commit: 216ba03f525ec540f16c1514ebbeffed211c526b |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Wed Nov 28 16:29:18 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Wed Nov 28 20:20:07 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=216ba03f |
|
Changes to the various policy modules |
|
Revert setsched, sys_nice and list_tmp |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/cups.te | 11 +++++------ |
policy/modules/contrib/fail2ban.te | 6 +++--- |
policy/modules/contrib/firewalld.te | 5 +---- |
policy/modules/contrib/logwatch.te | 7 +++---- |
4 files changed, 12 insertions(+), 17 deletions(-) |
|
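diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index bf41251..069141c 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.15.5)
+policy_module(cups, 1.15.6)
 
 ########################################
 #
@@ -339,9 +339,9 @@ optional_policy(`
 # Configuration daemon local policy
 #
 
-allow cupsd_config_t self:capability { chown dac_override sys_tty_config setuid setgid sys_nice };
+allow cupsd_config_t self:capability { chown dac_override sys_tty_config setuid setgid };
 dontaudit cupsd_config_t self:capability sys_tty_config;
-allow cupsd_config_t self:process { getsched setsched signal_perms };
+allow cupsd_config_t self:process { getsched signal_perms };
 allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
 allow cupsd_config_t self:tcp_socket { accept listen };
 
@@ -401,7 +401,6 @@ files_read_etc_runtime_files(cupsd_config_t)
 files_read_usr_files(cupsd_config_t)
 files_read_var_symlinks(cupsd_config_t)
 files_search_all_mountpoints(cupsd_config_t)
-files_dontaudit_list_tmp(cupsd_config_t)
 
 fs_getattr_all_fs(cupsd_config_t)
 fs_search_auto_mountpoints(cupsd_config_t)
@@ -591,10 +590,10 @@ optional_policy(`
 # HPLIP local policy
 #
 
-allow hplip_t self:capability { dac_override dac_read_search net_raw sys_nice };
+allow hplip_t self:capability { dac_override dac_read_search net_raw };
 dontaudit hplip_t self:capability sys_tty_config;
 allow hplip_t self:fifo_file rw_fifo_file_perms;
-allow hplip_t self:process { setsched signal_perms };
+allow hplip_t self:process signal_perms;
 allow hplip_t self:tcp_socket { accept listen };
 allow hplip_t self:rawip_socket create_socket_perms;
 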
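Review bot: On the trimmed `allow cupsd_config_t self:capability` line in the second hunk, sys_tty_config is still granted while the very next line dontaudits the same permission; a dontaudit on an access that is already allowed can never fire, so one of the two rules is dead. The hplip_t block in the last hunk shows the pattern I would expect, with sys_tty_config dontaudited and absent from the allow. If cupsd_config_t does not genuinely need to configure terminals (in my experience this capability is usually requested by a stray ioctl rather than a real need, but the hunk cannot tell me), drop it from the grant, `allow cupsd_config_t self:capability { chown dac_override setuid setgid };`, and keep the dontaudit; otherwise remove the dontaudit so the rule pair says what is meant.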
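diff --git a/policy/modules/contrib/fail2ban.te b/policy/modules/contrib/fail2ban.te
index 525f6c2..955be6e 100644
--- a/policy/modules/contrib/fail2ban.te
+++ b/policy/modules/contrib/fail2ban.te
@@ -1,4 +1,4 @@
-policy_module(fail2ban, 1.4.8)
+policy_module(fail2ban, 1.4.9)
 
 ########################################
 #
@@ -36,8 +36,8 @@ role fail2ban_client_roles types fail2ban_client_t;
 # Server Local policy
 #
 
-allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config sys_nice };
-allow fail2ban_t self:process { setsched signal };
+allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config };
+allow fail2ban_t self:process signal;
 allow fail2ban_t self:fifo_file rw_fifo_file_perms;
 allow fail2ban_t self:unix_stream_socket { accept connectto listen };
 allow fail2ban_t self:tcp_socket { accept listen };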
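Review bot: The new `allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config };` line keeps sys_tty_config as an outright grant, whereas hplip_t and firewalld_t in this same commit only dontaudit it and logwatch_t does not reference it at all. Unless fail2ban really configures terminals, which I cannot tell from the hunk, the least-privilege form is `allow fail2ban_t self:capability { dac_read_search dac_override };` followed by `dontaudit fail2ban_t self:capability sys_tty_config;`. If the grant is intentional, a one-line comment above it saying what needs the capability would stop the next reviewer from asking the same question.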
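diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
index edccdb3..711a2ab 100644
--- a/policy/modules/contrib/firewalld.te
+++ b/policy/modules/contrib/firewalld.te
@@ -1,4 +1,4 @@
-policy_module(firewalld, 1.0.4)
+policy_module(firewalld, 1.0.5)
 
 ########################################
 #
@@ -26,9 +26,7 @@ files_pid_file(firewalld_var_run_t)
 # Local policy
 #
 
-allow firewalld_t self:capability sys_nice;
 dontaudit firewalld_t self:capability sys_tty_config;
-allow firewalld_t self:process setsched;
 allow firewalld_t self:fifo_file rw_fifo_file_perms;
 allow firewalld_t self:unix_stream_socket { accept listen };
 allow firewalld_t self:udp_socket create_socket_perms;
@@ -55,7 +53,6 @@ dev_read_urand(firewalld_t)
 
 domain_use_interactive_fds(firewalld_t)
 
-files_list_tmp(firewalld_t)
 files_read_etc_files(firewalld_t)
 files_read_usr_files(firewalld_t)
 files_dontaudit_list_tmp(firewalld_t)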
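Review bot: With `files_list_tmp(firewalld_t)` gone from the third hunk, the surviving `files_dontaudit_list_tmp(firewalld_t)` is left trailing `files_read_usr_files(firewalld_t)`, out of the alphabetical order in which refpolicy conventionally keeps interface calls within a group (as far as I recall the style guide) and in which the two neighbouring files_read_* calls already sit. Moving it up two lines, directly after the blank line that follows `domain_use_interactive_fds(firewalld_t)` and before `files_read_etc_files(firewalld_t)`, keeps the block sorted. Purely cosmetic; the resulting policy is identical.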
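diff --git a/policy/modules/contrib/logwatch.te b/policy/modules/contrib/logwatch.te
index 6269990..077a3f3 100644
--- a/policy/modules/contrib/logwatch.te
+++ b/policy/modules/contrib/logwatch.te
@@ -1,4 +1,4 @@
-policy_module(logwatch, 1.11.4)
+policy_module(logwatch, 1.11.5)
 
 #################################
 #
@@ -29,8 +29,8 @@ role system_r types logwatch_mail_t;
 # Local policy
 #
 
-allow logwatch_t self:capability { dac_override dac_read_search setgid sys_nice };
-allow logwatch_t self:process { setsched signal };
+allow logwatch_t self:capability { dac_override dac_read_search setgid };
+allow logwatch_t self:process signal;
 allow logwatch_t self:fifo_file rw_fifo_file_perms;
 allow logwatch_t self:unix_stream_socket { accept listen };
 
@@ -68,7 +68,6 @@ files_search_all(logwatch_t)
 files_read_var_symlinks(logwatch_t)
 files_read_etc_runtime_files(logwatch_t)
 files_read_usr_files(logwatch_t)
-files_dontaudit_list_tmp(logwatch_t)
 
 fs_getattr_all_fs(logwatch_t)
 fs_dontaudit_list_auto_mountpoints(logwatch_t)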
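Review bot: The third hunk drops `files_dontaudit_list_tmp(logwatch_t)` without a replacement, so after this change any attempt by logwatch to list /tmp is both denied and written to the audit log, whereas the firewalld hunk in the same commit removes the allow and keeps its dontaudit; the treatment of list_tmp is therefore inconsistent across the commit (cupsd_config_t loses its dontaudit the same way logwatch_t does). I cannot tell from the diff whether logwatch ever lists /tmp in normal operation, but if the dontaudit was added in response to observed denials, those will now reappear as log noise. If the intent is to let the denial surface so the real need can be assessed, that is defensible but worth stating; otherwise keeping `files_dontaudit_list_tmp(logwatch_t)` is the quieter option.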