commit: 4415515602830a864de3212284013eac37767b5c
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Aug 13 20:14:05 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Sep 8 22:48:51 2017 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=44155156
Remove complement and wildcard in allow rules.
Remove complement (~) and wildcard (*) in allow rules so that there are no
unintentional additions when new permissions are declared.
This patch does not add or remove permissions from any rules.
policy/modules/contrib/apache.te | 2 +-
policy/modules/contrib/cron.te | 4 ++--
policy/modules/contrib/cyrus.te | 2 +-
policy/modules/contrib/dbus.if | 4 ++--
policy/modules/contrib/dpkg.te | 2 +-
policy/modules/contrib/imaze.te | 2 +-
policy/modules/contrib/logrotate.te | 2 +-
policy/modules/contrib/nscd.if | 2 +-
policy/modules/contrib/portage.if | 3 +--
policy/modules/contrib/portslave.te | 3 +--
policy/modules/contrib/razor.te | 2 +-
policy/modules/contrib/remotelogin.te | 2 +-
policy/modules/contrib/rpm.te | 5 ++---
policy/modules/contrib/rssh.te | 2 +-
policy/modules/contrib/samba.te | 4 ++--
policy/modules/contrib/spamassassin.te | 6 +++---
policy/modules/contrib/squid.te | 2 +-
policy/modules/contrib/userhelper.te | 2 +-
policy/modules/contrib/usernetctl.te | 2 +-
policy/modules/contrib/vmware.te | 3 +--
policy/modules/contrib/webalizer.te | 2 +-
policy/modules/contrib/yam.te | 2 +-
22 files changed, 28 insertions(+), 32 deletions(-)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 7c41358d..e39b7951 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -379,7 +379,7 @@ optional_policy(`
allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice
sys_tty_config };
dontaudit httpd_t self:capability net_admin;
-allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit
execmem execstack execheap };
+allow httpd_t self:process { transition signal_perms getsched setsched
getsession getpgid setpgid getcap setcap share getattr noatsecure siginh
rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow httpd_t self:fd use;
allow httpd_t self:sock_file read_sock_file_perms;
allow httpd_t self:fifo_file rw_fifo_file_perms;
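Review bot: The enumerated set on the added `allow httpd_t self:process` rule omits `fork`, which the removed complement `~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }` granted, so the rule is narrower than before although the commit message says no permissions are removed. This is presumably harmless if `fork` is already granted to every domain by the base domain policy, but that rule is not visible in this patch. Confirm it by diffing the compiled policy before and after (for example with sediff), or state the reliance in the commit message. The same omission applies to every other `self:process` rewrite in this commit, from cron.te through yam.te.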
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 8991b2c8..27467232 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -219,8 +219,8 @@ tunable_policy(`fcron_crond',`
allow crond_t self:capability { chown dac_override dac_read_search fowner
setgid setuid sys_nice };
dontaudit crond_t self:capability { sys_resource sys_tty_config };
-allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem
execstack execheap };
-allow crond_t self:process { setexec setfscreate };
+
+allow crond_t self:process { transition signal_perms getsched setsched
getsession getpgid setpgid getcap setcap share getattr setexec setfscreate
noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate
getrlimit };
allow crond_t self:fd use;
allow crond_t self:fifo_file rw_fifo_file_perms;
allow crond_t self:unix_dgram_socket sendto;
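Review bot: The lone `+` line ahead of the new `allow crond_t self:process` rule adds an empty line in the middle of the self-rule block, which no other rewrite in this commit does. Drop it so the `self:capability` and `self:process` rules stay contiguous and the hunk becomes a pure two-for-one replacement.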
diff --git a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te
index 02c0a746..816cf457 100644
--- a/policy/modules/contrib/cyrus.te
+++ b/policy/modules/contrib/cyrus.te
@@ -31,7 +31,7 @@ files_pid_file(cyrus_var_run_t)
allow cyrus_t self:capability { dac_override setgid setuid sys_resource };
dontaudit cyrus_t self:capability sys_tty_config;
-allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit
execmem execstack execheap };
+allow cyrus_t self:process { transition signal_perms getsched setsched
getsession getpgid setpgid getcap setcap share getattr noatsecure siginh
rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow cyrus_t self:process setrlimit;
allow cyrus_t self:fd use;
allow cyrus_t self:fifo_file rw_fifo_file_perms;
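Review bot: `setrlimit` is still granted by the separate context line `allow cyrus_t self:process setrlimit;` directly below the rewritten rule. The portage.if, portslave.te, rpm.te and vmware.te hunks instead fold their second `self:process` rule into the enumerated set. Adding `setrlimit` to the list here and dropping the one-permission rule would leave a single place to audit what cyrus_t may do to itself. remotelogin.te has the same leftover in `allow remote_login_t self:process { setrlimit setexec };`.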
diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if
index 32824d9a..4f62c23a 100644
--- a/policy/modules/contrib/dbus.if
+++ b/policy/modules/contrib/dbus.if
@@ -460,10 +460,10 @@ interface(`dbus_send_system_bus',`
interface(`dbus_system_bus_unconfined',`
gen_require(`
type system_dbusd_t;
- class dbus all_dbus_perms;
+ class dbus { acquire_svc send_msg };
')
- allow $1 system_dbusd_t:dbus *;
+ allow $1 system_dbusd_t:dbus { acquire_svc send_msg };
')
########################################
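Review bot: `dbus_system_bus_unconfined` now grants a fixed `{ acquire_svc send_msg }`, so an interface whose name promises unconfined access will silently fall behind if the dbus class ever gains a permission. That is the stated intent of the commit, but it deserves a comment above the allow rule, e.g. `# Enumerated on purpose: extend this list when new dbus permissions are declared.` The require block is also handled inconsistently: this hunk replaces `all_dbus_perms` with the explicit set, while the nscd.if hunk keeps `class nscd all_nscd_perms;` and enumerates only the allow rule. The two interfaces should follow the same convention.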
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index 9c59f073..e165fec3 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -203,7 +203,7 @@ optional_policy(`
#
allow dpkg_script_t self:capability { audit_write chown dac_override
dac_read_search fowner fsetid ipc_lock kill mknod net_admin setfcap setgid
setuid sys_chroot sys_nice sys_ptrace };
-allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setrlimit
execmem execstack execheap };
+allow dpkg_script_t self:process { transition signal_perms getsched setsched
getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure
siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow dpkg_script_t self:fd use;
allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
diff --git a/policy/modules/contrib/imaze.te b/policy/modules/contrib/imaze.te
index f7b386b4..7649b91a 100644
--- a/policy/modules/contrib/imaze.te
+++ b/policy/modules/contrib/imaze.te
@@ -25,7 +25,7 @@ files_pid_file(imazesrv_var_run_t)
#
dontaudit imazesrv_t self:capability sys_tty_config;
-allow imazesrv_t self:process ~{ ptrace setcurrent setexec setfscreate
setrlimit execmem execstack execheap };
+allow imazesrv_t self:process { transition signal_perms getsched setsched
getsession getpgid setpgid getcap setcap share getattr noatsecure siginh
rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow imazesrv_t self:fifo_file rw_fifo_file_perms;
allow imazesrv_t self:tcp_socket { accept listen };
allow imazesrv_t self:unix_dgram_socket sendto;
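Review bot: The added `allow imazesrv_t self:process` rule keeps `setcap`, `dyntransition`, `noatsecure`, `setkeycreate` and `setsockcreate`, which were inherited from the complement rather than chosen for this domain. Keeping them is right for a no-change commit, but the list should be marked for a least-privilege pass, e.g. `# TODO: inherited from former ~{ } rule; trim to what the daemon uses`. The local policy section starts above the hunk, so other rules for this domain are not visible here. The same applies to the other domains rewritten with this identical list, such as razor.te, rssh.te, usernetctl.te and webalizer.te.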
diff --git a/policy/modules/contrib/logrotate.te
b/policy/modules/contrib/logrotate.te
index 4593e98f..ab2c6152 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -37,7 +37,7 @@ role system_r types logrotate_mail_t;
#
allow logrotate_t self:capability { chown dac_override dac_read_search fowner
fsetid kill setgid setuid sys_nice sys_resource };
-allow logrotate_t self:process ~{ ptrace setcurrent setexec execmem execstack
execheap };
+allow logrotate_t self:process { transition signal_perms getsched setsched
getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure
siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow logrotate_t self:fd use;
allow logrotate_t self:key manage_key_perms;
allow logrotate_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/nscd.if b/policy/modules/contrib/nscd.if
index c83635fe..d6b3687a 100644
--- a/policy/modules/contrib/nscd.if
+++ b/policy/modules/contrib/nscd.if
@@ -226,7 +226,7 @@ interface(`nscd_unconfined',`
class nscd all_nscd_perms;
')
- allow $1 nscd_t:nscd *;
+ allow $1 nscd_t:nscd { getpwd getgrp gethost getstat admin shmempwd
shmemgrp shmemhost getserv shmemserv };
')
########################################
diff --git a/policy/modules/contrib/portage.if
b/policy/modules/contrib/portage.if
index cad9b9f1..32f39a22 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -74,8 +74,7 @@ interface(`portage_compile_domain',`
allow $1 self:capability { chown dac_override fowner fsetid mknod
net_raw setgid setuid };
dontaudit $1 self:capability sys_chroot;
- allow $1 self:process { setpgid setsched setrlimit signal_perms execmem
setfscreate };
- allow $1 self:process ~{ ptrace setcurrent setexec setrlimit execmem
execstack execheap };
+ allow $1 self:process { transition signal_perms getsched setsched
getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure
siginh setrlimit rlimitinh dyntransition execmem setkeycreate setsockcreate
getrlimit };
allow $1 self:fd use;
allow $1 self:fifo_file rw_fifo_file_perms;
allow $1 self:shm create_shm_perms;
diff --git a/policy/modules/contrib/portslave.te
b/policy/modules/contrib/portslave.te
index 64282695..1d61734d 100644
--- a/policy/modules/contrib/portslave.te
+++ b/policy/modules/contrib/portslave.te
@@ -23,8 +23,7 @@ files_lock_file(portslave_lock_t)
allow portslave_t self:capability { fsetid net_admin net_bind_service setgid
setuid sys_tty_config };
dontaudit portslave_t self:capability sys_admin;
-allow portslave_t self:process signal_perms;
-allow portslave_t self:process ~{ ptrace setcurrent setexec setfscreate
setrlimit execmem execstack execheap };
+allow portslave_t self:process { transition signal_perms getsched setsched
getsession getpgid setpgid getcap setcap share getattr noatsecure siginh
rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow portslave_t self:fd use;
allow portslave_t self:fifo_file rw_fifo_file_perms;
allow portslave_t self:unix_dgram_socket sendto;
diff --git a/policy/modules/contrib/razor.te b/policy/modules/contrib/razor.te
index 68455f90..8497f9af 100644
--- a/policy/modules/contrib/razor.te
+++ b/policy/modules/contrib/razor.te
@@ -45,7 +45,7 @@ role system_r types system_razor_t;
# Common razor domain local policy
#
-allow razor_domain self:process ~{ ptrace setcurrent setexec setfscreate
setrlimit execmem execstack execheap };
+allow razor_domain self:process { transition signal_perms getsched setsched
getsession getpgid setpgid getcap setcap share getattr noatsecure siginh
rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow razor_domain self:fd use;
allow razor_domain self:fifo_file rw_fifo_file_perms;
allow razor_domain self:unix_dgram_socket sendto;
diff --git a/policy/modules/contrib/remotelogin.te
b/policy/modules/contrib/remotelogin.te
index 0d171e23..bc2292e3 100644
--- a/policy/modules/contrib/remotelogin.te
+++ b/policy/modules/contrib/remotelogin.te
@@ -19,7 +19,7 @@ files_tmp_file(remote_login_tmp_t)
#
allow remote_login_t self:capability { chown dac_override fowner fsetid kill
net_bind_service setgid setuid sys_nice sys_resource sys_tty_config };
-allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate
setrlimit execmem execstack execheap };
+allow remote_login_t self:process { transition signal_perms getsched setsched
getsession getpgid setpgid getcap setcap share getattr noatsecure siginh
rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow remote_login_t self:process { setrlimit setexec };
allow remote_login_t self:fd use;
allow remote_login_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 4f7edc84..44e8c7b5 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -74,8 +74,7 @@ files_tmpfs_file(rpm_script_tmpfs_t)
#
allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock mknod
setfcap setgid setuid sys_chroot sys_nice sys_tty_config };
-allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit
execstack execheap };
-allow rpm_t self:process { getattr setexec setfscreate setrlimit };
+allow rpm_t self:process { transition signal_perms getsched setsched
getsession getpgid setpgid getcap setcap share getattr setexec setfscreate
noatsecure siginh setrlimit rlimitinh dyntransition execmem setkeycreate
setsockcreate getrlimit };
allow rpm_t self:fd use;
allow rpm_t self:fifo_file rw_fifo_file_perms;
allow rpm_t self:unix_dgram_socket sendto;
@@ -242,7 +241,7 @@ optional_policy(`
#
allow rpm_script_t self:capability { chown dac_override dac_read_search fowner
fsetid ipc_lock kill mknod net_admin setgid setuid sys_admin sys_chroot
sys_nice sys_rawio };
-allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate
setrlimit execheap };
+allow rpm_script_t self:process { transition signal_perms getsched setsched
getsession getpgid setpgid getcap setcap share getattr noatsecure siginh
rlimitinh dyntransition execmem execstack setkeycreate setsockcreate getrlimit
};
allow rpm_script_t self:fd use;
allow rpm_script_t self:fifo_file rw_fifo_file_perms;
allow rpm_script_t self:unix_dgram_socket sendto;
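Review bot: The rewritten `allow rpm_script_t self:process` rule now spells out `execmem execstack`, which were previously granted only by being absent from the complement, and nothing in the hunk records why this domain needs them. A short comment above the rule would let the next auditor tell a deliberate grant from an accident of the old `~{ … }` form, e.g. `# execmem/execstack carried over from the former complement rule; confirm still required`. The same applies to `execmem` in the rpm_t hunk above and in yam.te, where it was likewise granted only through the complement.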
diff --git a/policy/modules/contrib/rssh.te b/policy/modules/contrib/rssh.te
index cf6dd81e..91a89f65 100644
--- a/policy/modules/contrib/rssh.te
+++ b/policy/modules/contrib/rssh.te
@@ -42,7 +42,7 @@ userdom_user_home_content(rssh_rw_t)
# Local policy
#
-allow rssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit
execmem execstack execheap };
+allow rssh_t self:process { transition signal_perms getsched setsched
getsession getpgid setpgid getcap setcap share getattr noatsecure siginh
rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow rssh_t self:fd use;
allow rssh_t self:fifo_file rw_fifo_file_perms;
allow rssh_t self:unix_dgram_socket sendto;
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 12e9f567..f61077fa 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -269,7 +269,7 @@ optional_policy(`
allow smbd_t self:capability { chown dac_override dac_read_search fowner
fsetid kill lease setgid setuid sys_admin sys_chroot sys_nice sys_resource };
dontaudit smbd_t self:capability sys_tty_config;
-allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate execmem
execstack execheap };
+allow smbd_t self:process { transition signal_perms getsched setsched
getsession getpgid setpgid getcap setcap share getattr noatsecure siginh
setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow smbd_t self:fd use;
allow smbd_t self:fifo_file rw_fifo_file_perms;
allow smbd_t self:msg { send receive };
@@ -518,7 +518,7 @@ optional_policy(`
#
dontaudit nmbd_t self:capability sys_tty_config;
-allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit
execmem execstack execheap };
+allow nmbd_t self:process { transition signal_perms getsched setsched
getsession getpgid setpgid getcap setcap share getattr noatsecure siginh
rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow nmbd_t self:fd use;
allow nmbd_t self:fifo_file rw_fifo_file_perms;
allow nmbd_t self:msg { send receive };
diff --git a/policy/modules/contrib/spamassassin.te
b/policy/modules/contrib/spamassassin.te
index f402bc7d..fc2a0ac4 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -89,7 +89,7 @@ files_pid_file(spamd_var_run_t)
# Standalone local policy
#
-allow spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate
setrlimit execmem execstack execheap };
+allow spamassassin_t self:process { transition signal_perms getsched setsched
getsession getpgid setpgid getcap setcap share getattr noatsecure siginh
rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow spamassassin_t self:fd use;
allow spamassassin_t self:fifo_file rw_fifo_file_perms;
allow spamassassin_t self:unix_dgram_socket sendto;
@@ -169,7 +169,7 @@ optional_policy(`
#
allow spamc_t self:capability dac_override;
-allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit
execmem execstack execheap };
+allow spamc_t self:process { transition signal_perms getsched setsched
getsession getpgid setpgid getcap setcap share getattr noatsecure siginh
rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow spamc_t self:fd use;
allow spamc_t self:fifo_file rw_fifo_file_perms;
allow spamc_t self:unix_dgram_socket sendto;
@@ -273,7 +273,7 @@ optional_policy(`
allow spamd_t self:capability { dac_override kill setgid setuid sys_tty_config
};
dontaudit spamd_t self:capability sys_tty_config;
-allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit
execmem execstack execheap };
+allow spamd_t self:process { transition signal_perms getsched setsched
getsession getpgid setpgid getcap setcap share getattr noatsecure siginh
rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow spamd_t self:fd use;
allow spamd_t self:fifo_file rw_fifo_file_perms;
allow spamd_t self:unix_dgram_socket sendto;
diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
index 41b0b75b..a9093f5f 100644
--- a/policy/modules/contrib/squid.te
+++ b/policy/modules/contrib/squid.te
@@ -61,7 +61,7 @@ files_pid_file(squid_var_run_t)
allow squid_t self:capability { dac_override kill setgid setuid sys_resource };
dontaudit squid_t self:capability sys_tty_config;
-allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem
execstack execheap };
+allow squid_t self:process { transition signal_perms getsched setsched
getsession getpgid setpgid getcap setcap share getattr noatsecure siginh
setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow squid_t self:fifo_file rw_fifo_file_perms;
allow squid_t self:fd use;
allow squid_t self:shm create_shm_perms;
diff --git a/policy/modules/contrib/userhelper.te
b/policy/modules/contrib/userhelper.te
index 35fbda6f..bffbc94c 100644
--- a/policy/modules/contrib/userhelper.te
+++ b/policy/modules/contrib/userhelper.te
@@ -95,7 +95,7 @@ optional_policy(`
#
allow userhelper_type self:capability { chown dac_override net_bind_service
setgid setuid sys_tty_config };
-allow userhelper_type self:process ~{ ptrace setcurrent setfscreate setrlimit
execmem execstack execheap };
+allow userhelper_type self:process { transition signal_perms getsched setsched
getsession getpgid setpgid getcap setcap share getattr setexec noatsecure
siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow userhelper_type self:fd use;
allow userhelper_type self:fifo_file rw_fifo_file_perms;
allow userhelper_type self:shm create_shm_perms;
diff --git a/policy/modules/contrib/usernetctl.te
b/policy/modules/contrib/usernetctl.te
index 97ebe828..4ef6f9b2 100644
--- a/policy/modules/contrib/usernetctl.te
+++ b/policy/modules/contrib/usernetctl.te
@@ -19,7 +19,7 @@ role usernetctl_roles types usernetctl_t;
#
allow usernetctl_t self:capability { dac_override setgid setuid };
-allow usernetctl_t self:process ~{ ptrace setcurrent setexec setfscreate
setrlimit execmem execstack execheap };
+allow usernetctl_t self:process { transition signal_perms getsched setsched
getsession getpgid setpgid getcap setcap share getattr noatsecure siginh
rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow usernetctl_t self:fd use;
allow usernetctl_t self:fifo_file rw_fifo_file_perms;
allow usernetctl_t self:unix_dgram_socket sendto;
diff --git a/policy/modules/contrib/vmware.te b/policy/modules/contrib/vmware.te
index 6d2e10d6..441fe9ef 100644
--- a/policy/modules/contrib/vmware.te
+++ b/policy/modules/contrib/vmware.te
@@ -188,8 +188,7 @@ optional_policy(`
allow vmware_t self:capability { chown dac_override setgid setuid sys_admin
sys_nice sys_rawio sys_resource };
dontaudit vmware_t self:capability sys_tty_config;
-allow vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit
execmem execstack execheap };
-allow vmware_t self:process { execmem execstack };
+allow vmware_t self:process { transition signal_perms getsched setsched
getsession getpgid setpgid getcap setcap share getattr noatsecure siginh
rlimitinh dyntransition execmem execstack setkeycreate setsockcreate getrlimit
};
allow vmware_t self:fd use;
allow vmware_t self:fifo_file rw_fifo_file_perms;
allow vmware_t self:unix_dgram_socket { create_socket_perms sendto };
diff --git a/policy/modules/contrib/webalizer.te
b/policy/modules/contrib/webalizer.te
index faea9beb..da454655 100644
--- a/policy/modules/contrib/webalizer.te
+++ b/policy/modules/contrib/webalizer.te
@@ -31,7 +31,7 @@ files_type(webalizer_var_lib_t)
#
allow webalizer_t self:capability dac_override;
-allow webalizer_t self:process ~{ ptrace setcurrent setexec setfscreate
setrlimit execmem execstack execheap };
+allow webalizer_t self:process { transition signal_perms getsched setsched
getsession getpgid setpgid getcap setcap share getattr noatsecure siginh
rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow webalizer_t self:fd use;
allow webalizer_t self:fifo_file rw_fifo_file_perms;
allow webalizer_t self:unix_dgram_socket sendto;
diff --git a/policy/modules/contrib/yam.te b/policy/modules/contrib/yam.te
index 4927d4d7..b451e6e8 100644
--- a/policy/modules/contrib/yam.te
+++ b/policy/modules/contrib/yam.te
@@ -27,7 +27,7 @@ files_tmp_file(yam_tmp_t)
#
allow yam_t self:capability { chown dac_override fowner fsetid };
-allow yam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit
execstack execheap };
+allow yam_t self:process { transition signal_perms getsched setsched
getsession getpgid setpgid getcap setcap share getattr noatsecure siginh
rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit };
allow yam_t self:fd use;
allow yam_t self:fifo_file rw_fifo_file_perms;
allow yam_t self:unix_stream_socket { accept connectto listen };