Changeset 216

Timestamp:
07/23/08 13:59:39 (4 months ago)
Author:
jmowery
Message:

adding back several networking permissions that were covered by all (now with specific calls instead)
patch also contains a few (autocorrected) whitespace changes

Files:

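--- a/branch/RHEL-5.2-20080702merge/src/selinux-policy-clip/policy/modules/services/cups.te
+++ b/branch/RHEL-5.2-20080702merge/src/selinux-policy-clip/policy/modules/services/cups.te
@@ -142,5 +142,8 @@
 corenet_raw_sendrecv_generic_node(cupsd_t)
 corenet_tcp_sendrecv_generic_port(cupsd_t)
+corenet_tcp_sendrecv_ipp_port(cupsd_t)
+corenet_tcp_sendrecv_reserved_port(cupsd_t)
 corenet_udp_sendrecv_generic_port(cupsd_t)
+corenet_udp_sendrecv_ipp_port(cupsd_t)
 corenet_tcp_bind_generic_node(cupsd_t)
 corenet_udp_bind_generic_node(cupsd_t)
@@ -150,4 +153,6 @@
 corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
 corenet_tcp_connect_generic_port(cupsd_t)
+corenet_tcp_connect_ipp_port(cupsd_t)
+corenet_tcp_connect_reserved_port(cupsd_t)
 corenet_sendrecv_hplip_client_packets(cupsd_t)
 corenet_sendrecv_ipp_client_packets(cupsd_t)
@@ -301,5 +306,5 @@
 files_var_filetrans(cupsd_config_t,cupsd_rw_etc_t,file)
 
-can_exec(cupsd_config_t, cupsd_config_exec_t) 
+can_exec(cupsd_config_t, cupsd_config_exec_t)
 
 allow cupsd_config_t cupsd_log_t:file rw_file_perms;
@@ -457,4 +462,5 @@
 corenet_udp_sendrecv_generic_node(cupsd_lpd_t)
 corenet_tcp_sendrecv_generic_port(cupsd_lpd_t)
+corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
 corenet_udp_sendrecv_generic_port(cupsd_lpd_t)
 corenet_tcp_bind_generic_node(cupsd_lpd_t)
@@ -525,4 +531,5 @@
 corenet_raw_sendrecv_generic_node(hplip_t)
 corenet_tcp_sendrecv_generic_port(hplip_t)
+corenet_tcp_sendrecv_ipp_port(hplip_t)
 corenet_udp_sendrecv_generic_port(hplip_t)
 corenet_tcp_bind_generic_node(hplip_t)
@@ -530,4 +537,5 @@
 corenet_tcp_bind_hplip_port(hplip_t)
 corenet_tcp_connect_hplip_port(hplip_t)
+corenet_tcp_sendrecv_hplip_port(hplip_t)
 corenet_tcp_connect_ipp_port(hplip_t)
 corenet_sendrecv_hplip_client_packets(hplip_t)
@@ -614,4 +622,5 @@
 corenet_tcp_sendrecv_generic_node(ptal_t)
 corenet_tcp_sendrecv_generic_port(ptal_t)
+corenet_tcp_sendrecv_ptal_port(ptal_t)
 corenet_tcp_bind_generic_node(ptal_t)
 corenet_tcp_bind_ptal_port(ptal_t)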
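Review bot: The two `reserved_port` grants for cupsd_t (new lines 145 and 156) are the broadest additions in this file and carry no comment saying which service they are for. If reserved_port_t in this tree is the catch-all label for low ports without a type of their own, `corenet_tcp_connect_reserved_port(cupsd_t)` lets cupsd open connections to any of them, which sits oddly with a commit meant to replace the `all` rules with specific ones. I would name the port type the denial was actually for, or at least add a comment such as `# cupsd -> <service> on an unlabelled low port, see <AVC/ticket reference>`. The network block these lines belong to starts and ends outside the displayed hunks.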
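--- a/branch/RHEL-5.2-20080702merge/src/selinux-policy-clip/policy/modules/services/lpd.te
+++ b/branch/RHEL-5.2-20080702merge/src/selinux-policy-clip/policy/modules/services/lpd.te
@@ -161,4 +161,5 @@
 corenet_udp_sendrecv_generic_node(lpd_t)
 corenet_tcp_sendrecv_generic_port(lpd_t)
+corenet_tcp_sendrecv_printer_port(lpd_t)
 corenet_udp_sendrecv_generic_port(lpd_t)
 corenet_tcp_bind_generic_node(lpd_t)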
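--- a/branch/RHEL-5.2-20080702merge/src/selinux-policy-clip/policy/modules/services/mta.if
+++ b/branch/RHEL-5.2-20080702merge/src/selinux-policy-clip/policy/modules/services/mta.if
@@ -77,4 +77,5 @@
         corenet_tcp_sendrecv_generic_node($1_mail_t)
         corenet_tcp_sendrecv_generic_port($1_mail_t)
+        corenet_tcp_sendrecv_smtp_port($1_mail_t)
         corenet_tcp_connect_generic_port($1_mail_t)
         corenet_tcp_connect_smtp_port($1_mail_t)
@@ -687,5 +688,5 @@
 #######################################
 ## <summary>
-##      Create private objects in the 
+##      Create private objects in the
 ##      mail spool directory.
 ## </summary>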
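--- a/branch/RHEL-5.2-20080702merge/src/selinux-policy-clip/policy/modules/services/ntp.te
+++ b/branch/RHEL-5.2-20080702merge/src/selinux-policy-clip/policy/modules/services/ntp.te
@@ -70,4 +70,6 @@
 corenet_tcp_sendrecv_generic_port(ntpd_t)
 corenet_udp_sendrecv_generic_port(ntpd_t)
+corenet_tcp_sendrecv_ntp_port(ntpd_t)
+corenet_udp_sendrecv_ntp_port(ntpd_t)
 corenet_tcp_bind_generic_node(ntpd_t)
 corenet_udp_bind_generic_node(ntpd_t)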
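Review bot: `corenet_tcp_sendrecv_ntp_port(ntpd_t)` on new line 72 is probably dead policy, because NTP runs over UDP and, if ntp_port_t is only declared for the UDP port in this tree, no TCP port carries that label for the rule to match. The UDP rule on line 73 is the one that restores the access lost with the `all` rules. I would drop line 72, or add a comment if a TCP ntp port is defined locally; the TCP dhcpc rules added in sysnetwork.te (new lines 97 and 103) deserve the same check.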
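--- a/branch/RHEL-5.2-20080702merge/src/selinux-policy-clip/policy/modules/services/ricci.te
+++ b/branch/RHEL-5.2-20080702merge/src/selinux-policy-clip/policy/modules/services/ricci.te
@@ -126,4 +126,6 @@
 corenet_tcp_sendrecv_generic_node(ricci_t)
 corenet_tcp_sendrecv_generic_port(ricci_t)
+corenet_tcp_sendrecv_ricci_port(ricci_t)
+corenet_tcp_sendrecv_http_port(ricci_t)
 corenet_tcp_bind_generic_node(ricci_t)
 corenet_udp_bind_generic_node(ricci_t)
@@ -290,4 +292,5 @@
 corenet_tcp_sendrecv_generic_if(ricci_modclusterd_t)
 corenet_tcp_sendrecv_generic_port(ricci_modclusterd_t)
+corenet_tcp_sendrecv_ricci_modcluster_port(ricci_modclusterd_t)
 corenet_tcp_bind_generic_node(ricci_modclusterd_t)
 corenet_tcp_bind_ricci_modcluster_port(ricci_modclusterd_t)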
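--- a/branch/RHEL-5.2-20080702merge/src/selinux-policy-clip/policy/modules/services/rwho.te
+++ b/branch/RHEL-5.2-20080702merge/src/selinux-policy-clip/policy/modules/services/rwho.te
@@ -43,4 +43,5 @@
 corenet_udp_sendrecv_generic_node(rwho_t)
 corenet_udp_sendrecv_generic_port(rwho_t)
+corenet_udp_sendrecv_rwho_port(rwho_t)
 corenet_udp_bind_generic_node(rwho_t)
 corenet_udp_bind_rwho_port(rwho_t)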
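--- a/branch/RHEL-5.2-20080702merge/src/selinux-policy-clip/policy/modules/services/sendmail.te
+++ b/branch/RHEL-5.2-20080702merge/src/selinux-policy-clip/policy/modules/services/sendmail.te
@@ -54,7 +54,11 @@
 corenet_tcp_sendrecv_generic_node(sendmail_t)
 corenet_tcp_sendrecv_generic_port(sendmail_t)
+corenet_tcp_sendrecv_smtp_port(sendmail_t)
 corenet_tcp_bind_generic_node(sendmail_t)
 corenet_tcp_bind_smtp_port(sendmail_t)
 corenet_tcp_connect_generic_port(sendmail_t)
+corenet_tcp_connect_snmp_port(sendmail_t)
+corenet_tcp_connect_smtp_port(sendmail_t)
+corenet_tcp_sendrecv_snmp_port(sendmail_t)
 corenet_sendrecv_smtp_server_packets(sendmail_t)
 corenet_sendrecv_smtp_client_packets(sendmail_t)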
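Review bot: New lines 60 and 62 grant sendmail_t `corenet_tcp_connect_snmp_port` and `corenet_tcp_sendrecv_snmp_port`, that is SNMP rather than SMTP, and nothing in the hunk or the commit message says why a mail daemon needs to reach SNMP agents. Sitting between the `smtp` rules on lines 56 and 61, this reads like a one-letter typo; if so, both lines can simply be removed, since the smtp equivalents are already added by this change. If the access is intentional, a comment naming the feature that needs it should accompany the two rules.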
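--- a/branch/RHEL-5.2-20080702merge/src/selinux-policy-clip/policy/modules/services/ssh.if
+++ b/branch/RHEL-5.2-20080702merge/src/selinux-policy-clip/policy/modules/services/ssh.if
@@ -115,4 +115,5 @@
         corenet_tcp_sendrecv_generic_port($1_ssh_t)
         corenet_tcp_connect_ssh_port($1_ssh_t)
+        corenet_tcp_sendrecv_ssh_port($1_ssh_t)
         corenet_sendrecv_ssh_client_packets($1_ssh_t)
 
@@ -294,5 +295,5 @@
         # Should we have a boolean around this?
         files_search_mnt($1_ssh_t)
-        r_dir_file($1_ssh_t, removable_t) 
+        r_dir_file($1_ssh_t, removable_t)
 
         ') dnl endif TODO
@@ -475,7 +476,9 @@
         corenet_udp_sendrecv_generic_port($1_t)
         corenet_tcp_sendrecv_generic_port($1_t)
+        corenet_tcp_sendrecv_ssh_port($1_t)
         corenet_tcp_bind_generic_node($1_t)
         corenet_udp_bind_generic_node($1_t)
         corenet_tcp_bind_ssh_port($1_t)
+        corenet_tcp_connect_ssh_port($1_t)
         corenet_tcp_connect_generic_port($1_t)
         corenet_sendrecv_ssh_server_packets($1_t)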
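Review bot: New line 482 adds `corenet_tcp_connect_ssh_port($1_t)` to what looks like the server-side template, since it sits beside `corenet_tcp_bind_ssh_port($1_t)` and `corenet_sendrecv_ssh_server_packets($1_t)`. That lets every daemon domain built from the template open outbound connections to ssh ports, which a listening daemon would not obviously need. If an AVC denial justified it, a short comment such as `# needed for <feature>, see <AVC/ticket reference>` would record why; otherwise the `sendrecv` rule on line 478 alone restores the inbound traffic. The template begins and ends outside the displayed hunk, so this is inferred from the neighbouring lines only.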
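--- a/branch/RHEL-5.2-20080702merge/src/selinux-policy-clip/policy/modules/services/ssh.te
+++ b/branch/RHEL-5.2-20080702merge/src/selinux-policy-clip/policy/modules/services/ssh.te
@@ -79,4 +79,6 @@
 # for X forwarding
 corenet_tcp_bind_xserver_port(sshd_t)
+corenet_tcp_connect_xserver_port(sshd_t)
+corenet_tcp_sendrecv_xserver_port(sshd_t)
 corenet_sendrecv_xserver_server_packets(sshd_t)
 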
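Review bot: `corenet_tcp_connect_xserver_port(sshd_t)` on new line 81 gives the daemon outbound connections to X server ports, yet under the `# for X forwarding` comment the server side normally only binds a proxy display port and accepts local clients, while the connection to the real X server is made by the ssh client at the other end. Unless a denial showed sshd_t needing `name_connect` on xserver ports, I would leave line 81 out and keep the bind and sendrecv rules. If it is required, the comment should be extended to say which code path triggers it.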
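--- a/branch/RHEL-5.2-20080702merge/src/selinux-policy-clip/policy/modules/services/xfs.te
+++ b/branch/RHEL-5.2-20080702merge/src/selinux-policy-clip/policy/modules/services/xfs.te
@@ -44,4 +44,5 @@
 corenet_tcp_sendrecv_generic_node(xfs_t)
 corenet_tcp_sendrecv_generic_port(xfs_t)
+corenet_tcp_sendrecv_xfs_port(xfs_t)
 corenet_tcp_bind_generic_node(xfs_t)
 corenet_tcp_bind_xfs_port(xfs_t)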
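--- a/branch/RHEL-5.2-20080702merge/src/selinux-policy-clip/policy/modules/services/xserver.if
+++ b/branch/RHEL-5.2-20080702merge/src/selinux-policy-clip/policy/modules/services/xserver.if
@@ -115,8 +115,10 @@
         corenet_udp_sendrecv_generic_node($1_xserver_t)
         corenet_tcp_sendrecv_generic_port($1_xserver_t)
+        corenet_tcp_sendrecv_xserver_port($1_xserver_t)
         corenet_udp_sendrecv_generic_port($1_xserver_t)
         corenet_tcp_bind_generic_node($1_xserver_t)
         corenet_tcp_bind_xserver_port($1_xserver_t)
         corenet_tcp_connect_generic_port($1_xserver_t)
+        corenet_tcp_connect_xserver_port($1_xserver_t)
         corenet_sendrecv_xserver_server_packets($1_xserver_t)
         corenet_sendrecv_generic_client_packets($1_xserver_t)
@@ -453,7 +455,7 @@
 
         userdom_use_user_terminals($1,$1_iceauth_t)
-        
+
         files_search_tmp($1_iceauth_t)
-        
+
         userdom_read_user_home_content_files($1, $1_iceauth_t)
         userdom_read_user_tmp_files($1, $1_iceauth_t)
@@ -461,5 +463,5 @@
                 gen_require(`
                         type $1_t;
-                ')     
+                ')
         allow $1_iceauth_t $1_t:unix_stream_socket { read write };
         ')
@@ -707,5 +709,5 @@
                 class x_property all_x_property_perms;
                 class x_selection all_x_selection_perms;
-                class x_cursor all_x_cursor_perms;     
+                class x_cursor all_x_cursor_perms;
                 class x_client all_x_client_perms;
                 class x_device all_x_device_perms;
@@ -1150,5 +1152,5 @@
         ')
 
-        allow $1 xdm_t:fd use; 
+        allow $1 xdm_t:fd use;
 ')
 
@@ -1169,5 +1171,5 @@
         ')
 
-        dontaudit $1 xdm_t:fd use; 
+        dontaudit $1 xdm_t:fd use;
 ')
 
@@ -1187,5 +1189,5 @@
         ')
 
-        allow $1 xdm_t:fifo_file { getattr read write }; 
+        allow $1 xdm_t:fifo_file { getattr read write };
 ')
 
@@ -1207,5 +1209,5 @@
         ')
 
-        dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms; 
+        dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms;
 ')
 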
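--- a/branch/RHEL-5.2-20080702merge/src/selinux-policy-clip/policy/modules/services/xserver.te
+++ b/branch/RHEL-5.2-20080702merge/src/selinux-policy-clip/policy/modules/services/xserver.te
@@ -178,5 +178,5 @@
 fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 
-manage_dirs_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t) 
+manage_dirs_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)
 manage_files_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)
 files_var_lib_filetrans(xdm_t,xdm_var_lib_t,file)
@@ -227,9 +227,12 @@
 corenet_udp_sendrecv_generic_node(xdm_t)
 corenet_tcp_sendrecv_generic_port(xdm_t)
+corenet_tcp_sendrecv_xserver_port(xdm_t)
 corenet_udp_sendrecv_generic_port(xdm_t)
 corenet_tcp_bind_generic_node(xdm_t)
 corenet_udp_bind_generic_node(xdm_t)
 corenet_tcp_connect_generic_port(xdm_t)
+corenet_tcp_connect_xserver_port(xdm_t)
 corenet_sendrecv_generic_client_packets(xdm_t)
+corenet_sendrecv_xserver_client_packets(xdm_t)
 # xdm tries to bind to biff_port_t
 corenet_dontaudit_tcp_bind_all_ports(xdm_t)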
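--- a/branch/RHEL-5.2-20080702merge/src/selinux-policy-clip/policy/modules/system/iscsi.te
+++ b/branch/RHEL-5.2-20080702merge/src/selinux-policy-clip/policy/modules/system/iscsi.te
@@ -62,4 +62,6 @@
 corenet_tcp_sendrecv_generic_node(iscsid_t)
 corenet_tcp_sendrecv_generic_port(iscsid_t)
+corenet_tcp_sendrecv_iscsi_port(iscsid_t)
+corenet_tcp_sendrecv_http_port(iscsid_t)
 corenet_tcp_connect_http_port(iscsid_t)
 corenet_tcp_connect_iscsi_port(iscsid_t)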
  • branch/RHEL-5.2-20080702merge/src/selinux-policy-clip/policy/modules/system/sysnetwork.te

    r215 r216  
    9595corenet_tcp_sendrecv_generic_port(dhcpc_t) 
    9696corenet_udp_sendrecv_generic_port(dhcpc_t) 
     97corenet_tcp_sendrecv_dhcpc_port(dhcpc_t) 
     98corenet_udp_sendrecv_dhcpc_port(dhcpc_t) 
    9799corenet_tcp_bind_generic_node(dhcpc_t) 
    98100corenet_udp_bind_generic_node(dhcpc_t) 
    99101corenet_udp_bind_dhcpc_port(dhcpc_t) 
    100102corenet_tcp_connect_generic_port(dhcpc_t) 
     103corenet_tcp_connect_dhcpc_port(dhcpc_t) 
    101104corenet_sendrecv_dhcpd_client_packets(dhcpc_t) 
    102105corenet_sendrecv_dhcpc_server_packets(dhcpc_t) 
     
    311314        ') 
    312315') 
    313    
     316 
    314317ifdef(`hide_broken_symptoms',` 
    315318        optional_policy(`