1 |
commit: 4415515602830a864de3212284013eac37767b5c |
2 |
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> |
3 |
AuthorDate: Sun Aug 13 20:14:05 2017 +0000 |
4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
5 |
CommitDate: Fri Sep 8 22:48:51 2017 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=44155156 |
7 |
|
8 |
Remove complement and wildcard in allow rules. |
9 |
|
10 |
Remove complement (~) and wildcard (*) in allow rules so that there are no |
11 |
unintentional additions when new permissions are declared. |
12 |
|
13 |
This patch does not add or remove permissions from any rules. |
14 |
|
15 |
policy/modules/contrib/apache.te | 2 +- |
16 |
policy/modules/contrib/cron.te | 4 ++-- |
17 |
policy/modules/contrib/cyrus.te | 2 +- |
18 |
policy/modules/contrib/dbus.if | 4 ++-- |
19 |
policy/modules/contrib/dpkg.te | 2 +- |
20 |
policy/modules/contrib/imaze.te | 2 +- |
21 |
policy/modules/contrib/logrotate.te | 2 +- |
22 |
policy/modules/contrib/nscd.if | 2 +- |
23 |
policy/modules/contrib/portage.if | 3 +-- |
24 |
policy/modules/contrib/portslave.te | 3 +-- |
25 |
policy/modules/contrib/razor.te | 2 +- |
26 |
policy/modules/contrib/remotelogin.te | 2 +- |
27 |
policy/modules/contrib/rpm.te | 5 ++--- |
28 |
policy/modules/contrib/rssh.te | 2 +- |
29 |
policy/modules/contrib/samba.te | 4 ++-- |
30 |
policy/modules/contrib/spamassassin.te | 6 +++--- |
31 |
policy/modules/contrib/squid.te | 2 +- |
32 |
policy/modules/contrib/userhelper.te | 2 +- |
33 |
policy/modules/contrib/usernetctl.te | 2 +- |
34 |
policy/modules/contrib/vmware.te | 3 +-- |
35 |
policy/modules/contrib/webalizer.te | 2 +- |
36 |
policy/modules/contrib/yam.te | 2 +- |
37 |
22 files changed, 28 insertions(+), 32 deletions(-) |
38 |
|
39 |
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te |
40 |
index 7c41358d..e39b7951 100644 |
41 |
--- a/policy/modules/contrib/apache.te |
42 |
+++ b/policy/modules/contrib/apache.te |
43 |
@@ -379,7 +379,7 @@ optional_policy(` |
44 |
|
45 |
allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config }; |
46 |
dontaudit httpd_t self:capability net_admin; |
47 |
-allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; |
48 |
+allow httpd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; |
49 |
allow httpd_t self:fd use; |
50 |
allow httpd_t self:sock_file read_sock_file_perms; |
51 |
allow httpd_t self:fifo_file rw_fifo_file_perms; |
52 |
|
53 |
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te |
54 |
index 8991b2c8..27467232 100644 |
55 |
--- a/policy/modules/contrib/cron.te |
56 |
+++ b/policy/modules/contrib/cron.te |
57 |
@@ -219,8 +219,8 @@ tunable_policy(`fcron_crond',` |
58 |
|
59 |
allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice }; |
60 |
dontaudit crond_t self:capability { sys_resource sys_tty_config }; |
61 |
-allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; |
62 |
-allow crond_t self:process { setexec setfscreate }; |
63 |
+ |
64 |
+allow crond_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; |
65 |
allow crond_t self:fd use; |
66 |
allow crond_t self:fifo_file rw_fifo_file_perms; |
67 |
allow crond_t self:unix_dgram_socket sendto; |
68 |
|
69 |
diff --git a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te |
70 |
index 02c0a746..816cf457 100644 |
71 |
--- a/policy/modules/contrib/cyrus.te |
72 |
+++ b/policy/modules/contrib/cyrus.te |
73 |
@@ -31,7 +31,7 @@ files_pid_file(cyrus_var_run_t) |
74 |
|
75 |
allow cyrus_t self:capability { dac_override setgid setuid sys_resource }; |
76 |
dontaudit cyrus_t self:capability sys_tty_config; |
77 |
-allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; |
78 |
+allow cyrus_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; |
79 |
allow cyrus_t self:process setrlimit; |
80 |
allow cyrus_t self:fd use; |
81 |
allow cyrus_t self:fifo_file rw_fifo_file_perms; |
82 |
|
83 |
diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if |
84 |
index 32824d9a..4f62c23a 100644 |
85 |
--- a/policy/modules/contrib/dbus.if |
86 |
+++ b/policy/modules/contrib/dbus.if |
87 |
@@ -460,10 +460,10 @@ interface(`dbus_send_system_bus',` |
88 |
interface(`dbus_system_bus_unconfined',` |
89 |
gen_require(` |
90 |
type system_dbusd_t; |
91 |
- class dbus all_dbus_perms; |
92 |
+ class dbus { acquire_svc send_msg }; |
93 |
') |
94 |
|
95 |
- allow $1 system_dbusd_t:dbus *; |
96 |
+ allow $1 system_dbusd_t:dbus { acquire_svc send_msg }; |
97 |
') |
98 |
|
99 |
######################################## |
100 |
|
101 |
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te |
102 |
index 9c59f073..e165fec3 100644 |
103 |
--- a/policy/modules/contrib/dpkg.te |
104 |
+++ b/policy/modules/contrib/dpkg.te |
105 |
@@ -203,7 +203,7 @@ optional_policy(` |
106 |
# |
107 |
|
108 |
allow dpkg_script_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin setfcap setgid setuid sys_chroot sys_nice sys_ptrace }; |
109 |
-allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap }; |
110 |
+allow dpkg_script_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; |
111 |
allow dpkg_script_t self:fd use; |
112 |
allow dpkg_script_t self:fifo_file rw_fifo_file_perms; |
113 |
allow dpkg_script_t self:unix_dgram_socket create_socket_perms; |
114 |
|
115 |
diff --git a/policy/modules/contrib/imaze.te b/policy/modules/contrib/imaze.te |
116 |
index f7b386b4..7649b91a 100644 |
117 |
--- a/policy/modules/contrib/imaze.te |
118 |
+++ b/policy/modules/contrib/imaze.te |
119 |
@@ -25,7 +25,7 @@ files_pid_file(imazesrv_var_run_t) |
120 |
# |
121 |
|
122 |
dontaudit imazesrv_t self:capability sys_tty_config; |
123 |
-allow imazesrv_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; |
124 |
+allow imazesrv_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; |
125 |
allow imazesrv_t self:fifo_file rw_fifo_file_perms; |
126 |
allow imazesrv_t self:tcp_socket { accept listen }; |
127 |
allow imazesrv_t self:unix_dgram_socket sendto; |
128 |
|
129 |
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te |
130 |
index 4593e98f..ab2c6152 100644 |
131 |
--- a/policy/modules/contrib/logrotate.te |
132 |
+++ b/policy/modules/contrib/logrotate.te |
133 |
@@ -37,7 +37,7 @@ role system_r types logrotate_mail_t; |
134 |
# |
135 |
|
136 |
allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource }; |
137 |
-allow logrotate_t self:process ~{ ptrace setcurrent setexec execmem execstack execheap }; |
138 |
+allow logrotate_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; |
139 |
allow logrotate_t self:fd use; |
140 |
allow logrotate_t self:key manage_key_perms; |
141 |
allow logrotate_t self:fifo_file rw_fifo_file_perms; |
142 |
|
143 |
diff --git a/policy/modules/contrib/nscd.if b/policy/modules/contrib/nscd.if |
144 |
index c83635fe..d6b3687a 100644 |
145 |
--- a/policy/modules/contrib/nscd.if |
146 |
+++ b/policy/modules/contrib/nscd.if |
147 |
@@ -226,7 +226,7 @@ interface(`nscd_unconfined',` |
148 |
class nscd all_nscd_perms; |
149 |
') |
150 |
|
151 |
- allow $1 nscd_t:nscd *; |
152 |
+ allow $1 nscd_t:nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost getserv shmemserv }; |
153 |
') |
154 |
|
155 |
######################################## |
156 |
|
157 |
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if |
158 |
index cad9b9f1..32f39a22 100644 |
159 |
--- a/policy/modules/contrib/portage.if |
160 |
+++ b/policy/modules/contrib/portage.if |
161 |
@@ -74,8 +74,7 @@ interface(`portage_compile_domain',` |
162 |
|
163 |
allow $1 self:capability { chown dac_override fowner fsetid mknod net_raw setgid setuid }; |
164 |
dontaudit $1 self:capability sys_chroot; |
165 |
- allow $1 self:process { setpgid setsched setrlimit signal_perms execmem setfscreate }; |
166 |
- allow $1 self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap }; |
167 |
