nicer te_trans conflict fix
This commit is contained in:
parent
cac3eca0be
commit
f3936d3876
|
@ -35,17 +35,6 @@ allow sendmail_t self:fifo_file rw_file_perms;
|
||||||
allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
|
allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
allow sendmail_t self:unix_dgram_socket create_socket_perms;
|
allow sendmail_t self:unix_dgram_socket create_socket_perms;
|
||||||
|
|
||||||
allow sendmail_t sendmail_log_t:file create_file_perms;
|
|
||||||
allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };
|
|
||||||
logging_create_log(sendmail_t,sendmail_log_t,{ file dir })
|
|
||||||
|
|
||||||
allow sendmail_t sendmail_tmp_t:dir create_dir_perms;
|
|
||||||
allow sendmail_t sendmail_tmp_t:file create_file_perms;
|
|
||||||
files_create_tmp_files(sendmail_t, sendmail_tmp_t, { file dir })
|
|
||||||
|
|
||||||
allow sendmail_t sendmail_var_run_t:file { getattr create read write append setattr unlink };
|
|
||||||
files_create_pid(sendmail_t,sendmail_var_run_t)
|
|
||||||
|
|
||||||
kernel_read_kernel_sysctl(sendmail_t)
|
kernel_read_kernel_sysctl(sendmail_t)
|
||||||
# for piping mail to a command
|
# for piping mail to a command
|
||||||
kernel_read_system_state(sendmail_t)
|
kernel_read_system_state(sendmail_t)
|
||||||
|
@ -112,6 +101,17 @@ ifdef(`targeted_policy',`
|
||||||
term_dontaudit_use_unallocated_tty(sendmail_t)
|
term_dontaudit_use_unallocated_tty(sendmail_t)
|
||||||
term_dontaudit_use_generic_pty(sendmail_t)
|
term_dontaudit_use_generic_pty(sendmail_t)
|
||||||
files_dontaudit_read_root_file(sendmail_t)
|
files_dontaudit_read_root_file(sendmail_t)
|
||||||
|
',`
|
||||||
|
allow sendmail_t sendmail_log_t:file create_file_perms;
|
||||||
|
allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };
|
||||||
|
logging_create_log(sendmail_t,sendmail_log_t,{ file dir })
|
||||||
|
|
||||||
|
allow sendmail_t sendmail_tmp_t:dir create_dir_perms;
|
||||||
|
allow sendmail_t sendmail_tmp_t:file create_file_perms;
|
||||||
|
files_create_tmp_files(sendmail_t, sendmail_tmp_t, { file dir })
|
||||||
|
|
||||||
|
allow sendmail_t sendmail_var_run_t:file { getattr create read write append setattr unlink };
|
||||||
|
files_create_pid(sendmail_t,sendmail_var_run_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`nis.te',`
|
optional_policy(`nis.te',`
|
||||||
|
|
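Review bot: The log, tmp and pid rules removed from the top of the sendmail section (`logging_create_log(sendmail_t,sendmail_log_t,{ file dir })`, `files_create_tmp_files(sendmail_t, sendmail_tmp_t, { file dir })`, `files_create_pid(sendmail_t,sendmail_var_run_t)` and the two `allow` lines next to them) are re-added only in the `',` branch of the ifdef(`targeted_policy' block in the second hunk, so under targeted policy sendmail_t no longer receives any of them. That is only correct if the targeted branch handles sendmail_t some other way, which this section does not show; please confirm before merging. Either way the branch should say what it is, e.g. `# strict policy only: log, tmp and pid file access` above the re-added `allow sendmail_t sendmail_log_t:file create_file_perms;`. The enclosing ifdef opens before the second hunk, as its header line `@ -112,6 +101,17 @@` indicates.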
|
@ -55,7 +55,6 @@ files_tmpfs_file(xdm_tmpfs_t)
|
||||||
# Local policy
|
# Local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
ifdef(`targeted_policy',`',`
|
|
||||||
allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
|
allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
|
||||||
allow xdm_t self:process { setexec setpgid setsched setrlimit };
|
allow xdm_t self:process { setexec setpgid setsched setrlimit };
|
||||||
allow xdm_t self:fifo_file rw_file_perms;
|
allow xdm_t self:fifo_file rw_file_perms;
|
||||||
|
@ -63,6 +62,24 @@ ifdef(`targeted_policy',`',`
|
||||||
allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||||
allow xdm_t self:unix_dgram_socket create_socket_perms;
|
allow xdm_t self:unix_dgram_socket create_socket_perms;
|
||||||
|
|
||||||
|
kernel_read_system_state(xdm_t)
|
||||||
|
kernel_read_kernel_sysctl(xdm_t)
|
||||||
|
|
||||||
|
dev_read_rand(xdm_t)
|
||||||
|
dev_read_urand(xdm_t)
|
||||||
|
|
||||||
|
selinux_get_fs_mount(xdm_t)
|
||||||
|
selinux_validate_context(xdm_t)
|
||||||
|
selinux_compute_access_vector(xdm_t)
|
||||||
|
selinux_compute_create_context(xdm_t)
|
||||||
|
selinux_compute_relabel_context(xdm_t)
|
||||||
|
selinux_compute_user_contexts(xdm_t)
|
||||||
|
|
||||||
|
files_read_etc_runtime_files(xdm_t)
|
||||||
|
|
||||||
|
ifdef(`targeted_policy',`
|
||||||
|
unconfined_domain_template(xdm_t)
|
||||||
|
',`
|
||||||
allow xdm_t xdm_lock_t:file create_file_perms;
|
allow xdm_t xdm_lock_t:file create_file_perms;
|
||||||
files_create_lock(xdm_t,xdm_lock_t)
|
files_create_lock(xdm_t,xdm_lock_t)
|
||||||
|
|
||||||
|
@ -81,21 +98,7 @@ ifdef(`targeted_policy',`',`
|
||||||
allow xdm_t xdm_var_lib_t:file create_file_perms;
|
allow xdm_t xdm_var_lib_t:file create_file_perms;
|
||||||
allow xdm_t xdm_var_lib_t:dir create_dir_perms;
|
allow xdm_t xdm_var_lib_t:dir create_dir_perms;
|
||||||
files_create_var_lib(xdm_t,xdm_var_lib_t)
|
files_create_var_lib(xdm_t,xdm_var_lib_t)
|
||||||
|
')
|
||||||
kernel_read_system_state(xdm_t)
|
|
||||||
kernel_read_kernel_sysctl(xdm_t)
|
|
||||||
|
|
||||||
dev_read_rand(xdm_t)
|
|
||||||
dev_read_urand(xdm_t)
|
|
||||||
|
|
||||||
selinux_get_fs_mount(xdm_t)
|
|
||||||
selinux_validate_context(xdm_t)
|
|
||||||
selinux_compute_access_vector(xdm_t)
|
|
||||||
selinux_compute_create_context(xdm_t)
|
|
||||||
selinux_compute_relabel_context(xdm_t)
|
|
||||||
selinux_compute_user_contexts(xdm_t)
|
|
||||||
|
|
||||||
files_read_etc_runtime_files(xdm_t)
|
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
# cjp: TODO: integrate strict policy:
|
# cjp: TODO: integrate strict policy:
|
||||||
|
@ -417,4 +420,3 @@ ifdef(`targeted_policy',`',`
|
||||||
# Supress permission check on .ICE-unix
|
# Supress permission check on .ICE-unix
|
||||||
dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
|
dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
|
||||||
') dnl end TODO
|
') dnl end TODO
|
||||||
')
|
|
||||||
|
|
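Review bot: The `')` dropped at the very end of the xdm section (fourth hunk, after `') dnl end TODO`) is the closer of the ifdef(`targeted_policy',`',` wrapper removed in the first hunk, and the new ifdef(`targeted_policy' / `',` / `')` block spread over the second and third hunks looks balanced, but because the m4 quoting now spans four hunks a single build of the module is the only reliable check. The moved `kernel_read_system_state(xdm_t)`, `kernel_read_kernel_sysctl(xdm_t)`, `dev_read_rand(xdm_t)`/`dev_read_urand(xdm_t)`, `selinux_*(xdm_t)` and `files_read_etc_runtime_files(xdm_t)` lines now apply in both variants, while the added `unconfined_domain_template(xdm_t)` already subsumes them under targeted policy, so they are redundant there rather than wrong. A one-line marker above `kernel_read_system_state(xdm_t)`, such as `# common to strict and targeted policy`, would make that intent clear to the next conflict resolver.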