[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]
rpms/selinux-policy-targeted/FC-4 policy-20050629.patch,NONE,1.1
- From: fedora-cvs-commits redhat com
- To: fedora-cvs-commits redhat com
- Subject: rpms/selinux-policy-targeted/FC-4 policy-20050629.patch,NONE,1.1
- Date: Sun, 3 Jul 2005 11:21:47 -0400
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy-targeted/FC-4
In directory cvs.devel.redhat.com:/tmp/cvs-serv4284
Added Files:
policy-20050629.patch
Log Message:
* Sun Jul 3 2005 Dan Walsh <dwalsh redhat com> 1.24-3
- Bump for FC4.
policy-20050629.patch:
Makefile | 23 +--
attrib.te | 2
domains/misc/kernel.te | 7
domains/misc/local.te | 5
domains/program/fsadm.te | 5
domains/program/getty.te | 7
domains/program/init.te | 4
domains/program/initrc.te | 11 +
domains/program/klogd.te | 2
domains/program/login.te | 4
domains/program/modutil.te | 2
domains/program/mount.te | 4
domains/program/passwd.te | 5
domains/program/restorecon.te | 5
domains/program/ssh.te | 6
domains/program/syslogd.te | 3
domains/program/unused/NetworkManager.te | 9 +
domains/program/unused/acct.te | 2
domains/program/unused/afs.te | 1
domains/program/unused/alsa.te | 17 ++
domains/program/unused/amanda.te | 7
domains/program/unused/amavis.te | 5
domains/program/unused/apache.te | 5
domains/program/unused/apmd.te | 4
domains/program/unused/asterisk.te | 2
domains/program/unused/auditd.te | 10 +
domains/program/unused/bluetooth.te | 3
domains/program/unused/bonobo.te | 9 +
domains/program/unused/ciped.te | 5
domains/program/unused/clamav.te | 1
domains/program/unused/clockspeed.te | 2
domains/program/unused/consoletype.te | 2
domains/program/unused/cups.te | 37 ++++
domains/program/unused/cyrus.te | 7
domains/program/unused/dante.te | 1
domains/program/unused/dcc.te | 3
domains/program/unused/ddclient.te | 4
domains/program/unused/dhcpc.te | 17 +-
domains/program/unused/dhcpd.te | 3
domains/program/unused/dictd.te | 1
domains/program/unused/distcc.te | 1
domains/program/unused/dovecot.te | 4
domains/program/unused/ethereal.te | 48 ++++++
domains/program/unused/evolution.te | 13 +
domains/program/unused/fingerd.te | 1
domains/program/unused/gatekeeper.te | 1
domains/program/unused/gconf.te | 12 +
domains/program/unused/gift.te | 2
domains/program/unused/gnome.te | 7
domains/program/unused/gnome_vfs.te | 9 +
domains/program/unused/gpg.te | 3
domains/program/unused/hald.te | 4
domains/program/unused/hotplug.te | 6
domains/program/unused/howl.te | 1
domains/program/unused/i18n_input.te | 7
domains/program/unused/iceauth.te | 12 +
domains/program/unused/imazesrv.te | 1
domains/program/unused/inetd.te | 7
domains/program/unused/innd.te | 1
domains/program/unused/ircd.te | 1
domains/program/unused/jabberd.te | 3
domains/program/unused/lpd.te | 1
domains/program/unused/lrrd.te | 1
domains/program/unused/mdadm.te | 2
domains/program/unused/monopd.te | 1
domains/program/unused/mozilla.te | 6
domains/program/unused/mysqld.te | 4
domains/program/unused/named.te | 1
domains/program/unused/nessusd.te | 1
domains/program/unused/nscd.te | 1
domains/program/unused/ntpd.te | 1
domains/program/unused/openvpn.te | 2
domains/program/unused/orbit.te | 7
domains/program/unused/pam.te | 5
domains/program/unused/pamconsole.te | 2
domains/program/unused/ping.te | 2
domains/program/unused/postgresql.te | 4
domains/program/unused/postgrey.te | 2
domains/program/unused/pppd.te | 7
domains/program/unused/pxe.te | 1
domains/program/unused/pyzor.te | 2
domains/program/unused/radius.te | 2
domains/program/unused/razor.te | 2
domains/program/unused/rpcd.te | 11 +
domains/program/unused/samba.te | 3
domains/program/unused/snmpd.te | 1
domains/program/unused/sound-server.te | 1
domains/program/unused/spamd.te | 1
domains/program/unused/squid.te | 1
domains/program/unused/ssh-agent.te | 3