+ allow $1 self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit }; |
168 |
allow $1 self:fd use; |
169 |
allow $1 self:fifo_file rw_fifo_file_perms; |
170 |
allow $1 self:shm create_shm_perms; |
171 |
|
172 |
diff --git a/policy/modules/contrib/portslave.te b/policy/modules/contrib/portslave.te |
173 |
index 64282695..1d61734d 100644 |
174 |
--- a/policy/modules/contrib/portslave.te |
175 |
+++ b/policy/modules/contrib/portslave.te |
176 |
@@ -23,8 +23,7 @@ files_lock_file(portslave_lock_t) |
177 |
|
178 |
allow portslave_t self:capability { fsetid net_admin net_bind_service setgid setuid sys_tty_config }; |
179 |
dontaudit portslave_t self:capability sys_admin; |
180 |
-allow portslave_t self:process signal_perms; |
181 |
-allow portslave_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; |
182 |
+allow portslave_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; |
183 |
allow portslave_t self:fd use; |
184 |
allow portslave_t self:fifo_file rw_fifo_file_perms; |
185 |
allow portslave_t self:unix_dgram_socket sendto; |
186 |
|
187 |
diff --git a/policy/modules/contrib/razor.te b/policy/modules/contrib/razor.te |
188 |
index 68455f90..8497f9af 100644 |
189 |
--- a/policy/modules/contrib/razor.te |
190 |
+++ b/policy/modules/contrib/razor.te |
191 |
@@ -45,7 +45,7 @@ role system_r types system_razor_t; |
192 |
# Common razor domain local policy |
193 |
# |
194 |
|
195 |
-allow razor_domain self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; |
196 |
+allow razor_domain self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; |
197 |
allow razor_domain self:fd use; |
198 |
allow razor_domain self:fifo_file rw_fifo_file_perms; |
199 |
allow razor_domain self:unix_dgram_socket sendto; |
200 |
|
201 |
diff --git a/policy/modules/contrib/remotelogin.te b/policy/modules/contrib/remotelogin.te |
202 |
index 0d171e23..bc2292e3 100644 |
203 |
--- a/policy/modules/contrib/remotelogin.te |
204 |
+++ b/policy/modules/contrib/remotelogin.te |
205 |
@@ -19,7 +19,7 @@ files_tmp_file(remote_login_tmp_t) |
206 |
# |
207 |
|
208 |
allow remote_login_t self:capability { chown dac_override fowner fsetid kill net_bind_service setgid setuid sys_nice sys_resource sys_tty_config }; |
209 |
-allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; |
210 |
+allow remote_login_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; |
211 |
allow remote_login_t self:process { setrlimit setexec }; |
212 |
allow remote_login_t self:fd use; |
213 |
allow remote_login_t self:fifo_file rw_fifo_file_perms; |
214 |
|
215 |
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te |
216 |
index 4f7edc84..44e8c7b5 100644 |
217 |
--- a/policy/modules/contrib/rpm.te |
218 |
+++ b/policy/modules/contrib/rpm.te |
219 |
@@ -74,8 +74,7 @@ files_tmpfs_file(rpm_script_tmpfs_t) |
220 |
# |
221 |
|
222 |
allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock mknod setfcap setgid setuid sys_chroot sys_nice sys_tty_config }; |
223 |
-allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap }; |
224 |
-allow rpm_t self:process { getattr setexec setfscreate setrlimit }; |
225 |
+allow rpm_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit }; |
226 |
allow rpm_t self:fd use; |
227 |
allow rpm_t self:fifo_file rw_fifo_file_perms; |
228 |
allow rpm_t self:unix_dgram_socket sendto; |
229 |
@@ -242,7 +241,7 @@ optional_policy(` |
230 |
# |
231 |
|
232 |
allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin setgid setuid sys_admin sys_chroot sys_nice sys_rawio }; |
233 |
-allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap }; |
234 |
+allow rpm_script_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition execmem execstack setkeycreate setsockcreate getrlimit }; |
235 |
allow rpm_script_t self:fd use; |
236 |
allow rpm_script_t self:fifo_file rw_fifo_file_perms; |
237 |
allow rpm_script_t self:unix_dgram_socket sendto; |
238 |
|
239 |
