packets for admin modules

Chris PeBenito 2006-05-29 19:53:43 +00:00
parent c0d8c41e37
commit 9d0c9b3ed5
11 changed files with 43 additions and 53 deletions


@ -1,5 +1,5 @@
policy_module(amanda,1.3.2)
policy_module(amanda,1.3.3)
#######################################
#
@ -124,6 +124,7 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
# Added for targeted policy
term_use_unallocated_ttys(amanda_t)
corenet_non_ipsec_sendrecv(amanda_t)
corenet_tcp_sendrecv_all_if(amanda_t)
corenet_udp_sendrecv_all_if(amanda_t)
corenet_raw_sendrecv_all_if(amanda_t)
@ -132,7 +133,6 @@ corenet_udp_sendrecv_all_nodes(amanda_t)
corenet_raw_sendrecv_all_nodes(amanda_t)
corenet_tcp_sendrecv_all_ports(amanda_t)
corenet_udp_sendrecv_all_ports(amanda_t)
corenet_non_ipsec_sendrecv(amanda_t)
corenet_tcp_bind_all_nodes(amanda_t)
corenet_udp_bind_all_nodes(amanda_t)
@ -212,19 +212,18 @@ files_tmp_filetrans(amanda_recover_t,amanda_tmp_t,{ dir file lnk_file sock_file
kernel_read_system_state(amanda_recover_t)
kernel_read_kernel_sysctls(amanda_recover_t)
corenet_non_ipsec_sendrecv(amanda_recover_t)
corenet_tcp_sendrecv_all_if(amanda_recover_t)
corenet_udp_sendrecv_all_if(amanda_recover_t)
corenet_raw_sendrecv_all_if(amanda_recover_t)
corenet_tcp_sendrecv_all_nodes(amanda_recover_t)
corenet_udp_sendrecv_all_nodes(amanda_recover_t)
corenet_raw_sendrecv_all_nodes(amanda_recover_t)
corenet_tcp_sendrecv_all_ports(amanda_recover_t)
corenet_udp_sendrecv_all_ports(amanda_recover_t)
corenet_non_ipsec_sendrecv(amanda_recover_t)
corenet_tcp_bind_all_nodes(amanda_recover_t)
corenet_udp_bind_all_nodes(amanda_recover_t)
corenet_tcp_bind_reserved_port(amanda_recover_t)
corenet_tcp_connect_amanda_port(amanda_recover_t)
corenet_sendrecv_amanda_client_packets(amanda_recover_t)
corecmd_exec_shell(amanda_recover_t)
corecmd_exec_bin(amanda_recover_t)


@ -1,5 +1,5 @@
policy_module(apt,1.0.0)
policy_module(apt,1.0.1)
########################################
#
@ -76,17 +76,18 @@ corecmd_exec_bin(apt_t)
corecmd_exec_shell(apt_t)
corecmd_exec_sbin(apt_t)
corenet_non_ipsec_sendrecv(apt_t)
corenet_tcp_sendrecv_all_if(apt_t)
corenet_udp_sendrecv_all_if(apt_t)
corenet_tcp_sendrecv_all_nodes(apt_t)
corenet_udp_sendrecv_all_nodes(apt_t)
corenet_tcp_sendrecv_all_ports(apt_t)
corenet_udp_sendrecv_all_ports(apt_t)
corenet_non_ipsec_sendrecv(apt_t)
# TODO: reall allow all these?
corenet_tcp_bind_all_nodes(apt_t)
corenet_udp_bind_all_nodes(apt_t)
corenet_tcp_connect_all_ports(apt_t)
corenet_sendrecv_all_client_packets(apt_t)
dev_read_urand(apt_t)
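Review bot: `corenet_sendrecv_all_client_packets(apt_t)` in the -76,17 hunk is exactly as wide as the `corenet_tcp_connect_all_ports(apt_t)` line beside it, so once packets are labelled it adds no confinement beyond the port rule; the existing `# TODO` above the bind lines already asks that question. If apt's fetch methods can be pinned down, per-port interfaces such as `corenet_sendrecv_http_client_packets(apt_t)` and `corenet_sendrecv_ftp_client_packets(apt_t)` would be the tighter form, narrowed together with the connect rule. Otherwise record the debt with a comment such as `# TODO: narrow all_client_packets together with connect_all_ports`. The same connect-all/all-client-packets pairing appears for backup_t, dpkg_t, mrtg_t, netutils_t, traceroute_t, rpm_t and vpnc_t in this commit. The rule block continues outside the hunk.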


@ -1,5 +1,5 @@
policy_module(backup,1.0.0)
policy_module(backup,1.0.1)
########################################
#
@ -44,9 +44,8 @@ corenet_udp_sendrecv_all_nodes(backup_t)
corenet_raw_sendrecv_all_nodes(backup_t)
corenet_tcp_sendrecv_all_ports(backup_t)
corenet_udp_sendrecv_all_ports(backup_t)
corenet_tcp_bind_all_nodes(backup_t)
corenet_udp_bind_all_nodes(backup_t)
corenet_tcp_connect_all_ports(backup_t)
corenet_sendrecv_all_client_packets(backup_t)
dev_getattr_all_blk_files(backup_t)
dev_getattr_all_chr_files(backup_t)


@ -1,5 +1,5 @@
policy_module(dpkg,1.0.1)
policy_module(dpkg,1.0.2)
########################################
#
@ -91,6 +91,7 @@ kernel_read_kernel_sysctls(dpkg_t)
corecmd_exec_all_executables(dpkg_t)
# TODO: do we really need all networking?
corenet_non_ipsec_sendrecv(dpkg_t)
corenet_tcp_sendrecv_all_if(dpkg_t)
corenet_raw_sendrecv_all_if(dpkg_t)
corenet_udp_sendrecv_all_if(dpkg_t)
@ -99,10 +100,8 @@ corenet_raw_sendrecv_all_nodes(dpkg_t)
corenet_udp_sendrecv_all_nodes(dpkg_t)
corenet_tcp_sendrecv_all_ports(dpkg_t)
corenet_udp_sendrecv_all_ports(dpkg_t)
corenet_non_ipsec_sendrecv(dpkg_t)
corenet_tcp_bind_all_nodes(dpkg_t)
corenet_udp_bind_all_nodes(dpkg_t)
corenet_tcp_connect_all_ports(dpkg_t)
corenet_sendrecv_all_client_packets(dpkg_t)
dev_list_sysfs(dpkg_t)
dev_list_usbfs(dpkg_t)


@ -1,5 +1,5 @@
policy_module(firstboot,1.1.1)
policy_module(firstboot,1.1.2)
gen_require(`
class passwd rootok;
@ -48,13 +48,10 @@ unconfined_domain(firstboot_t)
kernel_read_system_state(firstboot_t)
kernel_read_kernel_sysctls(firstboot_t)
corenet_tcp_sendrecv_all_if(firstboot_t)
corenet_raw_sendrecv_all_if(firstboot_t)
corenet_tcp_sendrecv_all_nodes(firstboot_t)
corenet_raw_sendrecv_all_nodes(firstboot_t)
corenet_tcp_sendrecv_all_ports(firstboot_t)
corenet_non_ipsec_sendrecv(firstboot_t)
corenet_tcp_bind_all_nodes(firstboot_t)
corenet_tcp_sendrecv_all_if(firstboot_t)
corenet_tcp_sendrecv_all_nodes(firstboot_t)
corenet_tcp_sendrecv_all_ports(firstboot_t)
dev_read_urand(firstboot_t)


@ -1,5 +1,5 @@
policy_module(mrtg,1.0.0)
policy_module(mrtg,1.0.1)
########################################
#
@ -68,15 +68,12 @@ corecmd_exec_shell(mrtg_t)
corenet_non_ipsec_sendrecv(mrtg_t)
corenet_tcp_sendrecv_generic_if(mrtg_t)
corenet_udp_sendrecv_generic_if(mrtg_t)
corenet_raw_sendrecv_generic_if(mrtg_t)
corenet_tcp_sendrecv_all_nodes(mrtg_t)
corenet_udp_sendrecv_all_nodes(mrtg_t)
corenet_raw_sendrecv_all_nodes(mrtg_t)
corenet_tcp_sendrecv_all_ports(mrtg_t)
corenet_udp_sendrecv_all_ports(mrtg_t)
corenet_tcp_bind_all_nodes(mrtg_t)
corenet_udp_bind_all_nodes(mrtg_t)
corenet_tcp_connect_all_ports(mrtg_t)
corenet_sendrecv_all_client_packets(mrtg_t)
dev_read_sysfs(mrtg_t)
dev_read_urand(mrtg_t)


@ -1,5 +1,5 @@
policy_module(netutils,1.1.2)
policy_module(netutils,1.1.3)
########################################
#
@ -43,6 +43,7 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
kernel_search_proc(netutils_t)
corenet_non_ipsec_sendrecv(netutils_t)
corenet_tcp_sendrecv_all_if(netutils_t)
corenet_raw_sendrecv_all_if(netutils_t)
corenet_udp_sendrecv_all_if(netutils_t)
@ -51,10 +52,8 @@ corenet_raw_sendrecv_all_nodes(netutils_t)
corenet_udp_sendrecv_all_nodes(netutils_t)
corenet_tcp_sendrecv_all_ports(netutils_t)
corenet_udp_sendrecv_all_ports(netutils_t)
corenet_non_ipsec_sendrecv(netutils_t)
corenet_tcp_bind_all_nodes(netutils_t)
corenet_udp_bind_all_nodes(netutils_t)
corenet_tcp_connect_all_ports(netutils_t)
corenet_sendrecv_all_client_packets(netutils_t)
fs_getattr_xattr_fs(netutils_t)
@ -96,21 +95,15 @@ allow ping_t self:capability { setuid net_raw };
dontaudit ping_t self:capability sys_tty_config;
allow ping_t self:tcp_socket create_socket_perms;
allow ping_t self:udp_socket create_socket_perms;
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
corenet_non_ipsec_sendrecv(ping_t)
corenet_tcp_sendrecv_all_if(ping_t)
corenet_udp_sendrecv_all_if(ping_t)
corenet_raw_sendrecv_all_if(ping_t)
corenet_raw_sendrecv_all_nodes(ping_t)
corenet_tcp_sendrecv_all_nodes(ping_t)
corenet_udp_sendrecv_all_nodes(ping_t)
corenet_tcp_sendrecv_all_ports(ping_t)
corenet_udp_sendrecv_all_ports(ping_t)
corenet_non_ipsec_sendrecv(ping_t)
corenet_udp_bind_all_nodes(ping_t)
corenet_tcp_bind_all_nodes(ping_t)
fs_dontaudit_getattr_xattr_fs(ping_t)
@ -173,21 +166,23 @@ allow traceroute_t self:udp_socket create_socket_perms;
kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t)
corenet_non_ipsec_sendrecv(traceroute_t)
corenet_tcp_sendrecv_all_if(traceroute_t)
corenet_udp_sendrecv_all_if(traceroute_t)
corenet_raw_sendrecv_all_if(traceroute_t)
corenet_raw_sendrecv_all_nodes(traceroute_t)
corenet_tcp_sendrecv_all_nodes(traceroute_t)
corenet_udp_sendrecv_all_nodes(traceroute_t)
corenet_raw_sendrecv_all_nodes(traceroute_t)
corenet_tcp_sendrecv_all_ports(traceroute_t)
corenet_udp_sendrecv_all_ports(traceroute_t)
corenet_non_ipsec_sendrecv(traceroute_t)
corenet_udp_bind_all_nodes(traceroute_t)
corenet_tcp_bind_all_nodes(traceroute_t)
# traceroute needs this but not tracepath
corenet_raw_bind_all_nodes(traceroute_t)
corenet_udp_bind_traceroute_port(traceroute_t)
corenet_tcp_connect_all_ports(traceroute_t)
corenet_sendrecv_all_client_packets(traceroute_t)
corenet_sendrecv_traceroute_server_packets(traceroute_t)
fs_dontaudit_getattr_xattr_fs(traceroute_t)
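Review bot: ping_t in the -96,21 hunk shows no `corenet_sendrecv_*_packets` line, while netutils_t and traceroute_t in the same file each gain one, and nothing explains the difference. If it is deliberate because ping only speaks ICMP and no port-derived packet type applies, say so next to the rules, e.g. `# ICMP only: no port-based packet type applies to ping_t`. If it is an omission, ping may presumably be denied once packet labelling is enabled. Which of the listed ping_t lines are removed cannot be recovered from this rendering, so this rests only on the lines visible in the hunk.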


@ -1,5 +1,5 @@
policy_module(rpm,1.3.5)
policy_module(rpm,1.3.6)
########################################
#
@ -92,6 +92,7 @@ kernel_read_kernel_sysctls(rpm_t)
corecmd_exec_all_executables(rpm_t)
corenet_non_ipsec_sendrecv(rpm_t)
corenet_tcp_sendrecv_all_if(rpm_t)
corenet_raw_sendrecv_all_if(rpm_t)
corenet_udp_sendrecv_all_if(rpm_t)
@ -100,10 +101,8 @@ corenet_raw_sendrecv_all_nodes(rpm_t)
corenet_udp_sendrecv_all_nodes(rpm_t)
corenet_tcp_sendrecv_all_ports(rpm_t)
corenet_udp_sendrecv_all_ports(rpm_t)
corenet_non_ipsec_sendrecv(rpm_t)
corenet_tcp_bind_all_nodes(rpm_t)
corenet_udp_bind_all_nodes(rpm_t)
corenet_tcp_connect_all_ports(rpm_t)
corenet_sendrecv_all_client_packets(rpm_t)
dev_list_sysfs(rpm_t)
dev_list_usbfs(rpm_t)


@ -1,5 +1,5 @@
policy_module(sxid,1.0.0)
policy_module(sxid,1.0.1)
########################################
#
@ -43,17 +43,13 @@ corecmd_exec_bin(sxid_t)
corecmd_exec_sbin(sxid_t)
corecmd_exec_shell(sxid_t)
corenet_non_ipsec_sendrecv(sxid_t)
corenet_tcp_sendrecv_generic_if(sxid_t)
corenet_udp_sendrecv_generic_if(sxid_t)
corenet_raw_sendrecv_generic_if(sxid_t)
corenet_tcp_sendrecv_all_nodes(sxid_t)
corenet_udp_sendrecv_all_nodes(sxid_t)
corenet_raw_sendrecv_all_nodes(sxid_t)
corenet_tcp_sendrecv_all_ports(sxid_t)
corenet_udp_sendrecv_all_ports(sxid_t)
corenet_non_ipsec_sendrecv(sxid_t)
corenet_tcp_bind_all_nodes(sxid_t)
corenet_udp_bind_all_nodes(sxid_t)
dev_read_sysfs(sxid_t)
dev_getattr_all_blk_files(sxid_t)


@ -1,5 +1,5 @@
policy_module(vpn,1.2.1)
policy_module(vpn,1.2.2)
########################################
#
@ -49,6 +49,7 @@ kernel_read_network_state(vpnc_t)
kernel_read_kernel_sysctls(vpnc_t)
kernel_rw_net_sysctls(vpnc_t)
corenet_non_ipsec_sendrecv(vpnc_t)
corenet_tcp_sendrecv_all_if(vpnc_t)
corenet_udp_sendrecv_all_if(vpnc_t)
corenet_raw_sendrecv_all_if(vpnc_t)
@ -57,12 +58,13 @@ corenet_udp_sendrecv_all_nodes(vpnc_t)
corenet_raw_sendrecv_all_nodes(vpnc_t)
corenet_tcp_sendrecv_all_ports(vpnc_t)
corenet_udp_sendrecv_all_ports(vpnc_t)
corenet_non_ipsec_sendrecv(vpnc_t)
corenet_tcp_bind_all_nodes(vpnc_t)
corenet_udp_bind_all_nodes(vpnc_t)
corenet_udp_bind_generic_port(vpnc_t)
corenet_udp_bind_isakmp_port(vpnc_t)
corenet_tcp_connect_all_ports(vpnc_t)
corenet_sendrecv_all_client_packets(vpnc_t)
corenet_sendrecv_isakmp_server_packets(vpnc_t)
corenet_sendrecv_generic_server_packets(vpnc_t)
corenet_rw_tun_tap_dev(vpnc_t)
dev_read_rand(vpnc_t)
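Review bot: `corenet_sendrecv_generic_server_packets(vpnc_t)` in the -57,12 hunk is undocumented, although it presumably covers any server traffic that no port-specific packet label claims, which makes it the broadest of the three packet rules added here. It appears to mirror `corenet_udp_bind_generic_port(vpnc_t)` earlier in the same hunk, just as the isakmp packet rule mirrors `corenet_udp_bind_isakmp_port(vpnc_t)`. A comment tying the generic pair together would make later tightening safer, e.g. `# generic port/packets: vpnc's local UDP port is not fixed (confirm)`. The rule block starts and ends outside the hunk.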


@ -1,5 +1,5 @@
policy_module(afs,1.0.0)
policy_module(afs,1.0.1)
########################################
#
@ -110,6 +110,7 @@ corenet_tcp_sendrecv_all_ports(afs_bosserver_t)
corenet_udp_sendrecv_all_ports(afs_bosserver_t)
corenet_udp_bind_all_nodes(afs_bosserver_t)
corenet_udp_bind_afs_bos_port(afs_bosserver_t)
corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t)
files_read_etc_files(afs_bosserver_t)
files_list_home(afs_bosserver_t)
@ -174,6 +175,7 @@ corenet_tcp_bind_all_nodes(afs_fsserver_t)
corenet_udp_bind_all_nodes(afs_fsserver_t)
corenet_tcp_bind_afs_fs_port(afs_fsserver_t)
corenet_udp_bind_afs_fs_port(afs_fsserver_t)
corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t)
files_read_etc_files(afs_fsserver_t)
files_read_etc_runtime_files(afs_fsserver_t)
@ -233,6 +235,8 @@ corenet_udp_sendrecv_all_ports(afs_kaserver_t)
corenet_udp_bind_all_nodes(afs_kaserver_t)
corenet_udp_bind_afs_ka_port(afs_kaserver_t)
corenet_udp_bind_kerberos_port(afs_kaserver_t)
corenet_sendrecv_afs_ka_server_packets(afs_kaserver_t)
corenet_sendrecv_kerberos_server_packets(afs_kaserver_t)
files_read_etc_files(afs_kaserver_t)
files_list_home(afs_kaserver_t)
@ -280,6 +284,7 @@ corenet_tcp_sendrecv_all_ports(afs_ptserver_t)
corenet_udp_sendrecv_all_ports(afs_ptserver_t)
corenet_udp_bind_all_nodes(afs_ptserver_t)
corenet_udp_bind_afs_pt_port(afs_ptserver_t)
corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t)
files_read_etc_files(afs_ptserver_t)
@ -323,6 +328,7 @@ corenet_tcp_sendrecv_all_ports(afs_vlserver_t)
corenet_udp_sendrecv_all_ports(afs_vlserver_t)
corenet_udp_bind_all_nodes(afs_vlserver_t)
corenet_udp_bind_afs_vl_port(afs_vlserver_t)
corenet_sendrecv_afs_vl_server_packets(afs_vlserver_t)
files_read_etc_files(afs_vlserver_t)
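Review bot: All five AFS server domains gain only `*_server_packets` rules in these hunks, each matching the port that domain binds, and none gains a client packet rule. If any of these servers also calls another AFS service (for example afs_fsserver_t querying the pt or vl servers; inferred, since the surrounding rules are outside the hunks), that outbound traffic would need something like `corenet_sendrecv_afs_pt_client_packets(afs_fsserver_t)` once packets are labelled. Worth confirming against a labelled test setup, or adding a short comment per domain stating that it is server-only.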