
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Sat, 09 Sep 2017 02:43:10
Message-Id: 1504910931.4415515602830a864de3212284013eac37767b5c.perfinion@gentoo
1 commit: 4415515602830a864de3212284013eac37767b5c
2 Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
3 AuthorDate: Sun Aug 13 20:14:05 2017 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Fri Sep 8 22:48:51 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=44155156
7
8 Remove complement and wildcard in allow rules.
9
10 Remove complement (~) and wildcard (*) in allow rules so that there are no
11 unintentional additions when new permissions are declared.
12
13 This patch does not add or remove permissions from any rules.
14
15 policy/modules/contrib/apache.te | 2 +-
16 policy/modules/contrib/cron.te | 4 ++--
17 policy/modules/contrib/cyrus.te | 2 +-
18 policy/modules/contrib/dbus.if | 4 ++--
19 policy/modules/contrib/dpkg.te | 2 +-
20 policy/modules/contrib/imaze.te | 2 +-
21 policy/modules/contrib/logrotate.te | 2 +-
22 policy/modules/contrib/nscd.if | 2 +-
23 policy/modules/contrib/portage.if | 3 +--
24 policy/modules/contrib/portslave.te | 3 +--
25 policy/modules/contrib/razor.te | 2 +-
26 policy/modules/contrib/remotelogin.te | 2 +-
27 policy/modules/contrib/rpm.te | 5 ++---
28 policy/modules/contrib/rssh.te | 2 +-
29 policy/modules/contrib/samba.te | 4 ++--
30 policy/modules/contrib/spamassassin.te | 6 +++---
31 policy/modules/contrib/squid.te | 2 +-
32 policy/modules/contrib/userhelper.te | 2 +-
33 policy/modules/contrib/usernetctl.te | 2 +-
34 policy/modules/contrib/vmware.te | 3 +--
35 policy/modules/contrib/webalizer.te | 2 +-
36 policy/modules/contrib/yam.te | 2 +-
37 22 files changed, 28 insertions(+), 32 deletions(-)
38
39 diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
40 index 7c41358d..e39b7951 100644
41 --- a/policy/modules/contrib/apache.te
42 +++ b/policy/modules/contrib/apache.te
43 @@ -379,7 +379,7 @@ optional_policy(`
44
45 allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
46 dontaudit httpd_t self:capability net_admin;
47 -allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
48 +allow httpd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
49 allow httpd_t self:fd use;
50 allow httpd_t self:sock_file read_sock_file_perms;
51 allow httpd_t self:fifo_file rw_fifo_file_perms;
52
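Review bot: The new explicit list on the `+allow httpd_t self:process { transition signal_perms ... getrlimit };` line omits `fork`, which the replaced complement `~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }` did cover, so this rule on its own grants one permission fewer than before even though the description says no permissions are removed; that is only harmless if fork reaches httpd_t from elsewhere (refpolicy commonly grants it to all domains through the `domain` attribute, but that is not visible in this diff and should be confirmed). The same omission is present in every other process-class hunk of this commit (cron, cyrus, dpkg, imaze, logrotate, portage, portslave, razor, remotelogin, rpm, rssh, samba, spamassassin, squid, userhelper, usernetctl, vmware, webalizer, yam). Because the purpose of dropping the complement is that newly declared process permissions must be added deliberately, each rewritten rule would benefit from a one-line comment recording what is intentionally withheld, e.g. `# withheld: ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap`, so a later reviewer can tell an intended exclusion from an oversight.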
53 diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
54 index 8991b2c8..27467232 100644
55 --- a/policy/modules/contrib/cron.te
56 +++ b/policy/modules/contrib/cron.te
57 @@ -219,8 +219,8 @@ tunable_policy(`fcron_crond',`
58
59 allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice };
60 dontaudit crond_t self:capability { sys_resource sys_tty_config };
61 -allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
62 -allow crond_t self:process { setexec setfscreate };
63 +
64 +allow crond_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
65 allow crond_t self:fd use;
66 allow crond_t self:fifo_file rw_fifo_file_perms;
67 allow crond_t self:unix_dgram_socket sendto;
68
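Review bot: The added empty `+` line between `dontaudit crond_t self:capability { sys_resource sys_tty_config };` and the merged allow rule introduces a blank line inside the self:process block that none of the other files touched by this commit have; replacing the two removed lines with the single merged rule, without the blank, would keep the file consistent with them. The merge itself checks out against the old rules: the complement already covered `setrlimit`, and the second rule's `setexec` and `setfscreate` now appear explicitly in the list.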
69 diff --git a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te
70 index 02c0a746..816cf457 100644
71 --- a/policy/modules/contrib/cyrus.te
72 +++ b/policy/modules/contrib/cyrus.te
73 @@ -31,7 +31,7 @@ files_pid_file(cyrus_var_run_t)
74
75 allow cyrus_t self:capability { dac_override setgid setuid sys_resource };
76 dontaudit cyrus_t self:capability sys_tty_config;
77 -allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
78 +allow cyrus_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
79 allow cyrus_t self:process setrlimit;
80 allow cyrus_t self:fd use;
81 allow cyrus_t self:fifo_file rw_fifo_file_perms;
82
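Review bot: The context line `allow cyrus_t self:process setrlimit;` is left as a separate rule directly under the rewritten explicit list, whereas cron.te, rpm.te, portslave.te and vmware.te in this same commit fold such supplementary rules into the one list. For consistency `setrlimit` could be inserted into the explicit list (`... noatsecure siginh setrlimit rlimitinh dyntransition ...`) and the standalone line dropped; the resulting permission set is identical. The same applies to remotelogin.te, where `allow remote_login_t self:process { setrlimit setexec };` is likewise left standing after the rewrite.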
83 diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if
84 index 32824d9a..4f62c23a 100644
85 --- a/policy/modules/contrib/dbus.if
86 +++ b/policy/modules/contrib/dbus.if
87 @@ -460,10 +460,10 @@ interface(`dbus_send_system_bus',`
88 interface(`dbus_system_bus_unconfined',`
89 gen_require(`
90 type system_dbusd_t;
91 - class dbus all_dbus_perms;
92 + class dbus { acquire_svc send_msg };
93 ')
94
95 - allow $1 system_dbusd_t:dbus *;
96 + allow $1 system_dbusd_t:dbus { acquire_svc send_msg };
97 ')
98
99 ########################################
100
101 diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
102 index 9c59f073..e165fec3 100644
103 --- a/policy/modules/contrib/dpkg.te
104 +++ b/policy/modules/contrib/dpkg.te
105 @@ -203,7 +203,7 @@ optional_policy(`
106 #
107
108 allow dpkg_script_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin setfcap setgid setuid sys_chroot sys_nice sys_ptrace };
109 -allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
110 +allow dpkg_script_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
111 allow dpkg_script_t self:fd use;
112 allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
113 allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
114
115 diff --git a/policy/modules/contrib/imaze.te b/policy/modules/contrib/imaze.te
116 index f7b386b4..7649b91a 100644
117 --- a/policy/modules/contrib/imaze.te
118 +++ b/policy/modules/contrib/imaze.te
119 @@ -25,7 +25,7 @@ files_pid_file(imazesrv_var_run_t)
120 #
121
122 dontaudit imazesrv_t self:capability sys_tty_config;
123 -allow imazesrv_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
124 +allow imazesrv_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
125 allow imazesrv_t self:fifo_file rw_fifo_file_perms;
126 allow imazesrv_t self:tcp_socket { accept listen };
127 allow imazesrv_t self:unix_dgram_socket sendto;
128
129 diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
130 index 4593e98f..ab2c6152 100644
131 --- a/policy/modules/contrib/logrotate.te
132 +++ b/policy/modules/contrib/logrotate.te
133 @@ -37,7 +37,7 @@ role system_r types logrotate_mail_t;
134 #
135
136 allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource };
137 -allow logrotate_t self:process ~{ ptrace setcurrent setexec execmem execstack execheap };
138 +allow logrotate_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
139 allow logrotate_t self:fd use;
140 allow logrotate_t self:key manage_key_perms;
141 allow logrotate_t self:fifo_file rw_fifo_file_perms;
142
143 diff --git a/policy/modules/contrib/nscd.if b/policy/modules/contrib/nscd.if
144 index c83635fe..d6b3687a 100644
145 --- a/policy/modules/contrib/nscd.if
146 +++ b/policy/modules/contrib/nscd.if
147 @@ -226,7 +226,7 @@ interface(`nscd_unconfined',`
148 class nscd all_nscd_perms;
149 ')
150
151 - allow $1 nscd_t:nscd *;
152 + allow $1 nscd_t:nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost getserv shmemserv };
153 ')
154
155 ########################################
156
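Review bot: The `gen_require` block above the changed rule still declares `class nscd all_nscd_perms;` (visible as a context line) while the allow rule now spells out ten permissions; the dbus.if hunk in this commit changed the corresponding `class dbus` requirement to the explicit set, so nscd_unconfined is now inconsistent with it. Changing it to `class nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost getserv shmemserv };` would match. It is also worth confirming that these ten names are exactly the nscd class as declared in this policy version's access vectors, because the removed `*` tracked the class automatically and an explicit list will silently fall behind if the class has grown.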
157 diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
158 index cad9b9f1..32f39a22 100644
159 --- a/policy/modules/contrib/portage.if
160 +++ b/policy/modules/contrib/portage.if
161 @@ -74,8 +74,7 @@ interface(`portage_compile_domain',`
162
163 allow $1 self:capability { chown dac_override fowner fsetid mknod net_raw setgid setuid };
164 dontaudit $1 self:capability sys_chroot;
165 - allow $1 self:process { setpgid setsched setrlimit signal_perms execmem setfscreate };
166 - allow $1 self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
167 + allow $1 self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit };
168 allow $1 self:fd use;
169 allow $1 self:fifo_file rw_fifo_file_perms;
170 allow $1 self:shm create_shm_perms;
171
172 diff --git a/policy/modules/contrib/portslave.te b/policy/modules/contrib/portslave.te
173 index 64282695..1d61734d 100644
174 --- a/policy/modules/contrib/portslave.te
175 +++ b/policy/modules/contrib/portslave.te
176 @@ -23,8 +23,7 @@ files_lock_file(portslave_lock_t)
177
178 allow portslave_t self:capability { fsetid net_admin net_bind_service setgid setuid sys_tty_config };
179 dontaudit portslave_t self:capability sys_admin;
180 -allow portslave_t self:process signal_perms;
181 -allow portslave_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
182 +allow portslave_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
183 allow portslave_t self:fd use;
184 allow portslave_t self:fifo_file rw_fifo_file_perms;
185 allow portslave_t self:unix_dgram_socket sendto;
186
187 diff --git a/policy/modules/contrib/razor.te b/policy/modules/contrib/razor.te
188 index 68455f90..8497f9af 100644
189 --- a/policy/modules/contrib/razor.te
190 +++ b/policy/modules/contrib/razor.te
191 @@ -45,7 +45,7 @@ role system_r types system_razor_t;
192 # Common razor domain local policy
193 #
194
195 -allow razor_domain self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
196 +allow razor_domain self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
197 allow razor_domain self:fd use;
198 allow razor_domain self:fifo_file rw_fifo_file_perms;
199 allow razor_domain self:unix_dgram_socket sendto;
200
201 diff --git a/policy/modules/contrib/remotelogin.te b/policy/modules/contrib/remotelogin.te
202 index 0d171e23..bc2292e3 100644
203 --- a/policy/modules/contrib/remotelogin.te
204 +++ b/policy/modules/contrib/remotelogin.te
205 @@ -19,7 +19,7 @@ files_tmp_file(remote_login_tmp_t)
206 #
207
208 allow remote_login_t self:capability { chown dac_override fowner fsetid kill net_bind_service setgid setuid sys_nice sys_resource sys_tty_config };
209 -allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
210 +allow remote_login_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
211 allow remote_login_t self:process { setrlimit setexec };
212 allow remote_login_t self:fd use;
213 allow remote_login_t self:fifo_file rw_fifo_file_perms;
214
215 diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
216 index 4f7edc84..44e8c7b5 100644
217 --- a/policy/modules/contrib/rpm.te
218 +++ b/policy/modules/contrib/rpm.te
219 @@ -74,8 +74,7 @@ files_tmpfs_file(rpm_script_tmpfs_t)
220 #
221
222 allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock mknod setfcap setgid setuid sys_chroot sys_nice sys_tty_config };
223 -allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
224 -allow rpm_t self:process { getattr setexec setfscreate setrlimit };
225 +allow rpm_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit };
226 allow rpm_t self:fd use;
227 allow rpm_t self:fifo_file rw_fifo_file_perms;
228 allow rpm_t self:unix_dgram_socket sendto;
229 @@ -242,7 +241,7 @@ optional_policy(`
230 #
231
232 allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin setgid setuid sys_admin sys_chroot sys_nice sys_rawio };
233 -allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
234 +allow rpm_script_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition execmem execstack setkeycreate setsockcreate getrlimit };
235 allow rpm_script_t self:fd use;
236 allow rpm_script_t self:fifo_file rw_fifo_file_perms;
237 allow rpm_script_t self:unix_dgram_socket sendto;
238
239 diff --git a/policy/modules/contrib/rssh.te b/policy/modules/contrib/rssh.te
240 index cf6dd81e..91a89f65 100644
241 --- a/policy/modules/contrib/rssh.te
242 +++ b/policy/modules/contrib/rssh.te
243 @@ -42,7 +42,7 @@ userdom_user_home_content(rssh_rw_t)
244 # Local policy
245 #
246
247 -allow rssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
248 +allow rssh_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
249 allow rssh_t self:fd use;
250 allow rssh_t self:fifo_file rw_fifo_file_perms;
251 allow rssh_t self:unix_dgram_socket sendto;
252
253 diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
254 index 12e9f567..f61077fa 100644
255 --- a/policy/modules/contrib/samba.te
256 +++ b/policy/modules/contrib/samba.te
257 @@ -269,7 +269,7 @@ optional_policy(`
258
259 allow smbd_t self:capability { chown dac_override dac_read_search fowner fsetid kill lease setgid setuid sys_admin sys_chroot sys_nice sys_resource };
260 dontaudit smbd_t self:capability sys_tty_config;
261 -allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
262 +allow smbd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
263 allow smbd_t self:fd use;
264 allow smbd_t self:fifo_file rw_fifo_file_perms;
265 allow smbd_t self:msg { send receive };
266 @@ -518,7 +518,7 @@ optional_policy(`
267 #
268
269 dontaudit nmbd_t self:capability sys_tty_config;
270 -allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
271 +allow nmbd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
272 allow nmbd_t self:fd use;
273 allow nmbd_t self:fifo_file rw_fifo_file_perms;
274 allow nmbd_t self:msg { send receive };
275
276 diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
277 index f402bc7d..fc2a0ac4 100644
278 --- a/policy/modules/contrib/spamassassin.te
279 +++ b/policy/modules/contrib/spamassassin.te
280 @@ -89,7 +89,7 @@ files_pid_file(spamd_var_run_t)
281 # Standalone local policy
282 #
283
284 -allow spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
285 +allow spamassassin_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
286 allow spamassassin_t self:fd use;
287 allow spamassassin_t self:fifo_file rw_fifo_file_perms;
288 allow spamassassin_t self:unix_dgram_socket sendto;
289 @@ -169,7 +169,7 @@ optional_policy(`
290 #
291
292 allow spamc_t self:capability dac_override;
293 -allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
294 +allow spamc_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
295 allow spamc_t self:fd use;
296 allow spamc_t self:fifo_file rw_fifo_file_perms;
297 allow spamc_t self:unix_dgram_socket sendto;
298 @@ -273,7 +273,7 @@ optional_policy(`
299
300 allow spamd_t self:capability { dac_override kill setgid setuid sys_tty_config };
301 dontaudit spamd_t self:capability sys_tty_config;
302 -allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
303 +allow spamd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
304 allow spamd_t self:fd use;
305 allow spamd_t self:fifo_file rw_fifo_file_perms;
306 allow spamd_t self:unix_dgram_socket sendto;
307
308 diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
309 index 41b0b75b..a9093f5f 100644
310 --- a/policy/modules/contrib/squid.te
311 +++ b/policy/modules/contrib/squid.te
312 @@ -61,7 +61,7 @@ files_pid_file(squid_var_run_t)
313
314 allow squid_t self:capability { dac_override kill setgid setuid sys_resource };
315 dontaudit squid_t self:capability sys_tty_config;
316 -allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
317 +allow squid_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
318 allow squid_t self:fifo_file rw_fifo_file_perms;
319 allow squid_t self:fd use;
320 allow squid_t self:shm create_shm_perms;
321
322 diff --git a/policy/modules/contrib/userhelper.te b/policy/modules/contrib/userhelper.te
323 index 35fbda6f..bffbc94c 100644
324 --- a/policy/modules/contrib/userhelper.te
325 +++ b/policy/modules/contrib/userhelper.te
326 @@ -95,7 +95,7 @@ optional_policy(`
327 #
328
329 allow userhelper_type self:capability { chown dac_override net_bind_service setgid setuid sys_tty_config };
330 -allow userhelper_type self:process ~{ ptrace setcurrent setfscreate setrlimit execmem execstack execheap };
331 +allow userhelper_type self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
332 allow userhelper_type self:fd use;
333 allow userhelper_type self:fifo_file rw_fifo_file_perms;
334 allow userhelper_type self:shm create_shm_perms;
335
336 diff --git a/policy/modules/contrib/usernetctl.te b/policy/modules/contrib/usernetctl.te
337 index 97ebe828..4ef6f9b2 100644
338 --- a/policy/modules/contrib/usernetctl.te
339 +++ b/policy/modules/contrib/usernetctl.te
340 @@ -19,7 +19,7 @@ role usernetctl_roles types usernetctl_t;
341 #
342
343 allow usernetctl_t self:capability { dac_override setgid setuid };
344 -allow usernetctl_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
345 +allow usernetctl_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
346 allow usernetctl_t self:fd use;
347 allow usernetctl_t self:fifo_file rw_fifo_file_perms;
348 allow usernetctl_t self:unix_dgram_socket sendto;
349
350 diff --git a/policy/modules/contrib/vmware.te b/policy/modules/contrib/vmware.te
351 index 6d2e10d6..441fe9ef 100644
352 --- a/policy/modules/contrib/vmware.te
353 +++ b/policy/modules/contrib/vmware.te
354 @@ -188,8 +188,7 @@ optional_policy(`
355
356 allow vmware_t self:capability { chown dac_override setgid setuid sys_admin sys_nice sys_rawio sys_resource };
357 dontaudit vmware_t self:capability sys_tty_config;
358 -allow vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
359 -allow vmware_t self:process { execmem execstack };
360 +allow vmware_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition execmem execstack setkeycreate setsockcreate getrlimit };
361 allow vmware_t self:fd use;
362 allow vmware_t self:fifo_file rw_fifo_file_perms;
363 allow vmware_t self:unix_dgram_socket { create_socket_perms sendto };
364
365 diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
366 index faea9beb..da454655 100644
367 --- a/policy/modules/contrib/webalizer.te
368 +++ b/policy/modules/contrib/webalizer.te
369 @@ -31,7 +31,7 @@ files_type(webalizer_var_lib_t)
370 #
371
372 allow webalizer_t self:capability dac_override;
373 -allow webalizer_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
374 +allow webalizer_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
375 allow webalizer_t self:fd use;
376 allow webalizer_t self:fifo_file rw_fifo_file_perms;
377 allow webalizer_t self:unix_dgram_socket sendto;
378
379 diff --git a/policy/modules/contrib/yam.te b/policy/modules/contrib/yam.te
380 index 4927d4d7..b451e6e8 100644
381 --- a/policy/modules/contrib/yam.te
382 +++ b/policy/modules/contrib/yam.te
383 @@ -27,7 +27,7 @@ files_tmp_file(yam_tmp_t)
384 #
385
386 allow yam_t self:capability { chown dac_override fowner fsetid };
387 -allow yam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
388 +allow yam_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit };
389 allow yam_t self:fd use;
390 allow yam_t self:fifo_file rw_fifo_file_perms;
391 allow yam_t self:unix_stream_socket { accept connectto listen };