domains/program/unused/stunnel.te | 1
domains/program/unused/tftpd.te | 2
domains/program/unused/thunderbird.te | 9 +
domains/program/unused/transproxy.te | 2
domains/program/unused/ucspi-tcp.te | 2
domains/program/unused/udev.te | 2
domains/program/unused/utempter.te | 5
domains/program/unused/watchdog.te | 2
domains/program/unused/xdm.te | 23 ++-
domains/program/unused/xserver.te | 3
domains/program/unused/zebra.te | 1
domains/user.te | 14 +
file_contexts/distros.fc | 21 --
file_contexts/program/alsa.fc | 3
file_contexts/program/apache.fc | 2
file_contexts/program/bonobo.fc | 1
file_contexts/program/cups.fc | 6
file_contexts/program/cyrus.fc | 1
file_contexts/program/ethereal.fc | 3
file_contexts/program/evolution.fc | 8 +
file_contexts/program/fontconfig.fc | 6
file_contexts/program/fsadm.fc | 1
file_contexts/program/gconf.fc | 5
file_contexts/program/gnome.fc | 8 +
file_contexts/program/gnome_vfs.fc | 1
file_contexts/program/iceauth.fc | 3
file_contexts/program/irc.fc | 2
file_contexts/program/mozilla.fc | 6
file_contexts/program/orbit.fc | 3
file_contexts/program/thunderbird.fc | 2
file_contexts/program/xauth.fc | 1
file_contexts/program/xdm.fc | 1
file_contexts/program/xserver.fc | 2
file_contexts/types.fc | 23 +--
macros/admin_macros.te | 12 +
macros/base_user_macros.te | 75 ++++++---
macros/content_macros.te | 185 ++++++++++++++++++++++++
macros/global_macros.te | 121 +--------------
macros/home_macros.te | 130 +++++++++++++++++
macros/network_macros.te | 2
macros/program/apache_macros.te | 5
macros/program/bonobo_macros.te | 119 +++++++++++++++
macros/program/dbusd_macros.te | 5
macros/program/ethereal_macros.te | 83 ++++++++++
macros/program/evolution_macros.te | 235 +++++++++++++++++++++++++++++++
macros/program/fontconfig_macros.te | 38 ++++-
macros/program/games_domain.te | 38 +----
macros/program/gconf_macros.te | 56 +++++++
macros/program/gift_macros.te | 60 ++-----
macros/program/gnome_macros.te | 115 +++++++++++++++
macros/program/gnome_vfs_macros.te | 49 ++++++
macros/program/gpg_agent_macros.te | 1
macros/program/gpg_macros.te | 45 -----
macros/program/ice_macros.te | 38 +++++
macros/program/iceauth_macros.te | 40 +++++
macros/program/inetd_macros.te | 1
macros/program/irc_macros.te | 1
macros/program/lpr_macros.te | 24 ---
macros/program/mail_client_macros.te | 54 +++++++
macros/program/mozilla_macros.te | 131 ++++++-----------
macros/program/mplayer_macros.te | 15 +
macros/program/orbit_macros.te | 44 +++++
macros/program/pyzor_macros.te | 1
macros/program/razor_macros.te | 1
macros/program/spamassassin_macros.te | 9 -
macros/program/ssh_agent_macros.te | 3
macros/program/ssh_macros.te | 5
macros/program/thunderbird_macros.te | 57 +++++++
macros/program/tvtime_macros.te | 1
macros/program/userhelper_macros.te | 3
macros/program/x_client_macros.te | 12 -
macros/program/xauth_macros.te | 1
macros/program/xdm_macros.te | 11 +
macros/program/xserver_macros.te | 17 +-
macros/user_macros.te | 8 -
mls | 41 ++---
net_contexts | 135 +++++------------
targeted/domains/program/ssh.te | 1
targeted/domains/program/xdm.te | 1
types/device.te | 7
types/devpts.te | 2
types/file.te | 8 +
types/network.te | 98 ++++++++++--
types/security.te | 2
174 files changed, 2053 insertions(+), 742 deletions(-)
--- NEW FILE policy-20050629.patch ---
diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.24/attrib.te
--- nsapolicy/attrib.te 2005-05-25 11:28:09.000000000 -0400
+++ policy-1.24/attrib.te 2005-07-03 09:51:22.000000000 -0400
@@ -30,7 +30,7 @@
attribute mlsnetwritetoclr;
attribute mlsnetupgrade;
attribute mlsnetdowngrade;
-attribute mlsnetbindall;
+attribute mlsnetrecvall;
attribute mlsipcread;
attribute mlsipcreadtoclr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/kernel.te policy-1.24/domains/misc/kernel.te