diff --git a/policy/modules/contrib/rssh.te b/policy/modules/contrib/rssh.te |
240 |
index cf6dd81e..91a89f65 100644 |
241 |
--- a/policy/modules/contrib/rssh.te |
242 |
+++ b/policy/modules/contrib/rssh.te |
243 |
@@ -42,7 +42,7 @@ userdom_user_home_content(rssh_rw_t) |
244 |
# Local policy |
245 |
# |
246 |
|
247 |
-allow rssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; |
248 |
+allow rssh_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; |
249 |
allow rssh_t self:fd use; |
250 |
allow rssh_t self:fifo_file rw_fifo_file_perms; |
251 |
allow rssh_t self:unix_dgram_socket sendto; |
252 |
|
253 |
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te |
254 |
index 12e9f567..f61077fa 100644 |
255 |
--- a/policy/modules/contrib/samba.te |
256 |
+++ b/policy/modules/contrib/samba.te |
257 |
@@ -269,7 +269,7 @@ optional_policy(` |
258 |
|
259 |
allow smbd_t self:capability { chown dac_override dac_read_search fowner fsetid kill lease setgid setuid sys_admin sys_chroot sys_nice sys_resource }; |
260 |
dontaudit smbd_t self:capability sys_tty_config; |
261 |
-allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; |
262 |
+allow smbd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; |
263 |
allow smbd_t self:fd use; |
264 |
allow smbd_t self:fifo_file rw_fifo_file_perms; |
265 |
allow smbd_t self:msg { send receive }; |
266 |
@@ -518,7 +518,7 @@ optional_policy(` |
267 |
# |
268 |
|
269 |
dontaudit nmbd_t self:capability sys_tty_config; |
270 |
-allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; |
271 |
+allow nmbd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; |
272 |
allow nmbd_t self:fd use; |
273 |
allow nmbd_t self:fifo_file rw_fifo_file_perms; |
274 |
allow nmbd_t self:msg { send receive }; |
275 |
|
276 |
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te |
277 |
index f402bc7d..fc2a0ac4 100644 |
278 |
--- a/policy/modules/contrib/spamassassin.te |
279 |
+++ b/policy/modules/contrib/spamassassin.te |
280 |
@@ -89,7 +89,7 @@ files_pid_file(spamd_var_run_t) |
281 |
# Standalone local policy |
282 |
# |
283 |
|
284 |
-allow spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; |
285 |
+allow spamassassin_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; |
286 |
allow spamassassin_t self:fd use; |
287 |
allow spamassassin_t self:fifo_file rw_fifo_file_perms; |
288 |
allow spamassassin_t self:unix_dgram_socket sendto; |
289 |
@@ -169,7 +169,7 @@ optional_policy(` |
290 |
# |
291 |
|
292 |
allow spamc_t self:capability dac_override; |
293 |
-allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; |
294 |
+allow spamc_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; |
295 |
allow spamc_t self:fd use; |
296 |
allow spamc_t self:fifo_file rw_fifo_file_perms; |
297 |
allow spamc_t self:unix_dgram_socket sendto; |
298 |
@@ -273,7 +273,7 @@ optional_policy(` |
299 |
|
300 |
allow spamd_t self:capability { dac_override kill setgid setuid sys_tty_config }; |
301 |
dontaudit spamd_t self:capability sys_tty_config; |
302 |
-allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; |
303 |
+allow spamd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; |
304 |
allow spamd_t self:fd use; |
305 |
allow spamd_t self:fifo_file rw_fifo_file_perms; |
306 |
allow spamd_t self:unix_dgram_socket sendto; |
307 |
|
308 |
diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te |
309 |
index 41b0b75b..a9093f5f 100644 |
310 |
--- a/policy/modules/contrib/squid.te |
311 |
+++ b/policy/modules/contrib/squid.te |
312 |
@@ -61,7 +61,7 @@ files_pid_file(squid_var_run_t) |
313 |
|
314 |
allow squid_t self:capability { dac_override kill setgid setuid sys_resource }; |
315 |
dontaudit squid_t self:capability sys_tty_config; |
316 |
-allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; |
317 |
+allow squid_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; |
318 |
