cron_system_entry(acct_t,acct_exec_t)
')
-optional_policy(`rhgb.te',`
- rhgb_domain(acct_t)
-')
-
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(acct_t)
')
optional_policy(`udev.te', `
udev_read_db(acct_t)
')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+ rhgb_domain(acct_t)
+')
+')
files_dontaudit_read_root_file(quota_t)
')
-optional_policy(`rhgb.te',`
- rhgb_domain(quota_t)
-')
-
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(quota_t)
')
allow quota_t file_t:file quotaon;
allow quota_t proc_t:file getattr;
+optional_policy(`rhgb.te',`
+ rhgb_domain(quota_t)
+')
') dnl end TODO
modutils_read_mods_deps(updfstab_t)
')
-optional_policy(`rhgb.te',`
- rhgb_domain(updfstab_t)
-')
-
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(updfstab_t)
')
optional_policy(`udev.te',`
udev_read_db(updfstab_t)
')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+ rhgb_domain(updfstab_t)
+')
+')
nscd_use_socket(named_t)
')
-optional_policy(`rhgb.te',`
- rhgb_domain(named_t)
-')
-
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(named_t)
')
udev_read_db(named_t)
')
+ifdef(`TODO',`
+can_udp_send(domain, named_t)
+can_udp_send(named_t, domain)
+can_tcp_connect(domain, named_t)
+optional_policy(`rhgb.te',`
+ rhgb_domain(named_t)
+')
+')
+
########################################
#
# NDC local policy
optional_policy(`nscd.te',`
nscd_use_socket(ndc_t)
')
-
-ifdef(`TODO',`
-can_udp_send(domain, named_t)
-can_udp_send(named_t, domain)
-can_tcp_connect(domain, named_t)
-')
nscd_use_socket(system_dbusd_t)
')
+optional_policy(`udev.te', `
+ udev_read_db(system_dbusd_t)
+')
+
+ifdef(`TODO',`
optional_policy(`rhgb.te',`
rhgb_domain(system_dbusd_t)
')
-
-optional_policy(`udev.te', `
- udev_read_db(system_dbusd_t)
')
files_dontaudit_read_root_file(gpm_t)
')
-optional_policy(`rhgb.te',`
- rhgb_domain(gpm_t)
-')
-
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(gpm_t)
')
# Access the mouse.
# cjp: why write?
allow gpm_t { event_device_t mouse_device_t }:chr_file rw_file_perms;
+optional_policy(`rhgb.te',`
+ rhgb_domain(gpm_t)
+')
')
nis_use_ypbind(howl_t)
')
-optional_policy(`rhgb.te',`
- rhgb_domain(howl_t)
-')
-
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(howl_t)
')
optional_policy(`udev.te', `
udev_read_db(howl_t)
')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+ rhgb_domain(howl_t)
+')
+')
rhgb_domain(inetd_t)
')
-# Bind to the telnet, ftp, rlogin and rsh ports.
-# cjp: these ports currently dont exist in the NSA example
-ifdef(`talk.te', `
-allow inetd_t talk_port_t:tcp_socket name_bind;
-allow inetd_t ntalk_port_t:tcp_socket name_bind;
-')
-
# Communicate with the portmapper.
ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)')
') dnl TODO
nis_use_ypbind(slapd_t)
')
-optional_policy(`rhgb.te',`
- rhgb_domain(slapd_t)
-')
-
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(slapd_t)
')
')
ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+ rhgb_domain(slapd_t)
+')
# allow any domain to connect to the LDAP server
# cjp: how does this relate to the old can_ldap() macro?
can_tcp_connect(domain, slapd_t)
nis_use_ypbind(mysqld_t)
')
-optional_policy(`rhgb.te',`
- rhgb_domain(mysqld_t)
-')
-
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(mysqld_t)
')
udev_read_db(mysqld_t)
')
-ifdef(`TODO',
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+ rhgb_domain(mysqld_t)
+')
optional_policy(`daemontools.te',`
domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t)
mysqld_signal(svc_start_t)
nis_use_ypbind(nscd_t)
')
-optional_policy(`rhgb.te',`
- rhgb_domain(nscd_t)
-')
-
optional_policy(`selinuxutils.te',`
seutil_sigchld_newrole(nscd_t)
')
allow nscd_t samba_var_t:dir search;
allow nscd_t winbind_var_run_t:dir { getattr search };
')
-
+optional_policy(`rhgb.te',`
+ rhgb_domain(nscd_t)
+')
allow nscd_t tmp_t:dir { search getattr };
allow nscd_t tmp_t:lnk_file read;
') dnl end TODO
mount_send_nfs_client_request(privoxy_t)
')
-optional_policy(`rhgb.te',`
- rhgb_domain(privoxy_t)
-')
-
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(privoxy_t)
')
optional_policy(`udev.te', `
udev_read_db(privoxy_t)
')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+ rhgb_domain(privoxy_t)
+')
+')
ssh_server_template(sshd)
optional_policy(`inetd.te',`
-# CJP: commenting this out until typeattribute works in a conditional
+# cjp: commenting this out until typeattribute works in a conditional
# tunable_policy(`run_ssh_inetd',`
inetd_tcp_service_domain(sshd_t,sshd_exec_t)
# ',`
files_dontaudit_read_root_file(ssh_keygen_t)
')
-optional_policy(`rhgb.te', `
- rhgb_domain(ssh_keygen_t)
-')
-
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(ssh_keygen_t)
')
optional_policy(`udev.te', `
udev_read_db(ssh_keygen_t)
')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te', `
+ rhgb_domain(ssh_keygen_t)
+')
+')
nis_use_ypbind(ipsec_t)
')
-optional_policy(`rhgb.te',`
- rhgb_domain(ipsec_t)
-')
-
optional_policy(`selinuxutils.te',`
seutil_sigchld_newrole(ipsec_t)
')
udev_read_db(ipsec_t)
')
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+ rhgb_domain(ipsec_t)
+')
+')
+
########################################
#
# ipsec_mgmt Local policy
files_dontaudit_read_root_file(cardmgr_t)
')
-optional_policy(`rhgb.te',`
- rhgb_domain(cardmgr_t)
-')
-
optional_policy(`selinuxutils.te',`
seutil_sigchld_newrole(cardmgr_t)
')
pcmcia_manage_pid(hald_t)
pcmcia_manage_runtime_chr(hald_t)
')
+optional_policy(`rhgb.te',`
+ rhgb_domain(cardmgr_t)
+')
') dnl end TODO
files_dontaudit_read_root_file(mdadm_t)
')
-optional_policy(`rhgb.te',`
- rhgb_domain(mdadm_t)
-')
-
optional_policy(`selinux.te',`
seutil_sigchld_newrole(mdadm_t)
')
dontaudit mdadm_t device_t:{ fifo_file file chr_file blk_file } { read getattr };
allow mdadm_t var_t:dir getattr;
+optional_policy(`rhgb.te',`
+ rhgb_domain(mdadm_t)
+')
') dnl TODO
projects / people / stevee / selinux-policy.git / commitdiff