--- nsapolicy/domains/misc/kernel.te 2005-06-01 06:11:22.000000000 -0400
+++ policy-1.24/domains/misc/kernel.te 2005-07-03 09:51:22.000000000 -0400
@@ -11,7 +11,7 @@
# kernel_t is the domain of kernel threads.
# It is also the target type when checking permissions in the system class.
#
-type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod ifdef(`nfs_export_all_rw',`,etc_writer') ;
+type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod ifdef(`nfs_export_all_rw',`,etc_writer'), privrangetrans ;
role system_r types kernel_t;
general_domain_access(kernel_t)
general_proc_read_access(kernel_t)
@@ -28,6 +28,11 @@
# Run init in the init_t domain.
domain_auto_trans(kernel_t, init_exec_t, init_t)
+ifdef(`mls_policy', `
+# run init with maximum MLS range
+range_transition kernel_t init_exec_t s0 - s9:c0.c127;
+')
+
# Share state with the init process.
allow kernel_t init_t:process share;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/local.te policy-1.24/domains/misc/local.te
--- nsapolicy/domains/misc/local.te 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.24/domains/misc/local.te 2005-07-03 09:51:22.000000000 -0400
@@ -0,0 +1,5 @@
+# Local customization of existing policy should be done in this file.
+# If you are creating brand new policy for a new "target" domain, you
+# need to create a type enforcement (.te) file in domains/program
+# and a file context (.fc) file in file_context/program.
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.24/domains/program/fsadm.te
--- nsapolicy/domains/program/fsadm.te 2005-06-01 06:11:22.000000000 -0400
+++ policy-1.24/domains/program/fsadm.te 2005-07-03 09:51:22.000000000 -0400
@@ -12,14 +12,14 @@
# administration.
# fsadm_exec_t is the type of the corresponding programs.
#
-type fsadm_t, domain, privlog, fs_domain;
+type fsadm_t, domain, privlog, fs_domain, mlsfileread;
role system_r types fsadm_t;
role sysadm_r types fsadm_t;
general_domain_access(fsadm_t)
# for swapon
-allow fsadm_t sysfs_t:dir { search getattr };
+r_dir_file(fsadm_t, sysfs_t)
# Read system information files in /proc.
r_dir_file(fsadm_t, proc_t)
@@ -116,3 +116,4 @@
allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms;
allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;
allow fsadm_t usbfs_t:dir { getattr search };
+allow fsadm_t ramfs_t:fifo_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/getty.te policy-1.24/domains/program/getty.te
--- nsapolicy/domains/program/getty.te 2005-05-02 14:06:54.000000000 -0400
+++ policy-1.24/domains/program/getty.te 2005-07-03 09:51:22.000000000 -0400
@@ -52,3 +52,10 @@
# for mgetty
var_run_domain(getty)
allow getty_t self:capability { fowner fsetid };
+
+#
+# getty needs to be able to run pppd
+#
+ifdef(`pppd.te', `
+domain_auto_trans(getty_t, pppd_exec_t, pppd_t)
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.24/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te 2005-05-25 11:28:09.000000000 -0400
+++ policy-1.24/domains/program/initrc.te 2005-07-03 09:51:22.000000000 -0400
@@ -12,7 +12,7 @@
# initrc_exec_t is the type of the init program.
#
# do not use privmail for sendmail as it creates a type transition conflict
-type initrc_t, fs_domain, ifdef(`unlimitedRC', `admin, etc_writer, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain;
+type initrc_t, fs_domain, ifdef(`unlimitedRC', `admin, etc_writer, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain, mlsfileread, mlsfilewrite, mlsprocread, mlsprocwrite;
role system_r types initrc_t;
uses_shlib(initrc_t);
@@ -120,7 +120,13 @@
# Mount and unmount file systems.
allow initrc_t fs_type:filesystem mount_fs_perms;
-allow initrc_t { file_t default_t }:dir { read search getattr mounton };
+allow initrc_t file_t:dir { read search getattr mounton };
+
+# during boot up initrc needs to do the following
+allow initrc_t default_t:dir { read search getattr mounton };
+
+# rhgb-console writes to ramfs
+allow initrc_t ramfs_t:fifo_file write;
