remove raw network, make mta optional, and a little cleanup.
parent
e586ecc752
commit
cc0c00d044
|
@ -165,10 +165,8 @@ template(`base_user_template',`
|
|||
|
||||
corenet_non_ipsec_sendrecv($1_t)
|
||||
corenet_tcp_sendrecv_all_if($1_t)
|
||||
corenet_raw_sendrecv_all_if($1_t)
|
||||
corenet_udp_sendrecv_all_if($1_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_t)
|
||||
corenet_raw_sendrecv_all_nodes($1_t)
|
||||
corenet_udp_sendrecv_all_nodes($1_t)
|
||||
corenet_tcp_sendrecv_all_ports($1_t)
|
||||
corenet_udp_sendrecv_all_ports($1_t)
|
||||
|
@ -256,8 +254,6 @@ template(`base_user_template',`
|
|||
seutil_read_default_contexts($1_t)
|
||||
seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
|
||||
|
||||
mta_rw_spool($1_t)
|
||||
|
||||
tunable_policy(`allow_execmem',`
|
||||
# Allow loading DSOs that require executable stack.
|
||||
allow $1_t self:process execmem;
|
||||
|
@ -384,6 +380,10 @@ template(`base_user_template',`
|
|||
jabber_tcp_connect($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
mta_rw_spool($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind($1_t)
|
||||
')
|
||||
|
@ -643,7 +643,7 @@ template(`unpriv_user_template', `
|
|||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
ifdef(`enable_mls',`',`
|
||||
ifndef(`enable_mls',`
|
||||
fs_exec_noxattr($1_t)
|
||||
|
||||
tunable_policy(`user_rw_noexattrfile',`
|
||||
|
@ -654,8 +654,8 @@ template(`unpriv_user_template', `
|
|||
# cjp: what does this have to do with removable devices?
|
||||
allow $1_t usbtty_device_t:chr_file write;
|
||||
',`
|
||||
fs_read_noxattr_files($1_t)
|
||||
r_dir_file($1_t, noexattrfile)
|
||||
r_dir_file($1_t, removable_t)
|
||||
allow $1_t removable_device_t:blk_file r_file_perms;
|
||||
')
|
||||
')
|
||||
|
@ -703,14 +703,6 @@ template(`unpriv_user_template', `
|
|||
|
||||
dontaudit $1_t sysadm_home_t:file { read append };
|
||||
|
||||
ifdef(`syslogd.te', `
|
||||
# Some programs that are left in $1_t will try to connect
|
||||
# to syslogd, but we do not want to let them generate log messages.
|
||||
# Do not audit.
|
||||
dontaudit $1_t devlog_t:sock_file { read write };
|
||||
dontaudit $1_t syslogd_t:unix_dgram_socket sendto;
|
||||
')
|
||||
|
||||
allow $1_t initrc_t:fifo_file write;
|
||||
') dnl end TODO
|
||||
')
|
||||
|
@ -923,12 +915,6 @@ template(`admin_user_template',`
|
|||
can_pipe_xdm($1_t)
|
||||
')
|
||||
|
||||
# Connect data port to ftpd.
|
||||
ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')
|
||||
|
||||
# Connect second port to rshd.
|
||||
ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')
|
||||
|
||||
# Allow MAKEDEV to work
|
||||
allow $1_t device_t:dir rw_dir_perms;
|
||||
allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
|
||||
|
@ -960,11 +946,8 @@ template(`admin_user_template',`
|
|||
allow $1_t usbtty_device_t:chr_file write;
|
||||
',`
|
||||
r_dir_file($1_t, noexattrfile)
|
||||
r_dir_file($1_t, removable_t)
|
||||
allow $1_t removable_device_t:blk_file r_file_perms;
|
||||
storage_raw_read_removable_device($1_t)
|
||||
')
|
||||
allow $1 removable_t:filesystem getattr;
|
||||
|
||||
') dnl endif TODO
|
||||
')
|
||||
|
||||
|
|
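Review bot: The retained line `allow $1 removable_t:filesystem getattr;` in the admin_user_template hunk passes the bare template prefix `$1` where every neighbouring rule uses the domain `$1_t`; it should read `allow $1_t removable_t:filesystem getattr;`. The block sits under ifdef(`TODO') so it is inert today, but this cleanup is the natural moment to correct it before the block is ever re-enabled, since as written it would produce an invalid rule rather than a harmless no-op. admin_user_template itself starts and ends outside the hunk.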