commit: 93ce6c8c23d102a9a5b50da848779d1ffe49cb80 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Thu Sep 27 13:41:53 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Thu Sep 27 18:02:58 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=93ce6c8c |
|
Changes to the dcc policy module |
|
Use role attributes for application domains |
Module clean up |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be> |
|
--- |
policy/modules/contrib/dcc.fc | 42 ++++++++--------- |
policy/modules/contrib/dcc.if | 37 +++++++++------- |
policy/modules/contrib/dcc.te | 99 +++++++++------------------------------- |
3 files changed, 63 insertions(+), 115 deletions(-) |
|
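--- a/policy/modules/contrib/dcc.fc
+++ b/policy/modules/contrib/dcc.fc
@@ -1,30 +1,26 @@
-/etc/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
-/etc/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0)
-/etc/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
+/etc/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
+/etc/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0)
+/etc/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
 
-/usr/bin/cdcc -- gen_context(system_u:object_r:cdcc_exec_t,s0)
-/usr/bin/dccproc -- gen_context(system_u:object_r:dcc_client_exec_t,s0)
+/usr/bin/cdcc -- gen_context(system_u:object_r:cdcc_exec_t,s0)
+/usr/bin/dccproc -- gen_context(system_u:object_r:dcc_client_exec_t,s0)
 
 /usr/libexec/dcc/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
-/usr/libexec/dcc/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
-/usr/libexec/dcc/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
-/usr/libexec/dcc/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
+/usr/libexec/dcc/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
+/usr/libexec/dcc/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
+/usr/libexec/dcc/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
 
-ifdef(`distro_debian',`
-/usr/sbin/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
-/usr/sbin/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
-/usr/sbin/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
-/usr/sbin/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
-')
+/usr/sbin/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
+/usr/sbin/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
+/usr/sbin/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
+/usr/sbin/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
 
-/var/lib/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
-/var/lib/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
+/var/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
+/var/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
 
-/var/run/dcc(/.*)? gen_context(system_u:object_r:dcc_var_run_t,s0)
-/var/run/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
-/var/run/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0)
+/var/lib/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
+/var/lib/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
 
-ifdef(`distro_redhat',`
-/var/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
-/var/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
-')
+/var/run/dcc(/.*)? gen_context(system_u:object_r:dcc_var_run_t,s0)
+/var/run/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
+/var/run/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0)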
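Review bot: Dropping the `ifdef(`distro_debian',`` and `ifdef(`distro_redhat',`` guards makes the `/usr/sbin/dcc*` and `/var/dcc` entries apply on every distribution, which is a labeling change that the commit message ("Module clean up") does not mention; a line in the description such as `Drop the distro conditionals: label /usr/sbin/dcc* and /var/dcc unconditionally` would make the intent explicit. Unconditional patterns are harmless where the paths do not exist, so this is a documentation point rather than a defect, but anyone bisecting a relabel on a non-Debian/non-Red Hat system would want to find it in the log.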
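--- a/policy/modules/contrib/dcc.if
+++ b/policy/modules/contrib/dcc.if
@@ -1,4 +1,4 @@
-## <summary>Distributed checksum clearinghouse spam filtering</summary>
+## <summary>Distributed checksum clearinghouse spam filtering.</summary>
 
 ########################################
 ## <summary>
@@ -22,7 +22,8 @@ interface(`dcc_domtrans_cdcc',`
 ########################################
 ## <summary>
 ## Execute cdcc in the cdcc domain, and
-## allow the specified role the cdcc domain.
+## allow the specified role the
+## cdcc domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -38,16 +39,17 @@ interface(`dcc_domtrans_cdcc',`
 #
 interface(`dcc_run_cdcc',`
 gen_require(`
- type cdcc_t;
+ attribute_role cdcc_roles;
 ')
 
 dcc_domtrans_cdcc($1)
- role $2 types cdcc_t;
+ roleattribute $2 cdcc_roles;
 ')
 
 ########################################
 ## <summary>
-## Execute dcc_client in the dcc_client domain.
+## Execute dcc client in the dcc
+## client domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -66,7 +68,7 @@ interface(`dcc_domtrans_client',`
 
 ########################################
 ## <summary>
-## Send a signal to the dcc_client.
+## Send generic signals to dcc client.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -84,8 +86,9 @@ interface(`dcc_signal_client',`
 
 ########################################
 ## <summary>
-## Execute dcc_client in the dcc_client domain, and
-## allow the specified role the dcc_client domain.
+## Execute dcc client in the dcc
+## client domain, and allow the
+## specified role the dcc client domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -101,16 +104,16 @@ interface(`dcc_signal_client',`
 #
 interface(`dcc_run_client',`
 gen_require(`
- type dcc_client_t;
+ attribute_role dcc_client_roles;
 ')
 
 dcc_domtrans_client($1)
- role $2 types dcc_client_t;
+ roleattribute $2 dcc_client_roles;
 ')
 
 ########################################
 ## <summary>
-## Execute dbclean in the dcc_dbclean domain.
+## Execute dbclean in the dcc dbclean domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -129,8 +132,9 @@ interface(`dcc_domtrans_dbclean',`
 
 ########################################
 ## <summary>
-## Execute dbclean in the dcc_dbclean domain, and
-## allow the specified role the dcc_dbclean domain.
+## Execute dbclean in the dcc dbclean
+## domain, and allow the specified
+## role the dcc dbclean domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -146,16 +150,17 @@ interface(`dcc_domtrans_dbclean',`
 #
 interface(`dcc_run_dbclean',`
 gen_require(`
- type dcc_dbclean_t;
+ attribute_role dcc_dbclean_roles;
 ')
 
 dcc_domtrans_dbclean($1)
- role $2 types dcc_dbclean_t;
+ roleattribute $2 dcc_dbclean_roles;
 ')
 
 ########################################
 ## <summary>
-## Connect to dccifd over a unix domain stream socket.
+## Connect to dccifd over a unix
+## domain stream socket.
 ## </summary>
 ## <param name="domain">
 ## <summary>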
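Review bot: The `dcc_run_cdcc`, `dcc_run_client` and `dcc_run_dbclean` interfaces now attach the caller's role to a role attribute (`roleattribute $2 cdcc_roles;` and the two parallel hunks for dcc_client_roles and dcc_dbclean_roles) instead of authorizing one domain type, so every type that is later bound with `role cdcc_roles types ...` becomes reachable by every role that ever called the interface; the interface summaries still read as if only the named domain is granted. That widening is the intended mechanism for role attributes, but it is worth stating in the documentation so callers understand the scope they are opting into, e.g. `## allow the specified role the cdcc domain (the role is added to the cdcc_roles role attribute).` for dcc_run_cdcc and the equivalent wording for the other two. The bodies of the `dcc_domtrans_*` interfaces are outside these hunks, so whether they still require the domain types cannot be checked here.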
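--- a/policy/modules/contrib/dcc.te
+++ b/policy/modules/contrib/dcc.te
@@ -1,14 +1,23 @@
-policy_module(dcc, 1.11.0)
+policy_module(dcc, 1.11.1)
 
 ########################################
 #
 # Declarations
 #
 
+attribute_role cdcc_roles;
+roleattribute system_r cdcc_roles;
+
+attribute_role dcc_client_roles;
+roleattribute system_r dcc_client_roles;
+
+attribute_role dcc_dbclean_roles;
+roleattribute system_r dcc_dbclean_roles;
+
 type cdcc_t;
 type cdcc_exec_t;
 application_domain(cdcc_t, cdcc_exec_t)
-role system_r types cdcc_t;
+role cdcc_roles types cdcc_t;
 
 type cdcc_tmp_t;
 files_tmp_file(cdcc_tmp_t)
@@ -16,7 +25,7 @@ files_tmp_file(cdcc_tmp_t)
 type dcc_client_t;
 type dcc_client_exec_t;
 application_domain(dcc_client_t, dcc_client_exec_t)
-role system_r types dcc_client_t;
+role dcc_client_roles types dcc_client_t;
 
 type dcc_client_map_t;
 files_type(dcc_client_map_t)
@@ -27,7 +36,7 @@ files_tmp_file(dcc_client_tmp_t)
 type dcc_dbclean_t;
 type dcc_dbclean_exec_t;
 application_domain(dcc_dbclean_t, dcc_dbclean_exec_t)
-role system_r types dcc_dbclean_t;
+role dcc_dbclean_roles types dcc_dbclean_t;
 
 type dcc_dbclean_tmp_t;
 files_tmp_file(dcc_dbclean_tmp_t)
@@ -68,21 +77,12 @@ files_tmp_file(dccm_tmp_t)
 type dccm_var_run_t;
 files_pid_file(dccm_var_run_t)
 
-# NOTE: DCC has writeable files in /etc/dcc that should probably be in
-# /var/lib/dcc. For now this policy supports both directories being
-# writable.
-
-# cjp: dccifd and dccm should be merged, as
-# they have the same rules.
-
 ########################################
 #
-# dcc daemon controller local policy
+# Daemon controller local policy
 #
 
 allow cdcc_t self:capability { setuid setgid };
-allow cdcc_t self:unix_dgram_socket create_socket_perms;
-allow cdcc_t self:udp_socket create_socket_perms;
 
 manage_dirs_pattern(cdcc_t, cdcc_tmp_t, cdcc_tmp_t)
 manage_files_pattern(cdcc_t, cdcc_tmp_t, cdcc_tmp_t)
@@ -90,18 +90,10 @@ files_tmp_filetrans(cdcc_t, cdcc_tmp_t, { file dir })
 
 allow cdcc_t dcc_client_map_t:file rw_file_perms;
 
-# Access files in /var/dcc. The map file can be updated
 allow cdcc_t dcc_var_t:dir list_dir_perms;
 read_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
 read_lnk_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
 
-corenet_all_recvfrom_unlabeled(cdcc_t)
-corenet_all_recvfrom_netlabel(cdcc_t)
-corenet_udp_sendrecv_generic_if(cdcc_t)
-corenet_udp_sendrecv_generic_node(cdcc_t)
-corenet_udp_sendrecv_all_ports(cdcc_t)
-
-files_read_etc_files(cdcc_t)
 files_read_etc_runtime_files(cdcc_t)
 
 auth_use_nsswitch(cdcc_t)
@@ -114,12 +106,10 @@ userdom_use_user_terminals(cdcc_t)
 
 ########################################
 #
-# dcc procmail interface local policy
+# Procmail interface local policy
 #
 
 allow dcc_client_t self:capability { setuid setgid };
-allow dcc_client_t self:unix_dgram_socket create_socket_perms;
-allow dcc_client_t self:udp_socket create_socket_perms;
 
 allow dcc_client_t dcc_client_map_t:file rw_file_perms;
 
@@ -127,21 +117,12 @@ manage_dirs_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
 manage_files_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
 files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir })
 
-# Access files in /var/dcc. The map file can be updated
 allow dcc_client_t dcc_var_t:dir list_dir_perms;
 manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
 read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
 
 kernel_read_system_state(dcc_client_t)
 
-corenet_all_recvfrom_unlabeled(dcc_client_t)
-corenet_all_recvfrom_netlabel(dcc_client_t)
-corenet_udp_sendrecv_generic_if(dcc_client_t)
-corenet_udp_sendrecv_generic_node(dcc_client_t)
-corenet_udp_sendrecv_all_ports(dcc_client_t)
-corenet_udp_bind_generic_node(dcc_client_t)
-
-files_read_etc_files(dcc_client_t)
 files_read_etc_runtime_files(dcc_client_t)
 
 fs_getattr_all_fs(dcc_client_t)
@@ -164,12 +145,9 @@ optional_policy(`
 
 ########################################
 #
-# Database cleanup tool local policy
+# Database cleanup local policy
 #
 
-allow dcc_dbclean_t self:unix_dgram_socket create_socket_perms;
-allow dcc_dbclean_t self:udp_socket create_socket_perms;
-
 allow dcc_dbclean_t dcc_client_map_t:file rw_file_perms;
 
 manage_dirs_pattern(dcc_dbclean_t, dcc_dbclean_tmp_t, dcc_dbclean_tmp_t)
@@ -182,13 +160,6 @@ manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
 
 kernel_read_system_state(dcc_dbclean_t)
 
-corenet_all_recvfrom_unlabeled(dcc_dbclean_t)
-corenet_all_recvfrom_netlabel(dcc_dbclean_t)
-corenet_udp_sendrecv_generic_if(dcc_dbclean_t)
-corenet_udp_sendrecv_generic_node(dcc_dbclean_t)
-corenet_udp_sendrecv_all_ports(dcc_dbclean_t)
-
-files_read_etc_files(dcc_dbclean_t)
 files_read_etc_runtime_files(dcc_dbclean_t)
 
 auth_use_nsswitch(dcc_dbclean_t)
@@ -201,28 +172,21 @@ userdom_use_user_terminals(dcc_dbclean_t)
 
 ########################################
 #
-# Server daemon local policy
+# Server local policy
 #
 
 allow dccd_t self:capability net_admin;
 dontaudit dccd_t self:capability sys_tty_config;
 allow dccd_t self:process signal_perms;
-allow dccd_t self:unix_stream_socket create_socket_perms;
-allow dccd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
-allow dccd_t self:udp_socket create_socket_perms;
 
 allow dccd_t dcc_client_map_t:file rw_file_perms;
 
-# Access files in /var/dcc. The map file can be updated
 allow dccd_t dcc_var_t:dir list_dir_perms;
 read_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
 read_lnk_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
 
-# Runs the dbclean program
 domtrans_pattern(dccd_t, dcc_dbclean_exec_t, dcc_dbclean_t)
-corecmd_search_bin(dccd_t)
 
-# Updating dcc_db, flod, ...
 manage_dirs_pattern(dccd_t, dcc_var_t, dcc_var_t)
 manage_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
 manage_lnk_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
@@ -244,14 +208,16 @@ corenet_udp_sendrecv_generic_if(dccd_t)
 corenet_udp_sendrecv_generic_node(dccd_t)
 corenet_udp_sendrecv_all_ports(dccd_t)
 corenet_udp_bind_generic_node(dccd_t)
+
 corenet_udp_bind_dcc_port(dccd_t)
 corenet_sendrecv_dcc_server_packets(dccd_t)
 
+corecmd_search_bin(dccd_t)
+
 dev_read_sysfs(dccd_t)
 
 domain_use_interactive_fds(dccd_t)
 
-files_read_etc_files(dccd_t)
 files_read_etc_runtime_files(dccd_t)
 
 fs_getattr_all_fs(dccd_t)
@@ -281,13 +247,10 @@ optional_policy(`
 
 dontaudit dccifd_t self:capability sys_tty_config;
 allow dccifd_t self:process signal_perms;
-allow dccifd_t self:unix_stream_socket create_stream_socket_perms;
-allow dccifd_t self:unix_dgram_socket create_socket_perms;
-allow dccifd_t self:udp_socket create_socket_perms;
+allow dccifd_t self:unix_stream_socket { accept listen };
 
 allow dccifd_t dcc_client_map_t:file rw_file_perms;
 
-# Updating dcc_db, flod, ...
 manage_dirs_pattern(dccifd_t, dcc_var_t, dcc_var_t)
 manage_files_pattern(dccifd_t, dcc_var_t, dcc_var_t)
 manage_lnk_files_pattern(dccifd_t, dcc_var_t, dcc_var_t)
@@ -306,17 +269,10 @@ files_pid_filetrans(dccifd_t, dccifd_var_run_t, file)
 kernel_read_system_state(dccifd_t)
 kernel_read_kernel_sysctls(dccifd_t)
 
-corenet_all_recvfrom_unlabeled(dccifd_t)
-corenet_all_recvfrom_netlabel(dccifd_t)
-corenet_udp_sendrecv_generic_if(dccifd_t)
-corenet_udp_sendrecv_generic_node(dccifd_t)
-corenet_udp_sendrecv_all_ports(dccifd_t)
-
 dev_read_sysfs(dccifd_t)
 
 domain_use_interactive_fds(dccifd_t)
 
-files_read_etc_files(dccifd_t)
 files_read_etc_runtime_files(dccifd_t)
 
 fs_getattr_all_fs(dccifd_t)
@@ -341,14 +297,12 @@ optional_policy(`
 
 ########################################
 #
-# sendmail milter client local policy
+# Sendmail milter client local policy
 #
 
 dontaudit dccm_t self:capability sys_tty_config;
 allow dccm_t self:process signal_perms;
-allow dccm_t self:unix_stream_socket create_stream_socket_perms;
-allow dccm_t self:unix_dgram_socket create_socket_perms;
-allow dccm_t self:udp_socket create_socket_perms;
+allow dccm_t self:unix_stream_socket { accept listen };
 
 allow dccm_t dcc_client_map_t:file rw_file_perms;
 
@@ -370,17 +324,10 @@ files_pid_filetrans(dccm_t, dccm_var_run_t, file)
 kernel_read_system_state(dccm_t)
 kernel_read_kernel_sysctls(dccm_t)
 
-corenet_all_recvfrom_unlabeled(dccm_t)
-corenet_all_recvfrom_netlabel(dccm_t)
-corenet_udp_sendrecv_generic_if(dccm_t)
-corenet_udp_sendrecv_generic_node(dccm_t)
-corenet_udp_sendrecv_all_ports(dccm_t)
-
 dev_read_sysfs(dccm_t)
 
 domain_use_interactive_fds(dccm_t)
 
-files_read_etc_files(dccm_t)
 files_read_etc_runtime_files(dccm_t)
 
 fs_getattr_all_fs(dccm_t)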
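Review bot: The `+allow dccifd_t self:unix_stream_socket { accept listen };` and `+allow dccm_t self:unix_stream_socket { accept listen };` lines in the dccifd and dccm hunks are strictly narrower than the `create_stream_socket_perms` they replace, so they only work if create, bind and the other base socket permissions reach these domains through a rule outside this file; nothing on the page shows that rule, so it should be confirmed before merging, otherwise the listening sockets in dccifd and dccm will be denied. The same dependency applies to the `self:udp_socket`, `self:unix_dgram_socket`, `self:netlink_route_socket` and `corenet_udp_sendrecv_*` rules removed from cdcc_t, dcc_client_t, dcc_dbclean_t, dccd_t, dccifd_t and dccm_t: `auth_use_nsswitch` presumably covers name resolution where it is called, but if the client domains exchange UDP with a DCC server on the dcc port (the server side keeps `corenet_udp_bind_dcc_port(dccd_t)` and `corenet_sendrecv_dcc_server_packets(dccd_t)`), they would now need the generated client-side interfaces, e.g. `corenet_udp_sendrecv_dcc_port(dcc_client_t)` and `corenet_sendrecv_dcc_client_packets(dcc_client_t)`. A one-line comment above each `{ accept listen }` rule, such as `# base unix_stream_socket permissions come from <SHARED-RULE-PLACEHOLDER>; only listening is added here`, would record where the rest of the permissions come from so the next reader does not have to repeat this check.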