Fedora 8 odds and sods

Today I've done a bit of a clean-up of the local policy modules I've had in use over the last couple of Fedora releases, removing bits that are no longer needed and consolidating the remaining ones into a single "localmisc" module. The result of this is:

policy_module(localmisc, 0.1.34)

require {
        attribute mailserver_delivery;
        type depmod_t;
        type httpd_t;
        type load_policy_t;
        type procmail_t;
        type procmail_tmp_t;
        type pptp_t;
        type restorecon_t;
        type sendmail_t;
        type setfiles_t;
        type soundd_port_t;
        type squid_t;
        type useradd_t;
        type var_t;
};

# ========================================
# Things that probably need to go upstream
# ========================================

# Milter sockets, why did this work before?
#allow sendmail_t initrc_t:unix_stream_socket { read write connectto };
init_stream_connect_script(mailserver_delivery)
init_rw_script_stream_sockets(mailserver_delivery)

# Allow misc command output to be sent to a pipe, needed for rpm scriptlets
# Probably not needed since Fedora 8
#unconfined_rw_pipes(depmod_t)
#unconfined_rw_pipes(load_policy_t)
#unconfined_rw_pipes(setfiles_t)
#unconfined_rw_pipes(useradd_t)

# Allow pptp to manage its own processes
allow pptp_t self:process signal;

# Allow sendmail to read procmail tempfiles for forwarding
# (would need a new interface in procmail.if to do this properly)
allow sendmail_t procmail_tmp_t:file { read write getattr ioctl };

# Not sure what this is, needed when network is congested
allow sendmail_t self:process signull;

# ==============
# Local oddities
# ==============

# Allow restorecon to restore file contexts via the /var/www -> /srv/www symlink
allow restorecon_t var_t:lnk_file read;

# Allow httpd to read /var/www -> /srv/www symlink
allow httpd_t var_t:lnk_file { getattr read };

# Allow squid to connect to websites on port 8000 (defined in policy as soundd_port_t)
allow squid_t soundd_port_t:tcp_socket name_connect;



Not a lot left there, so I thought I'd post them here in their entirety for discussion and hopefully inclusion (at least in part) in a future policy update.

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
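A small parser for the allow rules of a .te module like the one in the post, added here as an illustration and not code from the post or from the Fedora policy project. It assumes two constructed module texts, OLD_TE (a pre-clean-up module) and NEW_TE (the consolidated one, mirroring a few of the rules above), and reports which rules the consolidation dropped and which still grant write-type permissions, the kind of check worth doing before trimming local policy.

```python
import re
from dataclasses import dataclass

# Constructed sample modules (not the post's files): an older local module
# and the consolidated one that is meant to replace it.
OLD_TE = """
allow sendmail_t procmail_tmp_t:file { read write getattr ioctl };
allow httpd_t var_t:lnk_file { getattr read };
allow restorecon_t var_t:lnk_file read;
allow useradd_t self:fifo_file { read write };
"""
NEW_TE = """
# Allow sendmail to read procmail tempfiles for forwarding
allow sendmail_t procmail_tmp_t:file { read write getattr ioctl };
# Allow httpd to read /var/www -> /srv/www symlink
allow httpd_t var_t:lnk_file { getattr read };
allow restorecon_t var_t:lnk_file read;
#allow sendmail_t initrc_t:unix_stream_socket { read write connectto };
allow pptp_t self:process signal;
"""

@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str
    cls: str
    perm: str

# Matches "allow src tgt:class perm;" or "allow src tgt:class { p1 p2 };"
ALLOW_RE = re.compile(r'^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;')

def parse_allow_rules(te_text):
    """Return one AllowRule per (source, target, class, permission).
    Commented-out lines are skipped, "self" is resolved to the source type,
    and permission sets are split so modules can be compared rule by rule.
    Interface calls such as init_stream_connect_script() are not expanded."""
    rules = set()
    for line in te_text.splitlines():
        if line.lstrip().startswith('#'):
            continue
        m = ALLOW_RE.match(line)
        if not m:
            continue
        src, tgt, cls, perms = m.groups()
        tgt = src if tgt == 'self' else tgt
        for perm in perms.strip('{}').split():
            rules.add(AllowRule(src, tgt, cls, perm))
    return rules

def rules_dropped(old_te, new_te):
    """Rules present in the old module but absent from the new one."""
    return parse_allow_rules(old_te) - parse_allow_rules(new_te)

def write_rules(te_text):
    """Rules granting a write-type permission; these deserve a second look."""
    risky = {'write', 'append', 'create', 'unlink', 'rename', 'setattr'}
    return {r for r in parse_allow_rules(te_text) if r.perm in risky}
```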