# Create runtime files in /etc, e.g. /etc/mtab, /etc/HOSTNAME.
file_type_auto_trans(initrc_t, etc_t, etc_runtime_t, file)
@@ -253,6 +259,7 @@
domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
+typeattribute initrc_t privuser;
domain_trans(initrc_t, shell_exec_t, unconfined_t)
allow initrc_t unconfined_t:system syslog_mod;
', `
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/init.te policy-1.24/domains/program/init.te
--- nsapolicy/domains/program/init.te 2005-05-25 11:28:09.000000000 -0400
+++ policy-1.24/domains/program/init.te 2005-07-03 09:51:22.000000000 -0400
@@ -14,11 +14,11 @@
# by init during initialization. This pipe is used
# to communicate with init.
#
-type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain;
+type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain, mlsrangetrans, mlsfileread, mlsfilewrite;
role system_r types init_t;
uses_shlib(init_t);
type init_exec_t, file_type, sysadmfile, exec_type;
-type initctl_t, file_type, sysadmfile, dev_fs;
+type initctl_t, file_type, sysadmfile, dev_fs, mlstrustedobject;
# for init to determine whether SE Linux is active so it can know whether to
# activate it
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/klogd.te policy-1.24/domains/program/klogd.te
--- nsapolicy/domains/program/klogd.te 2005-05-25 11:28:09.000000000 -0400
+++ policy-1.24/domains/program/klogd.te 2005-07-03 09:51:23.000000000 -0400
@@ -8,7 +8,7 @@
#
# Rules for the klogd_t domain.
#
-daemon_domain(klogd, `, privmem, privkmsg')
+daemon_domain(klogd, `, privmem, privkmsg, mlsfileread')
tmp_domain(klogd)
allow klogd_t proc_t:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.24/domains/program/login.te
--- nsapolicy/domains/program/login.te 2005-05-25 11:28:09.000000000 -0400
+++ policy-1.24/domains/program/login.te 2005-07-03 09:51:23.000000000 -0400
@@ -13,7 +13,7 @@
# $1 is the name of the domain (local or remote)
define(`login_domain', `
-type $1_login_t, domain, privuser, privrole, privlog, auth_chkpwd, privowner, privfd, nscd_client_domain;
+type $1_login_t, domain, privuser, privrole, privlog, auth_chkpwd, privowner, privfd, nscd_client_domain, mlsfilewrite, mlsprocsetsl, mlsfileupgrade, mlsfiledowngrade;
role system_r types $1_login_t;
dontaudit $1_login_t shadow_t:file { getattr read };
@@ -111,7 +111,7 @@
allow $1_login_t lastlog_t:file rw_file_perms;
# Write to /var/log/btmp
-allow $1_login_t faillog_t:file { append read write };
+allow $1_login_t faillog_t:file { lock append read write };
# Search for mail spool file.
allow $1_login_t mail_spool_t:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.24/domains/program/modutil.te
--- nsapolicy/domains/program/modutil.te 2005-06-01 06:11:22.000000000 -0400
+++ policy-1.24/domains/program/modutil.te 2005-07-03 09:51:23.000000000 -0400
@@ -72,7 +72,7 @@
# Rules for the insmod_t domain.
#
-type insmod_t, domain, privlog, sysctl_kernel_writer, privmem, privsysmod ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule' )
+type insmod_t, domain, privlog, sysctl_kernel_writer, privmem, privsysmod ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule' ), mlsfilewrite
;
role system_r types insmod_t;
role sysadm_r types insmod_t;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.24/domains/program/mount.te
--- nsapolicy/domains/program/mount.te 2005-05-25 11:28:09.000000000 -0400
+++ policy-1.24/domains/program/mount.te 2005-07-03 09:51:23.000000000 -0400
@@ -11,7 +11,7 @@
type mount_exec_t, file_type, sysadmfile, exec_type;
-mount_domain(sysadm, mount, `, fs_domain, nscd_client_domain')
+mount_domain(sysadm, mount, `, fs_domain, nscd_client_domain, mlsfileread, mlsfilewrite')
mount_loopback_privs(sysadm, mount)
role sysadm_r types mount_t;
role system_r types mount_t;
@@ -68,7 +68,7 @@
# for localization
allow mount_t lib_t:file { getattr read };
allow mount_t autofs_t:dir read;
-allow mount_t fs_t:filesystem relabelfrom;
+allow mount_t fs_type:filesystem relabelfrom;
[...4930 lines suppressed...]
