| 1 |
commit: 01227f5efa0ae4bc8c5a6375c295fa065364cb2e |
| 2 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
| 3 |
AuthorDate: Mon Sep 24 10:26:11 2012 +0000 |
| 4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
| 5 |
CommitDate: Thu Sep 27 17:15:37 2012 +0000 |
| 6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=01227f5e |
| 7 |
|
| 8 |
Changes to the comsat policy module |
| 9 |
|
| 10 |
Module clean up |
| 11 |
|
| 12 |
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
| 13 |
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be> |
| 14 |
|
| 15 |
--- |
| 16 |
policy/modules/contrib/comsat.fc | 1 - |
| 17 |
policy/modules/contrib/comsat.te | 19 ++----------------- |
| 18 |
2 files changed, 2 insertions(+), 18 deletions(-) |
| 19 |
|
| 20 |
diff --git a/policy/modules/contrib/comsat.fc b/policy/modules/contrib/comsat.fc |
| 21 |
index e7633fa..90461f9 100644 |
| 22 |
--- a/policy/modules/contrib/comsat.fc |
| 23 |
+++ b/policy/modules/contrib/comsat.fc |
| 24 |
@@ -1,2 +1 @@ |
| 25 |
- |
| 26 |
/usr/sbin/in\.comsat -- gen_context(system_u:object_r:comsat_exec_t,s0) |
| 27 |
|
| 28 |
diff --git a/policy/modules/contrib/comsat.te b/policy/modules/contrib/comsat.te |
| 29 |
index 3d121fd..3f6e4dc 100644 |
| 30 |
--- a/policy/modules/contrib/comsat.te |
| 31 |
+++ b/policy/modules/contrib/comsat.te |
| 32 |
@@ -1,4 +1,4 @@ |
| 33 |
-policy_module(comsat, 1.7.0) |
| 34 |
+policy_module(comsat, 1.7.1) |
| 35 |
|
| 36 |
######################################## |
| 37 |
# |
| 38 |
@@ -8,7 +8,6 @@ policy_module(comsat, 1.7.0) |
| 39 |
type comsat_t; |
| 40 |
type comsat_exec_t; |
| 41 |
inetd_udp_service_domain(comsat_t, comsat_exec_t) |
| 42 |
-role system_r types comsat_t; |
| 43 |
|
| 44 |
type comsat_tmp_t; |
| 45 |
files_tmp_file(comsat_tmp_t) |
| 46 |
@@ -25,8 +24,7 @@ allow comsat_t self:capability { setuid setgid }; |
| 47 |
allow comsat_t self:process signal_perms; |
| 48 |
allow comsat_t self:fifo_file rw_fifo_file_perms; |
| 49 |
allow comsat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; |
| 50 |
-allow comsat_t self:tcp_socket connected_stream_socket_perms; |
| 51 |
-allow comsat_t self:udp_socket create_socket_perms; |
| 52 |
+allow comsat_t self:tcp_socket { accept listen }; |
| 53 |
|
| 54 |
manage_dirs_pattern(comsat_t, comsat_tmp_t, comsat_tmp_t) |
| 55 |
manage_files_pattern(comsat_t, comsat_tmp_t, comsat_tmp_t) |
| 56 |
@@ -39,19 +37,10 @@ kernel_read_kernel_sysctls(comsat_t) |
| 57 |
kernel_read_network_state(comsat_t) |
| 58 |
kernel_read_system_state(comsat_t) |
| 59 |
|
| 60 |
-corenet_all_recvfrom_unlabeled(comsat_t) |
| 61 |
-corenet_all_recvfrom_netlabel(comsat_t) |
| 62 |
-corenet_tcp_sendrecv_generic_if(comsat_t) |
| 63 |
-corenet_udp_sendrecv_generic_if(comsat_t) |
| 64 |
-corenet_tcp_sendrecv_generic_node(comsat_t) |
| 65 |
-corenet_udp_sendrecv_generic_node(comsat_t) |
| 66 |
-corenet_udp_sendrecv_all_ports(comsat_t) |
| 67 |
- |
| 68 |
dev_read_urand(comsat_t) |
| 69 |
|
| 70 |
fs_getattr_xattr_fs(comsat_t) |
| 71 |
|
| 72 |
-files_read_etc_files(comsat_t) |
| 73 |
files_list_usr(comsat_t) |
| 74 |
files_search_spool(comsat_t) |
| 75 |
files_search_home(comsat_t) |
| 76 |
@@ -68,7 +57,3 @@ miscfiles_read_localization(comsat_t) |
| 77 |
userdom_dontaudit_getattr_user_ttys(comsat_t) |
| 78 |
|
| 79 |
mta_getattr_spool(comsat_t) |
| 80 |
- |
| 81 |
-optional_policy(` |
| 82 |
- kerberos_use(comsat_t) |
| 83 |
-') |
Archives