corenet_all_recvfrom_unlabeled(gift_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
corenet_all_recvfrom_netlabel(gift_t)
corenet_tcp_sendrecv_generic_if(gift_t)
corenet_tcp_sendrecv_generic_node(gift_t)
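Review bot: The two explanatory comments on the HEAD side, `# Connect to gift daemon` here and `# Serve content on various p2p networks. Ports can be random.` in the next hunk for giftd_t, are discarded even though the corenet rules they explain are kept. They are the only justification in the file for the broad corenet_* grants on these domains, and the second one in particular tells a later reviewer why the port rules cannot simply be narrowed. Please restore each comment directly above the corenet block of its domain.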
@@ -94,11 +90,7 @@ userdom_user_home_dir_filetrans(giftd_t, gift_home_t, dir)
kernel_read_system_state(giftd_t)
kernel_read_kernel_sysctls(giftd_t)
-<<<<<<< HEAD
-# Serve content on various p2p networks. Ports can be random.
-=======
corenet_all_recvfrom_unlabeled(giftd_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
corenet_all_recvfrom_netlabel(giftd_t)
corenet_tcp_sendrecv_generic_if(giftd_t)
corenet_udp_sendrecv_generic_if(giftd_t)
@@ -117,8 +109,6 @@ corenet_sendrecv_all_client_packets(giftd_t)
corenet_tcp_connect_all_ports(giftd_t)
files_read_etc_runtime_files(giftd_t)
-files_read_usr_files(giftd_t)
-
sysnet_dns_name_resolve(giftd_t)
diff --git a/git.fc b/git.fc
index 0e6338b..24700f8 100644
--- a/git.fc
+++ b/git.fc
@@ -1,27 +1,13 @@
HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0)
-/srv/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)
-
/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
-<<<<<<< HEAD
-/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
-/var/cache/gitweb-caching(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
-=======
/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
/var/cache/gitweb-caching(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
/var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)
-<<<<<<< HEAD
-/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
-/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
-/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
-/var/www/gitweb-caching/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
-=======
/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
/var/www/gitweb-caching/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
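Review bot: The `/srv/git(/.*)?` file context is removed along with the conflict markers, so repositories served from /srv/git will no longer be labeled git_sys_content_t after a relabel and git_system_t will be denied access to them. If the drop is deliberate because this tree standardises on /var/lib/git, the commit message should say so; otherwise keep `/srv/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)` after the HOME_DIR line. The CGI contexts below are only de-duplicated and are unaffected.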
diff --git a/git.if b/git.if
index db8e59b..9f159d1 100644
--- a/git.if
+++ b/git.if
@@ -15,14 +15,10 @@
##
##
#
-template(`git_session_role',`
+template(`git_role',`
gen_require(`
-<<<<<<< HEAD
- type git_session_t, gitd_exec_t;
-=======
attribute_role git_session_roles;
type git_session_t, gitd_exec_t, git_user_content_t;
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
')
########################################
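Review bot: `template(`git_session_role',`` is renamed to `git_role` with no compatibility stub, so any user-role module that still calls git_session_role() fails to build once this lands. The refpolicy convention for renames (used by the glusterd_admin stub that glusterfs.if carried before this commit) is to keep the old name as a deprecated wrapper that emits `refpolicywarn` and calls `git_role($1, $2)`, placed right after the new template. The XML summary block above the template starts outside this hunk; check that it documents the new name and still describes both parameters.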
@@ -37,21 +33,13 @@ template(`git_session_role',`
# Policy
#
-<<<<<<< HEAD
- allow $2 git_session_t:process signal_perms;
-=======
allow $2 git_user_content_t:dir { manage_dir_perms relabel_dir_perms };
allow $2 git_user_content_t:file { exec_file_perms manage_file_perms relabel_file_perms };
userdom_user_home_dir_filetrans($2, git_user_content_t, dir, "public_git")
allow $2 git_session_t:process { ptrace signal_perms };
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
ps_process_pattern($2, git_session_t)
- tunable_policy(`deny_ptrace',`',`
- allow $2 git_session_t:process ptrace;
- ')
-
tunable_policy(`git_session_users',`
domtrans_pattern($2, gitd_exec_t, git_session_t)
',`
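Review bot: The resolution takes the incoming `allow $2 git_session_t:process { ptrace signal_perms };` and deletes the HEAD-side `tunable_policy(`deny_ptrace', ...)` gate, so user domains can now ptrace git_session_t unconditionally rather than only when deny_ptrace is off. ptrace lets the caller inspect and control the session daemon's process, which is exactly what the tunable exists to disable on hardened hosts; glance.if in this same commit keeps its deny_ptrace gate, so this looks like an accidental loss rather than a decision. I would keep `allow $2 git_session_t:process signal_perms;` and put `allow $2 git_session_t:process ptrace;` back under `tunable_policy(`deny_ptrace',`',` ... ')` as HEAD had it. The template body continues past the end of this hunk.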
@@ -61,356 +49,7 @@ template(`git_session_role',`
########################################
##
-<<<<<<< HEAD
-## Create a set of derived types for Git
-## daemon shared repository content.
-##
-##
-##
-## The prefix to be used for deriving type names.
-##
-##
-#
-template(`git_content_template',`
- gen_require(`
- attribute git_system_content, git_content;
- ')
-
- ########################################
- #
- # Git daemon content shared declarations.
- #
-
- type git_$1_content_t, git_system_content, git_content;
- files_type(git_$1_content_t)
-')
-
-########################################
-##
-## Create a set of derived types for Git
-## daemon shared repository roles.
-##
-##
-##
-## The prefix to be used for deriving type names.
-##
-##
-#
-template(`git_role_template',`
- gen_require(`
- class context contains;
- role system_r;
- ')
-
- ########################################
- #
- # Git daemon role shared declarations.
- #
-
- attribute $1_usertype;
-
- type $1_t;
- userdom_unpriv_usertype($1, $1_t)
- domain_type($1_t)
-
- role $1_r types $1_t;
- allow system_r $1_r;
-
- ########################################
- #
- # Git daemon role shared policy.
- #
-
- allow $1_t self:context contains;
- allow $1_t self:fifo_file rw_fifo_file_perms;
-
- corecmd_exec_bin($1_t)
- corecmd_bin_entry_type($1_t)
- corecmd_shell_entry_type($1_t)
-
- domain_interactive_fd($1_t)
- domain_user_exemption_target($1_t)
-
- kernel_read_system_state($1_t)
-
- files_read_etc_files($1_t)
- files_dontaudit_search_home($1_t)
-
-
- git_rwx_generic_system_content($1_t)
-
- ssh_rw_stream_sockets($1_t)
-
- tunable_policy(`git_system_use_cifs',`
- fs_exec_cifs_files($1_t)
- fs_manage_cifs_dirs($1_t)
- fs_manage_cifs_files($1_t)
- ')
-
- tunable_policy(`git_system_use_nfs',`
- fs_exec_nfs_files($1_t)
- fs_manage_nfs_dirs($1_t)
- fs_manage_nfs_files($1_t)
- ')
-
- optional_policy(`
- nscd_read_pid($1_t)
- ')
-')
-
-#######################################
-##
-## Allow specified domain access to the
-## specified Git daemon content.
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## Type of the object that access is allowed to.
-##
-##
-#
-interface(`git_content_delegation',`
- gen_require(`
- type $1, $2;
- ')
-
- exec_files_pattern($1, $2, $2)
- manage_dirs_pattern($1, $2, $2)
- manage_files_pattern($1, $2, $2)
- files_search_var_lib($1)
-
- tunable_policy(`git_system_use_cifs',`
- fs_exec_cifs_files($1)
- fs_manage_cifs_dirs($1)
- fs_manage_cifs_files($1)
- ')
-
- tunable_policy(`git_system_use_nfs',`
- fs_exec_nfs_files($1)
- fs_manage_nfs_dirs($1)
- fs_manage_nfs_files($1)
- ')
-')
-
-########################################
-##
-## Allow the specified domain to manage
-## and execute all Git daemon content.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`git_rwx_all_content',`
- gen_require(`
- attribute git_content;
- ')
-
- exec_files_pattern($1, git_content, git_content)
- manage_dirs_pattern($1, git_content, git_content)
- manage_files_pattern($1, git_content, git_content)
- userdom_search_user_home_dirs($1)
- files_search_var_lib($1)
-
- tunable_policy(`git_system_use_cifs',`
- fs_exec_cifs_files($1)
- fs_manage_cifs_dirs($1)
- fs_manage_cifs_files($1)
- ')
-
- tunable_policy(`git_system_use_nfs',`
- fs_exec_nfs_files($1)
- fs_manage_nfs_dirs($1)
- fs_manage_nfs_files($1)
- ')
-')
-
-########################################
-##
-## Allow the specified domain to manage
-## and execute all Git daemon system content.
-=======
## Read generic system content files.
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-<<<<<<< HEAD
-interface(`git_rwx_all_system_content',`
- gen_require(`
- attribute git_system_content;
- ')
-
- exec_files_pattern($1, git_system_content, git_system_content)
- manage_dirs_pattern($1, git_system_content, git_system_content)
- manage_files_pattern($1, git_system_content, git_system_content)
- files_search_var_lib($1)
-
- tunable_policy(`git_system_use_cifs',`
- fs_exec_cifs_files($1)
- fs_manage_cifs_dirs($1)
- fs_manage_cifs_files($1)
- ')
-
- tunable_policy(`git_system_use_nfs',`
- fs_exec_nfs_files($1)
- fs_manage_nfs_dirs($1)
- fs_manage_nfs_files($1)
- ')
-')
-
-########################################
-##
-## Allow the specified domain to manage
-## and execute Git daemon generic system content.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`git_rwx_generic_system_content',`
- gen_require(`
- type git_sys_content_t;
- ')
-
- exec_files_pattern($1, git_sys_content_t, git_sys_content_t)
- manage_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
- manage_files_pattern($1, git_sys_content_t, git_sys_content_t)
- files_search_var_lib($1)
-
- tunable_policy(`git_system_use_cifs',`
- fs_exec_cifs_files($1)
- fs_manage_cifs_dirs($1)
- fs_manage_cifs_files($1)
- ')
-
- tunable_policy(`git_system_use_nfs',`
- fs_exec_nfs_files($1)
- fs_manage_nfs_dirs($1)
- fs_manage_nfs_files($1)
- ')
-')
-
-########################################
-##
-## Allow the specified domain to read
-## all Git daemon content files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`git_read_all_content_files',`
- gen_require(`
- attribute git_content;
- ')
-
- list_dirs_pattern($1, git_content, git_content)
- read_files_pattern($1, git_content, git_content)
- userdom_search_user_home_dirs($1)
- files_search_var_lib($1)
-
- tunable_policy(`git_system_use_cifs',`
- fs_list_cifs($1)
- fs_read_cifs_files($1)
- ')
-
- tunable_policy(`git_system_use_nfs',`
- fs_list_nfs($1)
- fs_read_nfs_files($1)
- ')
-')
-
-########################################
-##
-## Allow the specified domain to read
-## Git daemon session content files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`git_read_session_content_files',`
- gen_require(`
- type git_user_content_t;
- ')
-
- list_dirs_pattern($1, git_user_content_t, git_user_content_t)
- read_files_pattern($1, git_user_content_t, git_user_content_t)
- userdom_search_user_home_dirs($1)
-')
-
-#######################################
-##
-## Dontaudit the specified domain to read
-## Git daemon session content files.
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-interface(`git_dontaudit_read_session_content_files',`
- gen_require(`
- type git_user_content_t;
- ')
-
- dontaudit $1 git_user_content_t:file read_file_perms;
-')
-
-########################################
-##
-## Allow the specified domain to read
-## all Git daemon system content files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`git_read_all_system_content_files',`
- gen_require(`
- attribute git_system_content;
- ')
-
- list_dirs_pattern($1, git_system_content, git_system_content)
- read_files_pattern($1, git_system_content, git_system_content)
- files_search_var_lib($1)
-
- tunable_policy(`git_system_use_cifs',`
- fs_list_cifs($1)
- fs_read_cifs_files($1)
- ')
-
- tunable_policy(`git_system_use_nfs',`
- fs_list_nfs($1)
- fs_read_nfs_files($1)
- ')
-')
-
-########################################
-##
-## Allow the specified domain to read
-## Git daemon generic system content files.
##
##
##
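Review bot: This hunk removes a set of public interfaces and templates outright — git_content_template, git_role_template, git_content_delegation, git_rwx_all_content, git_rwx_all_system_content, git_rwx_generic_system_content, git_read_all_content_files, git_read_session_content_files, git_dontaudit_read_session_content_files and git_read_all_system_content_files — with no deprecated stubs, and the next hunk does the same for the git_relabel_* interfaces and renames git_read_generic_system_content_files. Any site or third-party module calling one of these now fails with an undefined macro instead of a warning. Where the capability still exists, keep the old name as a wrapper that emits `refpolicywarn` and forwards to the replacement; where it is genuinely gone, a stub that only warns is still kinder than a build break. The attributes git_content and git_system_content these referenced are removed in git.te, so the stubs must not gen_require them. The doc header at the end of this hunk belongs to the interface that continues in the next hunk.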
@@ -418,145 +57,43 @@ interface(`git_read_all_system_content_files',`
##
##
#
-interface(`git_read_generic_system_content_files',`
-=======
interface(`git_read_generic_sys_content_files',`
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
gen_require(`
type git_sys_content_t;
')
list_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
read_files_pattern($1, git_sys_content_t, git_sys_content_t)
-<<<<<<< HEAD
- read_lnk_files_pattern($1, git_sys_content_t, git_sys_content_t)
- files_search_var_lib($1)
-
- tunable_policy(`git_system_use_cifs',`
-=======
files_search_var_lib($1)
tunable_policy(`git_system_use_cifs',`
fs_getattr_cifs($1)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
fs_list_cifs($1)
fs_read_cifs_files($1)
')
tunable_policy(`git_system_use_nfs',`
-<<<<<<< HEAD
-=======
fs_getattr_nfs($1)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
fs_list_nfs($1)
fs_read_nfs_files($1)
')
')
-<<<<<<< HEAD
-########################################
-##
-## Allow the specified domain to relabel
-## all Git daemon content.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`git_relabel_all_content',`
- gen_require(`
- attribute git_content;
- ')
-
- relabel_dirs_pattern($1, git_content, git_content)
- relabel_files_pattern($1, git_content, git_content)
- userdom_search_user_home_dirs($1)
- files_search_var_lib($1)
-')
-
-########################################
-##
-## Allow the specified domain to relabel
-## all Git daemon system content.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`git_relabel_all_system_content',`
- gen_require(`
- attribute git_system_content;
- ')
-
- relabel_dirs_pattern($1, git_system_content, git_system_content)
- relabel_files_pattern($1, git_system_content, git_system_content)
- files_search_var_lib($1)
-')
-
-########################################
-##
-## Allow the specified domain to relabel
-## Git daemon generic system content.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`git_relabel_generic_system_content',`
- gen_require(`
- type git_sys_content_t;
- ')
-
- relabel_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
- relabel_files_pattern($1, git_sys_content_t, git_sys_content_t)
- files_search_var_lib($1)
-')
-
-########################################
-##
-## Allow the specified domain to relabel
-## Git daemon session content.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`git_relabel_session_content',`
- gen_require(`
- type git_user_content_t;
- ')
-
- relabel_dirs_pattern($1, git_user_content_t, git_user_content_t)
- relabel_files_pattern($1, git_user_content_t, git_user_content_t)
- userdom_search_user_home_dirs($1)
-')
-
-########################################
+#######################################
##
-## Create Git user content with a
-## named file transition.
+## Create Git user content with a
+## named file transition.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
##
#
interface(`git_filetrans_user_content',`
- gen_require(`
- type git_user_content_t;
- ')
-
- userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
+ gen_require(`
+ type git_user_content_t;
+ ')
+ userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git"
')
-=======
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
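Review bot: The rewritten body of git_filetrans_user_content is missing its closing parenthesis: `userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git"` has no `)`, so m4 will run the call into the following `')` and the module will fail to build or expand incorrectly. Restore the removed line verbatim: `userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")`. Separately, git_read_generic_sys_content_files loses the HEAD-side `read_lnk_files_pattern($1, git_sys_content_t, git_sys_content_t)`; working trees and hooks directories commonly contain symlinks, so unless that was deliberate keep it alongside read_files_pattern.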
diff --git a/git.te b/git.te
index 2dcb933..93b0301 100644
--- a/git.te
+++ b/git.te
@@ -34,8 +34,6 @@ gen_tunable(git_cgi_use_nfs, false)
## Determine whether Git session daemon
## can bind TCP sockets to all
## unreserved ports.
-<<<<<<< HEAD
-=======
##
##
gen_tunable(git_session_bind_all_unreserved_ports, false)
@@ -45,19 +43,17 @@ gen_tunable(git_session_bind_all_unreserved_ports, false)
## Determine whether calling user domains
## can execute Git daemon in the
## git_session_t domain.
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
##
##
-gen_tunable(git_session_bind_all_unreserved_ports, false)
+gen_tunable(git_session_users, false)
##
##
@@ -84,14 +80,7 @@ gen_tunable(git_system_use_cifs, false)
gen_tunable(git_system_use_nfs, false)
attribute git_daemon;
-<<<<<<< HEAD
-attribute git_system_content;
-attribute git_content;
-
-role git_shell_r;
-=======
attribute_role git_session_roles;
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
apache_content_template(git)
@@ -100,21 +89,14 @@ type gitd_exec_t;
inetd_service_domain(git_system_t, gitd_exec_t)
type git_session_t, git_daemon;
-<<<<<<< HEAD
-application_domain(git_session_t, gitd_exec_t)
-ubac_constrained(git_session_t)
-=======
userdom_user_application_domain(git_session_t, gitd_exec_t)
role git_session_roles types git_session_t;
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
-type git_sys_content_t, git_content, git_system_content;
+type git_sys_content_t;
files_type(git_sys_content_t)
-typealias git_sys_content_t alias { git_data_t git_system_content_t };
-type git_user_content_t, git_content;
+type git_user_content_t;
userdom_user_home_content(git_user_content_t)
-typealias git_user_content_t alias git_session_content_t;
########################################
#
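Review bot: The two `typealias` lines (`git_data_t git_system_content_t` for git_sys_content_t and `git_session_content_t` for git_user_content_t) are deleted rather than kept, so any file whose xattr still carries one of those alias names becomes invalid after the new policy loads and needs a relabel, and any module that still references an alias fails to build. Aliases cost nothing to keep; unless a full relabel is planned, retain `typealias git_sys_content_t alias { git_data_t git_system_content_t };` and `typealias git_user_content_t alias git_session_content_t;` under the respective type declarations. Dropping `ubac_constrained(git_session_t)` is fine only if userdom_user_application_domain applies it in this tree, which I believe it does but is worth confirming.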
@@ -127,9 +109,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
userdom_search_user_home_dirs(git_session_t)
-kernel_read_system_state(git_session_t)
-
corenet_all_recvfrom_netlabel(git_session_t)
+corenet_all_recvfrom_unlabeled(git_session_t)
corenet_tcp_bind_generic_node(git_session_t)
corenet_tcp_sendrecv_generic_if(git_session_t)
corenet_tcp_sendrecv_generic_node(git_session_t)
@@ -143,10 +124,6 @@ auth_use_nsswitch(git_session_t)
userdom_use_user_terminals(git_session_t)
tunable_policy(`git_session_bind_all_unreserved_ports',`
-<<<<<<< HEAD
- corenet_tcp_bind_all_unreserved_ports(git_session_t)
- corenet_sendrecv_generic_server_packets(git_session_t)
-=======
corenet_sendrecv_all_server_packets(git_session_t)
corenet_tcp_bind_all_unreserved_ports(git_session_t)
corenet_tcp_sendrecv_all_ports(git_session_t)
@@ -154,11 +131,8 @@ tunable_policy(`git_session_bind_all_unreserved_ports',`
tunable_policy(`git_session_send_syslog_msg',`
logging_send_syslog_msg(git_session_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
')
-logging_send_syslog_msg(git_session_t)
-
tunable_policy(`use_nfs_home_dirs',`
fs_getattr_nfs(git_session_t)
fs_list_nfs(git_session_t)
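Review bot: `logging_send_syslog_msg(git_session_t)` is now granted only inside `tunable_policy(`git_session_send_syslog_msg', ...)`, but no declaration of the git_session_send_syslog_msg tunable is visible in this commit — the tunable hunks earlier in this file only show git_session_bind_all_unreserved_ports and git_session_users. If the gen_tunable is missing the build fails on an undefined boolean; if it exists and defaults to false, git_session_t silently loses syslog access it previously had unconditionally. Please confirm the declaration is present (or add `gen_tunable(git_session_send_syslog_msg, false)` with its XML description) and mention the behaviour change in the commit message. This hunk begins part-way through the preceding tunable_policy block.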
@@ -180,18 +154,11 @@ tunable_policy(`use_samba_home_dirs',`
# System policy
#
-<<<<<<< HEAD
-list_dirs_pattern(git_system_t, git_content, git_content)
-read_files_pattern(git_system_t, git_content, git_content)
-=======
list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
files_search_var_lib(git_system_t)
-kernel_read_system_state(git_system_t)
-
auth_use_nsswitch(git_system_t)
logging_send_syslog_msg(git_system_t)
@@ -237,8 +204,8 @@ tunable_policy(`git_system_use_nfs',`
# CGI policy
#
-list_dirs_pattern(httpd_git_script_t, git_content, git_content)
-read_files_pattern(httpd_git_script_t, git_content, git_content)
+list_dirs_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
+read_files_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
files_search_var_lib(httpd_git_script_t)
files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
@@ -288,16 +255,12 @@ tunable_policy(`git_cgi_use_nfs',`
allow git_daemon self:fifo_file rw_fifo_file_perms;
+kernel_read_system_state(git_daemon)
+
corecmd_exec_bin(git_daemon)
files_read_usr_files(git_daemon)
fs_search_auto_mountpoints(git_daemon)
-
-########################################
-#
-# Git-shell private policy.
-#
-git_role_template(git_shell)
-gen_user(git_shell_u, user, git_shell_r, s0, s0)
+miscfiles_read_localization(git_daemon)
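Review bot: Deleting `git_role_template(git_shell)` and `gen_user(git_shell_u, user, git_shell_r, s0, s0)` removes a SELinux user and role from the policy; any seusers entry or login mapping that names git_shell_u becomes invalid when this policy is loaded, and logins for those accounts will fail. That follows from git_role_template being removed in git.if in this commit, but it deserves a note in the commit message and a migration hint for administrators. The additions `kernel_read_system_state(git_daemon)` and `miscfiles_read_localization(git_daemon)` look right and replace the per-domain rules dropped earlier in the file.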
diff --git a/gitosis.fc b/gitosis.fc
index 0f1e0d8..b64de32 100644
--- a/gitosis.fc
+++ b/gitosis.fc
@@ -3,10 +3,5 @@
/usr/bin/gitosis-serve -- gen_context(system_u:object_r:gitosis_exec_t,s0)
/usr/bin/gl-auth-command -- gen_context(system_u:object_r:gitosis_exec_t,s0)
-<<<<<<< HEAD
-/var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
-/var/lib/gitolite(3)?(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
-=======
/var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
/var/lib/gitolite(3)?(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
diff --git a/gitosis.te b/gitosis.te
index 16ec134..d3acb1a 100644
--- a/gitosis.te
+++ b/gitosis.te
@@ -7,21 +7,14 @@ policy_module(gitosis, 1.3.2)
##
##
-<<<<<<< HEAD
-## Allow gitisis daemon to send mail
-=======
## Determine whether Gitosis can send mail.
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
##
##
gen_tunable(gitosis_can_sendmail, false)
-<<<<<<< HEAD
-=======
attribute_role gitosis_roles;
roleattribute system_r gitosis_roles;
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
type gitosis_t;
type gitosis_exec_t;
application_domain(gitosis_t, gitosis_exec_t)
@@ -59,18 +52,10 @@ corecmd_exec_shell(gitosis_t)
dev_read_urand(gitosis_t)
-files_read_etc_files(gitosis_t)
-files_read_usr_files(gitosis_t)
files_search_var_lib(gitosis_t)
-
sysnet_read_config(gitosis_t)
-<<<<<<< HEAD
-corenet_tcp_bind_all_ports(gitosis_t)
-
-=======
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
tunable_policy(`gitosis_can_sendmail',`
mta_send_mail(gitosis_t)
')
diff --git a/glance.if b/glance.if
index 65a96e2..9ca9614 100644
--- a/glance.if
+++ b/glance.if
@@ -264,17 +264,13 @@ interface(`glance_admin',`
type glance_registry_initrc_exec_t, glance_api_initrc_exec_t;
')
-<<<<<<< HEAD
allow $1 glance_registry_t:process signal_perms;
ps_process_pattern($1, glance_registry_t)
+
tunable_policy(`deny_ptrace',`',`
allow $1 glance_registry_t:process ptrace;
allow $1 glance_api_t:process ptrace;
')
-=======
- allow $1 { glance_api_t glance_registry_t }:process signal_perms;
- ps_process_pattern($1, { glance_api_t glance_registry_t })
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
domain_system_change_exemption($1)
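Review bot: The resolution keeps signal_perms and ps_process_pattern for glance_registry_t only (`allow $1 glance_registry_t:process signal_perms;`, `ps_process_pattern($1, glance_registry_t)`) while the deny_ptrace block still names both glance_registry_t and glance_api_t, so an admin role may ptrace glance_api_t but cannot signal it or read its /proc entries. The incoming side had the consistent form; I would take it: `allow $1 { glance_api_t glance_registry_t }:process signal_perms;` and `ps_process_pattern($1, { glance_api_t glance_registry_t })`, keeping the deny_ptrace block as is. The gen_require for this interface starts above the hunk; both process types must be listed there for either form to build.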
diff --git a/glance.te b/glance.te
index 7e75812..2d0f228 100644
--- a/glance.te
+++ b/glance.te
@@ -57,10 +57,6 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
-<<<<<<< HEAD
-=======
-kernel_read_system_state(glance_domain)
-
corenet_all_recvfrom_unlabeled(glance_domain)
corenet_all_recvfrom_netlabel(glance_domain)
corenet_tcp_sendrecv_generic_if(glance_domain)
@@ -68,26 +64,15 @@ corenet_tcp_sendrecv_generic_node(glance_domain)
corenet_tcp_sendrecv_all_ports(glance_domain)
corenet_tcp_bind_generic_node(glance_domain)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
corecmd_exec_bin(glance_domain)
corecmd_exec_shell(glance_domain)
dev_read_urand(glance_domain)
-files_read_etc_files(glance_domain)
-files_read_usr_files(glance_domain)
-
-<<<<<<< HEAD
auth_read_passwd(glance_domain)
libs_exec_ldconfig(glance_domain)
-=======
-libs_exec_ldconfig(glance_domain)
-
-miscfiles_read_localization(glance_domain)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
-
sysnet_dns_name_resolve(glance_domain)
########################################
@@ -99,15 +84,12 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file })
-<<<<<<< HEAD
manage_dirs_pattern(glance_registry_t, glance_registry_tmpfs_t, glance_registry_tmpfs_t)
manage_files_pattern(glance_registry_t, glance_registry_tmpfs_t, glance_registry_tmpfs_t)
fs_tmpfs_filetrans(glance_registry_t, glance_registry_tmpfs_t,{ dir file })
corenet_tcp_bind_generic_node(glance_registry_t)
-=======
corenet_sendrecv_glance_registry_server_packets(glance_registry_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
corenet_tcp_bind_glance_registry_port(glance_registry_t)
corenet_tcp_connect_mysqld_port(glance_registry_t)
corenet_tcp_connect_all_ephemeral_ports(glance_registry_t)
@@ -116,12 +98,6 @@ logging_send_syslog_msg(glance_registry_t)
optional_policy(`
mysql_stream_connect(glance_registry_t)
-')
-
-logging_send_syslog_msg(glance_registry_t)
-
-optional_policy(`
- mysql_stream_connect(glance_registry_t)
mysql_tcp_connect(glance_registry_t)
')
@@ -135,28 +111,24 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
can_exec(glance_api_t, glance_tmp_t)
+corenet_tcp_bind_generic_node(glance_api_t)
+
corenet_sendrecv_armtechdaemon_server_packets(glance_api_t)
corenet_tcp_bind_armtechdaemon_port(glance_api_t)
-<<<<<<< HEAD
-corenet_tcp_bind_generic_node(glance_api_t)
corenet_tcp_bind_glance_port(glance_api_t)
-corenet_tcp_bind_hplip_port(glance_api_t)
corenet_tcp_connect_glance_registry_port(glance_api_t)
+
corenet_tcp_connect_all_ephemeral_ports(glance_api_t)
-=======
+
corenet_sendrecv_hplip_server_packets(glance_api_t)
corenet_tcp_bind_hplip_port(glance_api_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
corenet_sendrecv_glance_registry_client_packets(glance_api_t)
corenet_tcp_connect_glance_registry_port(glance_api_t)
fs_getattr_xattr_fs(glance_api_t)
-<<<<<<< HEAD
optional_policy(`
mysql_stream_connect(glance_api_t)
')
-=======
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
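Review bot: After the resolution `corenet_tcp_connect_glance_registry_port(glance_api_t)` appears twice in this block, once after corenet_tcp_bind_glance_port and again after corenet_sendrecv_glance_registry_client_packets; the duplicate is harmless to the compiler, but since this merge is meant to de-duplicate, drop the first occurrence and keep the one paired with its sendrecv rule. The blank lines added before corenet_tcp_connect_all_ephemeral_ports and corenet_sendrecv_hplip_server_packets also separate bind rules from their matching packet rules; grouping each bind/connect with its sendrecv line, as the hplip pair now is, reads more consistently.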
diff --git a/glusterd.fc b/glusterd.fc
deleted file mode 100644
index 6418e39..0000000
--- a/glusterd.fc
+++ /dev/null
@@ -1,16 +0,0 @@
-
-/etc/rc\.d/init\.d/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
-
-/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_etc_t,s0)
-/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_etc_t,s0)
-
-/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
-/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
-
-/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
-
-/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
-
-/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
-/var/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0)
-
diff --git a/glusterd.if b/glusterd.if
deleted file mode 100644
index e15bbb0..0000000
--- a/glusterd.if
+++ /dev/null
@@ -1,146 +0,0 @@
-
-## policy for glusterd
-
-
-########################################
-##
-## Transition to glusterd.
-##
-##
-##
-## Domain allowed to transition.
-##
-##
-#
-interface(`glusterd_domtrans',`
- gen_require(`
- type glusterd_t, glusterd_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, glusterd_exec_t, glusterd_t)
-')
-
-
-########################################
-##
-## Execute glusterd server in the glusterd domain.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`glusterd_initrc_domtrans',`
- gen_require(`
- type glusterd_initrc_exec_t;
- ')
-
- init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
-')
-
-
-########################################
-##
-## Read glusterd's log files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-#
-interface(`glusterd_read_log',`
- gen_require(`
- type glusterd_log_t;
- ')
-
- logging_search_logs($1)
- read_files_pattern($1, glusterd_log_t, glusterd_log_t)
-')
-
-########################################
-##
-## Append to glusterd log files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`glusterd_append_log',`
- gen_require(`
- type glusterd_log_t;
- ')
-
- logging_search_logs($1)
- append_files_pattern($1, glusterd_log_t, glusterd_log_t)
-')
-
-########################################
-##
-## Manage glusterd log files
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`glusterd_manage_log',`
- gen_require(`
- type glusterd_log_t;
- ')
-
- logging_search_logs($1)
- manage_dirs_pattern($1, glusterd_log_t, glusterd_log_t)
- manage_files_pattern($1, glusterd_log_t, glusterd_log_t)
- manage_lnk_files_pattern($1, glusterd_log_t, glusterd_log_t)
-')
-
-########################################
-##
-## All of the rules required to administrate
-## an glusterd environment
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## Role allowed access.
-##
-##
-##
-#
-interface(`glusterd_admin',`
- gen_require(`
- type glusterd_t;
- type glusterd_initrc_exec_t;
- type glusterd_log_t;
- type glusterd_tmp_t;
- type glusterd_etc_t;
- ')
-
- allow $1 glusterd_t:process { ptrace signal_perms };
- ps_process_pattern($1, glusterd_t)
-
- glusterd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 glusterd_initrc_exec_t system_r;
- allow $2 system_r;
-
- logging_search_logs($1)
- admin_pattern($1, glusterd_log_t)
-
- admin_pattern($1, glusterd_tmp_t)
-
- admin_pattern($1, glusterd_etc_t)
-
-')
-
diff --git a/glusterd.te b/glusterd.te
deleted file mode 100644
index d35f2b0..0000000
--- a/glusterd.te
+++ /dev/null
@@ -1,101 +0,0 @@
-policy_module(glusterd, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type glusterd_t;
-type glusterd_exec_t;
-init_daemon_domain(glusterd_t, glusterd_exec_t)
-
-type glusterd_etc_t;
-files_type(glusterd_etc_t)
-
-type glusterd_tmp_t;
-files_tmp_file(glusterd_tmp_t)
-
-type glusterd_initrc_exec_t;
-init_script_file(glusterd_initrc_exec_t)
-
-type glusterd_log_t;
-logging_log_file(glusterd_log_t)
-
-type glusterd_var_run_t;
-files_pid_file(glusterd_var_run_t)
-
-type glusterd_var_lib_t;
-files_type(glusterd_var_lib_t);
-
-
-########################################
-#
-# glusterd local policy
-#
-
-allow glusterd_t self:capability { net_bind_service sys_admin dac_override chown dac_read_search fowner };
-allow glusterd_t self:process { setrlimit signal };
-allow glusterd_t self:capability sys_resource;
-
-allow glusterd_t self:fifo_file rw_fifo_file_perms;
-allow glusterd_t self:netlink_route_socket r_netlink_socket_perms;
-allow glusterd_t self:tcp_socket create_stream_socket_perms;
-allow glusterd_t self:udp_socket create_socket_perms;
-allow glusterd_t self:unix_stream_socket create_stream_socket_perms;
-allow glusterd_t self:unix_dgram_socket create_socket_perms;
-
-manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
-manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
-manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
-files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
-userdom_user_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
-
-manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-manage_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-logging_log_filetrans(glusterd_t, glusterd_log_t, { dir file })
-
-manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
-manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
-files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file })
-
-manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
-manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
-files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, { dir file })
-
-manage_dirs_pattern(glusterd_t, glusterd_etc_t, glusterd_etc_t)
-manage_files_pattern(glusterd_t, glusterd_etc_t, glusterd_etc_t)
-files_etc_filetrans(glusterd_t, glusterd_etc_t, { dir file }, "glusterfs")
-
-can_exec(glusterd_t, glusterd_exec_t)
-
-kernel_read_system_state(glusterd_t)
-
-corecmd_exec_bin(glusterd_t)
-corecmd_exec_shell(glusterd_t)
-
-domain_use_interactive_fds(glusterd_t)
-
-corenet_tcp_bind_generic_node(glusterd_t)
-corenet_tcp_bind_generic_port(glusterd_t)
-corenet_tcp_bind_all_reserved_ports(glusterd_t)
-corenet_udp_bind_all_rpc_ports(glusterd_t)
-corenet_tcp_connect_unreserved_ports(glusterd_t)
-corenet_udp_bind_generic_node(glusterd_t)
-corenet_udp_bind_ipp_port(glusterd_t)
-
-dev_read_sysfs(glusterd_t)
-dev_read_urand(glusterd_t)
-
-files_read_usr_files(glusterd_t)
-files_rw_pid_dirs(glusterd_t)
-
-# Why is this needed
-#files_manage_urandom_seed(glusterd_t)
-
-auth_use_nsswitch(glusterd_t)
-
-logging_send_syslog_msg(glusterd_t)
-
-sysnet_read_config(glusterd_t)
-
-userdom_manage_user_home_dirs(glusterd_t)
diff --git a/glusterfs.if b/glusterfs.if
index 05233c8..279177d 100644
--- a/glusterfs.if
+++ b/glusterfs.if
@@ -1,31 +1,110 @@
-## Cluster File System binary, daemon and command line.
+
+## policy for glusterd
+
########################################
##
-## All of the rules required to
-## administrate an glusterfs environment.
+## Transition to glusterd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`glusterd_domtrans',`
+ gen_require(`
+ type glusterd_t, glusterd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, glusterd_exec_t, glusterd_t)
+')
+
+
+########################################
+##
+## Execute glusterd server in the glusterd domain.
##
##
##
## Domain allowed access.
##
##
-##
+#
+interface(`glusterd_initrc_domtrans',`
+ gen_require(`
+ type glusterd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
+')
+
+
+########################################
+##
+## Read glusterd's log files.
+##
+##
##
-## Role allowed access.
+## Domain allowed access.
##
##
##
#
-interface(`glusterd_admin',`
- refpolicywarn(`$0($*) has been deprecated, use glusterfs_admin() instead.')
- glusterfs_admin($1, $2)
+interface(`glusterd_read_log',`
+ gen_require(`
+ type glusterd_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, glusterd_log_t, glusterd_log_t)
')
########################################
##
-## All of the rules required to
-## administrate an glusterfs environment.
+## Append to glusterd log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`glusterd_append_log',`
+ gen_require(`
+ type glusterd_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, glusterd_log_t, glusterd_log_t)
+')
+
+########################################
+##
+## Manage glusterd log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`glusterd_manage_log',`
+ gen_require(`
+ type glusterd_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, glusterd_log_t, glusterd_log_t)
+ manage_files_pattern($1, glusterd_log_t, glusterd_log_t)
+ manage_lnk_files_pattern($1, glusterd_log_t, glusterd_log_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an glusterd environment
##
##
##
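Review bot: The summary for `glusterd_initrc_domtrans` ("Execute glusterd server in the glusterd domain") does not match its body, which calls `init_labeled_script_domtrans($1, glusterd_initrc_exec_t)` and therefore transitions the caller into the init-script domain, not into glusterd_t; the transition into glusterd_t is what `glusterd_domtrans` above it does. Change the summary to `## Execute the glusterd init script in the initrc domain.` so that policy authors do not pick the wrong interface. While here, `glusterd_read_log` only grants `read_files_pattern` on glusterd_log_t; if log directories are ever listed (e.g. by log shippers) callers will also need `list_dirs_pattern($1, glusterd_log_t, glusterd_log_t)` — whether that is intended cannot be told from this hunk. The `glusterd_admin` interface that starts at the bottom of this hunk continues in the next one.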
@@ -39,33 +118,33 @@ interface(`glusterd_admin',`
##
##
#
-interface(`glusterfs_admin',`
+interface(`glusterd_admin',`
gen_require(`
- type glusterd_t, glusterd_initrc_exec_t, glusterd_log_t;
- type glusterd_tmp_t, glusterd_conf_t, glusterd_var_lib_t;
- type glusterd_var_run_t;
+ type glusterd_t;
+ type glusterd_initrc_exec_t;
+ type glusterd_log_t;
+ type glusterd_tmp_t;
+ type glusterd_etc_t;
')
- init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
+ allow $1 glusterd_t:process { signal_perms };
+ ps_process_pattern($1, glusterd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 glusterd_t:process ptrace;
+ ')
+
+ glusterd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 glusterd_initrc_exec_t system_r;
allow $2 system_r;
- allow $1 glusterd_t:process { ptrace signal_perms };
- ps_process_pattern($1, glusterd_t)
-
- files_search_etc($1)
- admin_pattern($1, glusterd_conf_t)
-
logging_search_logs($1)
admin_pattern($1, glusterd_log_t)
- files_search_tmp($1)
admin_pattern($1, glusterd_tmp_t)
- files_search_var_lib($1)
- admin_pattern($1, glusterd_var_lib_t)
+ admin_pattern($1, glusterd_etc_t)
- files_search_pids($1)
- admin_pattern($1, glusterd_var_run_t)
')
+
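Review bot: `admin_pattern($1, glusterd_tmp_t)` is now emitted without the `files_search_tmp($1)` that the old version placed before it, and `admin_pattern($1, glusterd_etc_t)` has no `files_search_etc($1)`, so an admin role that does not already hold search on /tmp and /etc from elsewhere cannot actually reach those objects; keep the two search calls, `files_search_tmp($1)` and `files_search_etc($1)`, next to the patterns they enable. The interface also silently drops administration of glusterd_var_lib_t and glusterd_var_run_t; if those types still exist in glusterfs.te (the declarations are outside this hunk), the admin role loses the ability to clean up /var/lib/glusterd and the pid files, which looks like a merge casualty rather than a deliberate narrowing. Finally `glusterd_etc_t` is newly required here and in glusterfs.te but its declaration is not visible in this diff; the module will not build unless it is declared with `files_config_file()` and given an .fc entry.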
diff --git a/glusterfs.te b/glusterfs.te
index fd02acc..9075dd9 100644
--- a/glusterfs.te
+++ b/glusterfs.te
@@ -40,7 +40,7 @@ allow glusterd_t self:unix_stream_socket { accept listen };
manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
-files_etc_filetrans(glusterd_t, glusterd_conf_t, dir)
+files_etc_filetrans(glusterd_t, glusterd_etc_t, { dir file }, "glusterfs")
manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
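Review bot: The file transition for `/etc/glusterfs` now yields `glusterd_etc_t`, but the two manage rules directly above it are still on `glusterd_conf_t`, so unless glusterd_t is also granted manage on glusterd_etc_t elsewhere (not visible here) the daemon can create the directory and then be denied writing into it. Either keep the transition on glusterd_conf_t, or add matching `manage_dirs_pattern(glusterd_t, glusterd_etc_t, glusterd_etc_t)` and `manage_files_pattern(glusterd_t, glusterd_etc_t, glusterd_etc_t)` rules beside the transition. The named transition `{ dir file }, "glusterfs"` also requires a policy/toolchain that supports name-based filetrans, which is worth stating in the module's build requirements if the target distribution is older.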
@@ -93,10 +93,10 @@ dev_read_urand(glusterd_t)
domain_use_interactive_fds(glusterd_t)
-files_read_usr_files(glusterd_t)
-
auth_use_nsswitch(glusterd_t)
logging_send_syslog_msg(glusterd_t)
miscfiles_read_localization(glusterd_t)
+
+userdom_manage_user_home_dirs(glusterd_t)
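Review bot: `userdom_manage_user_home_dirs(glusterd_t)` gives a network-reachable system daemon create/rename/delete rights over every user's home directory, which is a large widening for a domain that otherwise only touches its own etc/tmp/log/var types; a compromise of glusterd becomes a path to any user's dotfiles. If bricks or volumes are legitimately placed under home directories, say so with a why-comment above the line, e.g. `# glusterd creates brick directories under user home dirs (TODO: confirm and consider a tunable)`, and consider gating it with a `tunable_policy` so sites that keep bricks outside /home do not carry the access. The removed `files_read_usr_files(glusterd_t)` also deserves a check that nothing in glusterd reads /usr/share data at runtime.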
diff --git a/gnome.fc b/gnome.fc
index cec3ddb..52e5a3a 100644
--- a/gnome.fc
+++ b/gnome.fc
@@ -1,4 +1,3 @@
-<<<<<<< HEAD
HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
HOME_DIR/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:dbus_home_t,s0)
@@ -40,20 +39,11 @@ HOME_DIR/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0)
/root/\.local/share/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
/root/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0)
/root/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0)
-=======
-HOME_DIR/\.gconf(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
-HOME_DIR/\.gconfd(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
-HOME_DIR/\.gnome(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
-HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
-HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0)
-HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
-/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
+/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
-<<<<<<< HEAD
/usr/share/config(/.*)? gen_context(system_u:object_r:config_usr_t,s0)
/usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
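Review bot: The resolution drops the `HOME_DIR/\.gnome2/keyrings(/.*)? gnome_keyring_home_t` context from the other branch; unless the HEAD branch labels the keyring store elsewhere in this file (not visible in the hunk), stored secrets will fall back to the generic gnome_home_t label and every domain that has read access to gnome home content will be able to read them. Re-add the keyring line, or confirm the private type is still applied by another entry, before merging. The `/etc/gconf(/.*)?` line is removed and re-added with no visible textual change, which suggests a whitespace/tab difference; normalise it so the diff carries only real changes.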
@@ -65,9 +55,3 @@ HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
-=======
-/usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
-
-/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
-/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
diff --git a/gnome.if b/gnome.if
index 58ccb0b..2d6e6bb 100644
--- a/gnome.if
+++ b/gnome.if
@@ -1,14 +1,8 @@
-## GNU network object model environment.
+## GNU network object model environment (GNOME)
-<<<<<<< HEAD
###########################################################
##
## Role access for gnome
-=======
-########################################
-##
-## Role access for gnome. (Deprecated)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
##
##
##
@@ -260,6 +254,25 @@ interface(`gnome_dontaudit_search_config',`
##
##
#
+interface(`gnome_dontaudit_append_config_files',`
+ gen_require(`
+ attribute gnome_home_type;
+ ')
+
+ dontaudit $1 gnome_home_type:file append;
+')
+
+
+########################################
+##
+## Dontaudit write gnome homedir content (.config)
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
interface(`gnome_dontaudit_write_config_files',`
gen_require(`
attribute gnome_home_type;
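Review bot: The new `gnome_dontaudit_append_config_files` is inserted between an existing XML doc header (the `##`/`#` context lines at the top of the hunk, whose summary is outside the hunk) and the interface that header originally described, `gnome_dontaudit_write_config_files`, which now gets a fresh header further down. If the pre-existing summary still reads "Dontaudit write gnome homedir content", it now documents the append interface, and the generated interface docs will be wrong for both. Add a dedicated header above the new interface, `## Dontaudit append to gnome homedir content (.config)`, and leave the original header attached to the write interface.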
@@ -972,11 +985,7 @@ interface(`gnome_append_gconf_home_files',`
##
##
##
-<<<<<<< HEAD
## Domain allowed access.
-=======
-## Role allowed access.
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
##
##
#
@@ -995,7 +1004,6 @@ interface(`gnome_manage_gconf_home_files',`
##
##
##
-<<<<<<< HEAD
## Domain allowed access.
##
##
@@ -1049,119 +1057,11 @@ interface(`gnome_setattr_home_config',`
setattr_dirs_pattern($1, config_home_t, config_home_t)
userdom_search_user_home_dirs($1)
-=======
-## User domain for the role.
-##
-##
-#
-interface(`gnome_role',`
- refpolicywarn(`$0($*) has been deprecated')
-')
-
-#######################################
-##
-## The role template for gnome.
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## The role associated with the user domain.
-##
-##
-##
-##
-## The type of the user domain.
-##
-##
-#
-template(`gnome_role_template',`
- gen_require(`
- attribute gnomedomain, gkeyringd_domain;
- attribute_role gconfd_roles;
- type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t;
- type gconfd_t, gconfd_exec_t, gconf_tmp_t;
- type gconf_home_t;
- ')
-
- ########################################
- #
- # Gconf declarations
- #
-
- roleattribute $2 gconfd_roles;
-
- ########################################
- #
- # Gkeyringd declarations
- #
-
- type $1_gkeyringd_t, gnomedomain, gkeyringd_domain;
- userdom_user_application_domain($1_gkeyringd_t, gkeyringd_exec_t)
- domain_user_exemption_target($1_gkeyringd_t)
-
- role $2 types $1_gkeyringd_t;
-
- ########################################
- #
- # Gconf policy
- #
-
- domtrans_pattern($3, gconfd_exec_t, gconfd_t)
-
- allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms };
- userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf")
- userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd")
-
- allow $3 gconfd_t:process { ptrace signal_perms };
- ps_process_pattern($3, gconfd_t)
-
- ########################################
- #
- # Gkeyringd policy
- #
-
- domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
-
- allow $3 { gnome_home_t gnome_keyring_home_t gnome_keyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
- allow $3 { gnome_home_t gnome_keyring_home_t }:file { relabel_file_perms manage_file_perms };
-
- userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome")
- userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2")
- userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2_private")
-
- gnome_home_filetrans($3, gnome_keyring_home_t, dir, "keyrings")
-
- allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
-
- ps_process_pattern($3, $1_gkeyringd_t)
- allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
-
- corecmd_bin_domtrans($1_gkeyringd_t, $3)
- corecmd_shell_domtrans($1_gkeyringd_t, $3)
-
- gnome_stream_connect_gkeyringd($1, $3)
-
- optional_policy(`
- dbus_spec_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
-
- gnome_dbus_chat_gkeyringd($1, $3)
- ')
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
')
########################################
##
-<<<<<<< HEAD
## read gnome homedir content (.config)
-=======
-## Execute gconf in the caller domain.
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
##
##
##
@@ -1174,7 +1074,6 @@ interface(`gnome_read_home_config',`
type config_home_t;
')
-<<<<<<< HEAD
list_dirs_pattern($1, config_home_t, config_home_t)
read_files_pattern($1, config_home_t, config_home_t)
read_lnk_files_pattern($1, config_home_t, config_home_t)
@@ -1214,19 +1113,11 @@ interface(`gnome_setattr_home_config_dirs',`
')
setattr_dirs_pattern($1, config_home_t, config_home_t)
-=======
- corecmd_search_bin($1)
- can_exec($1, gconfd_exec_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
')
########################################
##
-<<<<<<< HEAD
## manage gnome homedir content (.config)
-=======
-## Read gconf configuration content.
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
##
##
##
@@ -1234,47 +1125,16 @@ interface(`gnome_setattr_home_config_dirs',`
##
##
#
-<<<<<<< HEAD
interface(`gnome_manage_home_config',`
-=======
-interface(`gnome_read_gconf_config',`
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
gen_require(`
type config_home_t;
')
-<<<<<<< HEAD
manage_files_pattern($1, config_home_t, config_home_t)
-=======
- files_search_etc($1)
- allow $1 gconf_etc_t:dir list_dir_perms;
- allow $1 gconf_etc_t:file read_file_perms;
- allow $1 gconf_etc_t:lnk_file read_lnk_file_perms;
-')
-
-########################################
-##
-## Do not audit attempts to read
-## inherited gconf configuration files.
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
- gen_require(`
- type gconf_etc_t;
- ')
-
- dontaudit $1 gconf_etc_t:file read;
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
')
#######################################
##
-<<<<<<< HEAD
## delete gnome homedir content (.config)
##
##
@@ -1294,10 +1154,6 @@ interface(`gnome_delete_home_config_dirs',`
########################################
##
## manage gnome homedir content (.config)
-=======
-## Create, read, write, and delete
-## gconf configuration content.
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
##
##
##
@@ -1310,24 +1166,12 @@ interface(`gnome_manage_home_config_dirs',`
type config_home_t;
')
-<<<<<<< HEAD
manage_dirs_pattern($1, config_home_t, config_home_t)
-=======
- files_search_etc($1)
- allow $1 gconf_etc_t:dir manage_dir_perms;
- allow $1 gconf_etc_t:file manage_file_perms;
- allow $1 gconf_etc_t:lnk_file manage_lnk_file_perms;
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
')
########################################
##
-<<<<<<< HEAD
## manage gstreamer home content files.
-=======
-## Connect to gconf using a unix
-## domain stream socket.
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
##
##
##
@@ -1340,7 +1184,6 @@ interface(`gnome_manage_gstreamer_home_files',`
type gstreamer_home_t;
')
-<<<<<<< HEAD
manage_dirs_pattern($1, gstreamer_home_t, gstreamer_home_t)
manage_files_pattern($1, gstreamer_home_t, gstreamer_home_t)
gnome_filetrans_gstreamer_home_content($1)
@@ -1414,10 +1257,6 @@ interface(`gnome_manage_gstreamer_home_dirs',`
')
manage_dirs_pattern($1, gstreamer_home_t, gstreamer_home_t)
-=======
- files_search_tmp($1)
- stream_connect_pattern($1, gconf_tmp_t, gconf_tmp_t, gconfd_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
')
########################################
@@ -1426,7 +1265,7 @@ interface(`gnome_manage_gstreamer_home_dirs',`
##
##
##
-## Domain allowed to transition.
+## Domain allowed access.
##
##
#
@@ -1435,17 +1274,11 @@ interface(`gnome_rw_inherited_config',`
attribute gnome_home_type;
')
-<<<<<<< HEAD
allow $1 gnome_home_type:file rw_inherited_file_perms;
-=======
- corecmd_search_bin($1)
- domtrans_pattern($1, gconfd_exec_t, gconfd_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
')
########################################
##
-<<<<<<< HEAD
## Dontaudit Read/Write all inherited gnome home config
##
##
@@ -1460,33 +1293,12 @@ interface(`gnome_dontaudit_rw_inherited_config',`
')
dontaudit $1 gnome_home_type:file rw_inherited_file_perms;
-=======
-## Create generic gnome home directories.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`gnome_create_generic_home_dirs',`
- gen_require(`
- type gnome_home_t;
- ')
-
- allow $1 gnome_home_t:dir create_dir_perms;
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
')
########################################
##
-<<<<<<< HEAD
## Send and receive messages from
## gconf system service over dbus.
-=======
-## Set attributes of generic gnome
-## user home directories. (Deprecated)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
##
##
##
@@ -1494,104 +1306,40 @@ interface(`gnome_create_generic_home_dirs',`
##
##
#
-<<<<<<< HEAD
interface(`gnome_dbus_chat_gconfdefault',`
-=======
-interface(`gnome_setattr_config_dirs',`
- refpolicywarn(`$0($*) has been deprecated, use gnome_setattr_generic_home_dirs() instead.')
- gnome_setattr_generic_home_dirs($1)
-')
-
-########################################
-##
-## Set attributes of generic gnome
-## user home directories.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`gnome_setattr_generic_home_dirs',`
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
gen_require(`
type gconfdefaultsm_t;
class dbus send_msg;
')
-<<<<<<< HEAD
allow $1 gconfdefaultsm_t:dbus send_msg;
allow gconfdefaultsm_t $1:dbus send_msg;
-=======
- userdom_search_user_home_dirs($1)
- setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
')
########################################
##
-<<<<<<< HEAD
## Send and receive messages from
## gkeyringd over dbus.
##
##
-=======
-## Read generic gnome user home content. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`gnome_read_config',`
- refpolicywarn(`$0($*) has been deprecated, use gnome_read_generic_home_content() instead.')
- gnome_read_generic_home_content($1)
-')
-
-########################################
-##
-## Read generic gnome home content.
-##
-##
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
##
## Domain allowed access.
##
##
#
-<<<<<<< HEAD
interface(`gnome_dbus_chat_gkeyringd',`
-=======
-interface(`gnome_read_generic_home_content',`
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
gen_require(`
attribute gkeyringd_domain;
class dbus send_msg;
')
-<<<<<<< HEAD
allow $1 gkeyringd_domain:dbus send_msg;
allow gkeyringd_domain $1:dbus send_msg;
-=======
- userdom_search_user_home_dirs($1)
- allow $1 gnome_home_t:dir list_dir_perms;
- allow $1 gnome_home_t:file read_file_perms;
- allow $1 gnome_home_t:fifo_file read_fifo_file_perms;
- allow $1 gnome_home_t:lnk_file read_lnk_file_perms;
- allow $1 gnome_home_t:sock_file read_sock_file_perms;
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
')
########################################
##
-<<<<<<< HEAD
## Send signull signal to gkeyringd processes.
-=======
-## Create, read, write, and delete
-## generic gnome user home content. (Deprecated)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
##
##
##
@@ -1599,7 +1347,6 @@ interface(`gnome_read_generic_home_content',`
##
##
#
-<<<<<<< HEAD
interface(`gnome_signull_gkeyringd',`
gen_require(`
attribute gkeyringd_domain;
@@ -1624,22 +1371,12 @@ interface(`gnome_read_gkeyringd_state',`
')
ps_process_pattern($1, gkeyringd_domain)
-=======
-interface(`gnome_manage_config',`
- refpolicywarn(`$0($*) has been deprecated, use gnome_manage_generic_home_content() instead.')
- gnome_manage_generic_home_content($1)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
')
########################################
##
-<<<<<<< HEAD
## Create directories in user home directories
## with the gnome home file type.
-=======
-## Create, read, write, and delete
-## generic gnome home content.
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
##
##
##
@@ -1647,372 +1384,13 @@ interface(`gnome_manage_config',`
##
##
#
-<<<<<<< HEAD
interface(`gnome_home_dir_filetrans',`
-=======
-interface(`gnome_manage_generic_home_content',`
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
gen_require(`
type gnome_home_t;
')
-<<<<<<< HEAD
userdom_user_home_dir_filetrans($1, gnome_home_t, dir)
-=======
- userdom_search_user_home_dirs($1)
- allow $1 gnome_home_t:dir manage_dir_perms;
- allow $1 gnome_home_t:file manage_file_perms;
- allow $1 gnome_home_t:fifo_file manage_fifo_file_perms;
- allow $1 gnome_home_t:lnk_file manage_lnk_file_perms;
- allow $1 gnome_home_t:sock_file manage_sock_file_perms;
-')
-
-########################################
-##
-## Search generic gnome home directories.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`gnome_search_generic_home',`
- gen_require(`
- type gnome_home_t;
- ')
-
- userdom_search_user_home_dirs($1)
- allow $1 gnome_home_t:dir search_dir_perms;
-')
-
-########################################
-##
-## Create objects in gnome user home
-## directories with a private type.
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## Private file type.
-##
-##
-##
-##
-## Class of the object being created.
-##
-##
-##
-##
-## The name of the object being created.
-##
-##
-#
-interface(`gnome_home_filetrans',`
- gen_require(`
- type gnome_home_t;
- ')
-
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
- userdom_search_user_home_dirs($1)
- filetrans_pattern($1, gnome_home_t, $2, $3, $4)
-')
-
-########################################
-##
-## Create generic gconf home directories.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`gnome_create_generic_gconf_home_dirs',`
- gen_require(`
- type gconf_home_t;
- ')
-
- allow $1 gconf_home_t:dir create_dir_perms;
-')
-
-########################################
-##
-## Read generic gconf home content.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`gnome_read_generic_gconf_home_content',`
- gen_require(`
- type gconf_home_t;
- ')
-
- userdom_search_user_home_dirs($1)
- allow $1 gconf_home_t:dir list_dir_perms;
- allow $1 gconf_home_t:file read_file_perms;
- allow $1 gconf_home_t:fifo_file read_fifo_file_perms;
- allow $1 gconf_home_t:lnk_file read_lnk_file_perms;
- allow $1 gconf_home_t:sock_file read_sock_file_perms;
-')
-
-########################################
-##
-## Create, read, write, and delete
-## generic gconf home content.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`gnome_manage_generic_gconf_home_content',`
- gen_require(`
- type gconf_home_t;
- ')
-
- userdom_search_user_home_dirs($1)
- allow $1 gconf_home_t:dir manage_dir_perms;
- allow $1 gconf_home_t:file manage_file_perms;
- allow $1 gconf_home_t:fifo_file manage_fifo_file_perms;
- allow $1 gconf_home_t:lnk_file manage_lnk_file_perms;
- allow $1 gconf_home_t:sock_file manage_sock_file_perms;
-')
-
-########################################
-##
-## Search generic gconf home directories.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`gnome_search_generic_gconf_home',`
- gen_require(`
- type gconf_home_t;
- ')
-
userdom_search_user_home_dirs($1)
- allow $1 gconf_home_t:dir search_dir_perms;
-')
-
-########################################
-##
-## Create objects in user home
-## directories with the generic gconf
-## home type.
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## Class of the object being created.
-##
-##
-##
-##
-## The name of the object being created.
-##
-##
-#
-interface(`gnome_home_filetrans_gconf_home',`
- gen_require(`
- type gconf_home_t;
- ')
-
- userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3)
-')
-
-########################################
-##
-## Create objects in user home
-## directories with the generic gnome
-## home type.
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## Class of the object being created.
-##
-##
-##
-##
-## The name of the object being created.
-##
-##
-#
-interface(`gnome_home_filetrans_gnome_home',`
- gen_require(`
- type gnome_home_t;
- ')
-
- userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3)
-')
-
-########################################
-##
-## Create objects in gnome gconf home
-## directories with a private type.
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## Private file type.
-##
-##
-##
-##
-## Class of the object being created.
-##
-##
-##
-##
-## The name of the object being created.
-##
-##
-#
-interface(`gnome_gconf_home_filetrans',`
- gen_require(`
- type gconf_home_t;
- ')
-
- userdom_search_user_home_dirs($1)
- filetrans_pattern($1, gconf_home_t, $2, $3, $4)
-')
-
-########################################
-##
-## Read generic gnome keyring home files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`gnome_read_keyring_home_files',`
- gen_require(`
- type gnome_home_t, gnome_keyring_home_t;
- ')
-
- userdom_search_user_home_dirs($1)
- read_files_pattern($1, { gnome_home_t gnome_keyring_home_t }, gnome_keyring_home_t)
-')
-
-########################################
-##
-## Send and receive messages from
-## gnome keyring daemon over dbus.
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`gnome_dbus_chat_gkeyringd',`
- gen_require(`
- type $1_gkeyringd_t;
- class dbus send_msg;
- ')
-
- allow $2 $1_gkeyringd_t:dbus send_msg;
- allow $1_gkeyringd_t $2:dbus send_msg;
-')
-
-########################################
-##
-## Send and receive messages from all
-## gnome keyring daemon over dbus.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`gnome_dbus_chat_all_gkeyringd',`
- gen_require(`
- attribute gkeyringd_domain;
- class dbus send_msg;
- ')
-
- allow $1 gkeyringd_domain:dbus send_msg;
- allow gkeyringd_domain $1:dbus send_msg;
-')
-
-########################################
-##
-## Connect to gnome keyring daemon
-## with a unix stream socket.
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`gnome_stream_connect_gkeyringd',`
- gen_require(`
- type $1_gkeyringd_t, gnome_keyring_tmp_t;
- ')
-
- files_search_tmp($2)
- stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t)
-')
-
-########################################
-##
-## Connect to all gnome keyring daemon
-## with a unix stream socket.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`gnome_stream_connect_all_gkeyringd',`
- gen_require(`
- attribute gkeyringd_domain;
- type gnome_keyring_tmp_t;
- ')
-
- files_search_tmp($1)
- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
')
######################################
diff --git a/gnome.te b/gnome.te
index 09e1511..3a0a272 100644
--- a/gnome.te
+++ b/gnome.te
@@ -1,18 +1,13 @@
-policy_module(gnome, 2.2.5)
+policy_module(gnome, 2.2.0)
##############################
#
# Declarations
#
-attribute gkeyringd_domain;
attribute gnomedomain;
-<<<<<<< HEAD
attribute gnome_home_type;
attribute gkeyringd_domain;
-=======
-attribute_role gconfd_roles;
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
type gconf_etc_t;
files_config_file(gconf_etc_t)
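Review bot: `policy_module(gnome, 2.2.0)` lowers the module version from the 2.2.5 already in HEAD; a merge that resolves conflicts should keep the higher version (or bump it), otherwise installations already carrying 2.2.5 see a downgrade and tooling that compares module versions will consider the new package older. Change the line to `policy_module(gnome, 2.2.5)` or higher. The duplicate `attribute gkeyringd_domain;` is correctly collapsed to a single declaration, but the removed `attribute_role gconfd_roles;` means gconfd_t must obtain its role association some other way (see the next hunk).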
@@ -52,7 +47,6 @@ type gconfd_exec_t;
typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
userdom_user_application_domain(gconfd_t, gconfd_exec_t)
-role gconfd_roles types gconfd_t;
type gnome_home_t, gnome_home_type;
typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
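Review bot: Removing `role gconfd_roles types gconfd_t;` leaves gconfd_t with no role statement in this hunk; if none exists elsewhere in the HEAD version (not visible), user roles cannot transition into gconfd_t and the `domtrans_pattern` into it from gnome.if will fail at role-check time. Either keep a role attribute and have the role interface populate it, or add the explicit `role` statements in the role template that the HEAD branch uses. The type aliases above it rely on the same domain being reachable from the user/staff/sysadm roles, so this is worth a quick `sesearch --role_allow`/policy build check before merging.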
@@ -60,7 +54,6 @@ typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t };
typealias gnome_home_t alias unconfined_gnome_home_t;
userdom_user_home_content(gnome_home_t)
-<<<<<<< HEAD
# type KDE /usr/share/config files
type config_usr_t;
files_type(config_usr_t)
@@ -81,49 +74,14 @@ init_daemon_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
type gnomesystemmm_t;
type gnomesystemmm_exec_t;
init_daemon_domain(gnomesystemmm_t, gnomesystemmm_exec_t)
-=======
-type gkeyringd_exec_t;
-application_executable_file(gkeyringd_exec_t)
-
-type gnome_keyring_home_t;
-userdom_user_home_content(gnome_keyring_home_t)
-
-type gnome_keyring_tmp_t;
-userdom_user_tmp_file(gnome_keyring_tmp_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
-
-##############################
-#
-# Common local Policy
-#
-
-allow gnomedomain self:process { getsched signal };
-allow gnomedomain self:fifo_file rw_fifo_file_perms;
-
-dev_read_urand(gnomedomain)
-
-domain_use_interactive_fds(gnomedomain)
-
-files_read_etc_files(gnomedomain)
-
-miscfiles_read_localization(gnomedomain)
-
-logging_send_syslog_msg(gnomedomain)
-
-userdom_use_user_terminals(gnomedomain)
-
-optional_policy(`
- xserver_rw_xdm_pipes(gnomedomain)
- xserver_use_xdm_fds(gnomedomain)
-')
##############################
#
-# Conf daemon local Policy
+# Local Policy
#
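Review bot: The "Common local Policy" block on the gnomedomain attribute (urand, interactive fds, etc files, localization, syslog, user terminals, xdm fds) is deleted here and only partially restored for gconfd_t in the following hunk, while the `gnomedomain` attribute itself is kept; any other type that carries gnomedomain (gconfdefaultsm_t or gnomesystemmm_t if they are declared with it, which is outside this hunk) loses those rules. Either drop the attribute if it has no members left, or keep the common block. The deleted declarations of gnome_keyring_home_t and gnome_keyring_tmp_t also need to exist somewhere in HEAD, because gnome.if still requires the gkeyringd_domain attribute and the .fc file labels the keyring daemon.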
-allow gconfd_t gconf_etc_t:dir list_dir_perms;
-read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t)
+allow gconfd_t self:process getsched;
+allow gconfd_t self:fifo_file rw_fifo_file_perms;
manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t)
manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t)
@@ -133,54 +91,27 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
-userdom_manage_user_tmp_dirs(gconfd_t)
-userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
-
-optional_policy(`
- nscd_dontaudit_search_pid(gconfd_t)
-')
-
-##############################
-#
-# Keyring-daemon local policy
-#
-
-<<<<<<< HEAD
-=======
-allow gkeyringd_domain self:capability ipc_lock;
-allow gkeyringd_domain self:process { getcap setcap };
-allow gkeyringd_domain self:unix_stream_socket { connectto accept listen };
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
-
-allow gkeyringd_domain gnome_home_t:dir create_dir_perms;
-gnome_home_filetrans_gnome_home(gkeyringd_domain, dir, ".gnome2")
-
-manage_dirs_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t)
-manage_files_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t)
-gnome_home_filetrans(gkeyringd_domain, gnome_keyring_home_t, dir, "keyrings")
+allow gconfd_t gconf_etc_t:dir list_dir_perms;
+read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t)
-manage_dirs_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
-manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
-files_tmp_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)
+dev_read_urand(gconfd_t)
-kernel_read_system_state(gkeyringd_domain)
-kernel_read_crypto_sysctls(gkeyringd_domain)
+files_read_etc_files(gconfd_t)
-dev_read_rand(gkeyringd_domain)
-dev_read_sysfs(gkeyringd_domain)
-files_read_usr_files(gkeyringd_domain)
+logging_send_syslog_msg(gconfd_t)
-fs_getattr_all_fs(gkeyringd_domain)
-
-selinux_getattr_fs(gkeyringd_domain)
+userdom_manage_user_tmp_sockets(gconfd_t)
+userdom_manage_user_tmp_dirs(gconfd_t)
+userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
optional_policy(`
- ssh_read_user_home_files(gkeyringd_domain)
+ nscd_dontaudit_search_pid(gconfd_t)
')
optional_policy(`
- telepathy_mission_control_read_state(gkeyringd_domain)
+ xserver_use_xdm_fds(gconfd_t)
+ xserver_rw_xdm_pipes(gconfd_t)
')
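Review bot: The keyring-daemon policy removed here grants `ipc_lock`, `{ getcap setcap }`, rand and crypto-sysctl access; `ipc_lock` is what lets gnome-keyring mlock() the pages holding unlocked secrets so they are never swapped, so if the HEAD branch does not carry an equivalent gkeyringd block elsewhere (not visible), the daemon either fails to start or silently keeps secrets in swappable memory. Confirm that block exists before merging. On the gconfd side, `userdom_manage_user_tmp_sockets(gconfd_t)` plus `userdom_manage_user_tmp_dirs(gconfd_t)` is broader than the private gconf_tmp_t handling above it; a one-line why-comment such as `# gconfd creates its socket under /tmp/gconfd-USER before the private type applies` would justify it, or drop it if the filetrans already covers the socket.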
#######################################
diff --git a/gnomeclock.fc b/gnomeclock.fc
index 20759b2..5d92f4e 100644
--- a/gnomeclock.fc
+++ b/gnomeclock.fc
@@ -2,12 +2,6 @@
/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
-<<<<<<< HEAD
/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
/usr/libexec/kde(3|4)/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
-=======
-/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
-
-/usr/libexec/kde(3|4)/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
diff --git a/gnomeclock.if b/gnomeclock.if
index fca8e86..25c7ab8 100644
--- a/gnomeclock.if
+++ b/gnomeclock.if
@@ -2,8 +2,7 @@
########################################
##
-## Execute a domain transition to
-## run gnomeclock.
+## Execute a domain transition to run gnomeclock.
##
##
##
@@ -16,15 +15,13 @@ interface(`gnomeclock_domtrans',`
type gnomeclock_t, gnomeclock_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t)
')
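Review bot: Dropping `corecmd_search_bin($1)` from `gnomeclock_domtrans` breaks the reference-policy convention that a domtrans interface carries the directory search needed to reach the executable; callers that do not already hold search on bin/libexec directories will now fail to exec /usr/libexec/gsd-datetime-mechanism. Keep the `corecmd_search_bin($1)` line in the interface unless every known caller is confirmed to have it, and if the removal is intentional say why in the interface summary.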
########################################
##
-## Execute gnomeclock in the gnomeclock
-## domain, and allow the specified
-## role the gnomeclock domain.
+## Execute gnomeclock in the gnomeclock domain, and
+## allow the specified role the gnomeclock domain.
##
##
##
@@ -39,11 +36,11 @@ interface(`gnomeclock_domtrans',`
#
interface(`gnomeclock_run',`
gen_require(`
- attribute_role gnomeclock_roles;
+ type gnomeclock_t;
')
gnomeclock_domtrans($1)
- roleattribute $2 gnomeclock_roles;
+ role $2 types gnomeclock_t;
')
########################################
@@ -69,14 +66,8 @@ interface(`gnomeclock_dbus_chat',`
########################################
##
-<<<<<<< HEAD
## Do not audit send and receive messages from
## gnomeclock over dbus.
-=======
-## Do not audit attempts to send and
-## receive messages from gnomeclock
-## over dbus.
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
##
##
##
diff --git a/gnomeclock.te b/gnomeclock.te
index f6cdd3e..d58acfc 100644
--- a/gnomeclock.te
+++ b/gnomeclock.te
@@ -1,44 +1,29 @@
-policy_module(gnomeclock, 1.0.5)
+policy_module(gnomeclock, 1.0.0)
########################################
#
# Declarations
#
-attribute_role gnomeclock_roles;
-
type gnomeclock_t;
type gnomeclock_exec_t;
-<<<<<<< HEAD
init_daemon_domain(gnomeclock_t, gnomeclock_exec_t)
-=======
-init_system_domain(gnomeclock_t, gnomeclock_exec_t)
-role gnomeclock_roles types gnomeclock_t;
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
########################################
#
-# Local policy
+# gnomeclock local policy
#
-<<<<<<< HEAD
allow gnomeclock_t self:capability { sys_nice sys_time dac_override };
allow gnomeclock_t self:process { getattr getsched signal };
allow gnomeclock_t self:fifo_file rw_fifo_file_perms;
allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
allow gnomeclock_t self:unix_dgram_socket create_socket_perms;
-=======
-allow gnomeclock_t self:capability { sys_nice sys_time };
-allow gnomeclock_t self:process { getattr getsched signal };
-allow gnomeclock_t self:fifo_file rw_fifo_file_perms;
-allow gnomeclock_t self:unix_stream_socket { accept listen };
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
kernel_read_system_state(gnomeclock_t)
corecmd_exec_bin(gnomeclock_t)
corecmd_exec_shell(gnomeclock_t)
-<<<<<<< HEAD
corecmd_dontaudit_access_check_bin(gnomeclock_t)
corenet_tcp_connect_time_port(gnomeclock_t)
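Review bot: The `policy_module` version goes backwards from 1.0.5 to 1.0.0 while the module content changes, which defeats the purpose of the version field (a policy store cannot tell a newer build from an older one); it should be `policy_module(gnomeclock, 1.0.6)`, or at minimum not drop below 1.0.5. The same regression appears in gpg.te, where `policy_module(gpg, 2.7.3)` becomes `policy_module(gpg, 2.6.0)`. Separately, the resolution keeps `dac_override` in the gnomeclock_t self:capability set that the discarded branch did not grant; because that capability bypasses discretionary file permissions entirely, a short comment naming the operation that needs it (or a dontaudit if it is only probed) would let a later reviewer judge whether it is still required.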
@@ -49,64 +34,32 @@ dev_write_kmsg(gnomeclock_t)
dev_read_sysfs(gnomeclock_t)
files_read_etc_runtime_files(gnomeclock_t)
-=======
-
-corenet_all_recvfrom_unlabeled(gnomeclock_t)
-corenet_all_recvfrom_netlabel(gnomeclock_t)
-corenet_tcp_sendrecv_generic_if(gnomeclock_t)
-corenet_tcp_sendrecv_generic_node(gnomeclock_t)
-
-# tcp:37 (time)
-corenet_sendrecv_inetd_child_client_packets(gnomeclock_t)
-corenet_tcp_connect_inetd_child_port(gnomeclock_t)
-corenet_tcp_sendrecv_inetd_child_port(gnomeclock_t)
-
-dev_read_sysfs(gnomeclock_t)
-dev_read_urand(gnomeclock_t)
-dev_rw_realtime_clock(gnomeclock_t)
-
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
files_read_usr_files(gnomeclock_t)
fs_getattr_xattr_fs(gnomeclock_t)
auth_use_nsswitch(gnomeclock_t)
-<<<<<<< HEAD
init_dbus_chat(gnomeclock_t)
logging_stream_connect_syslog(gnomeclock_t)
logging_send_syslog_msg(gnomeclock_t)
miscfiles_manage_localization(gnomeclock_t)
-=======
-logging_send_syslog_msg(gnomeclock_t)
-
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
miscfiles_etc_filetrans_localization(gnomeclock_t)
-miscfiles_manage_localization(gnomeclock_t)
-miscfiles_read_localization(gnomeclock_t)
userdom_read_all_users_state(gnomeclock_t)
optional_policy(`
-<<<<<<< HEAD
chronyd_systemctl(gnomeclock_t)
')
optional_policy(`
clock_read_adjtime(gnomeclock_t)
-=======
- chronyd_initrc_domtrans(gnomeclock_t)
-')
-
-optional_policy(`
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
clock_domtrans(gnomeclock_t)
')
optional_policy(`
-<<<<<<< HEAD
consolekit_dbus_chat(gnomeclock_t)
')
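Review bot: The resolution discards `dev_rw_realtime_clock(gnomeclock_t)` and `dev_read_urand(gnomeclock_t)` from the other branch without the kept branch visibly carrying equivalents in this hunk; a clock-setting mechanism that writes the hardware clock would then be denied on the RTC device, so confirm those rules exist elsewhere in gnomeclock.te or re-add them after `dev_read_sysfs(gnomeclock_t)`. The kept `miscfiles_manage_localization(gnomeclock_t)` is the write-level interface where the discarded branch only had the read variant; presumably this is for rewriting the timezone link, and a one-line comment such as `# timezone changes rewrite the localization symlink` would document why write access is needed.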
@@ -133,25 +86,6 @@ optional_policy(`
optional_policy(`
policykit_dbus_chat(gnomeclock_t)
-=======
- dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
-
- optional_policy(`
- consolekit_dbus_chat(gnomeclock_t)
- ')
-
- optional_policy(`
- policykit_dbus_chat(gnomeclock_t)
- ')
-')
-
-optional_policy(`
- ntp_domtrans_ntpdate(gnomeclock_t)
- ntp_initrc_domtrans(gnomeclock_t)
-')
-
-optional_policy(`
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
policykit_domtrans_auth(gnomeclock_t)
policykit_read_lib(gnomeclock_t)
policykit_read_reload(gnomeclock_t)
diff --git a/gpg.fc b/gpg.fc
index fb48740..c02fa56 100644
--- a/gpg.fc
+++ b/gpg.fc
@@ -1,14 +1,14 @@
-HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
-HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
+HOME_DIR/\.gnupg/log-socket gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
/etc/mail/spamassassin/sa-update-keys(/.*)? gen_context(system_u:object_r:gpg_secret_t,s0)
/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
-/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
/usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0)
/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
-/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
+/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
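Review bot: Removing the `-s` file-type qualifier from the `HOME_DIR/\.gnupg/log-socket` entry makes the gpg_agent_tmp_t label apply to any object at that path rather than only a socket, so a regular file or directory placed there would be labeled as agent tmp content instead of falling under the gpg_secret_t rule for the rest of ~/.gnupg. If only the agent's socket is meant to match, keep `HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)`.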
diff --git a/gpg.if b/gpg.if
index 6d31d33..951b790 100644
--- a/gpg.if
+++ b/gpg.if
@@ -2,55 +2,63 @@
############################################################
##
-## Role access for gpg.
+## Role access for gpg
##
##
##
-## Role allowed access.
+## Role allowed access
##
##
##
##
-## User domain for the role.
+## User domain for the role
##
##
#
interface(`gpg_role',`
gen_require(`
- attribute_role gpg_roles, gpg_agent_roles, gpg_helper_roles, gpg_pinentry_roles;
- type gpg_t, gpg_exec_t, gpg_agent_t;
- type gpg_agent_exec_t, gpg_agent_tmp_t, gpg_helper_t;
- type gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_secret_t;
+ type gpg_t, gpg_exec_t;
+ type gpg_agent_t, gpg_agent_exec_t;
+ type gpg_agent_tmp_t;
+ type gpg_helper_t, gpg_pinentry_t;
+ type gpg_pinentry_tmp_t;
')
- roleattribute $1 gpg_roles;
- roleattribute $1 gpg_agent_roles;
- roleattribute $1 gpg_helper_roles;
- roleattribute $1 gpg_pinentry_roles;
+ role $1 types { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t };
+ # transition from the userdomain to the derived domain
domtrans_pattern($2, gpg_exec_t, gpg_t)
- domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)
- allow $2 { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }:process { ptrace signal_perms };
- ps_process_pattern($2, { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t })
+ # allow ps to show gpg
+ ps_process_pattern($2, gpg_t)
+ allow $2 gpg_t:process { signull sigstop signal sigkill };
- allow gpg_pinentry_t $2:process signull;
+ # communicate with the user
allow gpg_helper_t $2:fd use;
- allow { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t } $2:fifo_file { read write };
+ allow gpg_helper_t $2:fifo_file write;
+
+ # allow ps to show gpg-agent
+ ps_process_pattern($2, gpg_agent_t)
+
+ # Allow the user shell to signal the gpg-agent program.
+ allow $2 gpg_agent_t:process { signal sigkill };
+
+ manage_dirs_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+ manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+ manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+ files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
+
+ # Transition from the user domain to the agent domain.
+ domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)
- allow $2 { gpg_agent_tmp_t gpg_secret_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { gpg_agent_tmp_t gpg_secret_t }:file { manage_file_perms relabel_file_perms };
- allow $2 gpg_secret_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
- allow $2 { gpg_agent_tmp_t gpg_pinentry_tmp_t gpg_secret_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
- filetrans_pattern($2, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
- userdom_user_home_dir_filetrans($2, gpg_secret_t, dir, ".gnupg")
+ manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
+ relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
allow gpg_pinentry_t $2:fifo_file { read write };
optional_policy(`
gpg_pinentry_dbus_chat($2)
')
-<<<<<<< HEAD
allow $2 gpg_agent_t:unix_stream_socket { rw_socket_perms connectto };
ifdef(`hide_broken_symptoms',`
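Review bot: `files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })` inside gpg_role is a rule on gpg_agent_t itself rather than on the $1/$2 parameters, so it is re-emitted for every role that calls the interface and duplicates the identical line in the gpg.te agent section; it belongs in gpg.te only. The new side also removes the user domain's manage/relabel access to gpg_secret_t and the `userdom_user_home_dir_filetrans($2, gpg_secret_t, dir, ".gnupg")` rule, so a ~/.gnupg directory created from the user shell rather than by gpg_t would no longer be labeled gpg_secret_t unless that transition is granted somewhere not visible here. Likewise the dropped `filetrans_pattern($2, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")` should be checked against gpg.fc, which in this same diff still labels that path gpg_agent_tmp_t. The enclosing gpg_role interface continues past the end of this hunk.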
@@ -58,13 +66,11 @@ interface(`gpg_role',`
dontaudit gpg_t $2:fifo_file rw_fifo_file_perms;
dontaudit gpg_agent_t $2:fifo_file rw_fifo_file_perms;
')
-=======
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
')
########################################
##
-## Execute the gpg in the gpg domain.
+## Transition to a user gpg domain.
##
##
##
@@ -77,17 +83,12 @@ interface(`gpg_domtrans',`
type gpg_t, gpg_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, gpg_exec_t, gpg_t)
')
######################################
##
-<<<<<<< HEAD
## Execute gpg in the caller domain.
-=======
-## Execute the gpg in the caller domain.
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
##
##
##
@@ -143,74 +144,7 @@ interface(`gpg_entry_type',`
########################################
##
-## Execute gpg in a specified domain.
-##
-##
-##
-## Execute gpg in a specified domain.
-##
-##
-## No interprocess communication (signals, pipes,
-## etc.) is provided by this interface since
-## the domains are not owned by this module.
-##
-##
-##
-##
-## Domain allowed to transition.
-##
-##
-##
-##
-## Domain to transition to.
-##
-##
-#
-interface(`gpg_spec_domtrans',`
- gen_require(`
- type gpg_exec_t;
- ')
-
- corecmd_search_bin($1)
- domain_auto_trans($1, gpg_exec_t, $2)
-')
-
-######################################
-##
-## Execute gpg in the gpg web domain. (Deprecated)
-##
-##
-##
-## Domain allowed to transition.
-##
-##
-#
-interface(`gpg_domtrans_web',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-######################################
-##
-## Make gpg executable files an
-## entrypoint for the specified domain.
-##
-##
-##
-## The domain for which gpg_exec_t is an entrypoint.
-##
-##
-#
-interface(`gpg_entry_type',`
- gen_require(`
- type gpg_exec_t;
- ')
-
- domain_entry_file($1, gpg_exec_t)
-')
-
-########################################
-##
-## Send generic signals to gpg.
+## Send generic signals to user gpg processes.
##
##
##
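Review bot: `gpg_spec_domtrans` and `gpg_domtrans_web` are deleted outright rather than deprecated, so any module outside this diff that still calls them fails to build; the removed `gpg_domtrans_web` body itself shows the convention of leaving a stub that emits `refpolicywarn(`$0($*) has been deprecated.')` for a release before removal, and `gpg_spec_domtrans` deserves the same treatment. The `gpg_entry_type` deletion looks safe only because the hunk header's function context indicates another definition of that interface earlier in gpg.if, and gpg.te still calls `gpg_entry_type(gpg_web_t)`; a note in the commit message that the removed copy was a duplicate would save the next reader the same check.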
@@ -228,7 +162,7 @@ interface(`gpg_signal',`
########################################
##
-## Read and write gpg agent pipes.
+## Read and write GPG agent pipes.
##
##
##
@@ -237,6 +171,7 @@ interface(`gpg_signal',`
##
#
interface(`gpg_rw_agent_pipes',`
+ # Just wants read/write could this be a leak?
gen_require(`
type gpg_agent_t;
')
@@ -246,8 +181,8 @@ interface(`gpg_rw_agent_pipes',`
########################################
##
-## Send messages to and from gpg
-## pinentry over DBUS.
+## Send messages to and from GPG
+## Pinentry over DBUS.
##
##
##
@@ -267,7 +202,7 @@ interface(`gpg_pinentry_dbus_chat',`
########################################
##
-## List gpg user secrets.
+## List Gnu Privacy Guard user secrets.
##
##
##
diff --git a/gpg.te b/gpg.te
index 046d61b..29063e5 100644
--- a/gpg.te
+++ b/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.7.3)
+policy_module(gpg, 2.6.0)
########################################
#
@@ -7,15 +7,13 @@ policy_module(gpg, 2.7.3)
attribute gpgdomain;
##
-##
-## Determine whether GPG agent can manage
-## generic user home content files. This is
-## required by the --write-env-file option.
-##
+##
+## Allow usage of the gpg-agent --write-env-file option.
+## This also allows gpg-agent to manage user files.
+##
##
gen_tunable(gpg_agent_env_file, false)
-<<<<<<< HEAD
##
##
## Allow gpg web domain to modify public files
@@ -31,36 +29,13 @@ typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
application_domain(gpg_t, gpg_exec_t)
ubac_constrained(gpg_t)
role system_r types gpg_t;
-=======
-attribute_role gpg_roles;
-roleattribute system_r gpg_roles;
-
-attribute_role gpg_agent_roles;
-
-attribute_role gpg_helper_roles;
-roleattribute system_r gpg_helper_roles;
-
-attribute_role gpg_pinentry_roles;
-
-type gpg_t;
-type gpg_exec_t;
-typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
-typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
-userdom_user_application_domain(gpg_t, gpg_exec_t)
-role gpg_roles types gpg_t;
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
type gpg_agent_t;
type gpg_agent_exec_t;
typealias gpg_agent_t alias { user_gpg_agent_t staff_gpg_agent_t sysadm_gpg_agent_t };
typealias gpg_agent_t alias { auditadm_gpg_agent_t secadm_gpg_agent_t };
-<<<<<<< HEAD
application_domain(gpg_agent_t, gpg_agent_exec_t)
ubac_constrained(gpg_agent_t)
-=======
-userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t)
-role gpg_agent_roles types gpg_agent_t;
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
type gpg_agent_tmp_t;
typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t };
@@ -77,26 +52,16 @@ type gpg_helper_t;
type gpg_helper_exec_t;
typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t };
typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t };
-<<<<<<< HEAD
application_domain(gpg_helper_t, gpg_helper_exec_t)
ubac_constrained(gpg_helper_t)
role system_r types gpg_helper_t;
-=======
-userdom_user_application_domain(gpg_helper_t, gpg_helper_exec_t)
-role gpg_helper_roles types gpg_helper_t;
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
type gpg_pinentry_t;
type pinentry_exec_t;
typealias gpg_pinentry_t alias { user_gpg_pinentry_t staff_gpg_pinentry_t sysadm_gpg_pinentry_t };
typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t };
-<<<<<<< HEAD
application_domain(gpg_pinentry_t, pinentry_exec_t)
ubac_constrained(gpg_pinentry_t)
-=======
-userdom_user_application_domain(gpg_pinentry_t, pinentry_exec_t)
-role gpg_pinentry_roles types gpg_pinentry_t;
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
type gpg_pinentry_tmp_t;
files_tmp_file(gpg_pinentry_tmp_t)
@@ -111,16 +76,11 @@ domain_type(gpg_web_t)
gpg_entry_type(gpg_web_t)
role system_r types gpg_web_t;
-optional_policy(`
- pulseaudio_tmpfs_content(gpg_pinentry_tmpfs_t)
-')
-
########################################
#
-# Local policy
+# GPG local policy
#
-<<<<<<< HEAD
allow gpgdomain self:capability { ipc_lock setuid };
allow gpgdomain self:process { getsched setsched };
#at setrlimit is for ulimit -c 0
@@ -129,38 +89,22 @@ dontaudit gpgdomain self:netlink_audit_socket r_netlink_socket_perms;
allow gpgdomain self:fifo_file rw_fifo_file_perms;
allow gpgdomain self:tcp_socket create_stream_socket_perms;
-=======
-allow gpg_t self:capability { ipc_lock setuid };
-allow gpg_t self:process { signal signull setrlimit getcap setcap getsched setsched setpgid };
-dontaudit gpg_t self:netlink_audit_socket r_netlink_socket_perms;
-allow gpg_t self:fifo_file rw_fifo_file_perms;
-allow gpg_t self:tcp_socket { accept listen };
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
-<<<<<<< HEAD
domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
# transition from the gpg domain to the helper domain
domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
allow gpg_t gpg_secret_t:dir create_dir_perms;
-=======
-manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir, ".gnupg")
-stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
-
-domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
-domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
-
kernel_read_sysctl(gpg_t)
corecmd_exec_shell(gpg_t)
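Review bot: The retained `domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)` in this hunk duplicates the line that opens the agent local-policy section later in the file (the context line following `# GPG agent local policy`), so the discarded branch's copy was removed but this one remains redundant and should go too. Also worth a second look: the kept branch grants `{ ipc_lock setuid }` and tcp `create_stream_socket_perms` to the whole gpgdomain attribute where the discarded branch limited them to gpg_t, so the helper and pinentry domains now inherit setuid; if they do not need it, a per-domain rule keeps the capability surface smaller.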
@@ -168,62 +112,43 @@ corecmd_exec_bin(gpg_t)
corenet_all_recvfrom_netlabel(gpg_t)
corenet_tcp_sendrecv_generic_if(gpg_t)
+corenet_udp_sendrecv_generic_if(gpg_t)
corenet_tcp_sendrecv_generic_node(gpg_t)
-
-corenet_sendrecv_all_client_packets(gpg_t)
-corenet_tcp_connect_all_ports(gpg_t)
+corenet_udp_sendrecv_generic_node(gpg_t)
corenet_tcp_sendrecv_all_ports(gpg_t)
+corenet_udp_sendrecv_all_ports(gpg_t)
+corenet_tcp_connect_all_ports(gpg_t)
+corenet_sendrecv_all_client_packets(gpg_t)
-dev_read_generic_usb_dev(gpg_t)
dev_read_rand(gpg_t)
dev_read_urand(gpg_t)
-
-files_read_usr_files(gpg_t)
-files_dontaudit_search_var(gpg_t)
+dev_read_generic_usb_dev(gpg_t)
fs_getattr_xattr_fs(gpg_t)
fs_list_inotifyfs(gpg_t)
domain_use_interactive_fds(gpg_t)
-<<<<<<< HEAD
files_read_usr_files(gpg_t)
files_dontaudit_search_var(gpg_t)
-=======
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
auth_use_nsswitch(gpg_t)
logging_send_syslog_msg(gpg_t)
-<<<<<<< HEAD
userdom_use_inherited_user_terminals(gpg_t)
# sign/encrypt user files
userdom_manage_all_user_tmp_content(gpg_t)
#userdom_manage_user_home_content(gpg_t)
-=======
-miscfiles_read_localization(gpg_t)
-
-userdom_use_user_terminals(gpg_t)
-
-userdom_manage_user_tmp_files(gpg_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
userdom_manage_user_home_content_files(gpg_t)
userdom_manage_user_home_content_dirs(gpg_t)
userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
userdom_stream_connect(gpg_t)
-<<<<<<< HEAD
mta_manage_config(gpg_t)
mta_read_spool(gpg_t)
userdom_home_manager(gpg_t)
-=======
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(gpg_t)
- fs_manage_nfs_files(gpg_t)
-')
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
optional_policy(`
gnome_read_config(gpg_t)
@@ -231,23 +156,11 @@ optional_policy(`
')
optional_policy(`
- gnome_read_generic_home_content(gpg_t)
- gnome_stream_connect_all_gkeyringd(gpg_t)
-')
-
-optional_policy(`
-<<<<<<< HEAD
-=======
- mozilla_dontaudit_rw_user_home_files(gpg_t)
-')
-
-optional_policy(`
- mta_read_spool_files(gpg_t)
- mta_write_config(gpg_t)
+ mozilla_read_user_home_files(gpg_t)
+ mozilla_write_user_home_files(gpg_t)
')
optional_policy(`
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
spamassassin_read_spamd_tmp_files(gpg_t)
')
@@ -256,38 +169,41 @@ optional_policy(`
xserver_rw_xdm_pipes(gpg_t)
')
-<<<<<<< HEAD
#optional_policy(`
# cron_system_entry(gpg_t, gpg_exec_t)
# cron_read_system_job_tmp_files(gpg_t)
#')
-=======
-optional_policy(`
- xserver_use_xdm_fds(gpg_t)
- xserver_rw_xdm_pipes(gpg_t)
-')
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
########################################
#
-# Helper local policy
+# GPG helper local policy
#
allow gpg_helper_t self:process { getsched setsched };
+
+# for helper programs (which automatically fetch keys)
+# Note: this is only tested with the hkp interface. If you use eg the
+# mail interface you will likely need additional permissions.
+
allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
+allow gpg_helper_t self:tcp_socket { connect connected_socket_perms };
+allow gpg_helper_t self:udp_socket { connect connected_socket_perms };
-dontaudit gpg_helper_t gpg_secret_t:file read_file_perms;
+dontaudit gpg_helper_t gpg_secret_t:file read;
corenet_all_recvfrom_netlabel(gpg_helper_t)
corenet_tcp_sendrecv_generic_if(gpg_helper_t)
+corenet_raw_sendrecv_generic_if(gpg_helper_t)
+corenet_udp_sendrecv_generic_if(gpg_helper_t)
corenet_tcp_sendrecv_generic_node(gpg_helper_t)
+corenet_udp_sendrecv_generic_node(gpg_helper_t)
+corenet_raw_sendrecv_generic_node(gpg_helper_t)
corenet_tcp_sendrecv_all_ports(gpg_helper_t)
-
-<<<<<<< HEAD
-=======
-corenet_sendrecv_all_client_packets(gpg_helper_t)
+corenet_udp_sendrecv_all_ports(gpg_helper_t)
+corenet_tcp_bind_generic_node(gpg_helper_t)
+corenet_udp_bind_generic_node(gpg_helper_t)
corenet_tcp_connect_all_ports(gpg_helper_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
+
auth_use_nsswitch(gpg_helper_t)
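Review bot: `corenet_raw_sendrecv_generic_if(gpg_helper_t)` and `corenet_raw_sendrecv_generic_node(gpg_helper_t)` are added without any rawip socket permission for gpg_helper_t in this hunk, so they are inert as written; the comment above says the helper is only tested with the hkp interface, which the tcp rules already cover, so the raw lines look unneeded and should be dropped rather than completed. The hunk also removes `corenet_sendrecv_all_client_packets(gpg_helper_t)` while keeping `corenet_tcp_connect_all_ports(gpg_helper_t)`, which under labeled packet policy would deny the traffic the connect rule permits — confirm it is carried elsewhere. Narrowing the dontaudit on gpg_secret_t files from `read_file_perms` to `read` means open and getattr probes by the helper will now appear in the audit log; if that is intended, say so in a comment.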
@@ -303,35 +219,33 @@ tunable_policy(`use_samba_home_dirs',`
########################################
#
-# Agent local policy
+# GPG agent local policy
#
domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+# rlimit: gpg-agent wants to prevent coredumps
allow gpg_agent_t self:process setrlimit;
-<<<<<<< HEAD
allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto } ;
-=======
-allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_sock_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+# Allow the gpg-agent to manage its tmp files (socket)
manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
-filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
-
-domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
-
-kernel_dontaudit_search_sysctl(gpg_agent_t)
+# allow gpg to connect to the gpg agent
+stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
+corecmd_read_bin_symlinks(gpg_agent_t)
+corecmd_search_bin(gpg_agent_t)
corecmd_exec_shell(gpg_agent_t)
dev_read_rand(gpg_agent_t)
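Review bot: Removing `filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")` while gpg.fc in this same diff still labels `HOME_DIR/\.gnupg/log-socket` as gpg_agent_tmp_t means a log socket the agent creates under ~/.gnupg now receives gpg_secret_t through the manage_sock_files_pattern rule and disagrees with the file context until a relabel; either restore the filetrans or drop the gpg.fc entry so the two agree. The comment `# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )` added here also survives verbatim in the next hunk, so one copy should go. `kernel_dontaudit_search_sysctl(gpg_agent_t)` is removed without replacement, so sysctl search denials from the agent will now be audited.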
@@ -342,13 +256,9 @@ domain_use_interactive_fds(gpg_agent_t)
fs_dontaudit_list_inotifyfs(gpg_agent_t)
-<<<<<<< HEAD
# Write to the user domain tty.
userdom_use_inherited_user_terminals(gpg_agent_t)
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
-=======
-userdom_use_user_terminals(gpg_agent_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
userdom_search_user_home_dirs(gpg_agent_t)
ifdef(`hide_broken_symptoms',`
@@ -357,16 +267,12 @@ ifdef(`hide_broken_symptoms',`
')
tunable_policy(`gpg_agent_env_file',`
-<<<<<<< HEAD
# write ~/.gpg-agent-info or a similar to the users home dir
# or subdir (gpg-agent --write-env-file option)
#
userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, { dir file })
-=======
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
userdom_manage_user_home_content_dirs(gpg_agent_t)
userdom_manage_user_home_content_files(gpg_agent_t)
- userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
')
userdom_home_manager(gpg_agent_t)
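Review bot: `userdom_home_manager(gpg_agent_t)` directly follows the `gpg_agent_env_file` tunable block and is unconditional; if that interface grants management of user home content on its own, the tunable no longer gates anything and the tunable's description earlier in this file (allow the --write-env-file option) becomes misleading. Either move the home-manager grant inside `tunable_policy(`gpg_agent_env_file',` ... `)` or add a comment stating why the agent needs it regardless of the tunable.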
@@ -382,8 +288,17 @@ optional_policy(`
allow gpg_pinentry_t self:process { getcap getsched setsched signal };
allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
+allow gpg_pinentry_t self:netlink_route_socket create_netlink_socket_perms;
allow gpg_pinentry_t self:shm create_shm_perms;
-allow gpg_pinentry_t self:tcp_socket { accept listen };
+allow gpg_pinentry_t self:tcp_socket create_stream_socket_perms;
+allow gpg_pinentry_t self:unix_dgram_socket sendto;
+allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
+
+can_exec(gpg_pinentry_t, pinentry_exec_t)
+
+# we need to allow gpg-agent to call pinentry so it can get the passphrase
+# from the user.
+domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)
@@ -392,36 +307,28 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
-can_exec(gpg_pinentry_t, pinentry_exec_t)
-
+# read /proc/meminfo
kernel_read_system_state(gpg_pinentry_t)
corecmd_exec_shell(gpg_pinentry_t)
corecmd_exec_bin(gpg_pinentry_t)
corenet_all_recvfrom_netlabel(gpg_pinentry_t)
-<<<<<<< HEAD
corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t)
corenet_tcp_bind_generic_node(gpg_pinentry_t)
corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t)
-=======
-corenet_all_recvfrom_unlabeled(gpg_pinentry_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
corenet_tcp_sendrecv_generic_if(gpg_pinentry_t)
corenet_tcp_sendrecv_generic_node(gpg_pinentry_t)
+corenet_tcp_sendrecv_generic_port(gpg_pinentry_t)
dev_read_urand(gpg_pinentry_t)
dev_read_rand(gpg_pinentry_t)
-domain_use_interactive_fds(gpg_pinentry_t)
-
files_read_usr_files(gpg_pinentry_t)
-<<<<<<< HEAD
# read /etc/X11/qtrc
-=======
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
+fs_getattr_tmpfs(gpg_pinentry_t)
auth_use_nsswitch(gpg_pinentry_t)
@@ -429,15 +336,12 @@ logging_send_syslog_msg(gpg_pinentry_t)
miscfiles_read_fonts(gpg_pinentry_t)
-<<<<<<< HEAD
# for .Xauthority
userdom_read_user_home_content_files(gpg_pinentry_t)
userdom_read_user_tmpfs_files(gpg_pinentry_t)
# Bug: user pulseaudio files need open,read and unlink:
allow gpg_pinentry_t user_tmpfs_t:file unlink;
userdom_signull_unpriv_users(gpg_pinentry_t)
-=======
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
userdom_use_user_terminals(gpg_pinentry_t)
userdom_home_reader(gpg_pinentry_t)
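Review bot: `allow gpg_pinentry_t user_tmpfs_t:file unlink;` references a type owned by another module directly from gpg.te rather than through a userdom_ interface, and the kept `# Bug:` comment above it records that this is a workaround; routing the access through an interface declares the cross-module dependency, and the comment should say what the workaround is waiting on so it can be removed. Note that the declarations hunk at `@@ -111,16 +76,11 @@` dropped `pulseaudio_tmpfs_content(gpg_pinentry_tmpfs_t)`, which was the other half of the pinentry/pulseaudio tmpfs handling, so the two changes should be reconciled together.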
@@ -447,12 +351,11 @@ optional_policy(`
')
optional_policy(`
- dbus_all_session_bus_client(gpg_pinentry_t)
+ dbus_session_bus_client(gpg_pinentry_t)
dbus_system_bus_client(gpg_pinentry_t)
')
optional_policy(`
-<<<<<<< HEAD
gnome_write_generic_cache_files(gpg_pinentry_t)
gnome_read_generic_cache_files(gpg_pinentry_t)
gnome_read_gconf_home_files(gpg_pinentry_t)
@@ -464,9 +367,6 @@ optional_policy(`
pulseaudio_setattr_home_dir(gpg_pinentry_t)
pulseaudio_stream_connect(gpg_pinentry_t)
pulseaudio_signull(gpg_pinentry_t)
-=======
- pulseaudio_run(gpg_pinentry_t, gpg_pinentry_roles)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
')
optional_policy(`
diff --git a/gpm.if b/gpm.if
index d5b0056..f1528c9 100644
--- a/gpm.if
+++ b/gpm.if
@@ -78,8 +78,6 @@ interface(`gpm_setattr_gpmctl',`
dev_list_all_dev_nodes($1)
allow $1 gpmctl_t:sock_file setattr_sock_file_perms;
-<<<<<<< HEAD
-=======
')
########################################
@@ -121,5 +119,4 @@ interface(`gpm_admin',`
files_search_pids($1)
admin_pattern($1, gpm_var_run_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
')
diff --git a/gpm.te b/gpm.te
index ffd564d..bc3f49e 100644
--- a/gpm.te
+++ b/gpm.te
@@ -68,12 +68,6 @@ domain_use_interactive_fds(gpm_t)
logging_send_syslog_msg(gpm_t)
-<<<<<<< HEAD
-=======
-miscfiles_read_localization(gpm_t)
-
-userdom_use_user_terminals(gpm_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
userdom_dontaudit_use_unpriv_user_fds(gpm_t)
userdom_dontaudit_search_user_home_dirs(gpm_t)
userdom_use_inherited_user_terminals(gpm_t)
diff --git a/gpsd.te b/gpsd.te
index c71a5af..61d3e29 100644
--- a/gpsd.te
+++ b/gpsd.te
@@ -45,13 +45,6 @@ files_pid_filetrans(gpsd_t, gpsd_var_run_t, { file sock_file })
kernel_list_proc(gpsd_t)
kernel_request_load_module(gpsd_t)
-<<<<<<< HEAD
-corenet_all_recvfrom_netlabel(gpsd_t)
-corenet_tcp_sendrecv_generic_if(gpsd_t)
-corenet_tcp_sendrecv_generic_node(gpsd_t)
-corenet_tcp_sendrecv_all_ports(gpsd_t)
-corenet_tcp_bind_generic_node(gpsd_t)
-=======
corenet_all_recvfrom_unlabeled(gpsd_t)
corenet_all_recvfrom_netlabel(gpsd_t)
corenet_tcp_sendrecv_generic_if(gpsd_t)
@@ -59,7 +52,6 @@ corenet_tcp_sendrecv_generic_node(gpsd_t)
corenet_tcp_bind_all_nodes(gpsd_t)
corenet_sendrecv_gpsd_server_packets(gpsd_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
corenet_tcp_bind_gpsd_port(gpsd_t)
corenet_tcp_sendrecv_gpsd_port(gpsd_t)
diff --git a/guest.te b/guest.te
index 9215e55..93d2d83 100644
--- a/guest.te
+++ b/guest.te
@@ -20,8 +20,4 @@ optional_policy(`
apache_role(guest_r, guest_t)
')
-<<<<<<< HEAD
gen_user(guest_u, user, guest_r, s0, s0)
-=======
-#gen_user(guest_u, user, guest_r, s0, s0)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
diff --git a/hadoop.if b/hadoop.if
index 00cea49..d17a75f 100644
--- a/hadoop.if
+++ b/hadoop.if
@@ -66,65 +66,8 @@ template(`hadoop_domain_template',`
manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t)
filetrans_pattern(hadoop_$1_t, hadoop_hsperfdata_t, hadoop_$1_tmp_t, file)
-<<<<<<< HEAD
- files_tmp_filetrans(hadoop_$1_t, hadoop_hsperfdata_t, dir)
-
- kernel_read_kernel_sysctls(hadoop_$1_t)
- kernel_read_sysctl(hadoop_$1_t)
- kernel_read_network_state(hadoop_$1_t)
- kernel_read_system_state(hadoop_$1_t)
-
- corecmd_exec_bin(hadoop_$1_t)
- corecmd_exec_shell(hadoop_$1_t)
-
- corenet_all_recvfrom_netlabel(hadoop_$1_t)
- corenet_tcp_bind_all_nodes(hadoop_$1_t)
- corenet_tcp_sendrecv_generic_if(hadoop_$1_t)
- corenet_udp_sendrecv_generic_if(hadoop_$1_t)
- corenet_tcp_sendrecv_generic_node(hadoop_$1_t)
- corenet_udp_sendrecv_generic_node(hadoop_$1_t)
- corenet_tcp_sendrecv_all_ports(hadoop_$1_t)
- corenet_udp_bind_generic_node(hadoop_$1_t)
- # Hadoop uses high ordered random ports for services
- # If permanent ports are chosen, remove line below and lock down
- corenet_tcp_connect_generic_port(hadoop_$1_t)
-
- dev_read_rand(hadoop_$1_t)
- dev_read_urand(hadoop_$1_t)
- dev_read_sysfs(hadoop_$1_t)
-
- files_read_etc_files(hadoop_$1_t)
-
- auth_domtrans_chkpwd(hadoop_$1_t)
-
- hadoop_match_lan_spd(hadoop_$1_t)
-
- init_read_utmp(hadoop_$1_t)
- init_use_fds(hadoop_$1_t)
- init_use_script_fds(hadoop_$1_t)
- init_use_script_ptys(hadoop_$1_t)
-
- logging_send_audit_msgs(hadoop_$1_t)
- logging_send_syslog_msg(hadoop_$1_t)
-
-
- sysnet_read_config(hadoop_$1_t)
-
- hadoop_exec_config(hadoop_$1_t)
-
- java_exec(hadoop_$1_t)
-
- kerberos_use(hadoop_$1_t)
-
- su_exec(hadoop_$1_t)
-
- optional_policy(`
- nscd_socket_use(hadoop_$1_t)
- ')
-=======
auth_use_nsswitch(hadoop_$1_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
####################################
#
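Review bot: The resolution keeps only `auth_use_nsswitch(hadoop_$1_t)` for the template domain and discards the whole per-domain rule block (kernel, corecmd, corenet and dev rules plus `java_exec`, `kerberos_use`, `su_exec` and `auth_domtrans_chkpwd`); the hadoop.te hunks show `java_exec(hadoop_domain)` on the attribute, which suggests the rules moved there, but `su_exec` and `auth_domtrans_chkpwd` are not visible on the attribute anywhere in this diff, so confirm they are covered or the template domains lose password checking. The same wholesale drop is made for hadoop_$1_initrc_t in the next hunk of this file. The template continues past the end of this hunk.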
@@ -143,46 +86,6 @@ template(`hadoop_domain_template',`
manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_log_t, hadoop_$1_log_t)
filetrans_pattern(hadoop_$1_initrc_t, hadoop_log_t, hadoop_$1_log_t, { dir file })
-<<<<<<< HEAD
- logging_search_logs(hadoop_$1_initrc_t)
-
- manage_dirs_pattern(hadoop_$1_initrc_t, hadoop_var_run_t, hadoop_var_run_t)
- manage_files_pattern(hadoop_$1_initrc_t, hadoop_var_run_t, hadoop_var_run_t)
-
- kernel_read_kernel_sysctls(hadoop_$1_initrc_t)
- kernel_read_sysctl(hadoop_$1_initrc_t)
- kernel_read_system_state(hadoop_$1_initrc_t)
-
- corecmd_exec_bin(hadoop_$1_initrc_t)
- corecmd_exec_shell(hadoop_$1_initrc_t)
-
- files_read_etc_files(hadoop_$1_initrc_t)
- files_read_usr_files(hadoop_$1_initrc_t)
-
- consoletype_exec(hadoop_$1_initrc_t)
-
- fs_getattr_xattr_fs(hadoop_$1_initrc_t)
- fs_search_cgroup_dirs(hadoop_$1_initrc_t)
-
- term_use_generic_ptys(hadoop_$1_initrc_t)
-
- hadoop_exec_config(hadoop_$1_initrc_t)
-
- init_rw_utmp(hadoop_$1_initrc_t)
- init_use_fds(hadoop_$1_initrc_t)
- init_use_script_ptys(hadoop_$1_initrc_t)
-
- logging_send_syslog_msg(hadoop_$1_initrc_t)
- logging_send_audit_msgs(hadoop_$1_initrc_t)
-
-
- userdom_dontaudit_search_user_home_dirs(hadoop_$1_initrc_t)
-
- optional_policy(`
- nscd_socket_use(hadoop_$1_initrc_t)
- ')
-=======
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
')
########################################
@@ -209,17 +112,7 @@ interface(`hadoop_role',`
')
hadoop_domtrans($2)
-<<<<<<< HEAD
- role $1 types hadoop_t;
-
- allow $2 hadoop_t:process signal_perms;
- ps_process_pattern($2, hadoop_t)
- tunable_policy(`deny_ptrace',`',`
- allow $2 hadoop_t:process ptrace;
- ')
-=======
roleattribute $1 hadoop_roles;
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
hadoop_domtrans_zookeeper_client($2)
roleattribute $1 zookeeper_roles;
@@ -227,18 +120,9 @@ interface(`hadoop_role',`
allow $2 { hadoop_t zookeeper_t }:process { ptrace signal_perms };
ps_process_pattern($2, { hadoop_t zookeeper_t })
-<<<<<<< HEAD
- allow $2 zookeeper_t:process signal_perms;
- ps_process_pattern($2, zookeeper_t)
- tunable_policy(`deny_ptrace',`',`
- allow $2 zookeeper_t:process ptrace;
- ')
-
-=======
allow $2 { hadoop_home_t hadoop_tmp_t hadoop_hsperfdata_t }:dir { manage_dir_perms relabel_dir_perms };
allow $2 { hadoop_home_t hadoop_tmp_t zookeeper_tmp_t }:file { manage_file_perms relabel_file_perms };
allow $2 hadoop_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
')
########################################
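Review bot: `allow $2 { hadoop_t zookeeper_t }:process { ptrace signal_perms };` grants ptrace unconditionally, whereas the discarded branch in this hunk and the previous one wrapped the ptrace grant in `tunable_policy(`deny_ptrace',`',` ... `)`; keeping the tunable is the more conservative choice, since ptrace lets the user domain read the memory of the hadoop and zookeeper processes. Suggested: reduce the unconditional line to `allow $2 { hadoop_t zookeeper_t }:process signal_perms;` and place `allow $2 { hadoop_t zookeeper_t }:process ptrace;` inside the deny_ptrace tunable as the discarded branch did.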
diff --git a/hadoop.te b/hadoop.te
index 81bb22d..e62bcb7 100644
--- a/hadoop.te
+++ b/hadoop.te
@@ -127,6 +127,7 @@ kernel_read_system_state(hadoop_t)
corecmd_exec_bin(hadoop_t)
corecmd_exec_shell(hadoop_t)
+corenet_all_recvfrom_unlabeled(hadoop_t)
corenet_all_recvfrom_netlabel(hadoop_t)
corenet_tcp_sendrecv_generic_if(hadoop_t)
corenet_tcp_sendrecv_generic_node(hadoop_t)
@@ -160,22 +161,10 @@ fs_getattr_xattr_fs(hadoop_t)
auth_use_nsswitch(hadoop_t)
-<<<<<<< HEAD
-=======
miscfiles_read_localization(hadoop_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
-userdom_use_inherited_user_terminals(hadoop_t)
+userdom_use_user_terminals(hadoop_t)
-<<<<<<< HEAD
-optional_policy(`
- java_exec(hadoop_t)
-')
-
-optional_policy(`
- kerberos_use(hadoop_t)
-')
-=======
hadoop_match_lan_spd(hadoop_t)
hadoop_recvfrom_datanode(hadoop_t)
hadoop_recvfrom_jobtracker(hadoop_t)
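Review bot: The merge resolves `userdom_use_inherited_user_terminals(hadoop_t)` to `userdom_use_user_terminals(hadoop_t)`, which in refpolicy also permits opening user ttys/ptys rather than only using descriptors already inherited; if the narrower rule on the HEAD side was deliberate, keep the inherited variant (the same substitution is made for zookeeper_t further down). The hunk also drops the HEAD-side `optional_policy(` kerberos_use(hadoop_t) ')` with no replacement visible here; unless hadoop_domain picks it up outside this view, Kerberos-enabled clusters lose keytab/ccache access. Whichever terminal interface stands, a one-line comment stating why hadoop needs to open (or only inherit) a user terminal would stop the next merge from flipping it again.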
@@ -243,7 +232,6 @@ logging_send_audit_msgs(hadoop_domain)
logging_send_syslog_msg(hadoop_domain)
miscfiles_read_localization(hadoop_domain)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
optional_policy(`
java_exec(hadoop_domain)
@@ -447,6 +435,7 @@ kernel_read_system_state(zookeeper_t)
corecmd_exec_bin(zookeeper_t)
corecmd_exec_shell(zookeeper_t)
+corenet_all_recvfrom_unlabeled(zookeeper_t)
corenet_all_recvfrom_netlabel(zookeeper_t)
corenet_tcp_sendrecv_generic_if(zookeeper_t)
corenet_tcp_sendrecv_generic_node(zookeeper_t)
@@ -467,22 +456,15 @@ domain_use_interactive_fds(zookeeper_t)
files_read_usr_files(zookeeper_t)
auth_use_nsswitch(zookeeper_t)
-<<<<<<< HEAD
-
-=======
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
miscfiles_read_localization(zookeeper_t)
-userdom_use_inherited_user_terminals(zookeeper_t)
+userdom_use_user_terminals(zookeeper_t)
userdom_dontaudit_search_user_home_dirs(zookeeper_t)
-<<<<<<< HEAD
-=======
hadoop_match_lan_spd(zookeeper_t)
hadoop_recvfrom_zookeeper_server(zookeeper_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
optional_policy(`
java_exec(zookeeper_t)
')
@@ -526,6 +508,7 @@ kernel_read_system_state(zookeeper_server_t)
corecmd_exec_bin(zookeeper_server_t)
corecmd_exec_shell(zookeeper_server_t)
+corenet_all_recvfrom_unlabeled(zookeeper_server_t)
corenet_all_recvfrom_netlabel(zookeeper_server_t)
corenet_tcp_sendrecv_generic_if(zookeeper_server_t)
corenet_tcp_sendrecv_generic_node(zookeeper_server_t)
@@ -560,14 +543,10 @@ fs_getattr_xattr_fs(zookeeper_server_t)
logging_send_syslog_msg(zookeeper_server_t)
-<<<<<<< HEAD
-sysnet_read_config(zookeeper_server_t)
-=======
miscfiles_read_localization(zookeeper_server_t)
hadoop_match_lan_spd(zookeeper_server_t)
hadoop_recvfrom_zookeeper_client(zookeeper_server_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
optional_policy(`
java_exec(zookeeper_server_t)
diff --git a/hal.if b/hal.if
index 4ee0e16..5e94c21 100644
--- a/hal.if
+++ b/hal.if
@@ -70,9 +70,7 @@ interface(`hal_ptrace',`
type hald_t;
')
- tunable_policy(`deny_ptrace',`',`
- allow $1 hald_t:process ptrace;
- ')
+ allow $1 hald_t:process ptrace;
')
########################################
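Review bot: `allow $1 hald_t:process ptrace;` is now unconditional, dropping the deny_ptrace gate the removed lines provided and that this same diff keeps in hddtemp_admin, icecast_admin and inn_admin; with deny_ptrace set, callers of hal_ptrace could still ptrace hald, which hal.te below grants sys_admin, sys_rawio and raw memory access. Unless this interface is meant to bypass the tunable, restore the gate: `tunable_policy(`deny_ptrace',`',` / `allow $1 hald_t:process ptrace;` / `')`.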
@@ -440,22 +438,3 @@ interface(`hal_manage_pid_files',`
files_search_pids($1)
manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
')
-
-#######################################
-##
-## Do not audit attempts to read
-## hald PID files.
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-interface(`hal_dontaudit_read_pid_files',`
- gen_require(`
- type hald_var_run_t;
- ')
-
- dontaudit $1 hald_var_run_t:file read_inherited_file_perms;
-')
diff --git a/hal.te b/hal.te
index 2d86a57..0801fe1 100644
--- a/hal.te
+++ b/hal.te
@@ -56,9 +56,6 @@ files_pid_file(hald_var_run_t)
type hald_var_lib_t;
files_type(hald_var_lib_t)
-typealias hald_log_t alias pmtools_log_t;
-typealias hald_var_run_t alias pmtools_var_run_t;
-
########################################
#
# Common local policy
@@ -76,11 +73,7 @@ hal_stream_connect(hald_domain)
#
allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
-<<<<<<< HEAD
-dontaudit hald_t self:capability sys_tty_config;
-=======
dontaudit hald_t self:capability { sys_ptrace sys_tty_config };
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
allow hald_t self:process { getsched getattr signal_perms };
allow hald_t self:fifo_file rw_fifo_file_perms;
allow hald_t self:unix_stream_socket { accept listen };
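Review bot: `dontaudit hald_t self:capability { sys_ptrace sys_tty_config };` still lists sys_tty_config, which the allow rule directly above already grants, so that half of the dontaudit is dead and only sys_ptrace is actually being silenced. Either trim it to `dontaudit hald_t self:capability sys_ptrace;` or drop sys_tty_config from the allow if the intent was to deny it quietly. A dontaudit on sys_ptrace for a daemon carrying sys_admin and sys_rawio also deserves a one-line comment naming the probe that triggers it, so it is not mistaken for a hidden grant.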
@@ -123,26 +116,11 @@ kernel_rw_irq_sysctls(hald_t)
kernel_rw_vm_sysctls(hald_t)
kernel_write_proc_files(hald_t)
kernel_rw_net_sysctls(hald_t)
-<<<<<<< HEAD
-kernel_search_network_sysctl(hald_t)
-=======
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
kernel_setsched(hald_t)
kernel_request_load_module(hald_t)
corecmd_exec_all_executables(hald_t)
-<<<<<<< HEAD
-corenet_all_recvfrom_netlabel(hald_t)
-corenet_tcp_sendrecv_generic_if(hald_t)
-corenet_udp_sendrecv_generic_if(hald_t)
-corenet_tcp_sendrecv_generic_node(hald_t)
-corenet_udp_sendrecv_generic_node(hald_t)
-corenet_tcp_sendrecv_all_ports(hald_t)
-corenet_udp_sendrecv_all_ports(hald_t)
-
-=======
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
dev_rw_usbfs(hald_t)
dev_read_rand(hald_t)
dev_read_urand(hald_t)
@@ -164,10 +142,7 @@ domain_read_all_domains_state(hald_t)
domain_dontaudit_ptrace_all_domains(hald_t)
files_exec_etc_files(hald_t)
-<<<<<<< HEAD
-=======
files_getattr_all_mountpoints(hald_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
files_rw_etc_runtime_files(hald_t)
files_manage_mnt_dirs(hald_t)
files_manage_mnt_files(hald_t)
@@ -387,11 +362,6 @@ dev_setattr_sound_dev(hald_acl_t)
dev_setattr_generic_usb_dev(hald_acl_t)
dev_setattr_usbfs_files(hald_acl_t)
-<<<<<<< HEAD
-files_read_usr_files(hald_acl_t)
-
-=======
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
fs_getattr_all_fs(hald_acl_t)
storage_getattr_removable_dev(hald_acl_t)
@@ -403,8 +373,6 @@ auth_use_nsswitch(hald_acl_t)
logging_send_syslog_msg(hald_acl_t)
-<<<<<<< HEAD
-=======
optional_policy(`
dbus_system_bus_client(hald_acl_t)
@@ -413,7 +381,6 @@ optional_policy(`
')
')
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
optional_policy(`
policykit_domtrans_auth(hald_acl_t)
policykit_read_lib(hald_acl_t)
@@ -438,18 +405,10 @@ dev_read_raw_memory(hald_mac_t)
dev_write_raw_memory(hald_mac_t)
dev_read_sysfs(hald_mac_t)
-<<<<<<< HEAD
-files_read_usr_files(hald_mac_t)
-
-auth_use_nsswitch(hald_mac_t)
-
-logging_send_syslog_msg(hald_mac_t)
-=======
auth_use_nsswitch(hald_mac_t)
logging_send_syslog_msg(hald_mac_t)
logging_search_logs(hald_mac_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
########################################
#
@@ -464,12 +423,7 @@ manage_files_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t)
append_files_pattern(hald_sonypic_t, hald_log_t, hald_log_t)
-<<<<<<< HEAD
-files_read_usr_files(hald_sonypic_t)
-
-=======
logging_search_logs(hald_sonypic_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
########################################
#
@@ -483,14 +437,9 @@ write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t)
dev_rw_input_dev(hald_keymap_t)
-<<<<<<< HEAD
-files_read_usr_files(hald_keymap_t)
-
-=======
files_read_etc_files(hald_keymap_t)
logging_search_logs(hald_keymap_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
########################################
#
@@ -519,12 +468,7 @@ append_files_pattern(hald_dccm_t, hald_log_t, hald_log_t)
kernel_search_network_sysctl(hald_dccm_t)
-<<<<<<< HEAD
-dev_read_urand(hald_dccm_t)
-
-=======
corenet_all_recvfrom_unlabeled(hald_dccm_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
corenet_all_recvfrom_netlabel(hald_dccm_t)
corenet_tcp_sendrecv_generic_if(hald_dccm_t)
corenet_udp_sendrecv_generic_if(hald_dccm_t)
@@ -541,10 +485,6 @@ corenet_udp_bind_dhcpc_port(hald_dccm_t)
corenet_sendrecv_ftp_server_packets(hald_dccm_t)
corenet_tcp_bind_ftp_port(hald_dccm_t)
-<<<<<<< HEAD
-files_read_usr_files(hald_dccm_t)
-
-=======
corenet_sendrecv_dccm_server_packets(hald_dccm_t)
corenet_tcp_bind_dccm_port(hald_dccm_t)
@@ -553,11 +493,8 @@ dev_read_urand(hald_dccm_t)
logging_send_syslog_msg(hald_dccm_t)
logging_search_logs(hald_dccm_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
hal_dontaudit_rw_dgram_sockets(hald_dccm_t)
-logging_send_syslog_msg(hald_dccm_t)
-
optional_policy(`
dbus_system_bus_client(hald_dccm_t)
')
diff --git a/hddtemp.if b/hddtemp.if
index 468ab00..77e71ea 100644
--- a/hddtemp.if
+++ b/hddtemp.if
@@ -62,6 +62,7 @@ interface(`hddtemp_admin',`
allow $1 hddtemp_t:process signal_perms;
ps_process_pattern($1, hddtemp_t)
+
tunable_policy(`deny_ptrace',`',`
allow $1 hddtemp_t:process ptrace;
')
@@ -72,9 +73,5 @@ interface(`hddtemp_admin',`
allow $2 system_r;
admin_pattern($1, hddtemp_etc_t)
-<<<<<<< HEAD
- files_list_etc($1)
-=======
files_search_etc($1)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
')
diff --git a/hddtemp.te b/hddtemp.te
index 0b980c4..588c964 100644
--- a/hddtemp.te
+++ b/hddtemp.te
@@ -35,22 +35,10 @@ corenet_tcp_bind_hddtemp_port(hddtemp_t)
corenet_sendrecv_hddtemp_server_packets(hddtemp_t)
corenet_tcp_sendrecv_hddtemp_port(hddtemp_t)
-files_read_etc_files(hddtemp_t)
-files_read_usr_files(hddtemp_t)
-
storage_raw_read_fixed_disk(hddtemp_t)
storage_raw_read_removable_device(hddtemp_t)
-<<<<<<< HEAD
-logging_send_syslog_msg(hddtemp_t)
-
-optional_policy(`
- sysnet_dns_name_resolve(hddtemp_t)
-')
-=======
auth_use_nsswitch(hddtemp_t)
logging_send_syslog_msg(hddtemp_t)
-miscfiles_read_localization(hddtemp_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
diff --git a/howl.te b/howl.te
index b13aabc..4e0f8ba 100644
--- a/howl.te
+++ b/howl.te
@@ -64,12 +64,6 @@ init_dontaudit_write_utmp(howl_t)
logging_send_syslog_msg(howl_t)
-<<<<<<< HEAD
-sysnet_read_config(howl_t)
-=======
-miscfiles_read_localization(howl_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
-
userdom_dontaudit_use_unpriv_user_fds(howl_t)
userdom_dontaudit_search_user_home_dirs(howl_t)
diff --git a/i18n_input.te b/i18n_input.te
index 3424950..a738d7f 100644
--- a/i18n_input.te
+++ b/i18n_input.te
@@ -67,7 +67,6 @@ fs_getattr_all_fs(i18n_input_t)
fs_search_auto_mountpoints(i18n_input_t)
files_read_etc_runtime_files(i18n_input_t)
-files_read_usr_files(i18n_input_t)
auth_use_nsswitch(i18n_input_t)
@@ -75,12 +74,6 @@ init_stream_connect_script(i18n_input_t)
logging_send_syslog_msg(i18n_input_t)
-<<<<<<< HEAD
-sysnet_read_config(i18n_input_t)
-=======
-miscfiles_read_localization(i18n_input_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
-
userdom_dontaudit_use_unpriv_user_fds(i18n_input_t)
userdom_read_user_home_content_files(i18n_input_t)
userdom_home_reader(i18n_input_t)
diff --git a/icecast.if b/icecast.if
index b49c4bc..c267cea 100644
--- a/icecast.if
+++ b/icecast.if
@@ -176,16 +176,14 @@ interface(`icecast_admin',`
type icecast_var_run_t;
')
-<<<<<<< HEAD
allow $1 icecast_t:process signal_perms;
ps_process_pattern($1, icecast_t)
+
tunable_policy(`deny_ptrace',`',`
allow $1 icecast_t:process ptrace;
')
# Allow icecast_t to restart the apache service
-=======
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
icecast_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 icecast_initrc_exec_t system_r;
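Review bot: The comment `# Allow icecast_t to restart the apache service` now sits directly above `icecast_initrc_domtrans($1)`, which lets the admin domain $1 run the icecast init script; it says nothing about apache or icecast_t, so after the merge the comment is misleading. Replace it with `# Allow the admin domain to run the icecast init script` or drop it. icecast_admin continues in the next hunk.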
@@ -194,13 +192,9 @@ interface(`icecast_admin',`
allow $1 icecast_t:process { ptrace signal_perms };
ps_process_pattern($1, icecast_t)
-<<<<<<< HEAD
- icecast_manage_log($1)
-=======
logging_search_logs($1)
admin_pattern($1, icecast_log_t)
files_search_pids($1)
admin_pattern($1, icecast_var_run_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
')
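Review bot: `allow $1 icecast_t:process { ptrace signal_perms };` here grants ptrace unconditionally, which makes the deny_ptrace-gated ptrace kept earlier in the same interface (previous hunk) meaningless and duplicates the signal_perms and `ps_process_pattern($1, icecast_t)` already given there. Drop this allow line and the ps_process_pattern that follows it so the tunable governs ptrace, as it does in hddtemp_admin and inn_admin in this diff. icecast_admin's opening is in the previous hunk.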
diff --git a/icecast.te b/icecast.te
index ccffc02..73f5015 100644
--- a/icecast.te
+++ b/icecast.te
@@ -7,19 +7,11 @@ policy_module(icecast, 1.1.1)
##
##
-<<<<<<< HEAD
-## Allow icecast to connect to all ports, not just
-## sound ports.
-##
-##
-gen_tunable(icecast_connect_any, false)
-=======
## Determine whether icecast can listen
## on and connect to any TCP port.
##
##
gen_tunable(icecast_use_any_tcp_ports, false)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
type icecast_t;
type icecast_exec_t;
@@ -57,20 +49,6 @@ files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir })
kernel_read_system_state(icecast_t)
-<<<<<<< HEAD
-dev_read_sysfs(icecast_t)
-dev_read_urand(icecast_t)
-dev_read_rand(icecast_t)
-
-corenet_tcp_bind_soundd_port(icecast_t)
-corenet_tcp_connect_soundd_port(icecast_t)
-
-tunable_policy(`icecast_connect_any',`
- corenet_tcp_connect_all_ports(icecast_t)
- corenet_tcp_bind_all_ports(icecast_t)
- corenet_sendrecv_all_client_packets(icecast_t)
-')
-=======
corenet_all_recvfrom_unlabeled(icecast_t)
corenet_all_recvfrom_netlabel(icecast_t)
corenet_tcp_sendrecv_generic_if(icecast_t)
@@ -82,22 +60,17 @@ corenet_tcp_bind_soundd_port(icecast_t)
corenet_sendrecv_soundd_client_packets(icecast_t)
corenet_tcp_connect_soundd_port(icecast_t)
corenet_tcp_sendrecv_soundd_port(icecast_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
dev_read_sysfs(icecast_t)
dev_read_urand(icecast_t)
dev_read_rand(icecast_t)
-<<<<<<< HEAD
auth_use_nsswitch(icecast_t)
-=======
domain_use_interactive_fds(icecast_t)
auth_use_nsswitch(icecast_t)
-miscfiles_read_localization(icecast_t)
-
tunable_policy(`icecast_use_any_tcp_ports',`
corenet_tcp_connect_all_ports(icecast_t)
corenet_sendrecv_all_client_packets(icecast_t)
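Review bot: `auth_use_nsswitch(icecast_t)` appears twice in the merged result, once from each side of the conflict; harmless to the compiler but a visible leftover of the resolution. Keep a single call, next to `domain_use_interactive_fds(icecast_t)`. The `icecast_use_any_tcp_ports` block that follows rightly stays off by default, since it opens connect and bind to every port.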
@@ -105,7 +78,6 @@ tunable_policy(`icecast_use_any_tcp_ports',`
corenet_sendrecv_all_server_packets(icecast_t)
corenet_tcp_sendrecv_all_ports(icecast_t)
')
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
optional_policy(`
apache_read_sys_content(icecast_t)
diff --git a/ifplugd.te b/ifplugd.te
index 584388c..c4a9fcb 100644
--- a/ifplugd.te
+++ b/ifplugd.te
@@ -48,9 +48,7 @@ corecmd_exec_shell(ifplugd_t)
dev_read_sysfs(ifplugd_t)
-#domain_read_all_domains_state(ifplugd_t)
domain_read_confined_domains_state(ifplugd_t)
-#domain_dontaudit_read_all_domains_state(ifplugd_t)
auth_use_nsswitch(ifplugd_t)
diff --git a/imaze.fc b/imaze.fc
index 566421a..16f104c 100644
--- a/imaze.fc
+++ b/imaze.fc
@@ -1,11 +1,7 @@
/usr/games/imazesrv -- gen_context(system_u:object_r:imazesrv_exec_t,s0)
-<<<<<<< HEAD
-/var/log/imaze\.log.* -- gen_context(system_u:object_r:imazesrv_log_t,s0)
-=======
/usr/share/games/imaze(/.*)? gen_context(system_u:object_r:imazesrv_data_t,s0)
/var/log/imaze\.log.* -- gen_context(system_u:object_r:imazesrv_log_t,s0)
/var/run/imaze\.pid -- gen_context(system_u:object_r:imazesrv_var_run_t,s0)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
diff --git a/imaze.te b/imaze.te
index 4cf99ad..08a489c 100644
--- a/imaze.te
+++ b/imaze.te
@@ -70,12 +70,6 @@ auth_use_nsswitch(imazesrv_t)
logging_send_syslog_msg(imazesrv_t)
-<<<<<<< HEAD
-sysnet_read_config(imazesrv_t)
-=======
-miscfiles_read_localization(imazesrv_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
-
userdom_use_unpriv_users_fds(imazesrv_t)
userdom_dontaudit_search_user_home_dirs(imazesrv_t)
diff --git a/inetd.te b/inetd.te
index cd48162..1d7550f 100644
--- a/inetd.te
+++ b/inetd.te
@@ -62,11 +62,7 @@ kernel_tcp_recvfrom_unlabeled(inetd_t)
corecmd_bin_domtrans(inetd_t, inetd_child_t)
-<<<<<<< HEAD
-# base networking:
-=======
corenet_all_recvfrom_unlabeled(inetd_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
corenet_all_recvfrom_netlabel(inetd_t)
corenet_tcp_sendrecv_generic_if(inetd_t)
corenet_udp_sendrecv_generic_if(inetd_t)
@@ -101,27 +97,22 @@ corenet_udp_bind_ftp_port(inetd_t)
corenet_sendrecv_inetd_child_server_packets(inetd_t)
corenet_tcp_bind_inetd_child_port(inetd_t)
corenet_udp_bind_inetd_child_port(inetd_t)
-<<<<<<< HEAD
+
corenet_tcp_bind_echo_port(inetd_t)
corenet_udp_bind_echo_port(inetd_t)
corenet_tcp_bind_time_port(inetd_t)
corenet_udp_bind_time_port(inetd_t)
-=======
corenet_sendrecv_ircd_server_packets(inetd_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
corenet_tcp_bind_ircd_port(inetd_t)
corenet_sendrecv_ktalkd_server_packets(inetd_t)
corenet_udp_bind_ktalkd_port(inetd_t)
-<<<<<<< HEAD
-=======
corenet_sendrecv_pop_server_packets(inetd_t)
corenet_tcp_bind_pop_port(inetd_t)
corenet_sendrecv_printer_server_packets(inetd_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
corenet_tcp_bind_printer_port(inetd_t)
corenet_sendrecv_rlogind_server_packets(inetd_t)
@@ -134,15 +125,11 @@ corenet_tcp_bind_rsh_port(inetd_t)
corenet_sendrecv_rsync_server_packets(inetd_t)
corenet_tcp_bind_rsync_port(inetd_t)
corenet_udp_bind_rsync_port(inetd_t)
-<<<<<<< HEAD
-#corenet_tcp_bind_stunnel_port(inetd_t)
-=======
corenet_sendrecv_stunnel_server_packets(inetd_t)
corenet_tcp_bind_stunnel_port(inetd_t)
corenet_sendrecv_swat_server_packets(inetd_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
corenet_tcp_bind_swat_port(inetd_t)
corenet_udp_bind_swat_port(inetd_t)
@@ -159,25 +146,6 @@ corenet_sendrecv_git_server_packets(inetd_t)
corenet_tcp_bind_git_port(inetd_t)
corenet_udp_bind_git_port(inetd_t)
-<<<<<<< HEAD
-# service port packets:
-corenet_sendrecv_amanda_server_packets(inetd_t)
-corenet_sendrecv_auth_server_packets(inetd_t)
-corenet_sendrecv_comsat_server_packets(inetd_t)
-corenet_sendrecv_dbskkd_server_packets(inetd_t)
-corenet_sendrecv_ftp_server_packets(inetd_t)
-corenet_sendrecv_inetd_child_server_packets(inetd_t)
-corenet_sendrecv_ircd_server_packets(inetd_t)
-corenet_sendrecv_ktalkd_server_packets(inetd_t)
-corenet_sendrecv_printer_server_packets(inetd_t)
-corenet_sendrecv_rsh_server_packets(inetd_t)
-corenet_sendrecv_rsync_server_packets(inetd_t)
-#corenet_sendrecv_stunnel_server_packets(inetd_t)
-corenet_sendrecv_swat_server_packets(inetd_t)
-corenet_sendrecv_tftp_server_packets(inetd_t)
-
-=======
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
dev_read_sysfs(inetd_t)
domain_use_interactive_fds(inetd_t)
@@ -188,27 +156,12 @@ fs_search_auto_mountpoints(inetd_t)
selinux_validate_context(inetd_t)
selinux_compute_create_context(inetd_t)
-<<<<<<< HEAD
-# Run other daemons in the inetd_child_t domain.
-corecmd_search_bin(inetd_t)
-corecmd_read_bin_symlinks(inetd_t)
-
-domain_use_interactive_fds(inetd_t)
-
-=======
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
files_read_etc_runtime_files(inetd_t)
auth_use_nsswitch(inetd_t)
logging_send_syslog_msg(inetd_t)
-<<<<<<< HEAD
-# xinetd needs MLS override privileges to work
-=======
-miscfiles_read_localization(inetd_t)
-
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
mls_fd_share_all_levels(inetd_t)
mls_socket_read_to_clearance(inetd_t)
mls_socket_write_to_clearance(inetd_t)
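Review bot: The why-comment `# xinetd needs MLS override privileges to work` is removed while the three `mls_*` overrides it explained are kept; MLS bypass rules are exactly the lines a later reviewer will question, so restore the comment directly above `mls_fd_share_all_levels(inetd_t)`. The removal of `miscfiles_read_localization(inetd_t)` matches the other modules in this diff and presumably relies on a base-domain grant, but that is outside this view.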
@@ -240,11 +193,7 @@ optional_policy(`
')
optional_policy(`
-<<<<<<< HEAD
- tftp_read_config(inetd_t)
-=======
tftp_read_config_files(inetd_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
')
optional_policy(`
@@ -274,7 +223,7 @@ files_pid_filetrans(inetd_child_t, inetd_child_var_run_t, file)
kernel_read_kernel_sysctls(inetd_child_t)
kernel_read_network_state(inetd_child_t)
-<<<<<<< HEAD
+kernel_read_system_state(inetd_child_t)
corenet_all_recvfrom_netlabel(inetd_child_t)
corenet_tcp_sendrecv_generic_if(inetd_child_t)
@@ -283,9 +232,6 @@ corenet_tcp_sendrecv_generic_node(inetd_child_t)
corenet_udp_sendrecv_generic_node(inetd_child_t)
corenet_tcp_sendrecv_all_ports(inetd_child_t)
corenet_udp_sendrecv_all_ports(inetd_child_t)
-=======
-kernel_read_system_state(inetd_child_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
dev_read_urand(inetd_child_t)
@@ -297,15 +243,11 @@ auth_use_nsswitch(inetd_child_t)
logging_send_syslog_msg(inetd_child_t)
-<<<<<<< HEAD
sysnet_read_config(inetd_child_t)
optional_policy(`
kerberos_use(inetd_child_t)
')
-=======
-miscfiles_read_localization(inetd_child_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
optional_policy(`
unconfined_domain(inetd_child_t)
diff --git a/inn.if b/inn.if
index c26845f..8e11e4b 100644
--- a/inn.if
+++ b/inn.if
@@ -233,15 +233,13 @@ interface(`inn_admin',`
type innd_initrc_exec_t;
')
-<<<<<<< HEAD
allow $1 innd_t:process signal_perms;
ps_process_pattern($1, innd_t)
+
tunable_policy(`deny_ptrace',`',`
allow $1 innd_t:process ptrace;
')
-=======
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
init_labeled_script_domtrans($1, innd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 innd_initrc_exec_t system_r;
diff --git a/inn.te b/inn.te
index d138c3b..e694d0f 100644
--- a/inn.te
+++ b/inn.te
@@ -44,18 +44,12 @@ allow innd_t self:tcp_socket { accept listen };
read_files_pattern(innd_t, innd_etc_t, innd_etc_t)
read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t)
-<<<<<<< HEAD
can_exec(innd_t, innd_exec_t)
-manage_files_pattern(innd_t, innd_log_t, innd_log_t)
-allow innd_t innd_log_t:dir setattr_dir_perms;
-logging_log_filetrans(innd_t, innd_log_t, file)
-=======
allow innd_t innd_log_t:dir setattr_dir_perms;
append_files_pattern(innd_t, innd_log_t, innd_log_t)
create_files_pattern(innd_t, innd_log_t, innd_log_t)
setattr_files_pattern(innd_t, innd_log_t, innd_log_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
manage_dirs_pattern(innd_t, innd_var_lib_t, innd_var_lib_t)
manage_files_pattern(innd_t, innd_var_lib_t, innd_var_lib_t)
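Review bot: `create_files_pattern(innd_t, innd_log_t, innd_log_t)` only yields innd_log_t-labelled files if a type transition names that type under the log directory, and the HEAD-side `logging_log_filetrans(innd_t, innd_log_t, file)` is removed here with no replacement visible; without it, new log files would take the parent directory's type and the append/create/setattr rules would never apply to them. Re-add `logging_log_filetrans(innd_t, innd_log_t, file)` after the setattr line unless it is granted elsewhere in inn.te. The narrowing from manage_files_pattern to append/create/setattr is otherwise a good change for a log type.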
@@ -105,13 +99,7 @@ auth_use_nsswitch(innd_t)
logging_send_syslog_msg(innd_t)
-<<<<<<< HEAD
-sysnet_read_config(innd_t)
-=======
-miscfiles_read_localization(innd_t)
-
seutil_dontaudit_search_config(innd_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
userdom_dontaudit_use_unpriv_user_fds(innd_t)
userdom_dontaudit_search_user_home_dirs(innd_t)
diff --git a/irc.fc b/irc.fc
index 323798a..48e7739 100644
--- a/irc.fc
+++ b/irc.fc
@@ -1,22 +1,10 @@
HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
-<<<<<<< HEAD
-HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irssi_home_t,s0)
-HOME_DIR/irclogs(/.*)? gen_context(system_u:object_r:irssi_home_t,s0)
-
-/etc/irssi\.conf -- gen_context(system_u:object_r:irssi_etc_t,s0)
-=======
HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irc_home_t,s0)
HOME_DIR/irclogs(/.*)? gen_context(system_u:object_r:irc_log_home_t,s0)
/etc/irssi\.conf -- gen_context(system_u:object_r:irc_conf_t,s0)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0)
-<<<<<<< HEAD
-/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0)
-/usr/bin/irssi -- gen_context(system_u:object_r:irssi_exec_t,s0)
-=======
/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0)
/usr/bin/irssi -- gen_context(system_u:object_r:irc_exec_t,s0)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0)
diff --git a/irc.if b/irc.if
index d744b56..02053af 100644
--- a/irc.if
+++ b/irc.if
@@ -17,14 +17,6 @@
#
interface(`irc_role',`
gen_require(`
-<<<<<<< HEAD
- type irc_t, irc_exec_t;
- type irssi_t, irssi_exec_t, irssi_home_t;
- ')
-
- role $1 types irc_t;
- role $1 types irssi_t;
-=======
attribute_role irc_roles;
type irc_t, irc_exec_t, irc_home_t;
type irc_tmp_t, irc_log_home_t;
@@ -41,26 +33,20 @@ interface(`irc_role',`
#
# Policy
#
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
domtrans_pattern($2, irc_exec_t, irc_t)
+ allow $2 irc_t:process signal_perms;
ps_process_pattern($2, irc_t)
-<<<<<<< HEAD
- allow $2 irc_t:process signal;
domtrans_pattern($2, irssi_exec_t, irssi_t)
allow $2 irssi_t:process signal_perms;
ps_process_pattern($2, irssi_t)
- manage_dirs_pattern($2, irssi_home_t, irssi_home_t)
- manage_files_pattern($2, irssi_home_t, irssi_home_t)
- manage_lnk_files_pattern($2, irssi_home_t, irssi_home_t)
-
- relabel_dirs_pattern($2, irssi_home_t, irssi_home_t)
- relabel_files_pattern($2, irssi_home_t, irssi_home_t)
- relabel_lnk_files_pattern($2, irssi_home_t, irssi_home_t)
+ allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
irc_filetrans_home_content($2)
')
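Review bot: `domtrans_pattern($2, irssi_exec_t, irssi_t)` and the two irssi_t lines after it survive the merge, but irc.fc in this same diff now labels /usr/bin/irssi as irc_exec_t, so the irssi_t transition can no longer be reached from any labelled binary, and the HEAD-side `type irssi_t, irssi_exec_t, irssi_home_t;` require is removed while the remaining gen_require (partly outside this hunk) is not seen to list them. Either drop the three irssi lines and let irssi run as irc_t, or keep an irssi_exec_t entry in irc.fc; if the types are not required, the interface will fail to expand. The new `allow $2 irc_t:process signal_perms;` deliberately omits the ptrace upstream granted, which is worth a one-line comment if intentional.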
@@ -79,18 +65,7 @@ interface(`irc_filetrans_home_content',`
gen_require(`
type irc_home_t;
')
-
- userdom_user_home_dir_filetrans($1, irc_home_t, file, ".ircmotd")
- userdom_user_home_dir_filetrans($1, irc_home_t, dir, ".irssi")
- userdom_user_home_dir_filetrans($1, irc_home_t, dir, "irclogs")
-=======
- allow $2 irc_t:process { ptrace signal_perms };
-
- allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:file { manage_file_perms relabel_file_perms };
- allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
userdom_user_home_dir_filetrans($2, irc_home_t, dir, ".irssi")
userdom_user_home_dir_filetrans($2, irc_home_t, file, ".ircmotd")
userdom_user_home_dir_filetrans($2, irc_log_home_t, dir, "irclogs")
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
')
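Review bot: The merged body of `irc_filetrans_home_content` keeps the upstream lines that reference `$2`, but this interface takes a single argument (it is called as `irc_filetrans_home_content($2)` in the previous hunk and `irc_filetrans_home_content(irc_t)` in irc.te), so `$2` expands to nothing and the three filetrans rules are malformed; it also uses irc_log_home_t, which its gen_require does not list. Rewrite the body with `$1` and require both types, which is what the removed HEAD-side lines did apart from the log type.

```selinux
interface(`irc_filetrans_home_content',`
	gen_require(`
		type irc_home_t, irc_log_home_t;
	')

	userdom_user_home_dir_filetrans($1, irc_home_t, file, ".ircmotd")
	userdom_user_home_dir_filetrans($1, irc_home_t, dir, ".irssi")
	userdom_user_home_dir_filetrans($1, irc_log_home_t, dir, "irclogs")
')
```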
diff --git a/irc.te b/irc.te
index 3673af5..85ad4d2 100644
--- a/irc.te
+++ b/irc.te
@@ -77,18 +77,10 @@ allow irc_t irc_conf_t:file read_file_perms;
manage_dirs_pattern(irc_t, irc_home_t, irc_home_t)
manage_files_pattern(irc_t, irc_home_t, irc_home_t)
manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t)
-<<<<<<< HEAD
irc_filetrans_home_content(irc_t)
-=======
userdom_user_home_dir_filetrans(irc_t, irc_home_t, dir, ".irssi")
userdom_user_home_dir_filetrans(irc_t, irc_home_t, file, ".ircmotd")
-manage_dirs_pattern(irc_t, irc_log_home_t, irc_log_home_t)
-create_files_pattern(irc_t, irc_log_home_t, irc_log_home_t)
-append_files_pattern(irc_t, irc_log_home_t, irc_log_home_t)
-userdom_user_home_dir_filetrans(irc_t, irc_log_home_t, dir, "irclogs")
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
-
manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
manage_lnk_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
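Review bot: This hunk removes every irc_t rule on irc_log_home_t (the manage-dirs, create, append and the irclogs filetrans) and nothing in the merged hunk replaces them, yet irc.fc in this diff labels HOME_DIR/irclogs as irc_log_home_t and irc_role gives users manage rights on it; unless irc_t is granted access elsewhere in irc.te, the client can no longer write its own logs. The two explicit `.irssi`/`.ircmotd` filetrans lines kept here also appear to duplicate what `irc_filetrans_home_content(irc_t)` on the line above exists to provide. Restore the log rules after the `.ircmotd` filetrans.

```selinux
manage_dirs_pattern(irc_t, irc_log_home_t, irc_log_home_t)
create_files_pattern(irc_t, irc_log_home_t, irc_log_home_t)
append_files_pattern(irc_t, irc_log_home_t, irc_log_home_t)
userdom_user_home_dir_filetrans(irc_t, irc_log_home_t, dir, "irclogs")
```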
@@ -140,10 +132,9 @@ userdom_manage_user_home_content_dirs(irc_t)
userdom_manage_user_home_content_files(irc_t)
userdom_user_home_dir_filetrans_user_home_content(irc_t, { dir file })
-<<<<<<< HEAD
# Write to the user domain tty.
userdom_use_inherited_user_terminals(irc_t)
-=======
+
tunable_policy(`irc_use_any_tcp_ports',`
corenet_sendrecv_all_server_packets(irc_t)
corenet_tcp_bind_all_unreserved_ports(irc_t)
@@ -151,7 +142,6 @@ tunable_policy(`irc_use_any_tcp_ports',`
corenet_tcp_connect_all_unreserved_ports(irc_t)
corenet_tcp_sendrecv_all_ports(irc_t)
')
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
userdom_home_manager(irc_t)
@@ -220,9 +210,5 @@ tunable_policy(`irssi_use_full_network', `
userdom_home_manager(irssi_t)
optional_policy(`
-<<<<<<< HEAD
- automount_dontaudit_getattr_tmp_dirs(irssi_t)
-=======
seutil_use_newrole_fds(irc_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
')
diff --git a/ircd.te b/ircd.te
index 0f5a2cd..40e440c 100644
--- a/ircd.te
+++ b/ircd.te
@@ -74,12 +74,6 @@ auth_use_nsswitch(ircd_t)
logging_send_syslog_msg(ircd_t)
-<<<<<<< HEAD
-sysnet_read_config(ircd_t)
-=======
-miscfiles_read_localization(ircd_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
-
userdom_dontaudit_use_unpriv_user_fds(ircd_t)
userdom_dontaudit_search_user_home_dirs(ircd_t)
diff --git a/irqbalance.te b/irqbalance.te
index 0c60fb7..947efe0 100644
--- a/irqbalance.te
+++ b/irqbalance.te
@@ -41,7 +41,6 @@ kernel_rw_irq_sysctls(irqbalance_t)
dev_read_sysfs(irqbalance_t)
-files_read_etc_files(irqbalance_t)
files_read_etc_runtime_files(irqbalance_t)
fs_getattr_all_fs(irqbalance_t)
diff --git a/iscsi.fc b/iscsi.fc
index bead1da..08b7560 100644
--- a/iscsi.fc
+++ b/iscsi.fc
@@ -2,23 +2,6 @@
/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
-<<<<<<< HEAD
-/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
-
-/var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0)
-
-/var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0)
-
-/var/log/brcm-iscsi\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0)
-/var/log/iscsiuio\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0)
-
-/var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
-/var/run/iscsiuio\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
-
-/usr/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
-/usr/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
-/usr/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
-=======
/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/usr/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
@@ -34,4 +17,3 @@
/var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
/var/run/iscsiuio\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
diff --git a/iscsi.te b/iscsi.te
index 8c581ad..3dba77f 100644
--- a/iscsi.te
+++ b/iscsi.te
@@ -81,28 +81,20 @@ corenet_tcp_sendrecv_iscsi_port(iscsid_t)
corenet_sendrecv_isns_client_packets(iscsid_t)
corenet_tcp_connect_isns_port(iscsid_t)
-<<<<<<< HEAD
-corenet_tcp_connect_winshadow_port(iscsid_t)
-=======
corenet_tcp_sendrecv_isns_port(iscsid_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
+
+corenet_sendrecv_winshadow_client_packets(iscsid_t)
+corenet_tcp_connect_winshadow_port(iscsid_t)
+corenet_tcp_sendrecv_winshadow_port(iscsid_t)
dev_read_raw_memory(iscsid_t)
dev_rw_sysfs(iscsid_t)
dev_rw_userio_dev(iscsid_t)
-<<<<<<< HEAD
-dev_read_raw_memory(iscsid_t)
-=======
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
dev_write_raw_memory(iscsid_t)
domain_use_interactive_fds(iscsid_t)
domain_dontaudit_read_all_domains_state(iscsid_t)
-<<<<<<< HEAD
-
-=======
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
auth_use_nsswitch(iscsid_t)
init_stream_connect_script(iscsid_t)
diff --git a/isns.te b/isns.te
index bc11034..e393434 100644
--- a/isns.te
+++ b/isns.te
@@ -46,8 +46,6 @@ corenet_tcp_bind_generic_node(isnsd_t)
corenet_sendrecv_isns_server_packets(isnsd_t)
corenet_tcp_bind_isns_port(isnsd_t)
-files_read_etc_files(isnsd_t)
-
logging_send_syslog_msg(isnsd_t)
miscfiles_read_localization(isnsd_t)
diff --git a/isnsd.fc b/isnsd.fc
deleted file mode 100644
index 3e29080..0000000
--- a/isnsd.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-/etc/rc\.d/init\.d/isnsd -- gen_context(system_u:object_r:isnsd_initrc_exec_t,s0)
-
-/usr/sbin/isnsd -- gen_context(system_u:object_r:isnsd_exec_t,s0)
-
-/var/lib/isns(/.*)? gen_context(system_u:object_r:isnsd_var_lib_t,s0)
-
-/var/run/isnsd\.pid -- gen_context(system_u:object_r:isnsd_var_run_t,s0)
-/var/run/isnsctl -s gen_context(system_u:object_r:isnsd_var_run_t,s0)
diff --git a/isnsd.if b/isnsd.if
deleted file mode 100644
index 1b3514a..0000000
--- a/isnsd.if
+++ /dev/null
@@ -1,181 +0,0 @@
-
-## policy for isnsd
-
-
-########################################
-##
-## Transition to isnsd.
-##
-##
-##
-## Domain allowed to transition.
-##
-##
-#
-interface(`isnsd_domtrans',`
- gen_require(`
- type isnsd_t, isnsd_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, isnsd_exec_t, isnsd_t)
-')
-
-
-########################################
-##
-## Execute isnsd server in the isnsd domain.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`isnsd_initrc_domtrans',`
- gen_require(`
- type isnsd_initrc_exec_t;
- ')
-
- init_labeled_script_domtrans($1, isnsd_initrc_exec_t)
-')
-
-
-########################################
-##
-## Search isnsd lib directories.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`isnsd_search_lib',`
- gen_require(`
- type isnsd_var_lib_t;
- ')
-
- allow $1 isnsd_var_lib_t:dir search_dir_perms;
- files_search_var_lib($1)
-')
-
-########################################
-##
-## Read isnsd lib files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`isnsd_read_lib_files',`
- gen_require(`
- type isnsd_var_lib_t;
- ')
-
- files_search_var_lib($1)
- read_files_pattern($1, isnsd_var_lib_t, isnsd_var_lib_t)
-')
-
-########################################
-##
-## Manage isnsd lib files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`isnsd_manage_lib_files',`
- gen_require(`
- type isnsd_var_lib_t;
- ')
-
- files_search_var_lib($1)
- manage_files_pattern($1, isnsd_var_lib_t, isnsd_var_lib_t)
-')
-
-########################################
-##
-## Manage isnsd lib directories.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`isnsd_manage_lib_dirs',`
- gen_require(`
- type isnsd_var_lib_t;
- ')
-
- files_search_var_lib($1)
- manage_dirs_pattern($1, isnsd_var_lib_t, isnsd_var_lib_t)
-')
-
-
-########################################
-##
-## Read isnsd PID files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`isnsd_read_pid_files',`
- gen_require(`
- type isnsd_var_run_t;
- ')
-
- files_search_pids($1)
- allow $1 isnsd_var_run_t:file read_file_perms;
-')
-
-
-########################################
-##
-## All of the rules required to administrate
-## an isnsd environment
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## Role allowed access.
-##
-##
-##
-#
-interface(`isnsd_admin',`
- gen_require(`
- type isnsd_t;
- type isnsd_initrc_exec_t;
- type isnsd_var_lib_t;
- type isnsd_var_run_t;
- ')
-
- allow $1 isnsd_t:process { ptrace signal_perms };
- ps_process_pattern($1, isnsd_t)
-
- isnsd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 isnsd_initrc_exec_t system_r;
- allow $2 system_r;
-
- files_search_var_lib($1)
- admin_pattern($1, isnsd_var_lib_t)
-
- files_search_pids($1)
- admin_pattern($1, isnsd_var_run_t)
-
-')
-
diff --git a/isnsd.te b/isnsd.te
deleted file mode 100644
index 951fbae..0000000
--- a/isnsd.te
+++ /dev/null
@@ -1,52 +0,0 @@
-policy_module(isnsd, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type isnsd_t;
-type isnsd_exec_t;
-init_daemon_domain(isnsd_t, isnsd_exec_t)
-
-type isnsd_initrc_exec_t;
-init_script_file(isnsd_initrc_exec_t)
-
-type isnsd_var_lib_t;
-files_type(isnsd_var_lib_t)
-
-type isnsd_var_run_t;
-files_pid_file(isnsd_var_run_t)
-
-########################################
-#
-# isnsd local policy
-#
-
-allow isnsd_t self:capability { kill };
-allow isnsd_t self:process { signal };
-
-allow isnsd_t self:fifo_file rw_fifo_file_perms;
-allow isnsd_t self:tcp_socket { listen };
-allow isnsd_t self:udp_socket { listen };
-allow isnsd_t self:unix_stream_socket create_stream_socket_perms;
-
-manage_dirs_pattern(isnsd_t, isnsd_var_lib_t, isnsd_var_lib_t)
-manage_files_pattern(isnsd_t, isnsd_var_lib_t, isnsd_var_lib_t)
-files_var_lib_filetrans(isnsd_t, isnsd_var_lib_t, { dir file })
-
-manage_dirs_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t)
-manage_sock_files_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t)
-manage_files_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t)
-files_pid_filetrans(isnsd_t, isnsd_var_run_t, { dir file sock_file })
-
-corenet_tcp_bind_generic_node(isnsd_t)
-corenet_tcp_bind_isns_port(isnsd_t)
-
-domain_use_interactive_fds(isnsd_t)
-
-files_read_etc_files(isnsd_t)
-
-logging_send_syslog_msg(isnsd_t)
-
-sysnet_dns_name_resolve(isnsd_t)
diff --git a/jabber.fc b/jabber.fc
index d20981c..bd02cc8 100644
--- a/jabber.fc
+++ b/jabber.fc
@@ -1,4 +1,3 @@
-<<<<<<< HEAD
/etc/rc\.d/init\.d/jabberd -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0)
/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
@@ -17,30 +16,3 @@
/var/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0)
/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_spool_t,s0)
-=======
-/etc/rc\.d/init\.d/((jabber)|(ejabberd)|(jabberd)) -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0)
-
-/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
-/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
-/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
-/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0)
-
-/usr/sbin/ejabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
-/usr/sbin/ejabberdctl -- gen_context(system_u:object_r:jabberd_exec_t,s0)
-/usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
-
-/var/lock/ejabberdctl(/.*) gen_context(system_u:object_r:jabberd_lock_t,s0)
-
-/var/log/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
-/var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
-
-/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
-/var/lib/ejabberd/spool(/.*)? gen_context(system_u:object_r:jabberd_spool_t,s0)
-/var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
-/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
-/var/lib/jabberd/log(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
-/var/lib/jabberd/pid(/.*)? gen_context(system_u:object_r:jabberd_var_run_t,s0)
-
-/var/run/ejabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
-/var/run/jabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
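Review bot: The executables on the dropped side — `/usr/sbin/jabberd`, `/usr/sbin/ejabberd`, `/usr/bin/s2s`, `/usr/bin/sm` — have no file context in the kept version of this hunk, so unless lines 5–15 of the file (not shown here) label them, they keep the default type and init starts them without a domain transition into jabberd_t, i.e. the daemon runs unconfined. The kept init-script pattern `/etc/rc\.d/init\.d/jabberd` also no longer matches ejabberd; if ejabberd is meant to be supported, keep the alternation `/etc/rc\.d/init\.d/((jabber)|(ejabberd)|(jabberd))` from the dropped side, and the `/var/log/jabber(/.*)?` and `/var/run/jabber\.pid` entries with it. Whichever set is intended, a one-line comment at the top of the file naming the server implementations covered (`# jabberd2 components; ejabberd not labeled`) would make the next merge less error-prone.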
diff --git a/jabber.if b/jabber.if
index 0d3a5e8..01673a4 100644
--- a/jabber.if
+++ b/jabber.if
@@ -1,44 +1,4 @@
-## Jabber instant messaging servers.
-
-#######################################
-##
-## The template to define a jabber domain.
-##
-##
-##
-## Domain prefix to be used.
-##
-##
-#
-template(`jabber_domain_template',`
- gen_require(`
- attribute jabberd_domain;
- ')
-
- type $1_t, jabberd_domain;
- type $1_exec_t;
- init_daemon_domain($1_t, $1_exec_t)
-')
-
-########################################
-##
-## Create, read, write, and delete
-## jabber lib files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`jabber_manage_lib_files',`
- gen_require(`
- type jabberd_var_lib_t;
- ')
-
- files_search_var_lib($1)
- manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
-')
+## Jabber instant messaging server
#####################################
##
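Review bot: jabber.te still invokes `jabber_domain_template(jabberd)`, `jabber_domain_template(jabberd_router)` and `jabber_domain_template(pyicqt)` (they survive as context in the jabber.te hunk at old line 13), but this hunk deletes the template's definition from jabber.if; unless the template is re-declared further down this file, the module will not build. Either keep the `template(jabber_domain_template)` block through its closing `')`, or replace the three calls with explicit `type`/`init_daemon_domain` declarations in jabber.te. The removed `jabber_manage_lib_files` interface should also be checked for callers in other modules before it goes; the hunk header shows a `jabberd_manage_lib_files` variant exists, which may be the intended replacement but that is not visible here.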
@@ -167,8 +127,8 @@ interface(`jabberd_manage_lib_files',`
########################################
##
-## All of the rules required to
-## administrate an jabber environment.
+## All of the rules required to administrate
+## an jabber environment
##
##
##
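Review bot: The reworded summary reads `## an jabber environment`; the article should be `a`, and the sentence is better left with its terminating period. The two lines would be `## All of the rules required to administrate` / `## a jabber environment.`. Documentation only, no policy effect.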
@@ -177,14 +137,13 @@ interface(`jabberd_manage_lib_files',`
##
##
##
-## Role allowed access.
+## The role to be allowed to manage the jabber domain.
##
##
##
#
interface(`jabber_admin',`
gen_require(`
-<<<<<<< HEAD
type jabberd_t, jabberd_var_lib_t;
type jabberd_initrc_exec_t, jabberd_router_t;
')
@@ -198,38 +157,12 @@ interface(`jabber_admin',`
allow $1 jabberd_router_t:process signal_perms;
ps_process_pattern($1, jabberd_router_t)
-=======
- attribute jabberd_domain;
- type jabberd_lock_t, jabberd_log_t, jabberd_spool_t;
- type jabberd_var_lib_t, jabberd_var_run_t, jabberd_initrc_exec_t;
- ')
-
- allow $1 jabberd_domain:process { ptrace signal_perms };
- ps_process_pattern($1, jabberd_domain)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 jabberd_initrc_exec_t system_r;
allow $2 system_r;
-<<<<<<< HEAD
files_list_var_lib($1)
admin_pattern($1, jabberd_var_lib_t)
-=======
- files_search_locks($1))
- admin_pattern($1, jabberd_lock_t)
-
- logging_search_logs($1)
- admin_pattern($1, jabberd_log_t)
-
- files_search_spool($1)
- admin_pattern($1, jabberd_spool_t)
-
- files_search_var_lib($1)
- admin_pattern($1, jabberd_var_lib_t)
-
- files_search_pids($1)
- admin_pattern($1, jabberd_var_run_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
')
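Review bot: After this resolution `jabber_admin` administers only `jabberd_var_lib_t`; the dropped side also covered lock, log, spool and pid types, and while the first three are removed from jabber.te in this same commit, pid types appear to survive there (the jabber.te hunk at old line 49 shows `files_pid_file(pyicqt_var_run_t)` as context). If a `jabberd_var_run_t` or `pyicqt_var_run_t` exists on the kept side, an admin role cannot clean up stale pid files; the fix is `files_search_pids($1)` plus `admin_pattern($1, jabberd_var_run_t)` with the matching `type` added to the `gen_require` block (the interface's header is outside this hunk). Keeping HEAD is otherwise the right call: the dropped block had an unbalanced `files_search_locks($1))` that would not have compiled, and dropping `ptrace` from the admin's process permissions in favour of `signal_perms` alone is a sound narrowing.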
diff --git a/jabber.te b/jabber.te
index 9d48190..c1ce1b7 100644
--- a/jabber.te
+++ b/jabber.te
@@ -1,8 +1,4 @@
-<<<<<<< HEAD
policy_module(jabber, 1.8.0)
-=======
-policy_module(jabber, 1.9.1)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
########################################
#
@@ -13,27 +9,12 @@ attribute jabberd_domain;
jabber_domain_template(jabberd)
jabber_domain_template(jabberd_router)
-<<<<<<< HEAD
jabber_domain_template(pyicqt)
-=======
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
type jabberd_initrc_exec_t;
init_script_file(jabberd_initrc_exec_t)
-<<<<<<< HEAD
# type which includes log/pid files pro jabberd components
-=======
-type jabberd_lock_t;
-files_lock_file(jabberd_lock_t)
-
-type jabberd_log_t;
-logging_log_file(jabberd_log_t)
-
-type jabberd_spool_t;
-files_type(jabberd_spool_t)
-
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
type jabberd_var_lib_t;
files_type(jabberd_var_lib_t)
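Review bot: The retained comment `# type which includes log/pid files pro jabberd components` is garbled ("pro" appears to be a stray non-English preposition) and the comment-only resolution leaves a bare header with no blank line before the `type` declaration. Suggested wording, keeping the author's claim: `# Type covering the log/pid files of the jabberd components`. Since the dedicated `jabberd_log_t` and `jabberd_lock_t` types are dropped in this hunk, it is worth confirming the claim actually holds for `jabberd_var_lib_t` on the kept side before the comment is relied on.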
@@ -49,7 +30,6 @@ files_pid_file(pyicqt_var_run_t)
######################################
#
-<<<<<<< HEAD
# Local policy for jabberd-router and c2s components
#
@@ -67,76 +47,6 @@ corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
corenet_sendrecv_jabber_client_server_packets(jabberd_router_t)
fs_getattr_all_fs(jabberd_router_t)
-=======
-# Common local policy
-#
-
-allow jabberd_domain self:process signal_perms;
-allow jabberd_domain self:fifo_file rw_fifo_file_perms;
-allow jabberd_domain self:tcp_socket { accept listen };
-
-manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)
-
-kernel_read_system_state(jabberd_domain)
-
-corenet_all_recvfrom_unlabeled(jabberd_domain)
-corenet_all_recvfrom_netlabel(jabberd_domain)
-corenet_tcp_sendrecv_generic_if(jabberd_domain)
-corenet_tcp_sendrecv_generic_node(jabberd_domain)
-corenet_tcp_bind_generic_node(jabberd_domain)
-
-dev_read_urand(jabberd_domain)
-dev_read_sysfs(jabberd_domain)
-
-fs_getattr_all_fs(jabberd_domain)
-
-logging_send_syslog_msg(jabberd_domain)
-
-miscfiles_read_localization(jabberd_domain)
-
-optional_policy(`
- nis_use_ypbind(jabberd_domain)
-')
-
-optional_policy(`
- seutil_sigchld_newrole(jabberd_domain)
-')
-
-########################################
-#
-# Local policy
-#
-
-allow jabberd_t self:capability dac_override;
-dontaudit jabberd_t self:capability sys_tty_config;
-allow jabberd_t self:tcp_socket create_socket_perms;
-allow jabberd_t self:udp_socket create_socket_perms;
-
-manage_files_pattern(jabberd_t, jabberd_lock_t, jabberd_lock_t)
-
-allow jabberd_t jabberd_log_t:dir setattr_dir_perms;
-append_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
-create_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
-setattr_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
-logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir })
-
-manage_files_pattern(jabberd_domain, jabberd_spool_t, jabberd_spool_t)
-
-manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
-files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
-
-kernel_read_kernel_sysctls(jabberd_t)
-
-corenet_sendrecv_jabber_client_server_packets(jabberd_t)
-corenet_tcp_bind_jabber_client_port(jabberd_t)
-corenet_tcp_sendrecv_jabber_client_port(jabberd_t)
-
-corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
-corenet_tcp_bind_jabber_interserver_port(jabberd_t)
-corenet_tcp_sendrecv_jabber_interserver_port(jabberd_t)
-
-dev_read_rand(jabberd_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
miscfiles_read_generic_certs(jabberd_router_t)
@@ -144,7 +54,6 @@ optional_policy(`
kerberos_use(jabberd_router_t)
')
-<<<<<<< HEAD
optional_policy(`
nis_use_ypbind(jabberd_router_t)
')
@@ -159,17 +68,11 @@ manage_dirs_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
corenet_tcp_bind_jabber_interserver_port(jabberd_t)
corenet_tcp_connect_jabber_router_port(jabberd_t)
-=======
-fs_search_auto_mountpoints(jabberd_t)
-
-sysnet_read_config(jabberd_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
userdom_dontaudit_search_user_home_dirs(jabberd_t)
optional_policy(`
-<<<<<<< HEAD
seutil_sigchld_newrole(jabberd_t)
')
@@ -241,28 +144,3 @@ files_read_etc_files(jabberd_domain)
files_read_etc_runtime_files(jabberd_domain)
sysnet_read_config(jabberd_domain)
-=======
- udev_read_db(jabberd_t)
-')
-
-########################################
-#
-# Router local policy
-#
-
-manage_dirs_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)
-
-kernel_read_network_state(jabberd_router_t)
-
-corenet_sendrecv_jabber_client_server_packets(jabberd_router_t)
-corenet_tcp_bind_jabber_client_port(jabberd_router_t)
-corenet_tcp_sendrecv_jabber_client_port(jabberd_router_t)
-
-# corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
-# corenet_tcp_bind_jabber_router_port(jabberd_router_t)
-# corenet_sendrecv_jabber_router_client_packets(jabberd_router_t)
-# corenet_tcp_connect_jabber_router_port(jabberd_router_t)
-# corenet_tcp_sendrecv_jabber_router_port(jabberd_router_t)
-
-auth_use_nsswitch(jabberd_router_t)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
diff --git a/java.fc b/java.fc
index aeb710a..e3be797 100644
--- a/java.fc
+++ b/java.fc
@@ -26,9 +26,6 @@ HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:java_home_t,s0)
/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0)
-<<<<<<< HEAD
-=======
/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
diff --git a/java.te b/java.te
index 240d9ec..b3fcfbb 100644
--- a/java.te
+++ b/java.te
@@ -11,7 +11,7 @@ policy_module(java, 2.6.3)
## its stack executable.
##
##
-gen_tunable(java_execstack, false)
+gen_tunable(allow_java_execstack, false)
attribute java_domain;
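Review bot: Renaming the boolean from `java_execstack` to `allow_java_execstack` changes a user-visible interface: a value persisted with `setsebool -P java_execstack` stops applying once the module is reloaded, and every `tunable_policy` block must use the new name. The only `tunable_policy` block for this boolean visible in the diff is the HEAD-side one deleted in the hunk at old line 49, and no block referencing `allow_java_execstack` is in view; if none exists further down java.te, the boolean is declared but never consulted and `execstack` can never be granted. A sentence in the commit message noting the rename, and a line in the description above such as `## Formerly java_execstack.`, would help anyone upgrading.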
@@ -49,86 +49,12 @@ role unconfined_java_roles types unconfined_java_t;
# Common local policy
#
-<<<<<<< HEAD
-allow java_t self:process { signal_perms getsched setsched execmem };
-allow java_t self:fifo_file rw_fifo_file_perms;
-allow java_t self:tcp_socket create_socket_perms;
-allow java_t self:udp_socket create_socket_perms;
-
-manage_dirs_pattern(java_t, java_tmp_t, java_tmp_t)
-manage_files_pattern(java_t, java_tmp_t, java_tmp_t)
-files_tmp_filetrans(java_t, java_tmp_t, { file dir })
-
-manage_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
-manage_lnk_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
-manage_fifo_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
-manage_sock_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
-fs_tmpfs_filetrans(java_t, java_tmpfs_t, { file lnk_file sock_file fifo_file })
-
-can_exec(java_t, java_exec_t)
-
-kernel_read_all_sysctls(java_t)
-kernel_search_vm_sysctl(java_t)
-kernel_read_network_state(java_t)
-kernel_read_system_state(java_t)
-
-# Search bin directory under java for java executable
-corecmd_search_bin(java_t)
-
-corenet_all_recvfrom_netlabel(java_t)
-corenet_tcp_sendrecv_generic_if(java_t)
-corenet_udp_sendrecv_generic_if(java_t)
-corenet_tcp_sendrecv_generic_node(java_t)
-corenet_udp_sendrecv_generic_node(java_t)
-corenet_tcp_sendrecv_all_ports(java_t)
-corenet_udp_sendrecv_all_ports(java_t)
-corenet_tcp_connect_all_ports(java_t)
-corenet_sendrecv_all_client_packets(java_t)
-
-dev_read_sound(java_t)
-dev_write_sound(java_t)
-dev_read_urand(java_t)
-dev_read_rand(java_t)
-dev_dontaudit_append_rand(java_t)
-
-files_read_usr_files(java_t)
-files_search_home(java_t)
-files_search_var_lib(java_t)
-files_read_etc_runtime_files(java_t)
-# Read global fonts and font config
-files_read_etc_files(java_t)
-
-fs_getattr_xattr_fs(java_t)
-fs_dontaudit_rw_tmpfs_files(java_t)
-
-logging_send_syslog_msg(java_t)
-
-# Read global fonts and font config
-miscfiles_read_fonts(java_t)
-
-sysnet_read_config(java_t)
-
-userdom_dontaudit_use_user_terminals(java_t)
-userdom_dontaudit_setattr_user_home_content_files(java_t)
-userdom_dontaudit_exec_user_home_content_files(java_t)
-userdom_manage_user_home_content_dirs(java_t)
-userdom_manage_user_home_content_files(java_t)
-userdom_manage_user_home_content_symlinks(java_t)
-userdom_manage_user_home_content_pipes(java_t)
-userdom_manage_user_home_content_sockets(java_t)
-userdom_user_home_dir_filetrans_user_home_content(java_t, { file lnk_file sock_file fifo_file })
-userdom_write_user_tmp_sockets(java_t)
-
-tunable_policy(`java_execstack',`
- allow java_t self:process execstack;
-=======
allow java_domain self:process { signal_perms getsched setsched };
allow java_domain self:fifo_file rw_fifo_file_perms;
manage_dirs_pattern(java_domain, java_home_t, java_home_t)
manage_files_pattern(java_domain, java_home_t, java_home_t)
userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".java")
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
manage_dirs_pattern(java_domain, java_tmp_t, java_tmp_t)
manage_files_pattern(java_domain, java_tmp_t, java_tmp_t)
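Review bot: The kept `allow java_domain self:process { signal_perms getsched setsched }` omits `execmem`, which the dropped HEAD side granted to `java_t`; a JIT-enabled JVM maps anonymous memory writable and executable and is denied without it, so confirm the part of java.te not in view grants `execmem` somewhere, or add it here with a why-comment such as `# JIT compiler maps anonymous memory RWX`. The dropped side also carried the `corenet_*`, random-device, font and user-home rules for `java_t`; if the kept side grants them to `java_domain` and `java_t` carries that attribute nothing is lost, but that relationship is outside this hunk. The narrower process permission set is otherwise a least-privilege improvement, provided the remaining denials are checked against audit logs rather than silently widened later.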
diff --git a/jockey.fc b/jockey.fc
index 013d823..d57dad4 100644
--- a/jockey.fc
+++ b/jockey.fc
@@ -1,14 +1,6 @@
-<<<<<<< HEAD
-/usr/share/jockey/jockey-backend -- gen_context(system_u:object_r:jockey_exec_t,s0)
-
-/var/cache/jockey(/.*)? gen_context(system_u:object_r:jockey_cache_t,s0)
-
-/var/log/jockey(/.*)? gen_context(system_u:object_r:jockey_var_log_t,s0)
-=======
/usr/share/jockey/jockey-backend -- gen_context(system_u:object_r:jockey_exec_t,s0)
/var/cache/jockey(/.*)? gen_context(system_u:object_r:jockey_cache_t,s0)
/var/log/jockey(/.*)? gen_context(system_u:object_r:jockey_var_log_t,s0)
->>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
/var/log/jockey\.log.* -- gen_context(system_u:object_r:jockey_var_log_t,s0)
diff --git a/jockey.if b/jockey.if
index ec81f0a..c6ba007 100644
--- a/jockey.if
+++ b/jockey.if
@@ -1,4 +1,3 @@
-<<<<<<< HEAD
##