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/xdm.te policy-1.24/targeted/domains/program/xdm.te
--- nsapolicy/targeted/domains/program/xdm.te 2005-05-02 07:37:54.000000000 -0400
+++ policy-1.24/targeted/domains/program/xdm.te 2005-07-03 10:01:05.000000000 -0400
@@ -12,7 +12,6 @@
#
type xdm_exec_t, file_type, sysadmfile, exec_type;
type xsession_exec_t, file_type, sysadmfile, exec_type;
-type vnc_port_t, port_type;
type xserver_log_t, file_type, sysadmfile;
type xdm_xserver_tmp_t, file_type, sysadmfile;
type xdm_rw_etc_t, file_type, sysadmfile;
diff --exclude-from=exclude -N -u -r nsapolicy/types/device.te policy-1.24/types/device.te
--- nsapolicy/types/device.te 2005-05-25 11:28:11.000000000 -0400
+++ policy-1.24/types/device.te 2005-07-03 09:57:22.000000000 -0400
@@ -154,3 +154,10 @@
# for other device nodes such as the NVidia binary-only driver
type xserver_misc_device_t, device_type, dev_fs;
+
+# for the IBM zSeries z90crypt hardware ssl accelorator
+type crypt_device_t, device_type, dev_fs;
+
+
+
+
diff --exclude-from=exclude -N -u -r nsapolicy/types/devpts.te policy-1.24/types/devpts.te
--- nsapolicy/types/devpts.te 2005-05-25 11:28:11.000000000 -0400
+++ policy-1.24/types/devpts.te 2005-07-03 09:58:04.000000000 -0400
@@ -10,7 +10,7 @@
#
# ptmx_t is the type for /dev/ptmx.
#
-type ptmx_t, sysadmfile, device_type, dev_fs;
+type ptmx_t, sysadmfile, device_type, dev_fs, mlstrustedobject;
#
# devpts_t is the type of the devpts file system and
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.24/types/file.te
--- nsapolicy/types/file.te 2005-05-25 11:28:11.000000000 -0400
+++ policy-1.24/types/file.te 2005-07-03 09:58:31.000000000 -0400
@@ -137,7 +137,11 @@
# texrel_shlib_t is the type of shared objects in the system lib
# directories, which require text relocation.
#
+ifdef(`targeted_policy', `
+typealias lib_t alias texrel_shlib_t;
+', `
type texrel_shlib_t, file_type, sysadmfile;
+')
# ld_so_t is the type of the system dynamic loaders.
#
@@ -325,4 +329,8 @@
# Type for anonymous FTP data, used by ftp and rsync
type ftpd_anon_t, file_type, sysadmfile, customizable;
+allow customizable self:filesystem associate;
+
+# type for /tmp/.ICE-unix
+type ice_tmp_t, file_type, sysadmfile, tmpfile;
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.24/types/network.te
--- nsapolicy/types/network.te 2005-05-25 11:28:11.000000000 -0400
+++ policy-1.24/types/network.te 2005-07-03 09:51:23.000000000 -0400
@@ -8,17 +8,7 @@
# Modified by Russell Coker
# Move port types to their respective domains, add ifdefs, other cleanups.
-# generally we do not want to define port types in this file, but some things
-# are insanely difficult to do elsewhere, xserver_port_t is a good example
-# getting the type defined is the easy part for X, conditional code for many
-# other domains (including one that starts with a) is the hard part.
-ifdef(`xdm.te', `define(`use_x_ports')')
-ifdef(`startx.te', `define(`use_x_ports')')
-ifdef(`xauth.te', `define(`use_x_ports')')
-ifdef(`xserver.te', `define(`use_x_ports')')
-ifdef(`use_x_ports', `
type xserver_port_t, port_type;
-')
#
# Defines used by the te files need to be defined outside of net_constraints
#
@@ -31,24 +21,14 @@
type http_cache_port_t, port_type, reserved_port_type;
type http_port_t, port_type, reserved_port_type;
type ipp_port_t, port_type, reserved_port_type;
+type gopher_port_t, port_type, reserved_port_type;
allow web_client_domain { http_cache_port_t http_port_t }:tcp_socket name_connect;
-ifdef(`cyrus.te', `define(`use_pop')')
-ifdef(`courier.te', `define(`use_pop')')
-ifdef(`perdition.te', `define(`use_pop')')
-ifdef(`dovecot.te', `define(`use_pop')')
-ifdef(`uwimapd.te', `define(`use_pop')')
-ifdef(`fetchmail.te', `define(`use_pop')')
-ifdef(`use_pop', `
type pop_port_t, port_type, reserved_port_type;
-')
type ftp_port_t, port_type, reserved_port_type;
type ftp_data_port_t, port_type, reserved_port_type;
-ifdef(`dhcpd.te', `define(`use_pxe')')
-ifdef(`pxe.te', `define(`use_pxe')')