allow squid_t self:fifo_file rw_fifo_file_perms; |
319 |
allow squid_t self:fd use; |
320 |
allow squid_t self:shm create_shm_perms; |
321 |
|
322 |
diff --git a/policy/modules/contrib/userhelper.te b/policy/modules/contrib/userhelper.te |
323 |
index 35fbda6f..bffbc94c 100644 |
324 |
--- a/policy/modules/contrib/userhelper.te |
325 |
+++ b/policy/modules/contrib/userhelper.te |
326 |
@@ -95,7 +95,7 @@ optional_policy(` |
327 |
# |
328 |
|
329 |
allow userhelper_type self:capability { chown dac_override net_bind_service setgid setuid sys_tty_config }; |
330 |
-allow userhelper_type self:process ~{ ptrace setcurrent setfscreate setrlimit execmem execstack execheap }; |
331 |
+allow userhelper_type self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; |
332 |
allow userhelper_type self:fd use; |
333 |
allow userhelper_type self:fifo_file rw_fifo_file_perms; |
334 |
allow userhelper_type self:shm create_shm_perms; |
335 |
|
336 |
diff --git a/policy/modules/contrib/usernetctl.te b/policy/modules/contrib/usernetctl.te |
337 |
index 97ebe828..4ef6f9b2 100644 |
338 |
--- a/policy/modules/contrib/usernetctl.te |
339 |
+++ b/policy/modules/contrib/usernetctl.te |
340 |
@@ -19,7 +19,7 @@ role usernetctl_roles types usernetctl_t; |
341 |
# |
342 |
|
343 |
allow usernetctl_t self:capability { dac_override setgid setuid }; |
344 |
-allow usernetctl_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; |
345 |
+allow usernetctl_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; |
346 |
allow usernetctl_t self:fd use; |
347 |
allow usernetctl_t self:fifo_file rw_fifo_file_perms; |
348 |
allow usernetctl_t self:unix_dgram_socket sendto; |
349 |
|
350 |
diff --git a/policy/modules/contrib/vmware.te b/policy/modules/contrib/vmware.te |
351 |
index 6d2e10d6..441fe9ef 100644 |
352 |
--- a/policy/modules/contrib/vmware.te |
353 |
+++ b/policy/modules/contrib/vmware.te |
354 |
@@ -188,8 +188,7 @@ optional_policy(` |
355 |
|
356 |
allow vmware_t self:capability { chown dac_override setgid setuid sys_admin sys_nice sys_rawio sys_resource }; |
357 |
dontaudit vmware_t self:capability sys_tty_config; |
358 |
-allow vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; |
359 |
-allow vmware_t self:process { execmem execstack }; |
360 |
+allow vmware_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition execmem execstack setkeycreate setsockcreate getrlimit }; |
361 |
allow vmware_t self:fd use; |
362 |
allow vmware_t self:fifo_file rw_fifo_file_perms; |
363 |
allow vmware_t self:unix_dgram_socket { create_socket_perms sendto }; |
364 |
|
365 |
diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te |
366 |
index faea9beb..da454655 100644 |
367 |
--- a/policy/modules/contrib/webalizer.te |
368 |
+++ b/policy/modules/contrib/webalizer.te |
369 |
@@ -31,7 +31,7 @@ files_type(webalizer_var_lib_t) |
370 |
# |
371 |
|
372 |
allow webalizer_t self:capability dac_override; |
373 |
-allow webalizer_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; |
374 |
+allow webalizer_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; |
375 |
allow webalizer_t self:fd use; |
376 |
allow webalizer_t self:fifo_file rw_fifo_file_perms; |
377 |
allow webalizer_t self:unix_dgram_socket sendto; |
378 |
|
379 |
diff --git a/policy/modules/contrib/yam.te b/policy/modules/contrib/yam.te |
380 |
index 4927d4d7..b451e6e8 100644 |
381 |
--- a/policy/modules/contrib/yam.te |
382 |
+++ b/policy/modules/contrib/yam.te |
383 |
@@ -27,7 +27,7 @@ files_tmp_file(yam_tmp_t) |
384 |
# |
385 |
|
386 |
allow yam_t self:capability { chown dac_override fowner fsetid }; |
387 |
-allow yam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap }; |
388 |
+allow yam_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit }; |
389 |
allow yam_t self:fd use; |
390 |
allow yam_t self:fifo_file rw_fifo_file_perms; |
391 |
allow yam_t self:unix_stream_socket { accept connectto listen }; |