commit: 4415515602830a864de3212284013eac37767b5c Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> AuthorDate: Sun Aug 13 20:14:05 2017 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Fri Sep 8 22:48:51 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=44155156
Remove complement and wildcard in allow rules. Remove complement (~) and wildcard (*) in allow rules so that there are no unintentional additions when new permissions are declared. This patch does not add or remove permissions from any rules. policy/modules/contrib/apache.te | 2 +- policy/modules/contrib/cron.te | 4 ++-- policy/modules/contrib/cyrus.te | 2 +- policy/modules/contrib/dbus.if | 4 ++-- policy/modules/contrib/dpkg.te | 2 +- policy/modules/contrib/imaze.te | 2 +- policy/modules/contrib/logrotate.te | 2 +- policy/modules/contrib/nscd.if | 2 +- policy/modules/contrib/portage.if | 3 +-- policy/modules/contrib/portslave.te | 3 +-- policy/modules/contrib/razor.te | 2 +- policy/modules/contrib/remotelogin.te | 2 +- policy/modules/contrib/rpm.te | 5 ++--- policy/modules/contrib/rssh.te | 2 +- policy/modules/contrib/samba.te | 4 ++-- policy/modules/contrib/spamassassin.te | 6 +++--- policy/modules/contrib/squid.te | 2 +- policy/modules/contrib/userhelper.te | 2 +- policy/modules/contrib/usernetctl.te | 2 +- policy/modules/contrib/vmware.te | 3 +-- policy/modules/contrib/webalizer.te | 2 +- policy/modules/contrib/yam.te | 2 +- 22 files changed, 28 insertions(+), 32 deletions(-)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 7c41358d..e39b7951 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -379,7 +379,7 @@ optional_policy(`
 allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
 dontaudit httpd_t self:capability net_admin;
-allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow httpd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow httpd_t self:fd use;
 allow httpd_t self:sock_file read_sock_file_perms;
 allow httpd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 8991b2c8..27467232 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -219,8 +219,8 @@ tunable_policy(`fcron_crond',`
 allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice };
 dontaudit crond_t self:capability { sys_resource sys_tty_config };
-allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
-allow crond_t self:process { setexec setfscreate };
+
+allow crond_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow crond_t self:fd use;
 allow crond_t self:fifo_file rw_fifo_file_perms;
 allow crond_t self:unix_dgram_socket sendto;
diff --git a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te
index 02c0a746..816cf457 100644
--- a/policy/modules/contrib/cyrus.te
+++ b/policy/modules/contrib/cyrus.te
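Review bot: In apache.te the new explicit list for `httpd_t self:process` has no `fork`, although the removed `~{ ... }` form matched every process permission it did not name, `fork` included. The same holds for every other `self:process` rewrite in this commit, from cron.te through yam.te. The description's statement that no permissions are added or removed therefore holds only if `fork` reaches these types through another rule, presumably a common domain rule that is not part of this diff. Either add `fork` to the lists or state that dependency in the commit message, and compare the compiled policy before and after (for example with `sediff`) to confirm the effective allow rules are unchanged.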
@@ -31,7 +31,7 @@ files_pid_file(cyrus_var_run_t)
 allow cyrus_t self:capability { dac_override setgid setuid sys_resource };
 dontaudit cyrus_t self:capability sys_tty_config;
-allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow cyrus_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow cyrus_t self:process setrlimit;
 allow cyrus_t self:fd use;
 allow cyrus_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if
index 32824d9a..4f62c23a 100644
--- a/policy/modules/contrib/dbus.if
+++ b/policy/modules/contrib/dbus.if
@@ -460,10 +460,10 @@ interface(`dbus_send_system_bus',`
 interface(`dbus_system_bus_unconfined',`
 gen_require(`
 type system_dbusd_t;
- class dbus all_dbus_perms;
+ class dbus { acquire_svc send_msg };
 ')
- allow $1 system_dbusd_t:dbus *;
+ allow $1 system_dbusd_t:dbus { acquire_svc send_msg };
 ')
 ########################################
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index 9c59f073..e165fec3 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -203,7 +203,7 @@ optional_policy(`
 #
 allow dpkg_script_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin setfcap setgid setuid sys_chroot sys_nice sys_ptrace };
-allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
+allow dpkg_script_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow dpkg_script_t self:fd use;
 allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
 allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
diff --git a/policy/modules/contrib/imaze.te b/policy/modules/contrib/imaze.te
index f7b386b4..7649b91a 100644
--- a/policy/modules/contrib/imaze.te
+++ b/policy/modules/contrib/imaze.te
@@ -25,7 +25,7 @@ files_pid_file(imazesrv_var_run_t)
 #
 dontaudit imazesrv_t self:capability sys_tty_config;
-allow imazesrv_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow imazesrv_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow imazesrv_t self:fifo_file rw_fifo_file_perms;
 allow imazesrv_t self:tcp_socket { accept listen };
 allow imazesrv_t self:unix_dgram_socket sendto;
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index 4593e98f..ab2c6152 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -37,7 +37,7 @@ role system_r types logrotate_mail_t;
 #
 allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource };
-allow logrotate_t self:process ~{ ptrace setcurrent setexec execmem execstack execheap };
+allow logrotate_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow logrotate_t self:fd use;
 allow logrotate_t self:key manage_key_perms;
 allow logrotate_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/nscd.if b/policy/modules/contrib/nscd.if
index c83635fe..d6b3687a 100644
--- a/policy/modules/contrib/nscd.if
+++ b/policy/modules/contrib/nscd.if
@@ -226,7 +226,7 @@ interface(`nscd_unconfined',`
 class nscd all_nscd_perms;
 ')
- allow $1 nscd_t:nscd *;
+ allow $1 nscd_t:nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost getserv shmemserv };
 ')
 ########################################
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index cad9b9f1..32f39a22 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -74,8 +74,7 @@ interface(`portage_compile_domain',`
 allow $1 self:capability { chown dac_override fowner fsetid mknod net_raw setgid setuid };
 dontaudit $1 self:capability sys_chroot;
- allow $1 self:process { setpgid setsched setrlimit signal_perms execmem setfscreate };
- allow $1 self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
+ allow $1 self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit };
 allow $1 self:fd use;
 allow $1 self:fifo_file rw_fifo_file_perms;
 allow $1 self:shm create_shm_perms;
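Review bot: In nscd.if the `gen_require` of `nscd_unconfined` still reads `class nscd all_nscd_perms;` while the allow rule below it now spells out the permissions, whereas the dbus.if hunk converts both the `gen_require` line and the allow rule to the explicit set. If the macro and the hand-written list ever diverge, the interface will require one set and grant another. For consistency with dbus.if the require line could become `class nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost getserv shmemserv };`. The interface begins outside the hunk, so the rest of its `gen_require` is not visible here.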
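Review bot: In portage.if the merged rule for `portage_compile_domain` places `execmem` and `setrlimit` in the middle of a long list, where the removed first rule made these exceptions to the usual baseline easy to spot. Keeping the baseline list identical to the other domains and putting the extras on their own line, `allow $1 self:process { setfscreate setrlimit execmem };`, would keep the sensitive grants easy to find when auditing. vmware.te has the same issue, where the separate `allow vmware_t self:process { execmem execstack };` is folded in, while cyrus.te and remotelogin.te keep their extra `setrlimit` / `setexec` rule as unchanged context. The commit should settle on one convention.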
diff --git a/policy/modules/contrib/portslave.te b/policy/modules/contrib/portslave.te
index 64282695..1d61734d 100644
--- a/policy/modules/contrib/portslave.te
+++ b/policy/modules/contrib/portslave.te
@@ -23,8 +23,7 @@ files_lock_file(portslave_lock_t)
 allow portslave_t self:capability { fsetid net_admin net_bind_service setgid setuid sys_tty_config };
 dontaudit portslave_t self:capability sys_admin;
-allow portslave_t self:process signal_perms;
-allow portslave_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow portslave_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow portslave_t self:fd use;
 allow portslave_t self:fifo_file rw_fifo_file_perms;
 allow portslave_t self:unix_dgram_socket sendto;
diff --git a/policy/modules/contrib/razor.te b/policy/modules/contrib/razor.te
index 68455f90..8497f9af 100644
--- a/policy/modules/contrib/razor.te
+++ b/policy/modules/contrib/razor.te
@@ -45,7 +45,7 @@ role system_r types system_razor_t;
 # Common razor domain local policy
 #
-allow razor_domain self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow razor_domain self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow razor_domain self:fd use;
 allow razor_domain self:fifo_file rw_fifo_file_perms;
 allow razor_domain self:unix_dgram_socket sendto;
diff --git a/policy/modules/contrib/remotelogin.te b/policy/modules/contrib/remotelogin.te
index 0d171e23..bc2292e3 100644
--- a/policy/modules/contrib/remotelogin.te
+++ b/policy/modules/contrib/remotelogin.te
@@ -19,7 +19,7 @@ files_tmp_file(remote_login_tmp_t)
 #
 allow remote_login_t self:capability { chown dac_override fowner fsetid kill net_bind_service setgid setuid sys_nice sys_resource sys_tty_config };
-allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow remote_login_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow remote_login_t self:process { setrlimit setexec };
 allow remote_login_t self:fd use;
 allow remote_login_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 4f7edc84..44e8c7b5 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -74,8 +74,7 @@ files_tmpfs_file(rpm_script_tmpfs_t)
 #
 allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock mknod setfcap setgid setuid sys_chroot sys_nice sys_tty_config };
-allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
-allow rpm_t self:process { getattr setexec setfscreate setrlimit };
+allow rpm_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit };
 allow rpm_t self:fd use;
 allow rpm_t self:fifo_file rw_fifo_file_perms;
 allow rpm_t self:unix_dgram_socket sendto;
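Review bot: In rpm.te the explicit list for `rpm_t` carries `execmem`, which the old policy granted only because the complement list did not exclude it. The same is true of `execmem execstack` for `rpm_script_t` in the next rpm.te hunk and of `execmem` for `yam_t` in yam.te. The rewrite correctly preserves these grants, but nothing in the visible lines says whether they are intended. A short comment above each rule, for example `# execmem carried over from the former complement rule; confirm it is still required`, would let a later audit tell a deliberate grant from an inherited one.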
@@ -242,7 +241,7 @@ optional_policy(`
 #
 allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin setgid setuid sys_admin sys_chroot sys_nice sys_rawio };
-allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
+allow rpm_script_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition execmem execstack setkeycreate setsockcreate getrlimit };
 allow rpm_script_t self:fd use;
 allow rpm_script_t self:fifo_file rw_fifo_file_perms;
 allow rpm_script_t self:unix_dgram_socket sendto;
diff --git a/policy/modules/contrib/rssh.te b/policy/modules/contrib/rssh.te
index cf6dd81e..91a89f65 100644
--- a/policy/modules/contrib/rssh.te
+++ b/policy/modules/contrib/rssh.te
@@ -42,7 +42,7 @@ userdom_user_home_content(rssh_rw_t)
 # Local policy
 #
-allow rssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow rssh_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow rssh_t self:fd use;
 allow rssh_t self:fifo_file rw_fifo_file_perms;
 allow rssh_t self:unix_dgram_socket sendto;
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 12e9f567..f61077fa 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -269,7 +269,7 @@ optional_policy(`
 allow smbd_t self:capability { chown dac_override dac_read_search fowner fsetid kill lease setgid setuid sys_admin sys_chroot sys_nice sys_resource };
 dontaudit smbd_t self:capability sys_tty_config;
-allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
+allow smbd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow smbd_t self:fd use;
 allow smbd_t self:fifo_file rw_fifo_file_perms;
 allow smbd_t self:msg { send receive };
@@ -518,7 +518,7 @@ optional_policy(`
 #
 dontaudit nmbd_t self:capability sys_tty_config;
-allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow nmbd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow nmbd_t self:fd use;
 allow nmbd_t self:fifo_file rw_fifo_file_perms;
 allow nmbd_t self:msg { send receive };
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
index f402bc7d..fc2a0ac4 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -89,7 +89,7 @@ files_pid_file(spamd_var_run_t)
 # Standalone local policy
 #
-allow spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow spamassassin_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow spamassassin_t self:fd use;
 allow spamassassin_t self:fifo_file rw_fifo_file_perms;
 allow spamassassin_t self:unix_dgram_socket sendto;
@@ -169,7 +169,7 @@ optional_policy(`
 #
 allow spamc_t self:capability dac_override;
-allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow spamc_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow spamc_t self:fd use;
 allow spamc_t self:fifo_file rw_fifo_file_perms;
 allow spamc_t self:unix_dgram_socket sendto;
@@ -273,7 +273,7 @@ optional_policy(`
 allow spamd_t self:capability { dac_override kill setgid setuid sys_tty_config };
 dontaudit spamd_t self:capability sys_tty_config;
-allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow spamd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow spamd_t self:fd use;
 allow spamd_t self:fifo_file rw_fifo_file_perms;
 allow spamd_t self:unix_dgram_socket sendto;
diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
index 41b0b75b..a9093f5f 100644
--- a/policy/modules/contrib/squid.te
+++ b/policy/modules/contrib/squid.te
@@ -61,7 +61,7 @@ files_pid_file(squid_var_run_t)
 allow squid_t self:capability { dac_override kill setgid setuid sys_resource };
 dontaudit squid_t self:capability sys_tty_config;
-allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
+allow squid_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow squid_t self:fifo_file rw_fifo_file_perms;
 allow squid_t self:fd use;
 allow squid_t self:shm create_shm_perms;
diff --git a/policy/modules/contrib/userhelper.te b/policy/modules/contrib/userhelper.te
index 35fbda6f..bffbc94c 100644
--- a/policy/modules/contrib/userhelper.te
+++ b/policy/modules/contrib/userhelper.te
@@ -95,7 +95,7 @@ optional_policy(`
 #
 allow userhelper_type self:capability { chown dac_override net_bind_service setgid setuid sys_tty_config };
-allow userhelper_type self:process ~{ ptrace setcurrent setfscreate setrlimit execmem execstack execheap };
+allow userhelper_type self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow userhelper_type self:fd use;
 allow userhelper_type self:fifo_file rw_fifo_file_perms;
 allow userhelper_type self:shm create_shm_perms;
diff --git a/policy/modules/contrib/usernetctl.te b/policy/modules/contrib/usernetctl.te
index 97ebe828..4ef6f9b2 100644
--- a/policy/modules/contrib/usernetctl.te
+++ b/policy/modules/contrib/usernetctl.te
@@ -19,7 +19,7 @@ role usernetctl_roles types usernetctl_t;
 #
 allow usernetctl_t self:capability { dac_override setgid setuid };
-allow usernetctl_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow usernetctl_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow usernetctl_t self:fd use;
 allow usernetctl_t self:fifo_file rw_fifo_file_perms;
 allow usernetctl_t self:unix_dgram_socket sendto;
diff --git a/policy/modules/contrib/vmware.te b/policy/modules/contrib/vmware.te
index 6d2e10d6..441fe9ef 100644
--- a/policy/modules/contrib/vmware.te
+++ b/policy/modules/contrib/vmware.te
@@ -188,8 +188,7 @@ optional_policy(`
 allow vmware_t self:capability { chown dac_override setgid setuid sys_admin sys_nice sys_rawio sys_resource };
 dontaudit vmware_t self:capability sys_tty_config;
-allow vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow vmware_t self:process { execmem execstack };
+allow vmware_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition execmem execstack setkeycreate setsockcreate getrlimit };
 allow vmware_t self:fd use;
 allow vmware_t self:fifo_file rw_fifo_file_perms;
 allow vmware_t self:unix_dgram_socket { create_socket_perms sendto };
diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
index faea9beb..da454655 100644
--- a/policy/modules/contrib/webalizer.te
+++ b/policy/modules/contrib/webalizer.te
@@ -31,7 +31,7 @@ files_type(webalizer_var_lib_t)
 #
 allow webalizer_t self:capability dac_override;
-allow webalizer_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow webalizer_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow webalizer_t self:fd use;
 allow webalizer_t self:fifo_file rw_fifo_file_perms;
 allow webalizer_t self:unix_dgram_socket sendto;
diff --git a/policy/modules/contrib/yam.te b/policy/modules/contrib/yam.te
index 4927d4d7..b451e6e8 100644
--- a/policy/modules/contrib/yam.te
+++ b/policy/modules/contrib/yam.te
@@ -27,7 +27,7 @@ files_tmp_file(yam_tmp_t)
 #
 allow yam_t self:capability { chown dac_override fowner fsetid };
-allow yam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
+allow yam_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit };
 allow yam_t self:fd use;
 allow yam_t self:fifo_file rw_fifo_file_perms;
 allow yam_t self:unix_stream_socket { accept connectto listen };