-
############################################
#
# Network types
@@ -126,3 +106,79 @@
# Kernel-generated traffic, e.g. TCP resets.
allow kernel_t netif_type:netif { tcp_send tcp_recv };
allow kernel_t node_type:node { tcp_send tcp_recv };
+type radius_port_t, port_type;
+type radacct_port_t, port_type;
+type rndc_port_t, port_type, reserved_port_type;
+type tftp_port_t, port_type, reserved_port_type;
+type printer_port_t, port_type, reserved_port_type;
+type mysqld_port_t, port_type;
+type postgresql_port_t, port_type;
+type ptal_port_t, port_type, reserved_port_type;
+type howl_port_t, port_type;
+type dict_port_t, port_type;
+type syslogd_port_t, port_type, reserved_port_type;
+type spamd_port_t, port_type, reserved_port_type;
+type ssh_port_t, port_type, reserved_port_type;
+type pxe_port_t, port_type;
+type amanda_port_t, port_type;
+type fingerd_port_t, port_type, reserved_port_type;
+type dhcpc_port_t, port_type, reserved_port_type;
+type ntp_port_t, port_type, reserved_port_type;
+type stunnel_port_t, port_type;
+type zebra_port_t, port_type;
+type i18n_input_port_t, port_type;
+type vnc_port_t, port_type;
+type openvpn_port_t, port_type;
+type clamd_port_t, port_type, reserved_port_type;
+type transproxy_port_t, port_type;
+type clockspeed_port_t, port_type;
+type pyzor_port_t, port_type, reserved_port_type;
+type postgrey_port_t, port_type;
+type asterisk_port_t, port_type;
+type utcpserver_port_t, port_type;
+type nessus_port_t, port_type;
+type razor_port_t, port_type;
+type distccd_port_t, port_type;
+type socks_port_t, port_type;
+type gatekeeper_port_t, port_type;
+type dcc_port_t, port_type;
+type lrrd_port_t, port_type;
+type jabber_client_port_t, port_type;
+type jabber_interserver_port_t, port_type;
+type ircd_port_t, port_type;
+type giftd_port_t, port_type;
+type soundd_port_t, port_type;
+type imaze_port_t, port_type;
+type monopd_port_t, port_type;
+# Differentiate between the port where amavisd receives mail, and the
+# port where it returns cleaned mail back to the MTA.
+type amavisd_recv_port_t, port_type;
+type amavisd_send_port_t, port_type;
+type innd_port_t, port_type, reserved_port_type;
+type snmp_port_t, port_type, reserved_port_type;
+type biff_port_t, port_type, reserved_port_type;
+type hplip_port_t, port_type;
+
+#inetd_child_ports
+
+type rlogind_port_t, port_type, reserved_port_type;
+type telnetd_port_t, port_type, reserved_port_type;
+type comsat_port_t, port_type, reserved_port_type;
+type cvs_port_t, port_type;
+type dbskkd_port_t, port_type, reserved_port_type;
+type inetd_child_port_t, port_type, reserved_port_type;
+type ktalkd_port_t, port_type, reserved_port_type;
+type rsync_port_t, port_type, reserved_port_type;
+type uucpd_port_t, port_type, reserved_port_type;
+type swat_port_t, port_type, reserved_port_type;
+type zope_port_t, port_type;
+type auth_port_t, port_type, reserved_port_type;
+
+# afs ports
+
+type afs_fs_port_t, port_type;
+type afs_pt_port_t, port_type;
+type afs_vl_port_t, port_type;
+type afs_ka_port_t, port_type;
+type afs_bos_port_t, port_type;
+
diff --exclude-from=exclude -N -u -r nsapolicy/types/security.te policy-1.24/types/security.te
--- nsapolicy/types/security.te 2005-05-25 11:28:11.000000000 -0400
+++ policy-1.24/types/security.te 2005-07-03 09:58:20.000000000 -0400
@@ -12,7 +12,7 @@
# the permissions in the security class. It is also
# applied to selinuxfs inodes.
#
-type security_t, mount_point, fs_type;
+type security_t, mount_point, fs_type, mlstrustedobject;
#
# policy_config_t is the type of /etc/security/selinux/*
[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]